diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-03-06 21:46:33 +0100 |
|---|---|---|
| committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-04-20 11:33:53 +0200 |
| commit | 2b264aee6f3b92f14cb3e3dc5b27d14831870923 (patch) | |
| tree | 0cb1dffa4bf93ee37417a29ea1240932e42f34e6 | |
| parent | b418980c3f5519c248afc40a575b89f629d56b45 (diff) | |
Fix descriptions of credentials and verification options for various apps
fix doc of s_client and s_server credentials and verification options
fix doc of verification options also for s_time, x509, crl, req, ts, and verify
correcting and extending texts regarding untrusted and trusted certs,
making the order of options in the docs and help texts more consistent,
etc.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)
| -rw-r--r-- | apps/crl.c | 2 | ||||
| -rw-r--r-- | apps/req.c | 2 | ||||
| -rw-r--r-- | apps/s_client.c | 20 | ||||
| -rw-r--r-- | apps/s_server.c | 48 | ||||
| -rw-r--r-- | apps/s_time.c | 2 | ||||
| -rw-r--r-- | apps/ts.c | 2 | ||||
| -rw-r--r-- | apps/verify.c | 14 | ||||
| -rw-r--r-- | apps/x509.c | 2 | ||||
| -rw-r--r-- | doc/man1/openssl-s_client.pod.in | 85 | ||||
| -rw-r--r-- | doc/man1/openssl-s_server.pod.in | 117 | ||||
| -rw-r--r-- | doc/man1/openssl-ts.pod.in | 2 | ||||
| -rw-r--r-- | doc/man1/openssl-verify.pod.in | 15 | ||||
| -rw-r--r-- | doc/man1/openssl.pod | 4 |
13 files changed, 181 insertions, 134 deletions
diff --git a/apps/crl.c b/apps/crl.c index 5e0a517a1b..95643a0e10 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -46,7 +46,7 @@ const OPTIONS crl_options[] = { #ifndef OPENSSL_NO_MD5 {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"}, #endif - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, {"", OPT_MD, '-', "Any supported digest"}, OPT_SECTION("CRL"), diff --git a/apps/req.c b/apps/req.c index 4d65fc2831..e2555b6fbe 100644 --- a/apps/req.c +++ b/apps/req.c @@ -113,7 +113,7 @@ const OPTIONS req_options[] = { {"config", OPT_CONFIG, '<', "Request template file"}, {"section", OPT_SECTION, 's', "Config section to use (default \"req\")"}, {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, {"reqopt", OPT_REQOPT, 's', "Various request text options"}, {"text", OPT_TEXT, '-', "Text form of request"}, {"x509", OPT_X509, '-', diff --git a/apps/s_client.c b/apps/s_client.c index c06f2c824f..c051e65270 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -649,14 +649,17 @@ const OPTIONS s_client_options[] = { {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, OPT_SECTION("Identity"), - {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"}, - {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, + {"cert", OPT_CERT, '<', "Client certificate file to use"}, {"certform", OPT_CERTFORM, 'F', - "Certificate format (PEM or DER) PEM default"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, - {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"}, + "Client certificate file format (PEM or DER) PEM default"}, + {"cert_chain", OPT_CERT_CHAIN, '<', + "Client certificate chain file (in PEM format)"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"}, + {"key", OPT_KEY, 's', "Private key file to use; default is: -cert file"}, {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"}, {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, + {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"}, @@ -801,8 +804,8 @@ const OPTIONS s_client_options[] = { {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', "Close connection on verification error"}, {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"}, - {"cert_chain", OPT_CERT_CHAIN, '<', - "Certificate chain file (in PEM format)"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, {"chainCApath", OPT_CHAINCAPATH, '/', "Use dir as certificate store path to build CA certificate chain"}, {"chainCAstore", OPT_CHAINCASTORE, ':', @@ -813,9 +816,6 @@ const OPTIONS s_client_options[] = { "Use dir as certificate store path to verify CA certificate"}, {"verifyCAstore", OPT_VERIFYCASTORE, ':', "CA store URI for certificate verification"}, - {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, - {"chainCAfile", OPT_CHAINCAFILE, '<', - "CA file for certificate chain (PEM format)"}, OPT_X_OPTIONS, OPT_PROV_OPTIONS, diff --git a/apps/s_server.c b/apps/s_server.c index d2864bc689..830acadd32 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -802,31 +802,36 @@ const OPTIONS