1.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $ 2.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 3.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 4.\" 5.\" This file is a derived work. 6.\" The changes are covered by the following Copyright and license: 7.\" 8.\" Copyright (c) 2018, 2021, 2022 Ingo Schwarze <schwarze@openbsd.org> 9.\" 10.\" Permission to use, copy, modify, and distribute this software for any 11.\" purpose with or without fee is hereby granted, provided that the above 12.\" copyright notice and this permission notice appear in all copies. 13.\" 14.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21.\" 22.\" The original file was written by Dr. Stephen Henson <steve@openssl.org> 23.\" and Viktor Dukhovni <viktor@dukhovni.org>. 24.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project. 25.\" All rights reserved. 26.\" 27.\" Redistribution and use in source and binary forms, with or without 28.\" modification, are permitted provided that the following conditions 29.\" are met: 30.\" 31.\" 1. Redistributions of source code must retain the above copyright 32.\" notice, this list of conditions and the following disclaimer. 33.\" 34.\" 2. Redistributions in binary form must reproduce the above copyright 35.\" notice, this list of conditions and the following disclaimer in 36.\" the documentation and/or other materials provided with the 37.\" distribution. 38.\" 39.\" 3. 
All advertising materials mentioning features or use of this 40.\" software must display the following acknowledgment: 41.\" "This product includes software developed by the OpenSSL Project 42.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 43.\" 44.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 45.\" endorse or promote products derived from this software without 46.\" prior written permission. For written permission, please contact 47.\" openssl-core@openssl.org. 48.\" 49.\" 5. Products derived from this software may not be called "OpenSSL" 50.\" nor may "OpenSSL" appear in their names without prior written 51.\" permission of the OpenSSL Project. 52.\" 53.\" 6. Redistributions of any form whatsoever must retain the following 54.\" acknowledgment: 55.\" "This product includes software developed by the OpenSSL Project 56.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 57.\" 58.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 59.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 60.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 61.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 62.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 63.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 64.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 65.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 66.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 67.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 68.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 69.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
