Fix capitilistion of list items.
Wrap long lines.
Add full stops to the ends of sentances.
Change ciphersuite to cipher suite in all of doc.
[skip ci]
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3082)
46 files changed:
=item B<?>, B<-h>, B<-help>
=item B<?>, B<-h>, B<-help>
-creates a new self signed certificate. The private key is written to the file
+Creates a new self signed certificate. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
This argument invokes B<openssl req> command.
=item B<-newreq>
"newkey.pem" and the request written to the file "newreq.pem".
This argument invokes B<openssl req> command.
=item B<-newreq>
-creates a new certificate request. The private key is written to the file
+Creates a new certificate request. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
Executes B<openssl req> command below the hood.
=item B<-newreq-nodes>
"newkey.pem" and the request written to the file "newreq.pem".
Executes B<openssl req> command below the hood.
=item B<-newreq-nodes>
-is like B<-newreq> except that the private key will not be encrypted.
+Is like B<-newreq> except that the private key will not be encrypted.
Uses B<openssl req> command.
=item B<-newca>
Uses B<openssl req> command.
=item B<-newca>
-creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
+Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificates (which should also contain the private key) or by hitting ENTER
details of the CA will be prompted for. The relevant files and directories
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificates (which should also contain the private key) or by hitting ENTER
details of the CA will be prompted for. The relevant files and directories
-create a PKCS#12 file containing the user certificate, private key and CA
+Create a PKCS#12 file containing the user certificate, private key and CA
certificate. It expects the user certificate and private key to be in the
file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
it creates a file "newcert.p12". This command can thus be called after the
certificate. It expects the user certificate and private key to be in the
file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
it creates a file "newcert.p12". This command can thus be called after the
=item B<-sign>, B<-signcert>, B<-xsign>
=item B<-sign>, B<-signcert>, B<-xsign>
-calls the B<ca> program to sign a certificate request. It expects the request
+Calls the B<ca> program to sign a certificate request. It expects the request
to be in the file "newreq.pem". The new certificate is written to the file
"newcert.pem" except in the case of the B<-xsign> option when it is written
to standard output. Leverages B<openssl ca> command.
=item B<-signCA>
to be in the file "newreq.pem". The new certificate is written to the file
"newcert.pem" except in the case of the B<-xsign> option when it is written
to standard output. Leverages B<openssl ca> command.
=item B<-signCA>
-this option is the same as the B<-signreq> option except it uses the configuration
-file section B<v3_ca> and so makes the signed request a valid CA certificate. This
-is useful when creating intermediate CA from a root CA.
-Extra params are passed on to B<openssl ca> command.
+This option is the same as the B<-signreq> option except it uses the
+configuration file section B<v3_ca> and so makes the signed request a
+valid CA certificate. This is useful when creating intermediate CA from
+a root CA. Extra params are passed on to B<openssl ca> command.
-this option is the same as B<-sign> except it expects a self signed certificate
+This option is the same as B<-sign> except it expects a self signed certificate
to be present in the file "newreq.pem".
Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
=item B<-crl>
to be present in the file "newreq.pem".
Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
=item B<-crl>
-generate a CRL. Executes B<openssl ca> command.
+Generate a CRL. Executes B<openssl ca> command.
=item B<-revoke certfile [reason]>
=item B<-revoke certfile [reason]>
-revoke the certificate contained in the specified B<certfile>. An optional
+Revoke the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
-verifies certificates against the CA certificate for "demoCA". If no certificates
-are specified on the command line it tries to verify the file "newcert.pem".
-Invokes B<openssl verify> command.
+Verifies certificates against the CA certificate for "demoCA". If no
+certificates are specified on the command line it tries to verify the file
+"newcert.pem". Invokes B<openssl verify> command.
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-inform> B<DER|PEM>
=item B<-inform> B<DER|PEM>
-
the input format. B<DER> is binary format and B<PEM> (the default) is base64
+
The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.
=item B<-in filename>
encoded.
=item B<-in filename>
-the input file, default is standard input
+The input file, default is standard input.
-output file to place the DER encoded data into. If this
+Output file to place the DER encoded data into. If this
option is not present then no data will be output. This is most useful when
combined with the B<-strparse> option.
=item B<-noout>
option is not present then no data will be output. This is most useful when
combined with the B<-strparse> option.
=item B<-noout>
-don't output the parsed version of the input file.
+Don't output the parsed version of the input file.
-starting offset to begin parsing, default is start of file.
+Starting offset to begin parsing, default is start of file.
-number of bytes to parse, default is until end of file.
+Number of bytes to parse, default is until end of file.
-indents the output according to the "depth" of the structures.
+Indents the output according to the "depth" of the structures.
-a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
+A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.
=item B<-dump>
file is described in the NOTES section below.
=item B<-dump>
-dump unknown data in hex format.
+Dump unknown data in hex format.
-like B<-dump>, but only the first B<num> bytes are output.
+Like B<-dump>, but only the first B<num> bytes are output.
=item B<-strparse offset>
=item B<-strparse offset>
-parse the contents octets of the ASN.1 object starting at B<offset>. This
+Parse the contents octets of the ASN.1 object starting at B<offset>. This
option can be used multiple times to "drill down" into a nested structure.
=item B<-genstr string>, B<-genconf file>
option can be used multiple times to "drill down" into a nested structure.
=item B<-genstr string>, B<-genconf file>
-generate encoded data based on B<string>, B<file> or both using
+Generate encoded data based on B<string>, B<file> or both using
L<ASN1_generate_nconf(3)> format. If B<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
L<ASN1_generate_nconf(3)> format. If B<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
-
attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
+
Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
print out the fields of any supported ASN.1 structure if the type is known.
=back
print out the fields of any supported ASN.1 structure if the type is known.
=back
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-this prints extra details about the operations being performed.
+This prints extra details about the operations being performed.
=item B<-config filename>
=item B<-config filename>
-specifies the configuration file to use.
+Specifies the configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
=item B<-name section>
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
=item B<-name section>
-specifies the configuration file section to use (overrides
+Specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
=item B<-in filename>
B<default_ca> in the B<ca> section).
=item B<-in filename>
-an input filename containing a single certificate request to be
+An input filename containing a single certificate request to be
signed by the CA.
=item B<-ss_cert filename>
signed by the CA.
=item B<-ss_cert filename>
-a single self-signed certificate to be signed by the CA.
+A single self-signed certificate to be signed by the CA.
-a file containing a single Netscape signed public key and challenge
+A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required input and output format.
=item B<-infiles>
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required input and output format.
=item B<-infiles>
-if present this should be the last option, all subsequent arguments
+If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
=item B<-out filename>
are taken as the names of files containing certificate requests.
=item B<-out filename>
-the output file to output certificates to. The default is standard
+The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).
=item B<-outdir directory>
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).
=item B<-outdir directory>
-the directory to output certificates to. The certificate will be
+The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
".pem" appended.
=item B<-cert>
written to a filename consisting of the serial number in hex with
".pem" appended.
=item B<-cert>
-the CA certificate file.
+The CA certificate file.
=item B<-keyfile filename>
=item B<-keyfile filename>
-the private key to sign requests with.
+The private key to sign requests with.
=item B<-keyform PEM|DER>
=item B<-keyform PEM|DER>
-the format of the data in the private key file.
+The format of the data in the private key file.
The default is PEM.
=item B<-key password>
The default is PEM.
=item B<-key password>
-the password used to encrypt the private key. Since on some
+The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
=item B<-selfsign>
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
=item B<-selfsign>
-indicates the issued certificates are to be signed with the key
+Indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with B<-keyfile>).
Certificate requests signed with a different key are ignored. If
B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
the certificate requests were signed with (given with B<-keyfile>).
Certificate requests signed with a different key are ignored. If
B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
-
the key password source. For more information about the format of B<arg>
+
The key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-notext>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-notext>
-don't output the text form of a certificate to the output file.
+Don't output the text form of a certificate to the output file.
-this allows the start date to be explicitly set. The format of the
+This allows the start date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
=item B<-enddate date>
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
=item B<-enddate date>
-this allows the expiry date to be explicitly set. The format of the
+This allows the expiry date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
=item B<-days arg>
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
=item B<-days arg>
-the number of days to certify the certificate for.
+The number of days to certify the certificate for.
-the message digest to use.
+The message digest to use.
Any digest supported by the OpenSSL B<dgst> command can be used.
This option also applies to CRLs.
=item B<-policy arg>
Any digest supported by the OpenSSL B<dgst> command can be used.
This option also applies to CRLs.
=item B<-policy arg>
-this option defines the CA "policy" to use. This is a section in
+This option defines the CA "policy" to use. This is a section in
the configuration file which decides which fields should be mandatory
or match the CA certificate. Check out the B<POLICY FORMAT> section
for more information.
=item B<-msie_hack>
the configuration file which decides which fields should be mandatory
or match the CA certificate. Check out the B<POLICY FORMAT> section
for more information.
=item B<-msie_hack>
-this is a legacy option to make B<ca> work with very old versions of
+This is a legacy option to make B<ca> work with very old versions of
the IE certificate enrollment control "certenr3". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged. The newer control "Xenroll" does not
the IE certificate enrollment control "certenr3". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged. The newer control "Xenroll" does not
-this sets the batch mode. In this mode no questions will be asked
+This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
=item B<-extensions section>
and all certificates will be certified automatically.
=item B<-extensions section>
-the section of the configuration file containing certificate extensions
+The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
-an additional configuration file to read certificate extensions from
+An additional configuration file to read certificate extensions from
(using the default section unless the B<-extensions> option is also
used).
=item B<-engine id>
(using the default section unless the B<-extensions> option is also
used).
=item B<-engine id>
-specifying an engine (by its unique B<id> string) will cause B<ca>
+Specifying an engine (by its unique B<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-subj arg>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-subj arg>
-supersedes subject name given in the request.
+Supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-utf8>
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-utf8>
-this option causes field values to be interpreted as UTF8 strings, by
+This option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-create_serial>
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-create_serial>
-if reading serial from the text file as specified in the configuration
+If reading serial from the text file as specified in the configuration
fails, specifying this option creates a new random serial to be used as next
serial number.
fails, specifying this option creates a new random serial to be used as next
serial number.
-this option generates a CRL based on information in the index file.
+This option generates a CRL based on information in the index file.
-the number of days before the next CRL is due. That is the days from
+The number of days before the next CRL is due. That is the days from
now to place in the CRL nextUpdate field.
=item B<-crlhours num>
now to place in the CRL nextUpdate field.
=item B<-crlhours num>
-the number of hours before the next CRL is due.
+The number of hours before the next CRL is due.
=item B<-revoke filename>
=item B<-revoke filename>
-a filename containing a certificate to revoke.
+A filename containing a certificate to revoke.
-a filename containing a certificate to add a Valid certificate entry.
+A filename containing a certificate to add a Valid certificate entry.
-displays the revocation status of the certificate with the specified
+Displays the revocation status of the certificate with the specified
serial number and exits.
=item B<-updatedb>
serial number and exits.
=item B<-updatedb>
=item B<-crl_reason reason>
=item B<-crl_reason reason>
-revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
=item B<-crlexts section>
=item B<-crlexts section>
-the section of the configuration file containing CRL extensions to
+The section of the configuration file containing CRL extensions to
include. If no CRL extension section is present then a V1 CRL is
created, if the CRL extension section is present (even if it is
empty) then a V2 CRL is created. The CRL extensions specified are
include. If no CRL extension section is present then a V1 CRL is
created, if the CRL extension section is present (even if it is
empty) then a V2 CRL is created. The CRL extensions specified are
-the same as the B<-outdir> command line option. It specifies
+The same as the B<-outdir> command line option. It specifies
the directory where new certificates will be placed. Mandatory.
=item B<certificate>
the directory where new certificates will be placed. Mandatory.
=item B<certificate>
-the same as B<-cert>. It gives the file containing the CA
+The same as B<-cert>. It gives the file containing the CA
certificate. Mandatory.
=item B<private_key>
certificate. Mandatory.
=item B<private_key>
-same as the B<-keyfile> option. The file containing the
+Same as the B<-keyfile> option. The file containing the
CA private key. Mandatory.
=item B<RANDFILE>
CA private key. Mandatory.
=item B<RANDFILE>
-a file used to read and write random number seed information, or
+A file used to read and write random number seed information, or
an EGD socket (see L<RAND_egd(3)>).
=item B<default_days>
an EGD socket (see L<RAND_egd(3)>).
=item B<default_days>
-the same as the B<-days> option. The number of days to certify
+The same as the B<-days> option. The number of days to certify
a certificate for.
=item B<default_startdate>
a certificate for.
=item B<default_startdate>
-the same as the B<-startdate> option. The start date to certify
+The same as the B<-startdate> option. The start date to certify
a certificate for. If not set the current time is used.
=item B<default_enddate>
a certificate for. If not set the current time is used.
=item B<default_enddate>
-the same as the B<-enddate> option. Either this option or
+The same as the B<-enddate> option. Either this option or
B<default_days> (or the command line equivalents) must be
present.
=item B<default_crl_hours default_crl_days>
B<default_days> (or the command line equivalents) must be
present.
=item B<default_crl_hours default_crl_days>
-the same as the B<-crlhours> and the B<-crldays> options. These
+The same as the B<-crlhours> and the B<-crldays> options. These
will only be used if neither command line option is present. At
least one of these must be present to generate a CRL.
=item B<default_md>
will only be used if neither command line option is present. At
least one of these must be present to generate a CRL.
=item B<default_md>
-the same as the B<-md> option. Mandatory.
+The same as the B<-md> option. Mandatory.
-the text database file to use. Mandatory. This file must be present
+The text database file to use. Mandatory. This file must be present
though initially it will be empty.
=item B<unique_subject>
though initially it will be empty.
=item B<unique_subject>
-if the value B<yes> is given, the valid certificate entries in the
+If the value B<yes> is given, the valid certificate entries in the
database must have unique subjects. if the value B<no> is given,
several valid certificate entries may have the exact same subject.