s_server_options[] = { {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"}, {"Verify", OPT_UPPER_V_VERIFY, 'n', "Turn on peer certificate verification, must have a cert"}, - {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, + {"cert", OPT_CERT, '<', "Server certificate file to use; default is " TEST_CERT}, {"cert2", OPT_CERT2, '<', "Certificate file to use for servername; default is" TEST_CERT2}, - {"key2", OPT_KEY2, '<', - "-Private Key file to use for servername if not in -cert2"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"certform", OPT_CERTFORM, 'F', + "Server certificate file format (PEM or DER) PEM default"}, + {"cert_chain", OPT_CERT_CHAIN, '<', + "Server certificate chain file in PEM format"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"}, {"serverinfo", OPT_SERVERINFO, 's', "PEM serverinfo file for certificate"}, - {"certform", OPT_CERTFORM, 'F', - "Certificate format (PEM or DER) PEM default"}, {"key", OPT_KEY, 's', - "Private Key if not in -cert; default is " TEST_CERT}, + "Private key file to use; default is -cert file or else" TEST_CERT}, + {"key2", OPT_KEY2, '<', + "-Private Key file to use for servername if not in -cert2"}, {"keyform", OPT_KEYFORM, 'f', "Key format (PEM, DER or ENGINE) PEM default"}, {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, {"dcert", OPT_DCERT, '<', - "Second certificate file to use (usually for DSA)"}, - {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"}, + "Second server certificate file to use (usually for DSA)"}, {"dcertform", OPT_DCERTFORM, 'F', - "Second certificate format (PEM or DER) PEM default"}, + "Second server certificate file format (PEM or DER) PEM default"}, + {"dcert_chain", OPT_DCERT_CHAIN, '<', + "second server certificate chain file in PEM format"}, {"dkey", OPT_DKEY, '<', "Second private key file to use (usually for DSA)"}, {"dkeyform", OPT_DKEYFORM, 'F', - "Second key format (PEM, DER or ENGINE) PEM default"}, + "Second key file format (PEM, DER or ENGINE) PEM default"}, {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"}, + {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"}, {"servername", OPT_SERVERNAME, 's', "Servername for HostName TLS extension"}, {"servername_fatal", OPT_SERVERNAME_FATAL, '-', @@ -850,12 +855,17 @@ const OPTIONS s_server_options[] = { {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', "Export len bytes of keying material (default 20)"}, {"CRL", OPT_CRL, '<', "CRL file to use"}, + {"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"}, {"crl_download", OPT_CRL_DOWNLOAD, '-', - "Download CRL from distribution points"}, + "Download CRLs from distribution points in certificate CDP entries"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, {"chainCApath", OPT_CHAINCAPATH, '/', "use dir as certificate store path to build CA certificate chain"}, {"chainCAstore", OPT_CHAINCASTORE, ':', "use URI as certificate store to build CA certificate chain"}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<', + "CA file for certificate verification (PEM format)"}, {"verifyCApath", OPT_VERIFYCAPATH, '/', "use dir as certificate store path to verify CA certificate"}, {"verifyCAstore", OPT_VERIFYCASTORE, ':', @@ -863,13 +873,10 @@ const OPTIONS s_server_options[] = { {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"}, {"ext_cache", OPT_EXT_CACHE, '-', "Disable internal cache, setup and use external cache"}, - {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"}, {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', "Close connection on verification error"}, {"verify_quiet", OPT_VERIFY_QUIET, '-', "No verify output except verify errors"}, - {"verifyCAfile", OPT_VERIFYCAFILE, '<', - "CA file for certificate verification (PEM format)"}, {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"}, {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"}, @@ -990,13 +997,6 @@ const OPTIONS s_server_options[] = { OPT_R_OPTIONS, OPT_S_OPTIONS, OPT_V_OPTIONS, - {"cert_chain", OPT_CERT_CHAIN, '<', - "certificate chain file in PEM format"}, - {"dcert_chain", OPT_DCERT_CHAIN, '<', - "second certificate chain file in PEM format"}, - {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, - {"chainCAfile", OPT_CHAINCAFILE, '<', - "CA file for certificate chain (PEM format)"}, OPT_X_OPTIONS, OPT_PROV_OPTIONS, {NULL} @@ -1244,7 +1244,7 @@ int s_server_main(int argc, char *argv[]) s_key_file = opt_arg(); break; case