From 0daccd4dc1f1ac62181738a91714f35472e50f3c Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Thu, 28 Jan 2016 03:01:45 -0500 Subject: Check chain extensions also for trusted certificates This includes basic constraints, key usages, issuer EKUs and auxiliary trust OIDs (given a trust suitably related to the intended purpose). Added tests and updated documentation. Reviewed-by: Dr. Stephen Henson --- doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'doc/crypto/X509_VERIFY_PARAM_set_flags.pod') diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index a2219d2aae..53a063a48c 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -197,11 +197,20 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B be prepared to handle such cases without assuming they are hard errors. +If B is set, when constructing the certificate chain, +L will search the trust store for issuer certificates before +searching the provided untrusted certificates. +As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. + The B flag suppresses checking for alternative -chains. By default, when building a certificate chain, if the first certificate -chain found is not trusted, then OpenSSL will continue to check to see if an -alternative chain can be found that is trusted. With this flag set the behaviour -will match that of OpenSSL versions prior to 1.1.0. +chains. +By default, unless B is set, when building a +certificate chain, if the first certificate chain found is not trusted, then +OpenSSL will attempt to replace untrusted certificates supplied by the peer +with certificates from the trust store to see if an alternative chain can be +found that is trusted. +As of OpenSSL 1.1.0, with B always set, this option +has no effect. The B flag suppresses checking the validity period of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() -- cgit v1.2.3