diff options
Diffstat (limited to 'openssl/doc/apps')
-rw-r--r-- | openssl/doc/apps/ciphers.pod | 2 | ||||
-rw-r--r-- | openssl/doc/apps/cms.pod | 5 | ||||
-rw-r--r-- | openssl/doc/apps/config.pod | 53 | ||||
-rw-r--r-- | openssl/doc/apps/dhparam.pod | 13 | ||||
-rw-r--r-- | openssl/doc/apps/ocsp.pod | 11 | ||||
-rw-r--r-- | openssl/doc/apps/s_client.pod | 7 | ||||
-rw-r--r-- | openssl/doc/apps/s_server.pod | 9 | ||||
-rw-r--r-- | openssl/doc/apps/smime.pod | 4 | ||||
-rw-r--r-- | openssl/doc/apps/verify.pod | 13 |
9 files changed, 107 insertions, 10 deletions
diff --git a/openssl/doc/apps/ciphers.pod b/openssl/doc/apps/ciphers.pod index e9280bc50..1c26e3b3d 100644 --- a/openssl/doc/apps/ciphers.pod +++ b/openssl/doc/apps/ciphers.pod @@ -365,10 +365,8 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA - SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-DH-DSS-DES-CBC-SHA SSL_DH_DSS_WITH_DES_CBC_SHA DH-DSS-DES-CBC-SHA SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA - SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DH-RSA-DES-CBC-SHA SSL_DH_RSA_WITH_DES_CBC_SHA DH-RSA-DES-CBC-SHA SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA diff --git a/openssl/doc/apps/cms.pod b/openssl/doc/apps/cms.pod index 76dbf2ca3..4eaedbcd3 100644 --- a/openssl/doc/apps/cms.pod +++ b/openssl/doc/apps/cms.pod @@ -35,6 +35,7 @@ B<openssl> B<cms> [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] [B<-nointern>] @@ -419,7 +420,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L<B<verify>|verify(1)> manual page for details. @@ -655,4 +656,6 @@ Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/openssl/doc/apps/config.pod b/openssl/doc/apps/config.pod index d5cce54f4..e12591528 100644 --- a/openssl/doc/apps/config.pod +++ b/openssl/doc/apps/config.pod @@ -277,6 +277,59 @@ priority and B</tmp> used if neither is defined: # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename +Simple OpenSSL library configuration example to enter FIPS mode: + + # Default appname: should match "appname" parameter (if any) + # supplied to CONF_modules_load_file et al. + openssl_conf = openssl_conf_section + + [openssl_conf_section] + # Configuration module list + alg_section = evp_sect + + [evp_sect] + # Set to "yes" to enter FIPS mode if supported + fips_mode = yes + +Note: in the above example you will get an error in non FIPS capable versions +of OpenSSL. + +More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: + + # Default appname: should match "appname" parameter (if any) + # supplied to CONF_modules_load_file et al. + openssl_conf = openssl_conf_section + + [openssl_conf_section] + # Configuration module list + alg_section = evp_sect + oid_section = new_oids + + [evp_sect] + # This will have no effect as FIPS mode is off by default. + # Set to "yes" to enter FIPS mode, if supported + fips_mode = no + + [new_oids] + # New OID, just short name + newoid1 = 1.2.3.4.1 + # New OID shortname and long name + newoid2 = New OID 2 long name, 1.2.3.4.2 + +The above examples can be used with with any application supporting library +configuration if "openssl_conf" is modified to match the appropriate "appname". + +For example if the second sample file above is saved to "example.cnf" then +the command line: + + OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 + +will output: + + 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 + +showing that the OID "newoid1" has been added as "1.2.3.4.1". + =head1 BUGS Currently there is no way to include characters using the octal B<\nnn> diff --git a/openssl/doc/apps/dhparam.pod b/openssl/doc/apps/dhparam.pod index 6e27cf5c1..1cd4c7666 100644 --- a/openssl/doc/apps/dhparam.pod +++ b/openssl/doc/apps/dhparam.pod @@ -71,8 +71,10 @@ check if the parameters are valid primes and generator. =item B<-2>, B<-5> -The generator to use, either 2 or 5. 2 is the default. If present then the -input file is ignored and parameters are generated instead. +The generator to use, either 2 or 5. If present then the +input file is ignored and parameters are generated instead. If not +present but B<numbits> is present, parameters are generated with the +default generator 2. =item B<-rand> I<file(s)> @@ -85,9 +87,10 @@ all others. =item I<numbits> this option specifies that a parameter set should be generated of size -I<numbits>. It must be the last option. If not present then a value of 512 -is used. If this option is present then the input file is ignored and -parameters are generated instead. +I<numbits>. It must be the last option. If this option is present then +the input file is ignored and parameters are generated instead. If +this option is not present but a generator (B<-2> or B<-5>) is +present, parameters are generated with a default length of 2048 bits. =item B<-noout> diff --git a/openssl/doc/apps/ocsp.pod b/openssl/doc/apps/ocsp.pod index 2372b373c..4639502a0 100644 --- a/openssl/doc/apps/ocsp.pod +++ b/openssl/doc/apps/ocsp.pod @@ -29,6 +29,7 @@ B<openssl> B<ocsp> [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +[B<-no_alt_chains>]] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] @@ -143,6 +144,10 @@ connection timeout to the OCSP responder in seconds file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. +=item B<-no_alt_chains> + +See L<B<verify>|verify(1)> manual page for details. + =item B<-verify_other file> file containing additional certificates to search when attempting to locate @@ -379,3 +384,9 @@ second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + +=cut diff --git a/openssl/doc/apps/s_client.pod b/openssl/doc/apps/s_client.pod index aad59b181..84d052706 100644 --- a/openssl/doc/apps/s_client.pod +++ b/openssl/doc/apps/s_client.pod @@ -19,6 +19,7 @@ B<openssl> B<s_client> [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -120,7 +121,7 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L<B<verify>|verify(1)> manual page for details. @@ -361,4 +362,8 @@ information whenever a session is renegotiated. L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/openssl/doc/apps/s_server.pod b/openssl/doc/apps/s_server.pod index b37f410fb..baca77924 100644 --- a/openssl/doc/apps/s_server.pod +++ b/openssl/doc/apps/s_server.pod @@ -33,6 +33,7 @@ B<openssl> B<s_server> [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] [B<-serverpref>] @@ -174,6 +175,10 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-no_alt_chains> + +See the L<B<verify>|verify(1)> manual page for details. + =item B<-state> prints out the SSL session states. @@ -406,4 +411,8 @@ unknown cipher suites a client says it supports. L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)> +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/openssl/doc/apps/smime.pod b/openssl/doc/apps/smime.pod index d39a59a90..d5618c8ff 100644 --- a/openssl/doc/apps/smime.pod +++ b/openssl/doc/apps/smime.pod @@ -15,6 +15,7 @@ B<openssl> B<smime> [B<-pk7out>] [B<-[cipher]>] [B<-in file>] +[B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] @@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various options of certificate chain verification. See L<B<verify>|verify(1)> manual page for details. @@ -441,5 +442,6 @@ structures may cause parsing errors. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.0.2b. =cut diff --git a/openssl/doc/apps/verify.pod b/openssl/doc/apps/verify.pod index df0153435..df1b86dfe 100644 --- a/openssl/doc/apps/verify.pod +++ b/openssl/doc/apps/verify.pod @@ -25,6 +25,7 @@ B<openssl> B<verify> [B<-extended_crl>] [B<-use_deltas>] [B<-policy_print>] +[B<-no_alt_chains>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] @@ -124,6 +125,14 @@ Set policy variable inhibit-any-policy (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280). +=item B<-no_alt_chains> + +When building a certificate chain, if the first certificate chain found is not +trusted, then OpenSSL will continue to check to see if an alternative chain can +be found that is trusted. With this option that behaviour is suppressed so that +only the first chain found is ever used. Using this option will force the +behaviour to match that of previous OpenSSL versions. + =item B<-policy_print> Print out diagnostics related to policy processing. @@ -425,4 +434,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. L<x509(1)|x509(1)> +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut |