From adfcb82ca6e01227d9ab08350b2815ee606dec6e Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 26 Jun 2021 15:50:34 +0200 Subject: [PATCH] openssl-verification-options.pod: Move reference to changes brought by OpenSSL 1.1.0 to HISTORY section Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/18764) --- doc/man1/openssl-verification-options.pod | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index a04e08f6d9b..f982e2ba786 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -73,8 +73,7 @@ B (SSL client use), B (SSL server use), B (S/MIME email use), B (object signer use), B (OCSP responder use), B (OCSP request use), B (TSA server use), and B. -As of OpenSSL 1.1.0, the last of these blocks all uses when rejected or -enables all uses when trusted. +The last of these blocks all uses when rejected or enables all uses when trusted. A certificate, which may be CA certificate or an end-entity certificate, is considered a trust anchor for the given use @@ -400,7 +399,7 @@ Allow the verification of proxy certificates. =item B<-trusted_first> -As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. +This option is on by default and cannot be disabled. When constructing the certificate chain, the trusted certificates specified via B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> are always used @@ -408,8 +407,7 @@ before any certificates specified via B<-untrusted>. =item B<-no_alt_chains> -As of OpenSSL 1.1.0, since B<-trusted_first> always on, this option has no -effect. +Since B<-trusted_first> always on, this option has no effect. =item B<-trusted> I @@ -730,6 +728,8 @@ L =head1 HISTORY +Since OpenSSL 1.1.0, the B<-trusted_first> option is always enabled. + The checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0. =head1 COPYRIGHT -- 2.47.3