X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fconfig.pod;h=e238e15125500f38adb29561bc51e6d2526f869b;hp=d5cce54f44a8927e538e792671736964c27a5da9;hb=a528d4f0a9a71405f3ca06e20cbd27aa1b8c0df9;hpb=3d764db7a24e3dca1a3ee57202ce3c818d592141 diff --git a/doc/apps/config.pod b/doc/apps/config.pod index d5cce54f44..e238e15125 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -56,7 +56,7 @@ the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. =head1 OPENSSL LIBRARY CONFIGURATION -In OpenSSL 0.9.7 and later applications can automatically configure certain +Applications can automatically configure certain aspects of OpenSSL using the master OpenSSL configuration file, or optionally an alternative configuration file. The B utility includes this functionality: any sub command uses the master OpenSSL configuration file @@ -106,7 +106,7 @@ as any compliant applications. For example: some_new_oid = 1.2.3.4 some_other_oid = 1.2.3.5 -In OpenSSL 0.9.8 it is also possible to set the value to the long name followed +It is also possible to set the value to the long name followed by a comma and the numerical OID form. For example: shortName = some object long name, 1.2.3.4 
@@ -277,6 +277,59 @@ priority and B used if neither is defined: # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename +Simple OpenSSL library configuration example to enter FIPS mode: + + # Default appname: should match "appname" parameter (if any) + # supplied to CONF_modules_load_file et al. + openssl_conf = openssl_conf_section + + [openssl_conf_section] + # Configuration module list + alg_section = evp_sect + + [evp_sect] + # Set to "yes" to enter FIPS mode if supported + fips_mode = yes + +Note: in the above example you will get an error in non FIPS capable versions +of OpenSSL. + +More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: + + # Default appname: should match "appname" parameter (if any) + # supplied to CONF_modules_load_file et al. + openssl_conf = openssl_conf_section + + [openssl_conf_section] + # Configuration module list + alg_section = evp_sect + oid_section = new_oids + + [evp_sect] + # This will have no effect as FIPS mode is off by default. + # Set to "yes" to enter FIPS mode, if supported + fips_mode = no + + [new_oids] + # New OID, just short name + newoid1 = 1.2.3.4.1 + # New OID shortname and long name + newoid2 = New OID 2 long name, 1.2.3.4.2 + +The above examples can be used with with any application supporting library +configuration if "openssl_conf" is modified to match the appropriate "appname". + +For example if the second sample file above is saved to "example.cnf" then +the command line: + + OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 + +will output: + + 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 + +showing that the OID "newoid1" has been added as "1.2.3.4.1". + =head1 BUGS Currently there is no way to include characters using the octal B<\nnn> @@ -292,6 +345,6 @@ file. =head1 SEE ALSO -L, L, L +L, L, L =cut
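Review bot: typo in the new paragraph following the second example in the `@@ -277,6 +277,59 @@` hunk, "The above examples can be used with with any application supporting library configuration", which doubles "with"; suggest "The above examples can be used with any application supporting library configuration if "openssl_conf" is modified to match the appropriate "appname"." In the same hunk, the note after the first example reads "in non FIPS capable versions of OpenSSL", which is clearer hyphenated as "non-FIPS-capable", and the lead-in "Add OID and don't enter FIPS mode:" should be "Add OIDs" since the example registers two (newoid1 and newoid2). The two `fips_mode` comments also differ only by a comma ("to enter FIPS mode if supported" vs. "to enter FIPS mode, if supported"); pick one form for both.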
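Review bot: the SEE ALSO hunk (`@@ -292,6 +345,6 @@`) shows a removed line `-L, L, L` and an added line `+L, L, L` that are identical as rendered here, so the actual change to the L<> link targets cannot be reviewed from this view; the raw patch should be checked to confirm which page reference was changed and that each of the three targets still corresponds to an existing manual page.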