1.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.15 2020/09/17 08:04:22 schwarze Exp $
2.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
3.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
4.\"
5.\" This file is a derived work.
6.\" The changes are covered by the following Copyright and license:
7.\"
8.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
9.\"
10.\" Permission to use, copy, modify, and distribute this software for any
11.\" purpose with or without fee is hereby granted, provided that the above
12.\" copyright notice and this permission notice appear in all copies.
13.\"
14.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
15.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
16.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
17.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
18.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
20.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21.\"
22.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
23.\" and Viktor Dukhovni <viktor@dukhovni.org>.
24.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
25.\" All rights reserved.
26.\"
27.\" Redistribution and use in source and binary forms, with or without
28.\" modification, are permitted provided that the following conditions
29.\" are met:
30.\"
31.\" 1. Redistributions of source code must retain the above copyright
32.\"    notice, this list of conditions and the following disclaimer.
33.\"
34.\" 2. Redistributions in binary form must reproduce the above copyright
35.\"    notice, this list of conditions and the following disclaimer in
36.\"    the documentation and/or other materials provided with the
37.\"    distribution.
38.\"
39.\" 3. All advertising materials mentioning features or use of this
40.\"    software must display the following acknowledgment:
41.\"    "This product includes software developed by the OpenSSL Project
42.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
43.\"
44.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
45.\"    endorse or promote products derived from this software without
46.\"    prior written permission. For written permission, please contact
47.\"    openssl-core@openssl.org.
48.\"
49.\" 5. Products derived from this software may not be called "OpenSSL"
50.\"    nor may "OpenSSL" appear in their names without prior written
51.\"    permission of the OpenSSL Project.
52.\"
53.\" 6. Redistributions of any form whatsoever must retain the following
54.\"    acknowledgment:
55.\"    "This product includes software developed by the OpenSSL Project
56.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
57.\"
58.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
59.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
60.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
61.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
62.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
63.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
64.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
65.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
66.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
67.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
68.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
69.\" OF THE POSSIBILITY OF SUCH DAMAGE.
70.\"
71.Dd $Mdocdate: September 17 2020 $
72.Dt X509_VERIFY_PARAM_SET_FLAGS 3
73.Os
74.Sh NAME
75.Nm X509_VERIFY_PARAM_new ,
76.Nm X509_VERIFY_PARAM_free ,
77.Nm X509_VERIFY_PARAM_get0_name ,
78.Nm X509_VERIFY_PARAM_set1_name ,
79.Nm X509_VERIFY_PARAM_set_flags ,
80.Nm X509_VERIFY_PARAM_clear_flags ,
81.Nm X509_VERIFY_PARAM_get_flags ,
82.Nm X509_VERIFY_PARAM_set_purpose ,
83.Nm X509_VERIFY_PARAM_set_trust ,
84.Nm X509_VERIFY_PARAM_set_time ,
