From fa7b01115bc33d9b40936688bb3c952dc93b645a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 27 Jan 2015 11:15:15 +0000 Subject: Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag. Reviewed-by: Dr. Stephen Henson --- doc/apps/verify.pod | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'doc/apps/verify.pod') diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index a5a00638be..d422913c08 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -30,6 +30,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-untrusted file>] [B<-use_deltas>] [B<-verbose>] @@ -164,6 +165,14 @@ Use certificates in CA file or CA directory before certificates in untrusted file when building the trust chain to verify certificates. This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +=item B<-no_alt_chains> + +When building a certificate chain, if the first certificate chain found is not +trusted, then OpenSSL will continue to check to see if an alternative chain can +be found that is trusted. With this option that behaviour is suppressed so that +only the first chain found is ever used. Using this option will force the +behaviour to match that of OpenSSL versions prior to 1.1.0. + =item B<-untrusted file> A file of untrusted certificates. The file should contain multiple certificates @@ -469,4 +478,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + =cut -- cgit v1.2.3