Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
parent 25690b7f5f
commit fa7b01115b
@ -54,6 +54,7 @@ B<openssl> B<cms>
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-verify_depth num>]
[B<-verify_email email>]
@ -459,11 +460,11 @@ address matches that specified in the From: address.
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set various certificate chain valiadition options. See the
Set various certificate chain validation options. See the
L<B<verify>|verify(1)> manual page for details.

=back
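Review bot: the first context line of this list still reads B<explicit_policy> without the leading dash, unlike every other entry in it; since the rest of the list is being rewritten here anyway, change it to B<-explicit_policy> so the documented spelling matches the actual option. The valiadition/validation typo fix in the same hunk is correct.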
@ -697,4 +698,6 @@ Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
to OpenSSL 1.1.0.

The -no_alt_chains options was first added to OpenSSL 1.1.0.

=cut
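Review bot: "The -no_alt_chains options was first added" should read "option was", and the option name should be marked up like B<-encrypt> and B<-decrypt> two lines above it. Suggested wording: "The B<-no_alt_chains> option was first added to OpenSSL 1.1.0."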
@ -48,6 +48,7 @@ B<openssl> B<ocsp>
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-verify_depth num>]
[B<-verify_email email>]
@ -173,9 +174,9 @@ the signature on the OCSP response.
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set different certificate verification options.
See L<B<verify>|verify(1)> manual page for details.
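Review bot: the same leading-dash omission as in the cms option list: the context line B<explicit_policy> should read B<-explicit_policy>, and this is the natural place to fix it since the lines right below it are being replaced.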
@ -416,3 +417,9 @@ second file.

openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-reqin req.der -respout resp.der

=head1 HISTORY

The -no_alt_chains options was first added to OpenSSL 1.1.0.

=cut
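Review bot: "options was" should be "option was" in the new HISTORY sentence, and the option should be marked up as B<-no_alt_chains>; the identical sentence is added in every HISTORY hunk of this commit, so correct it in all of them at once.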
@ -19,7 +19,6 @@ B<openssl> B<s_client>
[B<-pass arg>]
[B<-CApath directory>]
[B<-CAfile filename>]
[B<-trusted_first>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
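Review bot: the removal of the duplicate [B<-trusted_first>] synopsis entry here is an unrelated cleanup that the commit message does not mention (the copy kept in the next hunk sits with the other verification options, which is the right place); add a sentence about it to the commit message so the deletion is not surprising in the log.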
@ -39,6 +38,7 @@ B<openssl> B<s_client>
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-verify_depth num>]
[B<-verify_email email>]
@ -155,11 +155,11 @@ and to use when attempting to build the client certificate chain.
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set various certificate chain valiadition options. See the
Set various certificate chain validation options. See the
L<B<verify>|verify(1)> manual page for details.

=item B<-reconnect>
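Review bot: B<explicit_policy> in the first context line is missing its leading dash here too; change it to B<-explicit_policy> while this list is being rewritten. The valiadition/validation fix is correct.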
@ -411,4 +411,8 @@ information whenever a session is renegotiated.

L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>

=head1 HISTORY

The -no_alt_chains options was first added to OpenSSL 1.1.0.

=cut
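Review bot: "options was" should be "option was", with the option marked up as B<-no_alt_chains>, as in the other HISTORY hunks.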
@ -51,6 +51,7 @@ B<openssl> B<s_server>
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-verify_depth num>]
[B<-verify_return_error>]
@ -218,8 +219,8 @@ anonymous ciphersuite or PSK) this option has no effect.
B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set different peer certificate verification options.
See the L<B<verify>|verify(1)> manual page for details.
@ -481,4 +482,8 @@ unknown cipher suites a client says it supports.

L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>

=head1 HISTORY

The -no_alt_chains options was first added to OpenSSL 1.1.0.

=cut
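Review bot: same grammar and markup issue as the other HISTORY hunks: "option was", not "options was", and B<-no_alt_chains> rather than the bare name.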
@ -36,6 +36,7 @@ B<openssl> B<smime>
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-verify_depth num>]
[B<-verify_email email>]
@ -291,9 +292,9 @@ address matches that specified in the From: address.
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set various options of certificate chain verification. See
L<B<verify>|verify(1)> manual page for details.
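Review bot: B<explicit_policy> in the first context line should be B<-explicit_policy>, as in the cms, ocsp and s_client lists; fix it while the adjacent lines are being replaced.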
@ -475,5 +476,6 @@ structures may cause parsing errors.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0

The -no_alt_chains options was first added to OpenSSL 1.1.0.

=cut
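Review bot: besides the "options was" and missing B<> markup shared with the other HISTORY hunks, the context line "added in OpenSSL 1.0.0" has no terminating period while the new sentence does; add the period so the two entries read consistently.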
@ -30,6 +30,7 @@ B<openssl> B<verify>
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-untrusted file>]
[B<-use_deltas>]
[B<-verbose>]
@ -164,6 +165,14 @@ Use certificates in CA file or CA directory before certificates in untrusted
file when building the trust chain to verify certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.

=item B<-no_alt_chains>

When building a certificate chain, if the first certificate chain found is not
trusted, then OpenSSL will continue to check to see if an alternative chain can
be found that is trusted. With this option that behaviour is suppressed so that
only the first chain found is ever used. Using this option will force the
behaviour to match that of OpenSSL versions prior to 1.1.0.

=item B<-untrusted file>

A file of untrusted certificates. The file should contain multiple certificates
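Review bot: the new B<-no_alt_chains> description says only the first chain found is used but never states the consequence, namely that verification fails when that first chain is untrusted instead of falling back to an alternative; say so explicitly, and cross-reference B<-trusted_first> (documented in the context lines directly above), since that option changes which chain is found first and therefore interacts with this one.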
@ -469,4 +478,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.

L<x509(1)|x509(1)>

=head1 HISTORY

The -no_alt_chains options was first added to OpenSSL 1.1.0.

=cut
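Review bot: "options was" should be "option was", and the option should be marked up as B<-no_alt_chains>, matching the =item heading added earlier in this file.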
@ -197,6 +197,12 @@ verification. If this flag is set then additional status codes will be sent
to the verification callback and it B<must> be prepared to handle such cases
without assuming they are hard errors.

The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
chains. By default, when building a certificate chain, if the first certificate
chain found is not trusted, then OpenSSL will continue to check to see if an
alternative chain can be found that is trusted. With this flag set the behaviour
will match that of OpenSSL versions prior to 1.1.0.

=head1 NOTES

The above functions should be used to manipulate verification parameters
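Review bot: the new paragraph repeats the verify(1) B<-no_alt_chains> text almost verbatim but, like it, does not say what the caller observes when the first chain is untrusted (verification fails rather than falling back); state that explicitly, and add a cross-reference to the B<-no_alt_chains> option in L<verify(1)|verify(1)> so the two descriptions stay in sync.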
@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>

=head1 HISTORY

TBA
The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0

=cut
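Review bot: the new HISTORY sentence is missing its terminating period, and replacing the TBA placeholder with an entry for this one flag makes the section look complete while the history of the functions and other flags on the page is still unrecorded; either keep a TBA line for the remainder or word the entry so it is clear only this flag's history is documented.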