Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
10 个月 前同步成功

通知 8
Star 18
Fork 1
T
Third Party Openssl

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 c4de074e 编写于 作者: P Pauli 提交者: Richard Levitte
浏览文件
操作

Documentation updates 

Fix capitilistion of list items.
Wrap long lines.
Add full stops to the ends of sentances.
Change ciphersuite to cipher suite in all of doc.

[skip ci]
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3082)
上级 3cb47b4e
展开全部 隐藏空白更改
内联 并排
Showing with 760 addition and 756 deletion
doc/man1/CA.pl.pod
浏览文件 @ c4de074e
......@@ -42,28 +42,28 @@ by the use of some simple options.
=item B<?>, B<-h>, B<-help>
prints a usage message.
Prints a usage message.
=item B<-newcert>
creates a new self signed certificate. The private key is written to the file
Creates a new self signed certificate. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
This argument invokes B<openssl req> command.
=item B<-newreq>
creates a new certificate request. The private key is written to the file
Creates a new certificate request. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
Executes B<openssl req> command below the hood.
=item B<-newreq-nodes>
is like B<-newreq> except that the private key will not be encrypted.
Is like B<-newreq> except that the private key will not be encrypted.
Uses B<openssl req> command.
=item B<-newca>
creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificates (which should also contain the private key) or by hitting ENTER
details of the CA will be prompted for. The relevant files and directories
......@@ -72,7 +72,7 @@ B<openssl req> and B<openssl ca> commands are get invoked.
=item B<-pkcs12>
create a PKCS#12 file containing the user certificate, private key and CA
Create a PKCS#12 file containing the user certificate, private key and CA
certificate. It expects the user certificate and private key to be in the
file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
it creates a file "newcert.p12". This command can thus be called after the
......@@ -84,31 +84,31 @@ Delegates work to B<openssl pkcs12> command.
=item B<-sign>, B<-signcert>, B<-xsign>
calls the B<ca> program to sign a certificate request. It expects the request
Calls the B<ca> program to sign a certificate request. It expects the request
to be in the file "newreq.pem". The new certificate is written to the file
"newcert.pem" except in the case of the B<-xsign> option when it is written
to standard output. Leverages B<openssl ca> command.
=item B<-signCA>
this option is the same as the B<-signreq> option except it uses the configuration
file section B<v3_ca> and so makes the signed request a valid CA certificate. This
is useful when creating intermediate CA from a root CA.
Extra params are passed on to B<openssl ca> command.
This option is the same as the B<-signreq> option except it uses the
configuration file section B<v3_ca> and so makes the signed request a
valid CA certificate. This is useful when creating intermediate CA from
a root CA. Extra params are passed on to B<openssl ca> command.
=item B<-signcert>
this option is the same as B<-sign> except it expects a self signed certificate
This option is the same as B<-sign> except it expects a self signed certificate
to be present in the file "newreq.pem".
Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
=item B<-crl>
generate a CRL. Executes B<openssl ca> command.
Generate a CRL. Executes B<openssl ca> command.
=item B<-revoke certfile [reason]>
revoke the certificate contained in the specified B<certfile>. An optional
Revoke the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
......@@ -116,9 +116,9 @@ Leverages B<openssl ca> command.
=item B<-verify>
verifies certificates against the CA certificate for "demoCA". If no certificates
are specified on the command line it tries to verify the file "newcert.pem".
Invokes B<openssl verify> command.
Verifies certificates against the CA certificate for "demoCA". If no
certificates are specified on the command line it tries to verify the file
"newcert.pem". Invokes B<openssl verify> command.
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
......@@ -204,7 +204,7 @@ L<config(5)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/asn1parse.pod
浏览文件 @ c4de074e
......@@ -39,56 +39,56 @@ Print out a usage message.
=item B<-inform> B<DER|PEM>
the input format. B<DER> is binary format and B<PEM> (the default) is base64
The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.
=item B<-in filename>
the input file, default is standard input
The input file, default is standard input.
=item B<-out filename>
output file to place the DER encoded data into. If this
Output file to place the DER encoded data into. If this
option is not present then no data will be output. This is most useful when
combined with the B<-strparse> option.
=item B<-noout>
don't output the parsed version of the input file.
Don't output the parsed version of the input file.
=item B<-offset number>
starting offset to begin parsing, default is start of file.
Starting offset to begin parsing, default is start of file.
=item B<-length number>
number of bytes to parse, default is until end of file.
Number of bytes to parse, default is until end of file.
=item B<-i>
indents the output according to the "depth" of the structures.
Indents the output according to the "depth" of the structures.
=item B<-oid filename>
a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.
=item B<-dump>
dump unknown data in hex format.
Dump unknown data in hex format.
=item B<-dlimit num>
like B<-dump>, but only the first B<num> bytes are output.
Like B<-dump>, but only the first B<num> bytes are output.
=item B<-strparse offset>
parse the contents octets of the ASN.1 object starting at B<offset>. This
Parse the contents octets of the ASN.1 object starting at B<offset>. This
option can be used multiple times to "drill down" into a nested structure.
=item B<-genstr string>, B<-genconf file>
generate encoded data based on B<string>, B<file> or both using
Generate encoded data based on B<string>, B<file> or both using
L<ASN1_generate_nconf(3)> format. If B<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
......@@ -105,7 +105,7 @@ END marker in a PEM file.
=item B<-item name>
attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
print out the fields of any supported ASN.1 structure if the type is known.
=back
......@@ -204,7 +204,7 @@ L<ASN1_generate_nconf(3)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/ca.pod
浏览文件 @ c4de074e
......@@ -72,73 +72,73 @@ Print out a usage message.
=item B<-verbose>
this prints extra details about the operations being performed.
This prints extra details about the operations being performed.
=item B<-config filename>
specifies the configuration file to use.
Specifies the configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
=item B<-name section>
specifies the configuration file section to use (overrides
Specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
=item B<-in filename>
an input filename containing a single certificate request to be
An input filename containing a single certificate request to be
signed by the CA.
=item B<-ss_cert filename>
a single self-signed certificate to be signed by the CA.
A single self-signed certificate to be signed by the CA.
=item B<-spkac filename>
a file containing a single Netscape signed public key and challenge
A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required input and output format.
=item B<-infiles>
if present this should be the last option, all subsequent arguments
If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
=item B<-out filename>
the output file to output certificates to. The default is standard
The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).
=item B<-outdir directory>
the directory to output certificates to. The certificate will be
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
".pem" appended.
=item B<-cert>
the CA certificate file.
The CA certificate file.
=item B<-keyfile filename>
the private key to sign requests with.
The private key to sign requests with.
=item B<-keyform PEM|DER>
the format of the data in the private key file.
The format of the data in the private key file.
The default is PEM.
=item B<-key password>
the password used to encrypt the private key. Since on some
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
=item B<-selfsign>
indicates the issued certificates are to be signed with the key
Indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with B<-keyfile>).
Certificate requests signed with a different key are ignored. If
B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
......@@ -152,43 +152,43 @@ self-signed certificate.
=item B<-passin arg>
the key password source. For more information about the format of B<arg>
The key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-notext>
don't output the text form of a certificate to the output file.
Don't output the text form of a certificate to the output file.
=item B<-startdate date>
this allows the start date to be explicitly set. The format of the
This allows the start date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
=item B<-enddate date>
this allows the expiry date to be explicitly set. The format of the
This allows the expiry date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
=item B<-days arg>
the number of days to certify the certificate for.
The number of days to certify the certificate for.
=item B<-md alg>
the message digest to use.
The message digest to use.
Any digest supported by the OpenSSL B<dgst> command can be used.
This option also applies to CRLs.
=item B<-policy arg>
this option defines the CA "policy" to use. This is a section in
This option defines the CA "policy" to use. This is a section in
the configuration file which decides which fields should be mandatory
or match the CA certificate. Check out the B<POLICY FORMAT> section
for more information.
=item B<-msie_hack>
this is a legacy option to make B<ca> work with very old versions of
This is a legacy option to make B<ca> work with very old versions of
the IE certificate enrollment control "certenr3". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged. The newer control "Xenroll" does not
......@@ -213,12 +213,12 @@ used in the configuration file to enable this behaviour.
=item B<-batch>
this sets the batch mode. In this mode no questions will be asked
This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
=item B<-extensions section>
the section of the configuration file containing certificate extensions
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
......@@ -228,33 +228,33 @@ extension section format.
=item B<-extfile file>
an additional configuration file to read certificate extensions from
An additional configuration file to read certificate extensions from
(using the default section unless the B<-extensions> option is also
used).
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<ca>
Specifying an engine (by its unique B<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-subj arg>
supersedes subject name given in the request.
Supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-utf8>
this option causes field values to be interpreted as UTF8 strings, by
This option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-create_serial>
if reading serial from the text file as specified in the configuration
If reading serial from the text file as specified in the configuration
fails, specifying this option creates a new random serial to be used as next
serial number.
......@@ -275,28 +275,28 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
=item B<-gencrl>
this option generates a CRL based on information in the index file.
This option generates a CRL based on information in the index file.
=item B<-crldays num>
the number of days before the next CRL is due. That is the days from
The number of days before the next CRL is due. That is the days from
now to place in the CRL nextUpdate field.
=item B<-crlhours num>
the number of hours before the next CRL is due.
The number of hours before the next CRL is due.
=item B<-revoke filename>
a filename containing a certificate to revoke.
A filename containing a certificate to revoke.
=item B<-valid filename>
a filename containing a certificate to add a Valid certificate entry.
A filename containing a certificate to add a Valid certificate entry.
=item B<-status serial>
displays the revocation status of the certificate with the specified
Displays the revocation status of the certificate with the specified
serial number and exits.
=item B<-updatedb>
......@@ -305,7 +305,7 @@ Updates the database index to purge expired certificates.
=item B<-crl_reason reason>
revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
......@@ -332,7 +332,7 @@ B<CACompromise>.
=item B<-crlexts section>
the section of the configuration file containing CRL extensions to
The section of the configuration file containing CRL extensions to
include. If no CRL extension section is present then a V1 CRL is
created, if the CRL extension section is present (even if it is
empty) then a V2 CRL is created. The CRL extensions specified are
......@@ -383,58 +383,58 @@ and long names are the same when this option is used.
=item B<new_certs_dir>
the same as the B<-outdir> command line option. It specifies
The same as the B<-outdir> command line option. It specifies
the directory where new certificates will be placed. Mandatory.
=item B<certificate>
the same as B<-cert>. It gives the file containing the CA
The same as B<-cert>. It gives the file containing the CA
certificate. Mandatory.
=item B<private_key>
same as the B<-keyfile> option. The file containing the
Same as the B<-keyfile> option. The file containing the
CA private key. Mandatory.
=item B<RANDFILE>
a file used to read and write random number seed information, or
A file used to read and write random number seed information, or
an EGD socket (see L<RAND_egd(3)>).
=item B<default_days>
the same as the B<-days> option. The number of days to certify
The same as the B<-days> option. The number of days to certify
a certificate for.
=item B<default_startdate>
the same as the B<-startdate> option. The start date to certify
The same as the B<-startdate> option. The start date to certify
a certificate for. If not set the current time is used.
=item B<default_enddate>
the same as the B<-enddate> option. Either this option or
The same as the B<-enddate> option. Either this option or
B<default_days> (or the command line equivalents) must be
present.
=item B<default_crl_hours default_crl_days>
the same as the B<-crlhours> and the B<-crldays> options. These
The same as the B<-crlhours> and the B<-crldays> options. These
will only be used if neither command line option is present. At
least one of these must be present to generate a CRL.
=item B<default_md>
the same as the B<-md> option. Mandatory.
The same as the B<-md> option. Mandatory.
=item B<database>
the text database file to use. Mandatory. This file must be present
The text database file to use. Mandatory. This file must be present
though initially it will be empty.
