diff options
| author | jkim <jkim@FreeBSD.org> | 2015-10-30 20:51:33 +0000 |
|---|---|---|
| committer | jkim <jkim@FreeBSD.org> | 2015-10-30 20:51:33 +0000 |
| commit | 6b741bee156148072e0e9588e7c9f4a9d66d1ab9 (patch) | |
| tree | e8d8b5ada49f5cdbf70d1e455c13f2625fdcdd45 /secure/usr.bin | |
| parent | 979d5cd34dadfb0b78c606ecca3ec8d3a6ca245f (diff) | |
| parent | 64cb0c902e312216cdc4c826fc0be9ba9e1bf4da (diff) | |
| download | FreeBSD-src-6b741bee156148072e0e9588e7c9f4a9d66d1ab9.zip FreeBSD-src-6b741bee156148072e0e9588e7c9f4a9d66d1ab9.tar.gz | |
Merge OpenSSL 1.0.2d.
Diffstat (limited to 'secure/usr.bin')
46 files changed, 270 insertions, 115 deletions
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1 index feb02cf..d70ef8c 100644 --- a/secure/usr.bin/openssl/man/CA.pl.1 +++ b/secure/usr.bin/openssl/man/CA.pl.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CA.PL 1" -.TH CA.PL 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH CA.PL 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1 index 5cdea68..5b30f3d 100644 --- a/secure/usr.bin/openssl/man/asn1parse.1 +++ b/secure/usr.bin/openssl/man/asn1parse.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "ASN1PARSE 1" -.TH ASN1PARSE 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH ASN1PARSE 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/c_rehash.1 b/secure/usr.bin/openssl/man/c_rehash.1 index 3b0365b..1f26bb3 100644 --- a/secure/usr.bin/openssl/man/c_rehash.1 +++ b/secure/usr.bin/openssl/man/c_rehash.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "C_REHASH 1" -.TH C_REHASH 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH C_REHASH 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,12 +143,18 @@ c_rehash \- Create symbolic links to files named by the hash values .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBc_rehash\fR +\&\fB[\-old]\fR +\&\fB[\-h]\fR +\&\fB[\-n]\fR +\&\fB[\-v]\fR [ \fIdirectory\fR...] .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fBc_rehash\fR scans directories and calculates a hash value of each \f(CW\*(C`.pem\*(C'\fR +\&\fBc_rehash\fR scans directories and calculates a hash value of each +\&\f(CW\*(C`.pem\*(C'\fR, \f(CW\*(C`.crt\*(C'\fR, \f(CW\*(C`.cer\*(C'\fR, or \f(CW\*(C`.crl\*(C'\fR file in the specified directory list and creates symbolic links for each file, where the name of the link is the hash value. +(If the platform does not support symbolic links, a copy is made.) This utility is useful as many programs that use OpenSSL require directories to be set up like this in order to find certificates. .PP @@ -166,6 +172,7 @@ is a hexadecimal character and \fBD\fR is a single decimal digit. When processing a directory, \fBc_rehash\fR will first remove all links that have a name in that syntax. If you have links in that format used for other purposes, they will be removed. +To skip the removal step, use the \fB\-n\fR flag. Hashes for \s-1CRL\s0's look similar except the letter \fBr\fR appears after the period, like this: \f(CW\*(C`HHHHHHHH.rD\*(C'\fR. .PP @@ -174,7 +181,7 @@ incrementing the \fBD\fR value. Duplicates are found by comparing the full \s-1SHA\-1\s0 fingerprint. A warning will be displayed if a duplicate is found. .PP -A warning will also be displayed if there are \fB.pem\fR files that +A warning will also be displayed if there are files that cannot be parsed as either a certificate or a \s-1CRL.\s0 .PP The program uses the \fBopenssl\fR program to compute the hashes and @@ -184,13 +191,31 @@ Any program can be used, it will be invoked as follows for either a certificate or \s-1CRL:\s0 .PP .Vb 2 -\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FFFFFF -\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FFFFFF +\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FILENAME +\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FILENAME .Ve .PP -where \fB\s-1FFFFFF\s0\fR is the filename. It must output the hash of the +where \fB\s-1FILENAME\s0\fR is the filename. It must output the hash of the file on the first line, and the fingerprint on the second, optionally prefixed with some text and an equals sign. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-old\fR" 4 +.IX Item "-old" +Use old-style hashing (\s-1MD5,\s0 as opposed to \s-1SHA\-1\s0) for generating +links for releases before 1.0.0. Note that current versions will +not use the old style. +.IP "\fB\-h\fR" 4 +.IX Item "-h" +Display a brief usage message. +.IP "\fB\-n\fR" 4 +.IX Item "-n" +Do not remove existing links. +This is needed when keeping new and old-style links in the same directory. +.IP "\fB\-v\fR" 4 +.IX Item "-v" +Print messages about old links removed and new links created. +By default, \fBc_rehash\fR only lists each directory as it is processed. .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" .IP "\fB\s-1OPENSSL\s0\fR" 4 diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1 index 76df602..0026b4c 100644 --- a/secure/usr.bin/openssl/man/ca.1 +++ b/secure/usr.bin/openssl/man/ca.