]>
Commit | Line | Data |
---|---|---|
13938ace DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
fa1194d3 | 5 | verify - Utility to verify certificates. |
13938ace DSH |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> B<verify> | |
13938ace | 10 | [B<-CAfile file>] |
2866441a HK |
11 | [B<-CApath directory>] |
12 | [B<-attime timestamp>] | |
cd028c8e | 13 | [B<-check_ss_sig>] |
8332f91c | 14 | [B<-CRLfile file>] |
79a55b1f | 15 | [B<-crl_download>] |
e5fa864f DSH |
16 | [B<-crl_check>] |
17 | [B<-crl_check_all>] | |
e5fa864f | 18 | [B<-explicit_policy>] |
e5fa864f | 19 | [B<-extended_crl>] |
13938ace | 20 | [B<-help>] |
2866441a HK |
21 | [B<-ignore_critical>] |
22 | [B<-inhibit_any>] | |
23 | [B<-inhibit_map>] | |
709e8595 | 24 | [B<-issuer_checks>] |
cd028c8e | 25 | [B<-partial_chain>] |
2866441a HK |
26 | [B<-policy arg>] |
27 | [B<-policy_check>] | |
28 | [B<-policy_print>] | |
29 | [B<-purpose purpose>] | |
cd028c8e HK |
30 | [B<-suiteB_128>] |
31 | [B<-suiteB_128_only>] | |
32 | [B<-suiteB_192>] | |
2866441a | 33 | [B<-trusted_first>] |
fa7b0111 | 34 | [B<-no_alt_chains>] |
2866441a | 35 | [B<-untrusted file>] |
79a55b1f | 36 | [B<-trusted file>] |
2866441a | 37 | [B<-use_deltas>] |
13938ace | 38 | [B<-verbose>] |
cd028c8e HK |
39 | [B<-verify_depth num>] |
40 | [B<-verify_email email>] | |
41 | [B<-verify_hostname hostname>] | |
42 | [B<-verify_ip ip>] | |
43 | [B<-verify_name name>] | |
2866441a | 44 | [B<-x509_strict>] |
7f3f41d8 | 45 | [B<-show_chain>] |
13938ace DSH |
46 | [B<->] |
47 | [certificates] | |
48 | ||
49 | ||
50 | =head1 DESCRIPTION | |
51 | ||
52 | The B<verify> command verifies certificate chains. | |
53 | ||
54 | =head1 COMMAND OPTIONS | |
55 | ||
56 | =over 4 | |
57 | ||
2866441a HK |
58 | =item B<-CAfile file> |
59 | ||
60 | A file of trusted certificates. The file should contain multiple certificates | |
61 | in PEM format concatenated together. | |
62 | ||
13938ace DSH |
63 | =item B<-CApath directory> |
64 | ||
65 | A directory of trusted certificates. The certificates should have names | |
66 | of the form: hash.0 or have symbolic links to them of this | |
67 | form ("hash" is the hashed certificate subject name: see the B<-hash> option | |
68 | of the B<x509> utility). Under Unix the B<c_rehash> script will automatically | |
69 | create symbolic links to a directory of certificates. | |
70 | ||
2866441a | 71 | =item B<-attime timestamp> |
13938ace | 72 | |
2866441a HK |
73 | Perform validation checks using time specified by B<timestamp> and not |
74 | current system time. B<timestamp> is the number of seconds since | |
75 | 01.01.1970 (UNIX time). | |
13938ace | 76 | |
2866441a | 77 | =item B<-check_ss_sig> |
13938ace | 78 | |
2866441a HK |
79 | Verify the signature on the self-signed root CA. This is disabled by default |
80 | because it doesn't add any security. | |
13938ace | 81 | |
8332f91c | 82 | =item B<-CRLfile file> |
fc1d88f0 RS |
83 | |
84 | File containing one or more CRL's (in PEM format) to load. | |
85 | ||
79a55b1f MC |
86 | =item B<-crl_download> |
87 | ||
88 | Attempt to download CRL information for this certificate. | |
89 | ||
2866441a | 90 | =item B<-crl_check> |
6d3d5793 | 91 | |
2866441a HK |
92 | Checks end entity certificate validity by attempting to look up a valid CRL. |
93 | If a valid CRL cannot be found an error occurs. | |
6d3d5793 | 94 | |
2866441a | 95 | =item B<-crl_check_all> |
13938ace | 96 | |
2866441a HK |
97 | Checks the validity of B<all> certificates in the chain by attempting |
98 | to look up valid CRLs. | |
99 | ||
100 | =item B<-explicit_policy> | |
101 | ||
102 | Set policy variable require-explicit-policy (see RFC5280). | |
103 | ||
104 | =item B<-extended_crl> | |
105 | ||
106 | Enable extended CRL features such as indirect CRLs and alternate CRL | |
107 | signing keys. | |
13938ace DSH |
108 | |
109 | =item B<-help> | |
110 | ||
3a778a29 | 111 | Print out a usage message. |
13938ace | 112 | |
2866441a | 113 | =item B<-ignore_critical> |
13938ace | 114 | |
2866441a HK |
115 | Normally if an unhandled critical extension is present which is not |
116 | supported by OpenSSL the certificate is rejected (as required by RFC5280). | |
117 | If this option is set critical extensions are ignored. | |
118 | ||
119 | =item B<-inhibit_any> | |
120 | ||
121 | Set policy variable inhibit-any-policy (see RFC5280). | |
122 | ||
123 | =item B<-inhibit_map> | |
124 | ||
125 | Set policy variable inhibit-policy-mapping (see RFC5280). | |
13938ace | 126 | |
709e8595 DSH |
127 | =item B<-issuer_checks> |
128 | ||
3a778a29 BL |
129 | Print out diagnostics relating to searches for the issuer certificate of the |