=item B<unique_subject>
if the value B<yes> is given, the valid certificate entries in the
If the value B<yes> is given, the valid certificate entries in the
database must have unique subjects. if the value B<no> is given,
several valid certificate entries may have the exact same subject.
The default value is B<yes>, to be compatible with older (pre 0.9.8)
......@@ -444,45 +444,45 @@ the B<-selfsign> command line option.
=item B<serial>
a text file containing the next serial number to use in hex. Mandatory.
A text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
=item B<crlnumber>
a text file containing the next CRL number to use in hex. The crl number
A text file containing the next CRL number to use in hex. The crl number
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid CRL number.
=item B<x509_extensions>
the same as B<-extensions>.
The same as B<-extensions>.
=item B<crl_extensions>
the same as B<-crlexts>.
The same as B<-crlexts>.
=item B<preserve>
the same as B<-preserveDN>
The same as B<-preserveDN>
=item B<email_in_dn>
the same as B<-noemailDN>. If you want the EMAIL field to be removed
The same as B<-noemailDN>. If you want the EMAIL field to be removed
from the DN of the certificate simply set this to 'no'. If not present
the default is to allow for the EMAIL filed in the certificate's DN.
=item B<msie_hack>
the same as B<-msie_hack>
The same as B<-msie_hack>
=item B<policy>
the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
for more information.
=item B<name_opt>, B<cert_opt>
these options allow the format used to display the certificate details
These options allow the format used to display the certificate details
when asking the user to confirm signing. All the options supported by
the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
here, except the B<no_signame> and B<no_sigdump> are permanently set
......@@ -499,7 +499,7 @@ multicharacter string types and does not display extensions.
=item B<copy_extensions>
determines how extensions in certificate requests should be handled.
Determines how extensions in certificate requests should be handled.
If set to B<none> or this option is not present then extensions are
ignored and not copied to the certificate. If set to B<copy> then any
extensions present in the request that are not already present are copied
......@@ -709,7 +709,7 @@ L<config(5)>, L<x509v3_config(5)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/ciphers.pod
浏览文件 @ c4de074e
......@@ -63,7 +63,7 @@ When combined with B<-s> includes cipher suites which require SRP.
=item B<-v>
Verbose output: For each ciphersuite, list details as provided by
Verbose output: For each cipher suite, list details as provided by
L<SSL_CIPHER_description(3)>.
=item B<-V>
......@@ -97,12 +97,12 @@ TLSv1.1 were negotiated.
=item B<-stdname>
precede each ciphersuite by its standard name: only available is OpenSSL
Precede each cipher suite by its standard name: only available is OpenSSL
is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
=item B<cipherlist>
a cipher list to convert to a cipher preference list. If it is not included
A cipher list to convert to a cipher preference list. If it is not included
then the default cipher list will be used. The format is described below.
=back
......@@ -168,7 +168,7 @@ When used, this must be the first cipherstring specified.
The ciphers included in B<ALL>, but not enabled by default. Currently
this includes all RC4 and anonymous ciphers. Note that this rule does
not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
necessary). Note that RC4 based cipher suites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
=item B<ALL>
......@@ -183,19 +183,19 @@ The cipher suites not enabled by B<ALL>, currently B<eNULL>.
=item B<HIGH>
"high" encryption cipher suites. This currently means those with key lengths
"High" encryption cipher suites. This currently means those with key lengths
larger than 128 bits, and some cipher suites with 128-bit keys.
=item B<MEDIUM>
"medium" encryption cipher suites, currently some of those using 128 bit
"Medium" encryption cipher suites, currently some of those using 128 bit
encryption.
=item B<LOW>
"low" encryption cipher suites, currently those using 64 or 56 bit
"Low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
ciphersuites have been removed as of OpenSSL 1.1.0.
cipher suites have been removed as of OpenSSL 1.1.0.
=item B<eNULL>, B<NULL>
......@@ -272,11 +272,11 @@ keys.
=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or
Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or
SSL v3.0 respectively.
Note: there are no ciphersuites specific to TLS v1.1.
Note: there are no cipher suites specific to TLS v1.1.
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
then both TLSv1.0 and SSLv3.0 ciphersuites are available.
then both TLSv1.0 and SSLv3.0 cipher suites are available.
Note: these cipher strings B<do not> change the negotiated version of SSL or
TLS, they only affect the list of available cipher suites.
......@@ -287,33 +287,33 @@ cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
=item B<AESGCM>
AES in Galois Counter Mode (GCM): these ciphersuites are only supported
AES in Galois Counter Mode (GCM): these cipher suites are only supported
in TLS v1.2.
=item B<AESCCM>, B<AESCCM8>
AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
ciphersuites are only supported in TLS v1.2. B<AESCCM> references CCM
cipher suites are only supported in TLS v1.2. B<AESCCM> references CCM
cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
while B<AESCCM8> only references 8 octet ICV.
=item B<ARIA128>, B<ARIA256>, B<ARIA>
cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
ARIA.
=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
CAMELLIA.
=item B<CHACHA20>
cipher suites using ChaCha20.
Cipher suites using ChaCha20.
=item B<3DES>
cipher suites using triple DES.
Cipher suites using triple DES.
=item B<DES>
......@@ -346,7 +346,7 @@ Cipher suites using SHA1.
=item B<SHA256>, B<SHA384>
Ciphersuites using SHA256 or SHA384.
Cipher suites using SHA256 or SHA384.
=item B<aGOST>
......@@ -393,7 +393,7 @@ Setting Suite B mode has additional consequences required to comply with
RFC6460.
In particular the supported signature algorithms is reduced to support only
ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be
used and only the two suite B compliant ciphersuites
used and only the two suite B compliant cipher suites
(ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are
permissible.
......@@ -444,7 +444,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
=head2 AES ciphersuites from RFC3268, extending TLS v1.0
=head2 AES cipher suites from RFC3268, extending TLS v1.0
TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
......@@ -462,7 +462,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA
=head2 Camellia ciphersuites from RFC4132, extending TLS v1.0
=head2 Camellia cipher suites from RFC4132, extending TLS v1.0
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA
......@@ -480,7 +480,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA
=head2 SEED ciphersuites from RFC4162, extending TLS v1.0
=head2 SEED cipher suites from RFC4162, extending TLS v1.0
TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA
......@@ -492,7 +492,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA
=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0
Note: these ciphers require an engine which including GOST cryptographic
algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
......@@ -585,7 +585,7 @@ Note: these ciphers can also be used in SSL v3.
ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE-ECDSA-AES128-CCM8
ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE-ECDSA-AES256-CCM8
=head2 ARIA ciphersuites from RFC6209, extending TLS v1.2
=head2 ARIA cipher suites from RFC6209, extending TLS v1.2
TLS_RSA_WITH_ARIA_128_CBC_SHA256 ARIA128-CBC-SHA256
TLS_RSA_WITH_ARIA_256_CBC_SHA384 ARIA256-CBC-SHA384
......@@ -600,14 +600,14 @@ Note: these ciphers can also be used in SSL v3.
TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE-RSA-ARIA128-CBC-SHA256
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE-RSA-ARIA256-CBC-SHA384
=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
=head2 Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-RSA-CAMELLIA128-SHA256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-RSA-CAMELLIA256-SHA384
=head2 Pre-shared keying (PSK) ciphersuites
=head2 Pre-shared keying (PSK) cipher suites
PSK_WITH_NULL_SHA PSK-NULL-SHA
DHE_PSK_WITH_NULL_SHA DHE-PSK-NULL-SHA
......
doc/man1/cms.pod
浏览文件 @ c4de074e
......@@ -118,7 +118,7 @@ Print out a usage message.
=item B<-encrypt>
encrypt mail for the given recipient certificates. Input file is the message
Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in MIME format. The
actual CMS type is <B>EnvelopedData<B>.
......@@ -127,33 +127,33 @@ key has been compromised, others may be able to decrypt the text.
=item B<-decrypt>
decrypt mail using the supplied certificate and private key. Expects an
Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-debug_decrypt>
this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
with caution: see the notes section below.
=item B<-sign>
sign mail using the supplied certificate and private key. Input file is
Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
verify signed mail. Expects a signed mail message on input and outputs
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
=item B<-cmsout>
takes an input message and writes out a PEM encoded CMS structure.
Takes an input message and writes out a PEM encoded CMS structure.
=item B<-resign>
resign a message: take an existing message and one or more new signers.
Resign a message: take an existing message and one or more new signers.
=item B<-data_create>
......@@ -201,12 +201,12 @@ to the B<-verify> operation.
=item B<-in filename>
the input message to be encrypted or signed or the message to be decrypted
The input message to be encrypted or signed or the message to be decrypted
or verified.
=item B<-inform SMIME|PEM|DER>
this specifies the input format for the CMS structure. The default
This specifies the input format for the CMS structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format CMS structures
instead. This currently only affects the input format of the CMS
......@@ -215,17 +215,17 @@ B<-encrypt> or B<-sign>) this option has no effect.
=item B<-rctform SMIME|PEM|DER>
specify the format for a signed receipt for use with the B<-receipt_verify>
Specify the format for a signed receipt for use with the B<-receipt_verify>
operation.
=item B<-out filename>
the message text that has been decrypted or verified or the output MIME
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
this specifies the output format for the CMS structure. The default
This specifies the output format for the CMS structure. The default
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format CMS structures
instead. This currently only affects the output format of the CMS
......@@ -234,7 +234,7 @@ B<-verify> or B<-decrypt>) this option has no effect.
=item B<-stream -indef -noindef>
the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
......@@ -243,7 +243,7 @@ other operations.
=item B<-noindef>
disable streaming I/O where it would produce and indefinite length constructed
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
......@@ -257,29 +257,29 @@ is S/MIME and it uses the multipart/signed MIME content type.
=item B<-text>
this option adds plain text (text/plain) MIME headers to the supplied
This option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-noout>
for the B<-cmsout> operation do not output the parsed CMS structure. This
For the B<-cmsout> operation do not output the parsed CMS structure. This
is useful when combined with the B<-print> option or if the syntax of the CMS
structure is being checked.
=item B<-print>
for the B<-cmsout> operation print out all fields of the CMS structure. This
For the B<-cmsout> operation print out all fields of the CMS structure. This
is mainly useful for testing purposes.
=item B<-CAfile file>
a file containing trusted CA certificates, only used with B<-verify>.
A file containing trusted CA certificates, only used with B<-verify>.
=item B<-CApath dir>
a directory containing trusted CA certificates, only used with
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
......@@ -294,12 +294,12 @@ Do not load the trusted CA certificates from the default directory location
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-[cipher]>
the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
......@@ -310,48 +310,48 @@ B<-EncryptedData_create> commands.
=item B<-nointern>
when verifying a message normally certificates (if any) included in
When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-no_signer_cert_verify>
do not verify the signers certificate of a signed message.
Do not verify the signers certificate of a signed message.
=item B<-nocerts>
when signing a message the signer's certificate is normally included
When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
normally when a message is signed a set of attributes are included which
Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-nosmimecap>
exclude the list of supported algorithms from signed attributes, other options
Exclude the list of supported algorithms from signed attributes, other options
such as signing time and content type are still included.
=item B<-binary>
normally the input message is converted to "canonical" format which is
Normally the input message is converted to "canonical" format which is
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
normally the output file uses a single B<LF> as end of line. When this
Normally the output file uses a single B<LF> as end of line. When this
option is present B<CRLF> is used instead.
=item B<-asciicrlf>
when signing use ASCII CRLF format canonicalisation. This strips trailing
When signing use ASCII CRLF format canonicalisation. This strips trailing
whitespace from all lines, deletes trailing blank lines at EOF and sets
the encapsulated content type. This option is normally used with detached
content and an output signature format of DER. This option is not normally
......@@ -360,31 +360,31 @@ content format is detected.
=item B<-nodetach>
when signing a message use opaque signing: this form is more resistant
When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
allows additional certificates to be specified. When signing these will
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-certsout file>
any certificates contained in the message are written to B<file>.
