RT3102: Document -verify_error_return flag

Also moved some options around so all the "verify" options.
are clumped together.

Reviewed-by: Matt Caswell <matt@openssl.org>

1 files changed, 18 insertions, 11 deletions

diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index a2e7945624..3085944e4b 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -53,6 +53,7 @@ B<openssl> B<s_server>
 [B<-trusted_first>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
+[B<-verify_return_error>]
 [B<-verify_email email>]
 [B<-verify_hostname hostname>]
 [B<-verify_ip ip>]
@@ -185,17 +186,6 @@ disabling the ephemeral ECDH cipher suites.
 certain export cipher suites sometimes use a temporary RSA key, this option
 disables temporary RSA key generation.
 
-=item B<-verify depth>, B<-Verify depth>
-
-The verify depth to use. This specifies the maximum length of the
-client certificate chain and makes the server request a certificate from
-the client. With the B<-verify> option a certificate is requested but the
-client does not have to send one, with the B<-Verify> option the client
-must supply a certificate or an error occurs.
-
-If the ciphersuite cannot request a client certificate (for example an
-anonymous ciphersuite or PSK) this option has no effect.
-
 =item B<-crl_check>, B<-crl_check_all>
 
 Check the peer certificate has not been revoked by its CA.
@@ -215,6 +205,17 @@ and to use when attempting to build the server certificate chain. The list
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-verify depth>, B<-Verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client. With the B<-verify> option a certificate is requested but the
+client does not have to send one, with the B<-Verify> option the client
+must supply a certificate or an error occurs.
+
+If the ciphersuite cannot request a client certificate (for example an
+anonymous ciphersuite or PSK) this option has no effect.
+
 =item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
 B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
 B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
@@ -225,6 +226,12 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 Set different peer certificate verification options.
 See the L<B<verify>|verify(1)> manual page for details.
 
+=item B<-verify_return_error>
+
+Verification errors normally just print a message but allow the
+connection to continue, for debugging purposes.
+If this option is used, then verification errors close the connection.
+
 =item B<-state>
 
 prints out the SSL session states.