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CA 1" -.TH CA 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH CA 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 index a79ee7a..ff87f0d 100644 --- a/secure/usr.bin/openssl/man/ciphers.1 +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CIPHERS 1" -.TH CIPHERS 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH CIPHERS 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -281,13 +281,13 @@ cipher suites using \s-1RSA\s0 key exchange. .IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4 .IX Item "kDHr, kDHd, kDH" cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0 -and \s-1DSS\s0 keys or either respectively. Not implemented. -.IP "\fBkEDH\fR" 4 -.IX Item "kEDH" +and \s-1DSS\s0 keys or either respectively. +.IP "\fBkDHE\fR, \fBkEDH\fR" 4 +.IX Item "kDHE, kEDH" cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher suites. -.IP "\fB\s-1EDH\s0\fR" 4 -.IX Item "EDH" +.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4 +.IX Item "DHE, EDH" cipher suites using authenticated ephemeral \s-1DH\s0 key agreement. .IP "\fB\s-1ADH\s0\fR" 4 .IX Item "ADH" @@ -300,12 +300,12 @@ cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s .IX Item "kECDHr, kECDHe, kECDH" cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0 keys or either respectively. -.IP "\fBkEECDH\fR" 4 -.IX Item "kEECDH" +.IP "\fBkECDHE\fR, \fBkEECDH\fR" 4 +.IX Item "kECDHE, kEECDH" cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous cipher suites. -.IP "\fB\s-1EECDHE\s0\fR" 4 -.IX Item "EECDHE" +.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4 +.IX Item "ECDHE, EECDH" cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement. .IP "\fB\s-1AECDH\s0\fR" 4 .IX Item "AECDH" @@ -323,7 +323,7 @@ cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1D .IP "\fBaDH\fR" 4 .IX Item "aDH" cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry -\&\s-1DH\s0 keys. Not implemented. +\&\s-1DH\s0 keys. .IP "\fBaECDH\fR" 4 .IX Item "aECDH" cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates @@ -401,6 +401,17 @@ cipher suites using \s-1GOST 28147\-89 MAC \s0\fBinstead of\fR \s-1HMAC.\s0 .IP "\fB\s-1PSK\s0\fR" 4 .IX Item "PSK" cipher suites using pre-shared keys (\s-1PSK\s0). +.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4 +.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192" +enables suite B mode operation using 128 (permitting 192 bit mode by peer) +128 bit (not permitting 192 bit by peer) or 192 bit level of security +respectively. If used these cipherstrings should appear first in the cipher +list and anything after them is ignored. Setting Suite B mode has additional +consequences required to comply with \s-1RFC6460.\s0 In particular the supported +signature algorithms is reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 +only the elliptic curves P\-256 and P\-384 can be used and only the two suite B +compliant ciphersuites (\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and +\&\s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are permissible. .SH "CIPHER SUITE NAMES" .IX Header "CIPHER SUITE NAMES" The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the @@ -421,12 +432,10 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. \& SSL_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA \& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA \& -\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. -\& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. -\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. -\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. -\& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. -\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. +\& SSL_DH_DSS_WITH_DES_CBC_SHA DH\-DSS\-DES\-CBC\-SHA +\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA +\& SSL_DH_RSA_WITH_DES_CBC_SHA DH\-RSA\-DES\-CBC\-SHA +\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA \& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA \& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA \& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA @@ -483,10 +492,10 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. \& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA \& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA \& -\& TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented. -\& TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented. +\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA +\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA +\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA +\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA \& \& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA \& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA @@ -502,10 +511,10 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. \& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA \& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA \& -\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA Not implemented. -\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA Not implemented. +\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA +\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA +\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA +\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA \& \& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA \& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA @@ -520,8 +529,8 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. .Vb 1 \& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA \& -\& TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented. +\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA +\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA \& \& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA \& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA @@ -593,15 +602,15 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3. \& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256 \& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384 \& -\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented. -\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented. -\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented. -\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented. +\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256 +\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256 +\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256 +\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384 \& -\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented. -\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented. -\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented. -\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented. +\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256 +\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256 +\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256 +\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384 \& \& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256 \& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256 @@ -659,9 +668,6 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3. .Ve .SH "NOTES" .IX Header "NOTES" -The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL -because there is no support for \s-1DH\s0 certificates. -.PP Some compiled versions of OpenSSL may not include all the ciphers listed here because some ciphers were excluded at compile time. .SH "EXAMPLES" diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1 index 106bb70..bb4dae5 100644 --- a/secure/usr.bin/openssl/man/cms.1 +++ b/secure/usr.bin/openssl/man/cms.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CMS 1" -.TH CMS 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH CMS 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -194,6 +194,7 @@ cms \- CMS utility [\fB\-secretkeyid id\fR] [\fB\-econtent_type type\fR] [\fB\-inkey file\fR] +[\fB\-keyopt name:parameter\fR] [\fB\-passin arg\fR] [\fB\-rand file(s)\fR] [\fBcert.pem...\fR] @@ -412,8 +413,13 @@ verified then the signers certificates will be written to this file if the verification was successful. .IP "\fB\-recip file\fR" 4 .IX Item "-recip file" -the recipients certificate when decrypting a message. This certificate -must match one of the recipients of the message or an error occurs. +when decrypting a message this specifies the recipients certificate. The +certificate must match one of the recipients of the message or an error +occurs. +.Sp +When encrypting a message this option may be used multiple times to specify +each recipient. This form \fBmust\fR be used if customised parameters are +required (for example to specify RSA-OAEP). .IP "\fB\-keyid\fR" 4 .IX Item "-keyid" use subject key identifier to identify certificates instead of issuer name and @@ -462,6 +468,12 @@ corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used multiple times to specify successive keys. +.IP "\fB\-keyopt name:opt\fR" 4 +.IX Item "-keyopt name:opt" +for signing and encryption this option can be used multiple times to +set customised parameters for the preceding key or certificate. It can +currently be used to set RSA-PSS for signing, RSA-OAEP for encryption +or to modify default parameters for \s-1ECDH.\s0 .