X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=doc%2Fssl%2FSSL_CONF_cmd.pod;h=bebd20485cc249aeb6d2ed9259ef1e62f546d315;hb=87d9cafa332bd006086b56dc645c03fe7cfed654;hp=90a20d6c49479699e7e2e6ae27b677e9b9f7e406;hpb=45f55f6a5bdcec411ef08a6f8aae41d5d3d234ad;p=openssl.git diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index 90a20d6c49..bebd20485c 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -101,7 +101,7 @@ are permitted. Attempts to use the file B as the private key for the appropriate context. This option is only supported if certificate operations are permitted. Note: if no B<-key> option is set then a private key is -not loaded: it does not currently use the B<-cert> file. +not loaded unless the flag B is set. =item B<-dhparam> @@ -192,8 +192,14 @@ are permitted. Attempts to use the file B as the private key for the appropriate context. This option is only supported if certificate operations -are permitted. Note: if no B<-key> option is set then a private key is -not loaded: it does not currently use the B file. +are permitted. Note: if no B option is set then a private key is +not loaded unless the B is set. + +=item B, B, B, B + +These options indicate a file or directory used for building certificate +chains or verifying certificate chains. These options are only supported +if certificate operations are permitted. =item B 
@@ -306,6 +312,27 @@ B permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to B. Set by default. +=item B + +The B argument is a comma separated list of flags to set. + +B enables peer verification: for clients only. + +B requests but does not require a certificate from the client. +Servers only. + +B requests and requires a certificate from the client: an error +occurs if the client does not present a certificate. Servers only. + +B requests a certificate from a client only on the initial connection: +not when renegotiating. Servers only. + +=item B, B + +A file or directory of certificates in PEM format whose names are used as the +set of acceptable names for client CAs. Servers only. This option is only +supported if certificate operations are permitted. + =back =head1 SUPPORTED COMMAND TYPES @@ -332,6 +359,11 @@ The value is a file name. The value is a directory name. +=item B + +The value string is not used e.g. a command line option which doesn't take an +argument. + =back =head1 NOTES @@ -339,16 +371,16 @@ The value is a directory name. The order of operations is significant. This can be used to set either defaults or values which cannot be overridden. For example if an application calls: - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); SSL_CONF_cmd(ctx, userparam, uservalue); -it will disable SSLv2 support by default but the user can override it. If +it will disable SSLv3 support by default but the user can override it. If however the call sequence is: SSL_CONF_cmd(ctx, userparam, uservalue); - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); -SSLv2 is B disabled and attempt to override this by the user are +SSLv3 is B disabled and attempt to override this by the user are ignored. By checking the return code of SSL_CTX_cmd() it is possible to query if a 
@@ -384,9 +416,9 @@ Set supported signature algorithms: SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); -Enable all protocols except SSLv3 and SSLv2: +Enable all protocols except SSLv3: - SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); Only enable TLSv1.2: @@ -425,11 +457,11 @@ SSL_CONF_finish() returns 1 for success and 0 for failure. =head1 SEE ALSO -L, -L, -L, -L, -L +L, +L, +L, +L, +L =head1 HISTORY @@ -438,4 +470,8 @@ SSL_CONF_cmd() was first added to OpenSSL 1.0.2 B doesn't have effect anymore since 1.1.0 but the define is kept for backward compatibility. +B was first added to OpenSSL 1.1.0. In earlier versions of +OpenSSL passing a command which didn't take an argument would return +B. + =cut
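Review bot: In the first hunk (@@ -101,7 +101,7 @@) the new sentence "not loaded unless the flag B is set" names the flag only by its formatting tag in this rendering, and it also drops the one concrete fact the old text carried, namely that the key is (or is not) taken from the B<-key>-less B<-cert> file. State which SSL_CONF flag enables the behaviour and which file the private key is then read from, e.g. "not loaded unless the <flag> flag is set, in which case the private key is read from the B<-cert> file." The same sentence is repeated for the configuration-file form in the second hunk as "unless the B is set" (without "flag"); make the two wordings identical so they do not drift apart again.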
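Review bot: In the second hunk (@@ -192,8 +192,14 @@) the new =item covers four options with a single sentence, "a file or directory used for building certificate chains or verifying certificate chains", which leaves the reader to guess which of the four takes a file, which takes a directory, and which pair is consulted for chain building versus peer verification. Document each option (or each pair) separately, in the same style as the existing B<-dhparam> and B<-key> items, and say whether the verification locations here add trust anchors to the context's store, since that decides what a peer certificate is checked against.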
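Review bot: In the third hunk (@@ -306,6 +312,27 @@) the new VerifyMode item says the argument is "a comma separated list of flags" but never states the default when the command is absent, nor how a second VerifyMode command interacts with the first (replace or accumulate); both matter because on the client side the first flag is what turns server certificate verification on at all. Add one sentence giving the default and one saying whether Request, Require and Once are combinable modifiers (e.g. "Require,Once"). For ClientCAFile/ClientCAPath the text says the certificates' "names are used as the set of acceptable names for client CAs"; make explicit that this only controls the names advertised to the client and does not by itself make those CAs trusted for verification, if that is the intended behaviour, so readers do not treat it as a substitute for a verify location.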
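Review bot: In the fourth hunk (@@ -332,6 +359,11 @@) the added sentence "The value string is not used e.g. a command line option which doesn't take an argument." needs punctuation and reads better as "The value string is not used, e.g. for a command line option which doesn't take an argument." It would also help to say what callers should pass for the value parameter in that case (NULL, or an ignored string) so the statement in the HISTORY hunk about the old return value has a clear counterpart.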
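Review bot: In the fifth hunk (@@ -339,16 +371,16 @@) the SSLv2 to SSLv3 substitution is consistent across both code samples and both prose lines, but the rewritten line "SSLv3 is B disabled and attempt to override this by the user are ignored." keeps the pre-existing number disagreement; since the line is being touched, change it to "attempts to override this by the user are ignored". The unchanged context line just below it refers to the return code of SSL_CTX_cmd(), while every other reference in this file and in the examples is SSL_CONF_cmd(); worth fixing in the same patch.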
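Review bot: In the last hunk (@@ -438,4 +470,8 @@) "In earlier versions of OpenSSL passing a command which didn't take an argument would return B." is ambiguous, because the preceding context line states that SSL_CONF_cmd() itself was first added in OpenSSL 1.0.2; say "In OpenSSL 1.0.2" explicitly so readers know exactly which releases return the old error value, and cross-reference the new command type item under SUPPORTED COMMAND TYPES so the two additions in this patch are tied together.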