authorJung-uk Kim <jkim@FreeBSD.org>2015-10-30 20:51:33 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2015-10-30 20:51:33 +0000
commit7bded2db17780f5b59bc532689d8a9541f06901e (patch)
treee8d8b5ada49f5cdbf70d1e455c13f2625fdcdd45 /secure/usr.bin/openssl
parent50657fd342bcf1886e5b6d2c74605bbdd6b91bed (diff)
parente9fcefce9bb70f20c272a996443928c5f6ab8cd8 (diff)
Merge OpenSSL 1.0.2d.
Notes
Notes: svn path=/head/; revision=290207
Diffstat (limited to 'secure/usr.bin/openssl')
-rw-r--r--secure/usr.bin/openssl/man/CA.pl.12
-rw-r--r--secure/usr.bin/openssl/man/asn1parse.12
-rw-r--r--secure/usr.bin/openssl/man/c_rehash.137
-rw-r--r--secure/usr.bin/openssl/man/ca.12
-rw-r--r--secure/usr.bin/openssl/man/ciphers.182
-rw-r--r--secure/usr.bin/openssl/man/cms.155
-rw-r--r--secure/usr.bin/openssl/man/crl.12
-rw-r--r--secure/usr.bin/openssl/man/crl2pkcs7.12
-rw-r--r--secure/usr.bin/openssl/man/dgst.12
-rw-r--r--secure/usr.bin/openssl/man/dhparam.12
-rw-r--r--secure/usr.bin/openssl/man/dsa.12
-rw-r--r--secure/usr.bin/openssl/man/dsaparam.12
-rw-r--r--secure/usr.bin/openssl/man/ec.12
-rw-r--r--secure/usr.bin/openssl/man/ecparam.12
-rw-r--r--secure/usr.bin/openssl/man/enc.12
-rw-r--r--secure/usr.bin/openssl/man/errstr.12
-rw-r--r--secure/usr.bin/openssl/man/gendsa.12
-rw-r--r--secure/usr.bin/openssl/man/genpkey.116
-rw-r--r--secure/usr.bin/openssl/man/genrsa.12
-rw-r--r--secure/usr.bin/openssl/man/nseq.12
-rw-r--r--secure/usr.bin/openssl/man/ocsp.14
-rw-r--r--secure/usr.bin/openssl/man/openssl.12
-rw-r--r--secure/usr.bin/openssl/man/passwd.12
-rw-r--r--secure/usr.bin/openssl/man/pkcs12.12
-rw-r--r--secure/usr.bin/openssl/man/pkcs7.12
-rw-r--r--secure/usr.bin/openssl/man/pkcs8.115
-rw-r--r--secure/usr.bin/openssl/man/pkey.12
-rw-r--r--secure/usr.bin/openssl/man/pkeyparam.12
-rw-r--r--secure/usr.bin/openssl/man/pkeyutl.12
-rw-r--r--secure/usr.bin/openssl/man/rand.12
-rw-r--r--secure/usr.bin/openssl/man/req.16
-rw-r--r--secure/usr.bin/openssl/man/rsa.12
-rw-r--r--secure/usr.bin/openssl/man/rsautl.12
-rw-r--r--secure/usr.bin/openssl/man/s_client.126
-rw-r--r--secure/usr.bin/openssl/man/s_server.121
-rw-r--r--secure/usr.bin/openssl/man/s_time.12
-rw-r--r--secure/usr.bin/openssl/man/sess_id.12
-rw-r--r--secure/usr.bin/openssl/man/smime.14
-rw-r--r--secure/usr.bin/openssl/man/speed.12
-rw-r--r--secure/usr.bin/openssl/man/spkac.12
-rw-r--r--secure/usr.bin/openssl/man/ts.12
-rw-r--r--secure/usr.bin/openssl/man/tsget.12
-rw-r--r--secure/usr.bin/openssl/man/verify.140
-rw-r--r--secure/usr.bin/openssl/man/version.12
-rw-r--r--secure/usr.bin/openssl/man/x509.111
-rw-r--r--secure/usr.bin/openssl/man/x509v3_config.12
46 files changed, 270 insertions, 115 deletions
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index feb02cfe70f6..d70ef8c76679 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CA.PL 1"
-.TH CA.PL 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH CA.PL 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
index 5cdea6869ce4..5b30f3d7cba3 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH ASN1PARSE 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/c_rehash.1 b/secure/usr.bin/openssl/man/c_rehash.1
index 3b0365b44a89..1f26bb38db0f 100644
--- a/secure/usr.bin/openssl/man/c_rehash.1
+++ b/secure/usr.bin/openssl/man/c_rehash.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "C_REHASH 1"
-.TH C_REHASH 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH C_REHASH 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -143,12 +143,18 @@ c_rehash \- Create symbolic links to files named by the hash values