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" the private key password source. For more information about the format of \fBarg\fR @@ -570,6 +582,10 @@ The \fB\-compress\fR option. .PP The \fB\-secretkey\fR option when used with \fB\-encrypt\fR. .PP +The use of \s-1PSS\s0 with \fB\-sign\fR. +.PP +The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR. +.PP Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot be processed by the older \fBsmime\fR command. .SH "EXAMPLES" @@ -676,6 +692,27 @@ Add a signer to an existing message: .Vb 1 \& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg .Ve +.PP +Sign mail using RSA-PSS: +.PP +.Vb 2 +\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e +\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss +.Ve +.PP +Create encrypted mail using RSA-OAEP: +.PP +.Vb 2 +\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e +\& \-recip cert.pem \-keyopt rsa_padding_mode:oaep +.Ve +.PP +Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate: +.PP +.Vb 2 +\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e +\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256 +.Ve .SH "BUGS" .IX Header "BUGS" The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've @@ -700,4 +737,14 @@ No revocation checking is done on the signer's certificate. The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first added in OpenSSL 1.0.0 .PP -The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. +The \fBkeyopt\fR option was first added in OpenSSL 1.1.0 +.PP +The use of \fB\-recip\fR to specify the recipient when encrypting mail was first +added to OpenSSL 1.1.0 +.PP +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +.PP +The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR was first added +to OpenSSL 1.1.0. +.PP +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1 index 564fce0..352499a 100644 --- a/secure/usr.bin/openssl/man/crl.1 +++ b/secure/usr.bin/openssl/man/crl.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CRL 1" -.TH CRL 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH CRL 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1 index 8c41ff9..a768c92 100644 --- a/secure/usr.bin/openssl/man/crl2pkcs7.1 +++ b/secure/usr.bin/openssl/man/crl2pkcs7.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "CRL2PKCS7 1" -.TH CRL2PKCS7 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH CRL2PKCS7 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1 index c2ec0a8..fdf1535 100644 --- a/secure/usr.bin/openssl/man/dgst.1 +++ b/secure/usr.bin/openssl/man/dgst.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "DGST 1" -.TH DGST 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH DGST 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1 index ba49bd4..e89a351 100644 --- a/secure/usr.bin/openssl/man/dhparam.1 +++ b/secure/usr.bin/openssl/man/dhparam.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "DHPARAM 1" -.TH DHPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH DHPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1 index 213c803..da5df42 100644 --- a/secure/usr.bin/openssl/man/dsa.1 +++ b/secure/usr.bin/openssl/man/dsa.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "DSA 1" -.TH DSA 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH DSA 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1 index 2f76249..20e8e68 100644 --- a/secure/usr.bin/openssl/man/dsaparam.1 +++ b/secure/usr.bin/openssl/man/dsaparam.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "DSAPARAM 1" -.TH DSAPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH DSAPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1 index 99533b9..24ced4b 100644 --- a/secure/usr.bin/openssl/man/ec.1 +++ b/secure/usr.bin/openssl/man/ec.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EC 1" -.TH EC 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH EC 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1 index b03dad4..a615b3f 100644 --- a/secure/usr.bin/openssl/man/ecparam.1 +++ b/secure/usr.bin/openssl/man/ecparam.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "ECPARAM 1" -.TH ECPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH ECPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1 index 6a7103f..c119e7e 100644 --- a/secure/usr.bin/openssl/man/enc.1 +++ b/secure/usr.bin/openssl/man/enc.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "ENC 1" -.TH ENC 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH ENC 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1 index 29b48ee..c4f1e0a 100644 --- a/secure/usr.bin/openssl/man/errstr.1 +++ b/secure/usr.bin/openssl/man/errstr.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "ERRSTR 1" -.TH ERRSTR 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH ERRSTR 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1 index 70df180..642e7ad 100644 --- a/secure/usr.bin/openssl/man/gendsa.1 +++ b/secure/usr.bin/openssl/man/gendsa.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "GENDSA 1" -.TH GENDSA 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH GENDSA 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1 index 0a40a3f..fd2264e 100644 --- a/secure/usr.bin/openssl/man/genpkey.1 +++ b/secure/usr.bin/openssl/man/genpkey.