Any certificates contained in the message are written to B<file>.
=item B<-signer file>
a signing certificate when signing or resigning a message, this option can be
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
when decrypting a message this specifies the recipients certificate. The
When decrypting a message this specifies the recipients certificate. The
certificate must match one of the recipients of the message or an error
occurs.
......@@ -394,19 +394,19 @@ required (for example to specify RSA-OAEP).
=item B<-keyid>
use subject key identifier to identify certificates instead of issuer name and
Use subject key identifier to identify certificates instead of issuer name and
serial number. The supplied certificate B<must> include a subject key
identifier extension. Supported by B<-sign> and B<-encrypt> options.
=item B<-receipt_request_all -receipt_request_first>
for B<-sign> option include a signed receipt request. Indicate requests should
For B<-sign> option include a signed receipt request. Indicate requests should
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it B<-receipt_request_from> is included.
=item B<-receipt_request_from emailaddress>
for B<-sign> option include a signed receipt request. Add an explicit email
For B<-sign> option include a signed receipt request. Add an explicit email
address where receipts should be supplied.
=item B<-receipt_request_to emailaddress>
......@@ -421,7 +421,7 @@ requests.
=item B<-secretkey key>
specify symmetric key to use. The key must be supplied in hex format and be
Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
......@@ -429,7 +429,7 @@ content encryption key using an AES key in the B<KEKRecipientInfo> type.
=item B<-secretkeyid id>
the key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
......@@ -437,13 +437,13 @@ B<KEKRecipientInfo> structures.
=item B<-econtent_type type>
set the encapsulated content type to B<type> if not supplied the B<Data> type
Set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey file>
the private key to use when signing or decrypting. This must match the
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
......@@ -451,19 +451,19 @@ multiple times to specify successive keys.
=item B<-keyopt name:opt>
for signing and encryption this option can be used multiple times to
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -471,12 +471,12 @@ all others.
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
One or more certificates of message recipients: used when encrypting
a message.
=item B<-to, -from, -subject>
the relevant mail headers. These are included outside the signed
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
......@@ -548,28 +548,28 @@ with caution. For a fuller description see L<CMS_decrypt(3)>).
=item Z<>0
the operation was completely successfully.
The operation was completely successfully.
=item Z<>1
an error occurred parsing the command options.
An error occurred parsing the command options.
=item Z<>2
one of the input files could not be read.
One of the input files could not be read.
=item Z<>3
an error occurred creating the CMS file or when reading the MIME
An error occurred creating the CMS file or when reading the MIME
message.
=item Z<>4
an error occurred decrypting or verifying the message.
An error occurred decrypting or verifying the message.
=item Z<>5
the message was verified correctly but an error occurred writing out
The message was verified correctly but an error occurred writing out
the signers certificates.
=back
......@@ -727,7 +727,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2008-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/crl.pod
浏览文件 @ c4de074e
......@@ -52,52 +52,52 @@ option is not specified.
=item B<-out filename>
specifies the output filename to write to or standard output by
Specifies the output filename to write to or standard output by
default.
=item B<-text>
print out the CRL in text form.
Print out the CRL in text form.
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. See
Option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)>.
=item B<-noout>
don't output the encoded version of the CRL.
Don't output the encoded version of the CRL.
=item B<-hash>
output a hash of the issuer name. This can be use to lookup CRLs in
Output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
=item B<-hash_old>
outputs the "hash" of the CRL issuer name using the older algorithm
Outputs the "hash" of the CRL issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-issuer>
output the issuer name.
Output the issuer name.
=item B<-lastupdate>
output the lastUpdate field.
Output the lastUpdate field.
=item B<-nextupdate>
output the nextUpdate field.
Output the nextUpdate field.
=item B<-CAfile file>
verify the signature on a CRL by looking up the issuing certificate in
B<file>
Verify the signature on a CRL by looking up the issuing certificate in
B<file>.
=item B<-CApath dir>
verify the signature on a CRL by looking up the issuing certificate in
Verify the signature on a CRL by looking up the issuing certificate in
B<dir>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
......@@ -132,7 +132,7 @@ L<crl2pkcs7(1)>, L<ca(1)>, L<x509(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/crl2pkcs7.pod
浏览文件 @ c4de074e
......@@ -48,19 +48,19 @@ option is not specified.
=item B<-out filename>
specifies the output filename to write the PKCS#7 structure to or standard
Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
=item B<-certfile filename>
specifies a filename containing one or more certificates in B<PEM> format.
Specifies a filename containing one or more certificates in B<PEM> format.
All certificates in the file will be added to the PKCS#7 structure. This
option can be used more than once to read certificates form multiple
files.
=item B<-nocrl>
normally a CRL is included in the output file. With this option no CRL is
Normally a CRL is included in the output file. With this option no CRL is
included in the output file and a CRL is not read from the input file.
=back
......@@ -95,7 +95,7 @@ L<pkcs7(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/dgst.pod
浏览文件 @ c4de074e
......@@ -59,34 +59,34 @@ supported digests, use the command I<list --digest-commands>.
=item B<-c>
print out the digest in two digit groups separated by colons, only relevant if
Print out the digest in two digit groups separated by colons, only relevant if
B<hex> format output is used.
=item B<-d>
print out BIO debugging information.
Print out BIO debugging information.
=item B<-hex>
digest is to be output as a hex dump. This is the default case for a "normal"
Digest is to be output as a hex dump. This is the default case for a "normal"
digest as opposed to a digital signature. See NOTES below for digital
signatures using B<-hex>.
=item B<-binary>
output the digest or signature in binary form.
Output the digest or signature in binary form.
=item B<-r>
output the digest in the "coreutils" format used by programs like B<sha1sum>.
Output the digest in the "coreutils" format used by programs like B<sha1sum>.
=item B<-out filename>
filename to output to, or standard output by default.
Filename to output to, or standard output by default.
=item B<-sign filename>
digitally sign the digest using the private key in "filename".
Digitally sign the digest using the private key in "filename".
=item B<-keyform arg>
......@@ -98,32 +98,31 @@ and ENGINE formats are supported.
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-verify filename>
verify the signature using the public key in "filename".
Verify the signature using the public key in "filename".
The output is either "Verification OK" or "Verification Failure".
=item B<-prverify filename>
verify the signature using the private key in "filename".
Verify the signature using the private key in "filename".
=item B<-signature filename>
the actual signature to verify.
The actual signature to verify.
=item B<-hmac key>
create a hashed MAC using "key".
Create a hashed MAC using "key".
=item B<-mac alg>
create MAC (keyed Message Authentication Code). The most popular MAC
Create MAC (keyed Message Authentication Code). The most popular MAC
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
which are not based on hash, for instance B<gost-mac> algorithm,
supported by B<ccgost> engine. MAC keys and other options should be set
......@@ -152,7 +151,7 @@ for example exactly 32 chars for gost-mac.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -160,8 +159,7 @@ all others.
=item B<-fips-fingerprint>
compute HMAC using a specific key
for certain OpenSSL-FIPS operations.
Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
=item B<-engine id>
......@@ -177,7 +175,7 @@ engine B<id> for digest operations.
=item B<file...>
file or files to digest. If no files are specified then standard input is
File or files to digest. If no files are specified then standard input is
used.
=back
......@@ -230,7 +228,7 @@ The FIPS-related options were removed in OpenSSL 1.1.0
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/dhparam.pod
浏览文件 @ c4de074e
......@@ -84,7 +84,7 @@ default generator 2.
=item B<-rand> I<file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -92,7 +92,7 @@ all others.
=item I<numbits>
this option specifies that a parameter set should be generated of size
This option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (B<-2> or B<-5>) is
......@@ -100,20 +100,20 @@ present, parameters are generated with a default length of 2048 bits.
=item B<-noout>
this option inhibits the output of the encoded version of the parameters.
This option inhibits the output of the encoded version of the parameters.
=item B<-text>
this option prints out the DH parameters in human readable form.
This option prints out the DH parameters in human readable form.
=item B<-C>
this option converts the parameters into C code. The parameters can then
This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<dhparam>
Specifying an engine (by its unique B<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -149,7 +149,7 @@ L<dsaparam(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/dsa.pod
浏览文件 @ c4de074e
......@@ -73,7 +73,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
......@@ -85,7 +85,7 @@ filename.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
......@@ -100,30 +100,30 @@ These options can only be used with PEM format output files.
=item B<-text>
prints out the public, private key components and parameters.
Prints out the public, private key components and parameters.
=item B<-noout>
this option prevents output of the encoded version of the key.
This option prevents output of the encoded version of the key.
=item B<-modulus>
this option prints out the value of the public key component of the key.
This option prints out the value of the public key component of the key.
=item B<-pubin>
by default a private key is read from the input file: with this option a
By default, a private key is read from the input file. With this option a
public key is read instead.
=item B<-pubout>
by default a private key is output. With this option a public
By default, a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<dsa>
Specifying an engine (by its unique B<id> string) will cause B<dsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......
doc/man1/dsaparam.pod
浏览文件 @ c4de074e
......@@ -58,25 +58,25 @@ as the input filename.
=item B<-noout>
this option inhibits the output of the encoded version of the parameters.
This option inhibits the output of the encoded version of the parameters.
=item B<-text>
this option prints out the DSA parameters in human readable form.
This option prints out the DSA parameters in human readable form.
=item B<-C>
this option converts the parameters into C code. The parameters can then
This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dsaXXX() function.
=item B<-genkey>
this option will generate a DSA either using the specified or generated
This option will generate a DSA either using the specified or generated
parameters.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -84,13 +84,13 @@ all others.
=item B<numbits>
this option specifies that a parameter set should be generated of size
This option specifies that a parameter set should be generated of size
B<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<dsaparam>
Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -114,7 +114,7 @@ L<rsa(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/ec.pod
浏览文件 @ c4de074e
......@@ -66,7 +66,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
......@@ -78,7 +78,7 @@ filename.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-des|-des3|-idea>
......@@ -94,24 +94,24 @@ These options can only be used with PEM format output files.
=item B<-text>
prints out the public, private key components and parameters.
Prints out the public, private key components and parameters.
=item B<-noout>
this option prevents output of the encoded version of the key.
This option prevents output of the encoded version of the key.
=item B<-modulus>
this option prints out the value of the public key component of the key.
This option prints out the value of the public key component of the key.
=item B<-pubin>
by default a private key is read from the input file: with this option a
By default, a private key is read from the input file. With this option a
public key is read instead.
=item B<-pubout>
by default a private key is output. With this option a public
By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
......@@ -141,11 +141,11 @@ This option omits the public key components from the private key output.
=item B<-check>
this option checks the consistency of an EC private or public key.
This option checks the consistency of an EC private or public key.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<ec>
Specifying an engine (by its unique B<id> string) will cause B<ec>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -196,7 +196,7 @@ L<ecparam(1)>, L<dsa(1)>, L<rsa(1)>
=head1 COPYRIGHT
Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/ecparam.pod
浏览文件 @ c4de074e
......@@ -118,7 +118,7 @@ This option will generate an EC private key using the specified parameters.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -126,7 +126,7 @@ all others.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<ecparam>
Specifying an engine (by its unique B<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -175,7 +175,7 @@ L<ec(1)>, L<dsaparam(1)>
=head1 COPYRIGHT
Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/gendsa.pod
浏览文件 @ c4de074e
......@@ -51,7 +51,7 @@ If none of these options is specified no encryption is used.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -59,7 +59,7 @@ all others.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<gendsa>
Specifying an engine (by its unique B<id> string) will cause B<gendsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......
doc/man1/genpkey.pod
浏览文件 @ c4de074e
......@@ -42,7 +42,7 @@ This specifies the output format DER or PEM.
=item B<-pass arg>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-cipher>
......@@ -52,7 +52,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<genpkey>
Specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
......@@ -60,19 +60,19 @@ options.
=item B<-algorithm alg>
public key algorithm to use such as RSA, DSA or DH. If used this option must
Public key algorithm to use such as RSA, DSA or DH. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.
