387 lines
20 KiB
HTML
Executable File
387 lines
20 KiB
HTML
Executable File
<?xml version="1.0" ?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>X509_VERIFY_PARAM_set_flags</title>
|
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
|
<link rev="made" href="mailto:root@localhost" />
|
|
</head>
|
|
|
|
<body style="background-color: white">
|
|
|
|
|
|
<!-- INDEX BEGIN -->
|
|
<div name="index">
|
|
<p><a name="__index__"></a></p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="#name">NAME</a></li>
|
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
|
<li><a href="#description">DESCRIPTION</a></li>
|
|
<li><a href="#return_values">RETURN VALUES</a></li>
|
|
<li><a href="#verification_flags">VERIFICATION FLAGS</a></li>
|
|
<li><a href="#inheritance_flags">INHERITANCE FLAGS</a></li>
|
|
<li><a href="#notes">NOTES</a></li>
|
|
<li><a href="#bugs">BUGS</a></li>
|
|
<li><a href="#examples">EXAMPLES</a></li>
|
|
<li><a href="#see_also">SEE ALSO</a></li>
|
|
<li><a href="#history">HISTORY</a></li>
|
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
|
</ul>
|
|
|
|
<hr name="index" />
|
|
</div>
|
|
<!-- INDEX END -->
|
|
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="name">NAME</a></h1>
|
|
<p>X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
|
|
X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
|
|
X509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags,
|
|
X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
|
|
X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level,
|
|
X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time,
|
|
X509_VERIFY_PARAM_get_time,
|
|
X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies,
|
|
X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
|
|
X509_VERIFY_PARAM_set_hostflags,
|
|
X509_VERIFY_PARAM_get_hostflags,
|
|
X509_VERIFY_PARAM_get0_peername,
|
|
X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip,
|
|
X509_VERIFY_PARAM_set1_ip_asc
|
|
- X509 verification parameters</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
|
<pre>
|
|
#include <openssl/x509_vfy.h></pre>
|
|
<pre>
|
|
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
|
|
unsigned long flags);
|
|
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
|
|
unsigned long flags);
|
|
unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param);</pre>
|
|
<pre>
|
|
int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param,
|
|
uint32_t flags);
|
|
uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param);</pre>
|
|
<pre>
|
|
int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
|
|
int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);</pre>
|
|
<pre>
|
|
void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
|
|
time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param);</pre>
|
|
<pre>
|
|
int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
|
|
ASN1_OBJECT *policy);
|
|
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
|
|
STACK_OF(ASN1_OBJECT) *policies);</pre>
|
|
<pre>
|
|
void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
|
|
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);</pre>
|
|
<pre>
|
|
void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param,
|
|
int auth_level);
|
|
int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param);</pre>
|
|
<pre>
|
|
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
|
const char *name, size_t namelen);
|
|
int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
|
|
const char *name, size_t namelen);
|
|
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
|
|
unsigned int flags);
|
|
unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
|
|
char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
|
|
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
|
|
const char *email, size_t emaillen);
|
|
int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
|
|
const unsigned char *ip, size_t iplen);
|
|
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);</pre>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="description">DESCRIPTION</a></h1>
|
|
<p>These functions manipulate the <strong>X509_VERIFY_PARAM</strong> structure associated with
|
|
a certificate verification operation.</p>
|
|
<p>The X509_VERIFY_PARAM_set_flags() function sets the flags in <strong>param</strong> by oring
|
|
it with <strong>flags</strong>. See the <strong>VERIFICATION FLAGS</strong> section for a complete
|
|
description of values the <strong>flags</strong> parameter can take.</p>
|
|
<p>X509_VERIFY_PARAM_get_flags() returns the flags in <strong>param</strong>.</p>
|
|
<p>X509_VERIFY_PARAM_get_inh_flags() returns the inheritance flags in <strong>param</strong>
|
|
which specifies how verification flags are copied from one structure to
|
|
another. X509_VERIFY_PARAM_set_inh_flags() sets the inheritance flags.
