[openssl] master update
dev at ddvo.net
dev at ddvo.net
Mon Apr 20 09:34:52 UTC 2020
The branch master has been updated
via 0aa87e86832ebad4042e2f6298549d598c35b610 (commit)
via 2b264aee6f3b92f14cb3e3dc5b27d14831870923 (commit)
from b418980c3f5519c248afc40a575b89f629d56b45 (commit)
- Log -----------------------------------------------------------------
commit 0aa87e86832ebad4042e2f6298549d598c35b610
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Sat Mar 7 11:51:42 2020 +0100
Update comment on crls_http_cb() as it does support non-blocking I/O since #10667
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)
commit 2b264aee6f3b92f14cb3e3dc5b27d14831870923
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Fri Mar 6 21:46:33 2020 +0100
Fix descriptions of credentials and verification options for various apps
fix doc of s_client and s_server credentials and verification options
fix doc of verification options also for s_time, x509, crl, req, ts, and verify
correcting and extending texts regarding untrusted and trusted certs,
making the order of options in the docs and help texts more consistent,
etc.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)
-----------------------------------------------------------------------
Summary of changes:
apps/crl.c | 2 +-
apps/lib/apps.c | 5 +-
apps/req.c | 2 +-
apps/s_client.c | 20 +++----
apps/s_server.c | 48 ++++++++--------
apps/s_time.c | 2 +-
apps/ts.c | 2 +-
apps/verify.c | 14 ++---
apps/x509.c | 2 +-
doc/man1/openssl-s_client.pod.in | 85 +++++++++++++++-------------
doc/man1/openssl-s_server.pod.in | 117 +++++++++++++++++++++++++--------------
doc/man1/openssl-ts.pod.in | 2 +-
doc/man1/openssl-verify.pod.in | 15 ++---
doc/man1/openssl.pod | 4 +-
14 files changed, 183 insertions(+), 137 deletions(-)
diff --git a/apps/crl.c b/apps/crl.c
index 5e0a517a1b..95643a0e10 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -46,7 +46,7 @@ const OPTIONS crl_options[] = {
#ifndef OPENSSL_NO_MD5
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
#endif
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"", OPT_MD, '-', "Any supported digest"},
OPT_SECTION("CRL"),
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 7b400a413d..fc48b0b12e 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1895,9 +1895,8 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
}
/*
- * Example of downloading CRLs from CRLDP: not usable for real world as it
- * always downloads, doesn't support non-blocking I/O and doesn't cache
- * anything.
+ * Example of downloading CRLs from CRLDP:
+ * not usable for real world as it always downloads and doesn't cache anything.
*/
static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
diff --git a/apps/req.c b/apps/req.c
index 4d65fc2831..e2555b6fbe 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -113,7 +113,7 @@ const OPTIONS req_options[] = {
{"config", OPT_CONFIG, '<', "Request template file"},
{"section", OPT_SECTION, 's', "Config section to use (default \"req\")"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
{"text", OPT_TEXT, '-', "Text form of request"},
{"x509", OPT_X509, '-',
diff --git a/apps/s_client.c b/apps/s_client.c
index c06f2c824f..c051e65270 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -649,14 +649,17 @@ const OPTIONS s_client_options[] = {
{"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
OPT_SECTION("Identity"),
- {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
- {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
+ {"cert", OPT_CERT, '<', "Client certificate file to use"},
{"certform", OPT_CERTFORM, 'F',
- "Certificate format (PEM or DER) PEM default"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
- {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"},
+ "Client certificate file format (PEM or DER) PEM default"},
+ {"cert_chain", OPT_CERT_CHAIN, '<',
+ "Client certificate chain file (in PEM format)"},
+ {"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
+ {"key", OPT_KEY, 's', "Private key file to use; default is: -cert file"},
{"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
+ {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
@@ -801,8 +804,8 @@ const OPTIONS s_client_options[] = {
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
- {"cert_chain", OPT_CERT_CHAIN, '<',
- "Certificate chain file (in PEM format)"},
+ {"chainCAfile", OPT_CHAINCAFILE, '<',
+ "CA file for certificate chain (PEM format)"},
{"chainCApath", OPT_CHAINCAPATH, '/',
"Use dir as certificate store path to build CA certificate chain"},
