Commit 017a06c7 authored by Matt Caswell's avatar Matt Caswell
Browse files

Add -no_alt_chains option to apps to implement the new 


X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent dfd3322d

apps/apps.c

+2 −0
Original line number Diff line number Diff line
@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *pargc, 
        flags |= X509_V_FLAG_SUITEB_192_LOS;

    else if (!strcmp(arg, "-partial_chain"))

        flags |= X509_V_FLAG_PARTIAL_CHAIN;

    else if (!strcmp(arg, "-no_alt_chains"))

        flags |= X509_V_FLAG_NO_ALT_CHAINS;

    else

        return 0;

apps/cms.c

+2 −0
Original line number Diff line number Diff line
@@ -645,6 +645,8 @@ int MAIN(int argc, char **argv) 
        BIO_printf(bio_err,

                   "-CApath dir    trusted certificates directory\n");

        BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");

        BIO_printf(bio_err,

                   "-no_alt_chains only ever use the first certificate chain found\n");

        BIO_printf(bio_err,

                   "-crl_check     check revocation status of signer's certificate using CRLs\n");

        BIO_printf(bio_err,

apps/ocsp.c

+2 −0
Original line number Diff line number Diff line
@@ -535,6 +535,8 @@ int MAIN(int argc, char **argv) 
                   "-CApath dir          trusted certificates directory\n");

        BIO_printf(bio_err,

                   "-CAfile file         trusted certificates file\n");

        BIO_printf(bio_err,

                   "-no_alt_chains       only ever use the first certificate chain found\n");

        BIO_printf(bio_err,

                   "-VAfile file         validator certificates file\n");

        BIO_printf(bio_err,

apps/s_client.c

+2 −0
Original line number Diff line number Diff line
@@ -331,6 +331,8 @@ static void sc_usage(void) 
               " -pass arg     - private key file pass phrase source\n");

    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");

    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");

    BIO_printf(bio_err,

               " -no_alt_chains - only ever use the first certificate chain found\n");

    BIO_printf(bio_err,

               " -reconnect    - Drop and re-make the connection with the same Session-ID\n");

    BIO_printf(bio_err,

apps/s_server.c

+2 −0
Original line number Diff line number Diff line
@@ -553,6 +553,8 @@ static void sv_usage(void) 
    BIO_printf(bio_err, " -state        - Print the SSL states\n");

    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");

    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");

    BIO_printf(bio_err,

               " -no_alt_chains - only ever use the first certificate chain found\n");

    BIO_printf(bio_err,

               " -nocert       - Don't use any certificates (Anon-DH)\n");

    BIO_printf(bio_err,