130 | current certificate. This shows why each candidate issuer certificate was | |
131 | rejected. The presence of rejection messages does not itself imply that | |
132 | anything is wrong; during the normal verification process, several | |
133 | rejections may take place. | |
709e8595 | 134 | |
2866441a | 135 | =item B<-partial_chain> |
9ed03faa | 136 | |
2866441a | 137 | Allow partial certificate chain if at least one certificate is in trusted store. |
9ed03faa | 138 | |
e5fa864f DSH |
139 | =item B<-policy arg> |
140 | ||
3a778a29 BL |
141 | Enable policy processing and add B<arg> to the user-initial-policy-set (see |
142 | RFC5280). The policy B<arg> can be an object name an OID in numeric form. | |
143 | This argument can appear more than once. | |
e5fa864f DSH |
144 | |
145 | =item B<-policy_check> | |
146 | ||
147 | Enables certificate policy processing. | |
148 | ||
e5fa864f DSH |
149 | =item B<-policy_print> |
150 | ||
3a778a29 | 151 | Print out diagnostics related to policy processing. |
e5fa864f | 152 | |
2866441a | 153 | =item B<-purpose purpose> |
e5fa864f | 154 | |
2866441a HK |
155 | The intended use for the certificate. If this option is not specified, |
156 | B<verify> will not consider certificate purpose during chain verification. | |
157 | Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>, | |
158 | B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more | |
159 | information. | |
e5fa864f | 160 | |
2866441a | 161 | =item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192> |
e5fa864f | 162 | |
2866441a HK |
163 | enable the Suite B mode operation at 128 bit Level of Security, 128 bit or |
164 | 192 bit, or only 192 bit Level of Security respectively. | |
165 | See RFC6460 for details. In particular the supported signature algorithms are | |
166 | reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves | |
167 | P-256 and P-384. | |
e5fa864f | 168 | |
2866441a | 169 | =item B<-trusted_first> |
e5fa864f | 170 | |
2866441a HK |
171 | Use certificates in CA file or CA directory before certificates in untrusted |
172 | file when building the trust chain to verify certificates. | |
173 | This is mainly useful in environments with Bridge CA or Cross-Certified CAs. | |
e5fa864f | 174 | |
fa7b0111 MC |
175 | =item B<-no_alt_chains> |
176 | ||
177 | When building a certificate chain, if the first certificate chain found is not | |
178 | trusted, then OpenSSL will continue to check to see if an alternative chain can | |
179 | be found that is trusted. With this option that behaviour is suppressed so that | |
180 | only the first chain found is ever used. Using this option will force the | |
181 | behaviour to match that of OpenSSL versions prior to 1.1.0. | |
182 | ||
2866441a | 183 | =item B<-untrusted file> |
e5fa864f | 184 | |
5b89036c RS |
185 | A file of untrusted certificates. The file should contain one or more |
186 | certificates in PEM format. | |
e5fa864f | 187 | |
79a55b1f MC |
188 | =item B<-trusted file> |
189 | ||
5b89036c RS |
190 | A file of trusted certificates. The file contain one or more |
191 | certificates in PEM format. | |
192 | With this option, no additional (e.g., default) certificate lists | |
193 | are consulted. That is, the only trusted issuers are those listed | |
194 | in B<file>. | |
195 | This option cannot be used with the B<-CAfile> or B<-CApath> options. | |
79a55b1f | 196 | |
e5fa864f DSH |
197 | =item B<-use_deltas> |
198 | ||
199 | Enable support for delta CRLs. | |
200 | ||
2866441a | 201 | =item B<-verbose> |
cd028c8e | 202 | |
2866441a | 203 | Print extra information about the operations being performed. |
cd028c8e HK |
204 | |
205 | =item B<-verify_depth num> | |
206 | ||
207 | Limit the maximum depth of the certificate chain to B<num> certificates. | |
208 | ||
209 | =item B<-verify_email email> | |
210 | ||
211 | Verify if the B<email> matches the email address in Subject Alternative Name or | |
115e4809 | 212 | the email in the subject Distinguished Name. |
cd028c8e HK |
213 | |
214 | =item B<-verify_hostname hostname> | |
215 | ||
216 | Verify if the B<hostname> matches DNS name in Subject Alternative Name or | |
217 | Common Name in the subject certificate. | |
218 | ||
219 | =item B<-verify_ip ip> | |
220 | ||
221 | Verify if the B<ip> matches the IP address in Subject Alternative Name of | |
222 | the subject certificate. | |
223 | ||
224 | =item B<-verify_name name> | |
225 | ||
226 | Use default verification options like trust model and required certificate | |
227 | policies identified by B<name>. | |
228 | Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server. | |
