Merge documentation from OpenSSL for seven functions

that jsing@ recently exposed publicly in libcrypto. Requested by jsing@.
author: schwarze <> 2018-02-11 03:33:21 +0000
committer: schwarze <> 2018-02-11 03:33:21 +0000
commit: 11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407 (patch)
tree: 5eab772889d1aefd4300aaabeb431652af3e59c1
parent: b0d8c2e5aa0a91148f7233a0f09e2308a390be43 (diff)
download: openbsd-11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407.tar.gz
openbsd-11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407.tar.bz2
openbsd-11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407.zip
1 files changed, 196 insertions, 7 deletions
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index bb9b0e127b..b459e75863 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,8 +1,11 @@
-.\"     $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.5 2017/01/06 21:30:27 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.6 2018/02/11 03:33:21 schwarze Exp $
-.\"     OpenSSL 2b4ffc65 Dec 23 19:28:30 2013 +0100
+.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
+.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" Copyright (c) 2009, 2013 The OpenSSL Project.  All rights reserved.
+.\" and Viktor Dukhovni <viktor@dukhovni.org>.
+.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
+.\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -48,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 6 2017 $
+.Dd $Mdocdate: February 11 2018 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -61,7 +64,14 @@
 .Nm X509_VERIFY_PARAM_add0_policy ,
 .Nm X509_VERIFY_PARAM_set1_policies ,
 .Nm X509_VERIFY_PARAM_set_depth ,
-.Nm X509_VERIFY_PARAM_get_depth
+.Nm X509_VERIFY_PARAM_get_depth ,
+.Nm X509_VERIFY_PARAM_set1_host ,
+.Nm X509_VERIFY_PARAM_add1_host ,
+.Nm X509_VERIFY_PARAM_set_hostflags ,
+.Nm X509_VERIFY_PARAM_get0_peername ,
+.Nm X509_VERIFY_PARAM_set1_email ,
+.Nm X509_VERIFY_PARAM_set1_ip ,
+.Nm X509_VERIFY_PARAM_set1_ip_asc
 .Nd X509 verification parameters
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
@@ -113,6 +123,44 @@
 .Fo X509_VERIFY_PARAM_get_depth
 .Fa "const X509_VERIFY_PARAM *param"
 .Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_host
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *name"
+.Fa "size_t namelen"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_add1_host
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *name"
+.Fa "size_t namelen"
+.Fc
+.Ft void
+.Fo X509_VERIFY_PARAM_set_hostflags
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "unsigned int flags"
+.Fc
+.Ft char *
+.Fo X509_VERIFY_PARAM_get0_peername
+.Fa "X509_VERIFY_PARAM *param"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_email
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *email"
+.Fa "size_t emaillen"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_ip
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const unsigned char *ip"
+.Fa "size_t iplen"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1_ip_asc
+.Fa "X509_VERIFY_PARAM *param"
+.Fa "const char *ipasc"
+.Fc
 .Sh DESCRIPTION
 These functions manipulate the
 .Vt X509_VERIFY_PARAM
@@ -182,14 +230,113 @@ sets the maximum verification depth to
 .Fa depth .
 That is the maximum number of untrusted CA certificates that can appear
 in a chain.
+.Pp
+.Fn X509_VERIFY_PARAM_set1_host
+sets the expected DNS hostname to
+.Fa name
+clearing any previously specified host name or names.
+If
+.Fa name
+is
+.Dv NULL
+or empty, the list of hostnames is cleared, and name checks are not
+performed on the peer certificate.
+If
+.Fa name
+is NUL-terminated,
+.Fa namelen
+may be zero, otherwise
+.Fa namelen
+must be set to the length of
+.Fa name .
+When a hostname is specified, certificate verification automatically
+invokes
+.Xr X509_check_host 3
+with flags equal to the
+.Fa flags
+argument given to
+.Fn X509_VERIFY_PARAM_set_hostflags
+(default zero).
+.Pp
+.Fn X509_VERIFY_PARAM_add1_host
+adds
+.Fa name
+as an additional reference identifier that can match the peer's
+certificate.
+Any previous names set via
+.Fn X509_VERIFY_PARAM_set1_host
+and
+.Fn X509_VERIFY_PARAM_add1_host
+are retained.
+No change is made if
+.Fa name
+is
+.Dv NULL
+or empty.
+When multiple names are configured, the peer is considered verified when
+any name matches.
+.Pp
+.Fn X509_VERIFY_PARAM_get0_peername
+returns the DNS hostname or subject CommonName from the peer certificate
+that matched one of the reference identifiers.
