From: Richard Levitte Date: Sun, 19 Jun 2016 08:55:43 +0000 (+0200) Subject: Allow proxy certs to be present when verifying a chain X-Git-Tag: OpenSSL_1_0_2i~122 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ad8c48291622a6ccc51489b9a230c9a05ca5614;p=thirdparty%2Fopenssl.git Allow proxy certs to be present when verifying a chain Reviewed-by: Rich Salz --- diff --git a/apps/apps.c b/apps/apps.c index b1dd97038f7..0385490306d 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2374,6 +2374,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_PARTIAL_CHAIN; else if (!strcmp(arg, "-no_alt_chains")) flags |= X509_V_FLAG_NO_ALT_CHAINS; + else if (!strcmp(arg, "-allow_proxy_certs")) + flags |= X509_V_FLAG_ALLOW_PROXY_CERTS; else return 0; diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index bffa6c0ec40..b3767325ae0 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -27,6 +27,7 @@ B B [B<-use_deltas>] [B<-policy_print>] [B<-no_alt_chains>] +[B<-allow_proxy_certs>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] @@ -139,6 +140,10 @@ be found that is trusted. With this option that behaviour is suppressed so that only the first chain found is ever used. Using this option will force the behaviour to match that of previous OpenSSL versions. +=item B<-allow_proxy_certs> + +Allow the verification of proxy certificates. + =item B<-trusted file> A file of additional trusted certificates. The file should contain multiple
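Review bot: In the apps/apps.c hunk, the new `-allow_proxy_certs` branch sits in the shared helper `args_verify`, yet the only documentation this patch touches is doc/apps/verify.pod. If other commands take their verification options through `args_verify`, they will accept the flag without it appearing in their own usage text or pod. Since the branch sets `X509_V_FLAG_ALLOW_PROXY_CERTS`, which widens what a chain is allowed to contain, the option should be documented wherever it is accepted, or the commit message should say that those updates follow separately.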
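Review bot: In the second doc/apps/verify.pod hunk, the text under `=item B<-allow_proxy_certs>` is one sentence, "Allow the verification of proxy certificates.", and it does not state the default. Please add what happens to a chain containing a proxy certificate when the option is absent, and say that the option is meant for cases where proxy certificates are expected, so a reader does not reach for it as a general fix for a failing verification.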