229 | ||
2866441a HK |
230 | =item B<-x509_strict> |
231 | ||
232 | For strict X.509 compliance, disable non-compliant workarounds for broken | |
233 | certificates. | |
234 | ||
7f3f41d8 MC |
235 | =item B<-show_chain> |
236 | ||
237 | Display information about the certificate chain that has been built (if | |
238 | successful). Certificates in the chain that came from the untrusted list will be | |
239 | flagged as "untrusted". | |
240 | ||
13938ace DSH |
241 | =item B<-> |
242 | ||
3a778a29 | 243 | Indicates the last option. All arguments following this are assumed to be |
7b418a47 DSH |
244 | certificate files. This is useful if the first certificate filename begins |
245 | with a B<->. | |
13938ace DSH |
246 | |
247 | =item B<certificates> | |
248 | ||
3a778a29 BL |
249 | One or more certificates to verify. If no certificates are given, B<verify> |
250 | will attempt to read a certificate from standard input. Certificates must be | |
251 | in PEM format. | |
13938ace DSH |
252 | |
253 | =back | |
254 | ||
255 | =head1 VERIFY OPERATION | |
256 | ||
257 | The B<verify> program uses the same functions as the internal SSL and S/MIME | |
258 | verification, therefore this description applies to these verify operations | |
259 | too. | |
260 | ||
261 | There is one crucial difference between the verify operations performed | |
262 | by the B<verify> program: wherever possible an attempt is made to continue | |
263 | after an error whereas normally the verify operation would halt on the | |
264 | first error. This allows all the problems with a certificate chain to be | |
265 | determined. | |
266 | ||
267 | The verify operation consists of a number of separate steps. | |
268 | ||
269 | Firstly a certificate chain is built up starting from the supplied certificate | |
270 | and ending in the root CA. It is an error if the whole chain cannot be built | |
709e8595 DSH |
271 | up. The chain is built up by looking up the issuers certificate of the current |
272 | certificate. If a certificate is found which is its own issuer it is assumed | |
273 | to be the root CA. | |
274 | ||
275 | The process of 'looking up the issuers certificate' itself involves a number | |
276 | of steps. In versions of OpenSSL before 0.9.5a the first certificate whose | |
277 | subject name matched the issuer of the current certificate was assumed to be | |
278 | the issuers certificate. In OpenSSL 0.9.6 and later all certificates | |
279 | whose subject name matches the issuer name of the current certificate are | |
280 | subject to further tests. The relevant authority key identifier components | |
281 | of the current certificate (if present) must match the subject key identifier | |
282 | (if present) and issuer and serial number of the candidate issuer, in addition | |
283 | the keyUsage extension of the candidate issuer (if present) must permit | |
284 | certificate signing. | |
285 | ||
13938ace | 286 | The lookup first looks in the list of untrusted certificates and if no match |
19d2bb57 | 287 | is found the remaining lookups are from the trusted certificates. The root CA |
13938ace DSH |
288 | is always looked up in the trusted certificate list: if the certificate to |
289 | verify is a root certificate then an exact match must be found in the trusted | |
290 | list. | |
291 | ||
292 | The second operation is to check every untrusted certificate's extensions for | |
293 | consistency with the supplied purpose. If the B<-purpose> option is not included | |
294 | then no checks are done. The supplied or "leaf" certificate must have extensions | |
295 | compatible with the supplied purpose and all other certificates must also be valid | |
296 | CA certificates. The precise extensions required are described in more detail in | |
7b418a47 | 297 | the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility. |
13938ace DSH |
298 | |
299 | The third operation is to check the trust settings on the root CA. The root | |
19d2bb57 | 300 | CA should be trusted for the supplied purpose. For compatibility with previous |
13938ace DSH |
301 | versions of SSLeay and OpenSSL a certificate with no trust settings is considered |
302 | to be valid for all purposes. | |
303 | ||
304 | The final operation is to check the validity of the certificate chain. The validity | |
305 | period is checked against the current system time and the notBefore and notAfter | |
306 | dates in the certificate. The certificate signatures are also checked at this | |
307 | point. | |
308 | ||
309 | If all operations complete successfully then certificate is considered valid. If | |
