author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-03-18 22:09:41 -0400
committer: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-04-03 11:35:35 -0400
commit: fbb82a60dcbe820714a246ab3e7617eaf3a7b656
tree: 261c976e4e3d6dbea776b0fb54c635bd2a10eebd /doc/apps/verify.pod
parent: 70dd3c6593d87e4cbb56b485717cb2cfff730f3e

Move peer chain security checks into x509_vfy.c

A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default.

The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Diffstat (limited to 'doc/apps/verify.pod')
-rw-r--r-- doc/apps/verify.pod 24
1 files changed, 23 insertions, 1 deletions
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index ecde35fe8a..96d6be4a4d 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -38,6 +38,7 @@ B<openssl> B<verify>
[B<-trusted file>]
[B<-use_deltas>]
[B<-verbose>]
+[B<-auth_level level>]
[B<-verify_depth num>]
[B<-verify_email email>]
[B<-verify_hostname hostname>]
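
Review bot: in the SYNOPSIS, the new [B<-auth_level level>] entry sits after -verbose, which breaks the alphabetical order the neighbouring entries follow (-trusted, -use_deltas, -verbose, -verify_depth, -verify_email, -verify_hostname). The OPTIONS section in the next hunk uses the same position, so the two lists are at least consistent with each other; if grouping it with the -verify_* options is intended that is fine, otherwise move both entries to their alphabetical place so the option is easy to find.
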
@@ -227,9 +228,30 @@ Enable support for delta CRLs.
Print extra information about the operations being performed.
+=item B<-auth_level level>
+
+Set the certificate chain authentication security level to B<level>.
+The authentication security level determines the acceptable signature and
+public key strength when verifying certificate chains.
+For a certificate chain to validate, the public keys of all the certificates
+must meet the specified security B<level>.
+The signature algorithm security level is enforced for all the certificates in
+the chain except for the chain's I<trust anchor>, which is either directly
+trusted or validated by means other than its signature.
+See L<SSL_CTX_set_security_level(3)> for the definitions of the available
+levels.
+The default security level is -1, or "not set".
+At security level 0 or lower all algorithms are acceptable.
+Security level 1 requires at least 80-bit-equivalent security and is broadly
+interoperable, though it will, for example, reject MD5 signatures or RSA keys
+shorter than 1024 bits.
+
=item B<-verify_depth num>
-Limit the maximum depth of the certificate chain to B<num> certificates.
+Limit the certificate chain to B<num> intermediate CA certificates.
+A maximal depth chain can have up to B<num+2> certificates, since neither the
+end-entity certificate nor the trust-anchor certificate count against the
+B<-verify_depth> limit.
=item B<-verify_email email>
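
Review bot: the -auth_level text says the default is -1, or "not set", but never states what verification does in that state. A reader has to infer from the following sentence ("At security level 0 or lower all algorithms are acceptable") that no key or signature strength checks are applied unless the option is given. Say so directly, since that is the security-relevant default for anyone scripting verify(1) and expecting weak chains to be rejected. In the -verify_depth text, "neither the end-entity certificate nor the trust-anchor certificate count" should read "counts", and it would help to spell out what B<num> of 0 permits (by the num+2 rule, an end-entity certificate issued directly by the trust anchor), because the meaning of the limit changes with this rewording.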