-rw-r--r-- | crypto/x509/x509_txt.c | 21 | ||||
-rw-r--r-- | doc/man1/openssl-cms.pod.in | 41 | ||||
-rw-r--r-- | doc/man1/openssl-dgst.pod.in | 11 | ||||
-rw-r--r-- | doc/man1/openssl-ocsp.pod.in | 42 | ||||
-rw-r--r-- | doc/man1/openssl-s_client.pod.in | 45 | ||||
-rw-r--r-- | doc/man1/openssl-s_server.pod.in | 54 | ||||
-rw-r--r-- | doc/man1/openssl-s_time.pod.in | 6 | ||||
-rw-r--r-- | doc/man1/openssl-smime.pod.in | 39 | ||||
-rw-r--r-- | doc/man1/openssl-ts.pod.in | 63 | ||||
-rw-r--r-- | doc/man1/openssl-verify.pod.in | 664 | ||||
-rw-r--r-- | doc/man1/openssl.pod | 255 | ||||
-rw-r--r-- | doc/man3/X509_STORE_CTX_get_error.pod | 206 | ||||
-rw-r--r-- | doc/man3/X509_verify_cert.pod | 25 | ||||
-rw-r--r-- | doc/perlvars.pm | 8 |
14 files changed, 514 insertions, 966 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 767d33b48a..2c82f8648b 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -111,9 +111,9 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_NO_EXPLICIT_POLICY:
 return "no explicit policy";
 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
- return "Different CRL scope";
+ return "different CRL scope";
 case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:
- return "Unsupported extension feature";
+ return "unsupported extension feature";
 case X509_V_ERR_UNNESTED_RESOURCE:
 return "RFC 3779 resource not subset of parent's resources";
 case X509_V_ERR_PERMITTED_VIOLATION:
@@ -133,7 +133,7 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
 return "CRL path validation error";
 case X509_V_ERR_PATH_LOOP:
- return "Path Loop";
+ return "path loop";
 case X509_V_ERR_SUITE_B_INVALID_VERSION:
 return "Suite B: certificate version invalid";
 case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
@@ -147,13 +147,13 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
 return "Suite B: cannot sign P-384 with P-256";
 case X509_V_ERR_HOSTNAME_MISMATCH:
- return "Hostname mismatch";
+ return "hostname mismatch";
 case X509_V_ERR_EMAIL_MISMATCH:
- return "Email address mismatch";
+ return "email address mismatch";
 case X509_V_ERR_IP_ADDRESS_MISMATCH:
 return "IP address mismatch";
 case X509_V_ERR_DANE_NO_MATCH:
- return "No matching DANE TLSA records";
+ return "no matching DANE TLSA records";
 case X509_V_ERR_EE_KEY_TOO_SMALL:
 return "EE certificate key too weak";
 case X509_V_ERR_CA_KEY_TOO_SMALL:
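Review bot: The strings returned by X509_verify_cert_error_string() are the user-visible output of `openssl verify`, `s_client` and the other commands touched by this commit, and the -147,13 hunk rewrites exactly the ones that monitoring scripts and test harnesses tend to grep for (`Hostname mismatch`, `Email address mismatch`, `No matching DANE TLSA records`); nothing in the hunk records this as a compatibility-affecting change. I would add a CHANGES entry and a one-line note in the X509_verify_cert_error_string(3) page saying the text is for humans and may change between releases, so callers must branch on the X509_V_ERR_* code from X509_STORE_CTX_get_error() rather than on the string (the X509_STORE_CTX_get_error.pod change in the diffstat is not visible here, so this may already be covered). The strings left capitalised in the hunk (`IP address mismatch`, `Suite B: ...`, `EE certificate key too weak`) keep acronyms upper-case, which looks intentional and is worth stating in the commit message so the rule is not re-litigated. X509_verify_cert_error_string() starts before this hunk and ends after it.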
@@ -161,9 +161,9 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_CA_MD_TOO_WEAK:
 return "CA signature digest algorithm too weak";
 case X509_V_ERR_INVALID_CALL:
- return "Invalid certificate verification context";
+ return "invalid certificate verification context";
 case X509_V_ERR_STORE_LOOKUP:
- return "Issuer certificate lookup error";
+ return "issuer certificate lookup error";
 case X509_V_ERR_NO_VALID_SCTS:
 return "Certificate Transparency required, but no valid SCTs found";
 case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION:
@@ -175,10 +175,9 @@ const char *X509_verify_cert_error_string(long n)
 case X509_V_ERR_OCSP_CERT_UNKNOWN:
 return "OCSP unknown cert";
 case X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH:
- return "Subject signature algorithm and issuer public key algorithm mismatch";
+ return "subject signature algorithm and issuer public key algorithm mismatch";
 case X509_V_ERR_NO_ISSUER_PUBLIC_KEY:
- return "Issuer certificate doesn't have a public key";
-
+ return "issuer certificate doesn't have a public key";
 default:
 /* Printing an error number into a static buffer is not thread-safe */
 return "unknown certificate verification error";
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 56fe42c788..3a919edae5 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -39,34 +39,6 @@ B<openssl> B<cms> [B<-text>] [B<-noout>] [B<-print>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-md> I<digest>] [B<-I<cipher>>] [B<-nointern>] @@ -78,7 +50,6 @@ B<openssl> B<cms> [B<-crlfeol>] [B<-asciicrlf>] [B<-nodetach>] -[B<-certfile> I<file>] [B<-certsout> I<file>] [B<-signer> I<file>] [B<-recip> I<file>] @@ -97,6 +68,7 @@ B<openssl> B<cms> [B<-to> I<addr>] [B<-from> I<addr>] [B<-subject> I<subj>] +{- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} [I<cert.pem> ...] @@ -462,16 +434,9 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the 
From: address. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +{- $OpenSSL::safe::opt_v_item -} -Set various certificate chain validation options. See the -L<openssl-verify(1)> manual page for details. +Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_trust_item -} diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index a954b8b253..bd7b41cb37 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -27,6 +27,7 @@ B<openssl> B<dgst>|I<digest> [B<-hmac> I<key>] [B<-fips-fingerprint>] [B<-engine> I<id>] +[B<-engine_impl> I<id>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} [I<file> ...] @@ -170,17 +171,17 @@ option. Compute HMAC using a specific key for certain OpenSSL-FIPS operations. -=item B<-engine_impl> - -When used with the B<-engine> option, it specifies to also use -engine I<id> for digest operations. - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_engine_item -} The engine is not used for digests unless the B<-engine_impl> option is used or it is configured to do so, see L<config(5)/Engine Configuration Module>. +=item B<-engine_impl> + +When used with the B<-engine> option, it specifies to also use +engine I<id> for digest operations. + =item I<file> ... File or files to digest. If no files are specified then standard input is diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index fb32ffef71..a866a38ebc 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in 
@@ -31,34 +31,6 @@ B<openssl> B<ocsp> [B<-multi> I<process-count>] [B<-header>] [B<-path>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-VAfile> I<file>] [B<-validity_period> I<n>] [B<-status_age> I<n>] @@ -88,6 +60,7 @@ B<openssl> B<ocsp> [B<-rcid> I<digest>] [B<-I<digest>>] {- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} =for openssl ifdef multi @@ -206,17 +179,6 @@ each child is willing to wait for the client's OCSP response. This option is available on POSIX systems (that support the fork() and other required unix system-calls). -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> - -Set different certificate verification options. -See L<openssl-verify(1)> manual page for details. - =item B<-verify_other> I<file> File containing additional certificates to search when attempting to locate 
@@ -307,6 +269,8 @@ digest used by subsequent certificate identifiers. {- $OpenSSL::safe::opt_trust_item -} +{- $OpenSSL::safe::opt_v_item -} + =back =head2 OCSP Server Options diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 779f91700f..48157d0fdd 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -36,35 +36,7 @@ B<openssl> B<s_client> [B<-dane_tlsa_domain> I<domain>] [B<-dane_tlsa_rrdata> I<rrdata>] [B<-dane_ee_no_namechecks>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] [B<-build_chain>] -[B<-x509_strict>] [B<-reconnect>] [B<-showcerts>] [B<-debug>] @@ -119,6 +91,7 @@ B<openssl> B<s_client> {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} [I<host>:I<port>] =for openssl ifdef engine ssl_client_engine ct noct ctlogfile 
@@ -347,17 +320,6 @@ records already make it possible for a remote domain to redirect client connections to any server of its choice, and in any case SMTP and XMPP clients do not execute scripts downloaded from remote servers. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> - -Set various certificate chain validation options. See the -L<openssl-verify(1)> manual page for details. - =item B<-reconnect> Reconnects to the same server 5 times using the same session ID, this can @@ -668,6 +630,11 @@ happen whether or not a certificate has been provided via B<-cert>. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_v_item -} + +Verification errors are displayed, for debugging, but the command will +proceed unless the B<-verify_return_error> option is used. + =item I<host>:I<port> Rather than providing B<-connect>, the target hostname and optional port may diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 47343585bd..a35ddf289e 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in 
@@ -107,36 +107,6 @@ B<openssl> B<s_server> [B<-dhparam> I<infile>] [B<-record_padding> I<val>] [B<-debug_broken_protocol>] -[B<-policy> I<val>] -[B<-purpose> I<val>] -[B<-verify_name> I<val>] -[B<-verify_depth> I<int>] -[B<-auth_level> I<int>] -[B<-attime> I<intmax>] -[B<-verify_hostname> I<val>] -[B<-verify_email> I<val>] -[B<-verify_ip>] -[B<-ignore_critical>] -[B<-issuer_checks>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-policy_check>] -[B<-explicit_policy>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-x509_strict>] -[B<-extended_crl>] -[B<-use_deltas>] -[B<-policy_print>] -[B<-check_ss_sig>] -[B<-trusted_first>] -[B<-suiteB_128_only>] -[B<-suiteB_128>] -[B<-suiteB_192>] -[B<-partial_chain>] -[B<-no_alt_chains>] -[B<-no_check_time>] -[B<-allow_proxy_certs>] [B<-nbio>] [B<-psk_identity> I<val>] [B<-psk_hint> I<val>] @@ -161,6 +131,7 @@ B<openssl> B<s_server> [B<-http_server_binmode>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_version_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_x_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} 
@@ -565,23 +536,6 @@ load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into this command will be used. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> - -Set different peer certificate verification options. -See the L<openssl-verify(1)> manual page for details. - -=item B<-crl_check>, B<-crl_check_all> - -Check the peer certificate has not been revoked by its CA. -The CRL(s) are appended to the certificate file. With the B<-crl_check_all> -option all CRLs of all CAs in the chain are checked. - =item B<-nbio> Turns on non blocking I/O. @@ -692,6 +646,12 @@ by the client in binary mode. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_v_item -} + +If the server requests a client certificate, then +verification errors are displayed, for debugging, but the command will +proceed unless the B<-verify_return_error> option is used. + =back =head1 CONNECTED COMMANDS diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in index ed1c012f8e..1d87c8c0dd 100644 --- a/doc/man1/openssl-s_time.pod.in +++ b/doc/man1/openssl-s_time.pod.in 
@@ -72,12 +72,6 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. -=item B<-CApath> I<directory> - -The directory to use for server certificate verification. This directory -must be in "hash format", see L<openssl-verify(1)> for more information. -These are also used when building the client certificate chain. - =item B<-new> Performs the timing test using a new session ID for each connection. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 5653c0f68c..55bd34f72e 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -19,33 +19,6 @@ B<openssl> B<smime> [B<-crlfeol>] [B<-I<cipher>>] [B<-in> I<file>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-certfile> I<file>] [B<-signer> I<file>] [B<-recip> I< file>] @@ -66,6 +39,7 @@ B<openssl> B<smime> [B<-md> I<digest>] {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} I<cert.pem> ... =for openssl ifdef engine @@ -283,16 +257,9 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the 
From: address. -=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, -B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +{- $OpenSSL::safe::opt_v_item -} -Set various options of certificate chain verification. See -L<openssl-verify(1)> manual page for details. +Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_trust_item -} diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 53781126fa..b9c3692c62 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -33,6 +33,7 @@ B<-reply> [B<-chain> I<certs_file.pem>] [B<-tspolicy> I<object_id>] [B<-in> I<response.tsr>] +[B<-untrusted> I<file>] [B<-token_in>] [B<-out> I<response.tsr>] [B<-token_out>] 
@@ -46,42 +47,8 @@ B<-verify> [B<-queryfile> I<request.tsq>] [B<-in> I<response.tsr>] [B<-token_in>] -[B<-CApath> I<trusted_cert_path>] -[B<-CAfile> I<trusted_certs.pem>] -[B<-CAstore> I<trusted_certs_uri>] -[B<-untrusted> I<cert_file.pem>] -[I<verify options>] - -I<verify options:> -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-issuer_checks>] -[B<-no_alt_chains>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-use_deltas>] -[B<-auth_level> I<num>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] +{- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} =for openssl ifdef engine @@ -344,12 +311,6 @@ This flag can be used together with the B<-in> option and indicates that the input is a DER encoded timestamp token (ContentInfo) instead of a timestamp response (TimeStampResp). (Optional) -=item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri> - -See L<openssl(1)/Trusted Certificate Options> for more information. - -At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. - =item B<-untrusted> I<cert_file.pem> Set of additional untrusted certificates in PEM format which may be 
@@ -358,17 +319,13 @@ certificate. This file must contain the TSA signing certificate and all intermediate CA certificates unless the response includes them. (Optional) -=item I<verify options> - -The options B<-attime>, B<-check_ss_sig>, B<-crl_check>, -B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, -B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>, -B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>, -B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, -B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, and B<-x509_strict> can be used to control timestamp -verification. See L<openssl-verify(1)>. +{- $OpenSSL::safe::opt_trust_item -} + +At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. + +{- $OpenSSL::safe::opt_v_item -} + +Any verification errors cause the command to exit. =back diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index ab8257a5e4..3f13f307e1 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in 
@@ -9,46 +9,18 @@ openssl-verify - Utility to verify certificates B<openssl> B<verify> [B<-help>] -[B<-allow_proxy_certs>] -[B<-attime> I<timestamp>] -[B<-check_ss_sig>] [B<-CRLfile> I<file>] [B<-crl_download>] -[B<-crl_check>] -[B<-crl_check_all>] -[B<-explicit_policy>] -[B<-extended_crl>] -[B<-ignore_critical>] -[B<-inhibit_any>] -[B<-inhibit_map>] -[B<-no_check_time>] -[B<-partial_chain>] -[B<-policy> I<arg>] -[B<-policy_check>] -[B<-policy_print>] -[B<-purpose> I<purpose>] -[B<-suiteB_128>] -[B<-suiteB_128_only>] -[B<-suiteB_192>] -[B<-trusted_first>] -[B<-no_alt_chains>] -[B<-untrusted> I<file>] -[B<-trusted> I<file>] -[B<-use_deltas>] -[B<-verbose>] -[B<-auth_level> I<level>] -[B<-verify_depth> I<num>] -[B<-verify_email> I<email>] -[B<-verify_hostname> I<hostname>] -[B<-verify_ip> I<ip>] -[B<-verify_name> I<name>] -[B<-x509_strict>] [B<-show_chain>] -[B<-sm2-id> I<string>] -[B<-sm2-hex-id> I<hex-string>] +[B<-sm2-id> I<hexstring>] +[B<-sm2-hex-id> I<hexstring>] +[B<-verbose>] +[B<-trusted> I<file>] +[B<-untrusted> I<file>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} [B<-->] [I<certificate> ...] @@ -66,20 +38,9 @@ This command verifies certificate chains. Print out a usage message. -=item B<-allow_proxy_certs> - -Allow the verification of proxy certificates. - -=item B<-attime> I<timestamp> +=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath> -Perform validation checks using time specified by I<timestamp> and not -current system time. I<timestamp> is the number of seconds since -01.01.1970 (UNIX time). - -=item B<-check_ss_sig> - -Verify the signature on the self-signed root CA. This is disabled by default -because it doesn't add any security. +See L<openssl(1)/Trusted Certificate Options> for more information. =item B<-CRLfile> I<file> 
@@ -91,285 +52,61 @@ I<file>s. Attempt to download CRL information for this certificate. -=item B<-crl_check> - -Checks end entity certificate validity by attempting to look up a valid CRL. -If a valid CRL cannot be found an error occurs. - -=item B<-crl_check_all> - -Checks the validity of B<all> certificates in the chain by attempting -to look up valid CRLs. - -=item B<-explicit_policy> - -Set policy variable require-explicit-policy (see RFC5280). - -=item B<-extended_crl> - -Enable extended CRL features such as indirect CRLs and alternate CRL -signing keys. - -=item B<-ignore_critical> - -Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by RFC5280). -If this option is set critical extensions are ignored. - -=item B<-inhibit_any> - -Set policy variable inhibit-any-policy (see RFC5280). - -=item B<-inhibit_map> - -Set policy variable inhibit-policy-mapping (see RFC5280). - -=item B<-no_check_time> - -This option suppresses checking the validity period of certificates and CRLs -against the current time. If option B<-attime> is used to specify -a verification time, the check is not suppressed. - -=item B<-partial_chain> - -Allow verification to succeed even if a I<complete> chain cannot be built to a -self-signed trust-anchor, provided it is possible to construct a chain to a -trusted certificate that might not be self-signed. - -=item B<-policy> I<arg> - -Enable policy processing and add I<arg> to the user-initial-policy-set (see -RFC5280). The policy I<arg> can be an object name an OID in numeric form. -This argument can appear more than once. - -=item B<-policy_check> - -Enables certificate policy processing. - -=item B<-policy_print> - -Print out diagnostics related to policy processing. - -=item B<-purpose> I<purpose> - -The intended use for the certificate. If this option is not specified, -this command will not consider certificate purpose during chain -verification. 
-Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>, -B<smimesign>, B<smimeencrypt>. See the L</VERIFY OPERATION> section for more -information. - -=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192> - -Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or -192 bit, or only 192 bit Level of Security respectively. -See RFC6460 for details. In particular the supported signature algorithms are -reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves -P-256 and P-384. - -=item B<-trusted_first> - -When constructing the certificate chain, use the trusted certificates specified -via B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> before any certificates -specified via B<-untrusted>. -This can be useful in environments with Bridge or Cross-Certified CAs. -As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. - -=item B<-no_alt_chains> - -By default, unless B<-trusted_first> is specified, when building a certificate -chain, if the first certificate chain found is not trusted, then OpenSSL will -attempt to replace untrusted issuer certificates with certificates from the -trust store to see if an alternative chain can be found that is trusted. -As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no -effect. - -=item B<-untrusted> I<file> - -A I<file> of additional untrusted certificates (intermediate issuer CAs) used -to construct a certificate chain from the subject certificate to a trust-anchor. -The I<file> should contain one or more certificates in PEM format. -This option can be specified more than once to include untrusted certificates -from multiple I<file>s. - -=item B<-trusted> I<file> - -A I<file> of trusted certificates, which must be self-signed, unless the -B<-partial_chain> option is specified. -The I<file> contains one or more certificates in PEM format. -With this option, no additional (e.g., default) certificate lists are -consulted. 
-That is, the only trust-anchors are those listed in I<file>. -This option can be specified more than once to include trusted certificates -from multiple I<file>s. -This option implies the B<-no-CAfile>, B<-no-CApath> and B<-no-CAstore> options. -This option cannot be used in combination with any of the B<-CAfile>, -B<-CApath> or B<-CAstore> options. - -=item B<-use_deltas> - -Enable support for delta CRLs. - -=item B<-verbose> - -Print extra information about the operations being performed. - -=item B<-auth_level> I<level> - -Set the certificate chain authentication security level to I<level>. -The authentication security level determines the acceptable signature and -public key strength when verifying certificate chains. -For a certificate chain to validate, the public keys of all the certificates -must meet the specified security I<level>. -The signature algorithm security level is enforced for all the certificates in -the chain except for the chain's I<trust anchor>, which is either directly -trusted or validated by means other than its signature. -See L<SSL_CTX_set_security_level(3)> for the definitions of the available -levels. -The default security level is -1, or "not set". -At security level 0 or lower all algorithms are acceptable. -Security level 1 requires at least 80-bit-equivalent security and is broadly -interoperable, though it will, for example, reject MD5 signatures or RSA keys -shorter than 1024 bits. - -=item B<-verify_depth> I<num> - -Limit the certificate chain to I<num> intermediate CA certificates. -A maximal depth chain can have up to I<num>+2 certificates, since neither the -end-entity certificate nor the trust-anchor certificate count against the -B<-verify_depth> limit. - -=item B<-verify_email> I<email> - -Verify if I<email> matches the email address in Subject Alternative Name or -the email in the subject Distinguished Name. 
- -=item B<-verify_hostname> I<hostname> - -Verify if I<hostname> matches DNS name in Subject Alternative Name or -Common Name in the subject certificate. - -=item B<-verify_ip> I<ip> - -Verify if I<ip> matches the IP address in Subject Alternative Name of -the subject certificate. - -=item B<-verify_name> I<name> - -Use default verification policies like trust model and required certificate |