=item B<-pkeyopt opt:value>
set the public key algorithm option B<opt> to B<value>. The precise set of
Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details.
=item B<-genparam>
generate a set of parameters instead of a private key. If used this option must
Generate a set of parameters instead of a private key. If used this option must
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
=item B<-paramfile filename>
......@@ -179,11 +179,11 @@ key from a named curve without the need to use an explicit parameter file.
=item B<ec_paramgen_curve:curve>
the EC curve to use. OpenSSL supports NIST curve names such as "P-256".
The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
=item B<ec_param_enc:encoding>
the encoding to use for parameters. The "encoding" parameter must be either
The encoding to use for parameters. The "encoding" parameter must be either
"named_curve" or "explicit".
=back
......@@ -292,7 +292,7 @@ were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/genrsa.pod
浏览文件 @ c4de074e
......@@ -47,8 +47,8 @@ standard output is used.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
The output file password source. For more information about the format
of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
......@@ -59,11 +59,11 @@ for if it is not supplied via the B<-passout> argument.
=item B<-F4|-3>
the public exponent to use, either 65537 or 3. The default is 65537.
The public exponent to use, either 65537 or 3. The default is 65537.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -71,14 +71,14 @@ all others.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<genrsa>
Specifying an engine (by its unique B<id> string) will cause B<genrsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<numbits>
the size of the private key to generate in bits. This must be the last option
The size of the private key to generate in bits. This must be the last option
specified. The default is 2048.
=back
......
doc/man1/ocsp.pod
浏览文件 @ c4de074e
......@@ -153,25 +153,25 @@ a nonce is automatically added specifying B<no_nonce> overrides this.
=item B<-req_text>, B<-resp_text>, B<-text>
print out the text form of the OCSP request, response or both respectively.
Print out the text form of the OCSP request, response or both respectively.
=item B<-reqout file>, B<-respout file>
write out the DER encoded certificate request or response to B<file>.
Write out the DER encoded certificate request or response to B<file>.
=item B<-reqin file>, B<-respin file>
read OCSP request or response file from B<file>. These option are ignored
Read OCSP request or response file from B<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
with B<serial>, B<cert> and B<host> options).
=item B<-url responder_url>
specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
=item B<-host hostname:port>, B<-path pathname>
if the B<host> option is present then the OCSP request is sent to the host
If the B<host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
......@@ -184,11 +184,11 @@ This may be repeated.
=item B<-timeout seconds>
connection timeout to the OCSP responder in seconds
Connection timeout to the OCSP responder in seconds
=item B<-CAfile file>, B<-CApath pathname>
file or pathname containing trusted CA certificates. These are used to verify
File or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
=item B<-no-CAfile>
......@@ -212,65 +212,66 @@ See L<verify(1)> manual page for details.
=item B<-verify_other file>
file containing additional certificates to search when attempting to locate
File containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
=item B<-trust_other>
the certificates specified by the B<-verify_other> option should be explicitly
The certificates specified by the B<-verify_other> option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
=item B<-VAfile file>
file containing explicitly trusted responder certificates. Equivalent to the
File containing explicitly trusted responder certificates. Equivalent to the
B<-verify_other> and B<-trust_other> options.
=item B<-noverify>
don't attempt to verify the OCSP response signature or the nonce values. This
option will normally only be used for debugging since it disables all verification
of the responders certificate.
Don't attempt to verify the OCSP response signature or the nonce
values. This option will normally only be used for debugging since it
disables all verification of the responders certificate.
=item B<-no_intern>
ignore certificates contained in the OCSP response when searching for the
Ignore certificates contained in the OCSP response when searching for the
signers certificate. With this option the signers certificate must be specified
with either the B<-verify_other> or B<-VAfile> options.
=item B<-no_signature_verify>
don't check the signature on the OCSP response. Since this option tolerates invalid
signatures on OCSP responses it will normally only be used for testing purposes.
Don't check the signature on the OCSP response. Since this option
tolerates invalid signatures on OCSP responses it will normally only be
used for testing purposes.
=item B<-no_cert_verify>
don't verify the OCSP response signers certificate at all. Since this option allows
the OCSP response to be signed by any certificate it should only be used for
testing purposes.
Don't verify the OCSP response signers certificate at all. Since this
option allows the OCSP response to be signed by any certificate it should
only be used for testing purposes.
=item B<-no_chain>
do not use certificates in the response as additional untrusted CA
Do not use certificates in the response as additional untrusted CA
certificates.
=item B<-no_explicit>
do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
Don't perform any additional checks on the OCSP response signers certificate.
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
=item B<-validity_period nsec>, B<-status_age age>
these options specify the range of times, in seconds, which will be tolerated
These options specify the range of times, in seconds, which will be tolerated
in an OCSP response. Each certificate status response includes a B<notBefore>
time and an optional B<notAfter> time. The current time should fall between
these two values, but the interval between the two times may be only a few
......@@ -286,7 +287,7 @@ By default this additional check is not performed.
=item B<-[digest]>
this option sets digest algorithm to use for certificate identification in the
This option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-1. This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
......@@ -299,16 +300,17 @@ digest used by subsequent certificate identifiers.
=item B<-index indexfile>
B<indexfile> is a text index file in B<ca> format containing certificate revocation
information.
The B<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.
If the B<index> option is specified the B<ocsp> utility is in responder mode, otherwise
it is in client mode. The request(s) the responder processes can be either specified on
the command line (using B<issuer> and B<serial> options), supplied in a file (using the
B<reqin> option) or via external OCSP clients (if B<port> or B<url> is specified).
If the B<index> option is specified the B<ocsp> utility is in responder
mode, otherwise it is in client mode. The request(s) the responder
processes can be either specified on the command line (using B<issuer>
and B<serial> options), supplied in a file (using the B<reqin> option)
or via external OCSP clients (if B<port> or B<url> is specified).
If the B<index> option is present then the B<CA> and B<rsigner> options must also be
present.
If the B<index> option is present then the B<CA> and B<rsigner> options
must also be present.
=item B<-CA file>
......@@ -328,17 +330,18 @@ Don't include any certificates in the OCSP response.
=item B<-resp_key_id>
Identify the signer certificate using the key ID, default is to use the subject name.
Identify the signer certificate using the key ID, default is to use the
subject name.
=item B<-rkey file>
The private key to sign OCSP responses with: if not present the file specified in the
B<rsigner> option is used.
The private key to sign OCSP responses with: if not present the file
specified in the B<rsigner> option is used.
=item B<-port portnum>
Port to listen for OCSP requests on. The port may also be specified using the B<url>
option.
Port to listen for OCSP requests on. The port may also be specified
using the B<url> option.
=item B<-nrequest number>
......@@ -346,9 +349,10 @@ The OCSP server will exit after receiving B<number> requests, default unlimited.
=item B<-nmin minutes>, B<-ndays days>
Number of minutes or days when fresh revocation information is available: used in the
B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
is omitted meaning fresh revocation information is immediately available.
Number of minutes or days when fresh revocation information is available:
used in the B<nextUpdate> field. If neither option is present then the
B<nextUpdate> field is omitted meaning fresh revocation information is
immediately available.
=back
......@@ -456,7 +460,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/openssl.pod
浏览文件 @ c4de074e
......@@ -91,7 +91,7 @@ Cipher Suite Description Determination.
=item L<B<cms>|cms(1)>
CMS (Cryptographic Message Syntax) utility
CMS (Cryptographic Message Syntax) utility.
=item L<B<crl>|crl(1)>
......@@ -113,8 +113,7 @@ Obsoleted by L<B<dhparam>|dhparam(1)>.
=item L<B<dhparam>|dhparam(1)>
Generation and Management of Diffie-Hellman Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.
=item L<B<dsa>|dsa(1)>
......@@ -123,15 +122,15 @@ DSA Data Management.
=item L<B<dsaparam>|dsaparam(1)>
DSA Parameter Generation and Management. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.
=item L<B<ec>|ec(1)>
EC (Elliptic curve) key processing
EC (Elliptic curve) key processing.
=item L<B<ecparam>|ecparam(1)>
EC parameter manipulation and generation
EC parameter manipulation and generation.
=item L<B<enc>|enc(1)>
......@@ -153,7 +152,7 @@ Obsoleted by L<B<dhparam>|dhparam(1)>.
=item L<B<gendsa>|gendsa(1)>
Generation of DSA Private Key from Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>.
=item L<B<genpkey>|genpkey(1)>
......@@ -165,7 +164,7 @@ Generation of RSA Private Key. Superseded by L<B<genpkey>|genpkey(1)>.
=item L<B<nseq>|nseq(1)>
Create or examine a Netscape certificate sequence
Create or examine a Netscape certificate sequence.
=item L<B<ocsp>|ocsp(1)>
......@@ -211,7 +210,7 @@ RSA key management.
=item L<B<rsautl>|rsautl(1)>
RSA utility for signing, verification, encryption, and decryption. Superseded
by L<B<pkeyutl>|pkeyutl(1)>
by L<B<pkeyutl>|pkeyutl(1)>.
=item L<B<s_client>|s_client(1)>
......@@ -247,11 +246,11 @@ Algorithm Speed Measurement.
=item L<B<spkac>|spkac(1)>
SPKAC printing and generating utility
SPKAC printing and generating utility.
=item L<B<ts>|ts(1)>
Time Stamping Authority tool (client/server)
Time Stamping Authority tool (client/server).
=item L<B<verify>|verify(1)>
......@@ -388,19 +387,19 @@ terminal with echoing turned off.
=item B<pass:password>
the actual password is B<password>. Since the password is visible
The actual password is B<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
=item B<env:var>
obtain the password from the environment variable B<var>. Since
Obtain the password from the environment variable B<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
=item B<file:pathname>
the first line of B<pathname> is the password. If the same B<pathname>
The first line of B<pathname> is the password. If the same B<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
......@@ -408,12 +407,12 @@ refer to a device or named pipe.
=item B<fd:number>
read the password from the file descriptor B<number>. This can be used to
Read the password from the file descriptor B<number>. This can be used to
send the data via a pipe for example.
=item B<stdin>
read the password from standard input.
Read the password from standard input.
=back
......@@ -441,7 +440,7 @@ manual pages.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/pkcs12.pod
浏览文件 @ c4de074e
......@@ -75,13 +75,13 @@ default. They are all written in PEM format.
=item B<-passin arg>
the PKCS#12 file (i.e. input file) password source. For more information about
The PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passout arg>
pass phrase source to encrypt any outputted private keys with. For more
Pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
......@@ -92,65 +92,65 @@ Otherwise, -password is equivalent to -passin.
=item B<-noout>
this option inhibits output of the keys and certificates to the output file
This option inhibits output of the keys and certificates to the output file
version of the PKCS#12 file.
=item B<-clcerts>
only output client certificates (not CA certificates).
Only output client certificates (not CA certificates).
=item B<-cacerts>
only output CA certificates (not client certificates).
Only output CA certificates (not client certificates).
=item B<-nocerts>
no certificates at all will be output.
No certificates at all will be output.
=item B<-nokeys>
no private keys will be output.
No private keys will be output.
=item B<-info>
output additional information about the PKCS#12 file structure, algorithms used and
iteration counts.
Output additional information about the PKCS#12 file structure, algorithms
used and iteration counts.
=item B<-des>
use DES to encrypt private keys before outputting.
Use DES to encrypt private keys before outputting.
=item B<-des3>
use triple DES to encrypt private keys before outputting, this is the default.
Use triple DES to encrypt private keys before outputting, this is the default.
=item B<-idea>
use IDEA to encrypt private keys before outputting.
Use IDEA to encrypt private keys before outputting.
=item B<-aes128>, B<-aes192>, B<-aes256>
use AES to encrypt private keys before outputting.
Use AES to encrypt private keys before outputting.
=item B<-aria128>, B<-aria192>, B<-aria256>
use ARIA to encrypt private keys before outputting.
