Diffstat (limited to 'crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r-- | crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 7593dea7dab9..f6f304bf7bd0 100644 --- a/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -129,7 +129,7 @@ interoperable, though it will, for example, reject MD5 signatures or RSA keys shorter than 1024 bits. X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to -B<name> clearing any previously specified host name or names. If +B<name> clearing any previously specified hostname or names. If B<name> is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If B<name> is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> 
@@ -264,12 +264,15 @@ they are enabled. If B<X509_V_FLAG_USE_DELTAS> is set delta CRLs (if present) are used to determine certificate status. If not set deltas are ignored. -B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed -certificate signature. By default this check is disabled because it doesn't +B<X509_V_FLAG_CHECK_SS_SIGNATURE> requests checking the signature of +the last certificate in a chain if the certificate is supposedly self-signed. +This is prohibited and will result in an error if it is a non-conforming CA +certificate with key usage restrictions not including the keyCertSign bit. +By default this check is disabled because it doesn't add any additional security but in some cases applications might want to -check the signature anyway. A side effect of not checking the root CA -signature is that disabled or unsupported message digests on the root CA -are not treated as fatal errors. +check the signature anyway. A side effect of not checking the self-signature +of such a certificate is that disabled or unsupported message digests used for +the signature are not treated as fatal errors. When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain in L<X509_verify_cert(3)> will search the trust store for issuer certificates @@ -376,7 +379,7 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. =head1 COPYRIGHT -Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |
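Review bot: In the second hunk, the added sentence "This is prohibited and will result in an error if it is a non-conforming CA certificate with key usage restrictions not including the keyCertSign bit" leaves both "This" and "it" without a clear antecedent, so a reader cannot tell whether the flag, the signature check, or the self-signed certificate is what is prohibited. Suggest rewording along the lines of "Checking the self-signature is not possible, and results in a verification error, if the certificate is a non-conforming CA certificate whose key usage extension does not include keyCertSign", and naming the specific X509_V_ERR_* code the verifier reports so applications can recognise it. The retained claim that the check "doesn't add any additional security" now sits beside text stating that the check can fail outright; a short clause explaining why the self-signature adds no assurance would keep the paragraph self-consistent.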