author Shigeki Ohtsu <ohtsu@ohtsu.org> 2018-03-27 23:34:31 +0900
committer Myles Borins <mylesborins@google.com> 2018-03-27 20:17:18 -0400
commit d10b7f1cdf8824dc53fbdd4b4617c860f0d8cb80
tree 7f4b716eff55fd05905240ebb0cc041688c93dfb /deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
parent df62e69de73f4fb199f3b88727d13f6c52de332a
deps: upgrade openssl sources to 1.0.2o
This replaces all sources of openssl-1.0.2o.tar.gz into deps/openssl/openssl

PR-URL: https://github.com/nodejs/node/pull/19638
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r-- deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 24
1 files changed, 23 insertions, 1 deletions
diff --git a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 44792f91a1..10399ecbaf 100644
--- a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -203,6 +203,27 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
alternative chain can be found that is trusted. With this flag set the behaviour
will match that of OpenSSL versions prior to 1.0.2b.
+The B<X509_V_FLAG_TRUSTED_FIRST> flag causes chain construction to look for
+issuers in the trust store before looking at the untrusted certificates
+provided as part of the the peer chain.
+Though it is not on by default in OpenSSL 1.0.2, applications should generally
+set this flag.
+Local issuer certificates are often more likely to satisfy local security
+requirements and lead to a locally trusted root.
+This is especially important When some certificates in the trust store have
+explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>).
+
+The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the
+trust store to be treated as trust-anchors, in the same way as the self-signed
+root CA certificates.
+This makes it possible to trust certificates issued by an intermediate CA
+without having to trust its ancestor root CA.
+With OpenSSL 1.0.2, chain construction continues as long as there are
+additional trusted issuers in the trust store, and the last trusted issuer
+becomes the trust-anchor.
+Thus, even when an intermediate certificate is found in the trust store, the
+verified chain passed to callbacks may still be anchored by a root CA.
+
=head1 NOTES
The above functions should be used to manipulate verification parameters
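Review bot: Two typos in the added X509_V_FLAG_TRUSTED_FIRST paragraph: "provided as part of the the peer chain" repeats "the", and "This is especially important When some certificates" has a stray capital "W". Because this file lives under deps/openssl/openssl and the commit message says the sources are replaced from openssl-1.0.2o.tar.gz, the correction belongs upstream so the vendored copy stays identical to the tarball. The X509_V_FLAG_PARTIAL_CHAIN paragraph is worth a careful read by anyone pinning an intermediate: as written, in 1.0.2 the chain passed to callbacks "may still be anchored by a root CA", so a callback should not assume the trusted intermediate is the last element.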
@@ -235,7 +256,8 @@ connections associated with an B<SSL_CTX> structure B<ctx>:
L<X509_verify_cert(3)|X509_verify_cert(3)>,
L<X509_check_host(3)|X509_check_host(3)>,
L<X509_check_email(3)|X509_check_email(3)>,
-L<X509_check_ip(3)|X509_check_ip(3)>
+L<X509_check_ip(3)|X509_check_ip(3)>,
+L<x509(1)|x509(1)>
=head1 HISTORY
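Review bot: The new SEE ALSO entry is written L<x509(1)|x509(1)>, matching its neighbours, while the reference added in the description text of the first hunk is the bare form L<x509(1)>; using one form for both would keep the rendered links consistent. This is a style point only, and as with the rest of this vendored file any change should be made upstream.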