Move manpages to man[1357] structure. Move manpages to manX directories Add Windows/VMS install fix from Richard Levitte Update README Fix typo's Remove some duplicates Reviewed-by: Richard Levitte <levitte@openssl.org>
Add Postgres support to -starttls Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
Dcoument -alpn flag Reviewed-by: Richard Levitte <levitte@openssl.org>
Make reference to other manpage more explicit Where -curves, etc., are defined: SSL_CONF_cmd Reviewed-by: Andy Polyakov <appro@openssl.org>
Add -dane_ee_no_namechecks s_client(1) option The DANE API supports a DANE_FLAG_NO_DANE_EE_NAMECHECKS option, but there was no way to exercise/enable it via s_client. This commit addresses that gap. Reviewed-by: Rich Salz <rsalz@openssl.org>
spelling fixes, just comments and readme. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1413)
Spelling fixes Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1219)
Doc nits cleanup, round 2 Fix some code examples, trailing whitespace Fix TBA sections in verify, remove others. Remove empty sections Use Mixed Case not ALL CAPS in head2 Enhance doc-nits script. Remove extra =cut line Reviewed-by: Richard Levitte <levitte@openssl.org>
Fix nits in pod files. Add doc-nit-check to help find future issues. Make podchecker be almost clean. Remove trailing whitespace. Tab expansion Reviewed-by: Richard Levitte <levitte@openssl.org>
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org>
GH875: Document -no_check_time Date: Tue Mar 15 15:19:44 2016 +0100 This commit updates the documentation of cms, ocsp, s_client, s_server, and verify to reflect the new "-no_check_time" option introduced in commit d35ff2c0ade0a12e84aaa2e9841b4983a2f3cf45 on 2015-07-31. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Suppress CT callback as appropriate Suppress CT callbacks with aNULL or PSK ciphersuites that involve no certificates. Ditto when the certificate chain is validated via DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing when the chain is fails verification. Move and consolidate CT callbacks from libcrypto to libssl. We also simplify the interface to SSL_{,CTX_}_enable_ct() which can specify either a permissive mode that just collects information or a strict mode that requires at least one valid SCT or else asks to abort the connection. Simplified SCT processing and options in s_client(1) which now has just a simple pair of "-noct" vs. "-ct" options, the latter enables the permissive callback so that we can complete the handshake and report all relevant information. When printing SCTs, print the validation status if set and not valid. Signed-off-by: Rob Percival <robpercival@google.com> Reviewed-by: Emilia Käsper <emilia@openssl.org>
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Fixed a bunch of typos in the docs Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Add documentation for new s_server/s_client options Document the new split_send_frag, max_pipelines and read_buf options. Reviewed-by: Tim Hudson <tjh@openssl.org>
Documentation for new CT s_client flags Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Update documentation of SSL METHODs and ciphers Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Deprecate the -issuer_checks debugging option This was a developer debugging feature and was never a useful public interface. Added all missing X509 error codes to the verify(1) manpage, but many still need a description beyond the associated text string. Sorted the errors in x509_txt.c by error number. Reviewed-by: Stephen Henson <steve@openssl.org>
Suppress DANE TLSA reflection when verification fails As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa() are expected to return a negative match depth and nothing else when verification fails. However, this only happened when verification failed during chain construction. Errors in verification of the constructed chain did not have the intended effect on these functions. This commit updates the functions to check for verify_result == X509_V_OK, and no longer erases any accumulated match information when chain construction fails. Sophisticated developers can, with care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA info even when verification fail. They must of course first check and save the real error, and restore the original error as quickly as possible. Hiding by default seems to be the safer interface. Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED. This also changes the "-brief" output from s_client to include verification results and TLSA match information. Mentioned session resumption in code example in SSL_CTX_dane_enable(3). Also mentioned that depths returned are relative to the verified chain which is now available via SSL_get0_verified_chain(3). Added a few more test-cases to danetest, that exercise the new code. Resolved thread safety issue in use of static buffer in X509_verify_cert_error_string(). Fixed long-stating issue in apps/s_cb.c which always sets verify_error to either X509_V_OK or "chain to long", code elsewhere (e.g. s_time.c), seems to expect the actual error. [ The new chain construction code is expected to correctly generate "chain too long" errors, so at some point we need to drop the work-arounds, once SSL_set_verify_depth() is also fixed to propagate the depth to X509_STORE_CTX reliably. ] Reviewed-by: Rich Salz <rsalz@openssl.org>
GH628: Add -help to all apps docs. Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>