aboutsummaryrefslogtreecommitdiffstats
path: root/doc/man3/X509_VERIFY_PARAM_set_flags.pod
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man3/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r--doc/man3/X509_VERIFY_PARAM_set_flags.pod17
1 files changed, 10 insertions, 7 deletions
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 7593dea7dab9..f6f304bf7bd0 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -129,7 +129,7 @@ interoperable, though it will, for example, reject MD5 signatures or RSA keys
shorter than 1024 bits.
X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
-B<name> clearing any previously specified host name or names. If
+B<name> clearing any previously specified hostname or names. If
B<name> is NULL, or empty the list of hostnames is cleared, and
name checks are not performed on the peer certificate. If B<name>
is NUL-terminated, B<namelen> may be zero, otherwise B<namelen>
@@ -264,12 +264,15 @@ they are enabled.
If B<X509_V_FLAG_USE_DELTAS> is set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
-B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed
-certificate signature. By default this check is disabled because it doesn't
+B<X509_V_FLAG_CHECK_SS_SIGNATURE> requests checking the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming CA
+certificate with key usage restrictions not including the keyCertSign bit.
+By default this check is disabled because it doesn't
add any additional security but in some cases applications might want to
-check the signature anyway. A side effect of not checking the root CA
-signature is that disabled or unsupported message digests on the root CA
-are not treated as fatal errors.
+check the signature anyway. A side effect of not checking the self-signature
+of such a certificate is that disabled or unsupported message digests used for
+the signature are not treated as fatal errors.
When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain
in L<X509_verify_cert(3)> will search the trust store for issuer certificates
@@ -376,7 +379,7 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
=head1 COPYRIGHT
-Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy