Mark the X509_V_FLAG_CB_ISSUER_CHECK flag as deprecated

diff --git a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 7a39050..08961eb 100644 (file)
--- a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.26 2022/07/13 21:17:03 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.27 2022/12/01 05:33:55 tb Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: December 1 2022 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -590,16 +590,10 @@ A side effect of not checking the root CA signature is that disabled or
 unsupported message digests on the root CA are not treated as fatal
 errors.
 .Pp
-The
+The deprecated
 .Dv X509_V_FLAG_CB_ISSUER_CHECK
-flag enables debugging of certificate issuer checks.
-It is
-.Sy not
-needed unless you are logging certificate verification.
-If this flag is set then additional status codes will be sent to the
-verification callback and it
-.Sy must
-be prepared to handle such cases without assuming they are hard errors.
+flag used to enable debugging of certificate issuer checks.
+It is provided for binary backwards compatibility and has no effect.
 .Pp
 When
 .Dv X509_V_FLAG_TRUSTED_FIRST