The default value is B<yes>, to be compatible with older (pre 0.9.8)
database must have unique subjects. if the value B<no> is given,
several valid certificate entries may have the exact same subject.
The default value is B<yes>, to be compatible with older (pre 0.9.8)
-a text file containing the next serial number to use in hex. Mandatory.
+A text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
=item B<crlnumber>
This file must be present and contain a valid serial number.
=item B<crlnumber>
-a text file containing the next CRL number to use in hex. The crl number
+A text file containing the next CRL number to use in hex. The crl number
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid CRL number.
=item B<x509_extensions>
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid CRL number.
=item B<x509_extensions>
-the same as B<-extensions>.
+The same as B<-extensions>.
-the same as B<-crlexts>.
+The same as B<-crlexts>.
-the same as B<-preserveDN>
+The same as B<-preserveDN>
-the same as B<-noemailDN>. If you want the EMAIL field to be removed
+The same as B<-noemailDN>. If you want the EMAIL field to be removed
from the DN of the certificate simply set this to 'no'. If not present
the default is to allow for the EMAIL filed in the certificate's DN.
=item B<msie_hack>
from the DN of the certificate simply set this to 'no'. If not present
the default is to allow for the EMAIL filed in the certificate's DN.
=item B<msie_hack>
-the same as B<-msie_hack>
+The same as B<-msie_hack>
-
the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
+
The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
for more information.
=item B<name_opt>, B<cert_opt>
for more information.
=item B<name_opt>, B<cert_opt>
-these options allow the format used to display the certificate details
+These options allow the format used to display the certificate details
when asking the user to confirm signing. All the options supported by
the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
here, except the B<no_signame> and B<no_sigdump> are permanently set
when asking the user to confirm signing. All the options supported by
the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
here, except the B<no_signame> and B<no_sigdump> are permanently set
-determines how extensions in certificate requests should be handled.
+Determines how extensions in certificate requests should be handled.
If set to B<none> or this option is not present then extensions are
ignored and not copied to the certificate. If set to B<copy> then any
extensions present in the request that are not already present are copied
If set to B<none> or this option is not present then extensions are
ignored and not copied to the certificate. If set to B<copy> then any
extensions present in the request that are not already present are copied
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-Verbose output: For each ciphersuite, list details as provided by
+Verbose output: For each cipher suite, list details as provided by
L<SSL_CIPHER_description(3)>.
=item B<-V>
L<SSL_CIPHER_description(3)>.
=item B<-V>
-precede each ciphersuite by its standard name: only available is OpenSSL
+Precede each cipher suite by its standard name: only available is OpenSSL
is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
=item B<cipherlist>
is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
=item B<cipherlist>
-a cipher list to convert to a cipher preference list. If it is not included
+A cipher list to convert to a cipher preference list. If it is not included
then the default cipher list will be used. The format is described below.
=back
then the default cipher list will be used. The format is described below.
=back
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+necessary). Note that RC4 based cipher suites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
-"high" encryption cipher suites. This currently means those with key lengths
+"High" encryption cipher suites. This currently means those with key lengths
larger than 128 bits, and some cipher suites with 128-bit keys.
=item B<MEDIUM>
larger than 128 bits, and some cipher suites with 128-bit keys.
=item B<MEDIUM>
-"medium" encryption cipher suites, currently some of those using 128 bit
+"Medium" encryption cipher suites, currently some of those using 128 bit
-"low" encryption cipher suites, currently those using 64 or 56 bit
+"Low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
encryption algorithms but excluding export cipher suites. All these
-ciphersuites have been removed as of OpenSSL 1.1.0.
+cipher suites have been removed as of OpenSSL 1.1.0.
=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
-Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or
+Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or
-Note: there are no ciphersuites specific to TLS v1.1.
+Note: there are no cipher suites specific to TLS v1.1.
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
-then both TLSv1.0 and SSLv3.0 ciphersuites are available.
+then both TLSv1.0 and SSLv3.0 cipher suites are available.
Note: these cipher strings B<do not> change the negotiated version of SSL or
TLS, they only affect the list of available cipher suites.
Note: these cipher strings B<do not> change the negotiated version of SSL or
TLS, they only affect the list of available cipher suites.
-AES in Galois Counter Mode (GCM): these ciphersuites are only supported
+AES in Galois Counter Mode (GCM): these cipher suites are only supported
in TLS v1.2.
=item B<AESCCM>, B<AESCCM8>
AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
in TLS v1.2.
=item B<AESCCM>, B<AESCCM8>
AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
-ciphersuites are only supported in TLS v1.2. B<AESCCM> references CCM
+cipher
suites are only supported in TLS v1.2. B<AESCCM> references CCM
cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
while B<AESCCM8> only references 8 octet ICV.
=item B<ARIA128>, B<ARIA256>, B<ARIA>
cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
while B<AESCCM8> only references 8 octet ICV.
=item B<ARIA128>, B<ARIA256>, B<ARIA>
-cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
+Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
ARIA.
=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
ARIA.
=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
-cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
+Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
CAMELLIA.
=item B<CHACHA20>
CAMELLIA.
=item B<CHACHA20>
-cipher suites using ChaCha20.
+Cipher suites using ChaCha20.
-cipher suites using triple DES.
+Cipher suites using triple DES.
=item B<SHA256>, B<SHA384>
=item B<SHA256>, B<SHA384>
-Ciphersuites using SHA256 or SHA384.
+Cipher suites using SHA256 or SHA384.
RFC6460.
In particular the supported signature algorithms is reduced to support only
ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be
RFC6460.
In particular the supported signature algorithms is reduced to support only
ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be
-used and only the two suite B compliant ciphersuites
+used and only the two suite B compliant cipher suites
(ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are
permissible.
(ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are
permissible.
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
-=head2 AES ciphersuites from RFC3268, extending TLS v1.0
+=head2 AES cipher suites from RFC3268, extending TLS v1.0
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
-=head2 Camellia ciphersuites from RFC4132, extending TLS v1.0
+=head2 Camellia cipher suites from RFC4132, extending TLS v1.0
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA
-=head2 SEED ciphersuites from RFC4162, extending TLS v1.0
+=head2 SEED cipher suites from RFC4162, extending TLS v1.0
TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA
TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA
TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA
TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA
-=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
+=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0
Note: these ciphers require an engine which including GOST cryptographic
algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
Note: these ciphers require an engine which including GOST cryptographic
algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8
ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8
ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8
ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8
-=head2 ARIA ciphersuites from RFC6209, extending TLS v1.2
+=head2 ARIA cipher suites from RFC6209, extending TLS v1.2
TLS_RSA_WITH_ARIA_128_CBC_SHA256 ARIA128-CBC-SHA256
TLS_RSA_WITH_ARIA_256_CBC_SHA384 ARIA256-CBC-SHA384
TLS_RSA_WITH_ARIA_128_CBC_SHA256 ARIA128-CBC-SHA256
TLS_RSA_WITH_ARIA_256_CBC_SHA384 ARIA256-CBC-SHA384
TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE-RSA-ARIA128-CBC-SHA256
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE-RSA-ARIA256-CBC-SHA384
TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE-RSA-ARIA128-CBC-SHA256
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE-RSA-ARIA256-CBC-SHA384
-=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
+=head2 Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384
-=head2 Pre-shared keying (PSK) ciphersuites
+=head2 Pre-shared keying (PSK) cipher suites
PSK_WITH_NULL_SHA PSK-NULL-SHA
DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA
PSK_WITH_NULL_SHA PSK-NULL-SHA
DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA
-encrypt mail for the given recipient certificates. Input file is the message
+Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in MIME format. The
actual CMS type is <B>EnvelopedData<B>.
to be encrypted. The output file is the encrypted mail in MIME format. The
actual CMS type is <B>EnvelopedData<B>.
-decrypt mail using the supplied certificate and private key. Expects an
+Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-debug_decrypt>
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-debug_decrypt>
-this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
with caution: see the notes section below.
=item B<-sign>
with caution: see the notes section below.
=item B<-sign>
-sign mail using the supplied certificate and private key. Input file is
+Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
-verify signed mail. Expects a signed mail message on input and outputs
+Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
=item B<-cmsout>
the signed data. Both clear text and opaque signing is supported.
=item B<-cmsout>
-takes an input message and writes out a PEM encoded CMS structure.
+Takes an input message and writes out a PEM encoded CMS structure.
-resign a message: take an existing message and one or more new signers.
+Resign a message: take an existing message and one or more new signers.
-the input message to be encrypted or signed or the message to be decrypted
+The input message to be encrypted or signed or the message to be decrypted
or verified.
=item B<-inform SMIME|PEM|DER>
or verified.
=item B<-inform SMIME|PEM|DER>
-this specifies the input format for the CMS structure. The default
+This specifies the input format for the CMS structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format CMS structures
instead. This currently only affects the input format of the CMS
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format CMS structures
instead. This currently only affects the input format of the CMS
=item B<-rctform SMIME|PEM|DER>
=item B<-rctform SMIME|PEM|DER>
-specify the format for a signed receipt for use with the B<-receipt_verify>
+Specify the format for a signed receipt for use with the B<-receipt_verify>
operation.
=item B<-out filename>
operation.
=item B<-out filename>
-the message text that has been decrypted or verified or the output MIME
+The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
-this specifies the output format for the CMS structure. The default
+This specifies the output format for the CMS structure. The default
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format CMS structures
instead. This currently only affects the output format of the CMS
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format CMS structures
instead. This currently only affects the output format of the CMS
=item B<-stream -indef -noindef>
=item B<-stream -indef -noindef>
-the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
+The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
-disable streaming I/O where it would produce and indefinite length constructed
+Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-this option adds plain text (text/plain) MIME headers to the supplied
+This option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-noout>
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-noout>
-for the B<-cmsout> operation do not output the parsed CMS structure. This
+For the B<-cmsout> operation do not output the parsed CMS structure. This
is useful when combined with the B<-print> option or if the syntax of the CMS
structure is being checked.
=item B<-print>
is useful when combined with the B<-print> option or if the syntax of the CMS
structure is being checked.
=item B<-print>
-for the B<-cmsout> operation print out all fields of the CMS structure. This
+For the B<-cmsout> operation print out all fields of the CMS structure. This
is mainly useful for testing purposes.
=item B<-CAfile file>
is mainly useful for testing purposes.
=item B<-CAfile file>
-a file containing trusted CA certificates, only used with B<-verify>.
+A file containing trusted CA certificates, only used with B<-verify>.
-a directory containing trusted CA certificates, only used with
+A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
-digest algorithm to use when signing or resigning. If not present then the
+Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-[cipher]>
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-[cipher]>
-the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
+The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
-when verifying a message normally certificates (if any) included in
+When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-no_signer_cert_verify>
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-no_signer_cert_verify>
-do not verify the signers certificate of a signed message.
+Do not verify the signers certificate of a signed message.
-when signing a message the signer's certificate is normally included
+When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
-normally when a message is signed a set of attributes are included which
+Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-nosmimecap>
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-nosmimecap>
-exclude the list of supported algorithms from signed attributes, other options
+Exclude the list of supported algorithms from signed attributes, other options
such as signing time and content type are still included.
=item B<-binary>
such as signing time and content type are still included.
=item B<-binary>
-normally the input message is converted to "canonical" format which is
+Normally the input message is converted to "canonical" format which is
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
-normally the output file uses a single B<LF> as end of line. When this
+Normally the output file uses a single B<LF> as end of line. When this
option is present B<CRLF> is used instead.
=item B<-asciicrlf>
option is present B<CRLF> is used instead.
=item B<-asciicrlf>
-when signing use ASCII CRLF format canonicalisation. This strips trailing
+When signing use ASCII CRLF format canonicalisation. This strips trailing
whitespace from all lines, deletes trailing blank lines at EOF and sets
the encapsulated content type. This option is normally used with detached
content and an output signature format of DER. This option is not normally
whitespace from all lines, deletes trailing blank lines at EOF and sets
the encapsulated content type. This option is normally used with detached
content and an output signature format of DER. This option is not normally
-when signing a message use opaque signing: this form is more resistant
+When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
-allows additional certificates to be specified. When signing these will
+Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-certsout file>
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-certsout file>
-any certificates contained in the message are written to B<file>.
+Any certificates contained in the message are written to B<file>.
-a signing certificate when signing or resigning a message, this option can be
+A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
-when decrypting a message this specifies the recipients certificate. The
+When decrypting a message this specifies the recipients certificate. The
certificate must match one of the recipients of the message or an error
occurs.
certificate must match one of the recipients of the message or an error
occurs.
-use subject key identifier to identify certificates instead of issuer name and
+Use subject key identifier to identify certificates instead of issuer name and
serial number. The supplied certificate B<must> include a subject key
identifier extension. Supported by B<-sign> and B<-encrypt> options.
=item B<-receipt_request_all -receipt_request_first>
serial number. The supplied certificate B<must> include a subject key
identifier extension. Supported by B<-sign> and B<-encrypt> options.
=item B<-receipt_request_all -receipt_request_first>
-for B<-sign> option include a signed receipt request. Indicate requests should
+For B<-sign> option include a signed receipt request. Indicate requests should
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it B<-receipt_request_from> is included.
=item B<-receipt_request_from emailaddress>
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it B<-receipt_request_from> is included.
=item B<-receipt_request_from emailaddress>
-for B<-sign> option include a signed receipt request. Add an explicit email
+For B<-sign> option include a signed receipt request. Add an explicit email
address where receipts should be supplied.
=item B<-receipt_request_to emailaddress>
address where receipts should be supplied.
=item B<-receipt_request_to emailaddress>
-specify symmetric key to use. The key must be supplied in hex format and be
+Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
-the key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
+The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
This option B<must> be present if the B<-secretkey> option is used with
B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
=item B<-econtent_type type>
=item B<-econtent_type type>
-set the encapsulated content type to B<type> if not supplied the B<Data> type
+Set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey file>
is used. The B<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey file>
-the private key to use when signing or decrypting. This must match the
+The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
=item B<-keyopt name:opt>
=item B<-keyopt name:opt>
-for signing and encryption this option can be used multiple times to
+For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
=item B<-passin arg>
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
=item B<-passin arg>
-
the private key password source. For more information about the format of B<arg>
+
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-rand file(s)>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-rand file(s)>
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-one or more certificates of message recipients: used when encrypting
+One or more certificates of message recipients: used when encrypting
a message.