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "GENPKEY 1" -.TH GENPKEY 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH GENPKEY 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -232,6 +232,14 @@ The number of bits in the prime parameter \fBp\fR. .IP "\fBdh_paramgen_generator:value\fR" 4 .IX Item "dh_paramgen_generator:value" The value to use for the generator \fBg\fR. +.IP "\fBdh_rfc5114:num\fR" 4 +.IX Item "dh_rfc5114:num" +If this option is set then the appropriate \s-1RFC5114\s0 parameters are used +instead of generating new parameters. The value \fBnum\fR can take the +values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of +1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup +and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections +2.1, 2.2 and 2.3 respectively. .SH "EC PARAMETER GENERATION OPTIONS" .IX Header "EC PARAMETER GENERATION OPTIONS" .IP "\fBec_paramgen_curve:curve\fR" 4 @@ -308,6 +316,12 @@ Generate 1024 bit \s-1DH\s0 parameters: \& \-pkeyopt dh_paramgen_prime_len:1024 .Ve .PP +Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup: +.PP +.Vb 1 +\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2 +.Ve +.PP Generate \s-1DH\s0 key from parameters: .PP .Vb 1 diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1 index babce6d..a701f16 100644 --- a/secure/usr.bin/openssl/man/genrsa.1 +++ b/secure/usr.bin/openssl/man/genrsa.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "GENRSA 1" -.TH GENRSA 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH GENRSA 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1 index 796efa4..990d4f7 100644 --- a/secure/usr.bin/openssl/man/nseq.1 +++ b/secure/usr.bin/openssl/man/nseq.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "NSEQ 1" -.TH NSEQ 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH NSEQ 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 index d45193d..f99ce3b 100644 --- a/secure/usr.bin/openssl/man/ocsp.1 +++ b/secure/usr.bin/openssl/man/ocsp.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "OCSP 1" -.TH OCSP 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH OCSP 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -489,4 +489,4 @@ second file. .Ve .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1 index b2ae545..b307e03 100644 --- a/secure/usr.bin/openssl/man/openssl.1 +++ b/secure/usr.bin/openssl/man/openssl.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "OPENSSL 1" -.TH OPENSSL 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH OPENSSL 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1 index 705a8e3..54e355a 100644 --- a/secure/usr.bin/openssl/man/passwd.1 +++ b/secure/usr.bin/openssl/man/passwd.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PASSWD 1" -.TH PASSWD 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PASSWD 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1 index ac98964..85e4b73 100644 --- a/secure/usr.bin/openssl/man/pkcs12.1 +++ b/secure/usr.bin/openssl/man/pkcs12.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PKCS12 1" -.TH PKCS12 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PKCS12 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1 index deee40d..d077174 100644 --- a/secure/usr.bin/openssl/man/pkcs7.1 +++ b/secure/usr.bin/openssl/man/pkcs7.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PKCS7 1" -.TH PKCS7 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PKCS7 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1 index 5824bd7..5e3dfab 100644 --- a/secure/usr.bin/openssl/man/pkcs8.1 +++ b/secure/usr.bin/openssl/man/pkcs8.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PKCS8 1" -.TH PKCS8 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PKCS8 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -156,6 +156,7 @@ pkcs8 \- PKCS#8 format private key conversion tool [\fB\-embed\fR] [\fB\-nsdb\fR] [\fB\-v2 alg\fR] +[\fB\-v2prf alg\fR] [\fB\-v1 alg\fR] [\fB\-engine id\fR] .SH "DESCRIPTION" @@ -238,6 +239,11 @@ private keys with OpenSSL then this doesn't matter. .Sp The \fBalg\fR argument is the encryption algorithm to use, valid values include \&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used. +.IP "\fB\-v2prf alg\fR" 4 +.IX Item "-v2prf alg" +This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value +values would be \fBhmacWithSHA256\fR. If this option isn't set then the default +for the cipher is used or \fBhmacWithSHA1\fR if there is no default. .IP "\fB\-v1 alg\fR" 4 .IX Item "-v1 alg" This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete @@ -308,6 +314,13 @@ Convert a private from traditional to PKCS#5 v2.0 format using triple \& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem .Ve .PP +Convert a private from traditional to PKCS#5 v2.0 format using \s-1AES\s0 with +256 bits in \s-1CBC\s0 mode and \fBhmacWithSHA256\fR \s-1PRF:\s0 +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA256 \-out enckey.pem +.Ve +.PP Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (\s-1DES\s0): .PP diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1 index f270aeb..77b824c 100644 --- a/secure/usr.bin/openssl/man/pkey.1 +++ b/secure/usr.bin/openssl/man/pkey.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PKEY 1" -.TH PKEY 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PKEY 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1 index 8b7d5bc..2df7904 100644 --- a/secure/usr.bin/openssl/man/pkeyparam.1 +++ b/secure/usr.bin/openssl/man/pkeyparam.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PKEYPARAM 1" -.TH PKEYPARAM 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PKEYPARAM 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1 index 058292b..64ec80e 100644 --- a/secure/usr.bin/openssl/man/pkeyutl.1 +++ b/secure/usr.bin/openssl/man/pkeyutl.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "PKEYUTL 1" -.TH PKEYUTL 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH PKEYUTL 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1 index 6161b76..a1c30f6 100644 --- a/secure/usr.bin/openssl/man/rand.1 +++ b/secure/usr.bin/openssl/man/rand.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "RAND 1" -.TH RAND 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH RAND 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1 index 38d9849..a404c1c 100644 --- a/secure/usr.bin/openssl/man/req.1 +++ b/secure/usr.bin/openssl/man/req.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "REQ 1" -.TH REQ 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH REQ 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -340,8 +340,8 @@ this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root \s-1CA.\s0 The extensions added to the certificate (if any) are specified in the configuration file. Unless specified -using the \fBset_serial\fR option \fB0\fR will be used for the serial -number. +using the \fBset_serial\fR option, a large random number will be used for +the serial number. .IP "\fB\-days n\fR" 4 .IX Item "-days n" when the \fB\-x509\fR option is being used this specifies the number of diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1 index b240fb7..339cbf8 100644 --- a/secure/usr.bin/openssl/man/rsa.1 +++ b/secure/usr.bin/openssl/man/rsa.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "RSA 1" -.TH RSA 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH RSA 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1 index 368ba02..b9cc868 100644 --- a/secure/usr.bin/openssl/man/rsautl.1 +++ b/secure/usr.bin/openssl/man/rsautl.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "RSAUTL 1" -.TH RSAUTL 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH RSAUTL 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1 index 266d567..31064e2 100644 --- a/secure/usr.bin/openssl/man/s_client.1 +++ b/secure/usr.bin/openssl/man/s_client.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "S_CLIENT 1" -.TH S_CLIENT 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH S_CLIENT 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -173,6 +173,9 @@ s_client \- SSL/TLS client program [\fB\-no_ssl2\fR] [\fB\-no_ssl3\fR] [\fB\-no_tls1\fR] +[\fB\-no_tls1_1\fR] +[\fB\-no_tls1_2\fR] +[\fB\-fallback_scsv\fR] [\fB\-bugs\fR] [\fB\-cipher cipherlist\fR] [\fB\-serverpref\fR] @@ -183,6 +186,7 @@ s_client \- SSL/TLS client program [\fB\-sess_out filename\fR] [\fB\-sess_in filename\fR] [\fB\-rand file(s)\fR] +[\fB\-serverinfo types\fR] [\fB\-status\fR] [\fB\-nextprotoneg protocols\fR] .SH "DESCRIPTION" @@ -301,16 +305,18 @@ Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite. Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is given as a hexadecimal number without leading 0x, for example \-psk 1a2b3c4d. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4 -.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1" +.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default the initial handshake uses a method which should be compatible with all servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate. .Sp -Unfortunately there are a lot of ancient and broken servers in use which +Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only -support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option. +work if \s-1TLS\s0 is turned off. +.IP "\fB\-fallback_scsv\fR" 4 +.IX Item "-fallback_scsv" +Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello. .IP "\fB\-bugs\fR" 4 .IX Item "-bugs" there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this @@ -355,6 +361,12 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). Multiple files can be specified separated by a OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "\fB\-serverinfo types\fR" 4 +.IX Item "-serverinfo types" +a list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and +65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension. +The server's response (if any) will be encoded and displayed as a \s-1PEM\s0 +file. .IP "\fB\-status\fR" 4 .IX Item "-status" sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server @@ -437,4 +449,4 @@ information whenever a session is renegotiated. \&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 index e2c2c39..0f3b3c1 100644 --- a/secure/usr.bin/openssl/man/s_server.1 +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "S_SERVER 1" -.TH S_SERVER 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH S_SERVER 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -181,7 +181,6 @@ s_server \- SSL/TLS server program [\fB\-no_ssl3\fR] [\fB\-no_tls1\fR] [\fB\-no_dhe\fR] -[\fB\-no_ecdhe\fR] [\fB\-bugs\fR] [\fB\-hack\fR] [\fB\-www\fR] @@ -192,6 +191,8 @@ s_server \- SSL/TLS server program [\fB\-no_ticket\fR] [\fB\-id_prefix arg\fR] [\fB\-rand file(s)\fR] +[\fB\-serverinfo file\fR] +[\fB\-no_resumption_on_reneg\fR] [\fB\-status\fR] [\fB\-status_verbose\fR] [\fB\-status_timeout nsec\fR] @@ -258,10 +259,6 @@ a static set of parameters hard coded into the s_server program will be used. .IX Item "-no_dhe" if this option is set then no \s-1DH\s0 parameters will be loaded effectively disabling the ephemeral \s-1DH\s0 cipher suites. -.IP "\fB\-no_ecdhe\fR" 4 -.IX Item "-no_ecdhe" -if this option is set then no \s-1ECDH\s0 parameters will be loaded effectively -disabling the ephemeral \s-1ECDH\s0 cipher suites. .IP "\fB\-no_tmp_rsa\fR" 4 .IX Item "-no_tmp_rsa" certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option @@ -390,6 +387,16 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). Multiple files can be specified separated by a OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "\fB\-serverinfo file\fR" 4 +.IX Item "-serverinfo file" +a file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block +must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length, +followed by \*(L"length\*(R" bytes of extension data). If the client sends +an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding +ServerHello extension will be returned. +.IP "\fB\-no_resumption_on_reneg\fR" 4 +.IX Item "-no_resumption_on_reneg" +set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. .IP "\fB\-status\fR" 4 .IX Item "-status" enables certificate status request support (aka \s-1OCSP\s0 stapling). @@ -476,4 +483,4 @@ unknown cipher suites a client says it supports. \&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1 index 109df0f..38a26e9 100644 --- a/secure/usr.bin/openssl/man/s_time.1 +++ b/secure/usr.bin/openssl/man/s_time.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "S_TIME 1" -.TH S_TIME 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH S_TIME 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1 index 1e25ad2..365ece1 100644 --- a/secure/usr.bin/openssl/man/sess_id.1 +++ b/secure/usr.bin/openssl/man/sess_id.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SESS_ID 1" -.TH SESS_ID 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH SESS_ID 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1 index 86c0230..3c97bbd 100644 --- a/secure/usr.bin/openssl/man/smime.1 +++ b/secure/usr.bin/openssl/man/smime.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SMIME 1" -.TH SMIME 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH SMIME 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -550,4 +550,4 @@ structures may cause parsing errors. The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first added in OpenSSL 1.0.0 .PP -The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1 index 874e4f2..5eb4866 100644 --- a/secure/usr.bin/openssl/man/speed.1 +++ b/secure/usr.bin/openssl/man/speed.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SPEED 1" -.TH SPEED 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH SPEED 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1 index f466ab5..e29183f 100644 --- a/secure/usr.bin/openssl/man/spkac.1 +++ b/secure/usr.bin/openssl/man/spkac.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "SPKAC 1" -.TH SPKAC 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH SPKAC 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1 index fcc6d22..677663d 100644 --- a/secure/usr.bin/openssl/man/ts.1 +++ b/secure/usr.bin/openssl/man/ts.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "TS 1" -.TH TS 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH TS 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1 index 597a74d..b8baff5 100644 --- a/secure/usr.bin/openssl/man/tsget.1 +++ b/secure/usr.bin/openssl/man/tsget.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "TSGET 1" -.TH TSGET 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH TSGET 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1 index dc602b4..0b8fa29 100644 --- a/secure/usr.bin/openssl/man/verify.1 +++ b/secure/usr.bin/openssl/man/verify.