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBc_rehash\fR
+\&\fB[\-old]\fR
+\&\fB[\-h]\fR
+\&\fB[\-n]\fR
+\&\fB[\-v]\fR
[ \fIdirectory\fR...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
-\&\fBc_rehash\fR scans directories and calculates a hash value of each \f(CW\*(C`.pem\*(C'\fR
+\&\fBc_rehash\fR scans directories and calculates a hash value of each
+\&\f(CW\*(C`.pem\*(C'\fR, \f(CW\*(C`.crt\*(C'\fR, \f(CW\*(C`.cer\*(C'\fR, or \f(CW\*(C`.crl\*(C'\fR
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
+(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.
.PP
@@ -166,6 +172,7 @@ is a hexadecimal character and \fBD\fR is a single decimal digit.
When processing a directory, \fBc_rehash\fR will first remove all links
that have a name in that syntax. If you have links in that format
used for other purposes, they will be removed.
+To skip the removal step, use the \fB\-n\fR flag.
Hashes for \s-1CRL\s0's look similar except the letter \fBr\fR appears after
the period, like this: \f(CW\*(C`HHHHHHHH.rD\*(C'\fR.
.PP
@@ -174,7 +181,7 @@ incrementing the \fBD\fR value. Duplicates are found by comparing the
full \s-1SHA\-1\s0 fingerprint. A warning will be displayed if a duplicate
is found.
.PP
-A warning will also be displayed if there are \fB.pem\fR files that
+A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a \s-1CRL.\s0
.PP
The program uses the \fBopenssl\fR program to compute the hashes and
@@ -184,13 +191,31 @@ Any program can be used, it will be invoked as follows for either
a certificate or \s-1CRL:\s0
.PP
.Vb 2
-\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FFFFFF
-\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FFFFFF
+\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FILENAME
+\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FILENAME
.Ve
.PP
-where \fB\s-1FFFFFF\s0\fR is the filename. It must output the hash of the
+where \fB\s-1FILENAME\s0\fR is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-old\fR" 4
+.IX Item "-old"
+Use old-style hashing (\s-1MD5,\s0 as opposed to \s-1SHA\-1\s0) for generating
+links for releases before 1.0.0. Note that current versions will
+not use the old style.
+.IP "\fB\-h\fR" 4
+.IX Item "-h"
+Display a brief usage message.
+.IP "\fB\-n\fR" 4
+.IX Item "-n"
+Do not remove existing links.
+This is needed when keeping new and old-style links in the same directory.
+.IP "\fB\-v\fR" 4
+.IX Item "-v"
+Print messages about old links removed and new links created.
+By default, \fBc_rehash\fR only lists each directory as it is processed.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL\s0\fR" 4
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index 76df602af231..0026b4ceeefc 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CA 1"
-.TH CA 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH CA 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index a79ee7a954fa..ff87f0da51cb 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH CIPHERS 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -281,13 +281,13 @@ cipher suites using \s-1RSA\s0 key exchange.
.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
.IX Item "kDHr, kDHd, kDH"
cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
-and \s-1DSS\s0 keys or either respectively. Not implemented.
-.IP "\fBkEDH\fR" 4
-.IX Item "kEDH"
+and \s-1DSS\s0 keys or either respectively.