=item B<-to, -from, -subject>
a message.
=item B<-to, -from, -subject>
-the relevant mail headers. These are included outside the signed
+The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-the operation was completely successfully.
+The operation was completely successfully.
-an error occurred parsing the command options.
+An error occurred parsing the command options.
-one of the input files could not be read.
+One of the input files could not be read.
-an error occurred creating the CMS file or when reading the MIME
+An error occurred creating the CMS file or when reading the MIME
-an error occurred decrypting or verifying the message.
+An error occurred decrypting or verifying the message.
-the message was verified correctly but an error occurred writing out
+The message was verified correctly but an error occurred writing out
the signers certificates.
=back
the signers certificates.
=back
-Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
-print out the CRL in text form.
+Print out the CRL in text form.
-option which determines how the subject or issuer names are displayed. See
+Option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)>.
=item B<-noout>
the description of B<-nameopt> in L<x509(1)>.
=item B<-noout>
-don't output the encoded version of the CRL.
+Don't output the encoded version of the CRL.
-output a hash of the issuer name. This can be use to lookup CRLs in
+Output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
=item B<-hash_old>
a directory by issuer name.
=item B<-hash_old>
-outputs the "hash" of the CRL issuer name using the older algorithm
+Outputs the "hash" of the CRL issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-issuer>
as used by OpenSSL versions before 1.0.0.
=item B<-issuer>
-output the lastUpdate field.
+Output the lastUpdate field.
-output the nextUpdate field.
+Output the nextUpdate field.
-verify the signature on a CRL by looking up the issuing certificate in
-B<file>
+Verify the signature on a CRL by looking up the issuing certificate in
+B<file>.
-verify the signature on a CRL by looking up the issuing certificate in
+Verify the signature on a CRL by looking up the issuing certificate in
B<dir>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
B<dir>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-specifies the output filename to write the PKCS#7 structure to or standard
+Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
=item B<-certfile filename>
output by default.
=item B<-certfile filename>
-
specifies a filename containing one or more certificates in B<PEM> format.
+
Specifies a filename containing one or more certificates in B<PEM> format.
All certificates in the file will be added to the PKCS#7 structure. This
option can be used more than once to read certificates form multiple
files.
=item B<-nocrl>
All certificates in the file will be added to the PKCS#7 structure. This
option can be used more than once to read certificates form multiple
files.
=item B<-nocrl>
-normally a CRL is included in the output file. With this option no CRL is
+Normally a CRL is included in the output file. With this option no CRL is
included in the output file and a CRL is not read from the input file.
=back
included in the output file and a CRL is not read from the input file.
=back
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-print out the digest in two digit groups separated by colons, only relevant if
+Print out the digest in two digit groups separated by colons, only relevant if
B<hex> format output is used.
=item B<-d>
B<hex> format output is used.
=item B<-d>
-print out BIO debugging information.
+Print out BIO debugging information.
-digest is to be output as a hex dump. This is the default case for a "normal"
+Digest is to be output as a hex dump. This is the default case for a "normal"
digest as opposed to a digital signature. See NOTES below for digital
signatures using B<-hex>.
=item B<-binary>
digest as opposed to a digital signature. See NOTES below for digital
signatures using B<-hex>.
=item B<-binary>
-output the digest or signature in binary form.
+Output the digest or signature in binary form.
-output the digest in the "coreutils" format used by programs like B<sha1sum>.
+Output the digest in the "coreutils" format used by programs like B<sha1sum>.
-filename to output to, or standard output by default.
+Filename to output to, or standard output by default.
-digitally sign the digest using the private key in "filename".
+Digitally sign the digest using the private key in "filename".
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-
the private key password source. For more information about the format of B<arg>
+
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-verify filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-verify filename>
-verify the signature using the public key in "filename".
+Verify the signature using the public key in "filename".
The output is either "Verification OK" or "Verification Failure".
=item B<-prverify filename>
The output is either "Verification OK" or "Verification Failure".
=item B<-prverify filename>
-verify the signature using the private key in "filename".
+Verify the signature using the private key in "filename".
=item B<-signature filename>
=item B<-signature filename>
-the actual signature to verify.
+The actual signature to verify.
-create a hashed MAC using "key".
+Create a hashed MAC using "key".
-create MAC (keyed Message Authentication Code). The most popular MAC
+Create MAC (keyed Message Authentication Code). The most popular MAC
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
which are not based on hash, for instance B<gost-mac> algorithm,
supported by B<ccgost> engine. MAC keys and other options should be set
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
which are not based on hash, for instance B<gost-mac> algorithm,
supported by B<ccgost> engine. MAC keys and other options should be set
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
=item B<-fips-fingerprint>
=item B<-fips-fingerprint>
-compute HMAC using a specific key
-for certain OpenSSL-FIPS operations.
+Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
-file or files to digest. If no files are specified then standard input is
+File or files to digest. If no files are specified then standard input is
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-rand> I<file(s)>
=item B<-rand> I<file(s)>
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-this option specifies that a parameter set should be generated of size
+This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2> or B<-5>) is
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2> or B<-5>) is
-this option inhibits the output of the encoded version of the parameters.
+This option inhibits the output of the encoded version of the parameters.
-this option prints out the DH parameters in human readable form.
+This option prints out the DH parameters in human readable form.
-this option converts the parameters into C code. The parameters can then
+This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.
=item B<-engine id>
be loaded by calling the get_dhNNNN() function.
=item B<-engine id>
-specifying an engine (by its unique B<id> string) will cause B<dhparam>
+Specifying an engine (by its unique B<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
-prints out the public, private key components and parameters.
+Prints out the public, private key components and parameters.
-this option prevents output of the encoded version of the key.
+This option prevents output of the encoded version of the key.
-this option prints out the value of the public key component of the key.
+This option prints out the value of the public key component of the key.
-by default a private key is read from the input file: with this option a
+By default, a private key is read from the input file. With this option a
public key is read instead.
=item B<-pubout>
public key is read instead.
=item B<-pubout>
-by default a private key is output. With this option a public
+By default, a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
=item B<-engine id>
key will be output instead. This option is automatically set if the input is
a public key.
=item B<-engine id>
-specifying an engine (by its unique B<id> string) will cause B<dsa>
+Specifying an engine (by its unique B<id> string) will cause B<dsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-this option inhibits the output of the encoded version of the parameters.
+This option inhibits the output of the encoded version of the parameters.
-this option prints out the DSA parameters in human readable form.
+This option prints out the DSA parameters in human readable form.
-this option converts the parameters into C code. The parameters can then
+This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dsaXXX() function.
=item B<-genkey>
be loaded by calling the get_dsaXXX() function.
=item B<-genkey>
-this option will generate a DSA either using the specified or generated
+This option will generate a DSA either using the specified or generated
parameters.
=item B<-rand file(s)>
parameters.
=item B<-rand file(s)>
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-this option specifies that a parameter set should be generated of size
+This option specifies that a parameter set should be generated of size
B<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
=item B<-engine id>
B<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
=item B<-engine id>
-specifying an engine (by its unique B<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-des|-des3|-idea>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-des|-des3|-idea>
-prints out the public, private key components and parameters.
+Prints out the public, private key components and parameters.
-this option prevents output of the encoded version of the key.
+This option prevents output of the encoded version of the key.
-this option prints out the value of the public key component of the key.
+This option prints out the value of the public key component of the key.
-by default a private key is read from the input file: with this option a
+By default, a private key is read from the input file. With this option a
public key is read instead.
=item B<-pubout>
public key is read instead.
=item B<-pubout>
-by default a private key is output. With this option a public
+By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
key will be output instead. This option is automatically set if the input is
a public key.
-this option checks the consistency of an EC private or public key.
+This option checks the consistency of an EC private or public key.
-specifying an engine (by its unique B<id> string) will cause B<ec>
+Specifying an engine (by its unique B<id> string) will cause B<ec>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-specifying an engine (by its unique B<id> string) will cause B<ecparam>
+Specifying an engine (by its unique B<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-specifying an engine (by its unique B<id> string) will cause B<gendsa>
+Specifying an engine (by its unique B<id> string) will cause B<gendsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-cipher>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-cipher>
-specifying an engine (by its unique B<id> string) will cause B<genpkey>
+Specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
-public key algorithm to use such as RSA, DSA or DH. If used this option must
+Public key algorithm to use such as RSA, DSA or DH. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.
=item B<-pkeyopt opt:value>
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.
=item B<-pkeyopt opt:value>
-set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details.
=item B<-genparam>
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details.
=item B<-genparam>
-generate a set of parameters instead of a private key. If used this option must
+Generate a set of parameters instead of a private key. If used this option must
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
=item B<-paramfile filename>
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
=item B<-paramfile filename>
=item B<ec_paramgen_curve:curve>
=item B<ec_paramgen_curve:curve>
-the EC curve to use. OpenSSL supports NIST curve names such as "P-256".
+The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
=item B<ec_param_enc:encoding>
=item B<ec_param_enc:encoding>
-the encoding to use for parameters. The "encoding" parameter must be either
+The encoding to use for parameters. The "encoding" parameter must be either
"named_curve" or "explicit".
=back
"named_curve" or "explicit".
=back
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format
+
of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
-the public exponent to use, either 65537 or 3. The default is 65537.
+The public exponent to use, either 65537 or 3. The default is 65537.
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-specifying an engine (by its unique B<id> string) will cause B<genrsa>
+Specifying an engine (by its unique B<id> string) will cause B<genrsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<numbits>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<numbits>
-the size of the private key to generate in bits. This must be the last option
+The size of the private key to generate in bits. This must be the last option
specified. The default is 2048.
=back
specified. The default is 2048.
=back
=item B<-req_text>, B<-resp_text>, B<-text>
=item B<-req_text>, B<-resp_text>, B<-text>
-print out the text form of the OCSP request, response or both respectively.
+Print out the text form of the OCSP request, response or both respectively.
=item B<-reqout file>, B<-respout file>
=item B<-reqout file>, B<-respout file>
-write out the DER encoded certificate request or response to B<file>.
+Write out the DER encoded certificate request or response to B<file>.
=item B<-reqin file>, B<-respin file>
=item B<-reqin file>, B<-respin file>
-read OCSP request or response file from B<file>. These option are ignored
+Read OCSP request or response file from B<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
with B<serial>, B<cert> and B<host> options).
=item B<-url responder_url>
if OCSP request or response creation is implied by other options (for example
with B<serial>, B<cert> and B<host> options).
=item B<-url responder_url>
-specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
+Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
=item B<-host hostname:port>, B<-path pathname>
=item B<-host hostname:port>, B<-path pathname>
-if the B<host> option is present then the OCSP request is sent to the host
+If the B<host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
=item B<-timeout seconds>
=item B<-timeout seconds>
-connection timeout to the OCSP responder in seconds
+Connection timeout to the OCSP responder in seconds
=item B<-CAfile file>, B<-CApath pathname>
=item B<-CAfile file>, B<-CApath pathname>
-file or pathname containing trusted CA certificates. These are used to verify
+File or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
=item B<-no-CAfile>
the signature on the OCSP response.
=item B<-no-CAfile>
=item B<-verify_other file>
=item B<-verify_other file>
-file containing additional certificates to search when attempting to locate
+File containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
=item B<-trust_other>
the OCSP response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
=item B<-trust_other>
-the certificates specified by the B<-verify_other> option should be explicitly
+The certificates specified by the B<-verify_other> option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
=item B<-VAfile file>
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
=item B<-VAfile file>
-file containing explicitly trusted responder certificates. Equivalent to the
+File containing explicitly trusted responder certificates. Equivalent to the
B<-verify_other> and B<-trust_other> options.
=item B<-noverify>
B<-verify_other> and B<-trust_other> options.
=item B<-noverify>
-don't attempt to verify the OCSP response signature or the nonce values. This
-option will normally only be used for debugging since it disables all verification
-of the responders certificate.
+Don't attempt to verify the OCSP response signature or the nonce
+values. This option will normally only be used for debugging since it
+disables all verification of the responders certificate.
-ignore certificates contained in the OCSP response when searching for the
+Ignore certificates contained in the OCSP response when searching for the
signers certificate. With this option the signers certificate must be specified
with either the B<-verify_other> or B<-VAfile> options.
=item B<-no_signature_verify>
signers certificate. With this option the signers certificate must be specified
with either the B<-verify_other> or B<-VAfile> options.
=item B<-no_signature_verify>
-don't check the signature on the OCSP response. Since this option tolerates invalid
-signatures on OCSP responses it will normally only be used for testing purposes.
+Don't check the signature on the OCSP response. Since this option
+tolerates invalid signatures on OCSP responses it will normally only be
+used for testing purposes.
-don't verify the OCSP response signers certificate at all. Since this option allows
-the OCSP response to be signed by any certificate it should only be used for
-testing purposes.
+Don't verify the OCSP response signers certificate at all. Since this
+option allows the OCSP response to be signed by any certificate it should
+only be used for testing purposes.
-do not use certificates in the response as additional untrusted CA
+Do not use certificates in the response as additional untrusted CA
certificates.
=item B<-no_explicit>
certificates.
=item B<-no_explicit>
-do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
-don't perform any additional checks on the OCSP response signers certificate.
+Don't perform any additional checks on the OCSP response signers certificate.
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
=item B<-validity_period nsec>, B<-status_age age>
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
=item B<-validity_period nsec>, B<-status_age age>
-these options specify the range of times, in seconds, which will be tolerated
+These options specify the range of times, in seconds, which will be tolerated
in an OCSP response. Each certificate status response includes a B<notBefore>
time and an optional B<notAfter> time. The current time should fall between
these two values, but the interval between the two times may be only a few
in an OCSP response. Each certificate status response includes a B<notBefore>
time and an optional B<notAfter> time. The current time should fall between
these two values, but the interval between the two times may be only a few
-this option sets digest algorithm to use for certificate identification in the
+This option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-1. This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-1. This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
=item B<-index indexfile>
=item B<-index indexfile>
-B<indexfile> is a text index file in B<ca> format containing certificate revocation
-information.
