author | Rich Salz <rsalz@akamai.com> | 2019-10-12 17:45:56 -0400 |
---|---|---|
committer | Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> | 2020-01-23 23:18:33 +0100 |
commit | 21d08b9ee9c0f7fabcad27b5d0b0c8c16f7dd1e9 (patch) | |
tree | 41077d218df34536e5b057a8e8f5c984e4c9f66f /doc/man1 | |
parent | cf0843c09101fa7a1718c4423543358b7fe1876a (diff) |
Update man3/verify documentation, error text
Move the x509_V_ERR_xxx definitions from openssl-verify to
X509_STORE_CTX_get_error.pod. Add some missing ones. Consistently
start with a lowercase letter, unless it's an acronym.
Fix some markup mistakes in X509_verify_cert.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10132)
Diffstat (limited to 'doc/man1')
-rw-r--r-- | doc/man1/openssl-cms.pod.in | 41 | ||||
-rw-r--r-- | doc/man1/openssl-dgst.pod.in | 11 | ||||
-rw-r--r-- | doc/man1/openssl-ocsp.pod.in | 42 | ||||
-rw-r--r-- | doc/man1/openssl-s_client.pod.in | 45 | ||||
-rw-r--r-- | doc/man1/openssl-s_server.pod.in | 54 | ||||
-rw-r--r-- | doc/man1/openssl-s_time.pod.in | 6 | ||||
-rw-r--r-- | doc/man1/openssl-smime.pod.in | 39 | ||||
-rw-r--r-- | doc/man1/openssl-ts.pod.in | 63 | ||||
-rw-r--r-- | doc/man1/openssl-verify.pod.in | 664 | ||||
-rw-r--r-- | doc/man1/openssl.pod | 255 |
10 files changed, 326 insertions, 894 deletions
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 56fe42c788..3a919edae5 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -39,34 +39,6 @@ B<openssl> B<cms> [B<-text>] [B<-noout>] [B<-print>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-md> I<digest>] [B<-I<cipher>>] [B<-nointern>] @@ -78,7 +50,6 @@ B<openssl> B<cms> [B<-crlfeol>] [B<-asciicrlf>] [B<-nodetach>] -[B<-certfile> I<file>] [B<-certsout> I<file>] [B<-signer> I<file>] [B<-recip> I<file>] @@ -97,6 +68,7 @@ B<openssl> B<cms> [B<-to> I<addr>] [B<-from> I<addr>] [B<-subject> I<subj>] +{- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} [I<cert.pem> ...] @@ -462,16 +434,9 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the 
From: address. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +{- $OpenSSL::safe::opt_v_item -} -Set various certificate chain validation options. See the -L<openssl-verify(1)> manual page for details. +Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_trust_item -} diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index a954b8b253..bd7b41cb37 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -27,6 +27,7 @@ B<openssl> B<dgst>|I<digest> [B<-hmac> I<key>] [B<-fips-fingerprint>] [B<-engine> I<id>] +[B<-engine_impl> I<id>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} [I<file> ...] @@ -170,17 +171,17 @@ option. Compute HMAC using a specific key for certain OpenSSL-FIPS operations. -=item B<-engine_impl> - -When used with the B<-engine> option, it specifies to also use -engine I<id> for digest operations. - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_engine_item -} The engine is not used for digests unless the B<-engine_impl> option is used or it is configured to do so, see L<config(5)/Engine Configuration Module>. +=item B<-engine_impl> + +When used with the B<-engine> option, it specifies to also use +engine I<id> for digest operations. + =item I<file> ... File or files to digest. If no files are specified then standard input is diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index fb32ffef71..a866a38ebc 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in 
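Review bot: The synopsis line added in the first openssl-dgst hunk, `+[B<-engine_impl> I<id>]`, gives B<-engine_impl> an I<id> argument, but the item text moved in the second hunk describes it as a modifier of B<-engine> ("also use engine I<id> for digest operations"), where I<id> is the B<-engine> argument rather than one of its own. If the option is a bare flag, as that wording suggests, the synopsis should read `[B<-engine_impl>]`; if it does take an argument, the item heading should say so, `=item B<-engine_impl> I<id>`. Worth confirming against the command's option table before merging, since the synopsis and the item now disagree.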
@@ -31,34 +31,6 @@ B<openssl> B<ocsp> [B<-multi> I<process-count>] [B<-header>] [B<-path>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-VAfile> I<file>] [B<-validity_period> I<n>] [B<-status_age> I<n>] @@ -88,6 +60,7 @@ B<openssl> B<ocsp> [B<-rcid> I<digest>] [B<-I<digest>>] {- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} =for openssl ifdef multi @@ -206,17 +179,6 @@ each child is willing to wait for the client's OCSP response. This option is available on POSIX systems (that support the fork() and other required unix system-calls). -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> - -Set different certificate verification options. -See L<openssl-verify(1)> manual page for details. - =item B<-verify_other> I<file> File containing additional certificates to search when attempting to locate 
@@ -307,6 +269,8 @@ digest used by subsequent certificate identifiers. {- $OpenSSL::safe::opt_trust_item -} +{- $OpenSSL::safe::opt_v_item -} + =back =head2 OCSP Server Options diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 779f91700f..48157d0fdd 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -36,35 +36,7 @@ B<openssl> B<s_client> [B<-dane_tlsa_domain> I<domain>] [B<-dane_tlsa_rrdata> I<rrdata>] [B<-dane_ee_no_namechecks>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] [B<-build_chain>] -[B<-x509_strict>] [B<-reconnect>] [B<-showcerts>] [B<-debug>] @@ -119,6 +91,7 @@ B<openssl> B<s_client> {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} [I<host>:I<port>] =for openssl ifdef engine ssl_client_engine ct noct ctlogfile 
@@ -347,17 +320,6 @@ records already make it possible for a remote domain to redirect client connections to any server of its choice, and in any case SMTP and XMPP clients do not execute scripts downloaded from remote servers. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> - -Set various certificate chain validation options. See the -L<openssl-verify(1)> manual page for details. - =item B<-reconnect> Reconnects to the same server 5 times using the same session ID, this can @@ -668,6 +630,11 @@ happen whether or not a certificate has been provided via B<-cert>. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_v_item -} + +Verification errors are displayed, for debugging, but the command will +proceed unless the B<-verify_return_error> option is used. + =item I<host>:I<port> Rather than providing B<-connect>, the target hostname and optional port may diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 47343585bd..a35ddf289e 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in 
@@ -107,36 +107,6 @@ B<openssl> B<s_server> [B<-dhparam> I<infile>] [B<-record_padding> I<val>] [B<-debug_broken_protocol>] -[B<-policy> I<val>] -[B<-purpose> I<val>] -[B<-verify_name> I<val>] -[B<-verify_depth> I<int>] -[B<-auth_level> I<int>] -[B<-attime> I<intmax>] -[B<-verify_hostname> I<val>] -[B<-verify_email> I<val>] -[B<-verify_ip>] -[B<-ignore_critical>] -[B<-issuer_checks>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-policy_check>] -[B<-explicit_policy>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-x509_strict>] -[B<-extended_crl>] -[B<-use_deltas>] -[B<-policy_print>] -[B<-check_ss_sig>] -[B<-trusted_first>] -[B<-suiteB_128_only>] -[B<-suiteB_128>] -[B<-suiteB_192>] -[B<-partial_chain>] -[B<-no_alt_chains>] -[B<-no_check_time>] -[B<-allow_proxy_certs>] [B<-nbio>] [B<-psk_identity> I<val>] [B<-psk_hint> I<val>] @@ -161,6 +131,7 @@ B<openssl> B<s_server> [B<-http_server_binmode>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_version_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_x_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} 
@@ -565,23 +536,6 @@ load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into this command will be used. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> - -Set different peer certificate verification options. -See the L<openssl-verify(1)> manual page for details. - -=item B<-crl_check>, B<-crl_check_all> - -Check the peer certificate has not been revoked by its CA. -The CRL(s) are appended to the certificate file. With the B<-crl_check_all> -option all CRLs of all CAs in the chain are checked. - =item B<-nbio> Turns on non blocking I/O. @@ -692,6 +646,12 @@ by the client in binary mode. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_v_item -} + +If the server requests a client certificate, then +verification errors are displayed, for debugging, but the command will +proceed unless the B<-verify_return_error> option is used. + =back =head1 CONNECTED COMMANDS diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in index ed1c012f8e..1d87c8c0dd 100644 --- a/doc/man1/openssl-s_time.pod.in +++ b/doc/man1/openssl-s_time.pod.in 
@@ -72,12 +72,6 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. -=item B<-CApath> I<directory> - -The directory to use for server certificate verification. This directory -must be in "hash format", see L<openssl-verify(1)> for more information. -These are also used when building the client certificate chain. - =item B<-new> Performs the timing test using a new session ID for each connection. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 5653c0f68c..55bd34f72e 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -19,33 +19,6 @@ B<openssl> B<smime> [B<-crlfeol>] [B<-I<cipher>>] [B<-in> I<file>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-certfile> I<file>] [B<-signer> I<file>] [B<-recip> I< file>] @@ -66,6 +39,7 @@ B<openssl> B<smime> [B<-md> I<digest>] {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} I<cert.pem> ... =for openssl ifdef engine @@ -283,16 +257,9 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the 
From: address. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +{- $OpenSSL::safe::opt_v_item -} -Set various options of certificate chain verification. See -L<openssl-verify(1)> manual page for details. +Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_trust_item -} diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 53781126fa..b9c3692c62 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -33,6 +33,7 @@ B<-reply> [B<-chain> I<certs_file.pem>] [B<-tspolicy> I<object_id>] [B<-in> I<response.tsr>] +[B<-untrusted> I<file>] [B<-token_in>] [B<-out> I<response.tsr>] [B<-token_out>] 
@@ -46,42 +47,8 @@ B<-verify> [B<-queryfile> I<request.tsq>] [B<-in> I<response.tsr>] [B<-token_in>] -[B<-CApath> I<trusted_cert_path>] -[B<-CAfile> I<trusted_certs.pem>] -[B<-CAstore> I<trusted_certs_uri>] -[B<-untrusted> I<cert_file.pem>] -[I<verify options>] - -I<verify options:> -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-issuer_checks>] -[B<-no_alt_chains>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] +{- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} =for openssl ifdef engine @@ -344,12 +311,6 @@ This flag can be used together with the B<-in> option and indicates that the input is a DER encoded timestamp token (ContentInfo) instead of a timestamp response (TimeStampResp). (Optional) -=item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri> - -See L<openssl(1)/Trusted Certificate Options> for more information. - -At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. - =item B<-untrusted> I<cert_file.pem> Set of additional untrusted certificates in PEM format which may be 
@@ -358,17 +319,13 @@ certificate. This file must contain the TSA signing certificate and all intermediate CA certificates unless the response includes them. (Optional) -=item I<verify options> - -The options B<-attime>, B<-check_ss_sig>, B<-crl_check>, -B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, -B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>, -B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>, -B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, -B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, and B<-x509_strict> can be used to control timestamp -verification. See L<openssl-verify(1)>. +{- $OpenSSL::safe::opt_trust_item -} + +At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. + +{- $OpenSSL::safe::opt_v_item -} + +Any verification errors cause the command to exit. =back diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index ab8257a5e4..3f13f307e1 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in 
@@ -9,46 +9,18 @@ openssl-verify - Utility to verify certificates B<openssl> B<verify> [B<-help>] -[B<-allow_proxy_certs>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] [B<-CRLfile> I<file>] [B<-crl_download>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-untrusted> I<file>] -[B<-trusted> I<file>] -[B<-use_deltas>] -[B<-verbose>] -[B<-auth_level> I<level>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-show_chain>] -[B<-sm2-id> I<string>] -[B<-sm2-hex-id> I<hex-string>] +[B<-sm2-id> I<hexstring>] +[B<-sm2-hex-id> I<hexstring>] +[B<-verbose>] +[B<-trusted> I<file>] +[B<-untrusted> I<file>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} [B<-->] [I<certificate> ...] @@ -66,20 +38,9 @@ This command verifies certificate chains. Print out a usage message. -=item B<-allow_proxy_certs> - -Allow the verification of proxy certificates. - -=item B<-attime> I<timestamp> +=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath> -Perform validation checks using time specified by I<timestamp> and not -current system time. I<timestamp> is the number of seconds since -01.01.1970 (UNIX time). - -=item B<-check_ss_sig> - -Verify the signature on the self-signed root CA. This is disabled by default -because it doesn't add any security. +See L<openssl(1)/Trusted Certificate Options> for more information. =item B<-CRLfile> I<file> 
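Review bot: The rewritten synopsis line `+[B<-sm2-id> I<hexstring>]` in the first openssl-verify hunk contradicts the option's own description, which calls B<-sm2-id> an ID string; only B<-sm2-hex-id> is documented as taking "a string of hexadecimal digits". Labelling both arguments I<hexstring> is easy to misread as requiring a hex-encoded ID for B<-sm2-id>, so `[B<-sm2-id> I<string>]` here, with a matching `=item B<-sm2-id> I<string>` where the items are rewritten in the following hunk, would keep synopsis and description consistent. Separately, that following hunk (it runs past the end of this view) replaces the B<-trusted> description with "A file of trusted certificates.", dropping the statement that B<-trusted> makes the listed certificates the only trust anchors, implies B<-no-CAfile>, B<-no-CApath> and B<-no-CAstore>, and cannot be combined with them; unless the shared opt_trust_item text carries that rule, it should stay in the item, as it is the part a reader needs to know which anchors a verification actually trusts.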
@@ -91,285 +52,61 @@ I<file>s. Attempt to download CRL information for this certificate. -=item B<-crl_check> - -Checks end entity certificate validity by attempting to look up a valid CRL. -If a valid CRL cannot be found an error occurs. - -=item B<-crl_check_all> - -Checks the validity of B<all> certificates in the chain by attempting -to look up valid CRLs. - -=item B<-explicit_policy> - -Set policy variable require-explicit-policy (see RFC5280). - -=item B<-extended_crl> - -Enable extended CRL features such as indirect CRLs and alternate CRL -signing keys. - -=item B<-ignore_critical> - -Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by RFC5280). -If this option is set critical extensions are ignored. - -=item B<-inhibit_any> - -Set policy variable inhibit-any-policy (see RFC5280). - -=item B<-inhibit_map> - -Set policy variable inhibit-policy-mapping (see RFC5280). - -=item B<-no_check_time> - -This option suppresses checking the validity period of certificates and CRLs -against the current time. If option B<-attime> is used to specify -a verification time, the check is not suppressed. - -=item B<-partial_chain> - -Allow verification to succeed even if a I<complete> chain cannot be built to a -self-signed trust-anchor, provided it is possible to construct a chain to a -trusted certificate that might not be self-signed. - -=item B<-policy> I<arg> - -Enable policy processing and add I<arg> to the user-initial-policy-set (see -RFC5280). The policy I<arg> can be an object name an OID in numeric form. -This argument can appear more than once. - -=item B<-policy_check> - -Enables certificate policy processing. - -=item B<-policy_print> - -Print out diagnostics related to policy processing. - -=item B<-purpose> I<purpose> - -The intended use for the certificate. If this option is not specified, -this command will not consider certificate purpose during chain -verification. 
-Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>, -B<smimesign>, B<smimeencrypt>. See the L</VERIFY OPERATION> section for more -information. - -=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192> - -Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or -192 bit, or only 192 bit Level of Security respectively. -See RFC6460 for details. In particular the supported signature algorithms are -reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves -P-256 and P-384. - -=item B<-trusted_first> - -When constructing the certificate chain, use the trusted certificates specified -via B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> before any certificates -specified via B<-untrusted>. -This can be useful in environments with Bridge or Cross-Certified CAs. -As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. - -=item B<-no_alt_chains> - -By default, unless B<-trusted_first> is specified, when building a certificate -chain, if the first certificate chain found is not trusted, then OpenSSL will -attempt to replace untrusted issuer certificates with certificates from the -trust store to see if an alternative chain can be found that is trusted. -As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no -effect. - -=item B<-untrusted> I<file> - -A I<file> of additional untrusted certificates (intermediate issuer CAs) used -to construct a certificate chain from the subject certificate to a trust-anchor. -The I<file> should contain one or more certificates in PEM format. -This option can be specified more than once to include untrusted certificates -from multiple I<file>s. - -=item B<-trusted> I<file> - -A I<file> of trusted certificates, which must be self-signed, unless the -B<-partial_chain> option is specified. -The I<file> contains one or more certificates in PEM format. -With this option, no additional (e.g., default) certificate lists are -consulted. 
-That is, the only trust-anchors are those listed in I<file>. -This option can be specified more than once to include trusted certificates -from multiple I<file>s. -This option implies the B<-no-CAfile>, B<-no-CApath> and B<-no-CAstore> options. -This option cannot be used in combination with any of the B<-CAfile>, -B<-CApath> or B<-CAstore> options. - -=item B<-use_deltas> - -Enable support for delta CRLs. - -=item B<-verbose> - -Print extra information about the operations being performed. - -=item B<-auth_level> I<level> - -Set the certificate chain authentication security level to I<level>. -The authentication security level determines the acceptable signature and -public key strength when verifying certificate chains. -For a certificate chain to validate, the public keys of all the certificates -must meet the specified security I<level>. -The signature algorithm security level is enforced for all the certificates in -the chain except for the chain's I<trust anchor>, which is either directly -trusted or validated by means other than its signature. -See L<SSL_CTX_set_security_level(3)> for the definitions of the available -levels. -The default security level is -1, or "not set". -At security level 0 or lower all algorithms are acceptable. -Security level 1 requires at least 80-bit-equivalent security and is broadly -interoperable, though it will, for example, reject MD5 signatures or RSA keys -shorter than 1024 bits. - -=item B<-verify_depth> I<num> - -Limit the certificate chain to I<num> intermediate CA certificates. -A maximal depth chain can have up to I<num>+2 certificates, since neither the -end-entity certificate nor the trust-anchor certificate count against the -B<-verify_depth> limit. - -=item B<-verify_email> I<email> - -Verify if I<email> matches the email address in Subject Alternative Name or -the email in the subject Distinguished Name. 
- -=item B<-verify_hostname> I<hostname> - -Verify if I<hostname> matches DNS name in Subject Alternative Name or -Common Name in the subject certificate. - -=item B<-verify_ip> I<ip> - -Verify if I<ip> matches the IP address in Subject Alternative Name of -the subject certificate. - -=item B<-verify_name> I<name> - -Use default verification policies like trust model and required certificate -policies identified by I<name>. -The trust model determines which auxiliary trust or reject OIDs are applicable -to verifying the given certificate chain. -See the B<-addtrust> and B<-addreject> options for L<openssl-x509(1)>. -Supported policy names include: B<default>, B<pkcs7>, B<smime_sign>, -B<ssl_client>, B<ssl_server>. -These mimics the combinations of purpose and trust settings used in SSL, CMS -and S/MIME. -As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not -specified, so the B<-verify_name> options are functionally equivalent to the -corresponding B<-purpose> settings. - -=item B<-x509_strict> - -For strict X.509 compliance, disable non-compliant workarounds for broken -certificates. - =item B<-show_chain> Display information about the certificate chain that has been built (if successful). Certificates in the chain that came from the untrusted list will be flagged as "untrusted". -=item B<-sm2-id> +=item B<-sm2-id> I<hexstring> Specify the ID string to use when verifying an SM2 certificate. The ID string is required by the SM2 signature algorithm for signing and verification. -=item B<-sm2-hex-id> +=item B<-sm2-hex-id> I<hexstring> Specify a binary ID string to use when signing or verifying using an SM2 certificate. The argument for this option is string of hexadecimal digits. -{- $OpenSSL::safe::opt_name_item -} +=item B<-verbose> -{- $OpenSSL::safe::opt_trust_item -} +Print extra information about the operations being performed. + +=item B<-trusted> I<file> + +A file of trusted certificates. 
+ +=item B<-untrusted> I<file> + +A file of untrusted certificates. + +{- $OpenSSL::safe::opt_name_item -} {- $OpenSSL::safe::opt_engine_item -} To load certificates or CRLs that require engine support, specify the B<-engine> option before any of the B<-trusted>, B<-untrusted> or B<-CRLfile> options. +{- $OpenSSL::safe::opt_trust_item -} + +{- $OpenSSL::safe::opt_v_item -} + =item B<--> Indicates the last option. All arguments following this are assumed to be certificate files. This is useful if the first certificate filename begins -with a B<-->. +with a B<->. =item I<certificate> ... One or more certificates to verify. If no certificates are given, this command will attempt to read a certificate from standard input. Certificates must be in PEM format. +If a certificate chain has multiple problems, this program tries to |