]>
Commit | Line | Data |
---|---|---|
6c17629f DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
a47bc283 RS |
5 | X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, |
6 | X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, | |
7 | X509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags, | |
8 | X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, | |
9 | X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level, | |
10 | X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, | |
329f2f4a | 11 | X509_VERIFY_PARAM_get_time, |
a47bc283 | 12 | X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, |
278260bf | 13 | X509_VERIFY_PARAM_get0_host, |
a47bc283 | 14 | X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, |
5b748dea MC |
15 | X509_VERIFY_PARAM_set_hostflags, |
16 | X509_VERIFY_PARAM_get_hostflags, | |
17 | X509_VERIFY_PARAM_get0_peername, | |
278260bf DDO |
18 | X509_VERIFY_PARAM_get0_email, X509_VERIFY_PARAM_set1_email, |
19 | X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_get1_ip_asc, | |
a47bc283 RS |
20 | X509_VERIFY_PARAM_set1_ip_asc |
21 | - X509 verification parameters | |
6c17629f DSH |
22 | |
23 | =head1 SYNOPSIS | |
24 | ||
25 | #include <openssl/x509_vfy.h> | |
26 | ||
fbb82a60 | 27 | int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, |
a47bc283 | 28 | unsigned long flags); |
6c17629f | 29 | int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, |
a47bc283 | 30 | unsigned long flags); |
25d7cd1d | 31 | unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param); |
6c17629f | 32 | |
a47bc283 RS |
33 | int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, |
34 | uint32_t flags); | |
35 | uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param); | |
36 | ||
6c17629f DSH |
37 | int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); |
38 | int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); | |
39 | ||
40 | void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); | |
329f2f4a | 41 | time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param); |
6c17629f DSH |
42 | |
43 | int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, | |
e9b77246 | 44 | ASN1_OBJECT *policy); |
1bc74519 | 45 | int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, |
e9b77246 | 46 | STACK_OF(ASN1_OBJECT) *policies); |
6c17629f DSH |
47 | |
48 | void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); | |
49 | int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); | |
50 | ||
fbb82a60 | 51 | void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, |
e9b77246 | 52 | int auth_level); |
fbb82a60 VD |
53 | int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); |
54 | ||
278260bf | 55 | char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int n); |
397a8e74 | 56 | int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, |
1bc74519 | 57 | const char *name, size_t namelen); |
8abffa4a | 58 | int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, |
297c67fc | 59 | const char *name, size_t namelen); |
397a8e74 | 60 | void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, |
1bc74519 | 61 | unsigned int flags); |
4db296d9 | 62 | unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); |
8cc86b81 | 63 | char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param); |
278260bf | 64 | char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param); |
397a8e74 | 65 | int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, |
e9b77246 | 66 | const char *email, size_t emaillen); |
278260bf | 67 | char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param); |
397a8e74 | 68 | int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, |
1bc74519 | 69 | const unsigned char *ip, size_t iplen); |
297c67fc | 70 | int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); |
397a8e74 | 71 | |
6c17629f DSH |
72 | =head1 DESCRIPTION |
73 | ||
74 | These functions manipulate the B<X509_VERIFY_PARAM> structure associated with | |
1bc74519 | 75 | a certificate verification operation. |
6c17629f DSH |
76 | |
77 | The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring | |
0495a3ec | 78 | it with B<flags>. See L</VERIFICATION FLAGS> for a complete |
6c17629f DSH |
79 | description of values the B<flags> parameter can take. |
80 | ||
81 | X509_VERIFY_PARAM_get_flags() returns the flags in B<param>. | |
82 | ||
a47bc283 RS |
83 | X509_VERIFY_PARAM_get_inh_flags() returns the inheritance flags in B<param> |
84 | which specifies how verification flags are copied from one structure to | |
85 | another. X509_VERIFY_PARAM_set_inh_flags() sets the inheritance flags. | |