Use ARIA to encrypt private keys before outputting.
=item B<-camellia128>, B<-camellia192>, B<-camellia256>
use Camellia to encrypt private keys before outputting.
Use Camellia to encrypt private keys before outputting.
=item B<-nodes>
don't encrypt the private keys at all.
Don't encrypt the private keys at all.
=item B<-nomacver>
don't attempt to verify the integrity MAC before reading the file.
Don't attempt to verify the integrity MAC before reading the file.
=item B<-twopass>
prompt for separate integrity and encryption passwords: most software
Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
PKCS#12 files unreadable.
......@@ -179,7 +179,7 @@ certificates are present they will also be included in the PKCS#12 file.
=item B<-inkey filename>
file to read private key from. If not present then a private key must be present
File to read private key from. If not present then a private key must be present
in the input file.
=item B<-name friendlyname>
......@@ -200,31 +200,31 @@ displays them.
=item B<-pass arg>, B<-passout arg>
the PKCS#12 file (i.e. output file) password source. For more information about
The PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin password>
pass phrase source to decrypt any input private keys with. For more information
Pass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-chain>
if this option is present then an attempt is made to include the entire
If this option is present then an attempt is made to include the entire
certificate chain of the user certificate. The standard CA store is used
for this search. If the search fails it is considered a fatal error.
=item B<-descert>
encrypt the certificate using triple DES, this may render the PKCS#12
Encrypt the certificate using triple DES, this may render the PKCS#12
file unreadable by some "export grade" software. By default the private
key is encrypted using triple DES and the certificate using 40 bit RC2.
=item B<-keypbe alg>, B<-certpbe alg>
these options allow the algorithm used to encrypt the private key and
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
can be used (see B<NOTES> section for more information). If a cipher name
(as output by the B<list-cipher-algorithms> command is specified then it
......@@ -233,7 +233,7 @@ use PKCS#12 algorithms.
=item B<-keyex|-keysig>
specifies that the private key is to be used for key exchange or just signing.
Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by MSIE and similar MS software. Normally
"export grade" software will only allow 512 bit RSA keys to be used for
encryption purposes but arbitrary length keys for signing. The B<-keysig>
......@@ -244,11 +244,11 @@ the use of signing only keys for SSL client authentication.
=item B<-macalg digest>
specify the MAC digest algorithm. If not included them SHA1 will be used.
Specify the MAC digest algorithm. If not included them SHA1 will be used.
=item B<-nomaciter>, B<-noiter>
these options affect the iteration counts on the MAC and key algorithms.
These options affect the iteration counts on the MAC and key algorithms.
Unless you wish to produce files compatible with MSIE 4.0 you should leave
these options alone.
......@@ -271,11 +271,11 @@ to be needed to use MAC iterations counts but they are now used by default.
=item B<-nomac>
don't attempt to provide the MAC integrity.
Don't attempt to provide the MAC integrity.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -293,15 +293,15 @@ linked to each certificate.
=item B<-no-CAfile>
Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default file location.
=item B<-no-CApath>
Do not load the trusted CA certificates from the default directory location
Do not load the trusted CA certificates from the default directory location.
=item B<-CSP name>
write B<name> as a Microsoft CSP name.
Write B<name> as a Microsoft CSP name.
=back
......
doc/man1/pkcs7.pod
浏览文件 @ c4de074e
......@@ -47,27 +47,27 @@ option is not specified.
=item B<-out filename>
specifies the output filename to write to or standard output by
Specifies the output filename to write to or standard output by
default.
=item B<-print_certs>
prints out any certificates or CRLs contained in the file. They are
Prints out any certificates or CRLs contained in the file. They are
preceded by their subject and issuer names in one line format.
=item B<-text>
prints out certificates details in full rather than just subject and
Prints out certificates details in full rather than just subject and
issuer names.
=item B<-noout>
don't output the encoded version of the PKCS#7 structure (or certificates
Don't output the encoded version of the PKCS#7 structure (or certificates
is B<-print_certs> is set).
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<pkcs7>
Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -109,7 +109,7 @@ L<crl2pkcs7(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/pkcs8.pod
浏览文件 @ c4de074e
......@@ -69,7 +69,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
......@@ -81,7 +81,7 @@ filename.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-iter count>
......@@ -124,21 +124,21 @@ If not specified PKCS#5 v2.0 form is used.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<pkcs8>
Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-scrypt>
uses the B<scrypt> algorithm for private key encryption using default
Uses the B<scrypt> algorithm for private key encryption using default
parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
B<-scrypt_p> and B<-v2> options.
B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
=item B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
sets the scrypt B<N>, B<r> or B<p> parameters.
Sets the scrypt B<N>, B<r> or B<p> parameters.
=back
......@@ -291,7 +291,7 @@ The B<-iter> option was added to OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/pkey.pod
浏览文件 @ c4de074e
......@@ -53,7 +53,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
......@@ -65,12 +65,12 @@ filename.
=item B<-passout password>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-traditional>
normally a private key is written using standard format: this is PKCS#8 form
Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
......@@ -81,31 +81,31 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
=item B<-text>
prints out the various public or private key components in
Prints out the various public or private key components in
plain text in addition to the encoded version.
=item B<-text_pub>
print out only public key components even if a private key is being processed.
Print out only public key components even if a private key is being processed.
=item B<-noout>
do not output the encoded version of the key.
Do not output the encoded version of the key.
=item B<-pubin>
by default a private key is read from the input file: with this
By default a private key is read from the input file: with this
option a public key is read instead.
=item B<-pubout>
by default a private key is output: with this option a public
By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<pkey>
Specifying an engine (by its unique B<id> string) will cause B<pkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -145,7 +145,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/pkeyparam.pod
浏览文件 @ c4de074e
......@@ -39,15 +39,15 @@ this option is not specified.
=item B<-text>
prints out the parameters in plain text in addition to the encoded version.
Prints out the parameters in plain text in addition to the encoded version.
=item B<-noout>
do not output the encoded version of the parameters.
Do not output the encoded version of the parameters.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -72,7 +72,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/pkeyutl.pod
浏览文件 @ c4de074e
......@@ -53,7 +53,7 @@ if this option is not specified.
=item B<-out filename>
specifies the output filename to write to or standard output by
Specifies the output filename to write to or standard output by
default.
=item B<-sigfile file>
......@@ -62,64 +62,63 @@ Signature file, required for B<verify> operations only
=item B<-inkey file>
the input key file, by default it should be a private key.
The input key file, by default it should be a private key.
=item B<-keyform PEM|DER|ENGINE>
the key format PEM, DER or ENGINE. Default is PEM.
The key format PEM, DER or ENGINE. Default is PEM.
=item B<-passin arg>
the input key password source. For more information about the format of B<arg>
The input key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-peerkey file>
the peer key file, used by key derivation (agreement) operations.
The peer key file, used by key derivation (agreement) operations.
=item B<-peerform PEM|DER|ENGINE>
the peer key format PEM, DER or ENGINE. Default is PEM.
The peer key format PEM, DER or ENGINE. Default is PEM.
=item B<-pubin>
the input file is a public key.
The input file is a public key.
=item B<-certin>
the input is a certificate containing a public key.
The input is a certificate containing a public key.
=item B<-rev>
reverse the order of the input buffer. This is useful for some libraries
Reverse the order of the input buffer. This is useful for some libraries
(such as CryptoAPI) which represent the buffer in little endian format.
=item B<-sign>
sign the input data and output the signed result. This requires
Sign the input data and output the signed result. This requires
a private key.
=item B<-verify>
verify the input data against the signature file and indicate if the
Verify the input data against the signature file and indicate if the
verification succeeded or failed.
=item B<-verifyrecover>
verify the input data and output the recovered data.
Verify the input data and output the recovered data.
=item B<-encrypt>
encrypt the input data using a public key.
Encrypt the input data using a public key.
=item B<-decrypt>
decrypt the input data using a private key.
Decrypt the input data using a private key.
=item B<-derive>
derive a shared secret using the peer key.
Derive a shared secret using the peer key.
=item B<-kdf algorithm>
......@@ -144,12 +143,12 @@ hex dump the output data.
=item B<-asn1parse>
asn1parse the output data, this is useful when combined with the
Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -308,7 +307,7 @@ L<EVP_PKEY_CTX_set_hkdf_md(3)>, L<EVP_PKEY_CTX_set_tls1_prf_md(3)>
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/req.pod
浏览文件 @ c4de074e
......@@ -81,7 +81,7 @@ options (B<-new> and B<-newkey>) are not specified.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
......@@ -91,38 +91,38 @@ default.
=item B<-passout arg>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-text>
prints out the certificate request in text form.
Prints out the certificate request in text form.
=item B<-subject>
prints out the request subject (or certificate subject if B<-x509> is
Prints out the request subject (or certificate subject if B<-x509> is
specified)
=item B<-pubkey>
outputs the public key.
Outputs the public key.
=item B<-noout>
this option prevents output of the encoded version of the request.
This option prevents output of the encoded version of the request.
=item B<-modulus>
this option prints out the value of the modulus of the public key
This option prints out the value of the modulus of the public key
contained in the request.
=item B<-verify>
verifies the signature on the request.
Verifies the signature on the request.
=item B<-new>
this option generates a new certificate request. It will prompt
This option generates a new certificate request. It will prompt
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
......@@ -132,7 +132,7 @@ key using information specified in the configuration file.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -140,7 +140,7 @@ all others.
=item B<-newkey arg>
this option creates a new certificate request and a new private
This option creates a new certificate request and a new private
key. The argument takes one of several forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
......@@ -166,7 +166,7 @@ specified by B<-pkeyopt paramset:X>
=item B<-pkeyopt opt:value>
set the public key algorithm option B<opt> to B<value>. The precise set of
Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
......@@ -178,23 +178,23 @@ accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform PEM|DER>
the format of the private key file specified in the B<-key>
The format of the private key file specified in the B<-key>
argument. PEM is the default.
=item B<-keyout filename>
this gives the filename to write the newly created private key to.
This gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
configuration file is used.
=item B<-nodes>
if this option is specified then if a private key is created it
If this option is specified then if a private key is created it
will not be encrypted.
=item B<-[digest]>
this specifies the message digest to sign the request.
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
This overrides the digest algorithm specified in
the configuration file.
......@@ -205,20 +205,20 @@ GOST R 34.11-94 (B<-md_gost94>).
=item B<-config filename>
this allows an alternative configuration file to be specified.
This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
=item B<-subj arg>
sets subject name for new request or supersedes the subject name
Sets subject name for new request or supersedes the subject name
when processing a request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-multivalue-rdn>
this option causes the -subj argument to be interpreted with full
This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
......@@ -227,7 +227,7 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
=item B<-x509>
this option outputs a self signed certificate instead of a certificate
This option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
......@@ -236,19 +236,19 @@ the serial number.
=item B<-days n>
when the B<-x509> option is being used this specifies the number of
When the B<-x509> option is being used this specifies the number of
days to certify the certificate for. The default is 30 days.
=item B<-set_serial n>
serial number to use when outputting a self signed certificate. This
Serial number to use when outputting a self signed certificate. This
may be specified as a decimal value or a hex value if preceded by B<0x>.
=item B<-extensions section>
=item B<-reqexts section>
these options specify alternative sections to include certificate
These options specify alternative sections to include certificate
extensions (if the B<-x509> option is present) or certificate
request extensions. This allows several different sections to
be used in the same configuration file to specify requests for
......@@ -256,7 +256,7 @@ a variety of purposes.
=item B<-precert>
a poison extension will be added to the certificate, making it a
A poison extension will be added to the certificate, making it a
"pre-certificate" (see RFC6962). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
These SCTs can then be embedded into the pre-certificate as an extension, before
......@@ -266,21 +266,21 @@ This implies the B<-new> flag.