|
|
See the <strong>INHERITANCE FLAGS</strong> section for a description of these bits.</p>
|
|
<p>X509_VERIFY_PARAM_clear_flags() clears the flags <strong>flags</strong> in <strong>param</strong>.</p>
|
|
<p>X509_VERIFY_PARAM_set_purpose() sets the verification purpose in <strong>param</strong>
|
|
to <strong>purpose</strong>. This determines the acceptable purpose of the certificate
|
|
chain, for example SSL client or SSL server.</p>
|
|
<p>X509_VERIFY_PARAM_set_trust() sets the trust setting in <strong>param</strong> to
|
|
<strong>trust</strong>.</p>
|
|
<p>X509_VERIFY_PARAM_set_time() sets the verification time in <strong>param</strong> to
|
|
<strong>t</strong>. Normally the current time is used.</p>
|
|
<p>X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
|
|
by default) and adds <strong>policy</strong> to the acceptable policy set.</p>
|
|
<p>X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
|
|
by default) and sets the acceptable policy set to <strong>policies</strong>. Any existing
|
|
policy set is cleared. The <strong>policies</strong> parameter can be <strong>NULL</strong> to clear
|
|
an existing policy set.</p>
|
|
<p>X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to <strong>depth</strong>.
|
|
That is the maximum number of intermediate CA certificates that can appear in a
|
|
chain.
|
|
A maximal depth chain contains 2 more certificates than the limit, since
|
|
neither the end-entity certificate nor the trust-anchor count against this
|
|
limit.
|
|
Thus a <strong>depth</strong> limit of 0 only allows the end-entity certificate to be signed
|
|
directly by the trust-anchor, while with a <strong>depth</strong> limit of 1 there can be one
|
|
intermediate CA certificate between the trust-anchor and the end-entity
|
|
certificate.</p>
|
|
<p>X509_VERIFY_PARAM_set_auth_level() sets the authentication security level to
|
|
<strong>auth_level</strong>.
|
|
The authentication security level determines the acceptable signature and public
|
|
key strength when verifying certificate chains.
|
|
For a certificate chain to validate, the public keys of all the certificates
|
|
must meet the specified security level.
|
|
The signature algorithm security level is not enforced for the chain's <em>trust
|
|
anchor</em> certificate, which is either directly trusted or validated by means other
|
|
than its signature.
|
|
See <em>SSL_CTX_set_security_level(3)</em> for the definitions of the available
|
|
levels.
|
|
The default security level is -1, or "not set".
|
|
At security level 0 or lower all algorithms are acceptable.
|
|
Security level 1 requires at least 80-bit-equivalent security and is broadly
|
|
interoperable, though it will, for example, reject MD5 signatures or RSA keys
|
|
shorter than 1024 bits.</p>
|
|
<p>X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
|
|
<strong>name</strong> clearing any previously specified hostname. If
|
|
<strong>name</strong> is NULL, or empty the list of hostnames is cleared, and
|
|
name checks are not performed on the peer certificate. If <strong>name</strong>
|
|
is NUL-terminated, <strong>namelen</strong> may be zero, otherwise <strong>namelen</strong>
|
|
must be set to the length of <strong>name</strong>.</p>
|
|
<p>When a hostname is specified,
|
|
certificate verification automatically invokes <em>X509_check_host(3)</em>
|
|
with flags equal to the <strong>flags</strong> argument given to
|
|
X509_VERIFY_PARAM_set_hostflags() (default zero). Applications
|
|
are strongly advised to use this interface in preference to explicitly
|
|
calling <em>X509_check_host(3)</em>, hostname checks may be out of scope
|
|
with the DANE-EE(3) certificate usage, and the internal check will
|
|
be suppressed as appropriate when DANE verification is enabled.</p>
|
|
<p>When the subject CommonName will not be ignored, whether as a result of the
|
|
<strong>X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT</strong> host flag, or because no DNS subject
|
|
alternative names are present in the certificate, any DNS name constraints in
|
|
issuer certificates apply to the subject CommonName as well as the subject
|
|
alternative name extension.</p>
|
|
<p>When the subject CommonName will be ignored, whether as a result of the
|
|
<strong>X509_CHECK_FLAG_NEVER_CHECK_SUBJECT</strong> host flag, or because some DNS subject
|
|
alternative names are present in the certificate, DNS name constraints in
|
|
issuer certificates will not be applied to the subject DN.