+The B<indexfile> parameter is the name of a text index file in B<ca>
+format containing certificate revocation information.
-If the B<index> option is specified the B<ocsp> utility is in responder mode, otherwise
-it is in client mode. The request(s) the responder processes can be either specified on
-the command line (using B<issuer> and B<serial> options), supplied in a file (using the
-B<reqin> option) or via external OCSP clients (if B<port> or B<url> is specified).
+If the B<index> option is specified the B<ocsp> utility is in responder
+mode, otherwise it is in client mode. The request(s) the responder
+processes can be either specified on the command line (using B<issuer>
+and B<serial> options), supplied in a file (using the B<reqin> option)
+or via external OCSP clients (if B<port> or B<url> is specified).
-If the B<index> option is present then the B<CA> and B<rsigner> options must also be
-present.
+If the B<index> option is present then the B<CA> and B<rsigner> options
+must also be present.
-Identify the signer certificate using the key ID, default is to use the subject name.
+Identify the signer certificate using the key ID, default is to use the
+subject name.
-The private key to sign OCSP responses with: if not present the file specified in the
-B<rsigner> option is used.
+The private key to sign OCSP responses with: if not present the file
+specified in the B<rsigner> option is used.
-Port to listen for OCSP requests on. The port may also be specified using the B<url>
-option.
+Port to listen for OCSP requests on. The port may also be specified
+using the B<url> option.
=item B<-nrequest number>
=item B<-nrequest number>
=item B<-nmin minutes>, B<-ndays days>
=item B<-nmin minutes>, B<-ndays days>
-Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
-is omitted meaning fresh revocation information is immediately available.
+Number of minutes or days when fresh revocation information is available:
+used in the B<nextUpdate> field. If neither option is present then the
+B<nextUpdate> field is omitted meaning fresh revocation information is
+immediately available.
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-CMS (Cryptographic Message Syntax) utility
+CMS (Cryptographic Message Syntax) utility.
=item L<B<dhparam>|dhparam(1)>
Generation and Management of Diffie-Hellman Parameters. Superseded by
=item L<B<dhparam>|dhparam(1)>
Generation and Management of Diffie-Hellman Parameters. Superseded by
-L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
-
+L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.
=item L<B<dsaparam>|dsaparam(1)>
DSA Parameter Generation and Management. Superseded by
=item L<B<dsaparam>|dsaparam(1)>
DSA Parameter Generation and Management. Superseded by
-L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
+L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.
-EC (Elliptic curve) key processing
+EC (Elliptic curve) key processing.
=item L<B<ecparam>|ecparam(1)>
=item L<B<ecparam>|ecparam(1)>
-EC parameter manipulation and generation
+EC parameter manipulation and generation.
=item L<B<gendsa>|gendsa(1)>
Generation of DSA Private Key from Parameters. Superseded by
=item L<B<gendsa>|gendsa(1)>
Generation of DSA Private Key from Parameters. Superseded by
-L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
+L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>.
=item L<B<genpkey>|genpkey(1)>
=item L<B<genpkey>|genpkey(1)>
-Create or examine a Netscape certificate sequence
+Create or examine a Netscape certificate sequence.
=item L<B<rsautl>|rsautl(1)>
RSA utility for signing, verification, encryption, and decryption. Superseded
=item L<B<rsautl>|rsautl(1)>
RSA utility for signing, verification, encryption, and decryption. Superseded
-by L<B<pkeyutl>|pkeyutl(1)>
+by L<B<pkeyutl>|pkeyutl(1)>.
=item L<B<s_client>|s_client(1)>
=item L<B<s_client>|s_client(1)>
=item L<B<spkac>|spkac(1)>
=item L<B<spkac>|spkac(1)>
-SPKAC printing and generating utility
+SPKAC printing and generating utility.
-Time Stamping Authority tool (client/server)
+Time Stamping Authority tool (client/server).
=item L<B<verify>|verify(1)>
=item L<B<verify>|verify(1)>
-
the actual password is B<password>. Since the password is visible
+
The actual password is B<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
=item B<env:var>
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
=item B<env:var>
-obtain the password from the environment variable B<var>. Since
+Obtain the password from the environment variable B<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
=item B<file:pathname>
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
=item B<file:pathname>
-
the first line of B<pathname> is the password. If the same B<pathname>
+
The first line of B<pathname> is the password. If the same B<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
-read the password from the file descriptor B<number>. This can be used to
+Read the password from the file descriptor B<number>. This can be used to
send the data via a pipe for example.
=item B<stdin>
send the data via a pipe for example.
=item B<stdin>
-read the password from standard input.
+Read the password from standard input.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-the PKCS#12 file (i.e. input file) password source. For more information about
+The PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passout arg>
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passout arg>
-pass phrase source to encrypt any outputted private keys with. For more
+Pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
-this option inhibits output of the keys and certificates to the output file
+This option inhibits output of the keys and certificates to the output file
version of the PKCS#12 file.
=item B<-clcerts>
version of the PKCS#12 file.
=item B<-clcerts>
-only output client certificates (not CA certificates).
+Only output client certificates (not CA certificates).
-only output CA certificates (not client certificates).
+Only output CA certificates (not client certificates).
-no certificates at all will be output.
+No certificates at all will be output.
-no private keys will be output.
+No private keys will be output.
-output additional information about the PKCS#12 file structure, algorithms used and
-iteration counts.
+Output additional information about the PKCS#12 file structure, algorithms
+used and iteration counts.
-use DES to encrypt private keys before outputting.
+Use DES to encrypt private keys before outputting.
-use triple DES to encrypt private keys before outputting, this is the default.
+Use triple DES to encrypt private keys before outputting, this is the default.
-use IDEA to encrypt private keys before outputting.
+Use IDEA to encrypt private keys before outputting.
=item B<-aes128>, B<-aes192>, B<-aes256>
=item B<-aes128>, B<-aes192>, B<-aes256>
-use AES to encrypt private keys before outputting.
+Use AES to encrypt private keys before outputting.
=item B<-aria128>, B<-aria192>, B<-aria256>
=item B<-aria128>, B<-aria192>, B<-aria256>
-use ARIA to encrypt private keys before outputting.
+Use ARIA to encrypt private keys before outputting.
=item B<-camellia128>, B<-camellia192>, B<-camellia256>
=item B<-camellia128>, B<-camellia192>, B<-camellia256>
-use Camellia to encrypt private keys before outputting.
+Use Camellia to encrypt private keys before outputting.
-don't encrypt the private keys at all.
+Don't encrypt the private keys at all.
-don't attempt to verify the integrity MAC before reading the file.
+Don't attempt to verify the integrity MAC before reading the file.
-prompt for separate integrity and encryption passwords: most software
+Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
PKCS#12 files unreadable.
always assumes these are the same so this option will render such
PKCS#12 files unreadable.
-file to read private key from. If not present then a private key must be present
+File to read private key from. If not present then a private key must be present
in the input file.
=item B<-name friendlyname>
in the input file.
=item B<-name friendlyname>
=item B<-pass arg>, B<-passout arg>
=item B<-pass arg>, B<-passout arg>
-the PKCS#12 file (i.e. output file) password source. For more information about
+The PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin password>
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin password>
-pass phrase source to decrypt any input private keys with. For more information
+Pass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-chain>
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-chain>
-if this option is present then an attempt is made to include the entire
+If this option is present then an attempt is made to include the entire
certificate chain of the user certificate. The standard CA store is used
for this search. If the search fails it is considered a fatal error.
=item B<-descert>
certificate chain of the user certificate. The standard CA store is used
for this search. If the search fails it is considered a fatal error.
=item B<-descert>
-encrypt the certificate using triple DES, this may render the PKCS#12
+Encrypt the certificate using triple DES, this may render the PKCS#12
file unreadable by some "export grade" software. By default the private
key is encrypted using triple DES and the certificate using 40 bit RC2.
=item B<-keypbe alg>, B<-certpbe alg>
file unreadable by some "export grade" software. By default the private
key is encrypted using triple DES and the certificate using 40 bit RC2.
=item B<-keypbe alg>, B<-certpbe alg>
-these options allow the algorithm used to encrypt the private key and
+These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
can be used (see B<NOTES> section for more information). If a cipher name
(as output by the B<list-cipher-algorithms> command is specified then it
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
can be used (see B<NOTES> section for more information). If a cipher name
(as output by the B<list-cipher-algorithms> command is specified then it
-specifies that the private key is to be used for key exchange or just signing.
+Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by MSIE and similar MS software. Normally
"export grade" software will only allow 512 bit RSA keys to be used for
encryption purposes but arbitrary length keys for signing. The B<-keysig>
This option is only interpreted by MSIE and similar MS software. Normally
"export grade" software will only allow 512 bit RSA keys to be used for
encryption purposes but arbitrary length keys for signing. The B<-keysig>
-specify the MAC digest algorithm. If not included them SHA1 will be used.
+Specify the MAC digest algorithm. If not included them SHA1 will be used.
=item B<-nomaciter>, B<-noiter>
=item B<-nomaciter>, B<-noiter>
-these options affect the iteration counts on the MAC and key algorithms.
+These options affect the iteration counts on the MAC and key algorithms.
Unless you wish to produce files compatible with MSIE 4.0 you should leave
these options alone.
Unless you wish to produce files compatible with MSIE 4.0 you should leave
these options alone.
-don't attempt to provide the MAC integrity.
+Don't attempt to provide the MAC integrity.
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
-write B<name> as a Microsoft CSP name.
+Write B<name> as a Microsoft CSP name.
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
default.
=item B<-print_certs>
default.
=item B<-print_certs>
-prints out any certificates or CRLs contained in the file. They are
+Prints out any certificates or CRLs contained in the file. They are
preceded by their subject and issuer names in one line format.
=item B<-text>
preceded by their subject and issuer names in one line format.
=item B<-text>
-prints out certificates details in full rather than just subject and
+Prints out certificates details in full rather than just subject and
issuer names.
=item B<-noout>
issuer names.
=item B<-noout>
-don't output the encoded version of the PKCS#7 structure (or certificates
+Don't output the encoded version of the PKCS#7 structure (or certificates
is B<-print_certs> is set).
=item B<-engine id>
is B<-print_certs> is set).
=item B<-engine id>
-
specifying an engine (by its unique B<id> string) will cause B<pkcs7>
+
Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-iter count>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-iter count>
-
specifying an engine (by its unique B<id> string) will cause B<pkcs8>
+
Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-scrypt>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-scrypt>
-uses the B<scrypt> algorithm for private key encryption using default
+Uses the B<scrypt> algorithm for private key encryption using default
parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
B<-scrypt_p> and B<-v2> options.
parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
B<-scrypt_p> and B<-v2> options.
-B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
+=item B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
-
sets the scrypt B<N>, B<r> or B<p> parameters.
+
Sets the scrypt B<N>, B<r> or B<p> parameters.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
=item B<-passout password>
=item B<-passout password>
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-traditional>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-traditional>
-normally a private key is written using standard format: this is PKCS#8 form
+Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
-prints out the various public or private key components in
+Prints out the various public or private key components in
plain text in addition to the encoded version.
=item B<-text_pub>
plain text in addition to the encoded version.
=item B<-text_pub>
-print out only public key components even if a private key is being processed.
+Print out only public key components even if a private key is being processed.
-do not output the encoded version of the key.
+Do not output the encoded version of the key.
-by default a private key is read from the input file: with this
+By default a private key is read from the input file: with this
option a public key is read instead.
=item B<-pubout>
option a public key is read instead.
=item B<-pubout>
-by default a private key is output: with this option a public
+By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
=item B<-engine id>
key will be output instead. This option is automatically set if
the input is a public key.
=item B<-engine id>
-
specifying an engine (by its unique B<id> string) will cause B<pkey>
+
Specifying an engine (by its unique B<id> string) will cause B<pkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-prints out the parameters in plain text in addition to the encoded version.
+Prints out the parameters in plain text in addition to the encoded version.
-do not output the encoded version of the parameters.
+Do not output the encoded version of the parameters.
-
specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
+
Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
default.
=item B<-sigfile file>
default.
=item B<-sigfile file>
-the input key file, by default it should be a private key.
+The input key file, by default it should be a private key.
=item B<-keyform PEM|DER|ENGINE>
=item B<-keyform PEM|DER|ENGINE>
-the key format PEM, DER or ENGINE. Default is PEM.
+The key format PEM, DER or ENGINE. Default is PEM.
-
the input key password source. For more information about the format of B<arg>
+
The input key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-the peer key file, used by key derivation (agreement) operations.
+The peer key file, used by key derivation (agreement) operations.
=item B<-peerform PEM|DER|ENGINE>
=item B<-peerform PEM|DER|ENGINE>
-the peer key format PEM, DER or ENGINE. Default is PEM.
+The peer key format PEM, DER or ENGINE. Default is PEM.
-the input file is a public key.
+The input file is a public key.
-the input is a certificate containing a public key.
+The input is a certificate containing a public key.
-reverse the order of the input buffer. This is useful for some libraries
+Reverse the order of the input buffer. This is useful for some libraries
(such as CryptoAPI) which represent the buffer in little endian format.
=item B<-sign>
(such as CryptoAPI) which represent the buffer in little endian format.
=item B<-sign>
-sign the input data and output the signed result. This requires
+Sign the input data and output the signed result. This requires
a private key.
=item B<-verify>
a private key.
=item B<-verify>
-verify the input data against the signature file and indicate if the
+Verify the input data against the signature file and indicate if the
verification succeeded or failed.
=item B<-verifyrecover>
verification succeeded or failed.
=item B<-verifyrecover>
-verify the input data and output the recovered data.
+Verify the input data and output the recovered data.
-encrypt the input data using a public key.
+Encrypt the input data using a public key.
-decrypt the input data using a private key.
+Decrypt the input data using a private key.
-derive a shared secret using the peer key.
+Derive a shared secret using the peer key.
-asn1parse the output data, this is useful when combined with the
+Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
=item B<-engine id>
B<-verifyrecover> option when an ASN1 structure is signed.
