author Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2021-01-07 20:02:39 +0100
committer Dr. David von Oheimb <dev@ddvo.net> 2021-01-14 14:34:00 +0100
commit c476c06f507a2c64a59c8cc86f2109aa00cf5133 (patch)
tree 83787ab13dc20913c16fc816d1a442ea7e4b674a /doc
parent f5f4fbaa44af055e0658c6810b91aa8607e8383a (diff)
find_issuer(): When returning an expired issuer, take the most recently expired one
Also point out in the documenting comment that a non-expired issuer is preferred.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13805)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man1/openssl-verification-options.pod 2
1 files changed, 2 insertions, 0 deletions
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index af1c7e3a43..620eacf5cc 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -36,6 +36,8 @@ name of the current certificate are subject to further tests.
The relevant authority key identifier components of the current certificate
(if present) must match the subject key identifier (if present)
and issuer and serial number of the candidate issuer certificate.
+If there is such a certificate, the first one found that is currently valid
+is taken, otherwise the one that expired most recently of all such certificates.
The lookup first searches for issuer certificates in the trust store.
If it does not find a match there it consults
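Review bot: In the two added lines, "currently valid" is looser than the commit message's "non-expired", and the fallback clause covers only expired candidates, so a reader cannot tell how a matching issuer whose validity period has not yet started is treated. Please tie the wording to the validity period explicitly (for example "whose validity period includes the current time") and say which candidate is taken when none of the matches is within its validity period but not all of them are expired. "If there is such a certificate" also has a loose antecedent: the preceding sentence states the matching criteria rather than naming a set of certificates, so "If several candidate issuer certificates match" would read more clearly. Since the selected issuer may be an expired one, it would help users to note here that picking it does not mean the chain is accepted, if the later validity checks described in this page still apply to it.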