Commit graph

979 commits

Author SHA1 Message Date
Dr. Stephen Henson
36b619a06e Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 384dee5124)
2015-02-24 15:28:38 +00:00
Dr. Stephen Henson
1f956f9cda typo
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 15b5d6585d)
2015-02-22 14:44:21 +00:00
Emilia Kasper
95929797a0 Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 0923e7df9e)
2015-02-10 15:36:03 +01:00
Dr. Stephen Henson
3b740cebd5 Preliminary ASN1_TIME documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a724e79ed7)
2015-02-03 16:50:29 +00:00
Matt Caswell
6ca1dc9737 Provide documentation for all SSL(_CTX)?_(get|set)(_default)?_read_ahead
functions.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8507474564)
2015-01-27 14:30:25 +00:00
Rich Salz
6d09851694 Make OPENSSL_config truly ignore errors.
Per discussion: should not exit. Should not print to stderr.
Errors are ignored.  Updated doc to reflect that, and the fact
that this function is to be avoided.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit abdd677125)
2015-01-25 21:12:01 -05:00
Dr. Stephen Henson
4b4c1fcc88 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 12:45:10 +00:00
Dr. Stephen Henson
cf95b2d66a Remove MS SGC
MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 63eab8a620)
2015-01-02 23:01:38 +00:00
Thorsten Glaser
dc00fb9d51 Document openssl dgst -hmac option
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:53:48 +01:00
Alok Menghrajani
beef278bd7 Improves certificates HOWTO
* adds links to various related documents.
* fixes a few typos.
* rewords a few sentences.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 67472bd82b)
2014-12-22 16:26:03 +01:00
Richard Levitte
58191465ef Small typo
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 7cfab40f43)
2014-12-22 15:36:42 +01:00
Emilia Kasper
bd34823e55 Clarify the return values for SSL_get_shared_curve.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 376e2ca3e3)
2014-12-05 18:31:57 +01:00
Richard Levitte
89e1e5c84d Correct some layout issues, convert all remaining tabs to appropriate amounts of spaces.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8123d158ab)
2014-11-28 17:04:15 +01:00
Alok Menghrajani
7cae6eeed0 Improves the proxy certificates howto doc.
The current documentation contains a bunch of spelling and grammar mistakes. I also
found it hard to understand some paragraphs, so here is my attempt to improve its
readability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 03b637a730)
2014-11-28 17:04:15 +01:00
André Guerreiro
4d3df37bc7 Add documentation on -timeout option in the ocsp utility
PR#3612

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit de87dd46c1)
2014-11-27 14:14:52 +00:00
Matt Caswell
23cf88440c Updates to X509_NAME_get_index_by_NID.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 6484958645)
2014-11-27 13:57:11 +00:00
Matt Caswell
bd8192604a Updates to X509_NAME_add_entry_by_txt.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit f281b8df70)
2014-11-27 13:57:11 +00:00
Matt Caswell
8f8e7cec83 Updates to EVP_PKEY_encrypt.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 34890ac18e)
2014-11-27 13:57:11 +00:00
Alok Menghrajani
2ad842b86a Fixes a minor typo in the EVP docs.
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5211e094de)
2014-11-12 21:05:01 +00:00
Daniel Kahn Gillmor
0ec6898c67 Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH
see RT #3203

Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants.  This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-10 10:58:49 +01:00
Bodo Moeller
981545e1e7 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:39:26 +02:00
Bodo Moeller
80fb4820cb Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 10:50:53 +02:00
Rich Salz
20d1c8111f RT3462: Document actions when data==NULL
If data is NULL, return the size needed to hold the
derived key.  No other API to do this, so document
the behavior.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 5aed169305)
2014-10-03 10:39:32 -04:00
Rich Salz
a4ee5bbc77 RT2309: Fix podpage MMNNFFPPS->MNNFFPPS
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 9208640a36)
2014-09-30 16:31:44 -04:00
Dr. Stephen Henson
255401756d Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5886354dcc)
2014-09-25 00:06:46 +01:00
Emilia Kasper
e774a3055b Add i2d_re_X509_tbs
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 95b1752cc7)
2014-09-23 18:20:26 +02:00
Matthias Andree
ef720a67ab RT2272: Add old-style hash to c_rehash
In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a787c2590e)
2014-09-08 11:35:25 -04:00
Rich Salz
f28c48d07e RT468: SSL_CTX_sess_set_cache_size wrong
The documentation is wrong about what happens when the
session cache fills up.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9edfc4196)
2014-09-08 11:26:19 -04:00
Scott Schaefer
61a44b76a0 RT2518: fix pod2man errors
pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit fe7573042f)
2014-09-08 11:18:58 -04:00
Rich Salz
dd3c21b2d2 RT1834: Fix PKCS7_verify return value
The function returns 0 or 1, only.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b0e659cfac)
2014-09-08 10:43:32 -04:00
Adam Williamson
157c345175 RT3511: doc fix; req default serial is random
RT842, closed back in 2004, changed the default serial number
to be a random number rather than zero.  Finally time to update
the doc

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3aba132d61)
2014-08-31 23:41:51 -04:00
TANABE Hiroyasu
8475416fe7 RT1325,2973: Add more extensions to c_rehash
Add .crt/.cer/.crl to the filenames parsed.

I also updated the podpage (since it didn't exist when
this ticket was first created, nor when it was re-created
seven years later).

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 80ec8d4e3e)
2014-08-31 00:37:54 -04:00
Rich Salz
6aa9dbab0f RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 10:05:19 -04:00
James Westby
c1071ab4f1 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b3)
2014-08-30 09:51:36 -04:00
Rich Salz
5decce4db0 RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae)
2014-08-29 16:46:16 -04:00
Dr. Stephen Henson
8fb57b29d6 Custom extension documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f3f56c2a87)
2014-08-28 18:10:21 +01:00
Matt Caswell
2083f7c465 RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)
2014-08-27 19:50:15 +02:00
Mihai Militaru
dc5c3d7370 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c544)
2014-08-27 13:25:36 -04:00
David Gatwood
0a64a864b4 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:38:27 -04:00
Jan Schaumann
dec128313b RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:17 -04:00
Matt Caswell
1d4f214eaf Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b95)
2014-08-24 21:26:02 +01:00
Emilia Kasper
108e907645 Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a20)
2014-08-22 15:05:55 +02:00
Tim Hudson
2be9425514 Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6)
2014-07-21 20:25:14 +10:00
Dr. Stephen Henson
be12cb3e24 Fix documentation for RSA_set_method(3)
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
2014-07-19 18:25:53 +01:00
Jeffrey Walton
6ccd120f5f Fix typo, add reference.
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf)
2014-07-17 12:08:26 +01:00
Matt Caswell
b11c24110c Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a)
2014-07-15 23:22:49 +01:00
Dr. Stephen Henson
beac6cb5aa Clarify -Verify and PSK.
PR#3452
(cherry picked from commit ca2015a617)
2014-07-15 20:23:25 +01:00
Hubert Kario
cdae9a58e6 document -nextprotoneg option in man pages
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e777e)
2014-07-14 23:43:21 +01:00
Viktor Dukhovni
3ebcecf5c4 Improve X509_check_host() documentation.
Based on feedback from Jeffrey Walton.

(cherry picked from commit b73ac02735)
2014-07-07 20:35:49 +10:00
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
2014-07-07 19:20:34 +10:00