aboutsummaryrefslogtreecommitdiffstats
path: root/doc/apps
diff options
context:
space:
mode:
authorSimon L. B. Nielsen <simon@FreeBSD.org>2010-02-28 18:49:43 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2010-02-28 18:49:43 +0000
commitf7a1b4761cf3f798e1b42d703d38221b47ce1eec (patch)
tree21770f10e7f26d05fc9b0fa96a7b6d7b107552c5 /doc/apps
parentf0c2a617dfb432d01bc5a716eb18dae12e6b45e3 (diff)
downloadsrc-f7a1b4761cf3f798e1b42d703d38221b47ce1eec.tar.gz
src-f7a1b4761cf3f798e1b42d703d38221b47ce1eec.zip
Import OpenSSL 0.9.8m.vendor/openssl/0.9.8m
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=204477 svn path=/vendor-crypto/openssl/0.9.8m/; revision=204478; tag=vendor/openssl/0.9.8m
Diffstat (limited to 'doc/apps')
-rw-r--r--doc/apps/enc.pod10
-rw-r--r--doc/apps/verify.pod17
2 files changed, 17 insertions, 10 deletions
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 4391c933600f..d3049e82e969 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -50,15 +50,13 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-salt>
-use a salt in the key derivation routines. This option should B<ALWAYS>
-be used unless compatibility with previous versions of OpenSSL or SSLeay
-is required. This option is only present on OpenSSL versions 0.9.5 or
-above.
+use a salt in the key derivation routines. This is the default.
=item B<-nosalt>
-don't use a salt in the key derivation routines. This is the default for
-compatibility with previous versions of OpenSSL and SSLeay.
+don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
+used except for test purposes or compatibility with ancient versions of OpenSSL
+and SSLeay.
=item B<-e>
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index ff2629d2cf85..31875773e385 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -66,6 +66,11 @@ certificate was rejected. However the presence of rejection messages
does not itself imply that anything is wrong: during the normal
verify process several rejections may take place.
+=item B<-check_ss_sig>
+
+Verify the signature on the self-signed root CA. This is disabled by default
+because it doesn't add any security.
+
=item B<->
marks the last option. All arguments following this are assumed to be
@@ -166,8 +171,8 @@ the operation was successful.
=item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
+the issuer certificate of a looked up certificate could not be found. This
+normally means the list of trusted certificates is not complete.
=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
@@ -244,8 +249,8 @@ be found locally.
=item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
-the issuer certificate of a locally looked up certificate could not be found. This normally means
-the list of trusted certificates is not complete.
+the issuer certificate could not be found: this occurs if the issuer
+certificate of an untrusted certificate cannot be found.
=item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
@@ -321,6 +326,10 @@ the certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject name are identical and
mishandled them.
+Previous versions of this documentation swapped the meaning of the
+B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
+B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
+
=head1 SEE ALSO
L<x509(1)|x509(1)>