+When wildcard matching is not disabled, or when a reference identifier
+specifies a parent domain (starts with ".") rather than a hostname, the
+peer name may be a wildcard name or a sub-domain of the reference
+identifier respectively.
+The return string is allocated by the library and is no longer valid
+once the associated
+.Fa param
+argument is freed.
+Applications must not free the return value.
+.Pp
+.Fn X509_VERIFY_PARAM_set1_email
+sets the expected RFC822 email address to
+.Fa email .
+If
+.Fa email
+is NUL-terminated,
+.Fa emaillen
+may be zero, otherwise
+.Fa emaillen
+must be set to the length of
+.Fa email .
+When an email address is specified, certificate verification
+automatically invokes
+.Xr X509_check_email 3 .
+.Pp
+.Fn X509_VERIFY_PARAM_set1_ip
+sets the expected IP address to
+.Fa ip .
+The
+.Fa ip
+argument is in binary format, in network byte-order, and
+.Fa iplen
+must be set to 4 for IPv4 and 16 for IPv6.
+When an IP address is specified,
+certificate verification automatically invokes
+.Xr X509_check_ip 3 .
+.Pp
+.Fn X509_VERIFY_PARAM_set1_ip_asc
+sets the expected IP address to
+.Fa ipasc .
+The
+.Fa ipasc
+argument is a NUL-terminal ASCII string:
+dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
+The condensed "::" notation is supported for IPv6 addresses.
 .Sh RETURN VALUES
 .Fn X509_VERIFY_PARAM_set_flags ,
 .Fn X509_VERIFY_PARAM_clear_flags ,
 .Fn X509_VERIFY_PARAM_set_purpose ,
 .Fn X509_VERIFY_PARAM_set_trust ,
 .Fn X509_VERIFY_PARAM_add0_policy ,
+.Fn X509_VERIFY_PARAM_set1_policies ,
+.Fn X509_VERIFY_PARAM_set1_host ,
+.Fn X509_VERIFY_PARAM_add1_host ,
+.Fn X509_VERIFY_PARAM_set1_email ,
+.Fn X509_VERIFY_PARAM_set1_ip ,
 and
-.Fn X509_VERIFY_PARAM_set1_policies
+.Fn X509_VERIFY_PARAM_set1_ip_asc
 return 1 for success or 0 for failure.
 .Pp
 .Fn X509_VERIFY_PARAM_get_flags
@@ -288,6 +435,46 @@ If this flag is set then additional status codes will be sent to the
 verification callback and it
 .Sy must
 be prepared to handle such cases without assuming they are hard errors.
+.Pp
+When
+.Dv X509_V_FLAG_TRUSTED_FIRST
+is set, construction of the certificate chain in
+.Xr X509_verify_cert 3
+will search the trust store for issuer certificates before searching the
+provided untrusted certificates.
+Local issuer certificates are often more likely to satisfy local
+security requirements and lead to a locally trusted root.
+This is especially important when some certificates in the trust store
+have explicit trust settings; see the trust settings options of the
+.Cm x509
+command in
+.Xr openssl 1 .
+.Pp
+The
+.Dv X509_V_FLAG_NO_ALT_CHAINS
+flag suppresses checking for alternative chains.
+By default, unless
+.Dv X509_V_FLAG_TRUSTED_FIRST
+is set, when building a certificate chain, if the first certificate
+chain found is not trusted, then OpenSSL will attempt to replace
+untrusted certificates supplied by the peer with certificates from the
+trust store to see if an alternative chain can be found that is trusted.
+.Pp
+The
+.Dv X509_V_FLAG_PARTIAL_CHAIN
+flag causes intermediate certificates in the trust store to be treated
+as trust-anchors, in the same way as the self-signed root CA
+certificates.
+This makes it possible to trust certificates issued by an intermediate
+CA without having to trust its ancestor root CA.
+.Pp
+The
+.Dv X509_V_FLAG_NO_CHECK_TIME
+flag suppresses checking the validity period of certificates and CRLs
+against the current time.
+If
+.Fn X509_VERIFY_PARAM_set_time
+is used to specify a verification time, the check is not suppressed.
