The branch master has been updated via f517911d3106bdbc5052b1b85560eb6499e3b741 (commit) from eb48052ec96a7551391b5955f03f5ef70b3528f6 (commit)
- Log ----------------------------------------------------------------- commit f517911d3106bdbc5052b1b85560eb6499e3b741 Author: Viktor Dukhovni <openssl-us...@dukhovni.org> Date: Mon Dec 11 18:33:59 2017 -0500 Document the X509_V_FLAG_PARTIAL_CHAIN flag Also improved documentation of TRUSTED_FIRST Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Rich Salz <rs...@openssl.org> ----------------------------------------------------------------------- Summary of changes: doc/man3/X509_VERIFY_PARAM_set_flags.pod | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index a4e3061..947bd8a 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -248,10 +248,14 @@ check the signature anyway. A side effect of not checking the root CA signature is that disabled or unsupported message digests on the root CA are not treated as fatal errors. -If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain, -L<X509_verify_cert(3)> will search the trust store for issuer certificates before -searching the provided untrusted certificates. -As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. +When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain +in L<X509_verify_cert(3)> will search the trust store for issuer certificates +before searching the provided untrusted certificates. +Local issuer certificates are often more likely to satisfy local security +requirements and lead to a locally trusted root. +This is especially important when some certificates in the trust store have +explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>). +As of OpenSSL 1.1.0 this option is on by default. The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative chains. @@ -263,6 +267,19 @@ found that is trusted. As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option has no effect. +The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the +trust store to be treated as trust-anchors, in the same way as the self-signed +root CA certificates. +This makes it possible to trust certificates issued by an intermediate CA +without having to trust its ancestor root CA. +With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain +construction stops as soon as the first certificate from the trust store is +added to the chain, whether that certificate is a self-signed "root" +certificate or a not self-signed intermediate certificate. +Thus, when an intermediate certificate is found in the trust store, the +verified chain passed to callbacks may be shorter than it otherwise would +be without the B<X509_V_FLAG_PARTIAL_CHAIN> flag. + The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() is used to specify a verification time, the check is not suppressed. _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits