diff options
Diffstat (limited to 'openssl/doc/apps')
-rw-r--r-- | openssl/doc/apps/cms.pod | 27 | ||||
-rw-r--r-- | openssl/doc/apps/enc.pod | 4 | ||||
-rw-r--r-- | openssl/doc/apps/s_server.pod | 6 | ||||
-rw-r--r-- | openssl/doc/apps/smime.pod | 14 | ||||
-rw-r--r-- | openssl/doc/apps/verify.pod | 9 | ||||
-rw-r--r-- | openssl/doc/apps/version.pod | 3 | ||||
-rw-r--r-- | openssl/doc/apps/x509v3_config.pod | 4 |
7 files changed, 50 insertions, 17 deletions
diff --git a/openssl/doc/apps/cms.pod b/openssl/doc/apps/cms.pod index a09588a18..a76b3e0fd 100644 --- a/openssl/doc/apps/cms.pod +++ b/openssl/doc/apps/cms.pod @@ -90,6 +90,11 @@ decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in MIME format for the input file. The decrypted mail is written to the output file. +=item B<-debug_decrypt> + +this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used +with caution: see the notes section below. + =item B<-sign> sign mail using the supplied certificate and private key. Input file is @@ -446,32 +451,42 @@ Streaming is always used for the B<-sign> operation with detached data but since the content is no longer part of the CMS structure the encoding remains DER. +If the B<-decrypt> option is used without a recipient certificate then an +attempt is made to locate the recipient by trying each potential recipient +in turn using the supplied private key. To thwart the MMA attack +(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are +tried whether they succeed or not and if no recipients match the message +is "decrypted" using a random key which will typically output garbage. +The B<-debug_decrypt> option can be used to disable the MMA attack protection +and return an error if no recipient can be found: this option should be used +with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>). + =head1 EXIT CODES =over 4 -=item 0 +=item Z<>0 the operation was completely successfully. -=item 1 +=item Z<>1 an error occurred parsing the command options. -=item 2 +=item Z<>2 one of the input files could not be read. -=item 3 +=item Z<>3 an error occurred creating the CMS file or when reading the MIME message. -=item 4 +=item Z<>4 an error occurred decrypting or verifying the message. -=item 5 +=item Z<>5 the message was verified correctly but an error occurred writing out the signers certificates. diff --git a/openssl/doc/apps/enc.pod b/openssl/doc/apps/enc.pod index 3dee4ed99..41791ad67 100644 --- a/openssl/doc/apps/enc.pod +++ b/openssl/doc/apps/enc.pod @@ -215,6 +215,10 @@ unsupported options (for example B<openssl enc -help>) includes a list of ciphers, supported by your versesion of OpenSSL, including ones provided by configured engines. +The B<enc> program does not support authenticated encryption modes +like CCM and GCM. The utility does not store or retrieve the +authentication tag. + base64 Base 64 diff --git a/openssl/doc/apps/s_server.pod b/openssl/doc/apps/s_server.pod index 6758ba308..f9b9ca532 100644 --- a/openssl/doc/apps/s_server.pod +++ b/openssl/doc/apps/s_server.pod @@ -44,6 +44,7 @@ B<openssl> B<s_server> [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] +[B<-no_ecdhe>] [B<-bugs>] [B<-hack>] [B<-www>] @@ -131,6 +132,11 @@ a static set of parameters hard coded into the s_server program will be used. if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. +=item B<-no_ecdhe> + +if this option is set then no ECDH parameters will be loaded effectively +disabling the ephemeral ECDH cipher suites. + =item B<-no_tmp_rsa> certain export cipher suites sometimes use a temporary RSA key, this option diff --git a/openssl/doc/apps/smime.pod b/openssl/doc/apps/smime.pod index e4e89af84..d39a59a90 100644 --- a/openssl/doc/apps/smime.pod +++ b/openssl/doc/apps/smime.pod @@ -159,7 +159,7 @@ EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers supported by your version of OpenSSL. -If not specified 40 bit RC2 is used. Only used with B<-encrypt>. +If not specified triple DES is used. Only used with B<-encrypt>. =item B<-nointern> @@ -308,28 +308,28 @@ remains DER. =over 4 -=item 0 +=item Z<>0 the operation was completely successfully. -=item 1 +=item Z<>1 an error occurred parsing the command options. -=item 2 +=item Z<>2 one of the input files could not be read. -=item 3 +=item Z<>3 an error occurred creating the PKCS#7 file or when reading the MIME message. -=item 4 +=item Z<>4 an error occurred decrypting or verifying the message. -=item 5 +=item Z<>5 the message was verified correctly but an error occurred writing out the signers certificates. diff --git a/openssl/doc/apps/verify.pod b/openssl/doc/apps/verify.pod index da683004b..f35d40295 100644 --- a/openssl/doc/apps/verify.pod +++ b/openssl/doc/apps/verify.pod @@ -25,6 +25,7 @@ B<openssl> B<verify> [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] +[B<-attime timestamp>] [B<-verbose>] [B<->] [certificates] @@ -80,6 +81,12 @@ rejected. The presence of rejection messages does not itself imply that anything is wrong; during the normal verification process, several rejections may take place. +=item B<-attime timestamp> + +Perform validation checks using time specified by B<timestamp> and not +current system time. B<timestamp> is the number of seconds since +01.01.1970 (UNIX time). + =item B<-policy arg> Enable policy processing and add B<arg> to the user-initial-policy-set (see @@ -386,7 +393,7 @@ an application specific error. Unused. =head1 BUGS -Although the issuer checks are a considerably improvement over the old technique they still +Although the issuer checks are a considerable improvement over the old technique they still suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that trusted certificates with matching subject name must either appear in a file (as specified by the B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only diff --git a/openssl/doc/apps/version.pod b/openssl/doc/apps/version.pod index e00324c44..58f543bc3 100644 --- a/openssl/doc/apps/version.pod +++ b/openssl/doc/apps/version.pod @@ -13,6 +13,7 @@ B<openssl version> [B<-o>] [B<-f>] [B<-p>] +[B<-d>] =head1 DESCRIPTION @@ -38,7 +39,7 @@ the date the current version of OpenSSL was built. option information: various options set when the library was built. -=item B<-c> +=item B<-f> compilation flags. diff --git a/openssl/doc/apps/x509v3_config.pod b/openssl/doc/apps/x509v3_config.pod index 0450067cf..13ff85b17 100644 --- a/openssl/doc/apps/x509v3_config.pod +++ b/openssl/doc/apps/x509v3_config.pod @@ -301,7 +301,7 @@ Example: O=Organisation CN=Some Name - + =head2 Certificate Policies. This is a I<raw> extension. All the fields of this extension can be set by @@ -390,7 +390,7 @@ Examples: nameConstraints=permitted;email:.somedomain.com nameConstraints=excluded;email:.com -issuingDistributionPoint = idp_section + =head2 OCSP No Check |