85.Nm X509_VERIFY_PARAM_add0_policy ,
86.Nm X509_VERIFY_PARAM_set1_policies ,
87.Nm X509_VERIFY_PARAM_set_depth ,
88.Nm X509_VERIFY_PARAM_get_depth ,
89.Nm X509_VERIFY_PARAM_set1_host ,
90.Nm X509_VERIFY_PARAM_add1_host ,
91.Nm X509_VERIFY_PARAM_set_hostflags ,
92.Nm X509_VERIFY_PARAM_get0_peername ,
93.Nm X509_VERIFY_PARAM_set1_email ,
94.Nm X509_VERIFY_PARAM_set1_ip ,
95.Nm X509_VERIFY_PARAM_set1_ip_asc ,
96.Nm X509_VERIFY_PARAM_add0_table ,
97.Nm X509_VERIFY_PARAM_lookup ,
98.Nm X509_VERIFY_PARAM_get_count ,
99.Nm X509_VERIFY_PARAM_get0 ,
100.Nm X509_VERIFY_PARAM_table_cleanup
101.Nd X509 verification parameters
102.Sh SYNOPSIS
103.In openssl/x509_vfy.h
104.Ft X509_VERIFY_PARAM *
105.Fo X509_VERIFY_PARAM_new
106.Fa void
107.Fc
108.Ft void
109.Fo X509_VERIFY_PARAM_free
110.Fa "X509_VERIFY_PARAM *param"
111.Fc
112.Ft const char *
113.Fo X509_VERIFY_PARAM_get0_name
114.Fa "const X509_VERIFY_PARAM *param"
115.Fc
116.Ft int
117.Fo X509_VERIFY_PARAM_set1_name
118.Fa "X509_VERIFY_PARAM *param"
119.Fa "const char *name"
120.Fc
121.Ft int
122.Fo X509_VERIFY_PARAM_set_flags
123.Fa "X509_VERIFY_PARAM *param"
124.Fa "unsigned long flags"
125.Fc
126.Ft int
127.Fo X509_VERIFY_PARAM_clear_flags
128.Fa "X509_VERIFY_PARAM *param"
129.Fa "unsigned long flags"
130.Fc
131.Ft unsigned long
132.Fo X509_VERIFY_PARAM_get_flags
133.Fa "X509_VERIFY_PARAM *param"
134.Fc
135.Ft int
136.Fo X509_VERIFY_PARAM_set_purpose
137.Fa "X509_VERIFY_PARAM *param"
138.Fa "int purpose"
139.Fc
140.Ft int
141.Fo X509_VERIFY_PARAM_set_trust
142.Fa "X509_VERIFY_PARAM *param"
143.Fa "int trust"
144.Fc
145.Ft void
146.Fo X509_VERIFY_PARAM_set_time
147.Fa "X509_VERIFY_PARAM *param"
148.Fa "time_t t"
149.Fc
150.Ft int
151.Fo X509_VERIFY_PARAM_add0_policy
152.Fa "X509_VERIFY_PARAM *param"
153.Fa "ASN1_OBJECT *policy"
154.Fc
155.Ft int
156.Fo X509_VERIFY_PARAM_set1_policies
157.Fa "X509_VERIFY_PARAM *param"
158.Fa "STACK_OF(ASN1_OBJECT) *policies"
159.Fc
160.Ft void
161.Fo X509_VERIFY_PARAM_set_depth
162.Fa "X509_VERIFY_PARAM *param"
163.Fa "int depth"
164.Fc
165.Ft int
166.Fo X509_VERIFY_PARAM_get_depth
167.Fa "const X509_VERIFY_PARAM *param"
168.Fc
169.Ft int
170.Fo X509_VERIFY_PARAM_set1_host
171.Fa "X509_VERIFY_PARAM *param"
172.Fa "const char *name"
173.Fa "size_t namelen"
174.Fc
175.Ft int
176.Fo X509_VERIFY_PARAM_add1_host
177.Fa "X509_VERIFY_PARAM *param"
178.Fa "const char *name"
179.Fa "size_t namelen"
180.Fc
181.Ft void
182.Fo X509_VERIFY_PARAM_set_hostflags
183.Fa "X509_VERIFY_PARAM *param"
184.Fa "unsigned int flags"
185.Fc
186.Ft char *
187.Fo X509_VERIFY_PARAM_get0_peername
188.Fa "X509_VERIFY_PARAM *param"
189.Fc
190.Ft int
191.Fo X509_VERIFY_PARAM_set1_email
192.Fa "X509_VERIFY_PARAM *param"
193.Fa "const char *email"
194.Fa "size_t emaillen"
195.Fc
196.Ft int
197.Fo X509_VERIFY_PARAM_set1_ip
198.Fa "X509_VERIFY_PARAM *param"
199.Fa "const unsigned char *ip"
200.Fa "size_t iplen"
201.Fc
202.Ft int
203.Fo X509_VERIFY_PARAM_set1_ip_asc
204.Fa "X509_VERIFY_PARAM *param"
205.Fa "const char *ipasc"
206.Fc
207.Ft int
208.Fo X509_VERIFY_PARAM_add0_table
209.Fa "X509_VERIFY_PARAM *param"
210.Fc
211.Ft const X509_VERIFY_PARAM *
212.Fo X509_VERIFY_PARAM_lookup
213.Fa "const char *name"
214.Fc
215.Ft int
216.Fo X509_VERIFY_PARAM_get_count
217.Fa void
218.Fc
219.Ft const X509_VERIFY_PARAM *
220.Fo X509_VERIFY_PARAM_get0
221.Fa "int id"
222.Fc
223.Ft void
224.Fo X509_VERIFY_PARAM_table_cleanup
225.Fa void
226.Fc
227.Sh DESCRIPTION
228These functions manipulate an
229.Vt X509_VERIFY_PARAM
230object associated with a certificate verification operation.
231.Pp
232.Fn X509_VERIFY_PARAM_new
233allocates and initializes an empty
234.Vt X509_VERIFY_PARAM
235object.
236.Pp
237.Fn X509_VERIFY_PARAM_free
238clears all data contained in
239.Fa param
240and releases all memory used by it.
