1*1dcdf01fSchristos=pod 2*1dcdf01fSchristos 3*1dcdf01fSchristos=head1 NAME 4*1dcdf01fSchristos 5*1dcdf01fSchristosX509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, 6*1dcdf01fSchristosX509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, 7*1dcdf01fSchristosX509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags, 8*1dcdf01fSchristosX509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, 9*1dcdf01fSchristosX509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level, 10*1dcdf01fSchristosX509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, 11*1dcdf01fSchristosX509_VERIFY_PARAM_get_time, 12*1dcdf01fSchristosX509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, 13*1dcdf01fSchristosX509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, 14*1dcdf01fSchristosX509_VERIFY_PARAM_set_hostflags, 15*1dcdf01fSchristosX509_VERIFY_PARAM_get_hostflags, 16*1dcdf01fSchristosX509_VERIFY_PARAM_get0_peername, 17*1dcdf01fSchristosX509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, 18*1dcdf01fSchristosX509_VERIFY_PARAM_set1_ip_asc 19*1dcdf01fSchristos- X509 verification parameters 20*1dcdf01fSchristos 21*1dcdf01fSchristos=head1 SYNOPSIS 22*1dcdf01fSchristos 23*1dcdf01fSchristos #include <openssl/x509_vfy.h> 24*1dcdf01fSchristos 25*1dcdf01fSchristos int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, 26*1dcdf01fSchristos unsigned long flags); 27*1dcdf01fSchristos int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, 28*1dcdf01fSchristos unsigned long flags); 29*1dcdf01fSchristos unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); 30*1dcdf01fSchristos 31*1dcdf01fSchristos int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, 32*1dcdf01fSchristos uint32_t flags); 33*1dcdf01fSchristos uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param); 34*1dcdf01fSchristos 35*1dcdf01fSchristos int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); 36*1dcdf01fSchristos int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); 37*1dcdf01fSchristos 38*1dcdf01fSchristos void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); 39*1dcdf01fSchristos time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param); 40*1dcdf01fSchristos 41*1dcdf01fSchristos int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, 42*1dcdf01fSchristos ASN1_OBJECT *policy); 43*1dcdf01fSchristos int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, 44*1dcdf01fSchristos STACK_OF(ASN1_OBJECT) *policies); 45*1dcdf01fSchristos 46*1dcdf01fSchristos void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); 47*1dcdf01fSchristos int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); 48*1dcdf01fSchristos 49*1dcdf01fSchristos void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, 50*1dcdf01fSchristos int auth_level); 51*1dcdf01fSchristos int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); 52*1dcdf01fSchristos 53*1dcdf01fSchristos int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, 54*1dcdf01fSchristos const char *name, size_t namelen); 55*1dcdf01fSchristos int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 56*1dcdf01fSchristos const char *name, size_t namelen); 57*1dcdf01fSchristos void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, 58*1dcdf01fSchristos unsigned int flags); 59*1dcdf01fSchristos unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); 60*1dcdf01fSchristos char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); 61*1dcdf01fSchristos int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, 62*1dcdf01fSchristos const char *email, size_t emaillen); 63*1dcdf01fSchristos int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, 64*1dcdf01fSchristos const unsigned char *ip, size_t iplen); 65*1dcdf01fSchristos int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); 66*1dcdf01fSchristos 67*1dcdf01fSchristos=head1 DESCRIPTION 68*1dcdf01fSchristos 69*1dcdf01fSchristosThese functions manipulate the B<X509_VERIFY_PARAM> structure associated with 70*1dcdf01fSchristosa certificate verification operation. 