|
|
As described in X509_check_host(3) the <strong>X509_CHECK_FLAG_NEVER_CHECK_SUBJECT</strong>
|
|
flag takes precedence over the <strong>X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT</strong> flag.</p>
|
|
<p>X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a
|
|
call to X509_VERIFY_PARAM_set_hostflags().</p>
|
|
<p>X509_VERIFY_PARAM_add1_host() adds <strong>name</strong> as an additional reference
|
|
identifier that can match the peer's certificate. Any previous names
|
|
set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host()
|
|
are retained, no change is made if <strong>name</strong> is NULL or empty. When
|
|
multiple names are configured, the peer is considered verified when
|
|
any name matches.</p>
|
|
<p>X509_VERIFY_PARAM_get0_peername() returns the DNS hostname or subject
|
|
CommonName from the peer certificate that matched one of the reference
|
|
identifiers. When wildcard matching is not disabled, or when a
|
|
reference identifier specifies a parent domain (starts with ".")
|
|
rather than a hostname, the peer name may be a wildcard name or a
|
|
sub-domain of the reference identifier respectively. The return
|
|
string is allocated by the library and is no longer valid once the
|
|
associated <strong>param</strong> argument is freed. Applications must not free
|
|
the return value.</p>
|
|
<p>X509_VERIFY_PARAM_set1_email() sets the expected <a href="http://www.ietf.org/rfc/rfc822.txt" class="rfc">RFC822</a> email address to
|
|
<strong>email</strong>. If <strong>email</strong> is NUL-terminated, <strong>emaillen</strong> may be zero, otherwise
|
|
<strong>emaillen</strong> must be set to the length of <strong>email</strong>. When an email address
|
|
is specified, certificate verification automatically invokes
|
|
<em>X509_check_email(3)</em>.</p>
|
|
<p>X509_VERIFY_PARAM_set1_ip() sets the expected IP address to <strong>ip</strong>.
|
|
The <strong>ip</strong> argument is in binary format, in network byte-order and
|
|
<strong>iplen</strong> must be set to 4 for IPv4 and 16 for IPv6. When an IP
|
|
address is specified, certificate verification automatically invokes
|
|
<em>X509_check_ip(3)</em>.</p>
|
|
<p>X509_VERIFY_PARAM_set1_ip_asc() sets the expected IP address to
|
|
<strong>ipasc</strong>. The <strong>ipasc</strong> argument is a NUL-terminal ASCII string:
|
|
dotted decimal quad for IPv4 and colon-separated hexadecimal for
|
|
IPv6. The condensed "::" notation is supported for IPv6 addresses.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="return_values">RETURN VALUES</a></h1>
|
|
<p>X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(),
|
|
X509_VERIFY_PARAM_set_inh_flags(),
|
|
X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(),
|
|
X509_VERIFY_PARAM_add0_policy() X509_VERIFY_PARAM_set1_policies(),
|
|
X509_VERIFY_PARAM_set1_host(), X509_VERIFY_PARAM_add1_host(),
|
|
X509_VERIFY_PARAM_set1_email(), X509_VERIFY_PARAM_set1_ip() and
|
|
X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for
|
|
failure.</p>
|
|
<p>X509_VERIFY_PARAM_get_flags() returns the current verification flags.</p>
|
|
<p>X509_VERIFY_PARAM_get_hostflags() returns any current host flags.</p>
|
|
<p>X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags.</p>
|
|
<p>X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return
|
|
values.</p>
|
|
<p>X509_VERIFY_PARAM_get_depth() returns the current verification depth.</p>
|
|
<p>X509_VERIFY_PARAM_get_auth_level() returns the current authentication security
|
|
level.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="verification_flags">VERIFICATION FLAGS</a></h1>
|
|
<p>The verification flags consists of zero or more of the following flags
|
|
ored together.</p>
|
|
<p><strong>X509_V_FLAG_CRL_CHECK</strong> enables CRL checking for the certificate chain leaf