{"chainCAstore", OPT_CHAINCASTORE, ':',
@@ -813,9 +816,6 @@ const OPTIONS s_client_options[] = {
"Use dir as certificate store path to verify CA certificate"},
{"verifyCAstore", OPT_VERIFYCASTORE, ':',
"CA store URI for certificate verification"},
- {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
- {"chainCAfile", OPT_CHAINCAFILE, '<',
- "CA file for certificate chain (PEM format)"},
OPT_X_OPTIONS,
OPT_PROV_OPTIONS,
diff --git a/apps/s_server.c b/apps/s_server.c
index d2864bc689..830acadd32 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -802,31 +802,36 @@ const OPTIONS s_server_options[] = {
{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
{"Verify", OPT_UPPER_V_VERIFY, 'n',
"Turn on peer certificate verification, must have a cert"},
- {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
+ {"cert", OPT_CERT, '<', "Server certificate file to use; default is " TEST_CERT},
{"cert2", OPT_CERT2, '<',
"Certificate file to use for servername; default is" TEST_CERT2},
- {"key2", OPT_KEY2, '<',
- "-Private Key file to use for servername if not in -cert2"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"certform", OPT_CERTFORM, 'F',
+ "Server certificate file format (PEM or DER) PEM default"},
+ {"cert_chain", OPT_CERT_CHAIN, '<',
+ "Server certificate chain file in PEM format"},
+ {"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
{"serverinfo", OPT_SERVERINFO, 's',
"PEM serverinfo file for certificate"},
- {"certform", OPT_CERTFORM, 'F',
- "Certificate format (PEM or DER) PEM default"},
{"key", OPT_KEY, 's',
- "Private Key if not in -cert; default is " TEST_CERT},
+ "Private key file to use; default is -cert file or else" TEST_CERT},
+ {"key2", OPT_KEY2, '<',
+ "-Private Key file to use for servername if not in -cert2"},
{"keyform", OPT_KEYFORM, 'f',
"Key format (PEM, DER or ENGINE) PEM default"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"dcert", OPT_DCERT, '<',
- "Second certificate file to use (usually for DSA)"},
- {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
+ "Second server certificate file to use (usually for DSA)"},
{"dcertform", OPT_DCERTFORM, 'F',
- "Second certificate format (PEM or DER) PEM default"},
+ "Second server certificate file format (PEM or DER) PEM default"},
+ {"dcert_chain", OPT_DCERT_CHAIN, '<',
+ "second server certificate chain file in PEM format"},
{"dkey", OPT_DKEY, '<',
"Second private key file to use (usually for DSA)"},
{"dkeyform", OPT_DKEYFORM, 'F',
- "Second key format (PEM, DER or ENGINE) PEM default"},
+ "Second key file format (PEM, DER or ENGINE) PEM default"},
{"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
+ {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
{"servername", OPT_SERVERNAME, 's',
"Servername for HostName TLS extension"},
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
@@ -850,12 +855,17 @@ const OPTIONS s_server_options[] = {
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
"Export len bytes of keying material (default 20)"},
{"CRL", OPT_CRL, '<', "CRL file to use"},
+ {"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"},
{"crl_download", OPT_CRL_DOWNLOAD, '-',
- "Download CRL from distribution points"},
+ "Download CRLs from distribution points in certificate CDP entries"},
+ {"chainCAfile", OPT_CHAINCAFILE, '<',
+ "CA file for certificate chain (PEM format)"},
{"chainCApath", OPT_CHAINCAPATH, '/',
"use dir as certificate store path to build CA certificate chain"},
{"chainCAstore", OPT_CHAINCASTORE, ':',
"use URI as certificate store to build CA certificate chain"},
+ {"verifyCAfile", OPT_VERIFYCAFILE, '<',
+ "CA file for certificate verification (PEM format)"},
{"verifyCApath", OPT_VERIFYCAPATH, '/',
"use dir as certificate store path to verify CA certificate"},
{"verifyCAstore", OPT_VERIFYCASTORE, ':',
@@ -863,13 +873,10 @@ const OPTIONS s_server_options[] = {
{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
{"ext_cache", OPT_EXT_CACHE, '-',
"Disable internal cache, setup and use external cache"},
- {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-',
"No verify output except verify errors"},
- {"verifyCAfile", OPT_VERIFYCAFILE, '<',
- "CA file for certificate verification (PEM format)"},
{"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
@@ -990,13 +997,6 @@ const OPTIONS s_server_options[] = {
OPT_R_OPTIONS,
OPT_S_OPTIONS,
OPT_V_OPTIONS,
- {"cert_chain", OPT_CERT_CHAIN, '<',
- "certificate chain file in PEM format"},
- {"dcert_chain", OPT_DCERT_CHAIN, '<',
- "second certificate chain file in PEM format"},
- {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
