From 6ad8c48291622a6ccc51489b9a230c9a05ca5614 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 19 Jun 2016 10:55:43 +0200 Subject: [PATCH] Allow proxy certs to be present when verifying a chain Reviewed-by: Rich Salz --- apps/apps.c | 2 ++ doc/apps/verify.pod | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apps/apps.c b/apps/apps.c index b1dd97038f..0385490306 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2374,6 +2374,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_PARTIAL_CHAIN; else if (!strcmp(arg, "-no_alt_chains")) flags |= X509_V_FLAG_NO_ALT_CHAINS; + else if (!strcmp(arg, "-allow_proxy_certs")) + flags |= X509_V_FLAG_ALLOW_PROXY_CERTS; else return 0; diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index bffa6c0ec4..b3767325ae 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -27,6 +27,7 @@ B B [B<-use_deltas>] [B<-policy_print>] [B<-no_alt_chains>] +[B<-allow_proxy_certs>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] @@ -139,6 +140,10 @@ be found that is trusted. With this option that behaviour is suppressed so that only the first chain found is ever used. Using this option will force the behaviour to match that of previous OpenSSL versions. +=item B<-allow_proxy_certs> + +Allow the verification of proxy certificates. + =item B<-trusted file> A file of additional trusted certificates. The file should contain multiple -- 2.40.0