=item B<-engine id>
-
specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
+
Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-text>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-text>
-prints out the certificate request in text form.
+Prints out the certificate request in text form.
-prints out the request subject (or certificate subject if B<-x509> is
+Prints out the request subject (or certificate subject if B<-x509> is
specified)
=item B<-pubkey>
specified)
=item B<-pubkey>
-this option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the request.
-this option prints out the value of the modulus of the public key
+This option prints out the value of the modulus of the public key
contained in the request.
=item B<-verify>
contained in the request.
=item B<-verify>
-verifies the signature on the request.
+Verifies the signature on the request.
-this option generates a new certificate request. It will prompt
+This option generates a new certificate request. It will prompt
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-this option creates a new certificate request and a new private
+This option creates a new certificate request and a new private
key. The argument takes one of several forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
key. The argument takes one of several forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
=item B<-pkeyopt opt:value>
=item B<-pkeyopt opt:value>
-set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
=item B<-keyform PEM|DER>
=item B<-keyform PEM|DER>
-the format of the private key file specified in the B<-key>
+The format of the private key file specified in the B<-key>
argument. PEM is the default.
=item B<-keyout filename>
argument. PEM is the default.
=item B<-keyout filename>
-this gives the filename to write the newly created private key to.
+This gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
configuration file is used.
=item B<-nodes>
If this option is not specified then the filename present in the
configuration file is used.
=item B<-nodes>
-if this option is specified then if a private key is created it
+If this option is specified then if a private key is created it
will not be encrypted.
=item B<-[digest]>
will not be encrypted.
=item B<-[digest]>
-this specifies the message digest to sign the request.
+This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
This overrides the digest algorithm specified in
the configuration file.
Any digest supported by the OpenSSL B<dgst> command can be used.
This overrides the digest algorithm specified in
the configuration file.
=item B<-config filename>
=item B<-config filename>
-this allows an alternative configuration file to be specified.
+This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
=item B<-subj arg>
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
=item B<-subj arg>
-sets subject name for new request or supersedes the subject name
+Sets subject name for new request or supersedes the subject name
when processing a request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-multivalue-rdn>
when processing a request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-multivalue-rdn>
-this option causes the -subj argument to be interpreted with full
+This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-this option outputs a self signed certificate instead of a certificate
+This option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
-when the B<-x509> option is being used this specifies the number of
+When the B<-x509> option is being used this specifies the number of
days to certify the certificate for. The default is 30 days.
=item B<-set_serial n>
days to certify the certificate for. The default is 30 days.
=item B<-set_serial n>
-serial number to use when outputting a self signed certificate. This
+Serial number to use when outputting a self signed certificate. This
may be specified as a decimal value or a hex value if preceded by B<0x>.
=item B<-extensions section>
=item B<-reqexts section>
may be specified as a decimal value or a hex value if preceded by B<0x>.
=item B<-extensions section>
=item B<-reqexts section>
-these options specify alternative sections to include certificate
+These options specify alternative sections to include certificate
extensions (if the B<-x509> option is present) or certificate
request extensions. This allows several different sections to
be used in the same configuration file to specify requests for
extensions (if the B<-x509> option is present) or certificate
request extensions. This allows several different sections to
be used in the same configuration file to specify requests for
-a poison extension will be added to the certificate, making it a
+A poison extension will be added to the certificate, making it a
"pre-certificate" (see RFC6962). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
These SCTs can then be embedded into the pre-certificate as an extension, before
"pre-certificate" (see RFC6962). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
These SCTs can then be embedded into the pre-certificate as an extension, before
-this option causes field values to be interpreted as UTF8 strings, by
+This option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-nameopt option>
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-nameopt option>
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-reqopt>
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-reqopt>
-customise the output format used with B<-text>. The B<option> argument can be
+Customise the output format used with B<-text>. The B<option> argument can be
a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
-print extra details about the operations being performed.
+Print extra details about the operations being performed.
-specifying an engine (by its unique B<id> string) will cause B<req>
+Specifying an engine (by its unique B<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-keygen_engine id>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-keygen_engine id>
-specifies an engine (by its unique B<id> string) which would be used
+Specifies an engine (by its unique B<id> string) which would be used
for key generation operations.
=back
for key generation operations.
=back
-this specifies the configuration file section containing a list of
+This specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
by the B<-reqexts> command line switch. See the
L<x509v3_config(5)> manual page for details of the
extensions to add to the certificate request. It can be overridden
by the B<-reqexts> command line switch. See the
L<x509v3_config(5)> manual page for details of the
-this specifies the configuration file section containing a list of
+This specifies the configuration file section containing a list of
extensions to add to certificate generated when the B<-x509> switch
is used. It can be overridden by the B<-extensions> command line switch.
=item B<prompt>
extensions to add to certificate generated when the B<-x509> switch
is used. It can be overridden by the B<-extensions> command line switch.
=item B<prompt>
-if set to the value B<no> this disables prompting of certificate fields
+If set to the value B<no> this disables prompting of certificate fields
and just takes values from the config file directly. It also changes the
expected format of the B<distinguished_name> and B<attributes> sections.
=item B<utf8>
and just takes values from the config file directly. It also changes the
expected format of the B<distinguished_name> and B<attributes> sections.
=item B<utf8>
-if set to the value B<yes> then field values to be interpreted as UTF8
+If set to the value B<yes> then field values to be interpreted as UTF8
strings, by default they are interpreted as ASCII. This means that
the field values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<attributes>
strings, by default they are interpreted as ASCII. This means that
the field values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<attributes>
-this specifies the section containing any request attributes: its format
+This specifies the section containing any request attributes: its format
is the same as B<distinguished_name>. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.
is the same as B<distinguished_name>. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
=item B<-passout password>
=item B<-passout password>
-
the output file password source. For more information about the format of B<arg>
+
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
-prints out the various public or private key components in
+Prints out the various public or private key components in
plain text in addition to the encoded version.
=item B<-noout>
plain text in addition to the encoded version.
=item B<-noout>
-this option prevents output of the encoded version of the key.
+This option prevents output of the encoded version of the key.
-this option prints out the value of the modulus of the key.
+This option prints out the value of the modulus of the key.
-this option checks the consistency of an RSA private key.
+This option checks the consistency of an RSA private key.
-by default a private key is read from the input file: with this
+By default a private key is read from the input file: with this
option a public key is read instead.
=item B<-pubout>
option a public key is read instead.
=item B<-pubout>
-by default a private key is output: with this option a public
+By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
key will be output instead. This option is automatically set if
the input is a public key.
=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
-like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
+Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
-specifying an engine (by its unique B<id> string) will cause B<rsa>
+Specifying an engine (by its unique B<id> string) will cause B<rsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
default.
=item B<-inkey file>
default.
=item B<-inkey file>
-the input key file, by default it should be an RSA private key.
+The input key file, by default it should be an RSA private key.
=item B<-keyform PEM|DER|ENGINE>
=item B<-keyform PEM|DER|ENGINE>
-the key format PEM, DER or ENGINE.
+The key format PEM, DER or ENGINE.
-the input file is an RSA public key.
+The input file is an RSA public key.
-the input is a certificate containing an RSA public key.
+The input is a certificate containing an RSA public key.
-sign the input data and output the signed result. This requires
+Sign the input data and output the signed result. This requires
an RSA private key.
=item B<-verify>
an RSA private key.
=item B<-verify>
-verify the input data and output the recovered data.
+Verify the input data and output the recovered data.
-encrypt the input data using an RSA public key.
+Encrypt the input data using an RSA public key.
-decrypt the input data using an RSA private key.
+Decrypt the input data using an RSA private key.
=item B<-pkcs, -oaep, -ssl, -raw>
=item B<-pkcs, -oaep, -ssl, -raw>
-the padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
special padding used in SSL v2 backwards compatible handshakes,
or no padding, respectively.
For signatures, only B<-pkcs> and B<-raw> can be used.
=item B<-hexdump>
special padding used in SSL v2 backwards compatible handshakes,
or no padding, respectively.
For signatures, only B<-pkcs> and B<-raw> can be used.
=item B<-hexdump>
-hex dump the output data.
+Hex dump the output data.
-asn1parse the output data, this is useful when combined with the
+Parse the ASN.1 output data, this is useful when combined with the
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-reconnects to the same server 5 times using the same session ID, this can
+Reconnects to the same server 5 times using the same session ID, this can
be used as a test that session caching is working.
=item B<-showcerts>
be used as a test that session caching is working.
=item B<-showcerts>
-display the whole server certificate chain: normally only the server
+Display the whole server certificate chain: normally only the server
certificate itself is displayed.
=item B<-prexit>
certificate itself is displayed.
=item B<-prexit>
-print session information when the program exits. This will always attempt
+Print session information when the program exits. This will always attempt
to print out information even if the connection fails. Normally information
will only be printed out once if the connection succeeds. This option is useful
because the cipher in use may be renegotiated or the connection may fail
to print out information even if the connection fails. Normally information
will only be printed out once if the connection succeeds. This option is useful
because the cipher in use may be renegotiated or the connection may fail
-prints out the SSL session states.
+Prints out the SSL session states.
-print extensive debugging information including a hex dump of all traffic.
+Print extensive debugging information including a hex dump of all traffic.
-show all protocol messages with hex dump.
+Show all protocol messages with hex dump.
-show verbose trace output of protocol messages. OpenSSL needs to be compiled
+Show verbose trace output of protocol messages. OpenSSL needs to be compiled
with B<enable-ssl-trace> for this option to work.
=item B<-msgfile>
with B<enable-ssl-trace> for this option to work.
=item B<-msgfile>
-file to send output of B<-msg> or B<-trace> to, default standard output.
+File to send output of B<-msg> or B<-trace> to, default standard output.
-turns on non-blocking I/O
+Turns on non-blocking I/O
-this option translated a line feed from the terminal into CR+LF as required
+This option translated a line feed from the terminal into CR+LF as required
by some servers.
=item B<-ign_eof>
by some servers.
=item B<-ign_eof>
-inhibit shutting down the connection when end of file is reached in the
+Inhibit shutting down the connection when end of file is reached in the
-inhibit printing of session and certificate information. This implicitly
+Inhibit printing of session and certificate information. This implicitly
turns on B<-ign_eof> as well.
=item B<-no_ign_eof>
turns on B<-ign_eof> as well.
=item B<-no_ign_eof>
-shut down the connection when end of file is reached in the input.
+Shut down the connection when end of file is reached in the input.
Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity identity>
Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity identity>
-switch on asynchronous mode. Cryptographic operations will be performed
+Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
-a suitable ciphersuite has been negotiated, an engine that supports pipelining
+a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
-engine) and a suitable ciphersuite has been negotiated. The default value is 1.
+engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
=item B<-read_buf int>
See L<SSL_CTX_set_max_pipelines(3)> for further information.
=item B<-read_buf int>
-there are several known bug in SSL and TLS implementations. Adding this
+There are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
=item B<-comp>
option enables various workarounds.
=item B<-comp>
-only provide a brief summary of connection parameters instead of the
+Only provide a brief summary of connection parameters instead of the
normal verbose output.
=item B<-sigalgs sigalglist>
normal verbose output.
=item B<-sigalgs sigalglist>
=item B<-cipher cipherlist>
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. Although
+This allows the cipher list sent by the client to be modified. Although
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
=item B<-starttls protocol>
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
=item B<-starttls protocol>
-send the protocol-specific message(s) to switch to TLS for communication.
+Send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
-print out a hex dump of any TLS extensions received from the server.
+Print out a hex dump of any TLS extensions received from the server.
-disable RFC4507bis session ticket support.
+Disable RFC4507bis session ticket support.
=item B<-sess_out filename>
=item B<-sess_out filename>
-output SSL session to B<filename>
+Output SSL session to B<filename>.
=item B<-sess_in sess.pem>
=item B<-sess_in sess.pem>
-load SSL session from B<filename>. The client will attempt to resume a
+Load SSL session from B<filename>. The client will attempt to resume a
connection from this session.
=item B<-engine id>
connection from this session.
=item B<-engine id>
-specifying an engine (by its unique B<id> string) will cause B<s_client>
+Specifying an engine (by its unique B<id> string) will cause B<s_client>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-rand file(s)>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-rand file(s)>
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
=item B<-serverinfo types>
=item B<-serverinfo types>
-a list of comma-separated TLS Extension Types (numbers between 0 and
+A list of comma-separated TLS Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello TLS Extension.
The server's response (if any) will be encoded and displayed as a PEM
file.
=item B<-status>
65535). Each type will be sent as an empty ClientHello TLS Extension.
The server's response (if any) will be encoded and displayed as a PEM
file.
=item B<-status>
-sends a certificate status request to the server (OCSP stapling). The server
+Sends a certificate status request to the server (OCSP stapling). The server
response (if any) is printed out.
=item B<-alpn protocols>, B<-nextprotoneg protocols>
response (if any) is printed out.
=item B<-alpn protocols>, B<-nextprotoneg protocols>
-these flags enable the
-Enable the Application-Layer Protocol Negotiation or Next Protocol
-Negotiation extension, respectively. ALPN is the IETF standard and
-replaces NPN.
-The B<protocols> list is a
-comma-separated protocol names that the client should advertise
-support for. The list should contain most wanted protocols first.
-Protocol names are printable ASCII strings, for example "http/1.1" or
-"spdy/3".
-Empty list of protocols is treated specially and will cause the client to
-advertise support for the TLS extension but disconnect just after
-receiving ServerHello with a list of server supported protocols.
+These flags enable the Enable the Application-Layer Protocol Negotiation
+or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
+IETF standard and replaces NPN.
+The B<protocols> list is a comma-separated list of protocol names that
+the client should advertise support for. The list should contain the most
+desirable protocols first. Protocol names are printable ASCII strings,
+for example "http/1.1" or "spdy/3".
+An empty list of protocols is treated specially and will cause the
+client to advertise support for the TLS extension but disconnect just
+after receiving ServerHello with a list of server supported protocols.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
=item B<-verify depth>, B<-Verify depth>
=item B<-verify depth>, B<-Verify depth>
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
-If the ciphersuite cannot request a client certificate (for example an
-anonymous ciphersuite or PSK) this option has no effect.