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "VERIFY 1" -.TH VERIFY 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH VERIFY 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -148,6 +148,10 @@ verify \- Utility to verify certificates. [\fB\-purpose purpose\fR] [\fB\-policy arg\fR] [\fB\-ignore_critical\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crlfile file\fR] +[\fB\-crl_download\fR] [\fB\-crl_check\fR] [\fB\-crl_check_all\fR] [\fB\-policy_check\fR] @@ -162,7 +166,7 @@ verify \- Utility to verify certificates. [\fB\-untrusted file\fR] [\fB\-help\fR] [\fB\-issuer_checks\fR] -[\fB\-attime timestamp\fR] +[\fB\-trusted file\fR] [\fB\-verbose\fR] [\fB\-\fR] [certificates] @@ -181,9 +185,28 @@ create symbolic links to a directory of certificates. .IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4 .IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together." .PD 0 +.IP "\fB\-attime timestamp\fR" 4 +.IX Item "-attime timestamp" +.PD +Perform validation checks using time specified by \fBtimestamp\fR and not +current system time. \fBtimestamp\fR is the number of seconds since +01.01.1970 (\s-1UNIX\s0 time). +.IP "\fB\-check_ss_sig\fR" 4 +.IX Item "-check_ss_sig" +Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default +because it doesn't add any security. +.IP "\fB\-crlfile file\fR" 4 +.IX Item "-crlfile file" +File containing one or more \s-1CRL\s0's (in \s-1PEM\s0 format) to load. +.IP "\fB\-crl_download\fR" 4 +.IX Item "-crl_download" +Attempt to download \s-1CRL\s0 information for this certificate. +.IP "\fB\-crl_check\fR" 4 +.IX Item "-crl_check" +Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 +If a valid \s-1CRL\s0 cannot be found an error occurs. .IP "\fB\-untrusted file\fR" 4 .IX Item "-untrusted file" -.PD A file of untrusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together. .IP "\fB\-purpose purpose\fR" 4 @@ -206,11 +229,6 @@ current certificate. This shows why each candidate issuer certificate was rejected. The presence of rejection messages does not itself imply that anything is wrong; during the normal verification process, several rejections may take place. -.IP "\fB\-attime timestamp\fR" 4 -.IX Item "-attime timestamp" -Perform validation checks using time specified by \fBtimestamp\fR and not -current system time. \fBtimestamp\fR is the number of seconds since -01.01.1970 (\s-1UNIX\s0 time). .IP "\fB\-policy arg\fR" 4 .IX Item "-policy arg" Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see @@ -235,6 +253,10 @@ trusted, then OpenSSL will continue to check to see if an alternative chain can be found that is trusted. With this option that behaviour is suppressed so that only the first chain found is ever used. Using this option will force the behaviour to match that of previous OpenSSL versions. +.IP "\fB\-trusted file\fR" 4 +.IX Item "-trusted file" +A file of additional trusted certificates. The file should contain multiple +certificates in \s-1PEM\s0 format concatenated together. .IP "\fB\-policy_print\fR" 4 .IX Item "-policy_print" Print out diagnostics related to policy processing. @@ -487,4 +509,4 @@ Previous versions of this documentation swapped the meaning of the \&\fIx509\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1 index 79305bb..401bde5 100644 --- a/secure/usr.bin/openssl/man/version.1 +++ b/secure/usr.bin/openssl/man/version.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "VERSION 1" -.TH VERSION 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH VERSION 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1 index 9306e41..27b8a8e 100644 --- a/secure/usr.bin/openssl/man/x509.1 +++ b/secure/usr.bin/openssl/man/x509.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "X509 1" -.TH X509 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH X509 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -186,6 +186,7 @@ x509 \- Certificate display and signing utility [\fB\-CAkey filename\fR] [\fB\-CAcreateserial\fR] [\fB\-CAserial filename\fR] +[\fB\-force_pubkey key\fR] [\fB\-text\fR] [\fB\-certopt option\fR] [\fB\-C\fR] @@ -482,6 +483,14 @@ specified then the extensions should either be contained in the unnamed \&\*(L"extensions\*(R" which contains the section to use. See the \&\fIx509v3_config\fR\|(5) manual page for details of the extension section format. +.IP "\fB\-force_pubkey key\fR" 4 +.IX Item "-force_pubkey key" +when a certificate is created set its public key to \fBkey\fR instead of the +key in the certificate or certificate request. This option is useful for +creating certificates where the algorithm can't normally sign requests, for +example \s-1DH.\s0 +.Sp +The format or \fBkey\fR can be specified using the \fB\-keyform\fR option. .SS "\s-1NAME OPTIONS\s0" .IX Subsection "NAME OPTIONS" The \fBnameopt\fR command line switch determines how the subject and issuer diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1 index 9e149f5..3eb624d 100644 --- a/secure/usr.bin/openssl/man/x509v3_config.1 +++ b/secure/usr.bin/openssl/man/x509v3_config.1 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "X509V3_CONFIG 1" -.TH X509V3_CONFIG 1 "2015-07-09" "1.0.1p" "OpenSSL" +.TH X509V3_CONFIG 1 "2015-07-09" "1.0.2d" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l |
