aboutsummaryrefslogtreecommitdiff
path: root/openssl/doc/apps
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/doc/apps')
-rw-r--r--openssl/doc/apps/cms.pod27
-rw-r--r--openssl/doc/apps/enc.pod4
-rw-r--r--openssl/doc/apps/s_server.pod6
-rw-r--r--openssl/doc/apps/smime.pod14
-rw-r--r--openssl/doc/apps/verify.pod9
-rw-r--r--openssl/doc/apps/version.pod3
-rw-r--r--openssl/doc/apps/x509v3_config.pod4
7 files changed, 50 insertions, 17 deletions
diff --git a/openssl/doc/apps/cms.pod b/openssl/doc/apps/cms.pod
index a09588a18..a76b3e0fd 100644
--- a/openssl/doc/apps/cms.pod
+++ b/openssl/doc/apps/cms.pod
@@ -90,6 +90,11 @@ decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
+=item B<-debug_decrypt>
+
+this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+with caution: see the notes section below.
+
=item B<-sign>
sign mail using the supplied certificate and private key. Input file is
@@ -446,32 +451,42 @@ Streaming is always used for the B<-sign> operation with detached data but
since the content is no longer part of the CMS structure the encoding
remains DER.
+If the B<-decrypt> option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the MMA attack
+(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is "decrypted" using a random key which will typically output garbage.
+The B<-debug_decrypt> option can be used to disable the MMA attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>).
+
=head1 EXIT CODES
=over 4
-=item 0
+=item Z<>0
the operation was completely successfully.
-=item 1
+=item Z<>1
an error occurred parsing the command options.
-=item 2
+=item Z<>2
one of the input files could not be read.
-=item 3
+=item Z<>3
an error occurred creating the CMS file or when reading the MIME
message.
-=item 4
+=item Z<>4
an error occurred decrypting or verifying the message.
-=item 5
+=item Z<>5
the message was verified correctly but an error occurred writing out
the signers certificates.
diff --git a/openssl/doc/apps/enc.pod b/openssl/doc/apps/enc.pod
index 3dee4ed99..41791ad67 100644
--- a/openssl/doc/apps/enc.pod
+++ b/openssl/doc/apps/enc.pod
@@ -215,6 +215,10 @@ unsupported options (for example B<openssl enc -help>) includes a
list of ciphers, supported by your versesion of OpenSSL, including
ones provided by configured engines.
+The B<enc> program does not support authenticated encryption modes
+like CCM and GCM. The utility does not store or retrieve the
+authentication tag.
+
base64 Base 64
diff --git a/openssl/doc/apps/s_server.pod b/openssl/doc/apps/s_server.pod
index 6758ba308..f9b9ca532 100644
--- a/openssl/doc/apps/s_server.pod
+++ b/openssl/doc/apps/s_server.pod
@@ -44,6 +44,7 @@ B<openssl> B<s_server>
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
+[B<-no_ecdhe>]
[B<-bugs>]
[B<-hack>]
[B<-www>]
@@ -131,6 +132,11 @@ a static set of parameters hard coded into the s_server program will be used.
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
+=item B<-no_ecdhe>
+
+if this option is set then no ECDH parameters will be loaded effectively
+disabling the ephemeral ECDH cipher suites.
+
=item B<-no_tmp_rsa>
certain export cipher suites sometimes use a temporary RSA key, this option
diff --git a/openssl/doc/apps/smime.pod b/openssl/doc/apps/smime.pod
index e4e89af84..d39a59a90 100644
--- a/openssl/doc/apps/smime.pod
+++ b/openssl/doc/apps/smime.pod
@@ -159,7 +159,7 @@ EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
supported by your version of OpenSSL.
-If not specified 40 bit RC2 is used. Only used with B<-encrypt>.
+If not specified triple DES is used. Only used with B<-encrypt>.
=item B<-nointern>
@@ -308,28 +308,28 @@ remains DER.
=over 4
-=item 0
+=item Z<>0
the operation was completely successfully.
-=item 1
+=item Z<>1
an error occurred parsing the command options.
-=item 2
+=item Z<>2
one of the input files could not be read.
-=item 3
+=item Z<>3
an error occurred creating the PKCS#7 file or when reading the MIME
message.
-=item 4
+=item Z<>4
an error occurred decrypting or verifying the message.
-=item 5
+=item Z<>5
the message was verified correctly but an error occurred writing out
the signers certificates.
diff --git a/openssl/doc/apps/verify.pod b/openssl/doc/apps/verify.pod
index da683004b..f35d40295 100644
--- a/openssl/doc/apps/verify.pod
+++ b/openssl/doc/apps/verify.pod
@@ -25,6 +25,7 @@ B<openssl> B<verify>
[B<-untrusted file>]
[B<-help>]
[B<-issuer_checks>]
+[B<-attime timestamp>]
[B<-verbose>]
[B<->]
[certificates]
@@ -80,6 +81,12 @@ rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
+=item B<-attime timestamp>
+
+Perform validation checks using time specified by B<timestamp> and not
+current system time. B<timestamp> is the number of seconds since
+01.01.1970 (UNIX time).
+
=item B<-policy arg>
Enable policy processing and add B<arg> to the user-initial-policy-set (see
@@ -386,7 +393,7 @@ an application specific error. Unused.
=head1 BUGS
-Although the issuer checks are a considerably improvement over the old technique they still
+Although the issuer checks are a considerable improvement over the old technique they still
suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
trusted certificates with matching subject name must either appear in a file (as specified by the
B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
diff --git a/openssl/doc/apps/version.pod b/openssl/doc/apps/version.pod
index e00324c44..58f543bc3 100644
--- a/openssl/doc/apps/version.pod
+++ b/openssl/doc/apps/version.pod
@@ -13,6 +13,7 @@ B<openssl version>
[B<-o>]
[B<-f>]
[B<-p>]
+[B<-d>]
=head1 DESCRIPTION
@@ -38,7 +39,7 @@ the date the current version of OpenSSL was built.
option information: various options set when the library was built.
-=item B<-c>
+=item B<-f>
compilation flags.
diff --git a/openssl/doc/apps/x509v3_config.pod b/openssl/doc/apps/x509v3_config.pod
index 0450067cf..13ff85b17 100644
--- a/openssl/doc/apps/x509v3_config.pod
+++ b/openssl/doc/apps/x509v3_config.pod
@@ -301,7 +301,7 @@ Example:
O=Organisation
CN=Some Name
-
+
=head2 Certificate Policies.
This is a I<raw> extension. All the fields of this extension can be set by
@@ -390,7 +390,7 @@ Examples:
nameConstraints=permitted;email:.somedomain.com
nameConstraints=excluded;email:.com
-issuingDistributionPoint = idp_section
+
=head2 OCSP No Check