-rw-r--r-- | usr.bin/openssl/apps.c | 4 | ||||
-rw-r--r-- | usr.bin/openssl/openssl.1 | 7 | ||||
-rw-r--r-- | usr.bin/openssl/verify.c | 6 |
3 files changed, 13 insertions, 4 deletions
diff --git a/usr.bin/openssl/apps.c b/usr.bin/openssl/apps.c
index e1dcd48b37a..2c228aad598 100644
--- a/usr.bin/openssl/apps.c
+++ b/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.56 2020/10/14 07:20:09 tb Exp $ */
+/* $OpenBSD: apps.c,v 1.57 2020/10/26 11:48:39 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -1916,6 +1916,8 @@ args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
 flags |= X509_V_FLAG_POLICY_CHECK;
 else if (!strcmp(arg, "-explicit_policy"))
 flags |= X509_V_FLAG_EXPLICIT_POLICY;
+ else if (!strcmp(arg, "-legacy_verify"))
+ flags |= X509_V_FLAG_LEGACY_VERIFY;
 else if (!strcmp(arg, "-inhibit_any"))
 flags |= X509_V_FLAG_INHIBIT_ANY;
 else if (!strcmp(arg, "-inhibit_map"))
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index e364586f5ad..474f00f4935 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.125 2020/07/14 09:52:46 inoguchi Exp $
+.\" $OpenBSD: openssl.1,v 1.126 2020/10/26 11:48:39 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: July 14 2020 $
+.Dd $Mdocdate: October 26 2020 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -5859,6 +5859,7 @@ The default is no.
 .Op Fl inhibit_any
 .Op Fl inhibit_map
 .Op Fl issuer_checks
+.Op Fl legacy_verify
 .Op Fl policy_check
 .Op Fl purpose Ar purpose
 .Op Fl trusted Ar file
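Review bot: In the args_verify hunk of usr.bin/openssl/apps.c, the new `-legacy_verify` branch changes which chain verification code decides whether a certificate is trusted, but the code carries no hint that this is a switch away from the default path. A one-line comment above the branch would make that visible to the next reader, for example `/* select the legacy chain verification code instead of the default */`. The openssl.1 hunks add the option to a single option list; if args_verify also parses verification arguments for other subcommands, which the hunk does not show, their manual sections would need the same entry. args_verify starts and ends outside the hunk.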
@@ -5931,6 +5932,8 @@ showing why each candidate issuer certificate was rejected. The presence of rejection messages does not itself imply that anything is wrong: during the normal verify process several rejections may take place. +.It Fl legacy_verify +Use the legacy X.509 certificate chain verification code. .It Fl policy_check Enable certificate policy processing. .It Fl purpose Ar purpose diff --git a/usr.bin/openssl/verify.c b/usr.bin/openssl/verify.c index 3da41b917a2..e4443148ce3 100644 --- a/usr.bin/openssl/verify.c +++ b/usr.bin/openssl/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.8 2020/07/14 19:08:30 jsing Exp $ */ +/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -193,6 +193,10 @@ static const struct option verify_shared_options[] = { .desc = "Enable debugging of certificate issuer checks", }, { + .name = "legacy_verify", + .desc = "Use legacy certificate chain verification", + }, + { .name = "policy", .argname = "name", .desc = "Add given policy to the acceptable set", |
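Review bot: In the verify_shared_options hunk of usr.bin/openssl/verify.c, the new entry sets only `.name` and `.desc`, so as far as the hunk shows the table describes the option while the flag itself is set by the string comparison in args_verify in apps.c. Nothing ties the two spellings together, so a rename in one place would leave the usage text and the parser out of step. A comment on the table such as `/* usage text only: parsing is done by args_verify() in apps.c */` would make the dependency visible, if that is indeed how the table is used. The table starts and ends outside the hunk.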