OPT_KEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format)) + if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_key_format)) goto opthelp; break; case OPT_PASS: @@ -1266,7 +1266,7 @@ int s_server_main(int argc, char *argv[]) s_dcert_file = opt_arg(); break; case OPT_DKEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dkey_format)) + if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_dkey_format)) goto opthelp; break; case OPT_DPASS: diff --git a/apps/s_time.c b/apps/s_time.c index 28e82f7cae..643155674f 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -86,7 +86,7 @@ const OPTIONS s_time_options[] = { {"www", OPT_WWW, 's', "Fetch specified page from the site"}, OPT_SECTION("Certificate"), - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"}, {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, @@ -97,8 +97,8 @@ const OPTIONS ts_options[] = { {"inkey", OPT_INKEY, 's', "File with private key for reply"}, {"signer", OPT_SIGNER, 's', "Signer certificate file"}, {"chain", OPT_CHAIN, '<', "File with signer CA chain"}, - {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"}, {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"}, + {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"}, {"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"}, {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"}, {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"}, diff --git a/apps/verify.c b/apps/verify.c index f626009f55..1e154069c1 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -45,24 +45,24 @@ const OPTIONS verify_options[] = { #endif {"verbose", OPT_VERBOSE, '-', "Print extra information about the operations being performed."}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, OPT_SECTION("Certificate chain"), - {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"}, + {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"}, {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"}, + {"CApath", OPT_CAPATH, '/', "A directory of files with trusted certificates"}, {"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"}, {"no-CAfile", OPT_NOCAFILE, '-', - "Do not load the default certificates file"}, + "Do not load the default trusted certificates file"}, {"no-CApath", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates directory"}, + "Do not load trusted certificates from the default directory"}, {"no-CAstore", OPT_NOCAPATH, '-', - "Do not load certificates from the default certificates store"}, + "Do not load trusted certificates from the default certificates store"}, {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"}, - {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"}, {"CRLfile", OPT_CRLFILE, '<', "File containing one or more CRL's (in PEM format) to load"}, {"crl_download", OPT_CRL_DOWNLOAD, '-', - "Attempt to download CRL information for this certificate"}, + "Try downloading CRL information for certificates via their CDP entries"}, {"show_chain", OPT_SHOW_CHAIN, '-', "Display information about the certificate chain"}, diff --git a/apps/x509.c b/apps/x509.c index e2a68828e3..996e89e4d9 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -117,7 +117,7 @@ const OPTIONS x509_options[] = { {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', "Print old-style (MD5) subject hash value"}, #endif - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, OPT_SECTION("Certificate"), {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 982c54ae9e..f66e6e5d63 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -30,22 +30,21 @@ B<openssl> B<s_client> [B<-verifyCAstore> I<uri>] [B<-cert> I<filename>] [B<-certform> B<DER>|B<PEM>] +[B<-cert_chain> I<filename>] +[B<-build_chain>] [B<-CRL> I<filename>] [B<-CRLform> B<DER>|B<PEM>] [B<-crl_download>] [B<-key> I<filename>] -[B<-keyform> B<DER>|B<PEM>] -[B<-cert_chain> I<filename>] -[B<-build_chain>] +[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] [B<-pass> I<arg>] -[B<-chainCApath> I<directory>] [B<-chainCAfile> I<filename>] +[B<-chainCApath> I<directory>] [B<-chainCAstore> I<uri>] [B<-requestCAfile> I<filename>] [B<-dane_tlsa_domain> I<domain>] [B<-dane_tlsa_rrdata> I<rrdata>] [B<-dane_ee_no_namechecks>] -[B<-build_chain>] [B<-reconnect>] [B<-showcerts>] [B<-prexit>] @@ -236,12 +235,25 @@ ClientHello message. Cannot be used in conjunction with the B<-servername> or =item B<-cert> I<certname> -The certificate to use, if one is requested by the