Update X509_VERIFY_PARAM_set_flags.pod

Change description of B<X509_V_FLAG_CRL_CHECK_ALL> to reflect its inability
to function without B<X509_V_FLAG_CRL_CHECK> being enabled as well.

Fixes #27056 (https://github.com/openssl/openssl/issues/27056)

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27098)

(cherry picked from commit b7d3c729b14ccd9d23437d8ae107020a4332af72)

diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 4627206174a508fc81096fd273b5003e0fb1e605..4b190a7d18f827a10e4efa1a9a73a2375aca6f12 100644 (file)
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -248,8 +248,8 @@ ored together.
 B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf
 certificate. An error occurs if a suitable CRL cannot be found.
 
-B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate
-chain.
+B<X509_V_FLAG_CRL_CHECK_ALL> expands CRL checking to the entire certificate
+chain if B<X509_V_FLAG_CRL_CHECK> has also been enabled, and is otherwise ignored.
 
 B<X509_V_FLAG_IGNORE_CRITICAL> disables critical extension checking. By default
 any unhandled critical extensions in certificates or (if checked) CRLs result