Import OpenSSL 1.1.0h
@@ -248,10 +248,14 @@ check the signature anyway. A side effect of not checking the root CA
signature is that disabled or unsupported message digests on the root CA
are not treated as fatal errors.
If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
L<X509_verify_cert(3)> will search the trust store for issuer certificates before
searching the provided untrusted certificates.
As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain
in L<X509_verify_cert(3)> will search the trust store for issuer certificates
before searching the provided untrusted certificates.
Local issuer certificates are often more likely to satisfy local security
requirements and lead to a locally trusted root.
This is especially important when some certificates in the trust store have
explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>).
As of OpenSSL 1.1.0 this option is on by default.
The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
chains.
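Review bot: the rewritten B<X509_V_FLAG_TRUSTED_FIRST> paragraph drops "and cannot be disabled" from the old sentence "As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.", while the B<X509_V_FLAG_NO_ALT_CHAINS> text in the next hunk still says "with B<X509_V_FLAG_TRUSTED_FIRST> always set"; if the flag is still unconditional, keep the "cannot be disabled" wording so the two paragraphs agree, and if it is not, the NO_ALT_CHAINS sentence needs the matching update. Note also that the new cross-reference to "TRUST SETTINGS" in L<x509(1)> relies on the L<x509(1)> entry added to SEE ALSO later in this patch.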
@@ -263,6 +267,19 @@ found that is trusted.
As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option
has no effect.
The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the
trust store to be treated as trust-anchors, in the same way as the self-signed
root CA certificates.
This makes it possible to trust certificates issued by an intermediate CA
without having to trust its ancestor root CA.
With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain
construction stops as soon as the first certificate from the trust store is
added to the chain, whether that certificate is a self-signed "root"
certificate or a not self-signed intermediate certificate.
Thus, when an intermediate certificate is found in the trust store, the
verified chain passed to callbacks may be shorter than it otherwise would
be without the B<X509_V_FLAG_PARTIAL_CHAIN> flag.
The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period
of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
is used to specify a verification time, the check is not suppressed.
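Review bot: in the new B<X509_V_FLAG_PARTIAL_CHAIN> paragraph the line "With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain" is missing the POD B<> formatting code, so the flag name will not render as the other two mentions in the same paragraph do; it should read `With OpenSSL 1.1.0 and later and B<X509_V_FLAG_PARTIAL_CHAIN> set, chain`. The sentence stating that the verified chain passed to callbacks may be shorter is the observable behavioural difference and is worth keeping as written.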
@@ -321,7 +338,8 @@ connections associated with an B<SSL_CTX> structure B<ctx>:
L<X509_verify_cert(3)>,
L<X509_check_host(3)>,
L<X509_check_email(3)>,
L<X509_check_ip(3)>
L<X509_check_ip(3)>,
L<x509(1)>
=head1 HISTORY
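Review bot: the SEE ALSO change is consistent: L<X509_check_ip(3)> gains the trailing comma it needs before the new last entry, and the added L<x509(1)> is the page that the "TRUST SETTINGS" reference introduced earlier in this patch points at, so the two hunks should land together rather than be split.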
@@ -331,7 +349,7 @@ OpenSSL 1.1.0, and has no effect.
=head1 COPYRIGHT
Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy