authorRichard Levitte <levitte@openssl.org>2016-06-19 10:55:43 +0200
committerRichard Levitte <levitte@openssl.org>2016-06-30 01:01:38 +0200
commit08327bfb261eea4a3c356d6ebff81d838f063d1b (patch)
tree67208a1c6fd5a8bc7b36bb38ba72c8032ea7c13e
parentf7c95287b602191a971c1cec9427029b453a68e8 (diff)
Allow proxy certs to be present when verifying a chain
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 6ad8c48291622a6ccc51489b9a230c9a05ca5614)
-rw-r--r--apps/apps.c2
-rw-r--r--doc/apps/verify.pod5
2 files changed, 7 insertions, 0 deletions
diff --git a/apps/apps.c b/apps/apps.c
index 8ab4833668..ca9179e9a5 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2241,6 +2241,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
else if (!strcmp(arg, "-no_alt_chains"))
flags |= X509_V_FLAG_NO_ALT_CHAINS;
+ else if (!strcmp(arg, "-allow_proxy_certs"))
+ flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
else
return 0;
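Review bot: The new `-allow_proxy_certs` branch ORs `X509_V_FLAG_ALLOW_PROXY_CERTS` into the flags that `args_verify` builds, yet the only documentation touched in this commit is doc/apps/verify.pod. Because `args_verify` lives in the common apps/apps.c, it is presumably called by other commands too, which would then accept this option without documenting it; worth confirming against the callers. The flag relaxes chain verification, since a proxy certificate is issued by an end-entity certificate rather than a CA, so the branch deserves a short comment such as `/* Off by default: accepts RFC 3820 proxy certs issued by an EE cert */`. The body of `args_verify` starts and ends outside this hunk, so how the accumulated flags are applied is not visible here.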
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 18eeee04b9..450dd7d809 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -23,6 +23,7 @@ B<openssl> B<verify>
[B<-use_deltas>]
[B<-policy_print>]
[B<-no_alt_chains>]
+[B<-allow_proxy_certs>]
[B<-untrusted file>]
[B<-help>]
[B<-issuer_checks>]
@@ -117,6 +118,10 @@ be found that is trusted. With this option that behaviour is suppressed so that
only the first chain found is ever used. Using this option will force the
behaviour to match that of previous OpenSSL versions.
+=item B<-allow_proxy_certs>
+
+Allow the verification of proxy certificates.
+
=item B<-policy_print>
Print out diagnostics related to policy processing.