From 108ed9fced9bdce263cccc4abe667662283200fe Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Tue, 10 Dec 2024 12:12:18 +0100 Subject: [PATCH] fixup! X509: document non-standard behavior checking EKU extensions in CA and TA certs --- doc/man1/openssl-s_client.pod.in | 2 +- doc/man1/openssl-s_server.pod.in | 2 +- doc/man1/openssl-verification-options.pod | 9 ++++----- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index d2491c8fd93ff..1f7790b39b467 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -309,7 +309,7 @@ with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. By default, validation of server certificates and their chain -is done w.r.t. the (D)TLS Server> (C) purpose. +is done w.r.t. the (D)TLS Server (C) purpose. For details see L. diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index fa224657d600c..0d8dd9bd0a736 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -213,7 +213,7 @@ If the cipher suite cannot request a client certificate (for example an anonymous cipher suite or PSK) this option has no effect. By default, validation of any supplied client certificate and its chain -is done w.r.t. the (D)TLS Client> (C) purpose. +is done w.r.t. the (D)TLS Client (C) purpose. For details see L. =item B<-cert> I diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index 329a282597638..676fbb38a5526 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod 
@@ -26,7 +26,7 @@ starting from the I that is to be verified and ending in a certificate that due to some policy is trusted. Certificate validation can be performed in the context of a I, which is a high-level specification of the intended use of the target certificate, -such C for TLS servers, or (by default) for any purpose. +such as C for TLS servers, or (by default) for any purpose. The details of how each OpenSSL command handles errors are documented on the specific command page. @@ -590,8 +590,8 @@ and consequently the standard certification path validation described in its section 6 does not include EKU checks for CA certificates. The CA/Browser Forum requires for TLS server, S/MIME, and code signing use the presence of respective EKUs in subordinate CA certificates (while excluding -them for root CA certificates), which is self-contradictory because OTOH they -take over the certificate validity concept and path validation from RFC 5280. +them for root CA certificates), while taking over from RFC 5280 +the certificate validity concept and certificate path validation. For historic reasons, OpenSSL has its own way of interpreting and checking EKU extensions on CA certificates, which may change in the future. @@ -600,8 +600,7 @@ but in case the verification purpose is C, C, C, C, or C, it checks that any present EKU extension (that does not contain B) contains the respective EKU as detailed below. -Moreover, it does these checks even for trust anchor certificates, -for which the EKU extension (like most other extensions) should be irrelevant. +Moreover, it does these checks even for trust anchor certificates. =head3 Checks Implied by Specific Predefined Policies
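Review bot: in the doc/man1/openssl-verification-options.pod hunk at @@ -590,8 +590,8 @@, the rewritten sentence now chains two "while" clauses ("(while excluding them for root CA certificates), while taking over from RFC 5280 ..."), which reads awkwardly and leaves it unclear whether the second clause contrasts with the first or with the main statement. Suggest varying the connective, e.g. "(but not for root CA certificates), and at the same time adopts from RFC 5280 the certificate validity concept and certification path validation." Note also that the surrounding text uses "certification path validation" (line 590 context: "the standard certification path validation described in its section 6"), so "certificate path validation" in the added line should match that term.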
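Review bot: in the doc/man1/openssl-verification-options.pod hunk at @@ -600,8 +600,7 @@, dropping "for which the EKU extension (like most other extensions) should be irrelevant" removes the only sentence that explains why applying EKU checks to trust anchors is non-standard, which is exactly what the commit subject says this change documents. Since the same paragraph already cites RFC 5280 section 6 as not including EKU checks for CA certificates, consider keeping a shorter justification rather than deleting it, e.g. "Moreover, it does these checks even for trust anchor certificates, although RFC 5280 path validation does not apply EKU checks to them." If the clause was removed because the "should be irrelevant" wording was judged too opinionated, a neutral reference to the RFC 5280 point made a few lines above keeps the documentation self-explanatory.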