From: Josh Auler Date: Thu, 12 Mar 2026 05:07:42 +0000 (-0400) Subject: doc: clarify -CAfile and -verifyCAfile semantics in s_server X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;ds=sidebyside;p=thirdparty%2Fopenssl.git doc: clarify -CAfile and -verifyCAfile semantics in s_server Reviewed-by: Eugene Syromiatnikov Reviewed-by: Saša Nedvědický MergeDate: Wed Apr 15 12:11:34 2026 (Merged from https://github.com/openssl/openssl/pull/30405) --- diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 3e53b4d9a0..a58b5759e9 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -342,6 +342,12 @@ see L for more information. The URI of a store containing trusted certificates to use for verifying the server's certificate. +When any of B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> is +specified, they are loaded into a separate verification store (via +L) and used for server certificate +verification instead of the store built from B<-CAfile>, B<-CApath>, and +B<-CAstore>. + =item B<-chainCAfile> I A file in PEM format containing trusted certificates to use diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index ddb77f680a..48744484b1 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -341,8 +341,8 @@ Download CRLs from distribution points given in CDP extensions of certificates =item B<-verifyCAfile> I -A file in PEM format CA containing trusted certificates to use -for verifying client certificates. +A file in PEM format containing trusted CA certificates (root and/or +intermediate) used to verify the client certificate chain. =item B<-verifyCApath> I 
@@ -356,6 +356,15 @@ see L for more information. The URI of a store containing trusted certificates to use for verifying client certificates. +When any of B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> is +specified, they are loaded into a separate verification store (via +L) and used for client certificate +verification instead of the store built from B<-CAfile>, B<-CApath>, and +B<-CAstore>. Note that B<-CAfile> is the sole source of acceptable issuing +CA names sent to the client in the Certificate Request message during the +handshake; B<-CApath>, B<-CAstore>, and the B<-verifyCA*> options do not +contribute to this list. + =item B<-chainCAfile> I A file in PEM format containing trusted certificates to use
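Review bot: in the openssl-s_client.pod.in hunk, the new paragraph describing the separate verification store is attached only to the B<-verifyCAstore> entry, so a reader who lands on B<-CAfile>, B<-CApath> or B<-CAstore> never learns that those options are bypassed for server certificate verification once any B<-verifyCA*> option is given. Suggest adding a one-line cross-reference in the B<-CAfile>/B<-CApath>/B<-CAstore> entries (or moving the paragraph to a shared spot above the B<=item>s), and saying explicitly that the default store is ignored for verification in that case rather than merged, since "instead of" leaves that to inference.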
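Review bot: in the first openssl-s_server.pod.in hunk, the rewritten B<-verifyCAfile> text now says "trusted CA certificates (root and/or intermediate) used to verify the client certificate chain", while the neighbouring B<-verifyCApath> and B<-verifyCAstore> entries still read "trusted certificates to use for verifying client certificates", so the three sibling options no longer describe the same thing in the same words. Suggest aligning the three descriptions, and making explicit that an intermediate placed in this file is treated as a trust anchor (it terminates chain building there), because "root and/or intermediate" can be read as merely "chain-building material", which is a meaningful difference for an operator deciding what to put in the file.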
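Review bot: in the second openssl-s_server.pod.in hunk, the sentence "B<-CAfile> is the sole source of acceptable issuing CA names sent to the client in the Certificate Request message" states the rule but not its consequence, which is the point most likely to bite: a server configured with only B<-verifyCAfile> (or B<-verifyCApath>/B<-verifyCAstore>) sends an empty CA-name list, and clients that select their certificate from that list may then send none, so client-auth failures look like a client problem rather than a configuration one. Suggest spelling that out in one sentence, e.g. "If B<-CAfile> is not given, no CA names are sent; pass the issuing CAs via B<-CAfile> as well when using the B<-verifyCA*> options", and mirroring a short note under the B<-CAfile> entry so the two behaviours of that option (default verify store and Certificate Request names) are documented where it is defined.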