 .Sh EXAMPLES
 Enable CRL checking when performing certificate verification during
 SSL connections associated with an
@@ -296,12 +483,14 @@ structure
 .Fa ctx :
 .Bd -literal -offset indent
 X509_VERIFY_PARAM *param;
 param = X509_VERIFY_PARAM_new();
 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
 SSL_CTX_set1_param(ctx, param);
 X509_VERIFY_PARAM_free(param);
 .Ed
 .Sh SEE ALSO
+.Xr X509_check_host 3 ,
 .Xr X509_verify_cert 3
 .Sh BUGS
 Delta CRL checking is currently primitive.
author	schwarze <>	2018-02-11 03:33:21 +0000
committer	schwarze <>	2018-02-11 03:33:21 +0000
commit	11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407 (patch)
tree	5eab772889d1aefd4300aaabeb431652af3e59c1
parent	b0d8c2e5aa0a91148f7233a0f09e2308a390be43 (diff)
download	openbsd-11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407.tar.gz openbsd-11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407.tar.bz2 openbsd-11ceaf7112d0ef7a761e5f33fc5f84e8ffc22407.zip

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index bb9b0e127b..b459e75863 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,8 +1,11 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.5 2017/01/06 21:30:27 schwarze Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.6 2018/02/11 03:33:21 schwarze Exp $
2	.\" OpenSSL 2b4ffc65 Dec 23 19:28:30 2013 +0100	2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
		3	.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
3	.\"	4	.\"
4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.	5	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
5	.\" Copyright (c) 2009, 2013 The OpenSSL Project. All rights reserved.	6	.\" and Viktor Dukhovni <viktor@dukhovni.org>.
		7	.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
		8	.\" All rights reserved.
6	.\"	9	.\"
7	.\" Redistribution and use in source and binary forms, with or without	10	.\" Redistribution and use in source and binary forms, with or without
8	.\" modification, are permitted provided that the following conditions	11	.\" modification, are permitted provided that the following conditions
@@ -48,7 +51,7 @@
48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50	.\"	53	.\"
51	.Dd $Mdocdate: January 6 2017 $	54	.Dd $Mdocdate: February 11 2018 $
52	.Dt X509_VERIFY_PARAM_SET_FLAGS 3	55	.Dt X509_VERIFY_PARAM_SET_FLAGS 3
53	.Os	56	.Os
54	.Sh NAME	57	.Sh NAME
@@ -61,7 +64,14 @@
61	.Nm X509_VERIFY_PARAM_add0_policy ,	64	.Nm X509_VERIFY_PARAM_add0_policy ,
62	.Nm X509_VERIFY_PARAM_set1_policies ,	65	.Nm X509_VERIFY_PARAM_set1_policies ,
63	.Nm X509_VERIFY_PARAM_set_depth ,	66	.Nm X509_VERIFY_PARAM_set_depth ,
64	.Nm X509_VERIFY_PARAM_get_depth	67	.Nm X509_VERIFY_PARAM_get_depth ,
		68	.Nm X509_VERIFY_PARAM_set1_host ,
		69	.Nm X509_VERIFY_PARAM_add1_host ,
		70	.Nm X509_VERIFY_PARAM_set_hostflags ,
		71	.Nm X509_VERIFY_PARAM_get0_peername ,
		72	.Nm X509_VERIFY_PARAM_set1_email ,
		73	.Nm X509_VERIFY_PARAM_set1_ip ,
		74	.Nm X509_VERIFY_PARAM_set1_ip_asc
65	.Nd X509 verification parameters	75	.Nd X509 verification parameters
66	.Sh SYNOPSIS	76	.Sh SYNOPSIS
67	.In openssl/x509_vfy.h	77	.In openssl/x509_vfy.h
@@ -113,6 +123,44 @@
113	.Fo X509_VERIFY_PARAM_get_depth	123	.Fo X509_VERIFY_PARAM_get_depth
114	.Fa "const X509_VERIFY_PARAM *param"	124	.Fa "const X509_VERIFY_PARAM *param"
115	.Fc	125	.Fc
		126	.Ft int
		127	.Fo X509_VERIFY_PARAM_set1_host
		128	.Fa "X509_VERIFY_PARAM *param"
		129	.Fa "const char *name"
		130	.Fa "size_t namelen"
		131	.Fc
		132	.Ft int
		133	.Fo X509_VERIFY_PARAM_add1_host
		134	.Fa "X509_VERIFY_PARAM *param"
		135	.Fa "const char *name"
		136	.Fa "size_t namelen"
		137	.Fc
		138	.Ft void
		139	.Fo X509_VERIFY_PARAM_set_hostflags
		140	.Fa "X509_VERIFY_PARAM *param"
		141	.Fa "unsigned int flags"
		142	.Fc
		143	.Ft char *
		144	.Fo X509_VERIFY_PARAM_get0_peername
		145	.Fa "X509_VERIFY_PARAM *param"
		146	.Fc
		147	.Ft int
		148	.Fo X509_VERIFY_PARAM_set1_email
		149	.Fa "X509_VERIFY_PARAM *param"
		150	.Fa "const char *email"
		151	.Fa "size_t emaillen"
		152	.Fc
		153	.Ft int
		154	.Fo X509_VERIFY_PARAM_set1_ip
		155	.Fa "X509_VERIFY_PARAM *param"
		156	.Fa "const unsigned char *ip"
		157	.Fa "size_t iplen"
		158	.Fc
		159	.Ft int
		160	.Fo X509_VERIFY_PARAM_set1_ip_asc
		161	.Fa "X509_VERIFY_PARAM *param"
		162	.Fa "const char *ipasc"
		163	.Fc
116	.Sh DESCRIPTION	164	.Sh DESCRIPTION
117	These functions manipulate the	165	These functions manipulate the
118	.Vt X509_VERIFY_PARAM	166	.Vt X509_VERIFY_PARAM
@@ -182,14 +230,113 @@ sets the maximum verification depth to
182	.Fa depth .	230	.Fa depth .
183	That is the maximum number of untrusted CA certificates that can appear	231	That is the maximum number of untrusted CA certificates that can appear
184	in a chain.	232	in a chain.
		233	.Pp
		234	.Fn X509_VERIFY_PARAM_set1_host
		235	sets the expected DNS hostname to
		236	.Fa name
		237	clearing any previously specified host name or names.
		238	If
		239	.Fa name
		240	is
		241	.Dv NULL
		242	or empty, the list of hostnames is cleared, and name checks are not
		243	performed on the peer certificate.
		244	If
		245	.Fa name
		246	is NUL-terminated,
		247	.Fa namelen
		248	may be zero, otherwise
		249	.Fa namelen
		250	must be set to the length of
		251	.Fa name .
		252	When a hostname is specified, certificate verification automatically
		253	invokes
		254	.Xr X509_check_host 3
		255	with flags equal to the
		256	.Fa flags
		257	argument given to
		258	.Fn X509_VERIFY_PARAM_set_hostflags
		259	(default zero).
		260	.Pp
		261	.Fn X509_VERIFY_PARAM_add1_host
		262	adds
		263	.Fa name
		264	as an additional reference identifier that can match the peer's
		265	certificate.
		266	Any previous names set via
		267	.Fn X509_VERIFY_PARAM_set1_host
		268	and
		269	.Fn X509_VERIFY_PARAM_add1_host
		270	are retained.
		271	No change is made if
		272	.Fa name
		273	is
		274	.Dv NULL
		275	or empty.
		276	When multiple names are configured, the peer is considered verified when
		277	any name matches.
		278	.Pp
		279	.Fn X509_VERIFY_PARAM_get0_peername
		280	returns the DNS hostname or subject CommonName from the peer certificate
		281	that matched one of the reference identifiers.
		282	When wildcard matching is not disabled, or when a reference identifier
		283	specifies a parent domain (starts with ".") rather than a hostname, the
		284	peer name may be a wildcard name or a sub-domain of the reference
		285	identifier respectively.
		286	The return string is allocated by the library and is no longer valid
		287	once the associated
		288	.Fa param
		289	argument is freed.
		290	Applications must not free the return value.
		291	.Pp
		292	.Fn X509_VERIFY_PARAM_set1_email
		293	sets the expected RFC822 email address to
		294	.Fa email .
		295	If
		296	.Fa email
		297	is NUL-terminated,
		298	.Fa emaillen
		299	may be zero, otherwise
		300	.Fa emaillen
		301	must be set to the length of
		302	.Fa email .
		303	When an email address is specified, certificate verification
		304	automatically invokes
		305	.Xr X509_check_email 3 .
		306	.Pp
		307	.Fn X509_VERIFY_PARAM_set1_ip
		308	sets the expected IP address to
		309	.Fa ip .
		310	The
		311	.Fa ip
		312	argument is in binary format, in network byte-order, and
		313	.Fa iplen
		314	must be set to 4 for IPv4 and 16 for IPv6.
		315	When an IP address is specified,
		316	certificate verification automatically invokes
		317	.Xr X509_check_ip 3 .
		318	.Pp
		319	.Fn X509_VERIFY_PARAM_set1_ip_asc
		320	sets the expected IP address to
		321	.Fa ipasc .