+.IP "\fBkDHE\fR, \fBkEDH\fR" 4
+.IX Item "kDHE, kEDH"
cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher
suites.
-.IP "\fB\s-1EDH\s0\fR" 4
-.IX Item "EDH"
+.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4
+.IX Item "DHE, EDH"
cipher suites using authenticated ephemeral \s-1DH\s0 key agreement.
.IP "\fB\s-1ADH\s0\fR" 4
.IX Item "ADH"
@@ -300,12 +300,12 @@ cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s
.IX Item "kECDHr, kECDHe, kECDH"
cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0
keys or either respectively.
-.IP "\fBkEECDH\fR" 4
-.IX Item "kEECDH"
+.IP "\fBkECDHE\fR, \fBkEECDH\fR" 4
+.IX Item "kECDHE, kEECDH"
cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous
cipher suites.
-.IP "\fB\s-1EECDHE\s0\fR" 4
-.IX Item "EECDHE"
+.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4
+.IX Item "ECDHE, EECDH"
cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement.
.IP "\fB\s-1AECDH\s0\fR" 4
.IX Item "AECDH"
@@ -323,7 +323,7 @@ cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1D
.IP "\fBaDH\fR" 4
.IX Item "aDH"
cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
-\&\s-1DH\s0 keys. Not implemented.
+\&\s-1DH\s0 keys.
.IP "\fBaECDH\fR" 4
.IX Item "aECDH"
cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates
@@ -401,6 +401,17 @@ cipher suites using \s-1GOST 28147\-89 MAC \s0\fBinstead of\fR \s-1HMAC.\s0
.IP "\fB\s-1PSK\s0\fR" 4
.IX Item "PSK"
cipher suites using pre-shared keys (\s-1PSK\s0).
+.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4
+.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192"
+enables suite B mode operation using 128 (permitting 192 bit mode by peer)
+128 bit (not permitting 192 bit by peer) or 192 bit level of security
+respectively. If used these cipherstrings should appear first in the cipher
+list and anything after them is ignored. Setting Suite B mode has additional
+consequences required to comply with \s-1RFC6460.\s0 In particular the supported
+signature algorithms is reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0
+only the elliptic curves P\-256 and P\-384 can be used and only the two suite B
+compliant ciphersuites (\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and
+\&\s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are permissible.
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
@@ -421,12 +432,10 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
\& SSL_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA
\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
\&
-\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented.
-\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented.
-\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
+\& SSL_DH_DSS_WITH_DES_CBC_SHA DH\-DSS\-DES\-CBC\-SHA
+\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA
+\& SSL_DH_RSA_WITH_DES_CBC_SHA DH\-RSA\-DES\-CBC\-SHA
+\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA
\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA
\& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA
\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA
@@ -483,10 +492,10 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA
\&
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented.
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented.
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA
\&
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA
@@ -502,10 +511,10 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA
\&
-\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA Not implemented.
-\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA Not implemented.
+\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA
+\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA
+\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA
+\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA
\&
\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA
\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA
@@ -520,8 +529,8 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
.Vb 1
\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
\&
-\& TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented.
+\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA
+\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA
\&
\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA
\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA
@@ -593,15 +602,15 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3.
\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
\&
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented.
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented.
-\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented.
-\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented.
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256
+\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256
+\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384
\&
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented.
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented.
-\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented.
-\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented.
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256
+\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256
+\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384
\&
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
@@ -659,9 +668,6 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3.
.Ve
.SH "NOTES"
.IX Header "NOTES"
-The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL
-because there is no support for \s-1DH\s0 certificates.
-.PP
Some compiled versions of OpenSSL may not include all the ciphers
listed here because some ciphers were excluded at compile time.