241If
242.Fa param
243is a
244.Dv NULL
245pointer, no action occurs.
246.Pp
247.Fn X509_VERIFY_PARAM_get0_name
248returns the name of the given
249.Fa param
250object, usually describing its purpose, for example
251.Qq default ,
252.Qq pkcs7 ,
253.Qq smime_sign ,
254.Qq ssl_client ,
255or
256.Qq ssl_server .
257For user-defined objects, the returned pointer may be
258.Dv NULL
259even if the object is otherwise valid.
260.Pp
261.Fn X509_VERIFY_PARAM_set1_name
262sets the name of
263.Fa param
264to a copy of
265.Fa name ,
266or to
267.Dv NULL
268if
269.Fa name
270is
271.Dv NULL .
272.Pp
273.Fn X509_VERIFY_PARAM_set_flags
274sets the flags in
275.Fa param
276by OR'ing it with
277.Fa flags .
278See the
279.Sx VERIFICATION FLAGS
280section for a complete description of values the
281.Fa flags
282parameter can take.
283.Pp
284.Fn X509_VERIFY_PARAM_get_flags
285returns the flags in
286.Fa param .
287.Pp
288.Fn X509_VERIFY_PARAM_clear_flags
289clears the flags
290.Fa flags
291in
292.Fa param .
293.Pp
294.Fn X509_VERIFY_PARAM_set_purpose
295sets the verification purpose in
296.Fa param
297to
298.Fa purpose .
299This determines the acceptable purpose of the certificate chain, for
300example SSL client or SSL server.
301.Pp
302.Fn X509_VERIFY_PARAM_set_trust
303sets the trust setting in
304.Fa param
305to
306.Fa trust .
307.Pp
308.Fn X509_VERIFY_PARAM_set_time
309sets the verification time in
310.Fa param
311to
312.Fa t .
313Normally the current time is used.
314.Pp
315.Fn X509_VERIFY_PARAM_add0_policy
316enables policy checking (it is disabled by default) and adds
317.Fa policy
318to the acceptable policy set.
319.Pp
320.Fn X509_VERIFY_PARAM_set1_policies
321enables policy checking (it is disabled by default) and sets the
322acceptable policy set to
323.Fa policies .
324Any existing policy set is cleared.
325The
326.Fa policies
327parameter can be
328.Dv NULL
329to clear an existing policy set.
330.Pp
331.Fn X509_VERIFY_PARAM_set_depth
332sets the maximum verification depth to
333.Fa depth .
334That is the maximum number of untrusted CA certificates that can appear
335in a chain.
336.Pp
337.Fn X509_VERIFY_PARAM_set1_host
338sets the expected DNS hostname to
339.Fa name ,
340clearing any previously specified hostname or names.
341If
342.Fa name
343is
344.Dv NULL
345or empty, the list of hostnames is cleared, and name checks are not
346performed on the peer certificate.
347.Fa namelen
348should be set to the length of
349.Fa name .
350For historical compatibility, if
351.Fa name
352is NUL-terminated,
353.Fa namelen
354may be specified as zero.
355When a hostname is specified, certificate verification automatically
356invokes
357.Xr X509_check_host 3
358with flags equal to the
359.Fa flags
360argument given to
361.Fn X509_VERIFY_PARAM_set_hostflags
362(default zero).
363.Fn X509_VERIFY_PARAM_set1_host
364will fail if
365.Fa name
366contains any embedded 0 bytes.
367.Pp
368.Fn X509_VERIFY_PARAM_add1_host
369adds
370.Fa name
371as an additional reference identifier that can match the peer's
372certificate.
373Any previous names set via
374.Fn X509_VERIFY_PARAM_set1_host
375and
376.Fn X509_VERIFY_PARAM_add1_host
377are retained.
378No change is made if
379.Fa name
380is
381.Dv NULL
382or empty.
383.Fa namelen
384should be set to the length of
385.Fa name .
386For historical compatibility, if
387.Fa name
388is NUL-terminated,
389.Fa namelen
390may be specified as zero.
391.Fn X509_VERIFY_PARAM_add1_host
392will fail if
393.Fa name
394contains any embedded 0 bytes.
395When multiple names are configured, the peer is considered verified when
396any name matches.
397.Pp
398.Fn X509_VERIFY_PARAM_get0_peername
399returns the DNS hostname or subject CommonName from the peer certificate
400that matched one of the reference identifiers.