- {"chainCAfile", OPT_CHAINCAFILE, '<',
- "CA file for certificate chain (PEM format)"},
OPT_X_OPTIONS,
OPT_PROV_OPTIONS,
{NULL}
@@ -1244,7 +1244,7 @@ int s_server_main(int argc, char *argv[])
s_key_file = opt_arg();
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_key_format))
goto opthelp;
break;
case OPT_PASS:
@@ -1266,7 +1266,7 @@ int s_server_main(int argc, char *argv[])
s_dcert_file = opt_arg();
break;
case OPT_DKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dkey_format))
+ if (!opt_format(opt_arg(), OPT_FMT_PDE, &s_dkey_format))
goto opthelp;
break;
case OPT_DPASS:
diff --git a/apps/s_time.c b/apps/s_time.c
index 28e82f7cae..643155674f 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -86,7 +86,7 @@ const OPTIONS s_time_options[] = {
{"www", OPT_WWW, 's', "Fetch specified page from the site"},
OPT_SECTION("Certificate"),
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
{"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
diff --git a/apps/ts.c b/apps/ts.c
index 2f21433a6b..29e2314ee8 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -97,8 +97,8 @@ const OPTIONS ts_options[] = {
{"inkey", OPT_INKEY, 's', "File with private key for reply"},
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"chain", OPT_CHAIN, '<', "File with signer CA chain"},
- {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
+ {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
{"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
{"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
{"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
diff --git a/apps/verify.c b/apps/verify.c
index f626009f55..1e154069c1 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -45,24 +45,24 @@ const OPTIONS verify_options[] = {
#endif
{"verbose", OPT_VERBOSE, '-',
"Print extra information about the operations being performed."},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
OPT_SECTION("Certificate chain"),
- {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
+ {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
+ {"CApath", OPT_CAPATH, '/', "A directory of files with trusted certificates"},
{"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"},
{"no-CAfile", OPT_NOCAFILE, '-',
- "Do not load the default certificates file"},
+ "Do not load the default trusted certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates directory"},
+ "Do not load trusted certificates from the default directory"},
{"no-CAstore", OPT_NOCAPATH, '-',
- "Do not load certificates from the default certificates store"},
+ "Do not load trusted certificates from the default certificates store"},
{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
- {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CRLfile", OPT_CRLFILE, '<',
"File containing one or more CRL's (in PEM format) to load"},
{"crl_download", OPT_CRL_DOWNLOAD, '-',
- "Attempt to download CRL information for this certificate"},
+ "Try downloading CRL information for certificates via their CDP entries"},
{"show_chain", OPT_SHOW_CHAIN, '-',
"Display information about the certificate chain"},
diff --git a/apps/x509.c b/apps/x509.c
index e2a68828e3..996e89e4d9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -117,7 +117,7 @@ const OPTIONS x509_options[] = {
{"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) subject hash value"},
#endif
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
OPT_SECTION("Certificate"),
{"startdate", OPT_STARTDATE, '-', "Set notBefore field"},
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 982c54ae9e..f66e6e5d63 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -30,22 +30,21 @@ B<openssl> B<s_client>
[B<-verifyCAstore> I<uri>]
[B<-cert> I<filename>]
[B<-certform> B<DER>|B<PEM>]
+[B<-cert_chain> I<filename>]
+[B<-build_chain>]
[B<-CRL> I<filename>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>]
-[B<-cert_chain> I<filename>]
-[B<-build_chain>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pass> I<arg>]
-[B<-chainCApath> I<directory>]
[B<-chainCAfile> I<filename>]
+[B<-chainCApath> I<directory>]
[B<-chainCAstore> I<uri>]
[B<-requestCAfile> I<filename>]
[B<-dane_tlsa_domain> I<domain>]
[B<-dane_tlsa_rrdata> I<rrdata>]
[B<-dane_ee_no_namechecks>]
-[B<-build_chain>]
[B<-reconnect>]
[B<-showcerts>]
[B<-prexit>]
@@ -236,12 +235,25 @@ ClientHello message. Cannot be used in conjunction with the B<-servername> or
=item B<-cert> I<certname>
-The certificate to use, if one is requested by the server. The default is
-not to use a certificate.
