diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2017-12-11 18:33:59 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2017-12-13 10:50:39 -0500 |
commit | f517911d3106bdbc5052b1b85560eb6499e3b741 (patch) | |
tree | dac12cabef8bdef2a6dcb3c9ab22a0f9a367c4fe /doc | |
parent | eb48052ec96a7551391b5955f03f5ef70b3528f6 (diff) | |
download | openssl-f517911d3106bdbc5052b1b85560eb6499e3b741.tar.gz |
Document the X509_V_FLAG_PARTIAL_CHAIN flag
Also improved documentation of TRUSTED_FIRST
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/X509_VERIFY_PARAM_set_flags.pod | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index a4e30614cd..947bd8a232 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -248,10 +248,14 @@ check the signature anyway. A side effect of not checking the root CA signature is that disabled or unsupported message digests on the root CA are not treated as fatal errors. -If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain, -L<X509_verify_cert(3)> will search the trust store for issuer certificates before -searching the provided untrusted certificates. -As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. +When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain +in L<X509_verify_cert(3)> will search the trust store for issuer certificates +before searching the provided untrusted certificates. +Local issuer certificates are often more likely to satisfy local security +requirements and lead to a locally trusted root. +This is especially important when some certificates in the trust store have +explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>). +As of OpenSSL 1.1.0 this option is on by default. The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative chains. @@ -263,6 +267,19 @@ found that is trusted. As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option has no effect. +The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the +trust store to be treated as trust-anchors, in the same way as the self-signed +root CA certificates. +This makes it possible to trust certificates issued by an intermediate CA +without having to trust its ancestor root CA. +With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain +construction stops as soon as the first certificate from the trust store is +added to the chain, whether that certificate is a self-signed "root" +certificate or a not self-signed intermediate certificate. +Thus, when an intermediate certificate is found in the trust store, the +verified chain passed to callbacks may be shorter than it otherwise would +be without the B<X509_V_FLAG_PARTIAL_CHAIN> flag. + The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() is used to specify a verification time, the check is not suppressed. |