Add documentation for the -no_alt_chains option for various apps, as well as

the X509_V_FLAG_NO_ALT_CHAINS flag. Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>

Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag. Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>
fa7b0111 · Matt Caswell · 25690b7f · fa7b0111 · fa7b0111 · fa7b0111
7 changed file
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -54,6 +54,7 @@ B<openssl> B<cms>
 [B<-suiteB_128_only>]
 [B<-suiteB_192>]
 [B<-trusted_first>]
+[B<-no_alt_chains>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
 [B<-verify_email email>]
@@ -459,11 +460,11 @@ address matches that specified in the From: address.
 B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
 B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
-B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
+B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>

-Set various certificate chain valiadition options. See the
+Set various certificate chain validation options. See the
 L<B<verify>|verify(1)> manual page for details.

 =back
@@ -697,4 +698,6 @@ Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
 The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
 to OpenSSL 1.1.0.

+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
 =cut
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -48,6 +48,7 @@ B<openssl> B<ocsp>
 [B<-suiteB_128_only>]
 [B<-suiteB_192>]
 [B<-trusted_first>]
+[B<-no_alt_chains>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
 [B<-verify_email email>]
@@ -173,9 +174,9 @@ the signature on the OCSP response.
 B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
 B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
-B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
+B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>

 Set different certificate verification options.
 See L<B<verify>|verify(1)> manual page for details.
@@ -416,3 +417,9 @@ second file.

 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
     -reqin req.der -respout resp.der
+
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
+=cut
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -19,7 +19,6 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
-[B<-trusted_first>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-crl_check>]
@@ -39,6 +38,7 @@ B<openssl> B<s_client>
 [B<-suiteB_128_only>]
 [B<-suiteB_192>]
 [B<-trusted_first>]
+[B<-no_alt_chains>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
 [B<-verify_email email>]
@@ -155,11 +155,11 @@ and to use when attempting to build the client certificate chain.
 B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
 B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
-B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
+B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>

-Set various certificate chain valiadition options. See the
+Set various certificate chain validation options. See the
 L<B<verify>|verify(1)> manual page for details.

 =item B<-reconnect>
@@ -411,4 +411,8 @@ information whenever a session is renegotiated.

 L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>

+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
 =cut
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -51,6 +51,7 @@ B<openssl> B<s_server>
 [B<-suiteB_128_only>]
 [B<-suiteB_192>]
 [B<-trusted_first>]
+[B<-no_alt_chains>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
 [B<-verify_return_error>]
@@ -218,8 +219,8 @@ anonymous ciphersuite or PSK) this option has no effect.
 B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
 B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
 B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
+B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>

 Set different peer certificate verification options.
 See the L<B<verify>|verify(1)> manual page for details.
@@ -481,4 +482,8 @@ unknown cipher suites a client says it supports.

 L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>

+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
 =cut
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -36,6 +36,7 @@ B<openssl> B<smime>
 [B<-suiteB_128_only>]
 [B<-suiteB_192>]
 [B<-trusted_first>]
+[B<-no_alt_chains>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
 [B<-verify_email email>]
@@ -291,9 +292,9 @@ address matches that specified in the From: address.
 B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
 B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
-B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
+B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>

 Set various options of certificate chain verification. See
 L<B<verify>|verify(1)> manual page for details.
@@ -475,5 +476,6 @@ structures may cause parsing errors.
 The use of multiple B<-signer> options and the B<-resign> command were first
 added in OpenSSL 1.0.0

+The -no_alt_chains options was first added to OpenSSL 1.1.0.

 =cut
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -30,6 +30,7 @@ B<openssl> B<verify>
 [B<-suiteB_128_only>]
 [B<-suiteB_192>]
 [B<-trusted_first>]
+[B<-no_alt_chains>]
 [B<-untrusted file>]
 [B<-use_deltas>]
 [B<-verbose>]
@@ -164,6 +165,14 @@ Use certificates in CA file or CA directory before certificates in untrusted
 file when building the trust chain to verify certificates.
 This is mainly useful in environments with Bridge CA or Cross-Certified CAs.

+=item B<-no_alt_chains>
+
+When building a certificate chain, if the first certificate chain found is not
+trusted, then OpenSSL will continue to check to see if an alternative chain can
+be found that is trusted. With this option that behaviour is suppressed so that
+only the first chain found is ever used. Using this option will force the
+behaviour to match that of OpenSSL versions prior to 1.1.0. 
+
 =item B<-untrusted file>

 A file of untrusted certificates. The file should contain multiple certificates
@@ -469,4 +478,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.

 L<x509(1)|x509(1)>

+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
 =cut
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -197,6 +197,12 @@ verification. If this flag is set then additional status codes will be sent
 to the verification callback and it B<must> be prepared to handle such cases
 without assuming they are hard errors.

+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
+chains. By default, when building a certificate chain, if the first certificate
+chain found is not trusted, then OpenSSL will continue to check to see if an
+alternative chain can be found that is trusted. With this flag set the behaviour
+will match that of OpenSSL versions prior to 1.1.0.
+
 =head1 NOTES

 The above functions should be used to manipulate verification parameters
@@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>

 =head1 HISTORY

-TBA
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0

 =cut