86 | See the B<INHERITANCE FLAGS> section for a description of these bits. | |
87 | ||
6c17629f DSH |
88 | X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>. |
89 | ||
90 | X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> | |
91 | to B<purpose>. This determines the acceptable purpose of the certificate | |
4acda863 | 92 | chain, for example B<X509_PURPOSE_SSL_CLIENT>. |
6c17629f | 93 | |
1bc74519 | 94 | X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to |
6c17629f DSH |
95 | B<trust>. |
96 | ||
97 | X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to | |
98 | B<t>. Normally the current time is used. | |
99 | ||
100 | X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled | |
101 | by default) and adds B<policy> to the acceptable policy set. | |
102 | ||
103 | X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled | |
104 | by default) and sets the acceptable policy set to B<policies>. Any existing | |
105 | policy set is cleared. The B<policies> parameter can be B<NULL> to clear | |
106 | an existing policy set. | |
107 | ||
108 | X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. | |
fbb82a60 | 109 | That is the maximum number of intermediate CA certificates that can appear in a |
6c17629f | 110 | chain. |
fbb82a60 | 111 | A maximal depth chain contains 2 more certificates than the limit, since |
0ad69cd6 | 112 | neither the end-entity certificate nor the trust-anchor count against this |
fbb82a60 VD |
113 | limit. |
114 | Thus a B<depth> limit of 0 only allows the end-entity certificate to be signed | |
ade08735 DDO |
115 | directly by the trust anchor, while with a B<depth> limit of 1 there can be one |
116 | intermediate CA certificate between the trust anchor and the end-entity | |
fbb82a60 VD |
117 | certificate. |
118 | ||
119 | X509_VERIFY_PARAM_set_auth_level() sets the authentication security level to | |
120 | B<auth_level>. | |
121 | The authentication security level determines the acceptable signature and public | |
122 | key strength when verifying certificate chains. | |
123 | For a certificate chain to validate, the public keys of all the certificates | |
124 | must meet the specified security level. | |
125 | The signature algorithm security level is not enforced for the chain's I<trust | |
126 | anchor> certificate, which is either directly trusted or validated by means other | |
127 | than its signature. | |
128 | See L<SSL_CTX_set_security_level(3)> for the definitions of the available | |
129 | levels. | |
130 | The default security level is -1, or "not set". | |
131 | At security level 0 or lower all algorithms are acceptable. | |
132 | Security level 1 requires at least 80-bit-equivalent security and is broadly | |
133 | interoperable, though it will, for example, reject MD5 signatures or RSA keys | |
134 | shorter than 1024 bits. | |
6c17629f | 135 | |
278260bf DDO |
136 | X509_VERIFY_PARAM_get0_host() returns the B<n>th expected DNS hostname that has |
137 | been set using X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host(). | |
138 | To obtain all names start with B<n> = 0 and increment B<n> as long as no NULL | |
139 | pointer is returned. | |
140 | ||
8abffa4a | 141 | X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to |
9c0586d5 | 142 | B<name> clearing any previously specified hostname. If |
8abffa4a VD |
143 | B<name> is NULL, or empty the list of hostnames is cleared, and |
144 | name checks are not performed on the peer certificate. If B<name> | |
145 | is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> | |
55a6250f VD |
146 | must be set to the length of B<name>. |
147 | ||
148 | When a hostname is specified, | |
8abffa4a VD |
149 | certificate verification automatically invokes L<X509_check_host(3)> |
150 | with flags equal to the B<flags> argument given to | |
35cb565a | 151 | X509_VERIFY_PARAM_set_hostflags() (default zero). Applications |
8abffa4a | 152 | are strongly advised to use this interface in preference to explicitly |
55a6250f | 153 | calling L<X509_check_host(3)>, hostname checks may be out of scope |
8abffa4a | 154 | with the DANE-EE(3) certificate usage, and the internal check will |
55a6250f VD |
155 | be suppressed as appropriate when DANE verification is enabled. |
156 | ||
157 | When the subject CommonName will not be ignored, whether as a result of the | |
158 | B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> host flag, or because no DNS subject | |
159 | alternative names are present in the certificate, any DNS name constraints in | |
160 | issuer certificates apply to the subject CommonName as well as the subject | |
161 | alternative name extension. | |
162 | ||