70.\" 71.Dd $Mdocdate: April 30 2023 $ 72.Dt X509_VERIFY_PARAM_SET_FLAGS 3 73.Os 74.Sh NAME 75.Nm X509_VERIFY_PARAM_get0_name , 76.Nm X509_VERIFY_PARAM_set1_name , 77.Nm X509_VERIFY_PARAM_set_flags , 78.Nm X509_VERIFY_PARAM_clear_flags , 79.Nm X509_VERIFY_PARAM_get_flags , 80.Nm X509_VERIFY_PARAM_set_purpose , 81.Nm X509_VERIFY_PARAM_set_trust , 82.Nm X509_VERIFY_PARAM_set_time , 83.Nm X509_VERIFY_PARAM_get_time , 84.Nm X509_VERIFY_PARAM_add0_policy , 85.Nm X509_VERIFY_PARAM_set1_policies , 86.Nm X509_VERIFY_PARAM_set_depth , 87.Nm X509_VERIFY_PARAM_get_depth , 88.Nm X509_VERIFY_PARAM_set_auth_level , 89.Nm X509_VERIFY_PARAM_set1_host , 90.Nm X509_VERIFY_PARAM_add1_host , 91.Nm X509_VERIFY_PARAM_set_hostflags , 92.Nm X509_VERIFY_PARAM_get0_peername , 93.Nm X509_VERIFY_PARAM_set1_email , 94.Nm X509_VERIFY_PARAM_set1_ip , 95.Nm X509_VERIFY_PARAM_set1_ip_asc 96.Nd X509 verification parameters 97.Sh SYNOPSIS 98.In openssl/x509_vfy.h 99.Ft const char * 100.Fo X509_VERIFY_PARAM_get0_name 101.Fa "const X509_VERIFY_PARAM *param" 102.Fc 103.Ft int 104.Fo X509_VERIFY_PARAM_set1_name 105.Fa "X509_VERIFY_PARAM *param" 106.Fa "const char *name" 107.Fc 108.Ft int 109.Fo X509_VERIFY_PARAM_set_flags 110.Fa "X509_VERIFY_PARAM *param" 111.Fa "unsigned long flags" 112.Fc 113.Ft int 114.Fo X509_VERIFY_PARAM_clear_flags 115.Fa "X509_VERIFY_PARAM *param" 116.Fa "unsigned long flags" 117.Fc 118.Ft unsigned long 119.Fo X509_VERIFY_PARAM_get_flags 120.Fa "X509_VERIFY_PARAM *param" 121.Fc 122.Ft int 123.Fo X509_VERIFY_PARAM_set_purpose 124.Fa "X509_VERIFY_PARAM *param" 125.Fa "int purpose" 126.Fc 127.Ft int 128.Fo X509_VERIFY_PARAM_set_trust 129.Fa "X509_VERIFY_PARAM *param" 130.Fa "int trust" 131.Fc 132.Ft void 133.Fo X509_VERIFY_PARAM_set_time 134.Fa "X509_VERIFY_PARAM *param" 135.Fa "time_t t" 136.Fc 137.Ft time_t 138.Fo X509_VERIFY_PARAM_get_time 139.Fa "const X509_VERIFY_PARAM *param" 140.Fc 141.Ft int 142.Fo X509_VERIFY_PARAM_add0_policy 143.Fa "X509_VERIFY_PARAM *param" 144.Fa 
"ASN1_OBJECT *policy" 145.Fc 146.Ft int 147.Fo X509_VERIFY_PARAM_set1_policies 148.Fa "X509_VERIFY_PARAM *param" 149.Fa "STACK_OF(ASN1_OBJECT) *policies" 150.Fc 151.Ft void 152.Fo X509_VERIFY_PARAM_set_depth 153.Fa "X509_VERIFY_PARAM *param" 154.Fa "int depth" 155.Fc 156.Ft int 157.Fo X509_VERIFY_PARAM_get_depth 158.Fa "const X509_VERIFY_PARAM *param" 159.Fc 160.Ft void 161.Fo X509_VERIFY_PARAM_set_auth_level 162.Fa "X509_VERIFY_PARAM *param" 163.Fa "int auth_level" 164.Fc 165.Ft int 166.Fo X509_VERIFY_PARAM_set1_host 167.Fa "X509_VERIFY_PARAM *param" 168.Fa "const char *name" 169.Fa "size_t namelen" 170.Fc 171.Ft int 172.Fo X509_VERIFY_PARAM_add1_host 173.Fa "X509_VERIFY_PARAM *param" 174.Fa "const char *name" 175.Fa "size_t namelen" 176.Fc 177.Ft void 178.Fo X509_VERIFY_PARAM_set_hostflags 179.Fa "X509_VERIFY_PARAM *param" 180.Fa "unsigned int flags" 181.Fc 182.Ft char * 183.Fo X509_VERIFY_PARAM_get0_peername 184.Fa "X509_VERIFY_PARAM *param" 185.Fc 186.Ft int 187.Fo X509_VERIFY_PARAM_set1_email 188.Fa "X509_VERIFY_PARAM *param" 189.Fa "const char *email" 190.Fa "size_t emaillen" 191.Fc 192.Ft int 193.Fo X509_VERIFY_PARAM_set1_ip 194.Fa "X509_VERIFY_PARAM *param" 195.Fa "const unsigned char *ip" 196.Fa "size_t iplen" 197.Fc 198.Ft int 199.Fo X509_VERIFY_PARAM_set1_ip_asc 200.Fa "X509_VERIFY_PARAM *param" 201.Fa "const char *ipasc" 202.Fc 203.Sh DESCRIPTION 204These functions manipulate an 205.Vt X509_VERIFY_PARAM 206object associated with a certificate verification operation. 207.Pp 208.Fn X509_VERIFY_PARAM_get0_name 209returns the name of the given 210.Fa param 211object, usually describing its purpose, for example 212.Qq default , 213.Qq pkcs7 , 214.Qq smime_sign , 215.Qq ssl_client , 216or 217.Qq ssl_server . 218For user-defined objects, the returned pointer may be 219.Dv NULL 220even if the object is otherwise valid. 
221.Pp 222.Fn X509_VERIFY_PARAM_set1_name 223sets the name of 224.Fa param 225to a copy of 226.Fa name , 227or to 228.Dv NULL 229if 230.Fa name 231is 232.Dv NULL . 233.Pp 234.Fn X509_VERIFY_PARAM_set_flags 235sets the flags in 236.Fa param 237by OR'ing it with 238.Fa flags . 239See the 240.Sx VERIFICATION FLAGS 241section for a complete description of values the 242.Fa flags 243parameter can take. 244.Pp 245If the 246.Fa flags 247argument includes any of the flags contained in 248.Dv X509_V_FLAG_POLICY_MASK , 249that is, any of 250.Dv X509_V_FLAG_POLICY_CHECK , 251.Dv X509_V_FLAG_EXPLICIT_POLICY , 252.Dv X509_V_FLAG_INHIBIT_ANY , 253and 254.Dv X509_V_FLAG_INHIBIT_MAP , 255then 256.Dv X509_V_FLAG_POLICY_CHECK 257is set in addition to the flags contained in the 258.Fa flags 259argument. 260.Pp 261.Fn X509_VERIFY_PARAM_get_flags 262returns the flags in 263.Fa param . 264.Pp 265.Fn X509_VERIFY_PARAM_clear_flags 266clears the specified 267.Fa flags 268in 269.Fa param . 270.Pp 271Calling this function can result in unusual internal states of the 272.Fa param 273object, for example having a verification time configured but having 274.Dv X509_V_FLAG_USE_CHECK_TIME 275unset, or having 276.Dv X509_V_FLAG_EXPLICIT_POLICY 277set but 278.Dv X509_V_FLAG_POLICY_CHECK 279unset, which may have surprising effects. 280.Pp 281.Fn X509_VERIFY_PARAM_set_purpose 282sets the verification 283.Fa purpose 284identifier in 285.Fa param . 286This determines the acceptable purpose of the certificate chain, for example 287.Dv X509_PURPOSE_SSL_CLIENT 288or 289.Dv X509_PURPOSE_SSL_SERVER . 290Standard purposes are listed in 291.Xr X509_check_purpose 3 , 292and additional purposes can be defined with 293.Xr X509_PURPOSE_add 3 . 294.Pp 295.Fn X509_VERIFY_PARAM_set_trust 296sets the trust setting in 297.Fa param 298to 299.Fa trust . 
300.Pp 301.Fn X509_VERIFY_PARAM_set_time 302sets the flag 303.Dv X509_V_FLAG_USE_CHECK_TIME 304in 305.Fa param 306in addition to the flags already set and sets the verification time to 307.Fa t . 308If this function is not called, the current time is used instead, 309or the UNIX Epoch (January 1, 1970) if 310.Dv X509_V_FLAG_USE_CHECK_TIME 311is manually set using 312.Fn X509_VERIFY_PARAM_set_flags . 313.Pp 314.Fn X509_VERIFY_PARAM_add0_policy 315enables policy checking (it is disabled by default) and adds 316.Fa policy 317to the acceptable policy set. 318.Pp 319.Fn X509_VERIFY_PARAM_set1_policies 320enables policy checking (it is disabled by default) and sets the 321acceptable policy set to 322.Fa policies . 323Any existing policy set is cleared. 324The 325.Fa policies 326parameter can be 327.Dv NULL 328to clear an existing policy set. 329.Pp 330.Fn X509_VERIFY_PARAM_set_depth 331sets the maximum verification depth to 332.Fa depth . 333That is the maximum number of untrusted CA certificates that can appear 334in a chain. 335.Pp 336.Fn X509_VERIFY_PARAM_set_auth_level 337sets the security level as defined in 338.Xr SSL_CTX_set_security_level 3 339for certificate chain validation. 340For a certificate chain to validate, the public keys of all the 341certificates must meet the specified security level. 342The signature algorithm security level is not enforced for the 343chain's trust anchor certificate, which is either directly trusted 344or validated by means other than its signature. 345.Pp 346From the point of view of the X.509 library, 347the default security level is 0. 348However, the SSL library 349uses a different default security level of 1 and calls 350.Fn X509_VERIFY_PARAM_set_auth_level 351with its own level before validating a certificate chain. 352.Pp 353.Fn X509_VERIFY_PARAM_set1_host 354sets the expected DNS hostname to 355.Fa name 356clearing any previously specified hostname or names. 