401When wildcard matching is not disabled, or when a reference identifier
402specifies a parent domain (starts with ".") rather than a hostname, the
403peer name may be a wildcard name or a sub-domain of the reference
404identifier respectively.
405.Pp
406.Fn X509_VERIFY_PARAM_set1_email
407sets the expected RFC822 email address to
408.Fa email .
409.Fa emaillen
410should be set to the length of
411.Fa email .
412For historical compatibility, if
413.Fa email
414is NUL-terminated,
415.Fa emaillen
416may be specified as zero.
417.Fn X509_VERIFY_PARAM_set1_email
418will fail if
419.Fa email
420is NULL, an empty string, or contains embedded 0 bytes.
421When an email address is specified, certificate verification
422automatically invokes
423.Xr X509_check_email 3 .
424.Pp
425.Fn X509_VERIFY_PARAM_set1_ip
426sets the expected IP address to
427.Fa ip .
428The
429.Fa ip
430argument is in binary format, in network byte-order, and
431.Fa iplen
432must be set to 4 for IPv4 and 16 for IPv6.
433.Fn X509_VERIFY_PARAM_set1_ip
434will fail if
435.Fa ip
436is NULL or if
437.Fa iplen
438is not 4 or 16.
439When an IP address is specified,
440certificate verification automatically invokes
441.Xr X509_check_ip 3 .
442.Pp
443.Fn X509_VERIFY_PARAM_set1_ip_asc
444sets the expected IP address to
445.Fa ipasc .
446The
447.Fa ipasc
448argument is a NUL-terminated ASCII string:
449dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
450The condensed "::" notation is supported for IPv6 addresses.
451.Fn X509_VERIFY_PARAM_set1_ip_asc
452will fail if
453.Fa ipasc
454is unparsable.
455.Pp
456.Fn X509_VERIFY_PARAM_add0_table
457adds
458.Fa param
459to a static list of
460.Vt X509_VERIFY_PARAM
461objects maintained by the library.
462This function is extremely dangerous because contrary to the name
463of the function, if the list already contains an object that happens
464to have the same name, that old object is not only silently removed
465from the list, but also silently freed, which may silently invalidate
466various pointers existing elsewhere in the program.
467.Pp
468.Fn X509_VERIFY_PARAM_lookup
469searches this list for an object of the given
470.Fa name .
471If no match is found, the predefined objects built-in to the library
472are also inspected.
473.Pp
474.Fn X509_VERIFY_PARAM_get_count
475returns the sum of the number of objects on this list and the number
476of predefined objects built-in to the library.
477Note that this is not necessarily the total number of
478.Vt X509_VERIFY_PARAM
479objects existing in the program because there may be additional such
480objects that were never added to the list.
481.Pp
482.Fn X509_VERIFY_PARAM_get0
483accesses predefined and user-defined objects using
484.Fa id
485as an index, useful for looping over objects without knowing their names.
486An argument less than the number of predefined objects selects
487one of the predefined objects; a higher argument selects an object
488from the list.
489.Pp
490.Fn X509_VERIFY_PARAM_table_cleanup
491deletes all objects from this list.
492It is extremely dangerous because it also invalidates all data that
493was contained in all objects that were on the list and because it
494frees all these objects, which may invalidate various pointers
495existing elsewhere in the program.
496.Sh RETURN VALUES
497.Fn X509_VERIFY_PARAM_new
498returns a pointer to the new object, or
499.Dv NULL
500on allocation failure.
501.Pp
502.Fn X509_VERIFY_PARAM_set1_name ,
503.Fn X509_VERIFY_PARAM_set_flags ,
504.Fn X509_VERIFY_PARAM_clear_flags ,
505.Fn X509_VERIFY_PARAM_set_purpose ,
506.Fn X509_VERIFY_PARAM_set_trust ,
507.Fn X509_VERIFY_PARAM_add0_policy ,
508.Fn X509_VERIFY_PARAM_set1_policies ,
509and
510.Fn X509_VERIFY_PARAM_add0_table
511return 1 for success or 0 for failure.
512.Pp
513.Fn X509_VERIFY_PARAM_set1_host ,
514.Fn X509_VERIFY_PARAM_add1_host ,
515.Fn X509_VERIFY_PARAM_set1_email ,
516.Fn X509_VERIFY_PARAM_set1_ip ,
517and
518.Fn X509_VERIFY_PARAM_set1_ip_asc
519return 1 for success or 0 for failure.
520A failure from these routines will poison
521the
522.Vt X509_VERIFY_PARAM
523object so that future calls to
524.Xr X509_verify_cert 3
525using the poisoned object will fail.
