From d33def662443c4b534c6b261a3b01f3960339c78 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Tue, 9 Feb 2016 14:17:13 -0500 Subject: Deprecate the -issuer_checks debugging option This was a developer debugging feature and was never a useful public interface. Added all missing X509 error codes to the verify(1) manpage, but many still need a description beyond the associated text string. Sorted the errors in x509_txt.c by error number. Reviewed-by: Stephen Henson --- apps/apps.h | 3 +-- apps/opt.c | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'apps') diff --git a/apps/apps.h b/apps/apps.h index 3c132e7a9b..d4c2b11b8b 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -207,8 +207,7 @@ void wait_for_async(SSL *s); "check peer certificate matches \"ipaddr\"" }, \ { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \ "Disable critical extension checking"}, \ - { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \ - "Enable debugging of certificate issuer checks"}, \ + { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \ { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \ { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \ { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \ diff --git a/apps/opt.c b/apps/opt.c index 49db5b66e4..3525b969c6 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL); break; case OPT_V_ISSUER_CHECKS: - X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK); + /* NOP, deprecated */ break; case OPT_V_CRL_CHECK: X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK); -- cgit v1.2.3