Commit 8e5f3a2418 for openssl.org
commit 8e5f3a2418ed677aed057b680227356588ef4931
Author: Josh Auler <jta2866@rit.edu>
Date: Thu Mar 12 01:07:42 2026 -0400
doc: clarify -CAfile and -verifyCAfile semantics in s_server
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
MergeDate: Wed Apr 15 12:11:34 2026
(Merged from https://github.com/openssl/openssl/pull/30405)
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 3e53b4d9a0..a58b5759e9 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -342,6 +342,12 @@ see L<openssl-verify(1)> for more information.
The URI of a store containing trusted certificates to use
for verifying the server's certificate.
+When any of B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> is
+specified, they are loaded into a separate verification store (via
+L<SSL_CTX_set1_verify_cert_store(3)>) and used for server certificate
+verification instead of the store built from B<-CAfile>, B<-CApath>, and
+B<-CAstore>.
+
=item B<-chainCAfile> I<file>
A file in PEM format containing trusted certificates to use
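Review bot: The added paragraph only appears under the B<-verifyCAstore> item, so a reader who looks up B<-verifyCAfile> or B<-verifyCApath> in this same file will not see that those options replace the B<-CAfile>/B<-CApath>/B<-CAstore> store for server certificate verification; consider moving the text to a shared paragraph above the three B<-verifyCA*> items or adding a one-line cross-reference from each. Minor wording: "they are loaded into a separate verification store" reads as if the options are loaded; "the certificates they name are loaded into a separate verification store" is clearer. Note also that this hunk is the only change to the s_client page, so the B<-verifyCAfile> description there keeps its old wording while the s_server one is reworded in the next hunk; aligning both keeps the two pages consistent.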
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index ddb77f680a..48744484b1 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -341,8 +341,8 @@ Download CRLs from distribution points given in CDP extensions of certificates
=item B<-verifyCAfile> I<filename>
-A file in PEM format CA containing trusted certificates to use
-for verifying client certificates.
+A file in PEM format containing trusted CA certificates (root and/or
+intermediate) used to verify the client certificate chain.
=item B<-verifyCApath> I<dir>
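Review bot: The new wording "trusted CA certificates (root and/or intermediate) used to verify the client certificate chain" could be read as saying that an intermediate placed in this file is by itself sufficient to complete verification; whether a chain may terminate at a non-self-signed certificate in the store depends on the verification options in effect (partial-chain verification), so consider saying that intermediates listed here are used for chain building and pointing the reader at the verification options for the conditions under which they act as trust anchors. The grammar fix itself ("PEM format CA containing" to "PEM format containing trusted CA certificates") is good.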
@@ -356,6 +356,15 @@ see L<openssl-verify(1)> for more information.
The URI of a store containing trusted certificates to use
for verifying client certificates.
+When any of B<-verifyCAfile>, B<-verifyCApath>, or B<-verifyCAstore> is
+specified, they are loaded into a separate verification store (via
+L<SSL_CTX_set1_verify_cert_store(3)>) and used for client certificate
+verification instead of the store built from B<-CAfile>, B<-CApath>, and
+B<-CAstore>. Note that B<-CAfile> is the sole source of acceptable issuing
+CA names sent to the client in the Certificate Request message during the
+handshake; B<-CApath>, B<-CAstore>, and the B<-verifyCA*> options do not
+contribute to this list.
+
=item B<-chainCAfile> I<file>
A file in PEM format containing trusted certificates to use
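Review bot: The statement that B<-CAfile> is the sole source of acceptable CA names in the Certificate Request is the most operationally important line in this change, and the consequence should be spelled out rather than left implicit: if B<-CAfile> is omitted and only the B<-verifyCA*> options are given, the server sends an empty CA name list, and clients that select their certificate by issuer name may then present none, so client authentication fails even though the verification store is correct. Suggest adding a sentence such as "If B<-CAfile> is not given, no CA names are sent to the client" and repeating or cross-referencing this from the B<-CAfile> item itself, since this paragraph sits only under B<-verifyCAstore>. Same wording nit as on the s_client side: "the certificates they name are loaded" instead of "they are loaded".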