163 | When the subject CommonName will be ignored, whether as a result of the | |
164 | B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> host flag, or because some DNS subject | |
165 | alternative names are present in the certificate, DNS name constraints in | |
166 | issuer certificates will not be applied to the subject DN. | |
167 | As described in X509_check_host(3) the B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> | |
6e501c47 | 168 | flag takes precedence over the B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag. |
8abffa4a | 169 | |
5b748dea MC |
170 | X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a |
171 | call to X509_VERIFY_PARAM_set_hostflags(). | |
172 | ||
8abffa4a | 173 | X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference |
186bb907 | 174 | identifier that can match the peer's certificate. Any previous names |
8abffa4a VD |
175 | set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host() |
176 | are retained, no change is made if B<name> is NULL or empty. When | |
177 | multiple names are configured, the peer is considered verified when | |
178 | any name matches. | |
397a8e74 | 179 | |
6e661d45 VD |
180 | X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject |
181 | CommonName from the peer certificate that matched one of the reference | |
182 | identifiers. When wildcard matching is not disabled, or when a | |
183 | reference identifier specifies a parent domain (starts with ".") | |
184 | rather than a hostname, the peer name may be a wildcard name or a | |
185 | sub-domain of the reference identifier respectively. The return | |
186 | string is allocated by the library and is no longer valid once the | |
187 | associated B<param> argument is freed. Applications must not free | |
188 | the return value. | |
189 | ||
278260bf DDO |
190 | X509_VERIFY_PARAM_get0_email() returns the expected RFC822 email address. |
191 | ||
397a8e74 | 192 | X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to |
df24f29a | 193 | B<email>. If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise |
397a8e74 VD |
194 | B<emaillen> must be set to the length of B<email>. When an email address |
195 | is specified, certificate verification automatically invokes | |
196 | L<X509_check_email(3)>. | |
197 | ||
278260bf DDO |
198 | X509_VERIFY_PARAM_get1_ip_asc() returns the expected IP address as a string. |
199 | The caller is responsible for freeing it. | |
200 | ||
397a8e74 VD |
201 | X509_VERIFY_PARAM_set1_ip() sets the expected IP address to B<ip>. |
202 | The B<ip> argument is in binary format, in network byte-order and | |
203 | B<iplen> must be set to 4 for IPv4 and 16 for IPv6. When an IP | |
204 | address is specified, certificate verification automatically invokes | |
205 | L<X509_check_ip(3)>. | |
206 | ||
207 | X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to | |
208 | B<ipasc>. The B<ipasc> argument is a NUL-terminal ASCII string: | |
209 | dotted decimal quad for IPv4 and colon-separated hexadecimal for | |
210 | IPv6. The condensed "::" notation is supported for IPv6 addresses. | |
211 | ||
6c17629f DSH |
212 | =head1 RETURN VALUES |
213 | ||
397a8e74 | 214 | X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), |
a47bc283 | 215 | X509_VERIFY_PARAM_set_inh_flags(), |
6c17629f | 216 | X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), |
397a8e74 | 217 | X509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(), |
919ba009 | 218 | X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_add1_host(), |
397a8e74 VD |
219 | X509_VERIFY_PARAM_set1_email(), X509_VERIFY_PARAM_set1_ip() and |
220 | X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for | |
221 | failure. | |
6c17629f | 222 | |
278260bf | 223 | X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and |
e304aa87 | 224 | X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers specified above |
278260bf DDO |
225 | or NULL if the respective value has not been set or on error. |
226 | ||
6c17629f DSH |
227 | X509_VERIFY_PARAM_get_flags() returns the current verification flags. |
228 | ||
5b748dea MC |
229 | X509_VERIFY_PARAM_get_hostflags() returns any current host flags. |
230 | ||
a47bc283 RS |
231 | X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags. |
232 | ||
6c17629f DSH |
233 | X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return |
234 | values. | |
235 | ||
236 | X509_VERIFY_PARAM_get_depth() returns the current verification depth. | |
237 | ||
fbb82a60 VD |
238 | X509_VERIFY_PARAM_get_auth_level() returns the current authentication security |
239 | level. | |
240 | ||
6c17629f DSH |
241 | =head1 VERIFICATION FLAGS |