+If the cipher suite cannot request a client certificate (for example an
+anonymous cipher suite or PSK) this option has no effect.
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-Turns on non blocking I/O
+Turns on non blocking I/O.
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
-a suitable ciphersuite has been negotiated, an engine that supports pipelining
+a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
-engine) and a suitable ciphersuite has been negotiated. The default value is 1.
+engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
=item B<-read_buf int>
See L<SSL_CTX_set_max_pipelines(3)> for further information.
=item B<-read_buf int>
=item B<-client_sigalgs sigalglist>
Signature algorithms to support for client certificate authentication
=item B<-client_sigalgs sigalglist>
Signature algorithms to support for client certificate authentication
=item B<-named_curve curve>
=item B<-named_curve curve>
=item B<-alpn protocols>, B<-nextprotoneg protocols>
=item B<-alpn protocols>, B<-nextprotoneg protocols>
-these flags enable the
-Enable the Application-Layer Protocol Negotiation or Next Protocol
-Negotiation extension, respectively. ALPN is the IETF standard and
-replaces NPN.
-The B<protocols> list is a
-comma-separated list of supported protocol names.
-The list should contain most wanted protocols first.
+These flags enable the Enable the Application-Layer Protocol Negotiation
+or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
+IETF standard and replaces NPN.
+The B<protocols> list is a comma-separated list of supported protocol
+names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
-end the current SSL connection but still accept new connections.
+End the current SSL connection but still accept new connections.
-end the current SSL connection and exit.
+End the current SSL connection and exit.
-renegotiate the SSL session.
+Renegotiate the SSL session.
-renegotiate the SSL session and request a client certificate.
+Renegotiate the SSL session and request a client certificate.
-send some plain text down the underlying TCP connection: this should
+Send some plain text down the underlying TCP connection: this should
cause the client to disconnect due to a protocol violation.
=item B<S>
cause the client to disconnect due to a protocol violation.
=item B<S>
-print out some session cache status information.
+Print out some session cache status information.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-performs the timing test using a new session ID for each connection.
+Performs the timing test using a new session ID for each connection.
If neither B<-new> nor B<-reuse> are specified, they are both on by default
and executed in sequence.
=item B<-reuse>
If neither B<-new> nor B<-reuse> are specified, they are both on by default
and executed in sequence.
=item B<-reuse>
-performs the timing test using the same session ID; this can be used as a test
+Performs the timing test using the same session ID; this can be used as a test
that session caching is working. If neither B<-new> nor B<-reuse> are
specified, they are both on by default and executed in sequence.
=item B<-nbio>
that session caching is working. If neither B<-new> nor B<-reuse> are
specified, they are both on by default and executed in sequence.
=item B<-nbio>
-turns on non-blocking I/O.
+Turns on non-blocking I/O.
-these options disable the use of certain SSL or TLS protocols. By default
+These options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3 or TLS as appropriate.
The timing program is not as rich in options to turn protocols on and off as
the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3 or TLS as appropriate.
The timing program is not as rich in options to turn protocols on and off as
-there are several known bug in SSL and TLS implementations. Adding this
+There are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
=item B<-cipher cipherlist>
option enables various workarounds.
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. Although
+This allows the cipher list sent by the client to be modified. Although
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client.
See the L<ciphers(1)> command for more information.
=item B<-time length>
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client.
See the L<ciphers(1)> command for more information.
=item B<-time length>
-specifies how long (in seconds) B<s_time> should establish connections and
+Specifies how long (in seconds) B<s_time> should establish connections and
optionally transfer payload data from a server. Server and client performance
and the link speed determine how many connections B<s_time> can establish.
optionally transfer payload data from a server. Server and client performance
and the link speed determine how many connections B<s_time> can establish.
-Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-prints out the various public or private key components in
+Prints out the various public or private key components in
plain text in addition to the encoded version.
=item B<-cert>
plain text in addition to the encoded version.
=item B<-cert>
-if a certificate is present in the session it will be output using this option,
+If a certificate is present in the session it will be output using this option,
if the B<-text> option is also present then it will be printed out in text form.
=item B<-noout>
if the B<-text> option is also present then it will be printed out in text form.
=item B<-noout>
-this option prevents output of the encoded version of the session.
+This option prevents output of the encoded version of the session.
-this option can set the session id so the output session information uses the
+This option can set the session id so the output session information uses the
supplied ID. The ID can be any string of characters. This option won't normally
be used.
supplied ID. The ID can be any string of characters. This option won't normally
be used.
-this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
+This is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
-the cipher used this is the actual raw SSL or TLS cipher code, see the SSL
+The cipher used this is the actual raw SSL or TLS cipher code, see the SSL
or TLS specifications for more information.
=item B<Session-ID>
or TLS specifications for more information.
=item B<Session-ID>
-the SSL session ID in hex format.
+The SSL session ID in hex format.
-the session ID context in hex format.
+The session ID context in hex format.
-this is the SSL session master key.
+This is the SSL session master key.
-this is the session start time represented as an integer in standard Unix format.
+This is the session start time represented as an integer in standard
+Unix format.
=item B<Verify return code>
=item B<Verify return code>
-this is the return code when an SSL client certificate is verified.
+This is the return code when an SSL client certificate is verified.
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
-Since the SSL session output contains the master key it is possible to read the contents
-of an encrypted session using this information. Therefore appropriate security precautions
-should be taken if the information is being output by a "real" application. This is
-however strongly discouraged and should only be used for debugging purposes.
+Since the SSL session output contains the master key it is
+possible to read the contents of an encrypted session using this
+information. Therefore appropriate security precautions should be taken if
+the information is being output by a "real" application. This is however
+strongly discouraged and should only be used for debugging purposes.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-encrypt mail for the given recipient certificates. Input file is the message
+Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in MIME format.
Note that no revocation check is done for the recipient cert, so if that
to be encrypted. The output file is the encrypted mail in MIME format.
Note that no revocation check is done for the recipient cert, so if that
-decrypt mail using the supplied certificate and private key. Expects an
+Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-sign>
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-sign>
-sign mail using the supplied certificate and private key. Input file is
+Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
-verify signed mail. Expects a signed mail message on input and outputs
+Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
=item B<-pk7out>
the signed data. Both clear text and opaque signing is supported.
=item B<-pk7out>
-takes an input message and writes out a PEM encoded PKCS#7 structure.
+Takes an input message and writes out a PEM encoded PKCS#7 structure.
-resign a message: take an existing message and one or more new signers.
+Resign a message: take an existing message and one or more new signers.
-the input message to be encrypted or signed or the MIME message to
+The input message to be encrypted or signed or the MIME message to
be decrypted or verified.
=item B<-inform SMIME|PEM|DER>
be decrypted or verified.
=item B<-inform SMIME|PEM|DER>
-this specifies the input format for the PKCS#7 structure. The default
+This specifies the input format for the PKCS#7 structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format PKCS#7 structures
instead. This currently only affects the input format of the PKCS#7
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format PKCS#7 structures
instead. This currently only affects the input format of the PKCS#7
-the message text that has been decrypted or verified or the output MIME
+The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
-this specifies the output format for the PKCS#7 structure. The default
+This specifies the output format for the PKCS#7 structure. The default
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format PKCS#7 structures
instead. This currently only affects the output format of the PKCS#7
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format PKCS#7 structures
instead. This currently only affects the output format of the PKCS#7
=item B<-stream -indef -noindef>
=item B<-stream -indef -noindef>
-the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
+The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
-disable streaming I/O where it would produce and indefinite length constructed
+Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-this option adds plain text (text/plain) MIME headers to the supplied
+This option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-CAfile file>
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-CAfile file>
-a file containing trusted CA certificates, only used with B<-verify>.
+A file containing trusted CA certificates, only used with B<-verify>.
-a directory containing trusted CA certificates, only used with
+A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
-digest algorithm to use when signing or resigning. If not present then the
+Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-[cipher]>
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-[cipher]>
-the encryption algorithm to use. For example DES (56 bits) - B<-des>,
+The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
triple DES (168 bits) - B<-des3>,
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
-when verifying a message normally certificates (if any) included in
+When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-noverify>
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-noverify>
-do not verify the signers certificate of a signed message.
+Do not verify the signers certificate of a signed message.
-do not do chain verification of signers certificates: that is don't
+Do not do chain verification of signers certificates: that is don't
use the certificates in the signed message as untrusted CAs.
=item B<-nosigs>
use the certificates in the signed message as untrusted CAs.
=item B<-nosigs>
-don't try to verify the signatures on the message.
+Don't try to verify the signatures on the message.
-when signing a message the signer's certificate is normally included
+When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
-normally when a message is signed a set of attributes are included which
+Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-binary>
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-binary>
-normally the input message is converted to "canonical" format which is
+Normally the input message is converted to "canonical" format which is
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
-normally the output file uses a single B<LF> as end of line. When this
+Normally the output file uses a single B<LF> as end of line. When this
option is present B<CRLF> is used instead.
=item B<-nodetach>
option is present B<CRLF> is used instead.
=item B<-nodetach>
-when signing a message use opaque signing: this form is more resistant
+When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
-allows additional certificates to be specified. When signing these will
+Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-signer file>
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-signer file>
-a signing certificate when signing or resigning a message, this option can be
+A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
-the recipients certificate when decrypting a message. This certificate
+The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
=item B<-inkey file>
must match one of the recipients of the message or an error occurs.
=item B<-inkey file>
-the private key to use when signing or decrypting. This must match the
+The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
-
the private key password source. For more information about the format of B<arg>
+
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-rand file(s)>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-rand file(s)>
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-one or more certificates of message recipients: used when encrypting
+One or more certificates of message recipients: used when encrypting
a message.
=item B<-to, -from, -subject>
a message.
=item B<-to, -from, -subject>
-the relevant mail headers. These are included outside the signed
+The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-the operation was completely successfully.
+The operation was completely successfully.
-an error occurred parsing the command options.
+An error occurred parsing the command options.
-one of the input files could not be read.
+One of the input files could not be read.
-an error occurred creating the PKCS#7 file or when reading the MIME
+An error occurred creating the PKCS#7 file or when reading the MIME
-an error occurred decrypting or verifying the message.
+An error occurred decrypting or verifying the message.
-the message was verified correctly but an error occurred writing out
+The message was verified correctly but an error occurred writing out
the signers certificates.
=back
the signers certificates.
=back
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-specifying an engine (by its unique B<id> string) will cause B<speed>
+Specifying an engine (by its unique B<id> string) will cause B<speed>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
default.
=item B<-key keyfile>
default.
=item B<-key keyfile>
-create an SPKAC file using the private key in B<keyfile>. The
+Create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
=item B<-passin password>
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
=item B<-passin password>
-
the input file password source. For more information about the format of B<arg>
+
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-challenge string>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-challenge string>
-specifies the challenge string if an SPKAC is being created.
+Specifies the challenge string if an SPKAC is being created.
=item B<-spkac spkacname>
=item B<-spkac spkacname>
-allows an alternative name form the variable containing the
+Allows an alternative name form the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.
=item B<-spksect section>
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.
=item B<-spksect section>
-allows an alternative name form the section containing the
+Allows an alternative name form the section containing the
SPKAC. The default is the default section.
=item B<-noout>
SPKAC. The default is the default section.
=item B<-noout>
-don't output the text version of the SPKAC (not used if an
+Don't output the text version of the SPKAC (not used if an
SPKAC is being created).
=item B<-pubkey>
SPKAC is being created).
=item B<-pubkey>
-output the public key of an SPKAC (not used if an SPKAC is
+Output the public key of an SPKAC (not used if an SPKAC is
being created).
=item B<-verify>
being created).
=item B<-verify>
-verifies the digital signature on the supplied SPKAC.
+Verifies the digital signature on the supplied SPKAC.
-specifying an engine (by its unique B<id> string) will cause B<spkac>
+Specifying an engine (by its unique B<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
This option specifies a previously created time stamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
This option specifies a previously created time stamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
=item B<-out> request.tsq
format. (Optional)
=item B<-out> request.tsq
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
=item B<-allow_proxy_certs>
=item B<-allow_proxy_certs>
-Allow the verification of proxy certificates
+Allow the verification of proxy certificates.
=item B<-attime timestamp>
=item B<-attime timestamp>
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
-enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
+Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
192 bit, or only 192 bit Level of Security respectively.
See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
192 bit, or only 192 bit Level of Security respectively.
See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE>
=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE>
-The certificate signature could not be decrypted. This means that the actual signature value
-could not be determined rather than it not matching the expected value, this is only
-meaningful for RSA keys.
+The certificate signature could not be decrypted. This means that the
+actual signature value could not be determined rather than it not matching
+the expected value, this is only meaningful for RSA keys.
=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE>
=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE>
-The CRL signature could not be decrypted: this means that the actual signature value
-could not be determined rather than it not matching the expected value. Unused.
+The CRL signature could not be decrypted: this means that the actual
+signature value could not be determined rather than it not matching the
+expected value. Unused.
=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY>
=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY>
=item B<X509_V_ERR_CERT_NOT_YET_VALID>
=item B<X509_V_ERR_CERT_NOT_YET_VALID>
-The certificate is not yet valid: the notBefore date is after the current time.
+The certificate is not yet valid: the notBefore date is after the
+current time.
=item B<X509_V_ERR_CERT_HAS_EXPIRED>
=item B<X509_V_ERR_CERT_HAS_EXPIRED>
-The certificate has expired: that is the notAfter date is before the current time.
+The certificate has expired: that is the notAfter date is before the
+current time.
=item B<X509_V_ERR_CRL_NOT_YET_VALID>
=item B<X509_V_ERR_CRL_NOT_YET_VALID>
=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT>
=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT>
-The passed certificate is self-signed and the same certificate cannot be found in the list of
-trusted certificates.
+The passed certificate is self-signed and the same certificate cannot
+be found in the list of trusted certificates.
=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN>
=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN>
-The certificate chain could be built up using the untrusted certificates but the root could not
-be found locally.
