RT3102: Document -verify_error_return flag

Also moved some options around so all the "verify" options
are clumped together.

Reviewed-by: Matt Caswell <matt@openssl.org>
Rich Salz 2014-08-27 14:23:39 -04:00
parent f47e203975
commit 8d4193305b

@ -53,6 +53,7 @@ B<openssl> B<s_server>
[B<-trusted_first>] [B<-trusted_first>]
[B<-use_deltas>] [B<-use_deltas>]
[B<-verify_depth num>] [B<-verify_depth num>]
[B<-verify_return_error>]
[B<-verify_email email>] [B<-verify_email email>]
[B<-verify_hostname hostname>] [B<-verify_hostname hostname>]
[B<-verify_ip ip>] [B<-verify_ip ip>]
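Review bot: The synopsis entry added here, `[B<-verify_return_error>]`, does not match the commit subject, which names the flag `-verify_error_return`. The subject line should use the same spelling as the synopsis and the `=item` entry, so that a search of the log for the option name finds this change.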
@ -185,17 +186,6 @@ disabling the ephemeral ECDH cipher suites.
certain export cipher suites sometimes use a temporary RSA key, this option certain export cipher suites sometimes use a temporary RSA key, this option
disables temporary RSA key generation. disables temporary RSA key generation.
=item B<-verify depth>, B<-Verify depth>
The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
the client. With the B<-verify> option a certificate is requested but the
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
If the ciphersuite cannot request a client certificate (for example an
anonymous ciphersuite or PSK) this option has no effect.
=item B<-crl_check>, B<-crl_check_all> =item B<-crl_check>, B<-crl_check_all>
Check the peer certificate has not been revoked by its CA. Check the peer certificate has not been revoked by its CA.
@ -215,6 +205,17 @@ and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. a certificate is requested.
=item B<-verify depth>, B<-Verify depth>
The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
the client. With the B<-verify> option a certificate is requested but the
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
If the ciphersuite cannot request a client certificate (for example an
anonymous ciphersuite or PSK) this option has no effect.
=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>, =item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
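Review bot: In the `=item` context line that now directly follows the moved `-verify` block, `B<explicit_policy>` lacks the leading dash that every other option in that list carries. Since this change is already tidying the verify options, correct it to `B<-explicit_policy>` in the same pass.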
@ -225,6 +226,12 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different peer certificate verification options. Set different peer certificate verification options.
See the L<B<verify>|verify(1)> manual page for details. See the L<B<verify>|verify(1)> manual page for details.
=item B<-verify_return_error>
Verification errors normally just print a message but allow the
connection to continue, for debugging purposes.
If this option is used, then verification errors close the connection.
=item B<-state> =item B<-state>
prints out the SSL session states. prints out the SSL session states.
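Review bot: The new `=item B<-verify_return_error>` text does not tie itself to the `-verify`/`-Verify` entry above it, whose wording ("the client must supply a certificate or an error occurs") can be read as rejecting a bad certificate by default. Suggest stating explicitly, here or in the `-verify` item, that without `-verify_return_error` a client certificate that fails verification is only reported and the connection still proceeds, and naming `-verify_return_error` in the `-verify` item so that readers configuring client authentication see both options together.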