.SH "EXAMPLES"
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1
index 106bb70586de..bb4dae502b26 100644
--- a/secure/usr.bin/openssl/man/cms.1
+++ b/secure/usr.bin/openssl/man/cms.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CMS 1"
-.TH CMS 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH CMS 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -194,6 +194,7 @@ cms \- CMS utility
[\fB\-secretkeyid id\fR]
[\fB\-econtent_type type\fR]
[\fB\-inkey file\fR]
+[\fB\-keyopt name:parameter\fR]
[\fB\-passin arg\fR]
[\fB\-rand file(s)\fR]
[\fBcert.pem...\fR]
@@ -412,8 +413,13 @@ verified then the signers certificates will be written to this file if the
verification was successful.
.IP "\fB\-recip file\fR" 4
.IX Item "-recip file"
-the recipients certificate when decrypting a message. This certificate
-must match one of the recipients of the message or an error occurs.
+when decrypting a message this specifies the recipients certificate. The
+certificate must match one of the recipients of the message or an error
+occurs.
+.Sp
+When encrypting a message this option may be used multiple times to specify
+each recipient. This form \fBmust\fR be used if customised parameters are
+required (for example to specify RSA-OAEP).
.IP "\fB\-keyid\fR" 4
.IX Item "-keyid"
use subject key identifier to identify certificates instead of issuer name and
@@ -462,6 +468,12 @@ corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
+.IP "\fB\-keyopt name:opt\fR" 4
+.IX Item "-keyopt name:opt"
+for signing and encryption this option can be used multiple times to
+set customised parameters for the preceding key or certificate. It can
+currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
+or to modify default parameters for \s-1ECDH.\s0
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
the private key password source. For more information about the format of \fBarg\fR
@@ -570,6 +582,10 @@ The \fB\-compress\fR option.
.PP
The \fB\-secretkey\fR option when used with \fB\-encrypt\fR.
.PP
+The use of \s-1PSS\s0 with \fB\-sign\fR.
+.PP
+The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR.
+.PP
Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot
be processed by the older \fBsmime\fR command.
.SH "EXAMPLES"
@@ -676,6 +692,27 @@ Add a signer to an existing message:
.Vb 1
\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
+.PP
+Sign mail using RSA-PSS:
+.PP
+.Vb 2
+\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
+\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss
+.Ve
+.PP
+Create encrypted mail using RSA-OAEP:
+.PP
+.Vb 2
+\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
+\& \-recip cert.pem \-keyopt rsa_padding_mode:oaep
+.Ve
+.PP
+Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate:
+.PP
+.Vb 2
+\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
+\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256
+.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
@@ -700,4 +737,14 @@ No revocation checking is done on the signer's certificate.
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0
.PP
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \fBkeyopt\fR option was first added in OpenSSL 1.1.0
+.PP
+The use of \fB\-recip\fR to specify the recipient when encrypting mail was first
+added to OpenSSL 1.1.0
+.PP
+Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
+.PP
+The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR was first added
+to OpenSSL 1.1.0.
+.PP
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
index 564fce0475cf..352499aa7aa0 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CRL 1"
-.TH CRL 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH CRL 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
index 8c41ff998cbe..a768c92c69d0 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH CRL2PKCS7 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
index c2ec0a8c3da6..fdf1535936f8 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "DGST 1"
-.TH DGST 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH DGST 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
index ba49bd459202..e89a3511abb1 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH DHPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
index 213c803cd965..da5df4221edf 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "DSA 1"
-.TH DSA 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH DSA 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
index 2f76249a085e..20e8e68ca80e 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH DSAPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1
index 99533b9283e4..24ced4b67bb3 100644
--- a/secure/usr.bin/openssl/man/ec.1
+++ b/secure/usr.bin/openssl/man/ec.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EC 1"
-.TH EC 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH EC 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1
index b03dad471d18..a615b3f27743 100644
--- a/secure/usr.bin/openssl/man/ecparam.1
+++ b/secure/usr.bin/openssl/man/ecparam.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH ECPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
index 6a7103f8dfb6..c119e7e9a5c6 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "ENC 1"
-.TH ENC 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH ENC 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1
index 29b48ee88e32..c4f1e0aacf21 100644
--- a/secure/usr.bin/openssl/man/errstr.1
+++ b/secure/usr.bin/openssl/man/errstr.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH ERRSTR 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
index 70df1805ea2f..642e7ade73da 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "GENDSA 1"
-.TH GENDSA 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH GENDSA 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1
index 0a40a3f01ada..fd2264ec6f82 100644
--- a/secure/usr.bin/openssl/man/genpkey.1
+++ b/secure/usr.bin/openssl/man/genpkey.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "GENPKEY 1"
-.TH GENPKEY 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH GENPKEY 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -232,6 +232,14 @@ The number of bits in the prime parameter \fBp\fR.