server. The default is -not to use a certificate. +The client certificate to use, if one is requested by the server. +The default is not to use a certificate. -=item B<-certform> I<format> +The chain for the client certificate may be specified using B<-cert_chain>. -The certificate format to use: DER or PEM. PEM is the default. +=item B<-certform> B<DER>|B<PEM> + +The client certificate file format to use; the default is B<PEM>. +see L<openssl(1)/Format Options>. + +=item B<-cert_chain> + +A file containing untrusted certificates to use when attempting to build the +certificate chain related to the certificate specified via the B<-cert> option. + +=item B<-build_chain> + +Specify whether the application should build the client certificate chain to be +provided to the server. =item B<-CRL> I<filename> @@ -249,7 +261,7 @@ CRL file to use to check the server's certificate. =item B<-CRLform> B<DER>|B<PEM> -The CRL format; the default is B<PEM>. +The CRL file format; the default is B<PEM>. See L<openssl(1)/Format Options> for details. =item B<-crl_download> @@ -258,25 +270,14 @@ Download CRL from distribution points in the certificate. =item B<-key> I<keyfile> -The private key to use. If not specified then the certificate file will -be used. +The client private key file to use. +If not specified then the certificate file will be used to read also the key. -=item B<-keyform> I<format> +=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> The key format; the default is B<PEM>. See L<openssl(1)/Format Options> for details. -=item B<-cert_chain> - -A file containing trusted certificates to use when attempting to build the -client/server certificate chain related to the certificate specified via the -B<-cert> option. - -=item B<-build_chain> - -Specify whether the application should build the certificate chain to be -provided to the server. - =item B<-pass> I<arg> the private key password source. For more information about the format of I<arg> @@ -301,32 +302,42 @@ Limit verify output to only errors. =item B<-verifyCAfile> I<filename> -CA file for verifying the server's certificate, in PEM format. +A file in PEM format containing trusted certificates to use +for verifying the server's certificate. =item B<-verifyCApath> I<dir> -Use the specified directory as a certificate store path to verify -the server's CA certificate. +A directory containing trusted certificates to use +for verifying the server's certificate. +This directory must be in "hash format", +see L<openssl-verify(1)> for more information. =item B<-verifyCAstore> I<uri> -Use the specified URI as a store URI to verify the server's certificate. - +The URI of a store containing trusted certificates to use +for verifying the server's certificate. -=item B<-chainCApath> I<directory> +=item B<-chainCAfile> I<file> -The directory to use for building the chain provided to the server. This -directory must be in "hash format", see L<openssl-verify(1)> for more -information. +A file in PEM format containing trusted certificates to use +when attempting to build the client certificate chain. -=item B<-chainCAfile> I<file> +=item B<-chainCApath> I<directory> -A file containing trusted certificates to use when attempting to build the -client certificate chain. +A directory containing trusted certificates to use +for building the client certificate chain provided to the server. +This directory must be in "hash format", +see L<openssl-verify(1)> for more information. =item B<-chainCAstore> I<uri> -The URI to use when attempting to build the client certificate chain. +The URI of a store containing trusted certificates to use +when attempting to build the client certificate chain. +The URI may indicate a single certificate, as well as a collection of them. +With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or +B<-chainCApath>, depending on if the URI indicates a directory or a +single file. +See L<ossl_store-file(7)> for more information on the C<file:> scheme. =item B<-requestCAfile> I<file> diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 0fd22d4689..c7c78562c1 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -19,16 +19,20 @@ B<openssl> B<s_server> [B<-verify> I<int>] [B<-Verify> I<int>] [B<-cert> I<infile>] -[B<-naccept> I<+int>] -[B<-serverinfo> I<val>] +[B<-cert2> I<infile>] [B<-certform> B<DER>|B<PEM>] +[B<-cert_chain> I<infile>] +[B<-build_chain>] +[B<-serverinfo> I<val>] [B<-key> I<infile>] -[B<-keyform> B<DER>|B<PEM>] +[B<-key2> I<infile>] +[B<-keyform> B<DER>|B<PEM>|B<ENGINE>] [B<-pass> I<val>] [B<-dcert> I<infile>] [B<-dcertform> B<DER>|B<PEM>] +[B<-dcert_chain> I<infile>] [B<-dkey> I<infile>] -[B<-dkeyform> B<DER>|B<PEM>] +[B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>] [B<-dpass> I<val>] [B<-nbio_test>] [B<-crlf>] @@ -44,29 +48,24 @@ B<openssl> B<s_server> [B<-http_server_binmode>] [B<-servername>] [B<-servername_fatal>] -[B<-cert2> I<infile>] -[B<-key2> I<infile>] [B<-tlsextdebug>] [B<-HTTP>] [B<-id_prefix> I<val>] [B<-keymatexport> I<val>] [B<-keymatexportlen> I<+int>] -[B<-CRLform> B<DER>|B<PEM>] [B<-CRL> I<infile>] +[B<-CRLform> B<DER>|B<PEM>] [B<-crl_download>] -[B<-cert_chain> I<infile>] -[B<-dcert_chain> I<infile>] +[B<-chainCAfile> I<infile>] [B<-chainCApath> I<dir>] -[B<-verifyCApath> I<dir>] [B<-chainCAstore> I<uri>] +[B<-verifyCAfile> I<infile>] +[B<-verifyCApath> I<dir>] [B<-verifyCAstore> I<uri>] [B<-no_cache>] [B<-ext_cache>] [B<-verify_return_error>] [B<-verify_quiet>] -[B<-build_chain>] -[B<-chainCAfile> I<infile>] -[B<-verifyCAfile> I<infile>] [B<-ign_eof>] [B<-no_ign_eof>] [B<-status>] @@ -84,6 +83,7 @@ B<openssl> B<s_server> [B<-max_send_frag> I<+int>] [B<-split_send_frag> I<+int>] [B<-max_pipelines> I<+int>] +[B<-naccept> I<+int>] [B<-read_buf> I<+int>] [B<-bugs>] [B<-no_comp>] @@ -219,22 +219,21 @@ certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS (DSA) key. If not specified then the filename F<server.pem> will be used. +=item B<-certform> B<DER>|B<PEM> + +The server certificate file format; the default is B<PEM>. +See L<openssl(1)/Format Options> for details. + =item B<-cert_chain> -A file containing trusted certificates to use when attempting to build the -client/server certificate chain related to the certificate specified via the -B<-cert> option. +A file containing untrusted certificates to use when attempting to build the +certificate chain related to the certificate specified via the B<-cert> option. =item B<-build_chain> -Specify whether the application should build the certificate chain to be +Specify whether the application should build the server certificate chain to be provided to the client. -=item B<-naccept> I<+int> - -The server will exit after receiving the specified number of connections, -default unlimited. - =item B<-serverinfo> I<val> A file containing one or more blocks of PEM data. Each PEM block @@ -243,17 +242,12 @@ followed by "length" bytes of extension data). If the client sends an empty TLS ClientHello extension matching the type, the corresponding ServerHello extension will be returned. -=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM> - -The certificate and CRL format; the default is PEM. -See L<openssl(1)/Format Options> for details. - =item B<-key> I<infile> The private key to use. If not specified then the certificate file will be used. -=item B<-keyform> B<DER>|B<PEM> +=item B<-keyform> B<DER>|B<PEM>|B<ENGINE> The key format; the default is B<PEM>. See L<openssl(1)/Format Options> for details. @@ -277,14 +271,19 @@ by using an appropriate certificate. =item B<-dcert_chain> -A file containing trusted certificates to use when attempting to build the +A file containing untrusted certificates to use when attempting to build the server certificate chain when a certificate specified via the B<-dcert> option is in use. -=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM> +=item B<-dcertform> B<DER>|B<PEM> + +The format of the additional certificate file; the default is B<PEM>. +See L<openssl(1)/Format Options>. + +=item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE> -The format of the certificate and private key; the default is B<PEM> -see L<openssl(1)/Format Options>. +The format of the additional private key; the default is B<PEM>. +See L<openssl(1)/Format Options>. =item B<-dpass> I<val> @@ -316,22 +315,53 @@ File to send output of B<-msg> or B<-trace> to, default standard output. Prints the SSL session states. -=item B<-chainCApath> I<dir> +=item B<-CRL> I<infile> + +The CRL file to use. + +=item B<-CRLform> B<DER>|B<PEM> + +The CRL file format; the default is B<PEM>. +See L<openssl(1)/Format Options> for details. + +=item B<-crl_download> + +Download CRLs from distribution points given in CDP extensions of certificates -The directory to use for building the chain provided to the client. This -directory must be in "hash format", see