Deprecate the -issuer_checks debugging option

This was a developer debugging feature and was never a useful public
interface.

Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.

Sorted the errors in x509_txt.c by error number.

Reviewed-by: Stephen Henson <steve@openssl.org>

1 files changed, 2 insertions, 6 deletions

diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 53a063a48c..6fb33edd91 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -191,12 +191,6 @@ check the signature anyway. A side effect of not checking the root CA
 signature is that disabled or unsupported message digests on the root CA
 are not treated as fatal errors.
 
-The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate
-issuer checks. It is B<not> needed unless you are logging certificate
-verification. If this flag is set then additional status codes will be sent
-to the verification callback and it B<must> be prepared to handle such cases
-without assuming they are hard errors.
-
 If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
 L<X509_verify_cert(3)> will search the trust store for issuer certificates before
 searching the provided untrusted certificates.
@@ -253,5 +247,7 @@ L<X509_check_ip(3)>
 =head1 HISTORY
 
 The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0
+The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of
+OpenSSL 1.1.0, and has no effect.
 
 =cut