summaryrefslogtreecommitdiffstats
path: root/doc/man1/verify.pod
AgeCommit message (Collapse)Author
2020-12-03x509_vfy.c: Restore rejection of expired trusted (root) certificateDr. David von Oheimb
The certificate path validation procedure specified in RFC 5280 does not include checking the validity period of the trusted (root) certificate. Still it is common good practice to perform this check. Also OpenSSL did this until version 1.1.1h, yet commit e2590c3a162eb118c36b09c2168164283aa099b4 accidentally killed it. The current commit restores the previous behavior. It also removes the cause of that bug, namely counter-intuitive design of the internal function check_issued(), which was complicated by checks that actually belong to some other internal function, namely find_issuer(). Moreover, this commit adds a regression check and proper documentation of the root cert validity period check feature, which had been missing so far. Fixes #13471 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13585)
2020-09-22Update copyright yearMatt Caswell
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12949)
2020-07-24Fix typos and repeated wordsGustaf Neumann
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12370)
2020-07-16x509_vfy.c: Improve key usage checks in internal_verify() of cert chainsDr. David von Oheimb
If a presumably self-signed cert is last in chain we verify its signature only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the signature verification, but not in case it is a (non-conforming) self-issued CA certificate with a key usage extension that does not include keyCertSign. Make clear when we must verify the signature of a certificate and when we must adhere to key usage restrictions of the 'issuing' cert. Add some comments for making internal_verify() easier to understand. Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12357)
2018-12-15man: harmonize the various formulations in the HISTORY sectionsDr. Matthias St. Pierre
While stereotyped repetitions are frowned upon in literature, they serve a useful purpose in manual pages, because it is easier for the user to find certain information if it is always presented in the same way. For that reason, this commit harmonizes the varying formulations in the HISTORY section about which functions, flags, etc. were added in which OpenSSL version. It also attempts to make the pod files more grep friendly by avoiding to insert line breaks between the symbol names and the corresponding version number in which they were introduced (wherever possible). Some punctuation and typographical errors were fixed on the way. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7854)
2017-10-18Additional name for all commandsRich Salz
Add openssl-foo as a name for the openssl "foo" command. Addresses an issue found by a usability study to be published. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4553)
2017-04-12OCSP Updates: error codes and multiple certificatesTodd Short
RT3877: Add X509 OCSP error codes and messages Add additional OCSP error codes for X509 verify usage RT3867: Support Multiple CA certs in ocsp app Add the ability to read multiple CA certs from a single file in the ocsp app. Update some missing X509 errors in documentation. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/941)
2017-03-30Documentation updatesPauli
Fix capitilistion of list items. Wrap long lines. Add full stops to the ends of sentances. Change ciphersuite to cipher suite in all of doc. [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3082)
2017-02-20Added '-nameopt' option to the verify command.Dmitry Belyavskiy
It makes possible to print the certificate's DN correctly in case of verification errors. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2656)
2016-12-13Fix various doc nits.Rich Salz
find-doc-nits warns if you don't give a "what to do flag" Don't use regexps for section names, just strings: More consistency. Rename "COMMAND OPTIONS" to OPTIONS. Fix a couple of other nit-level things. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2076)
2016-10-26Move manpages to man[1357] structure.Rich Salz
Move manpages to manX directories Add Windows/VMS install fix from Richard Levitte Update README Fix typo's Remove some duplicates Reviewed-by: Richard Levitte <levitte@openssl.org>
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-20 18:17:02 +0000