diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-28 03:01:45 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-31 21:23:23 -0500 |
commit | 0daccd4dc1f1ac62181738a91714f35472e50f3c (patch) | |
tree | 5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /doc/apps | |
parent | 1b4cf96f9b82ec3b06e7902bb21620a09cadd94e (diff) |
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r-- | doc/apps/verify.pod | 26 | ||||
-rw-r--r-- | doc/apps/x509.pod | 9 |
2 files changed, 22 insertions, 13 deletions
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index e15a5de968..6d54592687 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -198,14 +198,16 @@ When constructing the certificate chain, use the trusted certificates specified via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via B<-untrusted>. This can be useful in environments with Bridge or Cross-Certified CAs. +As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. =item B<-no_alt_chains> -When building a certificate chain, if the first certificate chain found is not -trusted, then OpenSSL will continue to check to see if an alternative chain can -be found that is trusted. With this option that behaviour is suppressed so that -only the first chain found is ever used. Using this option will force the -behaviour to match that of OpenSSL versions prior to 1.1.0. +By default, unless B<-trusted_first> is specified, when building a certificate +chain, if the first certificate chain found is not trusted, then OpenSSL will +attempt to replace untrusted issuer certificates with certificates from the +trust store to see if an alternative chain can be found that is trusted. +As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no +effect. =item B<-untrusted file> @@ -264,13 +266,17 @@ the subject certificate. Use default verification policies like trust model and required certificate policies identified by B<name>. +The trust model determines which auxiliary trust or reject OIDs are applicable +to verifying the given certificate chain. +See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line +utility. Supported policy names include: B<default>, B<pkcs7>, B<smime_sign>, B<ssl_client>, B<ssl_server>. -This checks not only the purpose of the leaf certificate, but also the -trust settings of the trusted CAs. -When in doubt, use this option rather than B<-purpose>. -The B<-verify_name> option more closely matches how certificates are checked in -e.g. SSL and S/MIME. +These mimics the combinations of purpose and trust settings used in SSL, CMS +and S/MIME. +As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not +specified, so the B<-verify_name> options are functionally equivalent to the +corresponding B<-purpose> settings. =item B<-x509_strict> diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 1c98e9decf..637eedc947 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -289,9 +289,12 @@ clears all the prohibited or rejected uses of the certificate. =item B<-addtrust arg> -adds a trusted certificate use. Any object name can be used here -but currently only B<clientAuth> (SSL client use), B<serverAuth> -(SSL server use) and B<emailProtection> (S/MIME email) are used. +adds a trusted certificate use. +Any object name can be used here but currently only B<clientAuth> (SSL client +use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and +B<anyExtendedKeyUsage> are used. +As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or +enables all purposes when trusted. Other OpenSSL applications may define additional uses. =item B<-addreject arg> |