From c4de074e6385a86a43a30fee574e77f9dcabb022 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Thu, 30 Mar 2017 07:38:30 +1000
Subject: [PATCH] Documentation updates

Fix capitalisation of list items.
Wrap long lines.
Add full stops to the ends of sentences.
Change ciphersuite to cipher suite in all of doc.

[skip ci]

Reviewed-by: Matt Caswell
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/3082)
---
 doc/man1/CA.pl.pod | 36 ++--
 doc/man1/asn1parse.pod | 28 +--
 doc/man1/ca.pod | 118 ++++++------
 doc/man1/ciphers.pod | 52 ++---
 doc/man1/cms.pod | 106 +++++------
 doc/man1/crl.pod | 26 +--
 doc/man1/crl2pkcs7.pod | 8 +-
 doc/man1/dgst.pod | 36 ++--
 doc/man1/dhparam.pod | 14 +-
 doc/man1/dsa.pod | 16 +-
 doc/man1/dsaparam.pod | 16 +-
 doc/man1/ec.pod | 20 +-
 doc/man1/ecparam.pod | 6 +-
 doc/man1/gendsa.pod | 4 +-
 doc/man1/genpkey.pod | 16 +-
 doc/man1/genrsa.pod | 12 +-
 doc/man1/ocsp.pod | 86 +++++----
 doc/man1/openssl.pod | 33 ++--
 doc/man1/pkcs12.pod | 64 +++----
 doc/man1/pkcs7.pod | 12 +-
 doc/man1/pkcs8.pod | 14 +-
 doc/man1/pkey.pod | 20 +-
 doc/man1/pkeyparam.pod | 8 +-
 doc/man1/pkeyutl.pod | 37 ++--
 doc/man1/req.pod | 74 +++----
 doc/man1/rsa.pod | 20 +-
 doc/man1/rsautl.pod | 26 +--
 doc/man1/s_client.pod | 84 ++++----
 doc/man1/s_server.pod | 46 +++--
 doc/man1/s_time.pod | 18 +-
 doc/man1/sess_id.pod | 36 ++--
 doc/man1/smime.pod | 86 ++++-----
 doc/man1/speed.pod | 4 +-
 doc/man1/spkac.pod | 22 +--
 doc/man1/ts.pod | 3 +-
 doc/man1/verify.pod | 67 ++++---
 doc/man1/version.pod | 14 +-
 doc/man1/x509.pod | 180 +++++++++---------
 doc/man3/SSL_CIPHER_get_name.pod | 8 +-
 doc/man3/SSL_CTX_add1_chain_cert.pod | 4 +-
 .../SSL_CTX_set_ct_validation_callback.pod | 2 +-
 doc/man3/SSL_CTX_set_security_level.pod | 24 +--
 doc/man3/SSL_CTX_set_split_send_fragment.pod | 2 +-
 doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 4 +-
 doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 2 +-
 doc/man3/SSL_get_peer_signature_nid.pod | 2 +-
 46 files changed, 760 insertions(+), 756 deletions(-)
diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod index a7f3970cb0..6949ec6228 100644 --- a/doc/man1/CA.pl.pod +++ b/doc/man1/CA.pl.pod @@ -42,28 +42,28 @@ by the use of some simple options. =item B, B<-h>, B<-help> -prints a usage message. +Prints a usage message. =item B<-newcert> -creates a new self signed certificate. The private key is written to the file +Creates a new self signed certificate. The private key is written to the file "newkey.pem" and the request written to the file "newreq.pem". This argument invokes B command. =item B<-newreq> -creates a new certificate request. The private key is written to the file +Creates a new certificate request. The private key is written to the file "newkey.pem" and the request written to the file "newreq.pem". Executes B command below the hood. =item B<-newreq-nodes> -is like B<-newreq> except that the private key will not be encrypted. +Is like B<-newreq> except that the private key will not be encrypted. Uses B command. =item B<-newca> -creates a new CA hierarchy for use with the B program (or the B<-signcert> +Creates a new CA hierarchy for use with the B program (or the B<-signcert> and B<-xsign> options). The user is prompted to enter the filename of the CA certificates (which should also contain the private key) or by hitting ENTER details of the CA will be prompted for. The relevant files and directories @@ -72,7 +72,7 @@ B and B commands are get invoked. =item B<-pkcs12> -create a PKCS#12 file containing the user certificate, private key and CA +Create a PKCS#12 file containing the user certificate, private key and CA certificate. It expects the user certificate and private key to be in the file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem, it creates a file "newcert.p12". This command can thus be called after the 
@@ -84,31 +84,31 @@ Delegates work to B command. =item B<-sign>, B<-signcert>, B<-xsign> -calls the B program to sign a certificate request. It expects the request +Calls the B program to sign a certificate request. It expects the request to be in the file "newreq.pem". The new certificate is written to the file "newcert.pem" except in the case of the B<-xsign> option when it is written to standard output. Leverages B command. =item B<-signCA> -this option is the same as the B<-signreq> option except it uses the configuration -file section B and so makes the signed request a valid CA certificate. This -is useful when creating intermediate CA from a root CA. -Extra params are passed on to B command. +This option is the same as the B<-signreq> option except it uses the +configuration file section B and so makes the signed request a +valid CA certificate. This is useful when creating intermediate CA from +a root CA. Extra params are passed on to B command. =item B<-signcert> -this option is the same as B<-sign> except it expects a self signed certificate +This option is the same as B<-sign> except it expects a self signed certificate to be present in the file "newreq.pem". Extra params are passed on to B and B commands. =item B<-crl> -generate a CRL. Executes B command. +Generate a CRL. Executes B command. =item B<-revoke certfile [reason]> -revoke the certificate contained in the specified B. An optional +Revoke the certificate contained in the specified B. An optional reason may be specified, and must be one of: B, B, B, B, B, B, B, or B. 
@@ -116,9 +116,9 @@ Leverages B command. =item B<-verify> -verifies certificates against the CA certificate for "demoCA". If no certificates -are specified on the command line it tries to verify the file "newcert.pem". -Invokes B command. +Verifies certificates against the CA certificate for "demoCA". If no +certificates are specified on the command line it tries to verify the file +"newcert.pem". Invokes B command. =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> @@ -204,7 +204,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/asn1parse.pod b/doc/man1/asn1parse.pod index ee09a83cf7..602754e54d 100644 --- a/doc/man1/asn1parse.pod +++ b/doc/man1/asn1parse.pod 
@@ -39,56 +39,56 @@ Print out a usage message. =item B<-inform> B -the input format. B is binary format and B (the default) is base64 +The input format. B is binary format and B (the default) is base64 encoded. =item B<-in filename> -the input file, default is standard input +The input file, default is standard input. =item B<-out filename> -output file to place the DER encoded data into. If this +Output file to place the DER encoded data into. If this option is not present then no data will be output. This is most useful when combined with the B<-strparse> option. =item B<-noout> -don't output the parsed version of the input file. +Don't output the parsed version of the input file. =item B<-offset number> -starting offset to begin parsing, default is start of file. +Starting offset to begin parsing, default is start of file. =item B<-length number> -number of bytes to parse, default is until end of file. +Number of bytes to parse, default is until end of file. =item B<-i> -indents the output according to the "depth" of the structures. +Indents the output according to the "depth" of the structures. =item B<-oid filename> -a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this +A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this file is described in the NOTES section below. =item B<-dump> -dump unknown data in hex format. +Dump unknown data in hex format. =item B<-dlimit num> -like B<-dump>, but only the first B bytes are output. +Like B<-dump>, but only the first B bytes are output. =item B<-strparse offset> -parse the contents octets of the ASN.1 object starting at B. This +Parse the contents octets of the ASN.1 object starting at B. This option can be used multiple times to "drill down" into a nested structure. =item B<-genstr string>, B<-genconf file> -generate encoded data based on B, B or both using +Generate encoded data based on B, B or both using L format. 
If B only is present then the string is obtained from the default section using the name B. The encoded data is passed through the ASN1 parser and printed out as @@ -105,7 +105,7 @@ END marker in a PEM file. =item B<-item name> -attempt to decode and print the data as B. This can be used to +Attempt to decode and print the data as B. This can be used to print out the fields of any supported ASN.1 structure if the type is known. =back @@ -204,7 +204,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index c09db826ec..f2c003b880 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod 
@@ -72,73 +72,73 @@ Print out a usage message. =item B<-verbose> -this prints extra details about the operations being performed. +This prints extra details about the operations being performed. =item B<-config filename> -specifies the configuration file to use. +Specifies the configuration file to use. Optional; for a description of the default value, see L. =item B<-name section> -specifies the configuration file section to use (overrides +Specifies the configuration file section to use (overrides B in the B section). =item B<-in filename> -an input filename containing a single certificate request to be +An input filename containing a single certificate request to be signed by the CA. =item B<-ss_cert filename> -a single self-signed certificate to be signed by the CA. +A single self-signed certificate to be signed by the CA. =item B<-spkac filename> -a file containing a single Netscape signed public key and challenge +A file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the B section for information on the required input and output format. =item B<-infiles> -if present this should be the last option, all subsequent arguments +If present this should be the last option, all subsequent arguments are taken as the names of files containing certificate requests. =item B<-out filename> -the output file to output certificates to. The default is standard +The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file in PEM format (except that B<-spkac> outputs DER format). =item B<-outdir directory> -the directory to output certificates to. The certificate will be +The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with ".pem" appended. =item B<-cert> -the CA certificate file. +The CA certificate file. 
=item B<-keyfile filename> -the private key to sign requests with. +The private key to sign requests with. =item B<-keyform PEM|DER> -the format of the data in the private key file. +The format of the data in the private key file. The default is PEM. =item B<-key password> -the password used to encrypt the private key. Since on some +The password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g. Unix with the 'ps' utility) this option should be used with caution. =item B<-selfsign> -indicates the issued certificates are to be signed with the key +Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with B<-keyfile>). Certificate requests signed with a different key are ignored. If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is 
@@ -152,43 +152,43 @@ self-signed certificate. =item B<-passin arg> -the key password source. For more information about the format of B +The key password source. For more information about the format of B see the B section in L. =item B<-notext> -don't output the text form of a certificate to the output file. +Don't output the text form of a certificate to the output file. =item B<-startdate date> -this allows the start date to be explicitly set. The format of the +This allows the start date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure). =item B<-enddate date> -this allows the expiry date to be explicitly set. The format of the +This allows the expiry date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure). =item B<-days arg> -the number of days to certify the certificate for. +The number of days to certify the certificate for. =item B<-md alg> -the message digest to use. +The message digest to use. Any digest supported by the OpenSSL B command can be used. This option also applies to CRLs. =item B<-policy arg> -this option defines the CA "policy" to use. This is a section in +This option defines the CA "policy" to use. This is a section in the configuration file which decides which fields should be mandatory or match the CA certificate. Check out the B section for more information. =item B<-msie_hack> -this is a legacy option to make B work with very old versions of +This is a legacy option to make B work with very old versions of the IE certificate enrollment control "certenr3". It used UniversalStrings for almost everything. Since the old control has various security bugs its use is strongly discouraged. The newer control "Xenroll" does not 
@@ -213,12 +213,12 @@ used in the configuration file to enable this behaviour. =item B<-batch> -this sets the batch mode. In this mode no questions will be asked +This sets the batch mode. In this mode no questions will be asked and all certificates will be certified automatically. =item B<-extensions section> -the section of the configuration file containing certificate extensions +The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to B unless the B<-extfile> option is used). If no extension section is present then, a V1 certificate is created. If the extension section 
@@ -228,33 +228,33 @@ extension section format. =item B<-extfile file> -an additional configuration file to read certificate extensions from +An additional configuration file to read certificate extensions from (using the default section unless the B<-extensions> option is also used). =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B<-subj arg> -supersedes subject name given in the request. +Supersedes subject name given in the request. The arg must be formatted as I, characters may be escaped by \ (backslash), no spaces are skipped. =item B<-utf8> -this option causes field values to be interpreted as UTF8 strings, by +This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. =item B<-create_serial> -if reading serial from the text file as specified in the configuration +If reading serial from the text file as specified in the configuration fails, specifying this option creates a new random serial to be used as next serial number. 
@@ -275,28 +275,28 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. =item B<-gencrl> -this option generates a CRL based on information in the index file. +This option generates a CRL based on information in the index file. =item B<-crldays num> -the number of days before the next CRL is due. That is the days from +The number of days before the next CRL is due. That is the days from now to place in the CRL nextUpdate field. =item B<-crlhours num> -the number of hours before the next CRL is due. +The number of hours before the next CRL is due. =item B<-revoke filename> -a filename containing a certificate to revoke. +A filename containing a certificate to revoke. =item B<-valid filename> -a filename containing a certificate to add a Valid certificate entry. +A filename containing a certificate to add a Valid certificate entry. =item B<-status serial> -displays the revocation status of the certificate with the specified +Displays the revocation status of the certificate with the specified serial number and exits. =item B<-updatedb> @@ -305,7 +305,7 @@ Updates the database index to purge expired certificates. =item B<-crl_reason reason> -revocation reason, where B is one of: B, B, +Revocation reason, where B is one of: B, B, B, B, B, B, B or B. The matching of B is case insensitive. Setting any revocation reason will make the CRL v2. @@ -332,7 +332,7 @@ B. =item B<-crlexts section> -the section of the configuration file containing CRL extensions to +The section of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created, if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are 
@@ -383,58 +383,58 @@ and long names are the same when this option is used. =item B -the same as the B<-outdir> command line option. It specifies +The same as the B<-outdir> command line option. It specifies the directory where new certificates will be placed. Mandatory. =item B -the same as B<-cert>. It gives the file containing the CA +The same as B<-cert>. It gives the file containing the CA certificate. Mandatory. =item B -same as the B<-keyfile> option. The file containing the +Same as the B<-keyfile> option. The file containing the CA private key. Mandatory. =item B -a file used to read and write random number seed information, or +A file used to read and write random number seed information, or an EGD socket (see L). =item B -the same as the B<-days> option. The number of days to certify +The same as the B<-days> option. The number of days to certify a certificate for. =item B -the same as the B<-startdate> option. The start date to certify +The same as the B<-startdate> option. The start date to certify a certificate for. If not set the current time is used. =item B -the same as the B<-enddate> option. Either this option or +The same as the B<-enddate> option. Either this option or B (or the command line equivalents) must be present. =item B -the same as the B<-crlhours> and the B<-crldays> options. These +The same as the B<-crlhours> and the B<-crldays> options. These will only be used if neither command line option is present. At least one of these must be present to generate a CRL. =item B -the same as the B<-md> option. Mandatory. +The same as the B<-md> option. Mandatory. =item B -the text database file to use. Mandatory. This file must be present +The text database file to use. Mandatory. This file must be present though initially it will be empty. =item B -if the value B is given, the valid certificate entries in the +If the value B is given, the valid certificate entries in the database must have unique subjects. 
if the value B is given, several valid certificate entries may have the exact same subject. The default value is B, to be compatible with older (pre 0.9.8) @@ -444,45 +444,45 @@ the B<-selfsign> command line option. =item B -a text file containing the next serial number to use in hex. Mandatory. +A text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number. =item B -a text file containing the next CRL number to use in hex. The crl number +A text file containing the next CRL number to use in hex. The crl number will be inserted in the CRLs only if this file exists. If this file is present, it must contain a valid CRL number. =item B -the same as B<-extensions>. +The same as B<-extensions>. =item B -the same as B<-crlexts>. +The same as B<-crlexts>. =item B -the same as B<-preserveDN> +The same as B<-preserveDN> =item B -the same as B<-noemailDN>. If you want the EMAIL field to be removed +The same as B<-noemailDN>. If you want the EMAIL field to be removed from the DN of the certificate simply set this to 'no'. If not present the default is to allow for the EMAIL filed in the certificate's DN. =item B -the same as B<-msie_hack> +The same as B<-msie_hack> =item B -the same as B<-policy>. Mandatory. See the B section +The same as B<-policy>. Mandatory. See the B section for more information. =item B, B -these options allow the format used to display the certificate details +These options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by the B utilities B<-nameopt> and B<-certopt> switches can be used here, except the B and B are permanently set 
@@ -499,7 +499,7 @@ multicharacter string types and does not display extensions. =item B -determines how extensions in certificate requests should be handled. +Determines how extensions in certificate requests should be handled. If set to B or this option is not present then extensions are ignored and not copied to the certificate. If set to B then any extensions present in the request that are not already present are copied @@ -709,7 +709,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod index 6fea82433c..4774a546f5 100644 --- a/doc/man1/ciphers.pod +++ b/doc/man1/ciphers.pod @@ -63,7 +63,7 @@ When combined with B<-s> includes cipher suites which require SRP. =item B<-v> -Verbose output: For each ciphersuite, list details as provided by +Verbose output: For each cipher suite, list details as provided by L. =item B<-V> @@ -97,12 +97,12 @@ TLSv1.1 were negotiated. =item B<-stdname> -precede each ciphersuite by its standard name: only available is OpenSSL +Precede each cipher suite by its standard name: only available is OpenSSL is built with tracing enabled (B argument to Configure). =item B -a cipher list to convert to a cipher preference list. If it is not included +A cipher list to convert to a cipher preference list. If it is not included then the default cipher list will be used. The format is described below. =back 
@@ -168,7 +168,7 @@ When used, this must be the first cipherstring specified. The ciphers included in B, but not enabled by default. Currently this includes all RC4 and anonymous ciphers. Note that this rule does not cover B, which is not included by B (use B if -necessary). Note that RC4 based ciphersuites are not built into OpenSSL by +necessary). Note that RC4 based cipher suites are not built into OpenSSL by default (see the enable-weak-ssl-ciphers option to Configure). =item B @@ -183,19 +183,19 @@ The cipher suites not enabled by B, currently B. =item B -"high" encryption cipher suites. This currently means those with key lengths +"High" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. =item B -"medium" encryption cipher suites, currently some of those using 128 bit +"Medium" encryption cipher suites, currently some of those using 128 bit encryption. =item B -"low" encryption cipher suites, currently those using 64 or 56 bit +"Low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. All these -ciphersuites have been removed as of OpenSSL 1.1.0. +cipher suites have been removed as of OpenSSL 1.1.0. =item B, B @@ -272,11 +272,11 @@ keys. =item B, B, B -Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or +Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or SSL v3.0 respectively. -Note: there are no ciphersuites specific to TLS v1.1. +Note: there are no cipher suites specific to TLS v1.1. Since this is only the minimum version, if, for example, TLSv1.0 is negotiated -then both TLSv1.0 and SSLv3.0 ciphersuites are available. +then both TLSv1.0 and SSLv3.0 cipher suites are available. Note: these cipher strings B change the negotiated version of SSL or TLS, they only affect the list of available cipher suites. 
@@ -287,33 +287,33 @@ cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES. =item B -AES in Galois Counter Mode (GCM): these ciphersuites are only supported +AES in Galois Counter Mode (GCM): these cipher suites are only supported in TLS v1.2. =item B, B AES in Cipher Block Chaining - Message Authentication Mode (CCM): these -ciphersuites are only supported in TLS v1.2. B references CCM +cipher suites are only supported in TLS v1.2. B references CCM cipher suites using both 16 and 8 octet Integrity Check Value (ICV) while B only references 8 octet ICV. =item B, B, B -cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit +Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit ARIA. =item B, B, B -cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit +Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit CAMELLIA. =item B -cipher suites using ChaCha20. +Cipher suites using ChaCha20. =item B<3DES> -cipher suites using triple DES. +Cipher suites using triple DES. =item B @@ -346,7 +346,7 @@ Cipher suites using SHA1. =item B, B -Ciphersuites using SHA256 or SHA384. +Cipher suites using SHA256 or SHA384. =item B @@ -393,7 +393,7 @@ Setting Suite B mode has additional consequences required to comply with RFC6460. In particular the supported signature algorithms is reduced to support only ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be -used and only the two suite B compliant ciphersuites +used and only the two suite B compliant cipher suites (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are permissible. 
@@ -444,7 +444,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA -=head2 AES ciphersuites from RFC3268, extending TLS v1.0 +=head2 AES cipher suites from RFC3268, extending TLS v1.0 TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA @@ -462,7 +462,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA -=head2 Camellia ciphersuites from RFC4132, extending TLS v1.0 +=head2 Camellia cipher suites from RFC4132, extending TLS v1.0 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA @@ -480,7 +480,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA -=head2 SEED ciphersuites from RFC4162, extending TLS v1.0 +=head2 SEED cipher suites from RFC4162, extending TLS v1.0 TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA @@ -492,7 +492,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA -=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0 +=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0 Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the B engine, included in the OpenSSL distribution. @@ -585,7 +585,7 @@ Note: these ciphers can also be used in SSL v3. ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8 ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8 -=head2 ARIA ciphersuites from RFC6209, extending TLS v1.2 +=head2 ARIA cipher suites from RFC6209, extending TLS v1.2 TLS_RSA_WITH_ARIA_128_CBC_SHA256 ARIA128-CBC-SHA256 TLS_RSA_WITH_ARIA_256_CBC_SHA384 ARIA256-CBC-SHA384 
@@ -600,14 +600,14 @@ Note: these ciphers can also be used in SSL v3. TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE-RSA-ARIA128-CBC-SHA256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE-RSA-ARIA256-CBC-SHA384 -=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2 +=head2 Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384 -=head2 Pre-shared keying (PSK) ciphersuites +=head2 Pre-shared keying (PSK) cipher suites PSK_WITH_NULL_SHA PSK-NULL-SHA DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod index b97120a0e4..21e5bdea9e 100644 --- a/doc/man1/cms.pod +++ b/doc/man1/cms.pod @@ -118,7 +118,7 @@ Print out a usage message. =item B<-encrypt> -encrypt mail for the given recipient certificates. Input file is the message +Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in MIME format. The actual CMS type is EnvelopedData. 
@@ -127,33 +127,33 @@ key has been compromised, others may be able to decrypt the text. =item B<-decrypt> -decrypt mail using the supplied certificate and private key. Expects an +Decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in MIME format for the input file. The decrypted mail is written to the output file. =item B<-debug_decrypt> -this option sets the B flag. This option should be used +This option sets the B flag. This option should be used with caution: see the notes section below. =item B<-sign> -sign mail using the supplied certificate and private key. Input file is +Sign mail using the supplied certificate and private key. Input file is the message to be signed. The signed message in MIME format is written to the output file. =item B<-verify> -verify signed mail. Expects a signed mail message on input and outputs +Verify signed mail. Expects a signed mail message on input and outputs the signed data. Both clear text and opaque signing is supported. =item B<-cmsout> -takes an input message and writes out a PEM encoded CMS structure. +Takes an input message and writes out a PEM encoded CMS structure. =item B<-resign> -resign a message: take an existing message and one or more new signers. +Resign a message: take an existing message and one or more new signers. =item B<-data_create> @@ -201,12 +201,12 @@ to the B<-verify> operation. =item B<-in filename> -the input message to be encrypted or signed or the message to be decrypted +The input message to be encrypted or signed or the message to be decrypted or verified. =item B<-inform SMIME|PEM|DER> -this specifies the input format for the CMS structure. The default +This specifies the input format for the CMS structure. The default is B which reads an S/MIME format message. B and B format change this to expect PEM and DER format CMS structures instead. This currently only affects the input format of the CMS 
@@ -215,17 +215,17 @@ B<-encrypt> or B<-sign>) this option has no effect. =item B<-rctform SMIME|PEM|DER> -specify the format for a signed receipt for use with the B<-receipt_verify> +Specify the format for a signed receipt for use with the B<-receipt_verify> operation. =item B<-out filename> -the message text that has been decrypted or verified or the output MIME +The message text that has been decrypted or verified or the output MIME format message that has been signed or verified. =item B<-outform SMIME|PEM|DER> -this specifies the output format for the CMS structure. The default +This specifies the output format for the CMS structure. The default is B which writes an S/MIME format message. B and B format change this to write PEM and DER format CMS structures instead. This currently only affects the output format of the CMS @@ -234,7 +234,7 @@ B<-verify> or B<-decrypt>) this option has no effect. =item B<-stream -indef -noindef> -the B<-stream> and B<-indef> options are equivalent and enable streaming I/O +The B<-stream> and B<-indef> options are equivalent and enable streaming I/O for encoding operations. This permits single pass processing of data without the need to hold the entire contents in memory, potentially supporting very large files. Streaming is automatically set for S/MIME signing with detached @@ -243,7 +243,7 @@ other operations. =item B<-noindef> -disable streaming I/O where it would produce and indefinite length constructed +Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it. 
@@ -257,29 +257,29 @@ is S/MIME and it uses the multipart/signed MIME content type. =item B<-text> -this option adds plain text (text/plain) MIME headers to the supplied +This option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs. =item B<-noout> -for the B<-cmsout> operation do not output the parsed CMS structure. This +For the B<-cmsout> operation do not output the parsed CMS structure. This is useful when combined with the B<-print> option or if the syntax of the CMS structure is being checked. =item B<-print> -for the B<-cmsout> operation print out all fields of the CMS structure. This +For the B<-cmsout> operation print out all fields of the CMS structure. This is mainly useful for testing purposes. =item B<-CAfile file> -a file containing trusted CA certificates, only used with B<-verify>. +A file containing trusted CA certificates, only used with B<-verify>. =item B<-CApath dir> -a directory containing trusted CA certificates, only used with +A directory containing trusted CA certificates, only used with B<-verify>. This directory must be a standard certificate directory: that is a hash of each subject name (using B) should be linked to each certificate. 
@@ -294,12 +294,12 @@ Do not load the trusted CA certificates from the default directory location =item B<-md digest> -digest algorithm to use when signing or resigning. If not present then the +Digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1). =item B<-[cipher]> -the encryption algorithm to use. For example triple DES (168 bits) - B<-des3> +The encryption algorithm to use. For example triple DES (168 bits) - B<-des3> or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the EVP_get_cipherbyname() function) can also be used preceded by a dash, for example B<-aes-128-cbc>. See L|enc(1)> for a list of ciphers 
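Review bot: the -md item is reworded here, but its context line still documents the default digest as "(usually SHA1)". Please confirm that the parenthetical matches what the code selects for the signing key, or drop the algorithm name, so the page does not state a default the code may no longer use. Separately, "For example triple DES (168 bits) - B<-des3> or 256 bit AES - B<-aes256>." in the -[cipher] item is a fragment with no verb and reads oddly now that the item starts with a capitalised sentence.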
@@ -310,48 +310,48 @@ B<-EncryptedData_create> commands. =item B<-nointern> -when verifying a message normally certificates (if any) included in +When verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the B<-certfile> option are used. The supplied certificates can still be used as untrusted CAs however. =item B<-no_signer_cert_verify> -do not verify the signers certificate of a signed message. +Do not verify the signers certificate of a signed message. =item B<-nocerts> -when signing a message the signer's certificate is normally included +When signing a message the signer's certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the B<-certfile> option for example). =item B<-noattr> -normally when a message is signed a set of attributes are included which +Normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included. =item B<-nosmimecap> -exclude the list of supported algorithms from signed attributes, other options +Exclude the list of supported algorithms from signed attributes, other options such as signing time and content type are still included. =item B<-binary> -normally the input message is converted to "canonical" format which is +Normally the input message is converted to "canonical" format which is effectively using CR and LF as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in MIME format. =item B<-crlfeol> -normally the output file uses a single B as end of line. When this +Normally the output file uses a single B as end of line. 
When this option is present B is used instead. =item B<-asciicrlf> -when signing use ASCII CRLF format canonicalisation. This strips trailing +When signing use ASCII CRLF format canonicalisation. This strips trailing whitespace from all lines, deletes trailing blank lines at EOF and sets the encapsulated content type. This option is normally used with detached content and an output signature format of DER. This option is not normally @@ -360,31 +360,31 @@ content format is detected. =item B<-nodetach> -when signing a message use opaque signing: this form is more resistant +When signing a message use opaque signing: this form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the MIME type multipart/signed is used. =item B<-certfile file> -allows additional certificates to be specified. When signing these will +Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The certificates should be in PEM format. =item B<-certsout file> -any certificates contained in the message are written to B. +Any certificates contained in the message are written to B. =item B<-signer file> -a signing certificate when signing or resigning a message, this option can be +A signing certificate when signing or resigning a message, this option can be used multiple times if more than one signer is required. If a message is being verified then the signers certificates will be written to this file if the verification was successful. =item B<-recip file> -when decrypting a message this specifies the recipients certificate. The +When decrypting a message this specifies the recipients certificate. The certificate must match one of the recipients of the message or an error occurs. 
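Review bot: possessive apostrophes are still missing in the -certfile/-signer/-recip hunk: -recip now reads "this specifies the recipients certificate", and the -certfile and -signer context keeps "the signers certificates". These should be "recipient's certificate" and "signers' certificates". The -signer item also joins two sentences with a comma ("...when signing or resigning a message, this option can be used multiple times..."); split it there to match the full-stop cleanup this commit describes.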
@@ -394,19 +394,19 @@ required (for example to specify RSA-OAEP). =item B<-keyid> -use subject key identifier to identify certificates instead of issuer name and +Use subject key identifier to identify certificates instead of issuer name and serial number. The supplied certificate B include a subject key identifier extension. Supported by B<-sign> and B<-encrypt> options. =item B<-receipt_request_all -receipt_request_first> -for B<-sign> option include a signed receipt request. Indicate requests should +For B<-sign> option include a signed receipt request. Indicate requests should be provided by all recipient or first tier recipients (those mailed directly and not from a mailing list). Ignored it B<-receipt_request_from> is included. =item B<-receipt_request_from emailaddress> -for B<-sign> option include a signed receipt request. Add an explicit email +For B<-sign> option include a signed receipt request. Add an explicit email address where receipts should be supplied. =item B<-receipt_request_to emailaddress> @@ -421,7 +421,7 @@ requests. =item B<-secretkey key> -specify symmetric key to use. The key must be supplied in hex format and be +Specify symmetric key to use. The key must be supplied in hex format and be consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt> B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the @@ -429,7 +429,7 @@ content encryption key using an AES key in the B type. =item B<-secretkeyid id> -the key identifier for the supplied symmetric key for B type. +The key identifier for the supplied symmetric key for B type. This option B be present if the B<-secretkey> option is used with B<-encrypt>. With B<-decrypt> operations the B is used to locate the relevant key if it is not supplied then an attempt is used to decrypt any 
@@ -437,13 +437,13 @@ B structures. =item B<-econtent_type type> -set the encapsulated content type to B if not supplied the B type +Set the encapsulated content type to B if not supplied the B type is used. The B argument can be any valid OID name in either text or numerical format. =item B<-inkey file> -the private key to use when signing or decrypting. This must match the +The private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the B<-recip> or B<-signer> file. When signing this option can be used @@ -451,19 +451,19 @@ multiple times to specify successive keys. =item B<-keyopt name:opt> -for signing and encryption this option can be used multiple times to +For signing and encryption this option can be used multiple times to set customised parameters for the preceding key or certificate. It can currently be used to set RSA-PSS for signing, RSA-OAEP for encryption or to modify default parameters for ECDH. =item B<-passin arg> -the private key password source. For more information about the format of B +The private key password source. For more information about the format of B see the B section in L. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for 
@@ -471,12 +471,12 @@ all others. =item B -one or more certificates of message recipients: used when encrypting +One or more certificates of message recipients: used when encrypting a message. =item B<-to, -from, -subject> -the relevant mail headers. These are included outside the signed +The relevant mail headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. @@ -548,28 +548,28 @@ with caution. For a fuller description see L). =item Z<>0 -the operation was completely successfully. +The operation was completely successfully. =item Z<>1 -an error occurred parsing the command options. +An error occurred parsing the command options. =item Z<>2 -one of the input files could not be read. +One of the input files could not be read. =item Z<>3 -an error occurred creating the CMS file or when reading the MIME +An error occurred creating the CMS file or when reading the MIME message. =item Z<>4 -an error occurred decrypting or verifying the message. +An error occurred decrypting or verifying the message. =item Z<>5 -the message was verified correctly but an error occurred writing out +The message was verified correctly but an error occurred writing out the signers certificates. =back @@ -727,7 +727,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/crl.pod b/doc/man1/crl.pod index 2fad2101ee..1f5f4dd278 100644 --- a/doc/man1/crl.pod +++ b/doc/man1/crl.pod 
@@ -52,52 +52,52 @@ option is not specified. =item B<-out filename> -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. =item B<-text> -print out the CRL in text form. +Print out the CRL in text form. =item B<-nameopt option> -option which determines how the subject or issuer names are displayed. See +Option which determines how the subject or issuer names are displayed. See the description of B<-nameopt> in L. =item B<-noout> -don't output the encoded version of the CRL. +Don't output the encoded version of the CRL. =item B<-hash> -output a hash of the issuer name. This can be use to lookup CRLs in +Output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name. =item B<-hash_old> -outputs the "hash" of the CRL issuer name using the older algorithm +Outputs the "hash" of the CRL issuer name using the older algorithm as used by OpenSSL versions before 1.0.0. =item B<-issuer> -output the issuer name. +Output the issuer name. =item B<-lastupdate> -output the lastUpdate field. +Output the lastUpdate field. =item B<-nextupdate> -output the nextUpdate field. +Output the nextUpdate field. =item B<-CAfile file> -verify the signature on a CRL by looking up the issuing certificate in -B +Verify the signature on a CRL by looking up the issuing certificate in +B. =item B<-CApath dir> -verify the signature on a CRL by looking up the issuing certificate in +Verify the signature on a CRL by looking up the issuing certificate in B. This directory must be a standard certificate directory: that is a hash of each subject name (using B) should be linked to each certificate. 
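Review bot: in the -hash item the rewritten text keeps "This can be use to lookup CRLs"; it should read "This can be used to look up CRLs". Verb forms are also mixed within this hunk: -hash becomes "Output a hash" while -hash_old becomes "Outputs the "hash""; use the imperative that the other items in the hunk use.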
@@ -132,7 +132,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/crl2pkcs7.pod b/doc/man1/crl2pkcs7.pod index 8c679ea8fd..11d7cc942b 100644 --- a/doc/man1/crl2pkcs7.pod +++ b/doc/man1/crl2pkcs7.pod @@ -48,19 +48,19 @@ option is not specified. =item B<-out filename> -specifies the output filename to write the PKCS#7 structure to or standard +Specifies the output filename to write the PKCS#7 structure to or standard output by default. =item B<-certfile filename> -specifies a filename containing one or more certificates in B format. +Specifies a filename containing one or more certificates in B format. All certificates in the file will be added to the PKCS#7 structure. This option can be used more than once to read certificates form multiple files. =item B<-nocrl> -normally a CRL is included in the output file. With this option no CRL is +Normally a CRL is included in the output file. With this option no CRL is included in the output file and a CRL is not read from the input file. =back @@ -95,7 +95,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod index 3f1b02ca51..9faaf346b1 100644 --- a/doc/man1/dgst.pod +++ b/doc/man1/dgst.pod 
@@ -59,34 +59,34 @@ supported digests, use the command I. =item B<-c> -print out the digest in two digit groups separated by colons, only relevant if +Print out the digest in two digit groups separated by colons, only relevant if B format output is used. =item B<-d> -print out BIO debugging information. +Print out BIO debugging information. =item B<-hex> -digest is to be output as a hex dump. This is the default case for a "normal" +Digest is to be output as a hex dump. This is the default case for a "normal" digest as opposed to a digital signature. See NOTES below for digital signatures using B<-hex>. =item B<-binary> -output the digest or signature in binary form. +Output the digest or signature in binary form. =item B<-r> -output the digest in the "coreutils" format used by programs like B. +Output the digest in the "coreutils" format used by programs like B. =item B<-out filename> -filename to output to, or standard output by default. +Filename to output to, or standard output by default. =item B<-sign filename> -digitally sign the digest using the private key in "filename". +Digitally sign the digest using the private key in "filename". =item B<-keyform arg> 
@@ -98,32 +98,31 @@ and ENGINE formats are supported. Pass options to the signature algorithm during sign or verify operations. Names and values of these options are algorithm-specific. - =item B<-passin arg> -the private key password source. For more information about the format of B +The private key password source. For more information about the format of B see the B section in L. =item B<-verify filename> -verify the signature using the public key in "filename". +Verify the signature using the public key in "filename". The output is either "Verification OK" or "Verification Failure". =item B<-prverify filename> -verify the signature using the private key in "filename". +Verify the signature using the private key in "filename". =item B<-signature filename> -the actual signature to verify. +The actual signature to verify. =item B<-hmac key> -create a hashed MAC using "key". +Create a hashed MAC using "key". =item B<-mac alg> -create MAC (keyed Message Authentication Code). The most popular MAC +Create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms which are not based on hash, for instance B algorithm, supported by B engine. MAC keys and other options should be set @@ -152,7 +151,7 @@ for example exactly 32 chars for gost-mac. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -160,8 +159,7 @@ all others. =item B<-fips-fingerprint> -compute HMAC using a specific key -for certain OpenSSL-FIPS operations. +Compute HMAC using a specific key for certain OpenSSL-FIPS operations. =item B<-engine id> 
@@ -177,7 +175,7 @@ engine B for digest operations. =item B -file or files to digest. If no files are specified then standard input is +File or files to digest. If no files are specified then standard input is used. =back @@ -230,7 +228,7 @@ The FIPS-related options were removed in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/dhparam.pod b/doc/man1/dhparam.pod index addd88a540..a6317a95a5 100644 --- a/doc/man1/dhparam.pod +++ b/doc/man1/dhparam.pod @@ -84,7 +84,7 @@ default generator 2. =item B<-rand> I -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -92,7 +92,7 @@ all others. =item I -this option specifies that a parameter set should be generated of size +This option specifies that a parameter set should be generated of size I. It must be the last option. If this option is present then the input file is ignored and parameters are generated instead. If this option is not present but a generator (B<-2> or B<-5>) is 
@@ -100,20 +100,20 @@ present, parameters are generated with a default length of 2048 bits. =item B<-noout> -this option inhibits the output of the encoded version of the parameters. +This option inhibits the output of the encoded version of the parameters. =item B<-text> -this option prints out the DH parameters in human readable form. +This option prints out the DH parameters in human readable form. =item B<-C> -this option converts the parameters into C code. The parameters can then +This option converts the parameters into C code. The parameters can then be loaded by calling the get_dhNNNN() function. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -149,7 +149,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/dsa.pod b/doc/man1/dsa.pod index b85298773e..2f8df0c3eb 100644 --- a/doc/man1/dsa.pod +++ b/doc/man1/dsa.pod @@ -73,7 +73,7 @@ prompted for. =item B<-passin arg> -the input file password source. For more information about the format of B +The input file password source. For more information about the format of B see the B section in L. =item B<-out filename> @@ -85,7 +85,7 @@ filename. =item B<-passout arg> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. =item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> 
@@ -100,30 +100,30 @@ These options can only be used with PEM format output files. =item B<-text> -prints out the public, private key components and parameters. +Prints out the public, private key components and parameters. =item B<-noout> -this option prevents output of the encoded version of the key. +This option prevents output of the encoded version of the key. =item B<-modulus> -this option prints out the value of the public key component of the key. +This option prints out the value of the public key component of the key. =item B<-pubin> -by default a private key is read from the input file: with this option a +By default, a private key is read from the input file. With this option a public key is read instead. =item B<-pubout> -by default a private key is output. With this option a public +By default, a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. diff --git a/doc/man1/dsaparam.pod b/doc/man1/dsaparam.pod index 08ad47faa6..0a34c29411 100644 --- a/doc/man1/dsaparam.pod +++ b/doc/man1/dsaparam.pod 
@@ -58,25 +58,25 @@ as the input filename. =item B<-noout> -this option inhibits the output of the encoded version of the parameters. +This option inhibits the output of the encoded version of the parameters. =item B<-text> -this option prints out the DSA parameters in human readable form. +This option prints out the DSA parameters in human readable form. =item B<-C> -this option converts the parameters into C code. The parameters can then +This option converts the parameters into C code. The parameters can then be loaded by calling the get_dsaXXX() function. =item B<-genkey> -this option will generate a DSA either using the specified or generated +This option will generate a DSA either using the specified or generated parameters. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -84,13 +84,13 @@ all others. =item B -this option specifies that a parameter set should be generated of size +This option specifies that a parameter set should be generated of size B. It must be the last option. If this option is included then the input file (if any) is ignored. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. 
@@ -114,7 +114,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ec.pod b/doc/man1/ec.pod index a5f920e841..99cf9d0fda 100644 --- a/doc/man1/ec.pod +++ b/doc/man1/ec.pod @@ -66,7 +66,7 @@ prompted for. =item B<-passin arg> -the input file password source. For more information about the format of B +The input file password source. For more information about the format of B see the B section in L. =item B<-out filename> @@ -78,7 +78,7 @@ filename. =item B<-passout arg> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. =item B<-des|-des3|-idea> @@ -94,24 +94,24 @@ These options can only be used with PEM format output files. =item B<-text> -prints out the public, private key components and parameters. +Prints out the public, private key components and parameters. =item B<-noout> -this option prevents output of the encoded version of the key. +This option prevents output of the encoded version of the key. =item B<-modulus> -this option prints out the value of the public key component of the key. +This option prints out the value of the public key component of the key. =item B<-pubin> -by default a private key is read from the input file: with this option a +By default, a private key is read from the input file. With this option a public key is read instead. =item B<-pubout> -by default a private key is output. With this option a public +By default a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. 
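Review bot: comma use after "By default" is inconsistent within the ec.pod -pubin/-pubout hunk: -pubin becomes "By default, a private key is read from the input file." while -pubout becomes "By default a private key is output." The matching dsa.pod hunk uses the comma in both items, so add it to -pubout here as well.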
@@ -141,11 +141,11 @@ This option omits the public key components from the private key output. =item B<-check> -this option checks the consistency of an EC private or public key. +This option checks the consistency of an EC private or public key. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -196,7 +196,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/ecparam.pod b/doc/man1/ecparam.pod index 5167896403..7e0d074542 100644 --- a/doc/man1/ecparam.pod +++ b/doc/man1/ecparam.pod @@ -118,7 +118,7 @@ This option will generate an EC private key using the specified parameters. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -126,7 +126,7 @@ all others. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. 
@@ -175,7 +175,7 @@ L, L =head1 COPYRIGHT -Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/gendsa.pod b/doc/man1/gendsa.pod index a148b208d4..1068ffdfd0 100644 --- a/doc/man1/gendsa.pod +++ b/doc/man1/gendsa.pod @@ -51,7 +51,7 @@ If none of these options is specified no encryption is used. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -59,7 +59,7 @@ all others. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod index 8df09054b2..50a7b1bb6d 100644 --- a/doc/man1/genpkey.pod +++ b/doc/man1/genpkey.pod @@ -42,7 +42,7 @@ This specifies the output format DER or PEM. =item B<-pass arg> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. =item B<-cipher> 
@@ -52,7 +52,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. If used this option should precede all other @@ -60,19 +60,19 @@ options. =item B<-algorithm alg> -public key algorithm to use such as RSA, DSA or DH. If used this option must +Public key algorithm to use such as RSA, DSA or DH. If used this option must precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> are mutually exclusive. =item B<-pkeyopt opt:value> -set the public key algorithm option B to B. The precise set of +Set the public key algorithm option B to B. The precise set of options supported depends on the public key algorithm used and its implementation. See B below for more details. =item B<-genparam> -generate a set of parameters instead of a private key. If used this option must +Generate a set of parameters instead of a private key. If used this option must precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options. =item B<-paramfile filename> @@ -179,11 +179,11 @@ key from a named curve without the need to use an explicit parameter file. =item B -the EC curve to use. OpenSSL supports NIST curve names such as "P-256". +The EC curve to use. OpenSSL supports NIST curve names such as "P-256". =item B -the encoding to use for parameters. The "encoding" parameter must be either +The encoding to use for parameters. The "encoding" parameter must be either "named_curve" or "explicit". =back 
@@ -292,7 +292,7 @@ were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/genrsa.pod b/doc/man1/genrsa.pod index f4ed9593ae..4e44fe51d6 100644 --- a/doc/man1/genrsa.pod +++ b/doc/man1/genrsa.pod @@ -47,8 +47,8 @@ standard output is used. =item B<-passout arg> -the output file password source. For more information about the format of B -see the B section in L. +The output file password source. For more information about the format +of B see the B section in L. =item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> @@ -59,11 +59,11 @@ for if it is not supplied via the B<-passout> argument. =item B<-F4|-3> -the public exponent to use, either 65537 or 3. The default is 65537. +The public exponent to use, either 65537 or 3. The default is 65537. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -71,14 +71,14 @@ all others. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B -the size of the private key to generate in bits. This must be the last option +The size of the private key to generate in bits. This must be the last option specified. The default is 2048. =back 
diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod index ec82088fae..058462f318 100644 --- a/doc/man1/ocsp.pod +++ b/doc/man1/ocsp.pod @@ -153,25 +153,25 @@ a nonce is automatically added specifying B overrides this. =item B<-req_text>, B<-resp_text>, B<-text> -print out the text form of the OCSP request, response or both respectively. +Print out the text form of the OCSP request, response or both respectively. =item B<-reqout file>, B<-respout file> -write out the DER encoded certificate request or response to B. +Write out the DER encoded certificate request or response to B. =item B<-reqin file>, B<-respin file> -read OCSP request or response file from B. These option are ignored +Read OCSP request or response file from B. These option are ignored if OCSP request or response creation is implied by other options (for example with B, B and B options). =item B<-url responder_url> -specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. +Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. =item B<-host hostname:port>, B<-path pathname> -if the B option is present then the OCSP request is sent to the host +If the B option is present then the OCSP request is sent to the host B on port B. B specifies the HTTP path name to use or "/" by default. This is equivalent to specifying B<-url> with scheme http:// and the given hostname, port, and pathname. @@ -184,11 +184,11 @@ This may be repeated. =item B<-timeout seconds> -connection timeout to the OCSP responder in seconds +Connection timeout to the OCSP responder in seconds =item B<-CAfile file>, B<-CApath pathname> -file or pathname containing trusted CA certificates. These are used to verify +File or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. =item B<-no-CAfile> 
@@ -212,65 +212,66 @@ See L manual page for details. =item B<-verify_other file> -file containing additional certificates to search when attempting to locate +File containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer's certificate from the response: this option can be used to supply the necessary certificate in such cases. =item B<-trust_other> -the certificates specified by the B<-verify_other> option should be explicitly +The certificates specified by the B<-verify_other> option should be explicitly trusted and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate. =item B<-VAfile file> -file containing explicitly trusted responder certificates. Equivalent to the +File containing explicitly trusted responder certificates. Equivalent to the B<-verify_other> and B<-trust_other> options. =item B<-noverify> -don't attempt to verify the OCSP response signature or the nonce values. This -option will normally only be used for debugging since it disables all verification -of the responders certificate. +Don't attempt to verify the OCSP response signature or the nonce +values. This option will normally only be used for debugging since it +disables all verification of the responders certificate. =item B<-no_intern> -ignore certificates contained in the OCSP response when searching for the +Ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified with either the B<-verify_other> or B<-VAfile> options. =item B<-no_signature_verify> -don't check the signature on the OCSP response. Since this option tolerates invalid -signatures on OCSP responses it will normally only be used for testing purposes. +Don't check the signature on the OCSP response. 
Since this option +tolerates invalid signatures on OCSP responses it will normally only be +used for testing purposes. =item B<-no_cert_verify> -don't verify the OCSP response signers certificate at all. Since this option allows -the OCSP response to be signed by any certificate it should only be used for -testing purposes. +Don't verify the OCSP response signers certificate at all. Since this +option allows the OCSP response to be signed by any certificate it should +only be used for testing purposes. =item B<-no_chain> -do not use certificates in the response as additional untrusted CA +Do not use certificates in the response as additional untrusted CA certificates. =item B<-no_explicit> -do not explicitly trust the root CA if it is set to be trusted for OCSP signing. +Do not explicitly trust the root CA if it is set to be trusted for OCSP signing. =item B<-no_cert_checks> -don't perform any additional checks on the OCSP response signers certificate. +Don't perform any additional checks on the OCSP response signers certificate. That is do not make any checks to see if the signers certificate is authorised to provide the necessary status information: as a result this option should only be used for testing purposes. =item B<-validity_period nsec>, B<-status_age age> -these options specify the range of times, in seconds, which will be tolerated +These options specify the range of times, in seconds, which will be tolerated in an OCSP response. Each certificate status response includes a B time and an optional B time. The current time should fall between these two values, but the interval between the two times may be only a few 
@@ -286,7 +287,7 @@ By default this additional check is not performed. =item B<-[digest]> -this option sets digest algorithm to use for certificate identification in the +This option sets digest algorithm to use for certificate identification in the OCSP request. Any digest supported by the OpenSSL B command can be used. The default is SHA-1. This option may be used multiple times to specify the digest used by subsequent certificate identifiers. @@ -299,16 +300,17 @@ digest used by subsequent certificate identifiers. =item B<-index indexfile> -B is a text index file in B format containing certificate revocation -information. +The B parameter is the name of a text index file in B +format containing certificate revocation information. -If the B option is specified the B utility is in responder mode, otherwise -it is in client mode. The request(s) the responder processes can be either specified on -the command line (using B and B options), supplied in a file (using the -B option) or via external OCSP clients (if B or B is specified). +If the B option is specified the B utility is in responder +mode, otherwise it is in client mode. The request(s) the responder +processes can be either specified on the command line (using B +and B options), supplied in a file (using the B option) +or via external OCSP clients (if B or B is specified). -If the B option is present then the B and B options must also be -present. +If the B option is present then the B and B options +must also be present. =item B<-CA file> 
@@ -328,17 +330,18 @@ Don't include any certificates in the OCSP response. =item B<-resp_key_id> -Identify the signer certificate using the key ID, default is to use the subject name. +Identify the signer certificate using the key ID, default is to use the +subject name. =item B<-rkey file> -The private key to sign OCSP responses with: if not present the file specified in the -B option is used. +The private key to sign OCSP responses with: if not present the file +specified in the B option is used. =item B<-port portnum> -Port to listen for OCSP requests on. The port may also be specified using the B -option. +Port to listen for OCSP requests on. The port may also be specified +using the B option. =item B<-nrequest number> @@ -346,9 +349,10 @@ The OCSP server will exit after receiving B requests, default unlimited. =item B<-nmin minutes>, B<-ndays days> -Number of minutes or days when fresh revocation information is available: used in the -B field. If neither option is present then the B field -is omitted meaning fresh revocation information is immediately available. +Number of minutes or days when fresh revocation information is available: +used in the B field. If neither option is present then the +B field is omitted meaning fresh revocation information is +immediately available. =back @@ -456,7 +460,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index da07cd5caf..bfac312c93 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod 
@@ -91,7 +91,7 @@ Cipher Suite Description Determination. =item L|cms(1)> -CMS (Cryptographic Message Syntax) utility +CMS (Cryptographic Message Syntax) utility. =item L|crl(1)> @@ -113,8 +113,7 @@ Obsoleted by L|dhparam(1)>. =item L|dhparam(1)> Generation and Management of Diffie-Hellman Parameters. Superseded by -L|genpkey(1)> and L|pkeyparam(1)> - +L|genpkey(1)> and L|pkeyparam(1)>. =item L|dsa(1)> @@ -123,15 +122,15 @@ DSA Data Management. =item L|dsaparam(1)> DSA Parameter Generation and Management. Superseded by -L|genpkey(1)> and L|pkeyparam(1)> +L|genpkey(1)> and L|pkeyparam(1)>. =item L|ec(1)> -EC (Elliptic curve) key processing +EC (Elliptic curve) key processing. =item L|ecparam(1)> -EC parameter manipulation and generation +EC parameter manipulation and generation. =item L|enc(1)> @@ -153,7 +152,7 @@ Obsoleted by L|dhparam(1)>. =item L|gendsa(1)> Generation of DSA Private Key from Parameters. Superseded by -L|genpkey(1)> and L|pkey(1)> +L|genpkey(1)> and L|pkey(1)>. =item L|genpkey(1)> @@ -165,7 +164,7 @@ Generation of RSA Private Key. Superseded by L|genpkey(1)>. =item L|nseq(1)> -Create or examine a Netscape certificate sequence +Create or examine a Netscape certificate sequence. =item L|ocsp(1)> @@ -211,7 +210,7 @@ RSA key management. =item L|rsautl(1)> RSA utility for signing, verification, encryption, and decryption. Superseded -by L|pkeyutl(1)> +by L|pkeyutl(1)>. =item L|s_client(1)> @@ -247,11 +246,11 @@ Algorithm Speed Measurement. =item L|spkac(1)> -SPKAC printing and generating utility +SPKAC printing and generating utility. =item L|ts(1)> -Time Stamping Authority tool (client/server) +Time Stamping Authority tool (client/server). =item L|verify(1)> 
@@ -388,19 +387,19 @@ terminal with echoing turned off. =item B -the actual password is B. Since the password is visible +The actual password is B. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important. =item B -obtain the password from the environment variable B. Since +Obtain the password from the environment variable B. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution. =item B -the first line of B is the password. If the same B +The first line of B is the password. If the same B argument is supplied to B<-passin> and B<-passout> arguments then the first line will be used for the input password and the next line for the output password. B need not refer to a regular file: it could for example @@ -408,12 +407,12 @@ refer to a device or named pipe. =item B -read the password from the file descriptor B. This can be used to +Read the password from the file descriptor B. This can be used to send the data via a pipe for example. =item B -read the password from standard input. +Read the password from standard input. =back @@ -441,7 +440,7 @@ manual pages. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod index 82e64daacf..80373f2034 100644 --- a/doc/man1/pkcs12.pod +++ b/doc/man1/pkcs12.pod 
@@ -75,13 +75,13 @@ default. They are all written in PEM format. =item B<-passin arg> -the PKCS#12 file (i.e. input file) password source. For more information about +The PKCS#12 file (i.e. input file) password source. For more information about the format of B see the B section in L. =item B<-passout arg> -pass phrase source to encrypt any outputted private keys with. For more +Pass phrase source to encrypt any outputted private keys with. For more information about the format of B see the B section in L. 
@@ -92,65 +92,65 @@ Otherwise, -password is equivalent to -passin. =item B<-noout> -this option inhibits output of the keys and certificates to the output file +This option inhibits output of the keys and certificates to the output file version of the PKCS#12 file. =item B<-clcerts> -only output client certificates (not CA certificates). +Only output client certificates (not CA certificates). =item B<-cacerts> -only output CA certificates (not client certificates). +Only output CA certificates (not client certificates). =item B<-nocerts> -no certificates at all will be output. +No certificates at all will be output. =item B<-nokeys> -no private keys will be output. +No private keys will be output. =item B<-info> -output additional information about the PKCS#12 file structure, algorithms used and -iteration counts. +Output additional information about the PKCS#12 file structure, algorithms +used and iteration counts. =item B<-des> -use DES to encrypt private keys before outputting. +Use DES to encrypt private keys before outputting. =item B<-des3> -use triple DES to encrypt private keys before outputting, this is the default. +Use triple DES to encrypt private keys before outputting, this is the default. =item B<-idea> -use IDEA to encrypt private keys before outputting. +Use IDEA to encrypt private keys before outputting. =item B<-aes128>, B<-aes192>, B<-aes256> -use AES to encrypt private keys before outputting. +Use AES to encrypt private keys before outputting. =item B<-aria128>, B<-aria192>, B<-aria256> -use ARIA to encrypt private keys before outputting. +Use ARIA to encrypt private keys before outputting. =item B<-camellia128>, B<-camellia192>, B<-camellia256> -use Camellia to encrypt private keys before outputting. +Use Camellia to encrypt private keys before outputting. =item B<-nodes> -don't encrypt the private keys at all. +Don't encrypt the private keys at all. =item B<-nomacver> -don't attempt to verify the integrity MAC before reading the file. 
+Don't attempt to verify the integrity MAC before reading the file. =item B<-twopass> -prompt for separate integrity and encryption passwords: most software +Prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such PKCS#12 files unreadable. @@ -179,7 +179,7 @@ certificates are present they will also be included in the PKCS#12 file. =item B<-inkey filename> -file to read private key from. If not present then a private key must be present +File to read private key from. If not present then a private key must be present in the input file. =item B<-name friendlyname> 
@@ -200,31 +200,31 @@ displays them. =item B<-pass arg>, B<-passout arg> -the PKCS#12 file (i.e. output file) password source. For more information about +The PKCS#12 file (i.e. output file) password source. For more information about the format of B see the B section in L. =item B<-passin password> -pass phrase source to decrypt any input private keys with. For more information +Pass phrase source to decrypt any input private keys with. For more information about the format of B see the B section in L. =item B<-chain> -if this option is present then an attempt is made to include the entire +If this option is present then an attempt is made to include the entire certificate chain of the user certificate. The standard CA store is used for this search. If the search fails it is considered a fatal error. =item B<-descert> -encrypt the certificate using triple DES, this may render the PKCS#12 +Encrypt the certificate using triple DES, this may render the PKCS#12 file unreadable by some "export grade" software. By default the private key is encrypted using triple DES and the certificate using 40 bit RC2. =item B<-keypbe alg>, B<-certpbe alg> -these options allow the algorithm used to encrypt the private key and +These options allow the algorithm used to encrypt the private key and certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name can be used (see B section for more information). If a cipher name (as output by the B command is specified then it @@ -233,7 +233,7 @@ use PKCS#12 algorithms. =item B<-keyex|-keysig> -specifies that the private key is to be used for key exchange or just signing. +Specifies that the private key is to be used for key exchange or just signing. This option is only interpreted by MSIE and similar MS software. Normally "export grade" software will only allow 512 bit RSA keys to be used for encryption purposes but arbitrary length keys for signing. The B<-keysig> 
@@ -244,11 +244,11 @@ the use of signing only keys for SSL client authentication. =item B<-macalg digest> -specify the MAC digest algorithm. If not included them SHA1 will be used. +Specify the MAC digest algorithm. If not included them SHA1 will be used. =item B<-nomaciter>, B<-noiter> -these options affect the iteration counts on the MAC and key algorithms. +These options affect the iteration counts on the MAC and key algorithms. Unless you wish to produce files compatible with MSIE 4.0 you should leave these options alone. @@ -271,11 +271,11 @@ to be needed to use MAC iterations counts but they are now used by default. =item B<-nomac> -don't attempt to provide the MAC integrity. +Don't attempt to provide the MAC integrity. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for @@ -293,15 +293,15 @@ linked to each certificate. =item B<-no-CAfile> -Do not load the trusted CA certificates from the default file location +Do not load the trusted CA certificates from the default file location. =item B<-no-CApath> -Do not load the trusted CA certificates from the default directory location +Do not load the trusted CA certificates from the default directory location. =item B<-CSP name> -write B as a Microsoft CSP name. +Write B as a Microsoft CSP name. =back diff --git a/doc/man1/pkcs7.pod b/doc/man1/pkcs7.pod index d238946b34..184ac142e2 100644 --- a/doc/man1/pkcs7.pod +++ b/doc/man1/pkcs7.pod 
@@ -47,27 +47,27 @@ option is not specified. =item B<-out filename> -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. =item B<-print_certs> -prints out any certificates or CRLs contained in the file. They are +Prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format. =item B<-text> -prints out certificates details in full rather than just subject and +Prints out certificates details in full rather than just subject and issuer names. =item B<-noout> -don't output the encoded version of the PKCS#7 structure (or certificates +Don't output the encoded version of the PKCS#7 structure (or certificates is B<-print_certs> is set). =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -109,7 +109,7 @@ L =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkcs8.pod b/doc/man1/pkcs8.pod index dee64a0019..ebdcea98b7 100644 --- a/doc/man1/pkcs8.pod +++ b/doc/man1/pkcs8.pod @@ -69,7 +69,7 @@ prompted for. =item B<-passin arg> -the input file password source. For more information about the format of B +The input file password source. For more information about the format of B see the B section in L. =item B<-out filename> 
@@ -81,7 +81,7 @@ filename. =item B<-passout arg> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. =item B<-iter count> @@ -124,21 +124,21 @@ If not specified PKCS#5 v2.0 form is used. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B<-scrypt> -uses the B algorithm for private key encryption using default +Uses the B algorithm for private key encryption using default parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>, B<-scrypt_p> and B<-v2> options. -B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p> +=item B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p> -sets the scrypt B, B or B

parameters. +Sets the scrypt B, B or B

parameters. =back @@ -291,7 +291,7 @@ The B<-iter> option was added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkey.pod b/doc/man1/pkey.pod index 2119c70c7a..a09736d01e 100644 --- a/doc/man1/pkey.pod +++ b/doc/man1/pkey.pod @@ -53,7 +53,7 @@ prompted for. =item B<-passin arg> -the input file password source. For more information about the format of B +The input file password source. For more information about the format of B see the B section in L. =item B<-out filename> @@ -65,12 +65,12 @@ filename. =item B<-passout password> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. =item B<-traditional> -normally a private key is written using standard format: this is PKCS#8 form +Normally a private key is written using standard format: this is PKCS#8 form with the appropriate encryption algorithm (if any). If the B<-traditional> option is specified then the older "traditional" format is used instead. 
@@ -81,31 +81,31 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B. =item B<-text> -prints out the various public or private key components in +Prints out the various public or private key components in plain text in addition to the encoded version. =item B<-text_pub> -print out only public key components even if a private key is being processed. +Print out only public key components even if a private key is being processed. =item B<-noout> -do not output the encoded version of the key. +Do not output the encoded version of the key. =item B<-pubin> -by default a private key is read from the input file: with this +By default a private key is read from the input file: with this option a public key is read instead. =item B<-pubout> -by default a private key is output: with this option a public +By default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -145,7 +145,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkeyparam.pod b/doc/man1/pkeyparam.pod index 755915ff9b..d3440ea7a8 100644 --- a/doc/man1/pkeyparam.pod +++ b/doc/man1/pkeyparam.pod 
@@ -39,15 +39,15 @@ this option is not specified. =item B<-text> -prints out the parameters in plain text in addition to the encoded version. +Prints out the parameters in plain text in addition to the encoded version. =item B<-noout> -do not output the encoded version of the parameters. +Do not output the encoded version of the parameters. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -72,7 +72,7 @@ L, L, L =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod index 310c5ccdcb..ee8a58825f 100644 --- a/doc/man1/pkeyutl.pod +++ b/doc/man1/pkeyutl.pod @@ -53,7 +53,7 @@ if this option is not specified. =item B<-out filename> -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. =item B<-sigfile file> 
@@ -62,64 +62,63 @@ Signature file, required for B operations only =item B<-inkey file> -the input key file, by default it should be a private key. +The input key file, by default it should be a private key. =item B<-keyform PEM|DER|ENGINE> -the key format PEM, DER or ENGINE. Default is PEM. +The key format PEM, DER or ENGINE. Default is PEM. =item B<-passin arg> -the input key password source. For more information about the format of B +The input key password source. For more information about the format of B see the B section in L. - =item B<-peerkey file> -the peer key file, used by key derivation (agreement) operations. +The peer key file, used by key derivation (agreement) operations. =item B<-peerform PEM|DER|ENGINE> -the peer key format PEM, DER or ENGINE. Default is PEM. +The peer key format PEM, DER or ENGINE. Default is PEM. =item B<-pubin> -the input file is a public key. +The input file is a public key. =item B<-certin> -the input is a certificate containing a public key. +The input is a certificate containing a public key. =item B<-rev> -reverse the order of the input buffer. This is useful for some libraries +Reverse the order of the input buffer. This is useful for some libraries (such as CryptoAPI) which represent the buffer in little endian format. =item B<-sign> -sign the input data and output the signed result. This requires +Sign the input data and output the signed result. This requires a private key. =item B<-verify> -verify the input data against the signature file and indicate if the +Verify the input data against the signature file and indicate if the verification succeeded or failed. =item B<-verifyrecover> -verify the input data and output the recovered data. +Verify the input data and output the recovered data. =item B<-encrypt> -encrypt the input data using a public key. +Encrypt the input data using a public key. =item B<-decrypt> -decrypt the input data using a private key. +Decrypt the input data using a private key. 
=item B<-derive> -derive a shared secret using the peer key. +Derive a shared secret using the peer key. =item B<-kdf algorithm> @@ -144,12 +143,12 @@ hex dump the output data. =item B<-asn1parse> -asn1parse the output data, this is useful when combined with the +Parse the ASN.1 output data, this is useful when combined with the B<-verifyrecover> option when an ASN1 structure is signed. =item B<-engine id> -specifying an engine (by its unique B string) will cause B +Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -308,7 +307,7 @@ L, L =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/req.pod b/doc/man1/req.pod index 641d8f62bc..f9e424b2b4 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -81,7 +81,7 @@ options (B<-new> and B<-newkey>) are not specified. =item B<-passin arg> -the input file password source. For more information about the format of B +The input file password source. For more information about the format of B see the B section in L. =item B<-out filename> 
@@ -91,38 +91,38 @@ default. =item B<-passout arg> -the output file password source. For more information about the format of B +The output file password source. For more information about the format of B see the B section in L. =item B<-text> -prints out the certificate request in text form. +Prints out the certificate request in text form. =item B<-subject> -prints out the request subject (or certificate subject if B<-x509> is +Prints out the request subject (or certificate subject if B<-x509> is specified) =item B<-pubkey> -outputs the public key. +Outputs the public key. =item B<-noout> -this option prevents output of the encoded version of the request. +This option prevents output of the encoded version of the request. =item B<-modulus> -this option prints out the value of the modulus of the public key +This option prints out the value of the modulus of the public key contained in the request. =item B<-verify> -verifies the signature on the request. +Verifies the signature on the request. =item B<-new> -this option generates a new certificate request. It will prompt +This option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. @@ -132,7 +132,7 @@ key using information specified in the configuration file. =item B<-rand file(s)> -a file or files containing random data used to seed the random number +A file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for 
@@ -140,7 +140,7 @@ all others. =item B<-newkey arg> -this option creates a new certificate request and a new private +This option creates a new certificate request and a new private key. The argument takes one of several forms. B, where B is the number of bits, generates an RSA key B in size. If B is omitted, i.e. B<-newkey rsa> specified, @@ -166,7 +166,7 @@ specified by B<-pkeyopt paramset:X> =item B<-pkeyopt opt:value> -set the public key algorithm option B to B. The precise set of +Set the public key algorithm option B to B. The precise set of options supported depends on the public key algorithm used and its implementation. See B in the B manual page for more details. @@ -178,23 +178,23 @@ accepts PKCS#8 format private keys for PEM format files. =item B<-keyform PEM|DER> -the format of the private key file specified in the B<-key> +The format of the private key file specified in the B<-key> argument. PEM is the default. =item B<-keyout filename> -this gives the filename to write the newly created private key to. +This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used. =item B<-nodes> -if this option is specified then if a private key is created it +If this option is specified then if a private key is created it will not be encrypted. =item B<-[digest]> -this specifies the message digest to sign the request. +This specifies the message digest to sign the request. Any digest supported by the OpenSSL B command can be used. This overrides the digest algorithm specified in the configuration file. 
@@ -205,20 +205,20 @@ GOST R 34.11-94 (B<-md_gost94>). =item B<-config filename> -this allows an alternative configuration file to be specified. +This allows an alternative configuration file to be specified. Optional; for a description of the default value, see L. =item B<-subj arg> -sets subject name for new request or supersedes the subject name +Sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as I, characters may be escaped by \ (backslash), no spaces are skipped. =item B<-multivalue-rdn> -this option causes the -subj argument to be interpreted with full +This option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: I @@ -227,7 +227,7 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. =item B<-x509> -this option outputs a self signed certificate instead of a certificate +This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified 
@@ -236,19 +236,19 @@ the serial number. =item B<-days n> -when the B<-x509> option is being used this specifies the number of +When the B<-x509> option is being used this specifies the number of days to certify the certificate for. The default is 30 days. =item B<-set_serial n> -serial number to use when outputting a self signed certificate. This +Serial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by B<0x>. =item B<-extensions section> =item B<-reqexts section> -these options specify alternative sections to include certificate +These options specify alternative sections to include certificate extensions (if the B<-x509> option is present) or certificate request extensions. This allows several different sections to be used in the same configuration file to specify requests for @@ -256,7 +256,7 @@ a variety of purposes. =item B<-precert> -a poison extension will be added to the certificate, making it a +A poison extension will be added to the certificate, making it a "pre-certificate" (see RFC6962). This can be submitted to Certificate Transparency logs in order to obtain signed certificate timestamps (SCTs). These SCTs can then be embedded into the pre-certificate as an extension, before @@ -266,21 +266,21 @@ This implies the B<-new> flag. =item B<-utf8> -this option causes field values to be interpreted as UTF8 strings, by +This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. =item B<-nameopt option> -option which determines how the subject or issuer names are displayed. The +Option which determines how the subject or issuer names are displayed. The B

-send some plain text down the underlying TCP connection: this should +Send some plain text down the underlying TCP connection: this should cause the client to disconnect due to a protocol violation. =item B -print out some session cache status information. +Print out some session cache status information. =back @@ -642,7 +640,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/s_time.pod b/doc/man1/s_time.pod index 9d5dbc3070..8661a00a95 100644 --- a/doc/man1/s_time.pod +++ b/doc/man1/s_time.pod @@ -73,7 +73,7 @@ will never fail due to a server certificate verify failure. =item B<-nameopt option> -option which determines how the subject or issuer names are displayed. The +Option which determines how the subject or issuer names are displayed. The B
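Review bot: In the hunk at @@ -91,38 +91,38 @@, the B<-subject> entry still ends without a full stop. The changed line "+Prints out the request subject (or certificate subject if B<-x509> is" runs on into the untouched context line " specified)", so the sentence closes on a bare parenthesis. The commit message says full stops are added to the ends of sentences, so that context line should become "specified)." as part of this change.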
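Review bot: In the hunk at @@ -178,23 +178,23 @@, the B<-nodes> entry keeps its doubled conditional, "If this option is specified then if a private key is created it", and capitalising the first word does not make it easier to read. Since the line is already being touched, consider "If this option is specified and a private key is created, it will not be encrypted." so that the condition under which the key is written out unencrypted is clear on first reading.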
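Review bot: In the hunk at @@ -205,20 +205,20 @@, the B<-multivalue-rdn> entry refers to the other option as plain "-subj" in "+This option causes the -subj argument to be interpreted with full", whereas option references elsewhere in this patch are marked up, for example B<-x509> and B<-key>. The next hunk header also shows the same entry continuing with "If -multi-rdn is not used", which does not match the item name B<-multivalue-rdn>. Suggest B<-subj> here and making the option name consistent in the following sentence.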
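Review bot: In the hunk at @@ -266,21 +266,21 @@, the B<-utf8> entry is still a comma splice: "+This option causes field values to be interpreted as UTF8 strings, by" continues with " default they are interpreted as ASCII." Splitting it into two sentences ("... as UTF8 strings. By default they are interpreted as ASCII.") would fit the stated aim of this documentation cleanup and makes the default encoding easier to find.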