+The certificate chain could be built up using the untrusted certificates
+but the root could not be found locally.
=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY>
=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY>
=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE>
=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE>
-No signatures could be verified because the chain contains only one certificate and it is not
-self signed.
+No signatures could be verified because the chain contains only one
+certificate and it is not self signed.
=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG>
=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG>
-The certificate chain length is greater than the supplied maximum depth. Unused.
+The certificate chain length is greater than the supplied maximum
+depth. Unused.
=item B<X509_V_ERR_CERT_REVOKED>
=item B<X509_V_ERR_CERT_REVOKED>
=item B<X509_V_ERR_INVALID_CA>
=item B<X509_V_ERR_INVALID_CA>
-A CA certificate is invalid. Either it is not a CA or its extensions are not consistent
-with the supplied purpose.
+A CA certificate is invalid. Either it is not a CA or its extensions
+are not consistent with the supplied purpose.
=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED>
=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED>
=item B<X509_V_ERR_CERT_UNTRUSTED>
=item B<X509_V_ERR_CERT_UNTRUSTED>
-the root CA is not marked as trusted for the specified purpose.
+The root CA is not marked as trusted for the specified purpose.
=item B<X509_V_ERR_CERT_REJECTED>
=item B<X509_V_ERR_CERT_REJECTED>
=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH>
=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH>
-not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<X509_V_ERR_AKID_SKID_MISMATCH>
B<-issuer_checks> option.
=item B<X509_V_ERR_AKID_SKID_MISMATCH>
-Although the issuer checks are a considerable improvement over the old technique they still
-suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
-trusted certificates with matching subject name must either appear in a file (as specified by the
-B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only
-the certificates in the file will be recognised.
+Although the issuer checks are a considerable improvement over the old
+technique they still suffer from limitations in the underlying X509_LOOKUP
+API. One consequence of this is that trusted certificates with matching
+subject name must either appear in a file (as specified by the B<-CAfile>
+option) or a directory (as specified by B<-CApath>). If they occur in
+both then only the certificates in the file will be recognised.
-Previous versions of OpenSSL assume certificates with matching subject name are identical and
-mishandled them.
+Previous versions of OpenSSL assume certificates with matching subject
+name are identical and mishandled them.
Previous versions of this documentation swapped the meaning of the
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
Previous versions of this documentation swapped the meaning of the
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-all information, this is the same as setting all the other flags.
+All information, this is the same as setting all the other flags.
-the current OpenSSL version.
+The current OpenSSL version.
-the date the current version of OpenSSL was built.
+The date the current version of OpenSSL was built.
-option information: various options set when the library was built.
+Option information: various options set when the library was built.
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
Any digest supported by the OpenSSL B<dgst> command can be used.
This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
Any digest supported by the OpenSSL B<dgst> command can be used.
-specifying an engine (by its unique B<id> string) will cause B<x509>
+Specifying an engine (by its unique B<id> string) will cause B<x509>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-prints out the certificate in text form. Full details are output including the
+Prints out the certificate in text form. Full details are output including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
=item B<-certopt option>
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
=item B<-certopt option>
-customise the output format used with B<-text>. The B<option> argument can be
-a single option or multiple options separated by commas. The B<-certopt> switch
-may be also be used more than once to set multiple options. See the B<TEXT OPTIONS>
-section for more information.
+Customise the output format used with B<-text>. The B<option> argument
+can be a single option or multiple options separated by commas. The
+B<-certopt> switch may be also be used more than once to set multiple
+options. See the B<TEXT OPTIONS> section for more information.
-this option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the request.
-outputs the certificate's SubjectPublicKeyInfo block in PEM format.
+Outputs the certificate's SubjectPublicKeyInfo block in PEM format.
-this option prints out the value of the modulus of the public key
+This option prints out the value of the modulus of the public key
contained in the certificate.
=item B<-serial>
contained in the certificate.
=item B<-serial>
-outputs the certificate serial number.
+Outputs the certificate serial number.
-outputs the "hash" of the certificate subject name. This is used in OpenSSL to
+Outputs the "hash" of the certificate subject name. This is used in OpenSSL to
form an index to allow certificates in a directory to be looked up by subject
name.
=item B<-issuer_hash>
form an index to allow certificates in a directory to be looked up by subject
name.
=item B<-issuer_hash>
-outputs the "hash" of the certificate issuer name.
+Outputs the "hash" of the certificate issuer name.
-outputs the OCSP hash values for the subject name and public key.
+Outputs the OCSP hash values for the subject name and public key.
-synonym for "-subject_hash" for backward compatibility reasons.
+Synonym for "-subject_hash" for backward compatibility reasons.
=item B<-subject_hash_old>
=item B<-subject_hash_old>
-outputs the "hash" of the certificate subject name using the older algorithm
+Outputs the "hash" of the certificate subject name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-issuer_hash_old>
as used by OpenSSL versions before 1.0.0.
=item B<-issuer_hash_old>
-outputs the "hash" of the certificate issuer name using the older algorithm
+Outputs the "hash" of the certificate issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-subject>
as used by OpenSSL versions before 1.0.0.
=item B<-subject>
-outputs the subject name.
+Outputs the subject name.
-outputs the issuer name.
+Outputs the issuer name.
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the B<NAME OPTIONS> section for more information.
=item B<-email>
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the B<NAME OPTIONS> section for more information.
=item B<-email>
-outputs the email address(es) if any.
+Outputs the email address(es) if any.
-outputs the OCSP responder address(es) if any.
+Outputs the OCSP responder address(es) if any.
-prints out the start date of the certificate, that is the notBefore date.
+Prints out the start date of the certificate, that is the notBefore date.
-prints out the expiry date of the certificate, that is the notAfter date.
+Prints out the expiry date of the certificate, that is the notAfter date.
-prints out the start and expiry dates of a certificate.
+Prints out the start and expiry dates of a certificate.
-
checks if the certificate expires within the next B<arg> seconds and exits
+
Checks if the certificate expires within the next B<arg> seconds and exits
non-zero if yes it will expire or zero if not.
=item B<-fingerprint>
non-zero if yes it will expire or zero if not.
=item B<-fingerprint>
-prints out the digest of the DER encoded version of the whole certificate
+Prints out the digest of the DER encoded version of the whole certificate
(see digest options).
=item B<-C>
(see digest options).
=item B<-C>
-this outputs the certificate in the form of a C source file.
+This outputs the certificate in the form of a C source file.
-this causes B<x509> to output a B<trusted> certificate. An ordinary
+This causes B<x509> to output a B<trusted> certificate. An ordinary
or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded. With the
B<-trustout> option a trusted certificate is output. A trusted
or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded. With the
B<-trustout> option a trusted certificate is output. A trusted
-sets the alias of the certificate. This will allow the certificate
+Sets the alias of the certificate. This will allow the certificate
to be referred to using a nickname for example "Steve's Certificate".
=item B<-alias>
to be referred to using a nickname for example "Steve's Certificate".
=item B<-alias>
-outputs the certificate alias, if any.
+Outputs the certificate alias, if any.
-clears all the permitted or trusted uses of the certificate.
+Clears all the permitted or trusted uses of the certificate.
-clears all the prohibited or rejected uses of the certificate.
+Clears all the prohibited or rejected uses of the certificate.
-adds a trusted certificate use.
+Adds a trusted certificate use.
Any object name can be used here but currently only B<clientAuth> (SSL client
use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and
B<anyExtendedKeyUsage> are used.
Any object name can be used here but currently only B<clientAuth> (SSL client
use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and
B<anyExtendedKeyUsage> are used.
-adds a prohibited use. It accepts the same values as the B<-addtrust>
+Adds a prohibited use. It accepts the same values as the B<-addtrust>
option.
=item B<-purpose>
option.
=item B<-purpose>
-this option performs tests on the certificate extensions and outputs
+This option performs tests on the certificate extensions and outputs
the results. For a more complete description see the B<CERTIFICATE
EXTENSIONS> section.
the results. For a more complete description see the B<CERTIFICATE
EXTENSIONS> section.
=item B<-signkey filename>
=item B<-signkey filename>
-this option causes the input file to be self signed using the supplied
+This option causes the input file to be self signed using the supplied
private key.
If the input file is a certificate it sets the issuer name to the
private key.
If the input file is a certificate it sets the issuer name to the
-
the key password source. For more information about the format of B<arg>
+
The key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-clrext>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-clrext>
-delete any extensions from a certificate. This option is used when a
+Delete any extensions from a certificate. This option is used when a
certificate is being created from another certificate (for example with
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.
=item B<-keyform PEM|DER>
certificate is being created from another certificate (for example with
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.
=item B<-keyform PEM|DER>
-specifies the format (DER or PEM) of the private key file used in the
+Specifies the format (DER or PEM) of the private key file used in the
B<-signkey> option.
=item B<-days arg>
B<-signkey> option.
=item B<-days arg>
-specifies the number of days to make a certificate valid for. The default
+Specifies the number of days to make a certificate valid for. The default
is 30 days.
=item B<-x509toreq>
is 30 days.
=item B<-x509toreq>
-converts a certificate into a certificate request. The B<-signkey> option
+Converts a certificate into a certificate request. The B<-signkey> option
is used to pass the required private key.
=item B<-req>
is used to pass the required private key.
=item B<-req>
-by default a certificate is expected on input. With this option a
+By default a certificate is expected on input. With this option a
certificate request is expected instead.
=item B<-set_serial n>
certificate request is expected instead.
=item B<-set_serial n>
-specifies the serial number to use. This option can be used with either
+Specifies the serial number to use. This option can be used with either
the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
option the serial number file (as specified by the B<-CAserial> or
B<-CAcreateserial> options) is not used.
the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
option the serial number file (as specified by the B<-CAserial> or
B<-CAcreateserial> options) is not used.
-specifies the CA certificate to be used for signing. When this option is
+Specifies the CA certificate to be used for signing. When this option is
present B<x509> behaves like a "mini CA". The input file is signed by this
CA using this option: that is its issuer name is set to the subject name
of the CA and it is digitally signed using the CAs private key.
present B<x509> behaves like a "mini CA". The input file is signed by this
CA using this option: that is its issuer name is set to the subject name
of the CA and it is digitally signed using the CAs private key.
-sets the CA private key to sign a certificate with. If this option is
+Sets the CA private key to sign a certificate with. If this option is
not specified then it is assumed that the CA private key is present in
the CA certificate file.
=item B<-CAserial filename>
not specified then it is assumed that the CA private key is present in
the CA certificate file.
=item B<-CAserial filename>
-sets the CA serial number file to use.
+Sets the CA serial number file to use.
When the B<-CA> option is used to sign a certificate it uses a serial
number specified in a file. This file consist of one line containing
When the B<-CA> option is used to sign a certificate it uses a serial
number specified in a file. This file consist of one line containing
-with this option the CA serial number file is created if it does not exist:
+With this option the CA serial number file is created if it does not exist:
it will contain the serial number "02" and the certificate being signed will
have the 1 as its serial number. If the B<-CA> option is specified
and the serial number file does not exist a random number is generated;
it will contain the serial number "02" and the certificate being signed will
have the 1 as its serial number. If the B<-CA> option is specified
and the serial number file does not exist a random number is generated;
=item B<-extfile filename>
=item B<-extfile filename>
-file containing certificate extensions to use. If not specified then
+File containing certificate extensions to use. If not specified then
no extensions are added to the certificate.
=item B<-extensions section>
no extensions are added to the certificate.
=item B<-extensions section>
-the section to add certificate extensions from. If this option is not
+The section to add certificate extensions from. If this option is not
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
"extensions" which contains the section to use. See the
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
"extensions" which contains the section to use. See the
=item B<-force_pubkey key>
=item B<-force_pubkey key>
-when a certificate is created set its public key to B<key> instead of the
+When a certificate is created set its public key to B<key> instead of the
key in the certificate or certificate request. This option is useful for
creating certificates where the algorithm can't normally sign requests, for
example DH.
key in the certificate or certificate request. This option is useful for
creating certificates where the algorithm can't normally sign requests, for
example DH.
-displays names compatible with RFC2253 equivalent to B<esc_2253>, B<esc_ctrl>,
+Displays names compatible with RFC2253 equivalent to B<esc_2253>, B<esc_ctrl>,
B<esc_msb>, B<utf8>, B<dump_nostr>, B<dump_unknown>, B<dump_der>,
B<sep_comma_plus>, B<dn_rev> and B<sname>.
=item B<oneline>
B<esc_msb>, B<utf8>, B<dump_nostr>, B<dump_unknown>, B<dump_der>,
B<sep_comma_plus>, B<dn_rev> and B<sname>.
=item B<oneline>
-a oneline format which is more readable than RFC2253. It is equivalent to
+A oneline format which is more readable than RFC2253. It is equivalent to
specifying the B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>,
B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname>
options. This is the I<default> of no name options are given explicitly.
=item B<multiline>
specifying the B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>,
B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname>
options. This is the I<default> of no name options are given explicitly.
=item B<multiline>
-a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
+A multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
B<space_eq>, B<lname> and B<align>.
=item B<esc_2253>
B<space_eq>, B<lname> and B<align>.
=item B<esc_2253>
-escape the "special" characters required by RFC2253 in a field. That is
+Escape the "special" characters required by RFC2253 in a field. That is
B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
and a space character at the beginning or end of a string.
=item B<esc_2254>
B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
and a space character at the beginning or end of a string.
=item B<esc_2254>
-escape the "special" characters required by RFC2254 in a field. That is
+Escape the "special" characters required by RFC2254 in a field. That is
the B<NUL> character as well as and B<()*>.
=item B<esc_ctrl>
the B<NUL> character as well as and B<()*>.
=item B<esc_ctrl>
-escape control characters. That is those with ASCII values less than
+Escape control characters. That is those with ASCII values less than
0x20 (space) and the delete (0x7f) character. They are escaped using the
RFC2253 \XX notation (where XX are two hex digits representing the
character value).
=item B<esc_msb>
0x20 (space) and the delete (0x7f) character. They are escaped using the
RFC2253 \XX notation (where XX are two hex digits representing the
character value).