526.Pp
527.Fn X509_VERIFY_PARAM_get_flags
528returns the current verification flags.
529.Pp
530.Fn X509_VERIFY_PARAM_get_depth
531returns the current verification depth.
532.Pp
533.Fn X509_VERIFY_PARAM_get0_name
534and
535.Fn X509_VERIFY_PARAM_get0_peername
536return pointers to strings that are only valid
537during the lifetime of the given
538.Fa param
539object and that must not be freed by the application program.
540.Pp
541.Fn X509_VERIFY_PARAM_lookup
542and
543.Fn X509_VERIFY_PARAM_get0
544return a pointer to an existing built-in or user-defined object, or
545.Dv NULL
546if no object with the given
547.Fa name
548is found, or if
549.Fa id
550is at least
551.Fn X509_VERIFY_PARAM_get_count .
552.Pp
553.Fn X509_VERIFY_PARAM_get_count
554returns the number of objects described above.
555.Sh VERIFICATION FLAGS
556The verification flags consist of zero or more of the following
557flags OR'ed together.
558.Pp
559.Dv X509_V_FLAG_CRL_CHECK
560enables CRL checking for the certificate chain leaf certificate.
561An error occurs if a suitable CRL cannot be found.
562.Pp
563.Dv X509_V_FLAG_CRL_CHECK_ALL
564enables CRL checking for the entire certificate chain.
565.Pp
566.Dv X509_V_FLAG_IGNORE_CRITICAL
567disables critical extension checking.
568By default any unhandled critical extensions in certificates or (if
569checked) CRLs result in a fatal error.
570If this flag is set, unhandled critical extensions are ignored.
571.Sy WARNING :
572setting this option for anything other than debugging purposes can be a
573security risk.
574Finer control over which extensions are supported can be performed in
575the verification callback.
576.Pp
577The
578.Dv X509_V_FLAG_X509_STRICT
579flag disables workarounds for some broken certificates and makes the
580verification strictly apply X509 rules.
581.Pp
582.Dv X509_V_FLAG_ALLOW_PROXY_CERTS
583enables proxy certificate verification.
584.Pp
585.Dv X509_V_FLAG_POLICY_CHECK
586enables certificate policy checking; by default no policy checking is
587performed.
588Additional information is sent to the verification callback relating to
589policy checking.
590.Pp
591.Dv X509_V_FLAG_EXPLICIT_POLICY ,
592.Dv X509_V_FLAG_INHIBIT_ANY ,
593and
594.Dv X509_V_FLAG_INHIBIT_MAP
595set the
596.Dq require explicit policy ,
597.Dq inhibit any policy ,
598and
599.Dq inhibit policy mapping
600flags, respectively, as defined in RFC 3280.
601Policy checking is automatically enabled if any of these flags are set.
602.Pp
603If
604.Dv X509_V_FLAG_NOTIFY_POLICY
605is set and policy checking is successful, a special status code is
606sent to the verification callback.
607This permits it to examine the valid policy tree and perform additional
608checks or simply log it for debugging purposes.
609.Pp
610By default some additional features such as indirect CRLs and CRLs
611signed by different keys are disabled.
612If
613.Dv X509_V_FLAG_EXTENDED_CRL_SUPPORT
614is set they are enabled.
615.Pp
616If
617.Dv X509_V_FLAG_USE_DELTAS
618is set, delta CRLs (if present) are used to determine certificate
619status.
620If not set, deltas are ignored.
621.Pp
622.Dv X509_V_FLAG_CHECK_SS_SIGNATURE
623enables checking of the root CA self-signed certificate signature.
624By default this check is disabled because it doesn't add any additional
625security but in some cases applications might want to check the
626signature anyway.
627A side effect of not checking the root CA signature is that disabled or
628unsupported message digests on the root CA are not treated as fatal
629errors.
630.Pp
631The
632.Dv X509_V_FLAG_CB_ISSUER_CHECK
633flag enables debugging of certificate issuer checks.
634It is
635.Sy not
636needed unless you are logging certificate verification.
637If this flag is set then additional status codes will be sent to the
638verification callback and it
639.Sy must
640be prepared to handle such cases without assuming they are hard errors.
641.Pp
642When
643.Dv X509_V_FLAG_TRUSTED_FIRST
644is set, construction of the certificate chain in
645.Xr X509_verify_cert 3
646will search the trust store for issuer certificates before searching the
647provided untrusted certificates.
648Local issuer certificates are often more likely to satisfy local
649security requirements and lead to a locally trusted root.