357If 358.Fa name 359is 360.Dv NULL 361or empty, the list of hostnames is cleared, and name checks are not 362performed on the peer certificate. 363.Fa namelen 364should be set to the length of 365.Fa name . 366For historical compatibility, if 367.Fa name 368is NUL-terminated, 369.Fa namelen 370may be specified as zero. 371When a hostname is specified, certificate verification automatically 372invokes 373.Xr X509_check_host 3 374with flags equal to the 375.Fa flags 376argument given to 377.Fn X509_VERIFY_PARAM_set_hostflags 378(default zero). 379.Fn X509_VERIFY_PARAM_set1_host 380will fail if 381.Fa name 382contains any embedded 0 bytes. 383.Pp 384.Fn X509_VERIFY_PARAM_add1_host 385adds 386.Fa name 387as an additional reference identifier that can match the peer's 388certificate. 389Any previous names set via 390.Fn X509_VERIFY_PARAM_set1_host 391and 392.Fn X509_VERIFY_PARAM_add1_host 393are retained. 394No change is made if 395.Fa name 396is 397.Dv NULL 398or empty. 399.Fa namelen 400should be set to the length of 401.Fa name . 402For historical compatibility, if 403.Fa name 404is NUL-terminated, 405.Fa namelen 406may be specified as zero. 407.Fn X509_VERIFY_PARAM_add1_host 408will fail if 409.Fa name 410contains any embedded 0 bytes. 411When multiple names are configured, the peer is considered verified when 412any name matches. 413.Pp 414.Fn X509_VERIFY_PARAM_get0_peername 415returns the DNS hostname or subject CommonName from the peer certificate 416that matched one of the reference identifiers. 417When wildcard matching is not disabled, or when a reference identifier 418specifies a parent domain (starts with ".") rather than a hostname, the 419peer name may be a wildcard name or a sub-domain of the reference 420identifier respectively. 421.Pp 422.Fn X509_VERIFY_PARAM_set1_email 423sets the expected RFC 822 email address to 424.Fa email . 425.Fa emaillen 426should be set to the length of 427.Fa email . 
428For historical compatibility, if 429.Fa email 430is NUL-terminated, 431.Fa emaillen 432may be specified as zero. 433.Fn X509_VERIFY_PARAM_set1_email 434will fail if 435.Fa email 436is NULL, an empty string, or contains embedded 0 bytes. 437When an email address is specified, certificate verification 438automatically invokes 439.Xr X509_check_email 3 . 440.Pp 441.Fn X509_VERIFY_PARAM_set1_ip 442sets the expected IP address to 443.Fa ip . 444The 445.Fa ip 446argument is in binary format, in network byte-order, and 447.Fa iplen 448must be set to 4 for IPv4 and 16 for IPv6. 449.Fn X509_VERIFY_PARAM_set1_ip 450will fail if 451.Fa ip 452is NULL or if 453.Fa iplen 454is not 4 or 16. 455When an IP address is specified, 456certificate verification automatically invokes 457.Xr X509_check_ip 3 . 458.Pp 459.Fn X509_VERIFY_PARAM_set1_ip_asc 460sets the expected IP address to 461.Fa ipasc . 462The 463.Fa ipasc 464argument is a NUL-terminated ASCII string: 465dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6. 466The condensed "::" notation is supported for IPv6 addresses. 467.Fn X509_VERIFY_PARAM_set1_ip_asc 468will fail if 469.Fa ipasc 470is unparsable. 471.Sh RETURN VALUES 472.Fn X509_VERIFY_PARAM_set1_name , 473.Fn X509_VERIFY_PARAM_set_flags , 474.Fn X509_VERIFY_PARAM_clear_flags , 475.Fn X509_VERIFY_PARAM_set_purpose , 476.Fn X509_VERIFY_PARAM_set_trust , 477.Fn X509_VERIFY_PARAM_add0_policy , 478and 479.Fn X509_VERIFY_PARAM_set1_policies 480return 1 for success or 0 for failure. 481.Pp 482.Fn X509_VERIFY_PARAM_set1_host , 483.Fn X509_VERIFY_PARAM_add1_host , 484.Fn X509_VERIFY_PARAM_set1_email , 485.Fn X509_VERIFY_PARAM_set1_ip , 486and 487.Fn X509_VERIFY_PARAM_set1_ip_asc 488return 1 for success or 0 for failure. 489A failure from these routines will poison 490the 491.Vt X509_VERIFY_PARAM 492object so that future calls to 493.Xr X509_verify_cert 3 494using the poisoned object will fail. 
