authorViktor Dukhovni <openssl-users@dukhovni.org>2016-02-09 14:17:13 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-02-10 12:34:06 -0500
commitd33def662443c4b534c6b261a3b01f3960339c78 (patch)
tree4e95fd943d9df02700d60d5dbb493a6a2d4dec05 /apps
parent056be06b4dfd7eaf7914febd043e9b446e1ed772 (diff)
Deprecate the -issuer_checks debugging option
This was a developer debugging feature and was never a useful public interface. Added all missing X509 error codes to the verify(1) manpage, but many still need a description beyond the associated text string. Sorted the errors in x509_txt.c by error number. Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/apps.h3
-rw-r--r--apps/opt.c2
2 files changed, 2 insertions, 3 deletions
diff --git a/apps/apps.h b/apps/apps.h
index 3c132e7a9b..d4c2b11b8b 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -207,8 +207,7 @@ void wait_for_async(SSL *s);
"check peer certificate matches \"ipaddr\"" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"Disable critical extension checking"}, \
- { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
- "Enable debugging of certificate issuer checks"}, \
+ { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \
diff --git a/apps/opt.c b/apps/opt.c
index 49db5b66e4..3525b969c6 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
break;
case OPT_V_ISSUER_CHECKS:
- X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+ /* NOP, deprecated */
break;
case OPT_V_CRL_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
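Review bot: The `OPT_V_ISSUER_CHECKS` case in `opt_verify` now accepts `-issuer_checks` and silently does nothing, so a caller who still passes the flag gets no signal that the issuer-check debugging output is gone. The comment would help the next maintainer more if it said why the case is kept, e.g. `/* Deprecated no-op: still parsed so existing command lines do not fail */`. For the same reason the help string in apps.h could read `"(deprecated, ignored)"` rather than `"(deprecated)"`, so that the help output states the option has no effect. The body of `opt_verify` continues outside the hunk, and the diff shown is limited to apps, so how the library now treats `X509_V_FLAG_CB_ISSUER_CHECK` is not visible here.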