310 | any operation fails then the certificate is not valid. | |
311 | ||
7b418a47 DSH |
312 | =head1 DIAGNOSTICS |
313 | ||
314 | When a verify operation fails the output messages can be somewhat cryptic. The | |
315 | general form of the error message is: | |
316 | ||
317 | server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) | |
318 | error 24 at 1 depth lookup:invalid CA certificate | |
319 | ||
320 | The first line contains the name of the certificate being verified followed by | |
321 | the subject name of the certificate. The second line contains the error number | |
322 | and the depth. The depth is number of the certificate being verified when a | |
323 | problem was detected starting with zero for the certificate being verified itself | |
324 | then 1 for the CA that signed the certificate and so on. Finally a text version | |
325 | of the error number is presented. | |
326 | ||
327 | An exhaustive list of the error codes and messages is shown below, this also | |
328 | includes the name of the error code as defined in the header file x509_vfy.h | |
329 | Some of the error codes are defined but never returned: these are described | |
330 | as "unused". | |
331 | ||
332 | =over 4 | |
333 | ||
334 | =item B<0 X509_V_OK: ok> | |
335 | ||
336 | the operation was successful. | |
337 | ||
338 | =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate> | |
339 | ||
7d3d1788 DSH |
340 | the issuer certificate of a looked up certificate could not be found. This |
341 | normally means the list of trusted certificates is not complete. | |
7b418a47 | 342 | |
7c1722c6 | 343 | =item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> |
7b418a47 | 344 | |
db50661f | 345 | the CRL of a certificate could not be found. |
7b418a47 DSH |
346 | |
347 | =item B<4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature> | |
348 | ||
349 | the certificate signature could not be decrypted. This means that the actual signature value | |
350 | could not be determined rather than it not matching the expected value, this is only | |
351 | meaningful for RSA keys. | |
352 | ||
19d2bb57 | 353 | =item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature> |
7b418a47 DSH |
354 | |
355 | the CRL signature could not be decrypted: this means that the actual signature value | |
356 | could not be determined rather than it not matching the expected value. Unused. | |
357 | ||
358 | =item B<6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key> | |
359 | ||
360 | the public key in the certificate SubjectPublicKeyInfo could not be read. | |
361 | ||
362 | =item B<7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure> | |
363 | ||
364 | the signature of the certificate is invalid. | |
365 | ||
366 | =item B<8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure> | |
367 | ||
db50661f | 368 | the signature of the certificate is invalid. |
7b418a47 DSH |
369 | |
370 | =item B<9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid> | |
371 | ||
372 | the certificate is not yet valid: the notBefore date is after the current time. | |
373 | ||
e1c279b6 | 374 | =item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired> |
7b418a47 | 375 | |
e1c279b6 | 376 | the certificate has expired: that is the notAfter date is before the current time. |
7b418a47 | 377 | |
e1c279b6 | 378 | =item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> |
7b418a47 | 379 | |
db50661f | 380 | the CRL is not yet valid. |
7b418a47 DSH |
381 | |
382 | =item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired> | |
383 | ||
db50661f | 384 | the CRL has expired. |
7b418a47 DSH |
385 | |
386 | =item B<13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field> | |
387 | ||
388 | the certificate notBefore field contains an invalid time. | |
13938ace | 389 | |
7b418a47 DSH |
390 | =item B<14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field> |
391 | ||
392 | the certificate notAfter field contains an invalid time. | |
393 | ||
394 | =item B<15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field> | |
395 | ||
db50661f | 396 | the CRL lastUpdate field contains an invalid time. |
7b418a47 DSH |
397 | |
398 | =item B<16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field> | |
399 | ||
db50661f | 400 | the CRL nextUpdate field contains an invalid time. |
7b418a47 DSH |
401 | |
402 | =item B<17 X509_V_ERR_OUT_OF_MEM: out of memory> | |
403 | ||
19d2bb57 | 404 | an error occurred trying to allocate memory. This should never happen. |
7b418a47 DSH |
405 | |
406 | =item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate> | |
407 | ||
