path: root/doc/apps
diff options
authorSimon L. B. Nielsen <simon@FreeBSD.org>2008-09-21 14:56:30 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2008-09-21 14:56:30 +0000
commitbb1499d2aac1d25a95b8573ff425751f06f159e1 (patch)
treea136b5b2317abe8eb83b021afe5e088230fd67e2 /doc/apps
parentee266f1253f9cc49430572463d26f72910dfb49e (diff)
Vendor import of OpenSSL 0.9.8i.vendor/openssl/0.9.8i
Notes: svn path=/vendor-crypto/openssl/dist/; revision=183234 svn path=/vendor-crypto/openssl/0.9.8i/; revision=193572; tag=vendor/openssl/0.9.8i
Diffstat (limited to 'doc/apps')
9 files changed, 112 insertions, 15 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index e16eadef21ee..694e433ef392 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -105,7 +105,7 @@ The following is a list of all permitted cipher strings and their meanings.
=item B<DEFAULT>
the default cipher list. This is determined at compile time and is normally
-B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string
+B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string
@@ -209,6 +209,10 @@ anonymous DH cipher suites.
cipher suites using AES.
+=item B<CAMELLIA>
+cipher suites using Camellia.
=item B<3DES>
cipher suites using triple DES.
@@ -229,6 +233,10 @@ cipher suites using RC2.
cipher suites using IDEA.
+=item B<SEED>
+cipher suites using SEED.
=item B<MD5>
cipher suites using MD5.
@@ -237,10 +245,6 @@ cipher suites using MD5.
cipher suites using SHA1.
-=item B<Camellia>
-cipher suites using Camellia.
@@ -323,10 +327,10 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented.
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented.
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented.
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented.
@@ -354,6 +358,18 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
+=head2 SEED ciphersuites from RFC4162, extending TLS v1.0
+ TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented.
+ TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented.
=head2 Additional Export 1024 and other cipher suites
Note: these ciphers can also be used in SSL v3.
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index b0d198724c6b..908cd2a6d657 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -18,6 +18,7 @@ B<openssl> B<dgst>
[B<-verify filename>]
[B<-prverify filename>]
[B<-signature filename>]
+[B<-hmac key>]
@@ -78,6 +79,10 @@ verify the signature using the the private key in "filename".
the actual signature to verify.
+=item B<-hmac key>
+create a hashed MAC using "key".
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index c43da5b3f1ee..4391c933600f 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -227,6 +227,14 @@ Blowfish and RC5 algorithms use a 128 bit key.
rc5-ecb RC5 cipher in ECB mode
rc5-ofb RC5 cipher in OFB mode
+ aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
+ aes-[128|192|256] Alias for aes-[128|192|256]-cbc
+ aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
+ aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
+ aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
+ aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
+ aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
Just base64 encode a binary file:
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 4f266058e536..b58ddc1788cb 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -73,7 +73,7 @@ specify output filename, default is standard output.
This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
-PEM format.
+PEM format. This option B<MUST> come before any B<-cert> options.
=item B<-cert filename>
@@ -146,7 +146,7 @@ certificate in such cases.
=item B<-trust_other>
-the certificates specified by the B<-verify_certs> option should be explicitly
+the certificates specified by the B<-verify_other> option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
@@ -154,7 +154,7 @@ root CA is not appropriate.
=item B<-VAfile file>
file containing explicitly trusted responder certificates. Equivalent to the
-B<-verify_certs> and B<-trust_other> options.
+B<-verify_other> and B<-trust_other> options.
=item B<-noverify>
@@ -166,7 +166,7 @@ of the responders certificate.
ignore certificates contained in the OCSP response when searching for the
signers certificate. With this option the signers certificate must be specified
-with either the B<-verify_certs> or B<-VAfile> options.
+with either the B<-verify_other> or B<-VAfile> options.
=item B<-no_signature_verify>
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod
index dc0f49ddca63..964cdf0f027d 100644
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -227,6 +227,22 @@ SHA Digest
SHA-1 Digest
+=item B<sha224>
+SHA-224 Digest
+=item B<sha256>
+SHA-256 Digest
+=item B<sha384>
+SHA-384 Digest
+=item B<sha512>
+SHA-512 Digest
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index a7c1681d9859..1a498c2f62e0 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -152,7 +152,7 @@ The final BIT STRING contains the actual signature. It can be extracted with:
The certificate public key can be extracted with:
- openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
+ openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
The signature can be analysed with:
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index c17a83a22581..c44d357cf754 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -38,6 +38,10 @@ B<openssl> B<s_client>
[B<-cipher cipherlist>]
[B<-starttls protocol>]
[B<-engine id>]
+[B<-sess_out filename>]
+[B<-sess_in filename>]
[B<-rand file(s)>]
@@ -186,6 +190,26 @@ send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", and "ftp".
+=item B<-tlsextdebug>
+print out a hex dump of any TLS extensions received from the server. Note: this
+option is only available if extension support is explicitly enabled at compile
+=item B<-no_ticket>
+disable RFC4507bis session ticket support. Note: this option is only available
+if extension support is explicitly enabled at compile time
+=item B<-sess_out filename>
+output SSL session to B<filename>
+=item B<-sess_in sess.pem>
+load SSL session from B<filename>. The client will attempt to resume a
+connection from this session.
=item B<-engine id>
specifying an engine (by it's unique B<id> string) will cause B<s_client>
@@ -246,6 +270,13 @@ on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain.
+Since the SSLv23 client hello cannot include compression methods or extensions
+these will only be supported if its use is disabled, for example by using the
+B<-no_sslv2> option.
+TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly
+enabled at compile time using for example the B<enable-tlsext> switch.
=head1 BUGS
Because this program has a lot of options and also because some of
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 7c1a9581d961..fdcc170e2832 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -12,6 +12,8 @@ B<openssl> B<s_server>
[B<-context id>]
[B<-verify depth>]
[B<-Verify depth>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key keyfile>]
@@ -48,6 +50,8 @@ B<openssl> B<s_server>
[B<-engine id>]
[B<-id_prefix arg>]
[B<-rand file(s)>]
@@ -140,6 +144,12 @@ the client. With the B<-verify> option a certificate is requested but the
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
+=item B<-crl_check>, B<-crl_check_all>
+Check the peer certificate has not been revoked by its CA.
+The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
+option all CRLs of all CAs in the chain are checked.
=item B<-CApath directory>
The directory to use for client certificate verification. This directory
@@ -205,6 +215,14 @@ also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist irrelevant. See
the B<ciphers> command for more information.
+=item B<-tlsextdebug>
+print out a hex dump of any TLS extensions received from the server.
+=item B<-no_ticket>
+disable RFC4507bis session ticket support.
=item B<-www>
sends a status message back to the client when it connects. This includes
@@ -307,6 +325,9 @@ mean any CA is acceptable. This is useful for debugging purposes.
The session parameters can printed out using the B<sess_id> program.
+TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly
+enabled at compile time using for example the B<enable-tlsext> switch.
=head1 BUGS
Because this program has a lot of options and also because some of
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index ea5c29c15021..ff2629d2cf85 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -169,7 +169,7 @@ the operation was successful.
the issuer certificate could not be found: this occurs if the issuer certificate
of an untrusted certificate cannot be found.
-=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL>
+=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
the CRL of a certificate could not be found. Unused.