.IP "\fBdh_paramgen_generator:value\fR" 4
.IX Item "dh_paramgen_generator:value"
The value to use for the generator \fBg\fR.
+.IP "\fBdh_rfc5114:num\fR" 4
+.IX Item "dh_rfc5114:num"
+If this option is set then the appropriate \s-1RFC5114\s0 parameters are used
+instead of generating new parameters. The value \fBnum\fR can take the
+values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of
+1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
+and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections
+2.1, 2.2 and 2.3 respectively.
.SH "EC PARAMETER GENERATION OPTIONS"
.IX Header "EC PARAMETER GENERATION OPTIONS"
.IP "\fBec_paramgen_curve:curve\fR" 4
@@ -308,6 +316,12 @@ Generate 1024 bit \s-1DH\s0 parameters:
\& \-pkeyopt dh_paramgen_prime_len:1024
.Ve
.PP
+Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup:
+.PP
+.Vb 1
+\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2
+.Ve
+.PP
Generate \s-1DH\s0 key from parameters:
.PP
.Vb 1
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
index babce6d56216..a701f160faf4 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "GENRSA 1"
-.TH GENRSA 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH GENRSA 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
index 796efa4f9c4f..990d4f76e719 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "NSEQ 1"
-.TH NSEQ 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH NSEQ 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
index d45193d3708b..f99ce3b92a51 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "OCSP 1"
-.TH OCSP 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH OCSP 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -489,4 +489,4 @@ second file.
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index b2ae545de2fd..b307e037c417 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH OPENSSL 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
index 705a8e35ae92..54e355af1e34 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PASSWD 1"
-.TH PASSWD 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PASSWD 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
index ac989642370d..85e4b736315d 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PKCS12 1"
-.TH PKCS12 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PKCS12 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
index deee40d091df..d077174cc61c 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PKCS7 1"
-.TH PKCS7 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PKCS7 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
index 5824bd710a51..5e3dfab28b46 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PKCS8 1"
-.TH PKCS8 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PKCS8 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -156,6 +156,7 @@ pkcs8 \- PKCS#8 format private key conversion tool
[\fB\-embed\fR]
[\fB\-nsdb\fR]
[\fB\-v2 alg\fR]
+[\fB\-v2prf alg\fR]
[\fB\-v1 alg\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
@@ -238,6 +239,11 @@ private keys with OpenSSL then this doesn't matter.
.Sp
The \fBalg\fR argument is the encryption algorithm to use, valid values include
\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used.
+.IP "\fB\-v2prf alg\fR" 4
+.IX Item "-v2prf alg"
+This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value
+values would be \fBhmacWithSHA256\fR. If this option isn't set then the default
+for the cipher is used or \fBhmacWithSHA1\fR if there is no default.
