diff --git a/apps/apps.c b/apps/apps.c
index 5b7aedccd..680123834 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2238,6 +2238,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_NOTIFY_POLICY;
else if (!strcmp(arg, "-check_ss_sig"))
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+ else if (!strcmp(arg, "-no_alt_chains"))
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
else
return 0;
diff --git a/apps/cms.c b/apps/cms.c
index 0cc4b46d8..d7645c0d6 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -580,6 +580,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 71def2611..572f0643e 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -518,6 +518,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err,
"-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-VAfile file validator certificates file\n");
BIO_printf(bio_err,
diff --git a/apps/s_client.c b/apps/s_client.c
index b9b79756a..28737b6d1 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -322,6 +322,8 @@ static void sc_usage(void)
" -pass arg - private key file pass phrase source\n");
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
BIO_printf(bio_err,
diff --git a/apps/s_server.c b/apps/s_server.c
index 7e501d21b..b58e5e07c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -540,6 +540,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -state - Print the SSL states\n");
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
BIO_printf(bio_err,
diff --git a/apps/smime.c b/apps/smime.c
index 7b351f601..53e43c5e7 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -441,6 +441,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
diff --git a/apps/verify.c b/apps/verify.c
index 7295c769f..e29f9bb7e 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -227,7 +227,7 @@ int MAIN(int argc, char **argv)
if (ret == 1) {
BIO_printf(bio_err,
"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err, " [-attime timestamp]");
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]");
#endif