408 | the passed certificate is self signed and the same certificate cannot be found in the list of | |
409 | trusted certificates. | |
410 | ||
411 | =item B<19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain> | |
412 | ||
413 | the certificate chain could be built up using the untrusted certificates but the root could not | |
414 | be found locally. | |
415 | ||
416 | =item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate> | |
417 | ||
7d3d1788 DSH |
418 | the issuer certificate could not be found: this occurs if the issuer |
419 | certificate of an untrusted certificate cannot be found. | |
7b418a47 DSH |
420 | |
421 | =item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate> | |
422 | ||
423 | no signatures could be verified because the chain contains only one certificate and it is not | |
424 | self signed. | |
425 | ||
426 | =item B<22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long> | |
427 | ||
428 | the certificate chain length is greater than the supplied maximum depth. Unused. | |
429 | ||
430 | =item B<23 X509_V_ERR_CERT_REVOKED: certificate revoked> | |
431 | ||
db50661f | 432 | the certificate has been revoked. |
7b418a47 DSH |
433 | |
434 | =item B<24 X509_V_ERR_INVALID_CA: invalid CA certificate> | |
435 | ||
436 | a CA certificate is invalid. Either it is not a CA or its extensions are not consistent | |
437 | with the supplied purpose. | |
438 | ||
439 | =item B<25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded> | |
440 | ||
441 | the basicConstraints pathlength parameter has been exceeded. | |
442 | ||
443 | =item B<26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose> | |
444 | ||
445 | the supplied certificate cannot be used for the specified purpose. | |
446 | ||
447 | =item B<27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted> | |
448 | ||
449 | the root CA is not marked as trusted for the specified purpose. | |
450 | ||
451 | =item B<28 X509_V_ERR_CERT_REJECTED: certificate rejected> | |
452 | ||
453 | the root CA is marked to reject the specified purpose. | |
454 | ||
709e8595 DSH |
455 | =item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch> |
456 | ||
457 | the current candidate issuer certificate was rejected because its subject name | |
458 | did not match the issuer name of the current certificate. Only displayed when | |
459 | the B<-issuer_checks> option is set. | |
460 | ||
461 | =item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch> | |
462 | ||
463 | the current candidate issuer certificate was rejected because its subject key | |
464 | identifier was present and did not match the authority key identifier current | |
465 | certificate. Only displayed when the B<-issuer_checks> option is set. | |
466 | ||
467 | =item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch> | |
468 | ||
469 | the current candidate issuer certificate was rejected because its issuer name | |
470 | and serial number was present and did not match the authority key identifier | |
471 | of the current certificate. Only displayed when the B<-issuer_checks> option is set. | |
472 | ||
473 | =item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing> | |
474 | ||
475 | the current candidate issuer certificate was rejected because its keyUsage extension | |
476 | does not permit certificate signing. | |
477 | ||
7b418a47 DSH |
478 | =item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> |
479 | ||
480 | an application specific error. Unused. | |
481 | ||
482 | =back | |
13938ace | 483 | |
709e8595 DSH |
484 | =head1 BUGS |
485 | ||
2af071c0 | 486 | Although the issuer checks are a considerable improvement over the old technique they still |
709e8595 DSH |
487 | suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that |
488 | trusted certificates with matching subject name must either appear in a file (as specified by the | |
115e4809 | 489 | B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only |
709e8595 DSH |
490 | the certificates in the file will be recognised. |
491 | ||
492 | Previous versions of OpenSSL assume certificates with matching subject name are identical and | |
493 | mishandled them. | |
494 | ||
7d3d1788 DSH |
495 | Previous versions of this documentation swapped the meaning of the |
496 | B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and | |
497 | B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. | |
498 | ||
13938ace DSH |
499 | =head1 SEE ALSO |
500 | ||
9b86974e | 501 | L<x509(1)> |
13938ace | 502 | |
fa7b0111 MC |
503 | =head1 HISTORY |
504 | ||
7f3f41d8 | 505 | The -show_chain option was first added to OpenSSL 1.1.0. |
fa7b0111 | 506 | |
13938ace | 507 | =cut |