Add -no_alt_chains option to apps to implement the new

X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-01-27 11:50:38 +0100
committer: Matt Caswell <matt@openssl.org> 2015-02-25 10:15:02 +0100
commit: 25690b7f5f3d78a52c1377b823b40c6a0e12022b (patch)
tree: 7ec3978b77d913ea6b4af6a3da6efb4acaf1e0cc /apps/smime.c
parent: Add flag to inhibit checking for alternate certificate chains. Setting this (diff)
download: openssl-25690b7f5f3d78a52c1377b823b40c6a0e12022b.tar.xz
openssl-25690b7f5f3d78a52c1377b823b40c6a0e12022b.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/apps/smime.c b/apps/smime.c
index 5efe51f7d7..930978fd9b 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-trusted_first use locally trusted CA's first when building trust chain\n");
         BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
                    "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
author	Matt Caswell <matt@openssl.org>	2015-01-27 11:50:38 +0100
committer	Matt Caswell <matt@openssl.org>	2015-02-25 10:15:02 +0100
commit	25690b7f5f3d78a52c1377b823b40c6a0e12022b (patch)
tree	7ec3978b77d913ea6b4af6a3da6efb4acaf1e0cc /apps/smime.c
parent	Add flag to inhibit checking for alternate certificate chains. Setting this (diff)
download	openssl-25690b7f5f3d78a52c1377b823b40c6a0e12022b.tar.xz openssl-25690b7f5f3d78a52c1377b823b40c6a0e12022b.zip