L<openssl-verify(1)> for more -information. +=item B<-verifyCAfile> I<filename> + +A file in PEM format CA containing trusted certificates to use +for verifying client certificates. + +=item B<-verifyCApath> I<dir> + +A directory containing trusted certificates to use +for verifying client certificates. +This directory must be in "hash format", +see L<openssl-verify(1)> for more information. + +=item B<-verifyCAstore> I<uri> + +The URI of a store containing trusted certificates to use +for verifying client certificates. =item B<-chainCAfile> I<file> -A file containing trusted certificates to use when attempting to build the -server certificate chain. +A file in PEM format containing trusted certificates to use +when attempting to build the server certificate chain. + +=item B<-chainCApath> I<dir> + +A directory containing trusted certificates to use +for building the server certificate chain provided to the client. +This directory must be in "hash format", +see L<openssl-verify(1)> for more information. =item B<-chainCAstore> I<uri> -The URI to a store to use for building the chain provided to the client. -The URI may indicate a single certificate, as well as a collection of -them. +The URI of a store containing trusted certificates to use +for building the server certificate chain provided to the client. +The URI may indicate a single certificate, as well as a collection of them. With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or B<-chainCApath>, depending on if the URI indicates a directory or a single file. @@ -462,6 +492,11 @@ an effect if an engine has been loaded that supports pipelining (e.g. the dasync engine) and a suitable cipher suite has been negotiated. The default value is 1. See L<SSL_CTX_set_max_pipelines(3)> for further information. +=item B<-naccept> I<+int> + +The server will exit after receiving the specified number of connections, +default unlimited. + =item B<-read_buf> I<+int> The default read buffer size to be used for connections. This will only have an diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 38fcf530fe..8437862c2c 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -37,7 +37,6 @@ B<-reply> [B<-chain> I<certs_file.pem>] [B<-tspolicy> I<object_id>] [B<-in> I<response.tsr>] -[B<-untrusted> I<file>] [B<-token_in>] [B<-out> I<response.tsr>] [B<-token_out>] @@ -52,6 +51,7 @@ B<-verify> [B<-queryfile> I<request.tsq>] [B<-in> I<response.tsr>] [B<-token_in>] +[B<-untrusted> I<file>] [B<-CAfile> I<file>] [B<-CApath> I<dir>] [B<-CAstore> I<uri>] diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index 821f88dae9..2b824c0370 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -38,10 +38,6 @@ This command verifies certificate chains. Print out a usage message. -=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath> - -See L<openssl(1)/Trusted Certificate Options> for more information. - =item B<-CRLfile> I<file> The I<file> should contain one or more CRLs in PEM format. @@ -50,7 +46,7 @@ I<file>s. =item B<-crl_download> -Attempt to download CRL information for this certificate. +Attempt to download CRL information for certificates via their CDP entries. =item B<-show_chain> @@ -64,11 +60,16 @@ Print extra information about the operations being performed. =item B<-trusted> I<file> -A file of trusted certificates. +A file of trusted certificates in PEM format. +This option can be specified more than once to load certificates from multiple +I<file>s. =item B<-untrusted> I<file> -A file of untrusted certificates. +A file of untrusted certificates in PEM format to use for chain building. +This option can be specified more than once to load certificates from multiple +I<file>s. + =item B<-vfyopt> I<nm>:I<v> diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index c05fc29f67..c8de9016fb 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -977,8 +977,8 @@ effect. Parse I<file> as a set of one or more certificates in PEM format. All certificates must be self-signed, unless the B<-partial_chain> option is specified. -This option implies the B<-no-CAfile> and B<-no-CApath> options and it -cannot be used with either the B<-CAfile> or B<-CApath> options, so +This option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options +and it cannot be used with the B<-CAfile>, B<-CApath> or B<-CAstore> options, so only certificates in the file are trust anchors. This option may be used multiple times. |