From: Kyle Mullen <kam3634@rit.edu>
Date: Tue, 18 Mar 2025 13:29:25 +0000 (-0400)
Subject: Update X509_VERIFY_PARAM_set_flags.pod
X-Git-Tag: openssl-3.4.2~128
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cee281f70b5101b09f9d0a7e034932aa5e04bc5f;p=thirdparty%2Fopenssl.git

Update X509_VERIFY_PARAM_set_flags.pod

Change description of B<X509_V_FLAG_CRL_CHECK_ALL> to reflect its inability
to function without B<X509_V_FLAG_CRL_CHECK> being enabled as well.

Fixes #27056 (https://github.com/openssl/openssl/issues/27056)

CLA: trivial

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27098)

(cherry picked from commit b7d3c729b14ccd9d23437d8ae107020a4332af72)
---

diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index fcbbfc4c306..571d16e5224 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -248,8 +248,8 @@ ored together.
 B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf
 certificate. An error occurs if a suitable CRL cannot be found.
 
-B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate
-chain.
+B<X509_V_FLAG_CRL_CHECK_ALL> expands CRL checking to the entire certificate
+chain if B<X509_V_FLAG_CRL_CHECK> has also been enabled, and is otherwise ignored.
 
 B<X509_V_FLAG_IGNORE_CRITICAL> disables critical extension checking. By default
 any unhandled critical extensions in certificates or (if checked) CRLs result