aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/apps/config.pod2
-rw-r--r--doc/apps/crl.pod5
-rw-r--r--doc/apps/ec.pod2
-rw-r--r--doc/apps/pkcs12.pod9
-rw-r--r--doc/apps/req.pod2
-rw-r--r--doc/apps/s_client.pod16
-rw-r--r--doc/apps/s_server.pod2
-rw-r--r--doc/apps/ts.pod4
-rw-r--r--doc/apps/tsget.pod2
-rw-r--r--doc/crypto/BN_BLINDING_new.pod2
-rw-r--r--doc/crypto/ERR_get_error.pod7
-rw-r--r--doc/crypto/EVP_BytesToKey.pod2
-rw-r--r--doc/crypto/EVP_EncryptInit.pod2
-rw-r--r--doc/crypto/X509_VERIFY_PARAM_set_flags.pod2
-rw-r--r--doc/crypto/pem.pod2
-rw-r--r--doc/ssl/SSL_CTX_set_verify.pod4
-rw-r--r--doc/ssl/SSL_set_shutdown.pod2
17 files changed, 45 insertions, 22 deletions
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index ace34b62bd2e..25c5381b9d6b 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration
information.
The section pointed to by B<engines> is a table of engine names (though see
-B<engine_id> below) and further sections containing configuration informations
+B<engine_id> below) and further sections containing configuration information
specific to each ENGINE.
Each ENGINE specific section is used to set default algorithms, load
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index a40c873b9568..1ad76a5f8c13 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -62,6 +62,11 @@ don't output the encoded version of the CRL.
output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
+=item B<-hash_old>
+
+outputs the "hash" of the CRL issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
=item B<-issuer>
output the issuer name.
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod
index ba6dc4689bf0..5c7b45d4e75e 100644
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -41,7 +41,7 @@ PKCS#8 private key format use the B<pkcs8> command.
This specifies the input format. The B<DER> option with a private key uses
an ASN.1 DER encoded SEC1 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
+uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index f69a5c5a4cda..8e0d91798ac4 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -67,7 +67,7 @@ by default.
The filename to write certificates and private keys to, standard output by
default. They are all written in PEM format.
-=item B<-pass arg>, B<-passin arg>
+=item B<-passin arg>
the PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
@@ -75,10 +75,15 @@ L<openssl(1)|openssl(1)>.
=item B<-passout arg>
-pass phrase source to encrypt any outputed private keys with. For more
+pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)|openssl(1)>.
+=item B<-password arg>
+
+With -export, -password is equivalent to -passout.
+Otherwise, -password is equivalent to -passin.
+
=item B<-noout>
this option inhibits output of the keys and certificates to the output file
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index ff48bbdf2855..0730d117b39c 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge>
=item B<-newhdr>
-Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+Adds the word B<NEW> to the PEM file header and footer lines on the outputted
request. Some software (Netscape certificate server) and some CAs need this.
=item B<-batch>
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 4ebf7b585474..3215b2e8c96f 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -10,6 +10,7 @@ s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-connect host:port>]
[B<-verify depth>]
+[B<-verify_return_error>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
@@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
=item B<-CApath directory>
The directory to use for server certificate verification. This directory
@@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
B<-no_sslv2> option.
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
=head1 BUGS
Because this program has a lot of options and also because some of
@@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather
hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler.
-The B<-verify> option should really exit if the server verification
-fails.
-
The B<-prexit> option is a bit of a hack. We should really report
information whenever a session is renegotiated.
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 3e503e17e107..6758ba308016 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -111,7 +111,7 @@ by using an appropriate certificate.
=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
-addtional certificate and private key format and passphrase respectively.
+additional certificate and private key format and passphrase respectively.
=item B<-nocert>
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index 7fb6caa96e54..d6aa47d3144d 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -352,7 +352,7 @@ switch always overrides the settings in the config file.
This is the main section and it specifies the name of another section
that contains all the options for the B<-reply> command. This default
-section can be overriden with the B<-section> command line switch. (Optional)
+section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
@@ -453,7 +453,7 @@ included. Default is no. (Optional)
=head1 ENVIRONMENT VARIABLES
B<OPENSSL_CONF> contains the path of the configuration file and can be
-overriden by the B<-config> command line option.
+overridden by the B<-config> command line option.
=head1 EXAMPLES
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod
index b05957beea6b..56db985c4bb1 100644
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -124,7 +124,7 @@ The name of an EGD socket to get random data from. (Optional)
=item [request]...