+The client certificate to use, if one is requested by the server.
+The default is not to use a certificate.
-=item B<-certform> I<format>
+The chain for the client certificate may be specified using B<-cert_chain>.
-The certificate format to use: DER or PEM. PEM is the default.
+=item B<-certform> B<DER>|B<PEM>
+
+The client certificate file format to use; the default is B<PEM>.
+see L<openssl(1)/Format Options>.
+
+=item B<-cert_chain>
+
+A file containing untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the B<-cert> option.
+
+=item B<-build_chain>
+
+Specify whether the application should build the client certificate chain to be
+provided to the server.
=item B<-CRL> I<filename>
@@ -249,7 +261,7 @@ CRL file to use to check the server's certificate.
=item B<-CRLform> B<DER>|B<PEM>
-The CRL format; the default is B<PEM>.
+The CRL file format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-crl_download>
@@ -258,25 +270,14 @@ Download CRL from distribution points in the certificate.
=item B<-key> I<keyfile>
-The private key to use. If not specified then the certificate file will
-be used.
+The client private key file to use.
+If not specified then the certificate file will be used to read also the key.
-=item B<-keyform> I<format>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
-=item B<-cert_chain>
-
-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-B<-cert> option.
-
-=item B<-build_chain>
-
-Specify whether the application should build the certificate chain to be
-provided to the server.
-
=item B<-pass> I<arg>
the private key password source. For more information about the format of I<arg>
@@ -301,32 +302,42 @@ Limit verify output to only errors.
=item B<-verifyCAfile> I<filename>
-CA file for verifying the server's certificate, in PEM format.
+A file in PEM format containing trusted certificates to use
+for verifying the server's certificate.
=item B<-verifyCApath> I<dir>
-Use the specified directory as a certificate store path to verify
-the server's CA certificate.
+A directory containing trusted certificates to use
+for verifying the server's certificate.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
=item B<-verifyCAstore> I<uri>
-Use the specified URI as a store URI to verify the server's certificate.
-
+The URI of a store containing trusted certificates to use
+for verifying the server's certificate.
-=item B<-chainCApath> I<directory>
+=item B<-chainCAfile> I<file>
-The directory to use for building the chain provided to the server. This
-directory must be in "hash format", see L<openssl-verify(1)> for more
-information.
+A file in PEM format containing trusted certificates to use
+when attempting to build the client certificate chain.
-=item B<-chainCAfile> I<file>
+=item B<-chainCApath> I<directory>
-A file containing trusted certificates to use when attempting to build the
-client certificate chain.
+A directory containing trusted certificates to use
+for building the client certificate chain provided to the server.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
=item B<-chainCAstore> I<uri>
-The URI to use when attempting to build the client certificate chain.
+The URI of a store containing trusted certificates to use
+when attempting to build the client certificate chain.
+The URI may indicate a single certificate, as well as a collection of them.
+With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
+B<-chainCApath>, depending on if the URI indicates a directory or a
+single file.
