Reviewed-by: NRichard Levitte <levitte@openssl.org>

Date:   Tue Mar 15 15:19:44 2016 +0100

This commit updates the documentation of cms, ocsp, s_client,
s_server, and verify to reflect the new "-no_check_time"
option introduced in commit d35ff2c0
on 2015-07-31.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level.  For verification of SSL peers, this
is automatically set from the SSL security level.  Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.

The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature
and public key security levels.  Also added new tests of enforcement
of the verify_depth limit.

Updated documentation.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

Document the new split_send_frag, max_pipelines and read_buf options.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NKurt Roeckx <kurt@openssl.org>

This was a developer debugging feature and was never a useful public
interface.

Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.

Sorted the errors in x509_txt.c by error number.
Reviewed-by: NStephen Henson <steve@openssl.org>

Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NEmilia Käsper <emilia@openssl.org>

s_server was trying to set the ECDH curve when no-ec was defined. This also
highlighted the fact that the -no_ecdhe option to s_server is broken, and
doesn't make any sense any more (ECDHE is on by default and the only way it
can be disabled is through the cipherstring). Therefore this commit removes
the option.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

MR: #364

Document the libssl and command line application aspects of async.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Add documentation to all the appropriate apps for the new -no-CApath and
-no-CAfile options.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

This commit adds documentation for the new -listen option to s_server. Along
the way it also adds documentation for -dtls, -dtls1 and -dtls1_2 which was
missing.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

L<foo|foo> is sub-optimal  If the xref is the same as the title,
which is what we do, then you only need L<foo>.  This fixes all
1457 occurrences in 349 files.  Approximately.  (And pod used to
need both.)
Reviewed-by: NRichard Levitte <levitte@openssl.org>

the "-hack" option from s_server that set this option.
Reviewed-by: NTim Hudson <tjh@openssl.org>

the X509_V_FLAG_NO_ALT_CHAINS flag.
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>

The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Also moved some options around so all the "verify" options.
are clumped together.
Reviewed-by: NMatt Caswell <matt@openssl.org>

PR#3452

Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444

Remove RFC5878 code. It is no longer needed for CT and has numerous bugs

    298 424 656 882 939 1630 1807 2263 2294 2311 2424 2623
    2637 2686 2697 2921 2922 2940 3055 3112 3156 3177 3277

cms, ocsp, s_client, s_server and smime tools also use args_verify()
for parsing options, that makes them most of the same options
verify tool does. Add those options to man pages and reference
their explanation in the verify man page.

Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.

While the -help message references this option, the man page
doesn't mention the -no_ecdhe option.
This patch fixes this omission.

Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleaup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.

Submitted by: Daniel Black <daniel.subs@internode.on.net>

PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch

Add command line options -certform, -keyform and -pass to s_client and
s_server. This supports the use of alternative passphrase sources, key formats
and keys handled by an ENGINE.

Update docs.

PR: 542