=item B<-utf8>
this option causes field values to be interpreted as UTF8 strings, by
This option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. The
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-reqopt>
customise the output format used with B<-text>. The B<option> argument can be
Customise the output format used with B<-text>. The B<option> argument can be
a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
......@@ -293,22 +293,22 @@ request. Some software (Netscape certificate server) and some CAs need this.
=item B<-batch>
non-interactive mode.
Non-interactive mode.
=item B<-verbose>
print extra details about the operations being performed.
Print extra details about the operations being performed.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<req>
Specifying an engine (by its unique B<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-keygen_engine id>
specifies an engine (by its unique B<id> string) which would be used
Specifies an engine (by its unique B<id> string) which would be used
for key generation operations.
=back
......@@ -395,7 +395,7 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
=item B<req_extensions>
this specifies the configuration file section containing a list of
This specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
by the B<-reqexts> command line switch. See the
L<x509v3_config(5)> manual page for details of the
......@@ -403,26 +403,26 @@ extension section format.
=item B<x509_extensions>
this specifies the configuration file section containing a list of
This specifies the configuration file section containing a list of
extensions to add to certificate generated when the B<-x509> switch
is used. It can be overridden by the B<-extensions> command line switch.
=item B<prompt>
if set to the value B<no> this disables prompting of certificate fields
If set to the value B<no> this disables prompting of certificate fields
and just takes values from the config file directly. It also changes the
expected format of the B<distinguished_name> and B<attributes> sections.
=item B<utf8>
if set to the value B<yes> then field values to be interpreted as UTF8
If set to the value B<yes> then field values to be interpreted as UTF8
strings, by default they are interpreted as ASCII. This means that
the field values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<attributes>
this specifies the section containing any request attributes: its format
This specifies the section containing any request attributes: its format
is the same as B<distinguished_name>. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.
......@@ -659,7 +659,7 @@ L<x509v3_config(5)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/rsa.pod
浏览文件 @ c4de074e
......@@ -74,7 +74,7 @@ prompted for.
=item B<-passin arg>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-out filename>
......@@ -86,7 +86,7 @@ filename.
=item B<-passout password>
the output file password source. For more information about the format of B<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
......@@ -101,39 +101,39 @@ These options can only be used with PEM format output files.
=item B<-text>
prints out the various public or private key components in
Prints out the various public or private key components in
plain text in addition to the encoded version.
=item B<-noout>
this option prevents output of the encoded version of the key.
This option prevents output of the encoded version of the key.
=item B<-modulus>
this option prints out the value of the modulus of the key.
This option prints out the value of the modulus of the key.
=item B<-check>
this option checks the consistency of an RSA private key.
This option checks the consistency of an RSA private key.
=item B<-pubin>
by default a private key is read from the input file: with this
By default a private key is read from the input file: with this
option a public key is read instead.
=item B<-pubout>
by default a private key is output: with this option a public
By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<rsa>
Specifying an engine (by its unique B<id> string) will cause B<rsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......
doc/man1/rsautl.pod
浏览文件 @ c4de074e
......@@ -44,56 +44,56 @@ if this option is not specified.
=item B<-out filename>
specifies the output filename to write to or standard output by
Specifies the output filename to write to or standard output by
default.
=item B<-inkey file>
the input key file, by default it should be an RSA private key.
The input key file, by default it should be an RSA private key.
=item B<-keyform PEM|DER|ENGINE>
the key format PEM, DER or ENGINE.
The key format PEM, DER or ENGINE.
=item B<-pubin>
the input file is an RSA public key.
The input file is an RSA public key.
=item B<-certin>
the input is a certificate containing an RSA public key.
The input is a certificate containing an RSA public key.
=item B<-sign>
sign the input data and output the signed result. This requires
Sign the input data and output the signed result. This requires
an RSA private key.
=item B<-verify>
verify the input data and output the recovered data.
Verify the input data and output the recovered data.
=item B<-encrypt>
encrypt the input data using an RSA public key.
Encrypt the input data using an RSA public key.
=item B<-decrypt>
decrypt the input data using an RSA private key.
Decrypt the input data using an RSA private key.
=item B<-pkcs, -oaep, -ssl, -raw>
the padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
special padding used in SSL v2 backwards compatible handshakes,
or no padding, respectively.
For signatures, only B<-pkcs> and B<-raw> can be used.
=item B<-hexdump>
hex dump the output data.
Hex dump the output data.
=item B<-asn1parse>
asn1parse the output data, this is useful when combined with the
Parse the ASN.1 output data, this is useful when combined with the
B<-verify> option.
=back
......@@ -194,7 +194,7 @@ L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/s_client.pod
浏览文件 @ c4de074e
......@@ -194,7 +194,7 @@ abort the handshake with a fatal error.
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. The
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
......@@ -287,17 +287,17 @@ L<verify(1)> manual page for details.
=item B<-reconnect>
reconnects to the same server 5 times using the same session ID, this can
Reconnects to the same server 5 times using the same session ID, this can
be used as a test that session caching is working.
=item B<-showcerts>
display the whole server certificate chain: normally only the server
Display the whole server certificate chain: normally only the server
certificate itself is displayed.
=item B<-prexit>
print session information when the program exits. This will always attempt
Print session information when the program exits. This will always attempt
to print out information even if the connection fails. Normally information
will only be printed out once if the connection succeeds. This option is useful
because the cipher in use may be renegotiated or the connection may fail
......@@ -308,51 +308,51 @@ established.
=item B<-state>
prints out the SSL session states.
Prints out the SSL session states.
=item B<-debug>
print extensive debugging information including a hex dump of all traffic.
Print extensive debugging information including a hex dump of all traffic.
=item B<-msg>
show all protocol messages with hex dump.
Show all protocol messages with hex dump.
=item B<-trace>
show verbose trace output of protocol messages. OpenSSL needs to be compiled
Show verbose trace output of protocol messages. OpenSSL needs to be compiled
with B<enable-ssl-trace> for this option to work.
=item B<-msgfile>
file to send output of B<-msg> or B<-trace> to, default standard output.
File to send output of B<-msg> or B<-trace> to, default standard output.
=item B<-nbio_test>
tests non-blocking I/O
Tests non-blocking I/O
=item B<-nbio>
turns on non-blocking I/O
Turns on non-blocking I/O
=item B<-crlf>
this option translated a line feed from the terminal into CR+LF as required
This option translated a line feed from the terminal into CR+LF as required
by some servers.
=item B<-ign_eof>
inhibit shutting down the connection when end of file is reached in the
Inhibit shutting down the connection when end of file is reached in the
input.
=item B<-quiet>
inhibit printing of session and certificate information. This implicitly
Inhibit printing of session and certificate information. This implicitly
turns on B<-ign_eof> as well.
=item B<-no_ign_eof>
shut down the connection when end of file is reached in the input.
Shut down the connection when end of file is reached in the input.
Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity identity>
......@@ -386,7 +386,7 @@ Send TLS_FALLBACK_SCSV in the ClientHello.
=item B<-async>
switch on asynchronous mode. Cryptographic operations will be performed
Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
......@@ -396,7 +396,7 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable ciphersuite has been negotiated, an engine that supports pipelining
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
......@@ -404,7 +404,7 @@ L<SSL_CTX_set_split_send_fragment(3)> for further information.
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable ciphersuite has been negotiated. The default value is 1.
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
=item B<-read_buf int>
......@@ -416,7 +416,7 @@ further information).
=item B<-bugs>
there are several known bug in SSL and TLS implementations. Adding this
There are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
=item B<-comp>
......@@ -434,7 +434,7 @@ OpenSSL 1.1.0.
=item B<-brief>
only provide a brief summary of connection parameters instead of the
Only provide a brief summary of connection parameters instead of the
normal verbose output.
=item B<-sigalgs sigalglist>
......@@ -452,14 +452,14 @@ is ultimately selected by the server. For a list of all curves, use:
=item B<-cipher cipherlist>
this allows the cipher list sent by the client to be modified. Although
This allows the cipher list sent by the client to be modified. Although
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.
Send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
......@@ -473,31 +473,31 @@ will be used.
=item B<-tlsextdebug>
print out a hex dump of any TLS extensions received from the server.
Print out a hex dump of any TLS extensions received from the server.
=item B<-no_ticket>
disable RFC4507bis session ticket support.
Disable RFC4507bis session ticket support.
=item B<-sess_out filename>
output SSL session to B<filename>
Output SSL session to B<filename>.
=item B<-sess_in sess.pem>
load SSL session from B<filename>. The client will attempt to resume a
Load SSL session from B<filename>. The client will attempt to resume a
connection from this session.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<s_client>
Specifying an engine (by its unique B<id> string) will cause B<s_client>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -505,30 +505,28 @@ all others.
=item B<-serverinfo types>
a list of comma-separated TLS Extension Types (numbers between 0 and
A list of comma-separated TLS Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello TLS Extension.
The server's response (if any) will be encoded and displayed as a PEM
file.
=item B<-status>
sends a certificate status request to the server (OCSP stapling). The server
Sends a certificate status request to the server (OCSP stapling). The server
response (if any) is printed out.
=item B<-alpn protocols>, B<-nextprotoneg protocols>
these flags enable the
Enable the Application-Layer Protocol Negotiation or Next Protocol
Negotiation extension, respectively. ALPN is the IETF standard and
replaces NPN.
The B<protocols> list is a
comma-separated protocol names that the client should advertise
support for. The list should contain most wanted protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
Empty list of protocols is treated specially and will cause the client to
advertise support for the TLS extension but disconnect just after
receiving ServerHello with a list of server supported protocols.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The B<protocols> list is a comma-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable ASCII strings,
for example "http/1.1" or "spdy/3".
An empty list of protocols is treated specially and will cause the
client to advertise support for the TLS extension but disconnect just
after receiving ServerHello with a list of server supported protocols.
=item B<-ct|noct>
......@@ -629,7 +627,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/s_server.pod
浏览文件 @ c4de074e
......@@ -249,11 +249,11 @@ a certificate is requested.
=item B<-no-CAfile>
Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default file location.
=item B<-no-CApath>
Do not load the trusted CA certificates from the default directory location
Do not load the trusted CA certificates from the default directory location.
=item B<-verify depth>, B<-Verify depth>
......@@ -263,12 +263,12 @@ the client. With the B<-verify> option a certificate is requested but the
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
If the ciphersuite cannot request a client certificate (for example an
anonymous ciphersuite or PSK) this option has no effect.
If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or PSK) this option has no effect.
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. The
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
......@@ -313,11 +313,11 @@ File to send output of B<-msg> or B<-trace> to, default standard output.
=item B<-nbio_test>
Tests non blocking I/O
Tests non blocking I/O.
=item B<-nbio>
Turns on non blocking I/O
Turns on non blocking I/O.
=item B<-crlf>
......@@ -374,7 +374,7 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable ciphersuite has been negotiated, an engine that supports pipelining
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
......@@ -382,7 +382,7 @@ L<SSL_CTX_set_split_send_fragment(3)> for further information.
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable ciphersuite has been negotiated. The default value is 1.
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
=item B<-read_buf int>
......@@ -418,7 +418,7 @@ output.
=item B<-client_sigalgs sigalglist>
Signature algorithms to support for client certificate authentication
(colon-separated list)
(colon-separated list).
=item B<-named_curve curve>
......@@ -533,13 +533,11 @@ OCSP Response stored in the file. The file must be in DER format.
=item B<-alpn protocols>, B<-nextprotoneg protocols>
these flags enable the
Enable the Application-Layer Protocol Negotiation or Next Protocol
Negotiation extension, respectively. ALPN is the IETF standard and
replaces NPN.
The B<protocols> list is a
comma-separated list of supported protocol names.
The list should contain most wanted protocols first.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The B<protocols> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
......@@ -574,28 +572,28 @@ operations: these are listed below.
=item B<q>
end the current SSL connection but still accept new connections.
End the current SSL connection but still accept new connections.
=item B<Q>
end the current SSL connection and exit.
End the current SSL connection and exit.
=item B<r>
renegotiate the SSL session.
