Commit graph

258 commits

Author SHA1 Message Date
Matt Caswell
9dee5244e1 Add documentation for some missing verify options
Fills in a couple of verify options that were lacking documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 79a55b1f27)

Conflicts:
	doc/apps/verify.pod
2015-07-07 22:07:14 +01:00
Matt Caswell
595487ea19 Remove export static DH ciphersuites
Remove support for the two export grade static DH ciphersuites. These two
ciphersuites were newly added (along with a number of other static DH
ciphersuites) to 1.0.2. However the two export ones have *never* worked
since they were introduced. It seems strange in any case to be adding new
export ciphersuites, and given "logjam" it also does not seem correct to
fix them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 13f8eb4730)

Conflicts:
	CHANGES
2015-05-23 00:01:45 +01:00
Emilia Kasper
b32aa8e63e dhparam: fix documentation
The default bitlength is now 2048. Also clarify that either the number
of bits or the generator must be present:

$ openssl dhparam -2
and
$ openssl dhparam 2048
generate parameters but
$ openssl dhparam
does not.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-20 14:54:51 +02:00
Matt Caswell
be856c0391 Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Dr. Stephen Henson
d3a9eaccc1 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da0)
2015-03-24 12:27:13 +00:00
Dr. Stephen Henson
c0d69ddb33 additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a2)
2015-03-12 13:45:24 +00:00
Kurt Roeckx
f417997a32 Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-07 23:02:19 +01:00
Dr. Stephen Henson
36b619a06e Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 384dee5124)
2015-02-24 15:28:38 +00:00
Thorsten Glaser
dc00fb9d51 Document openssl dgst -hmac option
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:53:48 +01:00
André Guerreiro
4d3df37bc7 Add documentation on -timeout option in the ocsp utility
PR#3612

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit de87dd46c1)
2014-11-27 14:14:52 +00:00
Daniel Kahn Gillmor
0ec6898c67 Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH
see RT #3203

Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants.  This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-10 10:58:49 +01:00
Bodo Moeller
80fb4820cb Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 10:50:53 +02:00
Matthias Andree
ef720a67ab RT2272: Add old-style hash to c_rehash
In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a787c2590e)
2014-09-08 11:35:25 -04:00
Adam Williamson
157c345175 RT3511: doc fix; req default serial is random
RT842, closed back in 2004, changed the default serial number
to be a random number rather than zero.  Finally time to update
the doc

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3aba132d61)
2014-08-31 23:41:51 -04:00
TANABE Hiroyasu
8475416fe7 RT1325,2973: Add more extensions to c_rehash
Add .crt/.cer/.crl to the filenames parsed.

I also updated the podpage (since it didn't exist when
this ticket was first created, nor when it was re-created
seven years later).

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 80ec8d4e3e)
2014-08-31 00:37:54 -04:00
Rich Salz
6aa9dbab0f RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 10:05:19 -04:00
James Westby
c1071ab4f1 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b3)
2014-08-30 09:51:36 -04:00
Dr. Stephen Henson
beac6cb5aa Clarify -Verify and PSK.
PR#3452
(cherry picked from commit ca2015a617)
2014-07-15 20:23:25 +01:00
Hubert Kario
cdae9a58e6 document -nextprotoneg option in man pages
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e777e)
2014-07-14 23:43:21 +01:00
Dr. Stephen Henson
fbe8ea3abe Document certificate status request options.
(cherry picked from commit cba3f1c739)
2014-07-06 22:45:20 +01:00
Dr. Stephen Henson
2cfbec1cae typo 2014-07-04 13:50:26 +01:00
Dr. Stephen Henson
22db480daf Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs.
2014-07-04 13:42:05 +01:00
Rich Salz
d107382214 Merge branch 'rsalz-docfixes' 2014-07-03 12:57:16 -04:00
Hubert Kario
4ceddeea6c backport changes to ciphers(1) man page
Backport of patch:
add ECC strings to ciphers(1), point out difference between DH and ECDH

