3 files changed, 13 insertions, 4 deletions

diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c
index e1dcd48b37..2c228aad59 100644
--- a/src/usr.bin/openssl/apps.c
+++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.56 2020/10/14 07:20:09 tb Exp $ */
+/* $OpenBSD: apps.c,v 1.57 2020/10/26 11:48:39 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -1916,6 +1916,8 @@ args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
                 flags |= X509_V_FLAG_POLICY_CHECK;
         else if (!strcmp(arg, "-explicit_policy"))
                 flags |= X509_V_FLAG_EXPLICIT_POLICY;
+        else if (!strcmp(arg, "-legacy_verify"))
+                flags |= X509_V_FLAG_LEGACY_VERIFY;
         else if (!strcmp(arg, "-inhibit_any"))
                 flags |= X509_V_FLAG_INHIBIT_ANY;
         else if (!strcmp(arg, "-inhibit_map"))
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index e364586f5a..474f00f493 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.125 2020/07/14 09:52:46 inoguchi Exp $
+.\" $OpenBSD: openssl.1,v 1.126 2020/10/26 11:48:39 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: July 14 2020 $
+.Dd $Mdocdate: October 26 2020 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -5859,6 +5859,7 @@ The default is no.
 .Op Fl inhibit_any
 .Op Fl inhibit_map
 .Op Fl issuer_checks
+.Op Fl legacy_verify
 .Op Fl policy_check
 .Op Fl purpose Ar purpose
 .Op Fl trusted Ar file
@@ -5931,6 +5932,8 @@ showing why each candidate issuer certificate was rejected.
 The presence of rejection messages
 does not itself imply that anything is wrong:
 during the normal verify process several rejections may take place.
+.It Fl legacy_verify
+Use the legacy X.509 certificate chain verification code.
 .It Fl policy_check
 Enable certificate policy processing.
 .It Fl purpose Ar purpose
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index 3da41b917a..e4443148ce 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.8 2020/07/14 19:08:30 jsing Exp $ */
+/* $OpenBSD: verify.c,v 1.9 2020/10/26 11:48:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -193,6 +193,10 @@ static const struct option verify_shared_options[] = {
                 .desc = "Enable debugging of certificate issuer checks",
         },
         {
+                .name = "legacy_verify",
+                .desc = "Use legacy certificate chain verification",
+        },
+        {
                 .name = "policy",
                 .argname = "name",
                 .desc = "Add given policy to the acceptable set",