Renegotiate the SSL session.
=item B<R>
renegotiate the SSL session and request a client certificate.
Renegotiate the SSL session and request a client certificate.
=item B<P>
send some plain text down the underlying TCP connection: this should
Send some plain text down the underlying TCP connection: this should
cause the client to disconnect due to a protocol violation.
=item B<S>
print out some session cache status information.
Print out some session cache status information.
=back
......@@ -642,7 +640,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/s_time.pod
浏览文件 @ c4de074e
......@@ -73,7 +73,7 @@ will never fail due to a server certificate verify failure.
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. The
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
......@@ -99,23 +99,23 @@ Do not load the trusted CA certificates from the default directory location
=item B<-new>
performs the timing test using a new session ID for each connection.
Performs the timing test using a new session ID for each connection.
If neither B<-new> nor B<-reuse> are specified, they are both on by default
and executed in sequence.
=item B<-reuse>
performs the timing test using the same session ID; this can be used as a test
Performs the timing test using the same session ID; this can be used as a test
that session caching is working. If neither B<-new> nor B<-reuse> are
specified, they are both on by default and executed in sequence.
=item B<-nbio>
turns on non-blocking I/O.
Turns on non-blocking I/O.
=item B<-ssl3>
these options disable the use of certain SSL or TLS protocols. By default
These options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3 or TLS as appropriate.
The timing program is not as rich in options to turn protocols on and off as
......@@ -127,19 +127,19 @@ work if TLS is turned off with the B<-ssl3> option.
=item B<-bugs>
there are several known bug in SSL and TLS implementations. Adding this
There are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
=item B<-cipher cipherlist>
this allows the cipher list sent by the client to be modified. Although
This allows the cipher list sent by the client to be modified. Although
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client.
See the L<ciphers(1)> command for more information.
=item B<-time length>
specifies how long (in seconds) B<s_time> should establish connections and
Specifies how long (in seconds) B<s_time> should establish connections and
optionally transfer payload data from a server. Server and client performance
and the link speed determine how many connections B<s_time> can establish.
......@@ -192,7 +192,7 @@ L<s_client(1)>, L<s_server(1)>, L<ciphers(1)>
=head1 COPYRIGHT
Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2004-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/sess_id.pod
浏览文件 @ c4de074e
......@@ -57,21 +57,21 @@ output if this option is not specified.
=item B<-text>
prints out the various public or private key components in
Prints out the various public or private key components in
plain text in addition to the encoded version.
=item B<-cert>
if a certificate is present in the session it will be output using this option,
If a certificate is present in the session it will be output using this option,
if the B<-text> option is also present then it will be printed out in text form.
=item B<-noout>
this option prevents output of the encoded version of the session.
This option prevents output of the encoded version of the session.
=item B<-context ID>
this option can set the session id so the output session information uses the
This option can set the session id so the output session information uses the
supplied ID. The ID can be any string of characters. This option won't normally
be used.
......@@ -98,36 +98,37 @@ Theses are described below in more detail.
=item B<Protocol>
this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
This is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
=item B<Cipher>
the cipher used this is the actual raw SSL or TLS cipher code, see the SSL
The cipher used this is the actual raw SSL or TLS cipher code, see the SSL
or TLS specifications for more information.
=item B<Session-ID>
the SSL session ID in hex format.
The SSL session ID in hex format.
=item B<Session-ID-ctx>
the session ID context in hex format.
The session ID context in hex format.
=item B<Master-Key>
this is the SSL session master key.
This is the SSL session master key.
=item B<Start Time>
this is the session start time represented as an integer in standard Unix format.
This is the session start time represented as an integer in standard
Unix format.
=item B<Timeout>
the timeout in seconds.
The timeout in seconds.
=item B<Verify return code>
this is the return code when an SSL client certificate is verified.
This is the return code when an SSL client certificate is verified.
=back
......@@ -138,10 +139,11 @@ The PEM encoded session format uses the header and footer lines:
-----BEGIN SSL SESSION PARAMETERS-----
-----END SSL SESSION PARAMETERS-----
Since the SSL session output contains the master key it is possible to read the contents
of an encrypted session using this information. Therefore appropriate security precautions
should be taken if the information is being output by a "real" application. This is
however strongly discouraged and should only be used for debugging purposes.
Since the SSL session output contains the master key it is
possible to read the contents of an encrypted session using this
information. Therefore appropriate security precautions should be taken if
the information is being output by a "real" application. This is however
strongly discouraged and should only be used for debugging purposes.
=head1 BUGS
......@@ -153,7 +155,7 @@ L<ciphers(1)>, L<s_server(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/smime.pod
浏览文件 @ c4de074e
......@@ -87,7 +87,7 @@ Print out a usage message.
=item B<-encrypt>
encrypt mail for the given recipient certificates. Input file is the message
Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in MIME format.
Note that no revocation check is done for the recipient cert, so if that
......@@ -95,37 +95,37 @@ key has been compromised, others may be able to decrypt the text.
=item B<-decrypt>
decrypt mail using the supplied certificate and private key. Expects an
Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-sign>
sign mail using the supplied certificate and private key. Input file is
Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
verify signed mail. Expects a signed mail message on input and outputs
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
=item B<-pk7out>
takes an input message and writes out a PEM encoded PKCS#7 structure.
Takes an input message and writes out a PEM encoded PKCS#7 structure.
=item B<-resign>
resign a message: take an existing message and one or more new signers.
Resign a message: take an existing message and one or more new signers.
=item B<-in filename>
the input message to be encrypted or signed or the MIME message to
The input message to be encrypted or signed or the MIME message to
be decrypted or verified.
=item B<-inform SMIME|PEM|DER>
this specifies the input format for the PKCS#7 structure. The default
This specifies the input format for the PKCS#7 structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format PKCS#7 structures
instead. This currently only affects the input format of the PKCS#7
......@@ -134,12 +134,12 @@ B<-encrypt> or B<-sign>) this option has no effect.
=item B<-out filename>
the message text that has been decrypted or verified or the output MIME
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
this specifies the output format for the PKCS#7 structure. The default
This specifies the output format for the PKCS#7 structure. The default
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format PKCS#7 structures
instead. This currently only affects the output format of the PKCS#7
......@@ -148,7 +148,7 @@ B<-verify> or B<-decrypt>) this option has no effect.
=item B<-stream -indef -noindef>
the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
......@@ -157,7 +157,7 @@ other operations.
=item B<-noindef>
disable streaming I/O where it would produce and indefinite length constructed
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
......@@ -171,38 +171,38 @@ is S/MIME and it uses the multipart/signed MIME content type.
=item B<-text>
this option adds plain text (text/plain) MIME headers to the supplied
This option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-CAfile file>
a file containing trusted CA certificates, only used with B<-verify>.
A file containing trusted CA certificates, only used with B<-verify>.
=item B<-CApath dir>
a directory containing trusted CA certificates, only used with
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default file location.
=item B<-no-CApath>
Do not load the trusted CA certificates from the default directory location
Do not load the trusted CA certificates from the default directory location.
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-[cipher]>
the encryption algorithm to use. For example DES (56 bits) - B<-des>,
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
......@@ -212,77 +212,77 @@ If not specified triple DES is used. Only used with B<-encrypt>.
=item B<-nointern>
when verifying a message normally certificates (if any) included in
When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-noverify>
do not verify the signers certificate of a signed message.
Do not verify the signers certificate of a signed message.
=item B<-nochain>
do not do chain verification of signers certificates: that is don't
Do not do chain verification of signers certificates: that is don't
use the certificates in the signed message as untrusted CAs.
=item B<-nosigs>
don't try to verify the signatures on the message.
Don't try to verify the signatures on the message.
=item B<-nocerts>
when signing a message the signer's certificate is normally included
When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
normally when a message is signed a set of attributes are included which
Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-binary>
normally the input message is converted to "canonical" format which is
Normally the input message is converted to "canonical" format which is
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
normally the output file uses a single B<LF> as end of line. When this
Normally the output file uses a single B<LF> as end of line. When this
option is present B<CRLF> is used instead.
=item B<-nodetach>
when signing a message use opaque signing: this form is more resistant
When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
allows additional certificates to be specified. When signing these will
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-signer file>
a signing certificate when signing or resigning a message, this option can be
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
the recipients certificate when decrypting a message. This certificate
The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
=item B<-inkey file>
the private key to use when signing or decrypting. This must match the
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
......@@ -290,12 +290,12 @@ multiple times to specify successive keys.
=item B<-passin arg>
the private key password source. For more information about the format of B<arg>
The private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
A file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
......@@ -303,12 +303,12 @@ all others.
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
One or more certificates of message recipients: used when encrypting
a message.
=item B<-to, -from, -subject>
the relevant mail headers. These are included outside the signed
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
......@@ -370,28 +370,28 @@ remains DER.
=item Z<>0
the operation was completely successfully.
The operation was completely successfully.
=item Z<>1
an error occurred parsing the command options.
An error occurred parsing the command options.
=item Z<>2
one of the input files could not be read.
One of the input files could not be read.
=item Z<>3
an error occurred creating the PKCS#7 file or when reading the MIME
An error occurred creating the PKCS#7 file or when reading the MIME
message.
=item Z<>4
an error occurred decrypting or verifying the message.
An error occurred decrypting or verifying the message.
=item Z<>5
the message was verified correctly but an error occurred writing out
The message was verified correctly but an error occurred writing out
the signers certificates.
=back
......@@ -505,7 +505,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/speed.pod
浏览文件 @ c4de074e
......@@ -30,7 +30,7 @@ Print out a usage message.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<speed>
Specifying an engine (by its unique B<id> string) will cause B<speed>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -57,7 +57,7 @@ the above are tested.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/spkac.pod
浏览文件 @ c4de074e
......@@ -41,52 +41,52 @@ option is not specified. Ignored if the B<-key> option is used.
=item B<-out filename>
specifies the output filename to write to or standard output by
Specifies the output filename to write to or standard output by
default.
=item B<-key keyfile>
create an SPKAC file using the private key in B<keyfile>. The
Create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
=item B<-passin password>
the input file password source. For more information about the format of B<arg>
The input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-challenge string>
specifies the challenge string if an SPKAC is being created.
Specifies the challenge string if an SPKAC is being created.
=item B<-spkac spkacname>
allows an alternative name form the variable containing the
Allows an alternative name form the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.
=item B<-spksect section>
allows an alternative name form the section containing the
Allows an alternative name form the section containing the
SPKAC. The default is the default section.
=item B<-noout>
don't output the text version of the SPKAC (not used if an
Don't output the text version of the SPKAC (not used if an
SPKAC is being created).
=item B<-pubkey>
output the public key of an SPKAC (not used if an SPKAC is
Output the public key of an SPKAC (not used if an SPKAC is
being created).
=item B<-verify>
verifies the digital signature on the supplied SPKAC.
Verifies the digital signature on the supplied SPKAC.
=item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<spkac>
Specifying an engine (by its unique B<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
......@@ -137,7 +137,7 @@ L<ca(1)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/ts.pod
浏览文件 @ c4de074e
......@@ -187,7 +187,6 @@ response. (Optional)
This option specifies a previously created time stamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
=item B<-out> request.tsq
......@@ -640,7 +639,7 @@ L<config(5)>
=head1 COPYRIGHT
Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/verify.pod
浏览文件 @ c4de074e
......@@ -79,15 +79,15 @@ create symbolic links to a directory of certificates.
=item B<-no-CAfile>
Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default file location.
=item B<-no-CApath>
Do not load the trusted CA certificates from the default directory location
Do not load the trusted CA certificates from the default directory location.
=item B<-allow_proxy_certs>
Allow the verification of proxy certificates
Allow the verification of proxy certificates.
=item B<-attime timestamp>
......@@ -154,7 +154,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-nameopt option>
option which determines how the subject or issuer names are displayed. The
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
......@@ -195,7 +195,7 @@ information.
=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
192 bit, or only 192 bit Level of Security respectively.
See RFC6460 for details. In particular the supported signature algorithms are
reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
......@@ -427,14 +427,15 @@ The CRL of a certificate could not be found.
=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE>
The certificate signature could not be decrypted. This means that the actual signature value
could not be determined rather than it not matching the expected value, this is only
meaningful for RSA keys.
The certificate signature could not be decrypted. This means that the
actual signature value could not be determined rather than it not matching
the expected value, this is only meaningful for RSA keys.
=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE>
The CRL signature could not be decrypted: this means that the actual signature value
could not be determined rather than it not matching the expected value. Unused.
The CRL signature could not be decrypted: this means that the actual
signature value could not be determined rather than it not matching the
expected value. Unused.
=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY>
......@@ -450,11 +451,13 @@ The signature of the certificate is invalid.
=item B<X509_V_ERR_CERT_NOT_YET_VALID>
The certificate is not yet valid: the notBefore date is after the current time.
The certificate is not yet valid: the notBefore date is after the
current time.
=item B<X509_V_ERR_CERT_HAS_EXPIRED>
The certificate has expired: that is the notAfter date is before the current time.
The certificate has expired: that is the notAfter date is before the
current time.
=item B<X509_V_ERR_CRL_NOT_YET_VALID>
......@@ -486,13 +489,13 @@ An error occurred trying to allocate memory. This should never happen.
=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT>
The passed certificate is self-signed and the same certificate cannot be found in the list of
trusted certificates.
The passed certificate is self-signed and the same certificate cannot
be found in the list of trusted certificates.
=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN>
The certificate chain could be built up using the untrusted certificates but the root could not
be found locally.
The certificate chain could be built up using the untrusted certificates
but the root could not be found locally.
=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY>
......@@ -501,12 +504,13 @@ certificate of an untrusted certificate cannot be found.
=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE>
No signatures could be verified because the chain contains only one certificate and it is not
self signed.
No signatures could be verified because the chain contains only one
certificate and it is not self signed.
=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG>
The certificate chain length is greater than the supplied maximum depth. Unused.
The certificate chain length is greater than the supplied maximum
depth. Unused.
=item B<X509_V_ERR_CERT_REVOKED>
......@@ -514,8 +518,8 @@ The certificate has been revoked.
=item B<X509_V_ERR_INVALID_CA>
A CA certificate is invalid. Either it is not a CA or its extensions are not consistent
with the supplied purpose.
A CA certificate is invalid. Either it is not a CA or its extensions
are not consistent with the supplied purpose.
=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED>
......@@ -527,7 +531,7 @@ The supplied certificate cannot be used for the specified purpose.
=item B<X509_V_ERR_CERT_UNTRUSTED>
the root CA is not marked as trusted for the specified purpose.
The root CA is not marked as trusted for the specified purpose.
=item B<X509_V_ERR_CERT_REJECTED>
......@@ -535,7 +539,7 @@ The root CA is marked to reject the specified purpose.
=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH>
not used as of OpenSSL 1.1.0 as a result of the deprecation of the
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<X509_V_ERR_AKID_SKID_MISMATCH>
......@@ -696,14 +700,15 @@ This error is only possible in L<s_client(1)>.
=head1 BUGS
Although the issuer checks are a considerable improvement over the old technique they still
suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
trusted certificates with matching subject name must either appear in a file (as specified by the
B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only
the certificates in the file will be recognised.
Although the issuer checks are a considerable improvement over the old
technique they still suffer from limitations in the underlying X509_LOOKUP
API. One consequence of this is that trusted certificates with matching
subject name must either appear in a file (as specified by the B<-CAfile>
option) or a directory (as specified by B<-CApath>). If they occur in
both then only the certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject name are identical and
mishandled them.
Previous versions of OpenSSL assume certificates with matching subject
name are identical and mishandled them.
Previous versions of this documentation swapped the meaning of the
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
......@@ -722,7 +727,7 @@ is silently ignored.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/version.pod
浏览文件 @ c4de074e
......@@ -31,27 +31,27 @@ Print out a usage message.
=item B<-a>
all information, this is the same as setting all the other flags.
All information, this is the same as setting all the other flags.
=item B<-v>
the current OpenSSL version.
The current OpenSSL version.
=item B<-b>
the date the current version of OpenSSL was built.
The date the current version of OpenSSL was built.
=item B<-o>
option information: various options set when the library was built.
Option information: various options set when the library was built.
=item B<-f>
compilation flags.
Compilation flags.
=item B<-p>
platform setting.
Platform setting.
=item B<-d>
......@@ -70,7 +70,7 @@ in a bug report.
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
......
doc/man1/x509.pod
浏览文件 @ c4de074e
此差异已折叠。
doc/man3/SSL_CIPHER_get_name.pod
浏览文件 @ c4de074e
......@@ -34,17 +34,17 @@ SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol
version that first defined the cipher. It returns "(NONE)" if B<cipher> is NULL.
SSL_CIPHER_get_cipher_nid() returns the cipher NID corresponding to B<c>.
If there is no cipher (e.g. for ciphersuites with no encryption) then
If there is no cipher (e.g. for cipher suites with no encryption) then
B<NID_undef> is returned.
SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC
used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then
used by B<c>. If there is no digest (e.g. for AEAD cipher suites) then
B<NID_undef> is returned.
SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
used by B<c>. If there is no key exchange, then B<NID_undef> is returned.
If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
ciphersuites) B<NID_kx_any> is returned. Examples (not comprehensive):
cipher suites) B<NID_kx_any> is returned. Examples (not comprehensive):
NID_kx_rsa
NID_kx_ecdhe
......@@ -54,7 +54,7 @@ ciphersuites) B<NID_kx_any> is returned. Examples (not comprehensive):
SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
used by B<c>. If there is no authentication, then B<NID_undef> is returned.
If any appropriate authentication algorithm can be used (as in the case of
TLS 1.3 ciphersuites) B<NID_auth_any> is returned. Examples (not comprehensive):
TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive):
NID_auth_rsa
NID_auth_ecdsa
......
doc/man3/SSL_CTX_add1_chain_cert.pod
浏览文件 @ c4de074e
......@@ -86,7 +86,7 @@ used to iterate over all certificates in an B<SSL_CTX> structure.
SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>.
If B<ssl> is a server and has sent a certificate to a connected client
this option sets that certificate to the current certificate and returns 1.
If the negotiated ciphersuite is anonymous (and thus no certificate will
If the negotiated cipher suite is anonymous (and thus no certificate will
be sent) 2 is returned and the current certificate is unchanged. If B<ssl>
is not a server or a certificate has not been sent 0 is returned and
the current certificate is unchanged.
......@@ -129,7 +129,7 @@ using SSL_CTX_add_extra_chain_cert() will be used.
=head1 RETURN VALUES
SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if
no server certificate is used because the ciphersuites is anonymous and 0
no server certificate is used because the cipher suites is anonymous and 0
for failure.
SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success
......
doc/man3/SSL_CTX_set_ct_validation_callback.pod
浏览文件 @ c4de074e
......@@ -78,7 +78,7 @@ If no callback is set, SCTs will not be requested and Certificate Transparency
validation will not occur.
No callback will be invoked when the peer presents no certificate, e.g. by
employing an anonymous (aNULL) ciphersuite.
employing an anonymous (aNULL) cipher suite.
In that case the handshake continues as it would had no callback been
requested.
Callbacks are also not invoked when the peer certificate chain is invalid or
......
doc/man3/SSL_CTX_set_security_level.pod
浏览文件 @ c4de074e
......@@ -70,31 +70,31 @@ OpenSSL.
The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result RSA,
DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
are prohibited. All export ciphersuites are prohibited since they all offer
less than 80 bits of security. SSL version 2 is prohibited. Any ciphersuite
are prohibited. All export cipher suites are prohibited since they all offer
less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
using MD5 for the MAC is also prohibited.
=item B<Level 2>
Security level set to 112 bits of security. As a result RSA, DSA and DH keys
shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any ciphersuite using RC4 is also
In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
=item B<Level 3>
Security level set to 128 bits of security. As a result RSA, DSA and DH keys
shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
In addition to the level 2 exclusions ciphersuites not offering forward
In addition to the level 2 exclusions cipher suites not offering forward
secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
tickets are disabled.
=item B<Level 4>
Security level set to 192 bits of security. As a result RSA, DSA and DH keys
shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited.
Ciphersuites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are
not permitted.
Security level set to 192 bits of security. As a result RSA, DSA and
DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS
versions below 1.2 are not permitted.
=item B<Level 5>
......@@ -128,11 +128,11 @@ By setting an appropriate security level much of this complexity can be
avoided.
The bits of security limits affect all relevant parameters including
ciphersuite encryption algorithms, supported ECC curves, supported
cipher suite encryption algorithms, supported ECC curves, supported
signature algorithms, DH parameter sizes, certificate key sizes and
signature algorithms. This limit applies no matter what other custom
settings an application has set: so if the ciphersuite is set to B<ALL>
then only ciphersuites consistent with the security level are permissible.
settings an application has set: so if the cipher suite is set to B<ALL>
then only cipher suites consistent with the security level are permissible.
See SP800-57 for how the security limits are related to individual
algorithms.
......@@ -141,7 +141,7 @@ Some security levels require large key sizes for non-ECC public key
algorithms which can severely degrade performance. For example 256 bits
of security requires the use of RSA keys of at least 15360 bits in size.
Some restrictions can be gracefully handled: for example ciphersuites
Some restrictions can be gracefully handled: for example cipher suites
offering insufficient security are not sent by the client and will not
be selected by the server. Other restrictions such as the peer certificate
key size or the DH parameter size will abort the handshake with a fatal
......
doc/man3/SSL_CTX_set_split_send_fragment.pod
浏览文件 @ c4de074e
......@@ -51,7 +51,7 @@ used (i.e. normal non-parallel operation). The number of pipelines set must be
in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also
automatically turn on "read_ahead" (see L<SSL_CTX_set_read_ahead(3)>). This is
explained further below. OpenSSL will only every use more than one pipeline if
a ciphersuite is negotiated that uses a pipeline capable cipher provided by an
a cipher suite is negotiated that uses a pipeline capable cipher provided by an
engine.
Pipelining operates slightly differently for reading encrypted data compared to
......
doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
浏览文件 @ c4de074e
......@@ -112,12 +112,12 @@ exactly as if a full negotiation had occurred.
If an attacker can obtain the key used to encrypt a session ticket, they can
obtain the master secret for any ticket using that key and decrypt any traffic
using that session: even if the ciphersuite supports forward secrecy. As
using that session: even if the cipher suite supports forward secrecy. As
a result applications may wish to use multiple keys and avoid using long term
keys stored in files.
Applications can use longer keys to maintain a consistent level of security.
For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key
For example if a cipher suite uses 256 bit ciphers but only a 128 bit ticket key
the overall security is only 128 bits because breaking the ticket key will
enable an attacker to obtain the session keys.
......
doc/man3/SSL_CTX_set_tmp_dh_callback.pod
浏览文件 @ c4de074e
......@@ -74,7 +74,7 @@ can supply the DH parameters via a callback function.
Previous versions of the callback used B<is_export> and B<keylength>
parameters to control parameter generation for export and non-export
cipher suites. Modern servers that do not support export ciphersuites
cipher suites. Modern servers that do not support export cipher suites
are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
the callback but ignore B<keylength> and B<is_export> and simply
supply at least 2048-bit parameters in the callback.
......
doc/man3/SSL_get_peer_signature_nid.pod
浏览文件 @ c4de074e
......@@ -25,7 +25,7 @@ where it is B<EVP_PKEY_RSA_PSS>.
=head1 RETURN VALUES
These functions return 1 for success and 0 for failure. There are several
possible reasons for failure: the ciphersuite has no signature (e.g. it
possible reasons for failure: the cipher suite has no signature (e.g. it
uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
the functions were called before the peer signed a message.
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册