Diffstat (limited to 'doc/crypto/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r-- doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 17
1 files changed, 13 insertions, 4 deletions
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index a2219d2aae..53a063a48c 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -197,11 +197,20 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B<must> be prepared to handle such cases without assuming they are hard errors. +If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain, +L<X509_verify_cert(3)> will search the trust store for issuer certificates before +searching the provided untrusted certificates. +As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. + The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative -chains. By default, when building a certificate chain, if the first certificate -chain found is not trusted, then OpenSSL will continue to check to see if an -alternative chain can be found that is trusted. With this flag set the behaviour -will match that of OpenSSL versions prior to 1.1.0. +chains. +By default, unless B<X509_V_FLAG_TRUSTED_FIRST> is set, when building a +certificate chain, if the first certificate chain found is not trusted, then +OpenSSL will attempt to replace untrusted certificates supplied by the peer +with certificates from the trust store to see if an alternative chain can be +found that is trusted. +As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option +has no effect. The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() |
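Review bot: The rewritten B<X509_V_FLAG_NO_ALT_CHAINS> paragraph reads as contradictory: its first sentence still states in the present tense that the flag "suppresses checking for alternative chains", the middle describes the alternative-chain search as current default behaviour, and only the final sentence reveals that on OpenSSL 1.1.0 the flag "has no effect". A reader skimming for what the flag does today will stop at the first sentence and may set it expecting it to restrict chain building. Suggest leading with the version statement and demoting the rest to history, e.g. "As of OpenSSL 1.1.0 this flag has no effect, because B<X509_V_FLAG_TRUSTED_FIRST> is always set. In earlier versions, unless B<X509_V_FLAG_TRUSTED_FIRST> was set, ... and B<X509_V_FLAG_NO_ALT_CHAINS> suppressed that search." The same applies to the new B<X509_V_FLAG_TRUSTED_FIRST> paragraph: "cannot be disabled" should say what happens to a caller that tries (whether the request is silently ignored or reported), since that is what someone auditing verification settings will want to know.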