[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Viktor Dukhovni viktor at openssl.org
Wed Dec 13 15:53:32 UTC 2017

The branch OpenSSL_1_0_2-stable has been updated
       via  71d53e8ba5b9eeca9151f516f061ecdcbedbab00 (commit)
      from  b6adfa043fcd33960c277a75984701e87d06fa33 (commit)

- Log -----------------------------------------------------------------
commit 71d53e8ba5b9eeca9151f516f061ecdcbedbab00
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Mon Dec 11 19:05:35 2017 -0500

    Document the X509_V_FLAG_PARTIAL_CHAIN flag
    Also documented X509_V_FLAG_TRUSTED_FIRST
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>


Summary of changes:
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 44792f9..b7edfb4 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -203,6 +203,27 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
 alternative chain can be found that is trusted. With this flag set the behaviour
 will match that of OpenSSL versions prior to 1.0.2b.
+The B<X509_V_FLAG_TRUSTED_FIRST> flag causes chain construction to look for
+issuers in the trust store before looking at the untrusted certificates
+provided as part of the the peer chain.
+Though it is not on by default in OpenSSL 1.0.2, applications should generally
+set this flag.
+Local issuer certificates are often more likely to satisfy local security
+requirements and lead to a locally trusted root.
+This is especially important When some certificates in the trust store have
+explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>).
+The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the
+trust store to be treated as trust-anchors, in the same way as the self-signed
+root CA certificates.
+This makes it possible to trust certificates issued by an intermediate CA
+without having to trust its ancestor root CA.
+With OpenSSL 1.0.2, chain construction continues as long as there are
+additional trusted issuers in the trust store, and the last trusted issuer
+becomes the trust-anchor.
+Thus, even when an intermediate certificate is found in the trust store, the
+verified chain passed to callbacks may still be anchored by a root CA.
 =head1 NOTES
 The above functions should be used to manipulate verification parameters
@@ -236,6 +257,7 @@ L<X509_verify_cert(3)|X509_verify_cert(3)>,
 =head1 HISTORY

More information about the openssl-commits mailing list