+See L<ossl_store-file(7)> for more information on the C<file:> scheme.
=item B<-requestCAfile> I<file>
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 0fd22d4689..c7c78562c1 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -19,16 +19,20 @@ B<openssl> B<s_server>
[B<-verify> I<int>]
[B<-Verify> I<int>]
[B<-cert> I<infile>]
-[B<-naccept> I<+int>]
-[B<-serverinfo> I<val>]
+[B<-cert2> I<infile>]
[B<-certform> B<DER>|B<PEM>]
+[B<-cert_chain> I<infile>]
+[B<-build_chain>]
+[B<-serverinfo> I<val>]
[B<-key> I<infile>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-key2> I<infile>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
[B<-dcertform> B<DER>|B<PEM>]
+[B<-dcert_chain> I<infile>]
[B<-dkey> I<infile>]
-[B<-dkeyform> B<DER>|B<PEM>]
+[B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
@@ -44,29 +48,24 @@ B<openssl> B<s_server>
[B<-http_server_binmode>]
[B<-servername>]
[B<-servername_fatal>]
-[B<-cert2> I<infile>]
-[B<-key2> I<infile>]
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix> I<val>]
[B<-keymatexport> I<val>]
[B<-keymatexportlen> I<+int>]
-[B<-CRLform> B<DER>|B<PEM>]
[B<-CRL> I<infile>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
-[B<-cert_chain> I<infile>]
-[B<-dcert_chain> I<infile>]
+[B<-chainCAfile> I<infile>]
[B<-chainCApath> I<dir>]
-[B<-verifyCApath> I<dir>]
[B<-chainCAstore> I<uri>]
+[B<-verifyCAfile> I<infile>]
+[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
[B<-no_cache>]
[B<-ext_cache>]
[B<-verify_return_error>]
[B<-verify_quiet>]
-[B<-build_chain>]
-[B<-chainCAfile> I<infile>]
-[B<-verifyCAfile> I<infile>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-status>]
@@ -84,6 +83,7 @@ B<openssl> B<s_server>
[B<-max_send_frag> I<+int>]
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
+[B<-naccept> I<+int>]
[B<-read_buf> I<+int>]
[B<-bugs>]
[B<-no_comp>]
@@ -219,22 +219,21 @@ certificate and some require a certificate with a certain public key type:
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename F<server.pem> will be used.
+=item B<-certform> B<DER>|B<PEM>
+
+The server certificate file format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
=item B<-cert_chain>
-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-B<-cert> option.
+A file containing untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the B<-cert> option.
=item B<-build_chain>
-Specify whether the application should build the certificate chain to be
+Specify whether the application should build the server certificate chain to be
provided to the client.
-=item B<-naccept> I<+int>
-
-The server will exit after receiving the specified number of connections,
-default unlimited.
-
=item B<-serverinfo> I<val>
A file containing one or more blocks of PEM data. Each PEM block
@@ -243,17 +242,12 @@ followed by "length" bytes of extension data). If the client sends
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
-=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM>
-
-The certificate and CRL format; the default is PEM.
-See L<openssl(1)/Format Options> for details.
-
=item B<-key> I<infile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
@@ -277,14 +271,19 @@ by using an appropriate certificate.
=item B<-dcert_chain>
-A file containing trusted certificates to use when attempting to build the
+A file containing untrusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>
+=item B<-dcertform> B<DER>|B<PEM>
+
+The format of the additional certificate file; the default is B<PEM>.
+See L<openssl(1)/Format Options>.
+
+=item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>
-The format of the certificate and private key; the default is B<PEM>
-see L<openssl(1)/Format Options>.
+The format of the additional private key; the default is B<PEM>.
+See L<openssl(1)/Format Options>.
=item B<-dpass> I<val>
@@ -316,22 +315,53 @@ File to send output of B<-msg> or B<-trace> to, default standard output.
Prints the SSL session states.
-=item B<-chainCApath> I<dir>
+=item B<-CRL> I<infile>
+
+The CRL file to use.