=item B<esc_msb>
-escape characters with the MSB set, that is with ASCII values larger than
+Escape characters with the MSB set, that is with ASCII values larger than
-escapes some characters by surrounding the whole string with B<"> characters,
+Escapes some characters by surrounding the whole string with B<"> characters,
without the option all escaping is done with the B<\> character.
=item B<utf8>
without the option all escaping is done with the B<\> character.
=item B<utf8>
-convert all strings to UTF8 format first. This is required by RFC2253. If
+Convert all strings to UTF8 format first. This is required by RFC2253. If
you are lucky enough to have a UTF8 compatible terminal then the use
of this option (and B<not> setting B<esc_msb>) may result in the correct
display of multibyte (international) characters. Is this option is not
you are lucky enough to have a UTF8 compatible terminal then the use
of this option (and B<not> setting B<esc_msb>) may result in the correct
display of multibyte (international) characters. Is this option is not
-this option does not attempt to interpret multibyte characters in any
+This option does not attempt to interpret multibyte characters in any
way. That is their content octets are merely dumped as though one octet
represents each character. This is useful for diagnostic purposes but
will result in rather odd looking output.
=item B<show_type>
way. That is their content octets are merely dumped as though one octet
represents each character. This is useful for diagnostic purposes but
will result in rather odd looking output.
=item B<show_type>
-show the type of the ASN1 character string. The type precedes the
+Show the type of the ASN1 character string. The type precedes the
field contents. For example "BMPSTRING: Hello World".
=item B<dump_der>
field contents. For example "BMPSTRING: Hello World".
=item B<dump_der>
-when this option is set any fields that need to be hexdumped will
+When this option is set any fields that need to be hexdumped will
be dumped using the DER encoding of the field. Otherwise just the
content octets will be displayed. Both options use the RFC2253
B<#XXXX...> format.
=item B<dump_nostr>
be dumped using the DER encoding of the field. Otherwise just the
content octets will be displayed. Both options use the RFC2253
B<#XXXX...> format.
=item B<dump_nostr>
-dump non character string types (for example OCTET STRING) if this
+Dump non character string types (for example OCTET STRING) if this
option is not set then non character string types will be displayed
as though each content octet represents a single character.
=item B<dump_all>
option is not set then non character string types will be displayed
as though each content octet represents a single character.
=item B<dump_all>
-dump all fields. This option when used with B<dump_der> allows the
+Dump all fields. This option when used with B<dump_der> allows the
DER encoding of the structure to be unambiguously determined.
=item B<dump_unknown>
DER encoding of the structure to be unambiguously determined.
=item B<dump_unknown>
-dump any field whose OID is not recognised by OpenSSL.
+Dump any field whose OID is not recognised by OpenSSL.
=item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>,
B<sep_multiline>
=item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>,
B<sep_multiline>
-these options determine the field separators. The first character is
+These options determine the field separators. The first character is
between RDNs and the second between multiple AVAs (multiple AVAs are
very rare and their use is discouraged). The options ending in
"space" additionally place a space after the separator to make it
between RDNs and the second between multiple AVAs (multiple AVAs are
very rare and their use is discouraged). The options ending in
"space" additionally place a space after the separator to make it
-reverse the fields of the DN. This is required by RFC2253. As a side
+Reverse the fields of the DN. This is required by RFC2253. As a side
effect this also reverses the order of multiple AVAs but this is
permissible.
=item B<nofname>, B<sname>, B<lname>, B<oid>
effect this also reverses the order of multiple AVAs but this is
permissible.
=item B<nofname>, B<sname>, B<lname>, B<oid>
-these options alter how the field name is displayed. B<nofname> does
+These options alter how the field name is displayed. B<nofname> does
not display the field at all. B<sname> uses the "short name" form
(CN for commonName for example). B<lname> uses the long form.
B<oid> represents the OID in numerical form and is useful for
not display the field at all. B<sname> uses the "short name" form
(CN for commonName for example). B<lname> uses the long form.
B<oid> represents the OID in numerical form and is useful for
-align field values for a more readable output. Only usable with
+Align field values for a more readable output. Only usable with
B<sep_multiline>.
=item B<space_eq>
B<sep_multiline>.
=item B<space_eq>
-places spaces round the B<=> character which follows the field
+Places spaces round the B<=> character which follows the field
-use the old format. This is equivalent to specifying no output options at all.
+Use the old format. This is equivalent to specifying no output options at all.
-don't print header information: that is the lines saying "Certificate" and "Data".
+Don't print header information: that is the lines saying "Certificate"
+and "Data".
-don't print out the version number.
+Don't print out the version number.
-don't print out the serial number.
+Don't print out the serial number.
-don't print out the signature algorithm used.
+Don't print out the signature algorithm used.
-don't print the validity, that is the B<notBefore> and B<notAfter> fields.
+Don't print the validity, that is the B<notBefore> and B<notAfter> fields.
-don't print out the subject name.
+Don't print out the subject name.
-don't print out the issuer name.
+Don't print out the issuer name.
-don't print out the public key.
+Don't print out the public key.
-don't give a hexadecimal dump of the certificate signature.
+Don't give a hexadecimal dump of the certificate signature.
-don't print out certificate trust information.
+Don't print out certificate trust information.
-don't print out any X509V3 extensions.
+Don't print out any X509V3 extensions.
-retain default extension behaviour: attempt to print out unsupported certificate extensions.
+Retain default extension behaviour: attempt to print out unsupported
+certificate extensions.
-print an error message for unsupported certificate extensions.
+Print an error message for unsupported certificate extensions.
-hex dump unsupported extensions.
+Hex dump unsupported extensions.
-the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
+The value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
B<no_header>, and B<no_version>.
=back
B<no_header>, and B<no_version>.
=back
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
version that first defined the cipher. It returns "(NONE)" if B<cipher> is NULL.
SSL_CIPHER_get_cipher_nid() returns the cipher NID corresponding to B<c>.
version that first defined the cipher. It returns "(NONE)" if B<cipher> is NULL.
SSL_CIPHER_get_cipher_nid() returns the cipher NID corresponding to B<c>.
-If there is no cipher (e.g. for ciphersuites with no encryption) then
+If there is no cipher (e.g. for cipher suites with no encryption) then
B<NID_undef> is returned.
SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC
B<NID_undef> is returned.
SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC
-used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then
+used by B<c>. If there is no digest (e.g. for AEAD cipher suites) then
B<NID_undef> is returned.
SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
used by B<c>. If there is no key exchange, then B<NID_undef> is returned.
If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
B<NID_undef> is returned.
SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
used by B<c>. If there is no key exchange, then B<NID_undef> is returned.
If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
-ciphersuites) B<NID_kx_any> is returned. Examples (not comprehensive):
+cipher suites) B<NID_kx_any> is returned. Examples (not comprehensive):
SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
used by B<c>. If there is no authentication, then B<NID_undef> is returned.
If any appropriate authentication algorithm can be used (as in the case of
SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
used by B<c>. If there is no authentication, then B<NID_undef> is returned.
If any appropriate authentication algorithm can be used (as in the case of
-TLS 1.3 ciphersuites) B<NID_auth_any> is returned. Examples (not comprehensive):
+TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive):
NID_auth_rsa
NID_auth_ecdsa
NID_auth_rsa
NID_auth_ecdsa
SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>.
If B<ssl> is a server and has sent a certificate to a connected client
this option sets that certificate to the current certificate and returns 1.
SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>.
If B<ssl> is a server and has sent a certificate to a connected client
this option sets that certificate to the current certificate and returns 1.
-If the negotiated ciphersuite is anonymous (and thus no certificate will
+If the negotiated cipher suite is anonymous (and thus no certificate will
be sent) 2 is returned and the current certificate is unchanged. If B<ssl>
is not a server or a certificate has not been sent 0 is returned and
the current certificate is unchanged.
be sent) 2 is returned and the current certificate is unchanged. If B<ssl>
is not a server or a certificate has not been sent 0 is returned and
the current certificate is unchanged.
=head1 RETURN VALUES
SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if
=head1 RETURN VALUES
SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if
-no server certificate is used because the ciphersuites is anonymous and 0
+no server certificate is used because the cipher suites is anonymous and 0
for failure.
SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success
for failure.
SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success
validation will not occur.
No callback will be invoked when the peer presents no certificate, e.g. by
validation will not occur.
No callback will be invoked when the peer presents no certificate, e.g. by
-employing an anonymous (aNULL) ciphersuite.
+employing an anonymous (aNULL) cipher suite.
In that case the handshake continues as it would had no callback been
requested.
Callbacks are also not invoked when the peer certificate chain is invalid or
In that case the handshake continues as it would had no callback been
requested.
Callbacks are also not invoked when the peer certificate chain is invalid or
The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result RSA,
DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result RSA,
DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
-are prohibited. All export ciphersuites are prohibited since they all offer
-less than 80 bits of security. SSL version 2 is prohibited. Any ciphersuite
+are prohibited. All export cipher suites are prohibited since they all offer
+less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
using MD5 for the MAC is also prohibited.
=item B<Level 2>
Security level set to 112 bits of security. As a result RSA, DSA and DH keys
shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
using MD5 for the MAC is also prohibited.
=item B<Level 2>
Security level set to 112 bits of security. As a result RSA, DSA and DH keys
shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
-In addition to the level 1 exclusions any ciphersuite using RC4 is also
+In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
=item B<Level 3>
Security level set to 128 bits of security. As a result RSA, DSA and DH keys
shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
prohibited. SSL version 3 is also not allowed. Compression is disabled.
=item B<Level 3>
Security level set to 128 bits of security. As a result RSA, DSA and DH keys
shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
-In addition to the level 2 exclusions ciphersuites not offering forward
+In addition to the level 2 exclusions cipher suites not offering forward
secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
tickets are disabled.
=item B<Level 4>
secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
tickets are disabled.
=item B<Level 4>
-Security level set to 192 bits of security. As a result RSA, DSA and DH keys
-shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited.
-Ciphersuites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are
-not permitted.
+Security level set to 192 bits of security. As a result RSA, DSA and
+DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
+prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS
+versions below 1.2 are not permitted.
avoided.
The bits of security limits affect all relevant parameters including
avoided.
The bits of security limits affect all relevant parameters including
-ciphersuite encryption algorithms, supported ECC curves, supported
+cipher suite encryption algorithms, supported ECC curves, supported
signature algorithms, DH parameter sizes, certificate key sizes and
signature algorithms. This limit applies no matter what other custom
signature algorithms, DH parameter sizes, certificate key sizes and
signature algorithms. This limit applies no matter what other custom
-settings an application has set: so if the ciphersuite is set to B<ALL>
-then only ciphersuites consistent with the security level are permissible.
+settings an application has set: so if the cipher
suite is set to B<ALL>
+then only cipher suites consistent with the security level are permissible.
See SP800-57 for how the security limits are related to individual
algorithms.
See SP800-57 for how the security limits are related to individual
algorithms.
algorithms which can severely degrade performance. For example 256 bits
of security requires the use of RSA keys of at least 15360 bits in size.
algorithms which can severely degrade performance. For example 256 bits
of security requires the use of RSA keys of at least 15360 bits in size.
-Some restrictions can be gracefully handled: for example ciphersuites
+Some restrictions can be gracefully handled: for example cipher suites
offering insufficient security are not sent by the client and will not
be selected by the server. Other restrictions such as the peer certificate
key size or the DH parameter size will abort the handshake with a fatal
offering insufficient security are not sent by the client and will not
be selected by the server. Other restrictions such as the peer certificate
key size or the DH parameter size will abort the handshake with a fatal
in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also
automatically turn on "read_ahead" (see L<SSL_CTX_set_read_ahead(3)>). This is
explained further below. OpenSSL will only every use more than one pipeline if
in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also
automatically turn on "read_ahead" (see L<SSL_CTX_set_read_ahead(3)>). This is
explained further below. OpenSSL will only every use more than one pipeline if
-a ciphersuite is negotiated that uses a pipeline capable cipher provided by an
+a cipher suite is negotiated that uses a pipeline capable cipher provided by an
engine.
Pipelining operates slightly differently for reading encrypted data compared to
engine.
Pipelining operates slightly differently for reading encrypted data compared to
If an attacker can obtain the key used to encrypt a session ticket, they can
obtain the master secret for any ticket using that key and decrypt any traffic
If an attacker can obtain the key used to encrypt a session ticket, they can
obtain the master secret for any ticket using that key and decrypt any traffic
-using that session: even if the ciphersuite supports forward secrecy. As
+using that session: even if the cipher suite supports forward secrecy. As
a result applications may wish to use multiple keys and avoid using long term
keys stored in files.
Applications can use longer keys to maintain a consistent level of security.
a result applications may wish to use multiple keys and avoid using long term
keys stored in files.
Applications can use longer keys to maintain a consistent level of security.
-For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key
+For example if a cipher suite uses 256 bit ciphers but only a 128 bit ticket key
the overall security is only 128 bits because breaking the ticket key will
enable an attacker to obtain the session keys.
the overall security is only 128 bits because breaking the ticket key will
enable an attacker to obtain the session keys.
Previous versions of the callback used B<is_export> and B<keylength>
parameters to control parameter generation for export and non-export
Previous versions of the callback used B<is_export> and B<keylength>
parameters to control parameter generation for export and non-export
-cipher suites. Modern servers that do not support export ciphersuites
+cipher suites. Modern servers that do not support export cipher suites
are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
the callback but ignore B<keylength> and B<is_export> and simply
supply at least 2048-bit parameters in the callback.
are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
the callback but ignore B<keylength> and B<is_export> and simply
supply at least 2048-bit parameters in the callback.
=head1 RETURN VALUES
These functions return 1 for success and 0 for failure. There are several
=head1 RETURN VALUES
These functions return 1 for success and 0 for failure. There are several
-possible reasons for failure: the ciphersuite has no signature (e.g. it
+possible reasons for failure: the cipher suite has no signature (e.g. it
uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
the functions were called before the peer signed a message.
uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
the functions were called before the peer signed a message.
projects / openssl.git / commitdiff