author: Todd Short <tshort@akamai.com> 2021-01-27 14:23:33 -0500
committer: Todd Short <todd.short@me.com> 2023-03-28 13:49:54 -0400
commit: 3c95ef22df55cb2d9dc64ce1f3be6e5a8ee63206 (patch)
tree: 0f7fcff4ec4735c778595db4f4a85bce70715d8b /doc/man1
parent: 5ab3f71a33cb0140fc29ae9244cd4f8331c2f3a5 (diff)
RFC7250 (RPK) support
Add support for the RFC7250 certificate-type extensions. Allows the use of only private keys for connection (i.e. certs not needed).

Add APIs
Add unit tests
Add documentation
Add s_client/s_server support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)
Diffstat (limited to 'doc/man1')
-rw-r--r-- doc/man1/openssl-s_client.pod.in 30
-rw-r--r-- doc/man1/openssl-s_server.pod.in 33
2 files changed, 56 insertions, 7 deletions
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 86b9aff91e..aa785d8b2f 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -132,6 +132,8 @@ B<openssl> B<s_client>
{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}[B<-ssl_client_engine> I<id>]
{- $OpenSSL::safe::opt_v_synopsis -}
+[B<-enable_server_rpk>]
+[B<-enable_client_rpk>]
[I<host>:I<port>]
=head1 DESCRIPTION
@@ -825,6 +827,22 @@ Specify engine to be used for client certificate operations.
Verification errors are displayed, for debugging, but the command will
proceed unless the B<-verify_return_error> option is used.
+=item B<-enable_server_rpk>
+
+Enable support for receiving raw public keys (RFC7250) from the server.
+Use of X.509 certificates by the server becomes optional, and servers that
+support raw public keys may elect to use them.
+Servers that don't support raw public keys or prefer to use X.509
+certificates can still elect to send X.509 certificates as usual.
+
+=item B<-enable_client_rpk>
+
+Enable support for sending raw public keys (RFC7250) to the server.
+A raw public key will be sent by the client, if solicited by the server,
+provided a suitable key and public certificate pair is configured.
+Some servers may nevertheless not request any client credentials,
+or may request a certificate.
+
=item I<host>:I<port>
Rather than providing B<-connect>, the target hostname and optional port may
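Review bot: the B<-enable_server_rpk> text states that X.509 use by the server becomes optional but never says how the client then authenticates a raw public key it receives; since the immediately preceding context is about verification errors and B<-verify_return_error>, add a sentence stating what verification applies to a raw key and what the command does when the key cannot be verified. Separately, the s_server side of this same patch adds "Raw public keys are extracted from the configured certificate/private key." under its options; the same sentence under B<-enable_client_rpk> here would make "a suitable key and public certificate pair is configured" concrete.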
@@ -940,13 +958,17 @@ The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
The B<-engine> option was deprecated in OpenSSL 3.0.
-
-The B<-tfo>, B<-no_tx_cert_comp>, and B<-no_rx_cert_comp> options were added
-in OpenSSL 3.2.
+The
+B<-enable_client_rpk>,
+B<-enable_server_rpk>,
+B<-no_rx_cert_comp>,
+B<-no_tx_cert_comp>,
+and B<-tfo>
+options were added in OpenSSL 3.2.
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
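Review bot: this hunk removes a blank line (the bare "-" before the old B<-tfo> paragraph), and in the shown context the new "The" paragraph follows the "The B<-engine> option was deprecated in OpenSSL 3.0." line directly; confirm that one blank line still separates the two, otherwise POD will render them as a single paragraph that merges the 3.0 deprecation with the 3.2 additions. The one-option-per-line, alphabetized list is easier to keep correct than the former single-line list, so the reflow itself is fine.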
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index a1e354908c..611b410cfd 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -151,6 +151,8 @@ B<openssl> B<s_server>
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+[B<-enable_server_rpk>]
+[B<-enable_client_rpk>]
=head1 DESCRIPTION
@@ -867,6 +869,26 @@ If the server requests a client certificate, then
verification errors are displayed, for debugging, but the command will
proceed unless the B<-verify_return_error> option is used.
+=item B<-enable_server_rpk>
+
+Enable support for sending raw public keys (RFC7250) to the client.
+A raw public key will be sent by the server, if solicited by the client,
+provided a suitable key and public certificate pair is configured.
+Clients that don't support raw public keys or prefer to use X.509
+certificates can still elect to receive X.509 certificates as usual.
+
+Raw public keys are extracted from the configured certificate/private key.
+
+=item B<-enable_client_rpk>
+
+Enable support for receiving raw public keys (RFC7250) from the client.
+Use of X.509 certificates by the client becomes optional, and clients that
+support raw public keys may elect to use them.
+Clients that don't support raw public keys or prefer to use X.509
+certificates can still elect to send X.509 certificates as usual.
+
+Raw public keys are extracted from the configured certificate/private key.
+
=back
=head1 CONNECTED COMMANDS
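Review bot: the B<-enable_server_rpk> text requires "a suitable key and public certificate pair", and the added sentence says the raw key is "extracted from the configured certificate/private key", while the commit message says certificates are not needed ("Allows the use of only private keys for connection"); state explicitly whether B<-key> without B<-cert> is sufficient for the server to send a raw public key so the documentation and the commit message agree. As on the client side, the B<-enable_client_rpk> paragraph also does not say how a received client raw public key is verified, given that the X.509 verification described in the surrounding context does not apply to it.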
@@ -971,12 +993,17 @@ The
The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
option were deprecated in OpenSSL 3.0.
-The B<-tfo>, B<-no_tx_cert_comp>, and B<-no_rx_cert_comp> options were added
-in OpenSSL 3.2.
+The
+B<-enable_client_rpk>,
+B<-enable_server_rpk>,
+B<-no_rx_cert_comp>,
+B<-no_tx_cert_comp>,
+and B<-tfo>
+options were added in OpenSSL 3.2.
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
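Review bot: the context line "option were deprecated in OpenSSL 3.0." just above this hunk has a number-agreement error ("options were"); since the hunk already edits the adjacent lines, it is worth fixing here. The reflowed, alphabetized list matches the s_client HISTORY change in this patch, which is good for consistency between the two pages.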