495.Pp 496.Fn X509_VERIFY_PARAM_get_flags 497returns the current verification flags. 498.Pp 499.Fn X509_VERIFY_PARAM_get_time 500always returns the configured verification time. 501It does so even if the returned time will not be used because the flag 502.Dv X509_V_FLAG_USE_CHECK_TIME 503is unset. 504.Pp 505.Fn X509_VERIFY_PARAM_get_depth 506returns the current verification depth. 507.Pp 508.Fn X509_VERIFY_PARAM_get0_name 509and 510.Fn X509_VERIFY_PARAM_get0_peername 511return pointers to strings that are only valid 512during the lifetime of the given 513.Fa param 514object and that must not be freed by the application program. 515.Sh VERIFICATION FLAGS 516The verification flags consist of zero or more of the following 517flags OR'ed together. 518.Pp 519.Dv X509_V_FLAG_CRL_CHECK 520enables CRL checking for the certificate chain leaf certificate. 521An error occurs if a suitable CRL cannot be found. 522.Pp 523.Dv X509_V_FLAG_CRL_CHECK_ALL 524enables CRL checking for the entire certificate chain. 525.Pp 526.Dv X509_V_FLAG_IGNORE_CRITICAL 527disables critical extension checking. 528By default any unhandled critical extensions in certificates or (if 529checked) CRLs result in a fatal error. 530If this flag is set, unhandled critical extensions are ignored. 531.Sy WARNING : 532setting this option for anything other than debugging purposes can be a 533security risk. 534Finer control over which extensions are supported can be performed in 535the verification callback. 536.Pp 537The 538.Dv X509_V_FLAG_X509_STRICT 539flag disables workarounds for some broken certificates and makes the 540verification strictly apply X509 rules. 541.Pp 542.Dv X509_V_FLAG_ALLOW_PROXY_CERTS 543is a deprecated flag that used to 544enable proxy certificate verification. 545In LibreSSL, this flag has no effect. 546.Pp 547.Dv X509_V_FLAG_POLICY_CHECK 548enables certificate policy checking; by default no policy checking is 549performed. 
550Additional information is sent to the verification callback relating to 551policy checking. 552.Pp 553.Dv X509_V_FLAG_EXPLICIT_POLICY , 554.Dv X509_V_FLAG_INHIBIT_ANY , 555and 556.Dv X509_V_FLAG_INHIBIT_MAP 557set the 558.Dq require explicit policy , 559.Dq inhibit any policy , 560and 561.Dq inhibit policy mapping 562flags, respectively, as defined in RFC 3280. 563These three flags are ignored unless 564.Dv X509_V_FLAG_POLICY_CHECK 565is also set. 566.Pp 567If 568.Dv X509_V_FLAG_NOTIFY_POLICY 569is set and policy checking is successful, a special status code is 570sent to the verification callback. 571.Pp 572By default some additional features such as indirect CRLs and CRLs 573signed by different keys are disabled. 574If 575.Dv X509_V_FLAG_EXTENDED_CRL_SUPPORT 576is set, they are enabled. 577.Pp 578If 579.Dv X509_V_FLAG_USE_DELTAS 580is set, delta CRLs (if present) are used to determine certificate 581status. 582If not set, deltas are ignored. 583.Pp 584.Dv X509_V_FLAG_CHECK_SS_SIGNATURE 585enables checking of the root CA self signed certificate signature. 586By default this check is disabled because it doesn't add any additional 587security but in some cases applications might want to check the 588signature anyway. 589A side effect of not checking the root CA signature is that disabled or 590unsupported message digests on the root CA are not treated as fatal 591errors. 592.Pp 593The deprecated 594.Dv X509_V_FLAG_CB_ISSUER_CHECK 595flag used to enable debugging of certificate issuer checks. 596It is provided for binary backwards compatibility and has no effect. 597.Pp 598When 599.Dv X509_V_FLAG_TRUSTED_FIRST 600is set, construction of the certificate chain in 601.Xr X509_verify_cert 3 602will search the trust store for issuer certificates before searching the 603provided untrusted certificates. 604Local issuer certificates are often more likely to satisfy local 605security requirements and lead to a locally trusted root. 