.IP "\fB\-v1 alg\fR" 4
.IX Item "-v1 alg"
This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
@@ -308,6 +314,13 @@ Convert a private from traditional to PKCS#5 v2.0 format using triple
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem
.Ve
.PP
+Convert a private from traditional to PKCS#5 v2.0 format using \s-1AES\s0 with
+256 bits in \s-1CBC\s0 mode and \fBhmacWithSHA256\fR \s-1PRF:\s0
+.PP
+.Vb 1
+\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA256 \-out enckey.pem
+.Ve
+.PP
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(\s-1DES\s0):
.PP
diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1
index f270aeb7edfb..77b824cb5fa5 100644
--- a/secure/usr.bin/openssl/man/pkey.1
+++ b/secure/usr.bin/openssl/man/pkey.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PKEY 1"
-.TH PKEY 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PKEY 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1
index 8b7d5bca297d..2df7904c86f0 100644
--- a/secure/usr.bin/openssl/man/pkeyparam.1
+++ b/secure/usr.bin/openssl/man/pkeyparam.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PKEYPARAM 1"
-.TH PKEYPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PKEYPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1
index 058292b6bab0..64ec80ee161b 100644
--- a/secure/usr.bin/openssl/man/pkeyutl.1
+++ b/secure/usr.bin/openssl/man/pkeyutl.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "PKEYUTL 1"
-.TH PKEYUTL 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH PKEYUTL 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
index 6161b7664d12..a1c30f605bad 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "RAND 1"
-.TH RAND 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH RAND 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
index 38d9849fe9f0..a404c1c45f8f 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/req.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "REQ 1"
-.TH REQ 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH REQ 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -340,8 +340,8 @@ this option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root \s-1CA.\s0 The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
-using the \fBset_serial\fR option \fB0\fR will be used for the serial
-number.
+using the \fBset_serial\fR option, a large random number will be used for
+the serial number.
.IP "\fB\-days n\fR" 4
.IX Item "-days n"
when the \fB\-x509\fR option is being used this specifies the number of
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
index b240fb7fc206..339cbf8f6037 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "RSA 1"
-.TH RSA 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH RSA 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
index 368ba0284049..b9cc868a83f3 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH RSAUTL 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 266d5671f248..31064e2c9be4 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH S_CLIENT 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -173,6 +173,9 @@ s_client \- SSL/TLS client program
[\fB\-no_ssl2\fR]
[\fB\-no_ssl3\fR]
[\fB\-no_tls1\fR]
+[\fB\-no_tls1_1\fR]
+[\fB\-no_tls1_2\fR]
+[\fB\-fallback_scsv\fR]
[\fB\-bugs\fR]
[\fB\-cipher cipherlist\fR]
[\fB\-serverpref\fR]
@@ -183,6 +186,7 @@ s_client \- SSL/TLS client program
[\fB\-sess_out filename\fR]
[\fB\-sess_in filename\fR]
[\fB\-rand file(s)\fR]
+[\fB\-serverinfo types\fR]
[\fB\-status\fR]
[\fB\-nextprotoneg protocols\fR]
.SH "DESCRIPTION"
@@ -301,16 +305,18 @@ Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
given as a hexadecimal number without leading 0x, for example \-psk
1a2b3c4d.
-.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
-.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
+.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4
+.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2"
these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
the initial handshake uses a method which should be compatible with all
servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
.Sp
-Unfortunately there are a lot of ancient and broken servers in use which
+Unfortunately there are still ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
-work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only
-support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
+work if \s-1TLS\s0 is turned off.
+.IP "\fB\-fallback_scsv\fR" 4
+.IX Item "-fallback_scsv"
+Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
@@ -355,6 +361,12 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
Multiple files can be specified separated by a OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
+.IP "\fB\-serverinfo types\fR" 4
+.IX Item "-serverinfo types"
+a list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and
+65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension.
+The server's response (if any) will be encoded and displayed as a \s-1PEM\s0
+file.
.IP "\fB\-status\fR" 4
.IX Item "-status"
sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
@@ -437,4 +449,4 @@ information whenever a session is renegotiated.
\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
index e2c2c392e847..0f3b3c1b2fe1 100644
--- a/secure/usr.bin/openssl/man/s_server.1
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH S_SERVER 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -181,7 +181,6 @@ s_server \- SSL/TLS server program
[\fB\-no_ssl3\fR]
[\fB\-no_tls1\fR]
[\fB\-no_dhe\fR]
-[\fB\-no_ecdhe\fR]
[\fB\-bugs\fR]
[\fB\-hack\fR]
[\fB\-www\fR]
@@ -192,6 +191,8 @@ s_server \- SSL/TLS server program
[\fB\-no_ticket\fR]
[\fB\-id_prefix arg\fR]
[\fB\-rand file(s)\fR]
+[\fB\-serverinfo file\fR]
+[\fB\-no_resumption_on_reneg\fR]
[\fB\-status\fR]
[\fB\-status_verbose\fR]
[\fB\-status_timeout nsec\fR]
@@ -258,10 +259,6 @@ a static set of parameters hard coded into the s_server program will be used.
