More bugfixes from the doc-fix merge; errors found by DrH, thanks.
@@ -23,26 +23,17 @@ B<openssl> B<s_client>
|
|||||||
[B<-crl_check>]
|
[B<-crl_check>]
|
||||||
[B<-crl_check_all>]
|
[B<-crl_check_all>]
|
||||||
[B<-explicit_policy>]
|
[B<-explicit_policy>]
|
||||||
[B<-extended_crl>]
|
|
||||||
[B<-ignore_critical>]
|
[B<-ignore_critical>]
|
||||||
[B<-inhibit_any>]
|
[B<-inhibit_any>]
|
||||||
[B<-inhibit_map>]
|
[B<-inhibit_map>]
|
||||||
[B<-issuer_checks>]
|
[B<-issuer_checks>]
|
||||||
[B<-partial_chain>]
|
|
||||||
[B<-policy arg>]
|
[B<-policy arg>]
|
||||||
[B<-policy_check>]
|
[B<-policy_check>]
|
||||||
[B<-policy_print>]
|
[B<-policy_print>]
|
||||||
[B<-purpose purpose>]
|
[B<-purpose purpose>]
|
||||||
[B<-suiteB_128>]
|
|
||||||
[B<-suiteB_128_only>]
|
|
||||||
[B<-suiteB_192>]
|
|
||||||
[B<-trusted_first>]
|
[B<-trusted_first>]
|
||||||
[B<-use_deltas>]
|
[B<-use_deltas>]
|
||||||
[B<-verify_depth num>]
|
[B<-verify_depth num>]
|
||||||
[B<-verify_email email>]
|
|
||||||
[B<-verify_hostname hostname>]
|
|
||||||
[B<-verify_ip ip>]
|
|
||||||
[B<-verify_name name>]
|
|
||||||
[B<-x509_strict>]
|
[B<-x509_strict>]
|
||||||
[B<-reconnect>]
|
[B<-reconnect>]
|
||||||
[B<-pause>]
|
[B<-pause>]
|
||||||
@@ -71,9 +62,6 @@ B<openssl> B<s_client>
|
|||||||
[B<-sess_out filename>]
|
[B<-sess_out filename>]
|
||||||
[B<-sess_in filename>]
|
[B<-sess_in filename>]
|
||||||
[B<-rand file(s)>]
|
[B<-rand file(s)>]
|
||||||
[B<-serverinfo types>]
|
|
||||||
[B<-auth>]
|
|
||||||
[B<-auth_require_reneg>]
|
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
@@ -138,12 +126,12 @@ A file containing trusted certificates to use during server authentication
|
|||||||
and to use when attempting to build the client certificate chain.
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
|
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
|
||||||
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
|
B<explicit_policy>, B<-ignore_critical>, B<-inhibit_any>,
|
||||||
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
|
B<-inhibit_map>, B<-issuer_checks>, B<-policy>,
|
||||||
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
|
B<-policy_check>, B<-policy_print>, B<-purpose>,
|
||||||
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
|
B<-trusted_first>, B<-use_deltas>,
|
||||||
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
|
B<-verify_depth>,
|
||||||
B<-verify_name>, B<-x509_strict>
|
B<-x509_strict>
|
||||||
|
|
||||||
Set various certificate chain valiadition options. See the
|
Set various certificate chain valiadition options. See the
|
||||||
L<B<verify>|verify(1)> manual page for details.
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
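Review bot: In the `=item` list this hunk re-wraps, `B<explicit_policy>` is missing its leading dash on both the old and the new side, and the unchanged line below it still reads "valiadition". Since the list is being rewritten anyway, change the entry to `B<-explicit_policy>` and correct the spelling to "validation" in the same commit. The options dropped from this list match the ones dropped from the s_client SYNOPSIS in the first hunk, so the two stay in agreement.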
@@ -185,15 +173,6 @@ print extensive debugging information including a hex dump of all traffic.
|
|||||||
|
|
||||||
show all protocol messages with hex dump.
|
show all protocol messages with hex dump.
|
||||||
|
|
||||||
=item B<-trace>
|
|
||||||
|
|
||||||
show verbose trace output of protocol messages. OpenSSL needs to be compiled
|
|
||||||
with B<enable-ssl-trace> for this option to work.
|
|
||||||
|
|
||||||
=item B<-msgfile>
|
|
||||||
|
|
||||||
file to send output of B<-msg> or B<-trace> to, default standard output.
|
|
||||||
|
|
||||||
=item B<-nbio_test>
|
=item B<-nbio_test>
|
||||||
|
|
||||||
tests non-blocking I/O
|
tests non-blocking I/O
|
||||||
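Review bot: The `=item` entries for `-trace` and `-msgfile` are removed here, but neither of the two s_client SYNOPSIS hunks in this patch removes a matching `[B<-trace>]` or `[B<-msgfile ...>]` line. Please confirm the SYNOPSIS does not still list them. Otherwise the page advertises options it no longer describes, which matters for `-msgfile` because readers use it to decide where protocol dumps end up.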
@@ -217,16 +196,6 @@ input.
|
|||||||
inhibit printing of session and certificate information. This implicitly
|
inhibit printing of session and certificate information. This implicitly
|
||||||
turns on B<-ign_eof> as well.
|
turns on B<-ign_eof> as well.
|
||||||
|
|
||||||
=item B<-psk_identity identity>
|
|
||||||
|
|
||||||
Use the PSK identity B<identity> when using a PSK cipher suite.
|
|
||||||
|
|
||||||
=item B<-psk key>
|
|
||||||
|
|
||||||
Use the PSK key B<key> when using a PSK cipher suite. The key is
|
|
||||||
given as a hexadecimal number without leading 0x, for example -psk
|
|
||||||
1a2b3c4d.
|
|
||||||
|
|
||||||
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
|
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
|
||||||
|
|
||||||
these options disable the use of certain SSL or TLS protocols. By default
|
these options disable the use of certain SSL or TLS protocols. By default
|
||||||
@@ -243,11 +212,6 @@ support SSL v2 and may need the B<-ssl2> option.
|
|||||||
there are several known bug in SSL and TLS implementations. Adding this
|
there are several known bug in SSL and TLS implementations. Adding this
|
||||||
option enables various workarounds.
|
option enables various workarounds.
|
||||||
|
|
||||||
=item B<-brief>
|
|
||||||
|
|
||||||
only provide a brief summary of connection parameters instead of the
|
|
||||||
normal verbose output.
|
|
||||||
|
|
||||||
=item B<-cipher cipherlist>
|
=item B<-cipher cipherlist>
|
||||||
|
|
||||||
this allows the cipher list sent by the client to be modified. Although
|
this allows the cipher list sent by the client to be modified. Although
|
||||||
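Review bot: The unchanged line just above the removed `-brief` entry reads "there are several known bug in SSL and TLS implementations". As this commit is a documentation fix pass over the same paragraph, correct it to "bugs" here rather than leaving it for a follow-up.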
@@ -300,22 +264,6 @@ Multiple files can be specified separated by a OS-dependent character.
|
|||||||
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
|
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
|
||||||
all others.
|
all others.
|
||||||
|
|
||||||
=item B<-serverinfo types>
|
|
||||||
|
|
||||||
a list of comma-separated TLS Extension Types (numbers between 0 and
|
|
||||||
65535). Each type will be sent as an empty ClientHello TLS Extension.
|
|
||||||
The server's response (if any) will be encoded and displayed as a PEM
|
|
||||||
file.
|
|
||||||
|
|
||||||
=item B<-auth>
|
|
||||||
|
|
||||||
send RFC 5878 client and server authorization extensions in the Client Hello as well as
|
|
||||||
supplemental data if the server also sent the authorization extensions in the Server Hello.
|
|
||||||
|
|
||||||
=item B<-auth_require_reneg>
|
|
||||||
|
|
||||||
only send RFC 5878 client and server authorization extensions during renegotiation.
|
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
=head1 CONNECTED COMMANDS
|
=head1 CONNECTED COMMANDS
|
||||||
|
|||||||
@@ -14,29 +14,20 @@ B<openssl> B<verify>
|
|||||||
[B<-crl_check>]
|
[B<-crl_check>]
|
||||||
[B<-crl_check_all>]
|
[B<-crl_check_all>]
|
||||||
[B<-explicit_policy>]
|
[B<-explicit_policy>]
|
||||||
[B<-extended_crl>]
|
|
||||||
[B<-help>]
|
[B<-help>]
|
||||||
[B<-ignore_critical>]
|
[B<-ignore_critical>]
|
||||||
[B<-inhibit_any>]
|
[B<-inhibit_any>]
|
||||||
[B<-inhibit_map>]
|
[B<-inhibit_map>]
|
||||||
[B<-issuer_checks>]
|
[B<-issuer_checks>]
|
||||||
[B<-partial_chain>]
|
|
||||||
[B<-policy arg>]
|
[B<-policy arg>]
|
||||||
[B<-policy_check>]
|
[B<-policy_check>]
|
||||||
[B<-policy_print>]
|
[B<-policy_print>]
|
||||||
[B<-purpose purpose>]
|
[B<-purpose purpose>]
|
||||||
[B<-suiteB_128>]
|
|
||||||
[B<-suiteB_128_only>]
|
|
||||||
[B<-suiteB_192>]
|
|
||||||
[B<-trusted_first>]
|
[B<-trusted_first>]
|
||||||
[B<-untrusted file>]
|
[B<-untrusted file>]
|
||||||
[B<-use_deltas>]
|
[B<-use_deltas>]
|
||||||
[B<-verbose>]
|
[B<-verbose>]
|
||||||
[B<-verify_depth num>]
|
[B<-verify_depth num>]
|
||||||
[B<-verify_email email>]
|
|
||||||
[B<-verify_hostname hostname>]
|
|
||||||
[B<-verify_ip ip>]
|
|
||||||
[B<-verify_name name>]
|
|
||||||
[B<-x509_strict>]
|
[B<-x509_strict>]
|
||||||
[B<->]
|
[B<->]
|
||||||
[certificates]
|
[certificates]
|
||||||
@@ -88,11 +79,6 @@ to look up valid CRLs.
|
|||||||
|
|
||||||
Set policy variable require-explicit-policy (see RFC5280).
|
Set policy variable require-explicit-policy (see RFC5280).
|
||||||
|
|
||||||
=item B<-extended_crl>
|
|
||||||
|
|
||||||
Enable extended CRL features such as indirect CRLs and alternate CRL
|
|
||||||
signing keys.
|
|
||||||
|
|
||||||
=item B<-help>
|
=item B<-help>
|
||||||
|
|
||||||
Print out a usage message.
|
Print out a usage message.
|
||||||
@@ -119,10 +105,6 @@ rejected. The presence of rejection messages does not itself imply that
|
|||||||
anything is wrong; during the normal verification process, several
|
anything is wrong; during the normal verification process, several
|
||||||
rejections may take place.
|
rejections may take place.
|
||||||
|
|
||||||
=item B<-partial_chain>
|
|
||||||
|
|
||||||
Allow partial certificate chain if at least one certificate is in trusted store.
|
|
||||||
|
|
||||||
=item B<-policy arg>
|
=item B<-policy arg>
|
||||||
|
|
||||||
Enable policy processing and add B<arg> to the user-initial-policy-set (see
|
Enable policy processing and add B<arg> to the user-initial-policy-set (see
|
||||||
@@ -145,14 +127,6 @@ Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>,
|
|||||||
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
|
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
|
||||||
information.
|
information.
|
||||||
|
|
||||||
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
|
|
||||||
|
|
||||||
enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
|
|
||||||
192 bit, or only 192 bit Level of Security respectively.
|
|
||||||
See RFC6460 for details. In particular the supported signature algorithms are
|
|
||||||
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
|
|
||||||
P-256 and P-384.
|
|
||||||
|
|
||||||
=item B<-trusted_first>
|
=item B<-trusted_first>
|
||||||
|
|
||||||
Use certificates in CA file or CA directory before certificates in untrusted
|
Use certificates in CA file or CA directory before certificates in untrusted
|
||||||
@@ -176,27 +150,6 @@ Print extra information about the operations being performed.
|
|||||||
|
|
||||||
Limit the maximum depth of the certificate chain to B<num> certificates.
|
Limit the maximum depth of the certificate chain to B<num> certificates.
|
||||||
|
|
||||||
=item B<-verify_email email>
|
|
||||||
|
|
||||||
Verify if the B<email> matches the email address in Subject Alternative Name or
|
|
||||||
the email in the subject Distinguished Name.
|
|
||||||
|
|
||||||
=item B<-verify_hostname hostname>
|
|
||||||
|
|
||||||
Verify if the B<hostname> matches DNS name in Subject Alternative Name or
|
|
||||||
Common Name in the subject certificate.
|
|
||||||
|
|
||||||
=item B<-verify_ip ip>
|
|
||||||
|
|
||||||
Verify if the B<ip> matches the IP address in Subject Alternative Name of
|
|
||||||
the subject certificate.
|
|
||||||
|
|
||||||
=item B<-verify_name name>
|
|
||||||
|
|
||||||
Use default verification options like trust model and required certificate
|
|
||||||
policies identified by B<name>.
|
|
||||||
Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server.
|
|
||||||
|
|
||||||
=item B<-x509_strict>
|
=item B<-x509_strict>
|
||||||
|
|
||||||
For strict X.509 compliance, disable non-compliant workarounds for broken
|
For strict X.509 compliance, disable non-compliant workarounds for broken
|
||||||
|
|||||||
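Review bot: With the `-verify_email`, `-verify_hostname`, `-verify_ip` and `-verify_name` entries removed in this hunk, none of the options left visible in this patch checks the certificate against an expected name, and the s_client page defers to this page for its validation options. If these options are not available in this branch, consider adding one sentence near `-purpose` stating that the command validates the chain only and performs no hostname, email or IP matching, so that readers carrying scripts over from documentation that includes them do not assume a name check took place.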