242 | ||
243 | The verification flags consists of zero or more of the following flags | |
244 | ored together. | |
245 | ||
246 | B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf | |
1bc74519 | 247 | certificate. An error occurs if a suitable CRL cannot be found. |
6c17629f DSH |
248 | |
249 | B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate | |
250 | chain. | |
251 | ||
252 | B<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default | |
253 | any unhandled critical extensions in certificates or (if checked) CRLs results | |
254 | in a fatal error. If this flag is set unhandled critical extensions are | |
255 | ignored. B<WARNING> setting this option for anything other than debugging | |
256 | purposes can be a security risk. Finer control over which extensions are | |
257 | supported can be performed in the verification callback. | |
258 | ||
186bb907 | 259 | The B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken |
6c17629f DSH |
260 | certificates and makes the verification strictly apply B<X509> rules. |
261 | ||
262 | B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. | |
263 | ||
264 | B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default | |
186bb907 | 265 | no policy checking is performed. Additional information is sent to the |
6c17629f DSH |
266 | verification callback relating to policy checking. |
267 | ||
268 | B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and | |
269 | B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any | |
270 | policy> and B<inhibit policy mapping> flags respectively as defined in | |
271 | B<RFC3280>. Policy checking is automatically enabled if any of these flags | |
272 | are set. | |
273 | ||
274 | If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful | |
275 | a special status code is set to the verification callback. This permits it | |
276 | to examine the valid policy tree and perform additional checks or simply | |
277 | log it for debugging purposes. | |
278 | ||
2b4ffc65 | 279 | By default some additional features such as indirect CRLs and CRLs signed by |
6c17629f DSH |
280 | different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set |
281 | they are enabled. | |
282 | ||
186bb907 | 283 | If B<X509_V_FLAG_USE_DELTAS> is set delta CRLs (if present) are used to |
6c17629f DSH |
284 | determine certificate status. If not set deltas are ignored. |
285 | ||
0b670a21 DDO |
286 | B<X509_V_FLAG_CHECK_SS_SIGNATURE> requests checking the signature of |
287 | the last certificate in a chain if the certificate is supposedly self-signed. | |
288 | This is prohibited and will result in an error if it is a non-conforming CA | |
289 | certificate with key usage restrictions not including the I<keyCertSign> bit. | |
290 | By default this check is disabled because it doesn't | |
6c17629f | 291 | add any additional security but in some cases applications might want to |
0b670a21 DDO |
292 | check the signature anyway. A side effect of not checking the self-signature |
293 | of such a certificate is that disabled or unsupported message digests used for | |
294 | the signature are not treated as fatal errors. | |
6c17629f | 295 | |
ade08735 DDO |
296 | When B<X509_V_FLAG_TRUSTED_FIRST> is set, which is always the case since |
297 | OpenSSL 1.1.0, construction of the certificate chain | |
298 | in L<X509_verify_cert(3)> searches the trust store for issuer certificates | |
f517911d VD |
299 | before searching the provided untrusted certificates. |
300 | Local issuer certificates are often more likely to satisfy local security | |
301 | requirements and lead to a locally trusted root. | |
302 | This is especially important when some certificates in the trust store have | |
1903a9b7 | 303 | explicit trust settings (see "TRUST SETTINGS" in L<openssl-x509(1)>). |
0daccd4d | 304 | |
ade08735 DDO |
305 | The B<X509_V_FLAG_NO_ALT_CHAINS> flag could have been used before OpenSSL 1.1.0 |
306 | to suppress checking for alternative chains. | |
0daccd4d VD |
307 | By default, unless B<X509_V_FLAG_TRUSTED_FIRST> is set, when building a |
308 | certificate chain, if the first certificate chain found is not trusted, then | |
309 | OpenSSL will attempt to replace untrusted certificates supplied by the peer | |
310 | with certificates from the trust store to see if an alternative chain can be | |
311 | found that is trusted. | |
312 | As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option | |
313 | has no effect. | |
fa7b0111 | 314 | |
ade08735 DDO |
315 | The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes non-self-signed certificates in the |
316 | trust store to be treated as trust anchors, in the same way as self-signed | |
f517911d | 317 | root CA certificates. |
ade08735 DDO |
318 | This makes it possible to trust self-issued certificates as well as certificates |
319 | issued by an intermediate CA without having to trust their ancestor root CA. | |
f9ac6f69 | 320 | With OpenSSL 1.1.0 and later and B<X509_V_FLAG_PARTIAL_CHAIN> set, chain |
ade08735 DDO |
321 | construction stops as soon as the first certificate contained in the trust store |
322 | is added to the chain, whether that certificate is a self-signed "root" | |
323 | certificate or a not self-signed "intermediate" or self-issued certificate. | |
f517911d VD |
324 | Thus, when an intermediate certificate is found in the trust store, the |
325 | verified chain passed to callbacks may be shorter than it otherwise would | |
326 | be without the B<X509_V_FLAG_PARTIAL_CHAIN> flag. | |
327 | ||
d35ff2c0 DW |
328 | The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period |
329 | of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() | |
330 | is used to specify a verification time, the check is not suppressed. | |
331 | ||
a47bc283 RS |
332 | =head1 INHERITANCE FLAGS |
333 | ||
69687aa8 | 334 | These flags specify how parameters are "inherited" from one structure to |
a47bc283 RS |
335 | another. |
336 | ||
337 | If B<X509_VP_FLAG_ONCE> is set then the current setting is zeroed | |
338 | after the next call. | |
339 | ||
340 | If B<X509_VP_FLAG_LOCKED> is set then no values are copied. This overrides | |
341 | all of the following flags. | |
342 | ||
343 | If B<X509_VP_FLAG_DEFAULT> is set then anything set in the source is copied | |
344 | to the destination. Effectively the values in "to" become default values | |
345 | which will be used only if nothing new is set in "from". This is the | |
346 | default. | |
347 | ||
348 | If B<X509_VP_FLAG_OVERWRITE> is set then all value are copied across whether | |
349 | they are set or not. Flags is still Ored though. | |
350 | ||
351 | If B<X509_VP_FLAG_RESET_FLAGS> is set then the flags value is copied instead | |
352 | of ORed. | |
353 | ||
6c17629f DSH |
354 | =head1 NOTES |
355 | ||
356 | The above functions should be used to manipulate verification parameters | |
a95d7574 RS |
357 | instead of functions which work in specific structures such as |
358 | X509_STORE_CTX_set_flags() which are likely to be deprecated in a future | |
359 | release. | |
6c17629f DSH |
360 | |
361 | =head1 BUGS | |
362 | ||
363 | Delta CRL checking is currently primitive. Only a single delta can be used and | |
1bc74519 | 364 | (partly due to limitations of B<X509_STORE>) constructed CRLs are not |
6c17629f DSH |
365 | maintained. |
366 | ||
367 | If CRLs checking is enable CRLs are expected to be available in the | |
368 | corresponding B<X509_STORE> structure. No attempt is made to download | |
369 | CRLs from the CRL distribution points extension. | |
370 | ||
cda77422 | 371 | =head1 EXAMPLES |
6c17629f | 372 | |
1bc74519 | 373 | Enable CRL checking when performing certificate verification during SSL |
9074df86 | 374 | connections associated with an B<SSL_CTX> structure B<ctx>: |
6c17629f | 375 | |
2947af32 | 376 | X509_VERIFY_PARAM *param; |
e9b77246 | 377 | |
2947af32 BB |
378 | param = X509_VERIFY_PARAM_new(); |
379 | X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); | |
380 | SSL_CTX_set1_param(ctx, param); | |
381 | X509_VERIFY_PARAM_free(param); | |
6c17629f DSH |
382 | |
383 | =head1 SEE ALSO | |
384 | ||
9b86974e RS |
385 | L<X509_verify_cert(3)>, |
386 | L<X509_check_host(3)>, | |
387 | L<X509_check_email(3)>, | |
cc94da4e | 388 | L<X509_check_ip(3)>, |
1903a9b7 | 389 | L<openssl-x509(1)> |
6c17629f DSH |
390 | |
391 | =head1 HISTORY | |
392 | ||
fc5ecadd DMSP |
393 | The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0. |
394 | The flag B<X509_V_FLAG_CB_ISSUER_CHECK> was deprecated in OpenSSL 1.1.0 | |
395 | and has no effect. | |
6c17629f | 396 | |
fc5ecadd | 397 | The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. |
5b748dea | 398 | |
278260bf DDO |
399 | The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), |
400 | and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. | |
401 | ||
e2f92610 RS |
402 | =head1 COPYRIGHT |
403 | ||
38fc02a7 | 404 | Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 405 | |
4746f25a | 406 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
407 | this file except in compliance with the License. You can obtain a copy |
408 | in the file LICENSE in the source distribution or at | |
409 | L<https://www.openssl.org/source/license.html>. | |
410 | ||
411 | =cut |