|
|
certificate. An error occurs if a suitable CRL cannot be found.</p>
|
|
<p><strong>X509_V_FLAG_CRL_CHECK_ALL</strong> enables CRL checking for the entire certificate
|
|
chain.</p>
|
|
<p><strong>X509_V_FLAG_IGNORE_CRITICAL</strong> disabled critical extension checking. By default
|
|
any unhandled critical extensions in certificates or (if checked) CRLs results
|
|
in a fatal error. If this flag is set unhandled critical extensions are
|
|
ignored. <strong>WARNING</strong> setting this option for anything other than debugging
|
|
purposes can be a security risk. Finer control over which extensions are
|
|
supported can be performed in the verification callback.</p>
|
|
<p>The <strong>X509_V_FLAG_X509_STRICT</strong> flag disables workarounds for some broken
|
|
certificates and makes the verification strictly apply <strong>X509</strong> rules.</p>
|
|
<p><strong>X509_V_FLAG_ALLOW_PROXY_CERTS</strong> enables proxy certificate verification.</p>
|
|
<p><strong>X509_V_FLAG_POLICY_CHECK</strong> enables certificate policy checking, by default
|
|
no policy checking is performed. Additional information is sent to the
|
|
verification callback relating to policy checking.</p>
|
|
<p><strong>X509_V_FLAG_EXPLICIT_POLICY</strong>, <strong>X509_V_FLAG_INHIBIT_ANY</strong> and
|
|
<strong>X509_V_FLAG_INHIBIT_MAP</strong> set the <strong>require explicit policy</strong>, <strong>inhibit any
|
|
policy</strong> and <strong>inhibit policy mapping</strong> flags respectively as defined in
|
|
<strong>RFC3280</strong>. Policy checking is automatically enabled if any of these flags
|
|
are set.</p>
|
|
<p>If <strong>X509_V_FLAG_NOTIFY_POLICY</strong> is set and the policy checking is successful
|
|
a special status code is set to the verification callback. This permits it
|
|
to examine the valid policy tree and perform additional checks or simply
|
|
log it for debugging purposes.</p>
|
|
<p>By default some additional features such as indirect CRLs and CRLs signed by
|
|
different keys are disabled. If <strong>X509_V_FLAG_EXTENDED_CRL_SUPPORT</strong> is set
|
|
they are enabled.</p>
|
|
<p>If <strong>X509_V_FLAG_USE_DELTAS</strong> is set delta CRLs (if present) are used to
|
|
determine certificate status. If not set deltas are ignored.</p>
|
|
<p><strong>X509_V_FLAG_CHECK_SS_SIGNATURE</strong> enables checking of the root CA self signed
|
|
certificate signature. By default this check is disabled because it doesn't
|
|
add any additional security but in some cases applications might want to
|
|
check the signature anyway. A side effect of not checking the root CA
|
|
signature is that disabled or unsupported message digests on the root CA
|
|
are not treated as fatal errors.</p>
|
|
<p>When <strong>X509_V_FLAG_TRUSTED_FIRST</strong> is set, construction of the certificate chain
|
|
in <em>X509_verify_cert(3)</em> will search the trust store for issuer certificates
|
|
before searching the provided untrusted certificates.
|
|
Local issuer certificates are often more likely to satisfy local security
|
|
requirements and lead to a locally trusted root.
|
|
This is especially important when some certificates in the trust store have
|
|
explicit trust settings (see "TRUST SETTINGS" in <em>openssl-x509(1)</em>).
|
|
As of OpenSSL 1.1.0 this option is on by default.</p>
|
|
<p>The <strong>X509_V_FLAG_NO_ALT_CHAINS</strong> flag suppresses checking for alternative
|
|
chains.
|
|
By default, unless <strong>X509_V_FLAG_TRUSTED_FIRST</strong> is set, when building a
|
|
certificate chain, if the first certificate chain found is not trusted, then
|
|
OpenSSL will attempt to replace untrusted certificates supplied by the peer
|
|
with certificates from the trust store to see if an alternative chain can be
|
|
found that is trusted.