+
+=item B<-CRLform> B<DER>|B<PEM>
+
+The CRL file format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-crl_download>
+
+Download CRLs from distribution points given in CDP extensions of certificates
-The directory to use for building the chain provided to the client. This
-directory must be in "hash format", see L<openssl-verify(1)> for more
-information.
+=item B<-verifyCAfile> I<filename>
+
+A file in PEM format CA containing trusted certificates to use
+for verifying client certificates.
+
+=item B<-verifyCApath> I<dir>
+
+A directory containing trusted certificates to use
+for verifying client certificates.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
+
+=item B<-verifyCAstore> I<uri>
+
+The URI of a store containing trusted certificates to use
+for verifying client certificates.
=item B<-chainCAfile> I<file>
-A file containing trusted certificates to use when attempting to build the
-server certificate chain.
+A file in PEM format containing trusted certificates to use
+when attempting to build the server certificate chain.
+
+=item B<-chainCApath> I<dir>
+
+A directory containing trusted certificates to use
+for building the server certificate chain provided to the client.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
=item B<-chainCAstore> I<uri>
-The URI to a store to use for building the chain provided to the client.
-The URI may indicate a single certificate, as well as a collection of
-them.
+The URI of a store containing trusted certificates to use
+for building the server certificate chain provided to the client.
+The URI may indicate a single certificate, as well as a collection of them.
With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
B<-chainCApath>, depending on if the URI indicates a directory or a
single file.
@@ -462,6 +492,11 @@ an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
+=item B<-naccept> I<+int>
+
+The server will exit after receiving the specified number of connections,
+default unlimited.
+
=item B<-read_buf> I<+int>
The default read buffer size to be used for connections. This will only have an
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 38fcf530fe..8437862c2c 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -37,7 +37,6 @@ B<-reply>
[B<-chain> I<certs_file.pem>]
[B<-tspolicy> I<object_id>]
[B<-in> I<response.tsr>]
-[B<-untrusted> I<file>]
[B<-token_in>]
[B<-out> I<response.tsr>]
[B<-token_out>]
@@ -52,6 +51,7 @@ B<-verify>
[B<-queryfile> I<request.tsq>]
[B<-in> I<response.tsr>]
[B<-token_in>]
+[B<-untrusted> I<file>]
[B<-CAfile> I<file>]
[B<-CApath> I<dir>]
[B<-CAstore> I<uri>]
diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in
index 821f88dae9..2b824c0370 100644
--- a/doc/man1/openssl-verify.pod.in
+++ b/doc/man1/openssl-verify.pod.in
@@ -38,10 +38,6 @@ This command verifies certificate chains.
Print out a usage message.
-=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-
-See L<openssl(1)/Trusted Certificate Options> for more information.
-
=item B<-CRLfile> I<file>
The I<file> should contain one or more CRLs in PEM format.
@@ -50,7 +46,7 @@ I<file>s.
=item B<-crl_download>
-Attempt to download CRL information for this certificate.
+Attempt to download CRL information for certificates via their CDP entries.
=item B<-show_chain>
@@ -64,11 +60,16 @@ Print extra information about the operations being performed.
=item B<-trusted> I<file>
-A file of trusted certificates.
+A file of trusted certificates in PEM format.
+This option can be specified more than once to load certificates from multiple
+I<file>s.
=item B<-untrusted> I<file>
-A file of untrusted certificates.
+A file of untrusted certificates in PEM format to use for chain building.
+This option can be specified more than once to load certificates from multiple
+I<file>s.
+
=item B<-vfyopt> I<nm>:I<v>
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index c05fc29f67..c8de9016fb 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -977,8 +977,8 @@ effect.
Parse I<file> as a set of one or more certificates in PEM format.
All certificates must be self-signed, unless the
B<-partial_chain> option is specified.
-This option implies the B<-no-CAfile> and B<-no-CApath> options and it
-cannot be used with either the B<-CAfile> or B<-CApath> options, so
+This option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options
+and it cannot be used with the B<-CAfile>, B<-CApath> or B<-CAstore> options, so
only certificates in the file are trust anchors.
This option may be used multiple times.
More information about the openssl-commits
mailing list