diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-02-09 14:17:13 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-02-10 12:34:06 -0500 |
commit | d33def662443c4b534c6b261a3b01f3960339c78 (patch) | |
tree | 4e95fd943d9df02700d60d5dbb493a6a2d4dec05 /doc/crypto/X509_VERIFY_PARAM_set_flags.pod | |
parent | 056be06b4dfd7eaf7914febd043e9b446e1ed772 (diff) |
Deprecate the -issuer_checks debugging option
This was a developer debugging feature and was never a useful public
interface.
Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.
Sorted the errors in x509_txt.c by error number.
Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'doc/crypto/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r-- | doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 53a063a48c..6fb33edd91 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -191,12 +191,6 @@ check the signature anyway. A side effect of not checking the root CA signature is that disabled or unsupported message digests on the root CA are not treated as fatal errors. -The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate -issuer checks. It is B<not> needed unless you are logging certificate -verification. If this flag is set then additional status codes will be sent -to the verification callback and it B<must> be prepared to handle such cases -without assuming they are hard errors. - If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain, L<X509_verify_cert(3)> will search the trust store for issuer certificates before searching the provided untrusted certificates. @@ -253,5 +247,7 @@ L<X509_check_ip(3)> =head1 HISTORY The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0 +The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of +OpenSSL 1.1.0, and has no effect. =cut |