From: Rich Salz Date: Wed, 27 Aug 2014 18:23:39 +0000 (-0400) Subject: RT3102: Document -verify_error_return flag X-Git-Tag: master-post-reformat~440 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=8d4193305b1634a0fb397cb8806cd7dedbff34ef RT3102: Document -verify_error_return flag Also moved some options around so all the "verify" options. are clumped together. Reviewed-by: Matt Caswell --- diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index a2e7945624..3085944e4b 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -53,6 +53,7 @@ B B [B<-trusted_first>] [B<-use_deltas>] [B<-verify_depth num>] +[B<-verify_return_error>] [B<-verify_email email>] [B<-verify_hostname hostname>] [B<-verify_ip ip>] @@ -185,17 +186,6 @@ disabling the ephemeral ECDH cipher suites. certain export cipher suites sometimes use a temporary RSA key, this option disables temporary RSA key generation. -=item B<-verify depth>, B<-Verify depth> - -The verify depth to use. This specifies the maximum length of the -client certificate chain and makes the server request a certificate from -the client. With the B<-verify> option a certificate is requested but the -client does not have to send one, with the B<-Verify> option the client -must supply a certificate or an error occurs. - -If the ciphersuite cannot request a client certificate (for example an -anonymous ciphersuite or PSK) this option has no effect. - =item B<-crl_check>, B<-crl_check_all> Check the peer certificate has not been revoked by its CA. @@ -215,6 +205,17 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-verify depth>, B<-Verify depth> + +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the B<-verify> option a certificate is requested but the +client does not have to send one, with the B<-Verify> option the client +must supply a certificate or an error occurs. + +If the ciphersuite cannot request a client certificate (for example an +anonymous ciphersuite or PSK) this option has no effect. + =item B<-attime>, B<-check_ss_sig>, B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, @@ -225,6 +226,12 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set different peer certificate verification options. See the L|verify(1)> manual page for details. +=item B<-verify_return_error> + +Verification errors normally just print a message but allow the +connection to continue, for debugging purposes. +If this option is used, then verification errors close the connection. + =item B<-state> prints out the SSL session states.