650This is especially important when some certificates in the trust store
651have explicit trust settings; see the trust settings options of the
652.Cm x509
653command in
654.Xr openssl 1 .
655.Pp
656The
657.Dv X509_V_FLAG_NO_ALT_CHAINS
658flag suppresses checking for alternative chains.
659By default, unless
660.Dv X509_V_FLAG_TRUSTED_FIRST
661is set, when building a certificate chain, if the first certificate
662chain found is not trusted, then OpenSSL will attempt to replace
663untrusted certificates supplied by the peer with certificates from the
664trust store to see if an alternative chain can be found that is trusted.
665.Pp
666The
667.Dv X509_V_FLAG_PARTIAL_CHAIN
668flag causes intermediate certificates in the trust store to be treated
669as trust-anchors, in the same way as the self-signed root CA
670certificates.
671This makes it possible to trust certificates issued by an intermediate
672CA without having to trust its ancestor root CA.
673.Pp
674The
675.Dv X509_V_FLAG_NO_CHECK_TIME
676flag suppresses checking the validity period of certificates and CRLs
677against the current time.
Certificates and CRLs outside their validity period are then not
rejected for that reason.
678If
679.Fn X509_VERIFY_PARAM_set_time
680is used to specify a verification time, the check is not suppressed.
681.Sh EXAMPLES
682Enable CRL checking when performing certificate verification during
683SSL connections associated with an
684.Vt SSL_CTX
685structure
686.Fa ctx :
687.Bd -literal -offset indent
688X509_VERIFY_PARAM *param;
689
690param = X509_VERIFY_PARAM_new();
691X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
692SSL_CTX_set1_param(ctx, param);
693X509_VERIFY_PARAM_free(param);
694.Ed
695.Sh SEE ALSO
696.Xr SSL_set1_host 3 ,
697.Xr SSL_set1_param 3 ,
698.Xr X509_check_host 3 ,
699.Xr X509_STORE_CTX_set0_param 3 ,
700.Xr X509_STORE_set1_param 3 ,
701.Xr X509_verify_cert 3
702.Sh HISTORY
703.Fn X509_VERIFY_PARAM_new ,
704.Fn X509_VERIFY_PARAM_free ,
705.Fn X509_VERIFY_PARAM_set1_name ,
706.Fn X509_VERIFY_PARAM_set_flags ,
707.Fn X509_VERIFY_PARAM_set_purpose ,
708.Fn X509_VERIFY_PARAM_set_trust ,
709.Fn X509_VERIFY_PARAM_set_time ,
710.Fn X509_VERIFY_PARAM_add0_policy ,
711.Fn X509_VERIFY_PARAM_set1_policies ,
712.Fn X509_VERIFY_PARAM_set_depth ,
713.Fn X509_VERIFY_PARAM_get_depth ,
714.Fn X509_VERIFY_PARAM_add0_table ,
715.Fn X509_VERIFY_PARAM_lookup ,
716and
717.Fn X509_VERIFY_PARAM_table_cleanup
718first appeared in OpenSSL 0.9.8.
719.Fn X509_VERIFY_PARAM_clear_flags
720and
721.Fn X509_VERIFY_PARAM_get_flags
722first appeared in OpenSSL 0.9.8a.
723All these functions have been available since
724.Ox 4.5 .
725.Pp
726.Fn X509_VERIFY_PARAM_get0_name ,
727.Fn X509_VERIFY_PARAM_set1_host ,
728.Fn X509_VERIFY_PARAM_add1_host ,
729.Fn X509_VERIFY_PARAM_set_hostflags ,
730.Fn X509_VERIFY_PARAM_get0_peername ,
731.Fn X509_VERIFY_PARAM_set1_email ,
732.Fn X509_VERIFY_PARAM_set1_ip ,
733.Fn X509_VERIFY_PARAM_set1_ip_asc ,
734.Fn X509_VERIFY_PARAM_get_count ,
735and
736.Fn X509_VERIFY_PARAM_get0
737first appeared in OpenSSL 1.0.2 and have been available since
738.Ox 6.3 .
739.Sh BUGS
740Delta CRL checking is currently primitive.
741Only a single delta can be used and (partly due to limitations of
742.Vt X509_STORE )
743constructed CRLs are not maintained.
744.Pp
745If CRL checking is enabled, CRLs are expected to be available in
746the corresponding
747.Vt X509_STORE
748structure.
749No attempt is made to download CRLs from the CRL distribution points
750extension.
751