diff options
author | Rich Salz <rsalz@akamai.com> | 2014-08-27 14:23:39 -0400 |
---|---|---|
committer | Rich Salz <rsalz@akamai.com> | 2014-08-28 17:11:25 -0400 |
commit | 8d4193305b1634a0fb397cb8806cd7dedbff34ef (patch) | |
tree | 5ffcfd03dd769f438b31fdf1c2903c25daf6b37c /doc | |
parent | f47e203975133ddbae3cde20c8c3c0516f62066c (diff) |
RT3102: Document -verify_error_return flag
Also moved some options around so all the "verify" options.
are clumped together.
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/apps/s_server.pod | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index a2e7945624..3085944e4b 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -53,6 +53,7 @@ B<openssl> B<s_server> [B<-trusted_first>] [B<-use_deltas>] [B<-verify_depth num>] +[B<-verify_return_error>] [B<-verify_email email>] [B<-verify_hostname hostname>] [B<-verify_ip ip>] @@ -185,17 +186,6 @@ disabling the ephemeral ECDH cipher suites. certain export cipher suites sometimes use a temporary RSA key, this option disables temporary RSA key generation. -=item B<-verify depth>, B<-Verify depth> - -The verify depth to use. This specifies the maximum length of the -client certificate chain and makes the server request a certificate from -the client. With the B<-verify> option a certificate is requested but the -client does not have to send one, with the B<-Verify> option the client -must supply a certificate or an error occurs. - -If the ciphersuite cannot request a client certificate (for example an -anonymous ciphersuite or PSK) this option has no effect. - =item B<-crl_check>, B<-crl_check_all> Check the peer certificate has not been revoked by its CA. @@ -215,6 +205,17 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-verify depth>, B<-Verify depth> + +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the B<-verify> option a certificate is requested but the +client does not have to send one, with the B<-Verify> option the client +must supply a certificate or an error occurs. + +If the ciphersuite cannot request a client certificate (for example an +anonymous ciphersuite or PSK) this option has no effect. + =item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, @@ -225,6 +226,12 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set different peer certificate verification options. See the L<B<verify>|verify(1)> manual page for details. +=item B<-verify_return_error> + +Verification errors normally just print a message but allow the +connection to continue, for debugging purposes. +If this option is used, then verification errors close the connection. + =item B<-state> prints out the SSL session states. |