and backport of other other assorted fixes to this man page

 * Make a clear distinction between DH and ECDH key exchange.
 * Group all key exchange cipher suite identifiers, first DH then ECDH
 * add descriptions for all supported *DH* identifiers
 * add ECDSA authentication descriptions
 * add example showing how to disable all suites that offer no
   authentication or encryption
 * update status of static DH (it's now supported)
 * backport descriptions of AES128, AES256, AESGCM
 * backport descriptions of CAMELLIA128, CAMELLIA256
 * backport listing of standard names for ECC cipher suites
   and TLSv1.2 cipher suites
 * backport description of PSK cipher suites
2014-06-10 20:55:14 +01:00
Matt Caswell
15e4565984 Fixed minor copy&paste error, and stray space causing rendering problem 2014-05-22 00:11:40 +01:00
Dr. Stephen Henson
cd302feb5d Change default cipher in smime app to des3.
PR#3357
(cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)
2014-05-21 11:28:57 +01:00
Matt Caswell
a99d2a22e1 Moved note about lack of support for AEAD modes out of BUGS section to SUPPORTED CIPHERS section (bug has been fixed, but still no support for AEAD) 2014-05-15 21:15:21 +01:00
Jeffrey Walton
4907cf0845 Fix grammar error in verify pod. PR#3355 2014-05-14 22:58:19 +01:00
Jeffrey Walton
28b4820f70 Add information to BUGS section of enc documentation. PR#3354 2014-05-14 22:58:19 +01:00
Lubomir Rintel
15a4add72d POD: Fix item numbering
Newer pod2man considers =item [1-9] part of a numbered list, while =item
0 starts an unnumbered list. Add a zero effect formatting mark to override
this.

doc/apps/smime.pod around line 315: Expected text after =item, not a
number
...

PR#3146
2014-04-30 23:44:54 +01:00
mancha
e6a01b47e4 Fix version documentation.
Specify -f is for compilation flags. Add -d to synopsis section.

(cherry picked from commit 006397ea62bbcae22c8664d53c2222b808c4bdd1)

Closes #78.
2014-04-26 11:20:00 +01:00
Dr. Stephen Henson
6e85eba11b Document -debug_decrypt option.
(cherry picked from commit 0dd5b94aeb)
2014-04-16 12:35:54 +01:00
Dr. Stephen Henson
a4896327e3 Document -verify_return_error option.
(cherry picked from commit 4e6c12f308)
2014-04-07 13:03:54 +01:00
Dr. Stephen Henson
04f35a8909 Document new crl option.
(cherry picked from commit dbb7654dc1)
2014-04-03 13:35:48 +01:00
Dr. Stephen Henson
b60272b01f PKCS#8 support for alternative PRFs.
Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.

Add option to pkcs8 utility.

Update docs.
2014-03-01 23:14:08 +00:00
Scott Schaefer
0413ea5801 Fix various spelling errors
(cherry picked from commit 2b4ffc659e)
2014-02-14 22:35:15 +00:00
Scott Schaefer
2f6fba6772 Document pkcs12 -password behavior
apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit 856c6dfb09)
2014-02-14 22:35:15 +00:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Dr. Stephen Henson
024dbfd44c Document RSAPublicKey_{in,out} options.
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
2013-11-09 15:09:22 +00:00
Dr. Stephen Henson
a78b21fc67 Update cms docs.
(cherry picked from commit dfcb42c68e)
2013-10-01 14:01:19 +01:00
Dr. Stephen Henson
dddb38834e Update cms docs.
Document use of -keyopt to use RSA-PSS and RSA-OAEP modes.
(cherry picked from commit 4bf4a6501c)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
c9ea4df8f9 Document -force_pubkey option.
(cherry picked from commit b093a06866bf632a97a9a0286e2d08f69c3cf7dd)
2013-08-21 13:41:17 +01:00
Trevor
e27711cfdd Trying cherrypick:
Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.

Conflicts:

	CHANGES
	ssl/ssl.h
	ssl/ssltest.c
	test/testssl

Fix compilation due to #endif.

Cherrypicking more stuff.

Cleanup of custom extension stuff.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleaup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.

Conflicts:

	test/testssl
2013-07-03 11:53:30 +01:00
Ben Laurie
4e72220fd6 Documentation improvements by Chris Palmer (Google). 2012-12-14 13:29:17 +00:00
Ben Laurie
5dca1e338c Document -pubkey option. 2012-12-13 16:16:48 +00:00
Dr. Stephen Henson
1d5f3f4640 correct docs 2012-11-19 20:06:57 +00:00
Dr. Stephen Henson
cdb41713a4 Document RFC5114 "generation" options.
(backport from HEAD)
2012-04-07 20:42:17 +00:00
Andy Polyakov
1fb07a7de8 doc/apps: formatting fixes [from HEAD].
PR: 2683
Submitted by: Annie Yousar
2012-01-11 21:58:42 +00:00
Dr. Stephen Henson
0172ad2902 Minor documentation fixes, PR#2345 2010-10-04 13:28:27 +00:00
Dr. Stephen Henson
d9aa352ff0 Minor documentation fixes, PR#2344 2010-10-04 13:24:07 +00:00