71*1dcdf01fSchristos 72*1dcdf01fSchristosThe X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring 73*1dcdf01fSchristosit with B<flags>. See the B<VERIFICATION FLAGS> section for a complete 74*1dcdf01fSchristosdescription of values the B<flags> parameter can take. 75*1dcdf01fSchristos 76*1dcdf01fSchristosX509_VERIFY_PARAM_get_flags() returns the flags in B<param>. 77*1dcdf01fSchristos 78*1dcdf01fSchristosX509_VERIFY_PARAM_get_inh_flags() returns the inheritance flags in B<param> 79*1dcdf01fSchristoswhich specifies how verification flags are copied from one structure to 80*1dcdf01fSchristosanother. X509_VERIFY_PARAM_set_inh_flags() sets the inheritance flags. 81*1dcdf01fSchristosSee the B<INHERITANCE FLAGS> section for a description of these bits. 82*1dcdf01fSchristos 83*1dcdf01fSchristosX509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>. 84*1dcdf01fSchristos 85*1dcdf01fSchristosX509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> 86*1dcdf01fSchristosto B<purpose>. This determines the acceptable purpose of the certificate 87*1dcdf01fSchristoschain, for example SSL client or SSL server. 88*1dcdf01fSchristos 89*1dcdf01fSchristosX509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to 90*1dcdf01fSchristosB<trust>. 91*1dcdf01fSchristos 92*1dcdf01fSchristosX509_VERIFY_PARAM_set_time() sets the verification time in B<param> to 93*1dcdf01fSchristosB<t>. Normally the current time is used. 94*1dcdf01fSchristos 95*1dcdf01fSchristosX509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled 96*1dcdf01fSchristosby default) and adds B<policy> to the acceptable policy set. 97*1dcdf01fSchristos 98*1dcdf01fSchristosX509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled 99*1dcdf01fSchristosby default) and sets the acceptable policy set to B<policies>. Any existing 100*1dcdf01fSchristospolicy set is cleared. The B<policies> parameter can be B<NULL> to clear 101*1dcdf01fSchristosan existing policy set. 102*1dcdf01fSchristos 103*1dcdf01fSchristosX509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. 104*1dcdf01fSchristosThat is the maximum number of intermediate CA certificates that can appear in a 105*1dcdf01fSchristoschain. 106*1dcdf01fSchristosA maximal depth chain contains 2 more certificates than the limit, since 107*1dcdf01fSchristosneither the end-entity certificate nor the trust-anchor count against this 108*1dcdf01fSchristoslimit. 109*1dcdf01fSchristosThus a B<depth> limit of 0 only allows the end-entity certificate to be signed 110*1dcdf01fSchristosdirectly by the trust-anchor, while with a B<depth> limit of 1 there can be one 111*1dcdf01fSchristosintermediate CA certificate between the trust-anchor and the end-entity 112*1dcdf01fSchristoscertificate. 113*1dcdf01fSchristos 114*1dcdf01fSchristosX509_VERIFY_PARAM_set_auth_level() sets the authentication security level to 115*1dcdf01fSchristosB<auth_level>. 116*1dcdf01fSchristosThe authentication security level determines the acceptable signature and public 117*1dcdf01fSchristoskey strength when verifying certificate chains. 118*1dcdf01fSchristosFor a certificate chain to validate, the public keys of all the certificates 119*1dcdf01fSchristosmust meet the specified security level. 120*1dcdf01fSchristosThe signature algorithm security level is not enforced for the chain's I<trust 121*1dcdf01fSchristosanchor> certificate, which is either directly trusted or validated by means other 122*1dcdf01fSchristosthan its signature. 123*1dcdf01fSchristosSee L<SSL_CTX_set_security_level(3)> for the definitions of the available 124*1dcdf01fSchristoslevels. 125*1dcdf01fSchristosThe default security level is -1, or "not set". 126*1dcdf01fSchristosAt security level 0 or lower all algorithms are acceptable. 127*1dcdf01fSchristosSecurity level 1 requires at least 80-bit-equivalent security and is broadly 128*1dcdf01fSchristosinteroperable, though it will, for example, reject MD5 signatures or RSA keys 129*1dcdf01fSchristosshorter than 1024 bits. 130*1dcdf01fSchristos 131*1dcdf01fSchristosX509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to 132*1dcdf01fSchristosB<name> clearing any previously specified hostname or names. If 133*1dcdf01fSchristosB<name> is NULL, or empty the list of hostnames is cleared, and 134*1dcdf01fSchristosname checks are not performed on the peer certificate. If B<name> 135*1dcdf01fSchristosis NUL-terminated, B<namelen> may be zero, otherwise B<namelen> 136*1dcdf01fSchristosmust be set to the length of B<name>. 137*1dcdf01fSchristos 138*1dcdf01fSchristosWhen a hostname is specified, 139*1dcdf01fSchristoscertificate verification automatically invokes L<X509_check_host(3)> 140*1dcdf01fSchristoswith flags equal to the B<flags> argument given to 141*1dcdf01fSchristosX509_VERIFY_PARAM_set_hostflags() (default zero). Applications 142*1dcdf01fSchristosare strongly advised to use this interface in preference to explicitly 143*1dcdf01fSchristoscalling L<X509_check_host(3)>, hostname checks may be out of scope 144*1dcdf01fSchristoswith the DANE-EE(3) certificate usage, and the internal check will 145*1dcdf01fSchristosbe suppressed as appropriate when DANE verification is enabled. 146*1dcdf01fSchristos 147*1dcdf01fSchristosWhen the subject CommonName will not be ignored, whether as a result of the 148*1dcdf01fSchristosB<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> host flag, or because no DNS subject 149*1dcdf01fSchristosalternative names are present in the certificate, any DNS name constraints in 150*1dcdf01fSchristosissuer certificates apply to the subject CommonName as well as the subject 151*1dcdf01fSchristosalternative name extension. 152*1dcdf01fSchristos 153*1dcdf01fSchristosWhen the subject CommonName will be ignored, whether as a result of the 154*1dcdf01fSchristosB<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> host flag, or because some DNS subject 155*1dcdf01fSchristosalternative names are present in the certificate, DNS name constraints in 156*1dcdf01fSchristosissuer certificates will not be applied to the subject DN. 157*1dcdf01fSchristosAs described in X509_check_host(3) the B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> 158*1dcdf01fSchristosflag takes precedence over the B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag. 159*1dcdf01fSchristos 160*1dcdf01fSchristosX509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a 161*1dcdf01fSchristoscall to X509_VERIFY_PARAM_set_hostflags(). 162*1dcdf01fSchristos 163*1dcdf01fSchristosX509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference 164*1dcdf01fSchristosidentifier that can match the peer's certificate. Any previous names 165*1dcdf01fSchristosset via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host() 166*1dcdf01fSchristosare retained, no change is made if B<name> is NULL or empty. When 167*1dcdf01fSchristosmultiple names are configured, the peer is considered verified when 168*1dcdf01fSchristosany name matches. 169*1dcdf01fSchristos 170*1dcdf01fSchristosX509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject 171*1dcdf01fSchristosCommonName from the peer certificate that matched one of the reference 172*1dcdf01fSchristosidentifiers. When wildcard matching is not disabled, or when a 173*1dcdf01fSchristosreference identifier specifies a parent domain (starts with ".") 174*1dcdf01fSchristosrather than a hostname, the peer name may be a wildcard name or a 175*1dcdf01fSchristossub-domain of the reference identifier respectively. The return 176*1dcdf01fSchristosstring is allocated by the library and is no longer valid once the 177*1dcdf01fSchristosassociated B<param> argument is freed. Applications must not free 178*1dcdf01fSchristosthe return value. 179*1dcdf01fSchristos 180*1dcdf01fSchristosX509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to 181*1dcdf01fSchristosB<email>. If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise 182*1dcdf01fSchristosB<emaillen> must be set to the length of B<email>. When an email address 183*1dcdf01fSchristosis specified, certificate verification automatically invokes 184*1dcdf01fSchristosL<X509_check_email(3)>. 185*1dcdf01fSchristos 186*1dcdf01fSchristosX509_VERIFY_PARAM_set1_ip() sets the expected IP address to B<ip>. 187*1dcdf01fSchristosThe B<ip> argument is in binary format, in network byte-order and 188*1dcdf01fSchristosB<iplen> must be set to 4 for IPv4 and 16 for IPv6. When an IP 189*1dcdf01fSchristosaddress is specified, certificate verification automatically invokes 190*1dcdf01fSchristosL<X509_check_ip(3)>. 191*1dcdf01fSchristos 192*1dcdf01fSchristosX509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to 193*1dcdf01fSchristosB<ipasc>. The B<ipasc> argument is a NUL-terminal ASCII string: 194*1dcdf01fSchristosdotted decimal quad for IPv4 and colon-separated hexadecimal for 195*1dcdf01fSchristosIPv6. The condensed "::" notation is supported for IPv6 addresses. 196*1dcdf01fSchristos 197*1dcdf01fSchristos=head1 RETURN VALUES 198*1dcdf01fSchristos 199*1dcdf01fSchristosX509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), 200*1dcdf01fSchristosX509_VERIFY_PARAM_set_inh_flags(), 201*1dcdf01fSchristosX509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), 202*1dcdf01fSchristosX509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(), 203*1dcdf01fSchristosX509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_add1_host(), 204*1dcdf01fSchristosX509_VERIFY_PARAM_set1_email(), X509_VERIFY_PARAM_set1_ip() and 205*1dcdf01fSchristosX509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for 206*1dcdf01fSchristosfailure. 207*1dcdf01fSchristos 208*1dcdf01fSchristosX509_VERIFY_PARAM_get_flags() returns the current verification flags. 209*1dcdf01fSchristos 210*1dcdf01fSchristosX509_VERIFY_PARAM_get_hostflags() returns any current host flags. 211*1dcdf01fSchristos 212*1dcdf01fSchristosX509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags. 213*1dcdf01fSchristos 214*1dcdf01fSchristosX509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return 215*1dcdf01fSchristosvalues. 216*1dcdf01fSchristos 217*1dcdf01fSchristosX509_VERIFY_PARAM_get_depth() returns the current verification depth. 218*1dcdf01fSchristos 219*1dcdf01fSchristosX509_VERIFY_PARAM_get_auth_level() returns the current authentication security 220*1dcdf01fSchristoslevel. 221*1dcdf01fSchristos 222*1dcdf01fSchristos=head1 VERIFICATION FLAGS 223*1dcdf01fSchristos 224*1dcdf01fSchristosThe verification flags consists of zero or more of the following flags 225*1dcdf01fSchristosored together. 226*1dcdf01fSchristos 227*1dcdf01fSchristosB<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf 228*1dcdf01fSchristoscertificate. An error occurs if a suitable CRL cannot be found. 229*1dcdf01fSchristos 230*1dcdf01fSchristosB<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate 231*1dcdf01fSchristoschain. 232*1dcdf01fSchristos 233*1dcdf01fSchristosB<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default 234*1dcdf01fSchristosany unhandled critical extensions in certificates or (if checked) CRLs results 235*1dcdf01fSchristosin a fatal error. If this flag is set unhandled critical extensions are 236*1dcdf01fSchristosignored. B<WARNING> setting this option for anything other than debugging 237*1dcdf01fSchristospurposes can be a security risk. Finer control over which extensions are 238*1dcdf01fSchristossupported can be performed in the verification callback. 239*1dcdf01fSchristos 240*1dcdf01fSchristosThe B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken 241*1dcdf01fSchristoscertificates and makes the verification strictly apply B<X509> rules. 242*1dcdf01fSchristos 243*1dcdf01fSchristosB<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. 244*1dcdf01fSchristos 245*1dcdf01fSchristosB<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default 246*1dcdf01fSchristosno policy checking is performed. Additional information is sent to the 247*1dcdf01fSchristosverification callback relating to policy checking. 248*1dcdf01fSchristos 249*1dcdf01fSchristosB<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and 250*1dcdf01fSchristosB<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any 251*1dcdf01fSchristospolicy> and B<inhibit policy mapping> flags respectively as defined in 252*1dcdf01fSchristosB<RFC3280>. Policy checking is automatically enabled if any of these flags 253*1dcdf01fSchristosare set. 254*1dcdf01fSchristos 255*1dcdf01fSchristosIf B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful 256*1dcdf01fSchristosa special status code is set to the verification callback. This permits it 257*1dcdf01fSchristosto examine the valid policy tree and perform additional checks or simply 258*1dcdf01fSchristoslog it for debugging purposes. 259*1dcdf01fSchristos 260*1dcdf01fSchristosBy default some additional features such as indirect CRLs and CRLs signed by 261*1dcdf01fSchristosdifferent keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set 262*1dcdf01fSchristosthey are enabled. 263*1dcdf01fSchristos 264*1dcdf01fSchristosIf B<X509_V_FLAG_USE_DELTAS> is set delta CRLs (if present) are used to 265*1dcdf01fSchristosdetermine certificate status. If not set deltas are ignored. 266*1dcdf01fSchristos 267*1dcdf01fSchristosB<X509_V_FLAG_CHECK_SS_SIGNATURE> requests checking the signature of 268*1dcdf01fSchristosthe last certificate in a chain if the certificate is supposedly self-signed. 269*1dcdf01fSchristosThis is prohibited and will result in an error if it is a non-conforming CA 270*1dcdf01fSchristoscertificate with key usage restrictions not including the keyCertSign bit. 271*1dcdf01fSchristosBy default this check is disabled because it doesn't 272*1dcdf01fSchristosadd any additional security but in some cases applications might want to 273*1dcdf01fSchristoscheck the signature anyway. A side effect of not checking the self-signature 274*1dcdf01fSchristosof such a certificate is that disabled or unsupported message digests used for 275*1dcdf01fSchristosthe signature are not treated as fatal errors. 276*1dcdf01fSchristos 277*1dcdf01fSchristosWhen B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain 278*1dcdf01fSchristosin L<X509_verify_cert(3)> will search the trust store for issuer certificates 279*1dcdf01fSchristosbefore searching the provided untrusted certificates. 280*1dcdf01fSchristosLocal issuer certificates are often more likely to satisfy local security 281*1dcdf01fSchristosrequirements and lead to a locally trusted root. 282*1dcdf01fSchristosThis is especially important when some certificates in the trust store have 283*1dcdf01fSchristosexplicit trust settings (see "TRUST SETTINGS" in L<x509(1)>). 284*1dcdf01fSchristosAs of OpenSSL 1.1.0 this option is on by default. 285*1dcdf01fSchristos 286*1dcdf01fSchristosThe B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative 287*1dcdf01fSchristoschains. 288*1dcdf01fSchristosBy default, unless B<X509_V_FLAG_TRUSTED_FIRST> is set, when building a 289*1dcdf01fSchristoscertificate chain, if the first certificate chain found is not trusted, then 290*1dcdf01fSchristosOpenSSL will attempt to replace untrusted certificates supplied by the peer 291*1dcdf01fSchristoswith certificates from the trust store to see if an alternative chain can be 292*1dcdf01fSchristosfound that is trusted. 293*1dcdf01fSchristosAs of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option 294*1dcdf01fSchristoshas no effect. 295*1dcdf01fSchristos 296*1dcdf01fSchristosThe B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the 297*1dcdf01fSchristostrust store to be treated as trust-anchors, in the same way as the self-signed 298*1dcdf01fSchristosroot CA certificates. 299*1dcdf01fSchristosThis makes it possible to trust certificates issued by an intermediate CA 300*1dcdf01fSchristoswithout having to trust its ancestor root CA. 301*1dcdf01fSchristosWith OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain 302*1dcdf01fSchristosconstruction stops as soon as the first certificate from the trust store is 303*1dcdf01fSchristosadded to the chain, whether that certificate is a self-signed "root" 304*1dcdf01fSchristoscertificate or a not self-signed intermediate certificate. 305*1dcdf01fSchristosThus, when an intermediate certificate is found in the trust store, the 306*1dcdf01fSchristosverified chain passed to callbacks may be shorter than it otherwise would 307*1dcdf01fSchristosbe without the B<X509_V_FLAG_PARTIAL_CHAIN> flag. 308*1dcdf01fSchristos 309*1dcdf01fSchristosThe B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period 310*1dcdf01fSchristosof certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() 311*1dcdf01fSchristosis used to specify a verification time, the check is not suppressed. 312*1dcdf01fSchristos 313*1dcdf01fSchristos=head1 INHERITANCE FLAGS 314*1dcdf01fSchristos 315*1dcdf01fSchristosThese flags specify how parameters are "inherited" from one structure to 316*1dcdf01fSchristosanother. 317*1dcdf01fSchristos 318*1dcdf01fSchristosIf B<X509_VP_FLAG_ONCE> is set then the current setting is zeroed 319*1dcdf01fSchristosafter the next call. 320*1dcdf01fSchristos 321*1dcdf01fSchristosIf B<X509_VP_FLAG_LOCKED> is set then no values are copied. This overrides 322*1dcdf01fSchristosall of the following flags. 323*1dcdf01fSchristos 324*1dcdf01fSchristosIf B<X509_VP_FLAG_DEFAULT> is set then anything set in the source is copied 325*1dcdf01fSchristosto the destination. Effectively the values in "to" become default values 326*1dcdf01fSchristoswhich will be used only if nothing new is set in "from". This is the 327*1dcdf01fSchristosdefault. 328*1dcdf01fSchristos 329*1dcdf01fSchristosIf B<X509_VP_FLAG_OVERWRITE> is set then all value are copied across whether 330*1dcdf01fSchristosthey are set or not. Flags is still Ored though. 331*1dcdf01fSchristos 332*1dcdf01fSchristosIf B<X509_VP_FLAG_RESET_FLAGS> is set then the flags value is copied instead 333*1dcdf01fSchristosof ORed. 334*1dcdf01fSchristos 335*1dcdf01fSchristos=head1 NOTES 336*1dcdf01fSchristos 337*1dcdf01fSchristosThe above functions should be used to manipulate verification parameters 338*1dcdf01fSchristosinstead of functions which work in specific structures such as 339*1dcdf01fSchristosX509_STORE_CTX_set_flags() which are likely to be deprecated in a future 340*1dcdf01fSchristosrelease. 341*1dcdf01fSchristos 342*1dcdf01fSchristos=head1 BUGS 343*1dcdf01fSchristos 344*1dcdf01fSchristosDelta CRL checking is currently primitive. Only a single delta can be used and 345*1dcdf01fSchristos(partly due to limitations of B<X509_STORE>) constructed CRLs are not 346*1dcdf01fSchristosmaintained. 347*1dcdf01fSchristos 348*1dcdf01fSchristosIf CRLs checking is enable CRLs are expected to be available in the 349*1dcdf01fSchristoscorresponding B<X509_STORE> structure. No attempt is made to download 350*1dcdf01fSchristosCRLs from the CRL distribution points extension. 351*1dcdf01fSchristos 352*1dcdf01fSchristos=head1 EXAMPLES 353*1dcdf01fSchristos 354*1dcdf01fSchristosEnable CRL checking when performing certificate verification during SSL 355*1dcdf01fSchristosconnections associated with an B<SSL_CTX> structure B<ctx>: 356*1dcdf01fSchristos 357*1dcdf01fSchristos X509_VERIFY_PARAM *param; 358*1dcdf01fSchristos 359*1dcdf01fSchristos param = X509_VERIFY_PARAM_new(); 360*1dcdf01fSchristos X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); 361*1dcdf01fSchristos SSL_CTX_set1_param(ctx, param); 362*1dcdf01fSchristos X509_VERIFY_PARAM_free(param); 363*1dcdf01fSchristos 364*1dcdf01fSchristos=head1 SEE ALSO 365*1dcdf01fSchristos 366*1dcdf01fSchristosL<X509_verify_cert(3)>, 367*1dcdf01fSchristosL<X509_check_host(3)>, 368*1dcdf01fSchristosL<X509_check_email(3)>, 369*1dcdf01fSchristosL<X509_check_ip(3)>, 370*1dcdf01fSchristosL<x509(1)> 371*1dcdf01fSchristos 372*1dcdf01fSchristos=head1 HISTORY 373*1dcdf01fSchristos 374*1dcdf01fSchristosThe B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0. 375*1dcdf01fSchristosThe flag B<X509_V_FLAG_CB_ISSUER_CHECK> was deprecated in OpenSSL 1.1.0 376*1dcdf01fSchristosand has no effect. 377*1dcdf01fSchristos 378*1dcdf01fSchristosThe X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. 379*1dcdf01fSchristos 380*1dcdf01fSchristos=head1 COPYRIGHT 381*1dcdf01fSchristos 382*1dcdf01fSchristosCopyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. 383*1dcdf01fSchristos 384*1dcdf01fSchristosLicensed under the OpenSSL license (the "License"). You may not use 385*1dcdf01fSchristosthis file except in compliance with the License. You can obtain a copy 386*1dcdf01fSchristosin the file LICENSE in the source distribution or at 387*1dcdf01fSchristosL<https://www.openssl.org/source/license.html>. 388*1dcdf01fSchristos 389*1dcdf01fSchristos=cut 390