Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead. Conflicts: apps/cms.c apps/ocsp.c apps/s_client.c apps/s_server.c apps/smime.c apps/verify.c Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell
parent
dfd3322d72
commit
017a06c7d1
7 changed files with 13 additions and 1 deletions
|
|
@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *pargc,
|
|||
flags |= X509_V_FLAG_SUITEB_192_LOS;
|
||||
else if (!strcmp(arg, "-partial_chain"))
|
||||
flags |= X509_V_FLAG_PARTIAL_CHAIN;
|
||||
else if (!strcmp(arg, "-no_alt_chains"))
|
||||
flags |= X509_V_FLAG_NO_ALT_CHAINS;
|
||||
else
|
||||
return 0;
|
||||
|
||||
|
|
|
|||
|
|
@ -645,6 +645,8 @@ int MAIN(int argc, char **argv)
|
|||
BIO_printf(bio_err,
|
||||
"-CApath dir trusted certificates directory\n");
|
||||
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
BIO_printf(bio_err,
|
||||
|
|
|
|||
|
|
@ -535,6 +535,8 @@ int MAIN(int argc, char **argv)
|
|||
"-CApath dir trusted certificates directory\n");
|
||||
BIO_printf(bio_err,
|
||||
"-CAfile file trusted certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
"-VAfile file validator certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
|
|
|
|||
|
|
@ -331,6 +331,8 @@ static void sc_usage(void)
|
|||
" -pass arg - private key file pass phrase source\n");
|
||||
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||
BIO_printf(bio_err,
|
||||
" -no_alt_chains - only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||
BIO_printf(bio_err,
|
||||
|
|
|
|||
|
|
@ -553,6 +553,8 @@ static void sv_usage(void)
|
|||
BIO_printf(bio_err, " -state - Print the SSL states\n");
|
||||
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||
BIO_printf(bio_err,
|
||||
" -no_alt_chains - only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
" -nocert - Don't use any certificates (Anon-DH)\n");
|
||||
BIO_printf(bio_err,
|
||||
|
|
|
|||
|
|
@ -441,6 +441,8 @@ int MAIN(int argc, char **argv)
|
|||
BIO_printf(bio_err,
|
||||
"-CApath dir trusted certificates directory\n");
|
||||
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||
BIO_printf(bio_err,
|
||||
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||
BIO_printf(bio_err,
|
||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
BIO_printf(bio_err,
|
||||
|
|
|
|||
|
|
@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
|
|||
if (ret == 1) {
|
||||
BIO_printf(bio_err,
|
||||
"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
||||
BIO_printf(bio_err, " [-attime timestamp]");
|
||||
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
BIO_printf(bio_err, " [-engine e]");
|
||||
#endif
|
||||
|
|
|
|||
Loading…
Reference in a new issue