From: Hubert Kario Date: Wed, 18 Jun 2014 17:55:03 +0000 (+0200) Subject: Document -trusted_first option in man pages and help. X-Git-Tag: master-post-reformat~689 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=6d3d5793673b225b2347ef45b74d0d9994f3132c Document -trusted_first option in man pages and help. Add -trusted_first description to help messages and man pages of tools that deal with certificate verification. --- diff --git a/apps/cms.c b/apps/cms.c index ddc3d5ec17..bb85a200ed 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -716,6 +716,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-trusted_first use locally trusted certificates first when building trust chain\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); #ifndef OPENSSL_NO_ENGINE diff --git a/apps/ocsp.c b/apps/ocsp.c index 64c31826f3..7968e272d8 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -626,6 +626,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-trusted_first use locally trusted CA's first when building trust chain\n"); BIO_printf (bio_err, "-VAfile file validator certificates file\n"); BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); diff --git a/apps/s_client.c b/apps/s_client.c index eee0e2e779..de6a984feb 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -334,6 +334,7 @@ static void sc_usage(void) BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n"); BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); diff --git a/apps/s_server.c b/apps/s_server.c index 7c4f7bc7d7..f890aac5b5 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -526,6 +526,7 @@ static void sv_usage(void) BIO_printf(bio_err," -state - Print the SSL states\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use locally trusted CA's first when building trust chain\n"); BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); diff --git a/apps/smime.c b/apps/smime.c index d1ee48937e..94c2884fed 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -479,6 +479,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-trusted_first use locally trusted CA's first when building trust chain\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); #ifndef OPENSSL_NO_ENGINE diff --git a/apps/verify.c b/apps/verify.c index b754fe3e08..b9480bd812 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -245,7 +245,7 @@ int MAIN(int argc, char **argv) end: if (ret == 1) { - BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," [-engine e]"); #endif diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index a1c896c1e3..66be0bf2a5 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-trusted_first>] [B<-md digest>] [B<-[cipher]>] [B<-nointern>] @@ -429,9 +430,9 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> -Set various certificate chain valiadition option. See the +Set various certificate chain valiadition options. See the L|verify(1)> manual page for details. =back diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index af2e12e418..6939e55a2a 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +[B<-trusted_first>] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] @@ -138,6 +139,11 @@ or "/" by default. file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. +=item B<-trusted_first> + +Set certificate verification option. +See L|verify(1)> manual page for details. + =item B<-verify_other file> file containing additional certificates to search when attempting to locate diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 8964032cde..55c501e29d 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -18,6 +18,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -116,9 +117,9 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> -Set various certificate chain valiadition option. See the +Set various certificate chain valiadition options. See the L|verify(1)> manual page for details. =item B<-reconnect> diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index ad8dcdacef..1de307a0ff 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -34,6 +34,7 @@ B B [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] [B<-nocert>] [B<-cipher cipherlist>] [B<-quiet>] @@ -183,6 +184,11 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-trusted_first> + +Set certificate verification option. +See the L|verify(1)> manual page for details. + =item B<-state> prints out the SSL session states. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index d39a59a90d..cc6f3aeaa4 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -15,6 +15,7 @@ B B [B<-pk7out>] [B<-[cipher]>] [B<-in file>] +[B<-trusted_first>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] @@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> Set various options of certificate chain verification. See L|verify(1)> manual page for details. diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index f35d402950..764e617c34 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B B [B<-CApath directory>] [B<-CAfile file>] +[B<-trusted_first>] [B<-purpose purpose>] [B<-policy arg>] [B<-ignore_critical>] @@ -57,6 +58,12 @@ in PEM format concatenated together. A file of untrusted certificates. The file should contain multiple certificates in PEM format concatenated together. +=item B<-trusted_first> + +Use certificates in CA file or CA directory before certificates in untrusted +file when building the trust chain to verify certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-purpose purpose> The intended use for the certificate. If this option is not specified,