.IX Item "-no_dhe"
if this option is set then no \s-1DH\s0 parameters will be loaded effectively
disabling the ephemeral \s-1DH\s0 cipher suites.
-.IP "\fB\-no_ecdhe\fR" 4
-.IX Item "-no_ecdhe"
-if this option is set then no \s-1ECDH\s0 parameters will be loaded effectively
-disabling the ephemeral \s-1ECDH\s0 cipher suites.
.IP "\fB\-no_tmp_rsa\fR" 4
.IX Item "-no_tmp_rsa"
certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option
@@ -390,6 +387,16 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
Multiple files can be specified separated by a OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
+.IP "\fB\-serverinfo file\fR" 4
+.IX Item "-serverinfo file"
+a file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block
+must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
+followed by \*(L"length\*(R" bytes of extension data). If the client sends
+an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
+ServerHello extension will be returned.
+.IP "\fB\-no_resumption_on_reneg\fR" 4
+.IX Item "-no_resumption_on_reneg"
+set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag.
.IP "\fB\-status\fR" 4
.IX Item "-status"
enables certificate status request support (aka \s-1OCSP\s0 stapling).
@@ -476,4 +483,4 @@ unknown cipher suites a client says it supports.
\&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1
index 109df0f47375..38a26e9cd53d 100644
--- a/secure/usr.bin/openssl/man/s_time.1
+++ b/secure/usr.bin/openssl/man/s_time.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "S_TIME 1"
-.TH S_TIME 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH S_TIME 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
index 1e25ad29fd9f..365ece142afb 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH SESS_ID 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
index 86c02302eedb..3c97bbd7c76d 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "SMIME 1"
-.TH SMIME 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH SMIME 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -550,4 +550,4 @@ structures may cause parsing errors.
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0
.PP
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
index 874e4f2dd629..5eb48667f1dc 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "SPEED 1"
-.TH SPEED 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH SPEED 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
index f466ab598916..e29183fbf71d 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "SPKAC 1"
-.TH SPKAC 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH SPKAC 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1
index fcc6d22fb97b..677663dbd5e3 100644
--- a/secure/usr.bin/openssl/man/ts.1
+++ b/secure/usr.bin/openssl/man/ts.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "TS 1"
-.TH TS 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH TS 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
index 597a74dec6e2..b8baff555015 100644
--- a/secure/usr.bin/openssl/man/tsget.1
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "TSGET 1"
-.TH TSGET 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH TSGET 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index dc602b457ff8..0b8fa2939664 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "VERIFY 1"
-.TH VERIFY 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH VERIFY 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -148,6 +148,10 @@ verify \- Utility to verify certificates.
[\fB\-purpose purpose\fR]
[\fB\-policy arg\fR]
[\fB\-ignore_critical\fR]
+[\fB\-attime timestamp\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crlfile file\fR]
+[\fB\-crl_download\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-policy_check\fR]
@@ -162,7 +166,7 @@ verify \- Utility to verify certificates.
[\fB\-untrusted file\fR]
[\fB\-help\fR]
[\fB\-issuer_checks\fR]
-[\fB\-attime timestamp\fR]
+[\fB\-trusted file\fR]
[\fB\-verbose\fR]
[\fB\-\fR]
[certificates]
@@ -181,9 +185,28 @@ create symbolic links to a directory of certificates.
.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4
.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together."
.PD 0
+.IP "\fB\-attime timestamp\fR" 4
+.IX Item "-attime timestamp"
+.PD
+Perform validation checks using time specified by \fBtimestamp\fR and not
+current system time. \fBtimestamp\fR is the number of seconds since
+01.01.1970 (\s-1UNIX\s0 time).
