Commit c6a39046 authored by Matt Caswell's avatar Matt Caswell Committed by Kurt Roeckx

Add -no_alt_chains option to apps to implement the new...


Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.

Reviewed-by: default avatarDr. Stephen Henson <steve@openssl.org>
Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c
parent cf1bf3f0
+2 −0
@@ -2238,6 +2238,8 @@ int args_verify(char ***pargs, int *pargc,
        flags |= X509_V_FLAG_NOTIFY_POLICY;
    else if (!strcmp(arg, "-check_ss_sig"))
        flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
    else if (!strcmp(arg, "-no_alt_chains"))
        flags |= X509_V_FLAG_NO_ALT_CHAINS;
    else
        return 0;
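Review bot: The new `-no_alt_chains` branch in args_verify sets a flag that changes when verification fails, but nothing at this point says so; a short comment above it would help, e.g. `/* Use only the first chain found; do not try an alternative chain if it is untrusted */`. Going by the commit description, with this flag an untrusted first chain ends the search, so a certificate that verifies without the option may presumably be rejected with it. Because the option is parsed in this shared helper, every app that calls args_verify presumably accepts it now, so each caller's usage text and documentation should list it; only some usage functions are visible on this page. args_verify starts and ends outside the hunk.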

+2 −0
@@ -580,6 +580,8 @@ int MAIN(int argc, char **argv)
        BIO_printf(bio_err,
                   "-CApath dir    trusted certificates directory\n");
        BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
        BIO_printf(bio_err,
                   "-no_alt_chains only ever use the first certificate chain found\n");
        BIO_printf(bio_err,
                   "-crl_check     check revocation status of signer's certificate using CRLs\n");
        BIO_printf(bio_err,
+2 −0
@@ -518,6 +518,8 @@ int MAIN(int argc, char **argv)
                   "-CApath dir          trusted certificates directory\n");
        BIO_printf(bio_err,
                   "-CAfile file         trusted certificates file\n");
        BIO_printf(bio_err,
                   "-no_alt_chains       only ever use the first certificate chain found\n");
        BIO_printf(bio_err,
                   "-VAfile file         validator certificates file\n");
        BIO_printf(bio_err,
+2 −0
@@ -322,6 +322,8 @@ static void sc_usage(void)
               " -pass arg     - private key file pass phrase source\n");
    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
    BIO_printf(bio_err,
               " -no_alt_chains - only ever use the first certificate chain found\n");
    BIO_printf(bio_err,
               " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
    BIO_printf(bio_err,
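Review bot: The usage line added to sc_usage does not line up with its neighbours: `-no_alt_chains` is one character wider than the option column used by ` -CApath arg   - …`, so the ` - ` separator sits one column to the right. The identical line added to sv_usage has the same offset, whereas the two MAIN usage blocks earlier on the page are padded to match. This is cosmetic only; aligning it would mean re-padding the surrounding lines, which lie partly outside the hunk. sc_usage continues beyond the lines shown.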
+2 −0
@@ -540,6 +540,8 @@ static void sv_usage(void)
    BIO_printf(bio_err, " -state        - Print the SSL states\n");
    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
    BIO_printf(bio_err,
               " -no_alt_chains - only ever use the first certificate chain found\n");
    BIO_printf(bio_err,
               " -nocert       - Don't use any certificates (Anon-DH)\n");
    BIO_printf(bio_err,