author | slontis <shane.lontis@oracle.com> | 2023-02-08 17:22:43 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-03-07 18:24:45 +0100 |
commit | 50ea5cdcb735916591e35a04c1f5a659bf253ddc (patch) | |
tree | 8cdfdf314aa83a346256e15dcf36a18c8e931bea /doc/man1/openssl-fipsinstall.pod.in | |
parent | de13699370183ab565f548267afa57e25a921ca9 (diff) |
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
Fixes #19989
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
Diffstat (limited to 'doc/man1/openssl-fipsinstall.pod.in')
-rw-r--r-- | doc/man1/openssl-fipsinstall.pod.in | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index af18f361e6..8b066453f9 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -21,6 +21,7 @@ B<openssl fipsinstall> [B<-quiet>] [B<-no_conditional_errors>] [B<-no_security_checks>] +[B<-ems_check>] [B<-self_test_onload>] [B<-self_test_oninstall>] [B<-corrupt_desc> I<selftest_description>] @@ -165,6 +166,15 @@ fails as described above. Configure the module to not perform run-time security checks as described above. +Enabling the configuration option "no-fips-securitychecks" provides another way to +turn off the check at compile time. + +=item B<-ems_check> + +Configure the module to enable a run-time Extended Master Secret (EMS) check +when using the TLS1_PRF KDF algorithm. This check is disabled by default. +See RFC 7627 for information related to EMS. + =item B<-self_test_onload> Do not write the two fields related to the "test status indicator" and |
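Review bot: In the second hunk, the new "=item B<-ems_check>" text says the option enables "a run-time Extended Master Secret (EMS) check" but never states what the module does when the check fails, so an operator cannot tell from the man page whether a TLS1_PRF derivation without EMS is rejected or only reported. Suggest adding one sentence describing the failure behaviour. Since the text also says "This check is disabled by default", a short note on when an installation should turn it on would help too. Separately, the sentence added under -no_security_checks says no-fips-securitychecks is another way to "turn off the check" (singular), while the context line above it refers to "run-time security checks" (plural). Suggest "these checks", and say explicitly whether that compile-time option also affects the EMS check documented directly below it.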