606This is especially important when some certificates in the trust store 607have explicit trust settings; see the trust settings options of the 608.Cm x509 609command in 610.Xr openssl 1 . 611.Pp 612The 613.Dv X509_V_FLAG_NO_ALT_CHAINS 614flag suppresses checking for alternative chains. 615By default, unless 616.Dv X509_V_FLAG_TRUSTED_FIRST 617is set, when building a certificate chain, if the first certificate 618chain found is not trusted, then OpenSSL will attempt to replace 619untrusted certificates supplied by the peer with certificates from the 620trust store to see if an alternative chain can be found that is trusted. 621.Pp 622The 623.Dv X509_V_FLAG_PARTIAL_CHAIN 624flag causes intermediate certificates in the trust store to be treated 625as trust-anchors, in the same way as the self-signed root CA 626certificates. 627This makes it possible to trust certificates issued by an intermediate 628CA without having to trust its ancestor root CA. 629.Pp 630If 631.Dv X509_V_FLAG_USE_CHECK_TIME 632is set, the validity period of certificates and CRLs is checked. 633In this case, 634.Dv X509_V_FLAG_NO_CHECK_TIME 635is ignored. 636If the validation time was set with 637.Fn X509_VERIFY_PARAM_set_time , 638that time is used. 639If 640.Fn X509_VERIFY_PARAM_set_time 641was not called, the UNIX Epoch (January 1, 1970) is used. 642.Pp 643If neither 644.Dv X509_V_FLAG_USE_CHECK_TIME 645nor 646.Dv X509_V_FLAG_NO_CHECK_TIME 647is set, the validity period of certificates and CRLs is checked 648using the current time. 649This is the default behaviour. 650In this case, if a validation time was set with 651.Fn X509_VERIFY_PARAM_set_time 652but 653.Dv X509_V_FLAG_USE_CHECK_TIME 654was later cleared with 655.Fn X509_VERIFY_PARAM_clear_flags , 656the configured validation time is ignored 657and the current time is used anyway. 
658.Pp 659If 660.Dv X509_V_FLAG_USE_CHECK_TIME 661is not set but 662.Dv X509_V_FLAG_NO_CHECK_TIME 663is set, the validity period of certificates and CRLs is not checked 664at all, and like in the previous case, any configured validation 665time is ignored. 666.Sh EXAMPLES 667Enable CRL checking when performing certificate verification during 668SSL connections associated with an 669.Vt SSL_CTX 670structure 671.Fa ctx : 672.Bd -literal -offset indent 673X509_VERIFY_PARAM *param; 674 675param = X509_VERIFY_PARAM_new(); 676X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); 677SSL_CTX_set1_param(ctx, param); 678X509_VERIFY_PARAM_free(param); 679.Ed 680.Sh SEE ALSO 681.Xr SSL_set1_host 3 , 682.Xr SSL_set1_param 3 , 683.Xr X509_check_host 3 , 684.Xr X509_STORE_CTX_new 3 , 685.Xr X509_STORE_new 3 , 686.Xr X509_verify_cert 3 , 687.Xr X509_VERIFY_PARAM_new 3 688.Sh HISTORY 689.Fn X509_VERIFY_PARAM_set1_name , 690.Fn X509_VERIFY_PARAM_set_flags , 691.Fn X509_VERIFY_PARAM_set_purpose , 692.Fn X509_VERIFY_PARAM_set_trust , 693.Fn X509_VERIFY_PARAM_set_time , 694.Fn X509_VERIFY_PARAM_add0_policy , 695.Fn X509_VERIFY_PARAM_set1_policies , 696.Fn X509_VERIFY_PARAM_set_depth , 697and 698.Fn X509_VERIFY_PARAM_get_depth 699first appeared in OpenSSL 0.9.8. 700.Fn X509_VERIFY_PARAM_clear_flags 701and 702.Fn X509_VERIFY_PARAM_get_flags 703first appeared in OpenSSL 0.9.8a. 704All these functions have been available since 705.Ox 4.5 . 706.Pp 707.Fn X509_VERIFY_PARAM_get0_name , 708.Fn X509_VERIFY_PARAM_set1_host , 709.Fn X509_VERIFY_PARAM_add1_host , 710.Fn X509_VERIFY_PARAM_set_hostflags , 711.Fn X509_VERIFY_PARAM_get0_peername , 712.Fn X509_VERIFY_PARAM_set1_email , 713.Fn X509_VERIFY_PARAM_set1_ip , 714and 715.Fn X509_VERIFY_PARAM_set1_ip_asc 716first appeared in OpenSSL 1.0.2 and have been available since 717.Ox 6.3 . 718.Pp 719.Fn X509_VERIFY_PARAM_set_auth_level 720first appeared in OpenSSL 1.1.0 and 721.Fn X509_VERIFY_PARAM_get_time 722in OpenSSL 1.1.0d. 
723Both functions have been available since 724.Ox 7.2 . 725.Sh BUGS 726Delta CRL checking is currently primitive. 727Only a single delta can be used and (partly due to limitations of 728.Vt X509_STORE ) 729constructed CRLs are not maintained. 730.Pp 731If CRL checking is enabled, CRLs are expected to be available in 732the corresponding 733.Vt X509_STORE 734structure. 735No attempt is made to download CRLs from the CRL distribution points 736extension. 737