		322	The
		323	.Fa ipasc
		324	argument is a NUL-terminal ASCII string:
		325	dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
		326	The condensed "::" notation is supported for IPv6 addresses.
185	.Sh RETURN VALUES	327	.Sh RETURN VALUES
186	.Fn X509_VERIFY_PARAM_set_flags ,	328	.Fn X509_VERIFY_PARAM_set_flags ,
187	.Fn X509_VERIFY_PARAM_clear_flags ,	329	.Fn X509_VERIFY_PARAM_clear_flags ,
188	.Fn X509_VERIFY_PARAM_set_purpose ,	330	.Fn X509_VERIFY_PARAM_set_purpose ,
189	.Fn X509_VERIFY_PARAM_set_trust ,	331	.Fn X509_VERIFY_PARAM_set_trust ,
190	.Fn X509_VERIFY_PARAM_add0_policy ,	332	.Fn X509_VERIFY_PARAM_add0_policy ,
		333	.Fn X509_VERIFY_PARAM_set1_policies ,
		334	.Fn X509_VERIFY_PARAM_set1_host ,
		335	.Fn X509_VERIFY_PARAM_add1_host ,
		336	.Fn X509_VERIFY_PARAM_set1_email ,
		337	.Fn X509_VERIFY_PARAM_set1_ip ,
191	and	338	and
192	.Fn X509_VERIFY_PARAM_set1_policies	339	.Fn X509_VERIFY_PARAM_set1_ip_asc
193	return 1 for success or 0 for failure.	340	return 1 for success or 0 for failure.
194	.Pp	341	.Pp
195	.Fn X509_VERIFY_PARAM_get_flags	342	.Fn X509_VERIFY_PARAM_get_flags
@@ -288,6 +435,46 @@ If this flag is set then additional status codes will be sent to the
288	verification callback and it	435	verification callback and it
289	.Sy must	436	.Sy must
290	be prepared to handle such cases without assuming they are hard errors.	437	be prepared to handle such cases without assuming they are hard errors.
		438	.Pp
		439	When
		440	.Dv X509_V_FLAG_TRUSTED_FIRST
		441	is set, construction of the certificate chain in
		442	.Xr X509_verify_cert 3
		443	will search the trust store for issuer certificates before searching the
		444	provided untrusted certificates.
		445	Local issuer certificates are often more likely to satisfy local
		446	security requirements and lead to a locally trusted root.
		447	This is especially important when some certificates in the trust store
		448	have explicit trust settings; see the trust settings options of the
		449	.Cm x509
		450	command in
		451	.Xr openssl 1 .
		452	.Pp
		453	The
		454	.Dv X509_V_FLAG_NO_ALT_CHAINS
		455	flag suppresses checking for alternative chains.
		456	By default, unless
		457	.Dv X509_V_FLAG_TRUSTED_FIRST
		458	is set, when building a certificate chain, if the first certificate
		459	chain found is not trusted, then OpenSSL will attempt to replace
		460	untrusted certificates supplied by the peer with certificates from the
		461	trust store to see if an alternative chain can be found that is trusted.
		462	.Pp
		463	The
		464	.Dv X509_V_FLAG_PARTIAL_CHAIN
		465	flag causes intermediate certificates in the trust store to be treated
		466	as trust-anchors, in the same way as the self-signed root CA
		467	certificates.
		468	This makes it possible to trust certificates issued by an intermediate
		469	CA without having to trust its ancestor root CA.
		470	.Pp
		471	The
		472	.Dv X509_V_FLAG_NO_CHECK_TIME
		473	flag suppresses checking the validity period of certificates and CRLs
		474	against the current time.
		475	If
		476	.Fn X509_VERIFY_PARAM_set_time
		477	is used to specify a verification time, the check is not suppressed.
291	.Sh EXAMPLES	478	.Sh EXAMPLES
292	Enable CRL checking when performing certificate verification during	479	Enable CRL checking when performing certificate verification during
293	SSL connections associated with an	480	SSL connections associated with an
@@ -296,12 +483,14 @@ structure
296	.Fa ctx :	483	.Fa ctx :
297	.Bd -literal -offset indent	484	.Bd -literal -offset indent
298	X509_VERIFY_PARAM *param;	485	X509_VERIFY_PARAM *param;
		486
299	param = X509_VERIFY_PARAM_new();	487	param = X509_VERIFY_PARAM_new();
300	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);	488	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
301	SSL_CTX_set1_param(ctx, param);	489	SSL_CTX_set1_param(ctx, param);
302	X509_VERIFY_PARAM_free(param);	490	X509_VERIFY_PARAM_free(param);
303	.Ed	491	.Ed
304	.Sh SEE ALSO	492	.Sh SEE ALSO
		493	.Xr X509_check_host 3 ,
305	.Xr X509_verify_cert 3	494	.Xr X509_verify_cert 3
306	.Sh BUGS	495	.Sh BUGS
307	Delta CRL checking is currently primitive.	496	Delta CRL checking is currently primitive.