List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
-requests are specifed only one request will be sent to the server and it will be
+requests are specified only one request will be sent to the server and it will be
read from the standard input. (Optional)
=back
diff --git a/doc/crypto/BN_BLINDING_new.pod b/doc/crypto/BN_BLINDING_new.pod
index 5f51fdb47065..da06e4446125 100644
--- a/doc/crypto/BN_BLINDING_new.pod
+++ b/doc/crypto/BN_BLINDING_new.pod
@@ -48,7 +48,7 @@ necessary parameters are set, by re-creating the blinding parameters.
BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
-returned in B<r> (this is useful if a B<RSA> object is shared amoung
+returned in B<r> (this is useful if a B<RSA> object is shared among
several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
the inverse blinding.
diff --git a/doc/crypto/ERR_get_error.pod b/doc/crypto/ERR_get_error.pod
index 34443045fc0d..828ecf529b2e 100644
--- a/doc/crypto/ERR_get_error.pod
+++ b/doc/crypto/ERR_get_error.pod
@@ -52,8 +52,11 @@ ERR_get_error_line_data(), ERR_peek_error_line_data() and
ERR_get_last_error_line_data() store additional data and flags
associated with the error code in *B<data>
and *B<flags>, unless these are B<NULL>. *B<data> contains a string
-if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by OPENSSL_malloc(),
-*B<flags>&B<ERR_TXT_MALLOCED> is true.
+if *B<flags>&B<ERR_TXT_STRING> is true.
+
+An application B<MUST NOT> free the *B<data> pointer (or any other pointers
+returned by these functions) with OPENSSL_free() as freeing is handled
+automatically by the error library.
=head1 RETURN VALUES
diff --git a/doc/crypto/EVP_BytesToKey.pod b/doc/crypto/EVP_BytesToKey.pod
index d375c46e03d5..0ea7d55c0f1f 100644
--- a/doc/crypto/EVP_BytesToKey.pod
+++ b/doc/crypto/EVP_BytesToKey.pod
@@ -17,7 +17,7 @@ EVP_BytesToKey - password based encryption routine
EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
the cipher to derive the key and IV for. B<md> is the message digest to use.
-The B<salt> paramter is used as a salt in the derivation: it should point to
+The B<salt> parameter is used as a salt in the derivation: it should point to
an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
B<datal> bytes which is used to derive the keying data. B<count> is the
iteration count to use. The derived key and IV will be written to B<key>
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index 8271d3dfc417..1c4bf184a1b0 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -152,7 +152,7 @@ does not remain in memory.
EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
-EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
+EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
initialized and they always use the default cipher implementation.
EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index b68eece03387..46cac2bea2be 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it
to examine the valid policy tree and perform additional checks or simply
log it for debugging purposes.
-By default some addtional features such as indirect CRLs and CRLs signed by
+By default some additional features such as indirect CRLs and CRLs signed by
different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
they are enabled.
diff --git a/doc/crypto/pem.pod b/doc/crypto/pem.pod
index d5b189611956..54414a3f6f37 100644
--- a/doc/crypto/pem.pod
+++ b/doc/crypto/pem.pod
@@ -201,7 +201,7 @@ handle PKCS#8 format encrypted and unencrypted keys too.
PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
write a private key in an EVP_PKEY structure in PKCS#8
EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
-algorithms. The B<cipher> argument specifies the encryption algoritm to
+algorithms. The B<cipher> argument specifies the encryption algorithm to
use: unlike all other PEM routines the encryption is applied at the
PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod
index 81566839d3d8..6fd6c0321551 100644
--- a/doc/ssl/SSL_CTX_set_verify.pod
+++ b/doc/ssl/SSL_CTX_set_verify.pod
@@ -169,8 +169,8 @@ that will always continue the TLS/SSL handshake regardless of verification
failure, if wished. The callback realizes a verification depth limit with
more informational output.
-All verification errors are printed, informations about the certificate chain
-are printed on request.
+All verification errors are printed; information about the certificate chain
+is printed on request.
The example is realized for a server that does allow but not require client
certificates.
diff --git a/doc/ssl/SSL_set_shutdown.pod b/doc/ssl/SSL_set_shutdown.pod
index 011a022a12c3..fe013085d39d 100644
--- a/doc/ssl/SSL_set_shutdown.pod
+++ b/doc/ssl/SSL_set_shutdown.pod
@@ -24,7 +24,7 @@ The shutdown state of an ssl connection is a bitmask of:
=over 4
-=item 0
+=item Z<>0
No shutdown setting, yet.