|
|
As of OpenSSL 1.1.0, with <strong>X509_V_FLAG_TRUSTED_FIRST</strong> always set, this option
|
|
has no effect.</p>
|
|
<p>The <strong>X509_V_FLAG_PARTIAL_CHAIN</strong> flag causes intermediate certificates in the
|
|
trust store to be treated as trust-anchors, in the same way as the self-signed
|
|
root CA certificates.
|
|
This makes it possible to trust certificates issued by an intermediate CA
|
|
without having to trust its ancestor root CA.
|
|
With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain
|
|
construction stops as soon as the first certificate from the trust store is
|
|
added to the chain, whether that certificate is a self-signed "root"
|
|
certificate or a not self-signed intermediate certificate.
|
|
Thus, when an intermediate certificate is found in the trust store, the
|
|
verified chain passed to callbacks may be shorter than it otherwise would
|
|
be without the <strong>X509_V_FLAG_PARTIAL_CHAIN</strong> flag.</p>
|
|
<p>The <strong>X509_V_FLAG_NO_CHECK_TIME</strong> flag suppresses checking the validity period
|
|
of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
|
|
is used to specify a verification time, the check is not suppressed.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="inheritance_flags">INHERITANCE FLAGS</a></h1>
|
|
<p>These flags specify how parameters are "inherited" from one structure to
|
|
another.</p>
|
|
<p>If <strong>X509_VP_FLAG_ONCE</strong> is set then the current setting is zeroed
|
|
after the next call.</p>
|
|
<p>If <strong>X509_VP_FLAG_LOCKED</strong> is set then no values are copied. This overrides
|
|
all of the following flags.</p>
|
|
<p>If <strong>X509_VP_FLAG_DEFAULT</strong> is set then anything set in the source is copied
|
|
to the destination. Effectively the values in "to" become default values
|
|
which will be used only if nothing new is set in "from". This is the
|
|
default.</p>
|
|
<p>If <strong>X509_VP_FLAG_OVERWRITE</strong> is set then all value are copied across whether
|
|
they are set or not. Flags is still Ored though.</p>
|
|
<p>If <strong>X509_VP_FLAG_RESET_FLAGS</strong> is set then the flags value is copied instead
|
|
of ORed.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="notes">NOTES</a></h1>
|
|
<p>The above functions should be used to manipulate verification parameters
|
|
instead of functions which work in specific structures such as
|
|
X509_STORE_CTX_set_flags() which are likely to be deprecated in a future
|
|
release.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="bugs">BUGS</a></h1>
|
|
<p>Delta CRL checking is currently primitive. Only a single delta can be used and
|
|
(partly due to limitations of <strong>X509_STORE</strong>) constructed CRLs are not
|
|
maintained.</p>
|
|
<p>If CRLs checking is enable CRLs are expected to be available in the
|
|
corresponding <strong>X509_STORE</strong> structure. No attempt is made to download
|
|
CRLs from the CRL distribution points extension.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="examples">EXAMPLES</a></h1>
|
|
<p>Enable CRL checking when performing certificate verification during SSL
|
|
connections associated with an <strong>SSL_CTX</strong> structure <strong>ctx</strong>:</p>
|
|
<pre>
|
|
X509_VERIFY_PARAM *param;</pre>
|
|
<pre>
|
|
param = X509_VERIFY_PARAM_new();
|
|
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
|
|
SSL_CTX_set1_param(ctx, param);
|
|
X509_VERIFY_PARAM_free(param);</pre>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
|
<p><em>X509_verify_cert(3)</em>,
|
|
<em>X509_check_host(3)</em>,
|
|
<em>X509_check_email(3)</em>,
|
|
<em>X509_check_ip(3)</em>,
|
|
<em>openssl-x509(1)</em></p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="history">HISTORY</a></h1>
|
|
<p>The <strong>X509_V_FLAG_NO_ALT_CHAINS</strong> flag was added in OpenSSL 1.1.0.
|
|
The flag <strong>X509_V_FLAG_CB_ISSUER_CHECK</strong> was deprecated in OpenSSL 1.1.0
|
|
and has no effect.</p>
|
|
<p>The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
|
<p>Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved.</p>
|
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
|
|
|
</body>
|
|
|
|
</html>
|