diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-20 08:11:47 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-06-13 15:13:21 +0200 |
commit | 6d934add347c7d07fbe0e7a0ced1fdc9813ad640 (patch) | |
tree | 7cf3bd10abe93888830f30d9cb8886156c305dbc /doc | |
parent | 0d17c2f4bc81552202dcf359e7552f3a64ecf4f2 (diff) |
Check expected sender not only for signature-protected CMP messages
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 3 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_CTX_new.pod | 2 |
2 files changed, 2 insertions, 3 deletions
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index e6cfe00bfc..aac322b528 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -521,8 +521,7 @@ as far as any of those is present, else the NULL-DN as last resort. =item B<-expect_sender> I<name> -Distinguished Name (DN) -expected in the sender field of signature-protected response messages. +Distinguished Name (DN) expected in the sender field of CMP response messages. Defaults to the subject DN of the pinned B<-srvcert>, if any. The argument must be formatted as I</type0=value0/type1=value1/type2=...>, diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index b8acf692f8..f8fee277e2 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -391,7 +391,7 @@ as default value for the recipient of CMP requests and as default value for the expected sender of CMP responses. OSSL_CMP_CTX_set1_expected_sender() sets the Distinguished Name (DN) -expected in the sender field of signature-protected response messages. +expected in the sender field of CMP response messages. Defaults to the subject of the pinned server certificate B<-srvcert>, if any. This can be used to make sure that only a particular entity is accepted as CMP message signer, and attackers are not able to use arbitrary certificates |