+.IP "\fB\-check_ss_sig\fR" 4
+.IX Item "-check_ss_sig"
+Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default
+because it doesn't add any security.
+.IP "\fB\-crlfile file\fR" 4
+.IX Item "-crlfile file"
+File containing one or more \s-1CRL\s0's (in \s-1PEM\s0 format) to load.
+.IP "\fB\-crl_download\fR" 4
+.IX Item "-crl_download"
+Attempt to download \s-1CRL\s0 information for this certificate.
+.IP "\fB\-crl_check\fR" 4
+.IX Item "-crl_check"
+Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
+If a valid \s-1CRL\s0 cannot be found an error occurs.
.IP "\fB\-untrusted file\fR" 4
.IX Item "-untrusted file"
-.PD
A file of untrusted certificates. The file should contain multiple certificates
in \s-1PEM\s0 format concatenated together.
.IP "\fB\-purpose purpose\fR" 4
@@ -206,11 +229,6 @@ current certificate. This shows why each candidate issuer certificate was
rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
-.IP "\fB\-attime timestamp\fR" 4
-.IX Item "-attime timestamp"
-Perform validation checks using time specified by \fBtimestamp\fR and not
-current system time. \fBtimestamp\fR is the number of seconds since
-01.01.1970 (\s-1UNIX\s0 time).
.IP "\fB\-policy arg\fR" 4
.IX Item "-policy arg"
Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
@@ -235,6 +253,10 @@ trusted, then OpenSSL will continue to check to see if an alternative chain can
be found that is trusted. With this option that behaviour is suppressed so that
only the first chain found is ever used. Using this option will force the
behaviour to match that of previous OpenSSL versions.
+.IP "\fB\-trusted file\fR" 4
+.IX Item "-trusted file"
+A file of additional trusted certificates. The file should contain multiple
+certificates in \s-1PEM\s0 format concatenated together.
.IP "\fB\-policy_print\fR" 4
.IX Item "-policy_print"
Print out diagnostics related to policy processing.
@@ -487,4 +509,4 @@ Previous versions of this documentation swapped the meaning of the
\&\fIx509\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
index 79305bb60f93..401bde5544a4 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/version.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "VERSION 1"
-.TH VERSION 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH VERSION 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index 9306e414521c..27b8a8ee5486 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "X509 1"
-.TH X509 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH X509 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -186,6 +186,7 @@ x509 \- Certificate display and signing utility
[\fB\-CAkey filename\fR]
[\fB\-CAcreateserial\fR]
[\fB\-CAserial filename\fR]
+[\fB\-force_pubkey key\fR]
[\fB\-text\fR]
[\fB\-certopt option\fR]
[\fB\-C\fR]
@@ -482,6 +483,14 @@ specified then the extensions should either be contained in the unnamed
\&\*(L"extensions\*(R" which contains the section to use. See the
\&\fIx509v3_config\fR\|(5) manual page for details of the
extension section format.
+.IP "\fB\-force_pubkey key\fR" 4
+.IX Item "-force_pubkey key"
+when a certificate is created set its public key to \fBkey\fR instead of the
+key in the certificate or certificate request. This option is useful for
+creating certificates where the algorithm can't normally sign requests, for
+example \s-1DH.\s0
+.Sp
+The format or \fBkey\fR can be specified using the \fB\-keyform\fR option.
.SS "\s-1NAME OPTIONS\s0"
.IX Subsection "NAME OPTIONS"
The \fBnameopt\fR command line switch determines how the subject and issuer
diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1
index 9e149f5b3001..3eb624dfa647 100644
--- a/secure/usr.bin/openssl/man/x509v3_config.1
+++ b/secure/usr.bin/openssl/man/x509v3_config.1
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "X509V3_CONFIG 1"
-.TH X509V3_CONFIG 1 "2015-07-09" "1.0.1p" "OpenSSL"
+.TH X509V3_CONFIG 1 "2015-07-09" "1.0.2d" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l