generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Document -trusted_first option in man pages and help.

Browse Source 
Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.
This commit is contained in:
Hubert Kario 2014-06-18 19:55:03 +02:00 committed by Matt Caswell
parent 2d7153e8f9
commit 6d3d579367
12 changed files with 33 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
apps/cms.c
View File

@ -716,6 +716,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-text include or delete text MIME headers\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-trusted_first use locally trusted certificates first when building trust chain\n");
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE

1
apps/ocsp.c
View File

@ -626,6 +626,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-path path to use in OCSP request\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-trusted_first use locally trusted CA's first when building trust chain\n");
BIO_printf (bio_err, "-VAfile file validator certificates file\n"); BIO_printf (bio_err, "-VAfile file validator certificates file\n");
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");

1
apps/s_client.c
View File

@ -334,6 +334,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n");
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");

1
apps/s_server.c
View File

@ -526,6 +526,7 @@ static void sv_usage(void)
BIO_printf(bio_err," -state - Print the SSL states\n"); BIO_printf(bio_err," -state - Print the SSL states\n");
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err," -trusted_first - Use locally trusted CA's first when building trust chain\n");
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");

1
apps/smime.c
View File

@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-text include or delete text MIME headers\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-trusted_first use locally trusted CA's first when building trust chain\n");
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE

2
apps/verify.c
View File

@ -245,7 +245,7 @@ int MAIN(int argc, char **argv)
end: end:
if (ret == 1) { if (ret == 1) {
BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," [-engine e]"); BIO_printf(bio_err," [-engine e]");
#endif #endif

5
doc/apps/cms.pod
View File

@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>] [B<-print>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-CApath dir>] [B<-CApath dir>]
[B<-trusted_first>]
[B<-md digest>] [B<-md digest>]
[B<-[cipher]>] [B<-[cipher]>]
[B<-nointern>] [B<-nointern>]
@ -429,9 +430,9 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address. address matches that specified in the From: address.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
Set various certificate chain valiadition option. See the Set various certificate chain valiadition options. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
=back =back

6
doc/apps/ocsp.pod
View File

@ -29,6 +29,7 @@ B<openssl> B<ocsp>
[B<-path>] [B<-path>]
[B<-CApath dir>] [B<-CApath dir>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-trusted_first>]
[B<-VAfile file>] [B<-VAfile file>]
[B<-validity_period n>] [B<-validity_period n>]
[B<-status_age n>] [B<-status_age n>]
@ -138,6 +139,11 @@ or "/" by default.
file or pathname containing trusted CA certificates. These are used to verify file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response. the signature on the OCSP response.
=item B<-trusted_first>
Set certificate verification option.
See L<B<verify>|verify(1)> manual page for details.
=item B<-verify_other file> =item B<-verify_other file>
file containing additional certificates to search when attempting to locate file containing additional certificates to search when attempting to locate

5
doc/apps/s_client.pod
View File

@ -18,6 +18,7 @@ B<openssl> B<s_client>
[B<-pass arg>] [B<-pass arg>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
[B<-trusted_first>]
[B<-reconnect>] [B<-reconnect>]
[B<-pause>] [B<-pause>]
[B<-showcerts>] [B<-showcerts>]
@ -116,9 +117,9 @@ also used when building the client certificate chain.
A file containing trusted certificates to use during server authentication A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain. and to use when attempting to build the client certificate chain.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
Set various certificate chain valiadition option. See the Set various certificate chain valiadition options. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
=item B<-reconnect> =item B<-reconnect>

6
doc/apps/s_server.pod
View File

@ -34,6 +34,7 @@ B<openssl> B<s_server>
[B<-state>] [B<-state>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
[B<-trusted_first>]
[B<-nocert>] [B<-nocert>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-quiet>] [B<-quiet>]
@ -183,6 +184,11 @@ and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. a certificate is requested.
=item B<-trusted_first>
Set certificate verification option.
See the L<B<verify>|verify(1)> manual page for details.
=item B<-state> =item B<-state>
prints out the SSL session states. prints out the SSL session states.

3
doc/apps/smime.pod
View File

@ -15,6 +15,7 @@ B<openssl> B<smime>
[B<-pk7out>] [B<-pk7out>]
[B<-[cipher]>] [B<-[cipher]>]
[B<-in file>] [B<-in file>]
[B<-trusted_first>]
[B<-certfile file>] [B<-certfile file>]
[B<-signer file>] [B<-signer file>]
[B<-recip file>] [B<-recip file>]
@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address. address matches that specified in the From: address.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
Set various options of certificate chain verification. See Set various options of certificate chain verification. See
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.

7
doc/apps/verify.pod
View File

@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify> B<openssl> B<verify>
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-trusted_first>]
[B<-purpose purpose>] [B<-purpose purpose>]
[B<-policy arg>] [B<-policy arg>]
[B<-ignore_critical>] [B<-ignore_critical>]
@ -57,6 +58,12 @@ in PEM format concatenated together.
A file of untrusted certificates. The file should contain multiple certificates A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together. in PEM format concatenated together.
=item B<-trusted_first>
Use certificates in CA file or CA directory before certificates in untrusted
file when building the trust chain to verify certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
=item B<-purpose purpose> =item B<-purpose purpose>
The intended use for the certificate. If this option is not specified, The intended use for the certificate. If this option is not specified,