author | Ibrahim M. Ghazal <imgx64@gmail.com> | 2019-12-24 21:39:55 +0300 |
---|---|---|
committer | Ibrahim M. Ghazal <imgx64@gmail.com> | 2020-01-02 18:28:22 +0300 |
commit | 1fdde9170cbe36c9cd7bf9dc712836f591f7d511 (patch) | |
tree | abbfa239f9d2f092597f078440729952f0037a65 /doc/man1 | |
parent | e7b834b6bb0a32be694ebc8e614247c9af735c0f (diff) |
Add -iter option to pkcs12 command
Fixes #8194
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10130)
Diffstat (limited to 'doc/man1')
-rw-r--r-- | doc/man1/openssl-pkcs12.pod.in | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 16eb0accec..86c9de4670 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -25,8 +25,9 @@ B<openssl> B<pkcs12> [B<-nokeys>] [B<-info>] [B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>] -[B<-noiter>] -[B<-maciter> | B<-nomaciter> | B<-nomac>] +[B<-iter> I<count> | B<-noiter> | B<-nomaciter>] +[B<-maciter>] +[B<-nomac>] [B<-twopass>] [B<-descert>] [B<-certpbe> I<cipher>] @@ -233,17 +234,19 @@ the use of signing only keys for SSL client authentication. Specify the MAC digest algorithm. If not included them SHA1 will be used. -=item B<-nomaciter>, B<-noiter> +=item B<-iter> I<count> -These options affect the iteration counts on the MAC and key algorithms. -Unless you wish to produce files compatible with MSIE 4.0 you should leave -these options alone. +This option specifies the iteration count for the encryption key and MAC. The +default value is 2048. To discourage attacks by using large dictionaries of common passwords the algorithm that derives keys from passwords can have an iteration count applied to it: this causes a certain part of the algorithm to be repeated and slows it down. The MAC is used to check the file integrity but since it will normally have the same password as the keys and certificates it could also be attacked. + +=item B<-nomaciter>, B<-noiter> + By default both MAC and encryption iteration counts are set to 2048, using these options the MAC and encryption iteration counts can be set to 1, since this reduces the file security you should not use these options unless you |
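Review bot: In the synopsis hunk, the new line "[B<-iter> I<count> | B<-noiter> | B<-nomaciter>]" marks -noiter and -nomaciter as mutually exclusive, but the line it replaces kept "[B<-noiter>]" apart from the MAC options, and the description still documents the two under one item as setting the MAC and encryption counts to 1. The same hunk moves -maciter and -nomac into separate brackets, so the synopsis no longer shows that -maciter, -nomaciter and -nomac are alternatives. Consider grouping by what each option controls, for example "[B<-iter> I<count> | B<-noiter>]" followed by "[B<-maciter> | B<-nomaciter> | B<-nomac>]", or state in the text which combinations are accepted and which one wins.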
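Review bot: The new "=item B<-iter> I<count>" text in the second hunk gives no accepted range for I<count> and no caution about small values, although the -nomaciter/-noiter paragraph right after it warns that a count of 1 reduces the file security; a user can reach the same weak setting through -iter with nothing in this item saying so. Add a sentence on the minimum accepted value and that values below the default weaken protection against dictionary attacks on the password. The item should also say what happens when -iter is given together with -noiter or -nomaciter. Finally, the default of 2048 is now stated both here and in "By default both MAC and encryption iteration counts are set to 2048"; keep it in one place so the two cannot drift apart.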