Diffstat (limited to 'secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3')
1 files changed, 12 insertions, 9 deletions
diff --git a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
index f31cdc125fcd..f61478c82762 100644
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.40)
+.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\" Standard preamble:
@@ -133,7 +133,7 @@
.IX Title "X509_VERIFY_PARAM_SET_FLAGS 3"
-.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2020-04-21" "1.1.1g" "OpenSSL"
+.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2020-09-22" "1.1.1h" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -252,7 +252,7 @@ interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1
shorter than 1024 bits.
\&\fBX509_VERIFY_PARAM_set1_host()\fR sets the expected \s-1DNS\s0 hostname to
-\&\fBname\fR clearing any previously specified host name or names. If
+\&\fBname\fR clearing any previously specified hostname or names. If
\&\fBname\fR is \s-1NULL,\s0 or empty the list of hostnames is cleared, and
name checks are not performed on the peer certificate. If \fBname\fR
is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR
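Review bot: the replacement line now reads "any previously specified hostname or names", which mixes the joined spelling with a bare "names". The next sentence already says "the list of hostnames", so "hostname or hostnames" (or simply "hostnames") would keep the terminology uniform. The unchanged context in this hunk also states that a NULL or empty name clears the list and that name checks are then not performed on the peer certificate. Since this paragraph is being touched anyway, that deserves a more prominent warning: a caller that passes an empty string disables hostname verification without any error.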
@@ -385,12 +385,15 @@ they are enabled.
If \fBX509_V_FLAG_USE_DELTAS\fR is set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
-\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR enables checking of the root \s-1CA\s0 self signed
-certificate signature. By default this check is disabled because it doesn't
+\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR requests checking the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
+certificate with key usage restrictions not including the keyCertSign bit.
+By default this check is disabled because it doesn't
add any additional security but in some cases applications might want to
-check the signature anyway. A side effect of not checking the root \s-1CA\s0
-signature is that disabled or unsupported message digests on the root \s-1CA\s0
-are not treated as fatal errors.
+check the signature anyway. A side effect of not checking the self-signature
+of such a certificate is that disabled or unsupported message digests used for
+the signature are not treated as fatal errors.
When \fBX509_V_FLAG_TRUSTED_FIRST\fR is set, construction of the certificate chain
in \fBX509_verify_cert\fR\|(3) will search the trust store for issuer certificates
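Review bot: in the added text, "This is prohibited and will result in an error" has an unclear antecedent. It can be read as saying that setting X509_V_FLAG_CHECK_SS_SIGNATURE is itself prohibited, when the intent appears to be that checking the self-signature fails for a CA certificate whose key usage does not include keyCertSign. Suggest wording along the lines of "With this flag set, verification fails if that certificate is a CA certificate whose key usage does not include the keyCertSign bit", and name the verification error callers should expect. "supposedly self-signed" also needs a short definition of how a certificate is judged to be self-signed. Finally, the retained claim that the check "doesn't add any additional security" sits awkwardly beside the stated side effect that disabled or unsupported message digests are not treated as fatal errors; one sentence saying when an application should set the flag would resolve that.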
@@ -492,7 +495,7 @@ and has no effect.
The \fBX509_VERIFY_PARAM_get_hostflags()\fR function was added in OpenSSL 1.1.0i.
.IX Header "COPYRIGHT"
-Copyright 2009\-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy