diff options
Diffstat (limited to 'openssl/doc')
| -rw-r--r-- | openssl/doc/apps/config.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/apps/crl.pod | 5 | ||||
| -rw-r--r-- | openssl/doc/apps/ec.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/apps/pkcs12.pod | 9 | ||||
| -rw-r--r-- | openssl/doc/apps/req.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/apps/s_client.pod | 16 | ||||
| -rw-r--r-- | openssl/doc/apps/s_server.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/apps/ts.pod | 4 | ||||
| -rw-r--r-- | openssl/doc/apps/tsget.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/crypto/BN_BLINDING_new.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/crypto/ERR_get_error.pod | 7 | ||||
| -rw-r--r-- | openssl/doc/crypto/EVP_BytesToKey.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/crypto/EVP_EncryptInit.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/crypto/pem.pod | 2 | ||||
| -rw-r--r-- | openssl/doc/ssl/SSL_CTX_set_verify.pod | 4 | ||||
| -rw-r--r-- | openssl/doc/ssl/SSL_set_shutdown.pod | 2 |
17 files changed, 45 insertions, 22 deletions
diff --git a/openssl/doc/apps/config.pod b/openssl/doc/apps/config.pod index ace34b62b..25c5381b9 100644 --- a/openssl/doc/apps/config.pod +++ b/openssl/doc/apps/config.pod @@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration information. The section pointed to by B<engines> is a table of engine names (though see -B<engine_id> below) and further sections containing configuration informations +B<engine_id> below) and further sections containing configuration information specific to each ENGINE. Each ENGINE specific section is used to set default algorithms, load diff --git a/openssl/doc/apps/crl.pod b/openssl/doc/apps/crl.pod index a40c873b9..1ad76a5f8 100644 --- a/openssl/doc/apps/crl.pod +++ b/openssl/doc/apps/crl.pod @@ -62,6 +62,11 @@ don't output the encoded version of the CRL. output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name. +=item B<-hash_old> + +outputs the "hash" of the CRL issuer name using the older algorithm +as used by OpenSSL versions before 1.0.0. + =item B<-issuer> output the issuer name. diff --git a/openssl/doc/apps/ec.pod b/openssl/doc/apps/ec.pod index ba6dc4689..5c7b45d4e 100644 --- a/openssl/doc/apps/ec.pod +++ b/openssl/doc/apps/ec.pod @@ -41,7 +41,7 @@ PKCS#8 private key format use the B<pkcs8> command. This specifies the input format. The B<DER> option with a private key uses an ASN.1 DER encoded SEC1 private key. When used with a public key it -uses the SubjectPublicKeyInfo structur as specified in RFC 3280. +uses the SubjectPublicKeyInfo structure as specified in RFC 3280. The B<PEM> form is the default format: it consists of the B<DER> format base64 encoded with additional header and footer lines. In the case of a private key PKCS#8 format is also accepted. diff --git a/openssl/doc/apps/pkcs12.pod b/openssl/doc/apps/pkcs12.pod index f69a5c5a4..8e0d91798 100644 --- a/openssl/doc/apps/pkcs12.pod +++ b/openssl/doc/apps/pkcs12.pod @@ -67,7 +67,7 @@ by default. The filename to write certificates and private keys to, standard output by default. They are all written in PEM format. -=item B<-pass arg>, B<-passin arg> +=item B<-passin arg> the PKCS#12 file (i.e. input file) password source. For more information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in @@ -75,10 +75,15 @@ L<openssl(1)|openssl(1)>. =item B<-passout arg> -pass phrase source to encrypt any outputed private keys with. For more +pass phrase source to encrypt any outputted private keys with. For more information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. +=item B<-password arg> + +With -export, -password is equivalent to -passout. +Otherwise, -password is equivalent to -passin. + =item B<-noout> this option inhibits output of the keys and certificates to the output file diff --git a/openssl/doc/apps/req.pod b/openssl/doc/apps/req.pod index ff48bbdf2..0730d117b 100644 --- a/openssl/doc/apps/req.pod +++ b/openssl/doc/apps/req.pod @@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge> =item B<-newhdr> -Adds the word B<NEW> to the PEM file header and footer lines on the outputed +Adds the word B<NEW> to the PEM file header and footer lines on the outputted request. Some software (Netscape certificate server) and some CAs need this. =item B<-batch> diff --git a/openssl/doc/apps/s_client.pod b/openssl/doc/apps/s_client.pod index 4ebf7b585..3215b2e8c 100644 --- a/openssl/doc/apps/s_client.pod +++ b/openssl/doc/apps/s_client.pod @@ -10,6 +10,7 @@ s_client - SSL/TLS client program B<openssl> B<s_client> [B<-connect host:port>] [B<-verify depth>] +[B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] @@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +=item B<-verify_return_error> + +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. + =item B<-CApath directory> The directory to use for server certificate verification. This directory @@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its use is disabled, for example by using the B<-no_sslv2> option. +The B<s_client> utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should B<not> do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the B<-verify_return_error> +option: any verify errors are then returned aborting the handshake. + =head1 BUGS Because this program has a lot of options and also because some of @@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. -The B<-verify> option should really exit if the server verification -fails. - The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated. diff --git a/openssl/doc/apps/s_server.pod b/openssl/doc/apps/s_server.pod index 3e503e17e..6758ba308 100644 --- a/openssl/doc/apps/s_server.pod +++ b/openssl/doc/apps/s_server.pod @@ -111,7 +111,7 @@ by using an appropriate certificate. =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg> -addtional certificate and private key format and passphrase respectively. +additional certificate and private key format and passphrase respectively. =item B<-nocert> diff --git a/openssl/doc/apps/ts.pod b/openssl/doc/apps/ts.pod index 7fb6caa96..d6aa47d31 100644 --- a/openssl/doc/apps/ts.pod +++ b/openssl/doc/apps/ts.pod @@ -352,7 +352,7 @@ switch always overrides the settings in the config file. This is the main section and it specifies the name of another section that contains all the options for the B<-reply> command. This default -section can be overriden with the B<-section> command line switch. (Optional) +section can be overridden with the B<-section> command line switch. (Optional) =item B<oid_file> @@ -453,7 +453,7 @@ included. Default is no. (Optional) =head1 ENVIRONMENT VARIABLES B<OPENSSL_CONF> contains the path of the configuration file and can be -overriden by the B<-config> command line option. +overridden by the B<-config> command line option. =head1 EXAMPLES diff --git a/openssl/doc/apps/tsget.pod b/openssl/doc/apps/tsget.pod index b05957bee..56db985c4 100644 --- a/openssl/doc/apps/tsget.pod +++ b/openssl/doc/apps/tsget.pod @@ -124,7 +124,7 @@ The name of an EGD socket to get random data from. (Optional) =item [request]... List of files containing B<RFC 3161> DER-encoded time stamp requests. If no -requests are specifed only one request will be sent to the server and it will be +requests are specified only one request will be sent to the server and it will be read from the standard input. (Optional) =back diff --git a/openssl/doc/crypto/BN_BLINDING_new.pod b/openssl/doc/crypto/BN_BLINDING_new.pod index 5f51fdb47..da06e4446 100644 --- a/openssl/doc/crypto/BN_BLINDING_new.pod +++ b/openssl/doc/crypto/BN_BLINDING_new.pod @@ -48,7 +48,7 @@ necessary parameters are set, by re-creating the blinding parameters. BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>. If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be -returned in B<r> (this is useful if a B<RSA> object is shared amoung +returned in B<r> (this is useful if a B<RSA> object is shared among several threads). BN_BLINDING_invert_ex() multiplies B<n> with the inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as the inverse blinding. diff --git a/openssl/doc/crypto/ERR_get_error.pod b/openssl/doc/crypto/ERR_get_error.pod index 34443045f..828ecf529 100644 --- a/openssl/doc/crypto/ERR_get_error.pod +++ b/openssl/doc/crypto/ERR_get_error.pod @@ -52,8 +52,11 @@ ERR_get_error_line_data(), ERR_peek_error_line_data() and ERR_get_last_error_line_data() store additional data and flags associated with the error code in *B<data> and *B<flags>, unless these are B<NULL>. *B<data> contains a string -if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by OPENSSL_malloc(), -*B<flags>&B<ERR_TXT_MALLOCED> is true. +if *B<flags>&B<ERR_TXT_STRING> is true. + +An application B<MUST NOT> free the *B<data> pointer (or any other pointers +returned by these functions) with OPENSSL_free() as freeing is handled +automatically by the error library. =head1 RETURN VALUES diff --git a/openssl/doc/crypto/EVP_BytesToKey.pod b/openssl/doc/crypto/EVP_BytesToKey.pod index d375c46e0..0ea7d55c0 100644 --- a/openssl/doc/crypto/EVP_BytesToKey.pod +++ b/openssl/doc/crypto/EVP_BytesToKey.pod @@ -17,7 +17,7 @@ EVP_BytesToKey - password based encryption routine EVP_BytesToKey() derives a key and IV from various parameters. B<type> is the cipher to derive the key and IV for. B<md> is the message digest to use. -The B<salt> paramter is used as a salt in the derivation: it should point to +The B<salt> parameter is used as a salt in the derivation: it should point to an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing B<datal> bytes which is used to derive the keying data. B<count> is the iteration count to use. The derived key and IV will be written to B<key> diff --git a/openssl/doc/crypto/EVP_EncryptInit.pod b/openssl/doc/crypto/EVP_EncryptInit.pod index 8271d3dfc..1c4bf184a 100644 --- a/openssl/doc/crypto/EVP_EncryptInit.pod +++ b/openssl/doc/crypto/EVP_EncryptInit.pod @@ -152,7 +152,7 @@ does not remain in memory. EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and -EVP_CipherInit_ex() except the B<ctx> paramter does not need to be +EVP_CipherInit_ex() except the B<ctx> parameter does not need to be initialized and they always use the default cipher implementation. EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a diff --git a/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index b68eece03..46cac2bea 100644 --- a/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it to examine the valid policy tree and perform additional checks or simply log it for debugging purposes. -By default some addtional features such as indirect CRLs and CRLs signed by +By default some additional features such as indirect CRLs and CRLs signed by different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set they are enabled. diff --git a/openssl/doc/crypto/pem.pod b/openssl/doc/crypto/pem.pod index d5b189611..54414a3f6 100644 --- a/openssl/doc/crypto/pem.pod +++ b/openssl/doc/crypto/pem.pod @@ -201,7 +201,7 @@ handle PKCS#8 format encrypted and unencrypted keys too. PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() write a private key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption -algorithms. The B<cipher> argument specifies the encryption algoritm to +algorithms. The B<cipher> argument specifies the encryption algorithm to use: unlike all other PEM routines the encryption is applied at the PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead. diff --git a/openssl/doc/ssl/SSL_CTX_set_verify.pod b/openssl/doc/ssl/SSL_CTX_set_verify.pod index 81566839d..6fd6c0321 100644 --- a/openssl/doc/ssl/SSL_CTX_set_verify.pod +++ b/openssl/doc/ssl/SSL_CTX_set_verify.pod @@ -169,8 +169,8 @@ that will always continue the TLS/SSL handshake regardless of verification failure, if wished. The callback realizes a verification depth limit with more informational output. -All verification errors are printed, informations about the certificate chain -are printed on request. +All verification errors are printed; information about the certificate chain +is printed on request. The example is realized for a server that does allow but not require client certificates. diff --git a/openssl/doc/ssl/SSL_set_shutdown.pod b/openssl/doc/ssl/SSL_set_shutdown.pod index 011a022a1..fe013085d 100644 --- a/openssl/doc/ssl/SSL_set_shutdown.pod +++ b/openssl/doc/ssl/SSL_set_shutdown.pod @@ -24,7 +24,7 @@ The shutdown state of an ssl connection is a bitmask of: =over 4 -=item 0 +=item Z<>0 No shutdown setting, yet. |