[Midnightbsd-cvs] src [12148] trunk/secure/usr.bin/openssl/man: tag and update
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sun Jan 20 00:35:54 EST 2019
Revision: 12148
http://svnweb.midnightbsd.org/src/?rev=12148
Author: laffer1
Date: 2019-01-20 00:35:36 -0500 (Sun, 20 Jan 2019)
Log Message:
-----------
tag and update
Modified Paths:
--------------
trunk/secure/usr.bin/openssl/man/CA.pl.1
trunk/secure/usr.bin/openssl/man/asn1parse.1
trunk/secure/usr.bin/openssl/man/ca.1
trunk/secure/usr.bin/openssl/man/ciphers.1
trunk/secure/usr.bin/openssl/man/cms.1
trunk/secure/usr.bin/openssl/man/crl.1
trunk/secure/usr.bin/openssl/man/crl2pkcs7.1
trunk/secure/usr.bin/openssl/man/dgst.1
trunk/secure/usr.bin/openssl/man/dhparam.1
trunk/secure/usr.bin/openssl/man/dsa.1
trunk/secure/usr.bin/openssl/man/dsaparam.1
trunk/secure/usr.bin/openssl/man/ec.1
trunk/secure/usr.bin/openssl/man/ecparam.1
trunk/secure/usr.bin/openssl/man/enc.1
trunk/secure/usr.bin/openssl/man/errstr.1
trunk/secure/usr.bin/openssl/man/gendsa.1
trunk/secure/usr.bin/openssl/man/genpkey.1
trunk/secure/usr.bin/openssl/man/genrsa.1
trunk/secure/usr.bin/openssl/man/nseq.1
trunk/secure/usr.bin/openssl/man/ocsp.1
trunk/secure/usr.bin/openssl/man/openssl.1
trunk/secure/usr.bin/openssl/man/passwd.1
trunk/secure/usr.bin/openssl/man/pkcs12.1
trunk/secure/usr.bin/openssl/man/pkcs7.1
trunk/secure/usr.bin/openssl/man/pkcs8.1
trunk/secure/usr.bin/openssl/man/pkey.1
trunk/secure/usr.bin/openssl/man/pkeyparam.1
trunk/secure/usr.bin/openssl/man/pkeyutl.1
trunk/secure/usr.bin/openssl/man/rand.1
trunk/secure/usr.bin/openssl/man/req.1
trunk/secure/usr.bin/openssl/man/rsa.1
trunk/secure/usr.bin/openssl/man/rsautl.1
trunk/secure/usr.bin/openssl/man/s_client.1
trunk/secure/usr.bin/openssl/man/s_server.1
trunk/secure/usr.bin/openssl/man/s_time.1
trunk/secure/usr.bin/openssl/man/sess_id.1
trunk/secure/usr.bin/openssl/man/smime.1
trunk/secure/usr.bin/openssl/man/speed.1
trunk/secure/usr.bin/openssl/man/spkac.1
trunk/secure/usr.bin/openssl/man/ts.1
trunk/secure/usr.bin/openssl/man/tsget.1
trunk/secure/usr.bin/openssl/man/verify.1
trunk/secure/usr.bin/openssl/man/version.1
trunk/secure/usr.bin/openssl/man/x509.1
trunk/secure/usr.bin/openssl/man/x509v3_config.1
Modified: trunk/secure/usr.bin/openssl/man/CA.pl.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/CA.pl.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/CA.pl.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,7 +130,7 @@
.\" ========================================================================
.\"
.IX Title "CA.PL 1"
-.TH CA.PL 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH CA.PL 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Modified: trunk/secure/usr.bin/openssl/man/asn1parse.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/asn1parse.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/asn1parse.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH ASN1PARSE 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-asn1parse,
asn1parse \- ASN.1 parsing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -236,7 +233,7 @@
.PP
This example is part of a self signed certificate. Each line starts with the
offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased
-within the scope of any \s-1SET\s0 or \s-1SEQUENCE. \s0\fBhl=XX\fR gives the header length
+within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \fBhl=XX\fR gives the header length
(tag and length octets) of the current type. \fBl=XX\fR gives the length of
the contents octets.
.PP
Modified: trunk/secure/usr.bin/openssl/man/ca.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/ca.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/ca.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "CA 1"
-.TH CA 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH CA 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-ca,
ca \- sample minimal CA application
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -270,11 +267,11 @@
.IP "\fB\-startdate date\fR" 4
.IX Item "-startdate date"
this allows the start date to be explicitly set. The format of the
-date is \s-1YYMMDDHHMMSSZ \s0(the same as an \s-1ASN1\s0 UTCTime structure).
+date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
.IP "\fB\-enddate date\fR" 4
.IX Item "-enddate date"
this allows the expiry date to be explicitly set. The format of the
-date is \s-1YYMMDDHHMMSSZ \s0(the same as an \s-1ASN1\s0 UTCTime structure).
+date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
.IP "\fB\-days arg\fR" 4
.IX Item "-days arg"
the number of days to certify the certificate for.
@@ -284,7 +281,7 @@
This option also applies to CRLs.
.IP "\fB\-policy arg\fR" 4
.IX Item "-policy arg"
-this option defines the \s-1CA \s0\*(L"policy\*(R" to use. This is a section in
+this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
the configuration file which decides which fields should be mandatory
or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section
for more information.
@@ -417,8 +414,8 @@
of the configuration file (or in the default section of the
configuration file). Besides \fBdefault_ca\fR, the following options are
read directly from the \fBca\fR section:
- \s-1RANDFILE
-\&\s0 preserve
+ \s-1RANDFILE\s0
+ preserve
msie_hack
With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
change in future releases.
@@ -491,6 +488,10 @@
versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier,
it's recommended to use the value \fBno\fR, especially if combined with
the \fB\-selfsign\fR command line option.
+.Sp
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
.IP "\fBserial\fR" 4
.IX Item "serial"
a text file containing the next serial number to use in hex. Mandatory.
Modified: trunk/secure/usr.bin/openssl/man/ciphers.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/ciphers.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/ciphers.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH CIPHERS 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-ciphers,
ciphers \- SSL cipher display and cipher list tool.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -198,7 +195,7 @@
.PP
Lists of cipher suites can be combined in a single cipher string using the
\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
-\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1 \s0\fBand\fR the \s-1DES\s0
+\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
algorithms.
.PP
Each cipher string can be optionally preceded by the characters \fB!\fR,
@@ -253,21 +250,21 @@
.IX Item "LOW"
Low strength encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites.
-As of OpenSSL 1.0.1s, these are disabled in default builds.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
.IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
.IX Item "EXP, EXPORT"
Export strength encryption algorithms. Including 40 and 56 bits algorithms.
-As of OpenSSL 1.0.1s, these are disabled in default builds.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
.IP "\fB\s-1EXPORT40\s0\fR" 4
.IX Item "EXPORT40"
40\-bit export encryption algorithms
-As of OpenSSL 1.0.1s, these are disabled in default builds.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
.IP "\fB\s-1EXPORT56\s0\fR" 4
.IX Item "EXPORT56"
56\-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
56 bit export ciphers is empty unless OpenSSL has been explicitly configured
with support for experimental ciphers.
-As of OpenSSL 1.0.1s, these are disabled in default builds.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
.IX Item "eNULL, NULL"
The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
@@ -288,22 +285,23 @@
When in doubt, include \fB!aNULL\fR in your cipherlist.
.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
.IX Item "kRSA, RSA"
-cipher suites using \s-1RSA\s0 key exchange.
+cipher suites using \s-1RSA\s0 key exchange or authentication. \fB\s-1RSA\s0\fR is an alias for
+\&\fBkRSA\fR.
.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
.IX Item "kDHr, kDHd, kDH"
cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
-and \s-1DSS\s0 keys or either respectively. Not implemented.
-.IP "\fBkEDH\fR" 4
-.IX Item "kEDH"
+and \s-1DSS\s0 keys or either respectively.
+.IP "\fBkDHE\fR, \fBkEDH\fR" 4
+.IX Item "kDHE, kEDH"
cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher
suites.
-.IP "\fB\s-1EDH\s0\fR" 4
-.IX Item "EDH"
+.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4
+.IX Item "DHE, EDH"
cipher suites using authenticated ephemeral \s-1DH\s0 key agreement.
.IP "\fB\s-1ADH\s0\fR" 4
.IX Item "ADH"
anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic
-Curve \s-1DH \s0(\s-1ECDH\s0) cipher suites.
+Curve \s-1DH\s0 (\s-1ECDH\s0) cipher suites.
.IP "\fB\s-1DH\s0\fR" 4
.IX Item "DH"
cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s0 and fixed \s-1DH.\s0
@@ -311,12 +309,12 @@
.IX Item "kECDHr, kECDHe, kECDH"
cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0
keys or either respectively.
-.IP "\fBkEECDH\fR" 4
-.IX Item "kEECDH"
+.IP "\fBkECDHE\fR, \fBkEECDH\fR" 4
+.IX Item "kECDHE, kEECDH"
cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous
cipher suites.
-.IP "\fB\s-1EECDH\s0\fR" 4
-.IX Item "EECDH"
+.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4
+.IX Item "ECDHE, EECDH"
cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement.
.IP "\fB\s-1AECDH\s0\fR" 4
.IX Item "AECDH"
@@ -334,7 +332,7 @@
.IP "\fBaDH\fR" 4
.IX Item "aDH"
cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
-\&\s-1DH\s0 keys. Not implemented.
+\&\s-1DH\s0 keys.
.IP "\fBaECDH\fR" 4
.IX Item "aECDH"
cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates
@@ -367,7 +365,7 @@
cipher suites using triple \s-1DES.\s0
.IP "\fB\s-1DES\s0\fR" 4
.IX Item "DES"
-cipher suites using \s-1DES \s0(not triple \s-1DES\s0).
+cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
.IP "\fB\s-1RC4\s0\fR" 4
.IX Item "RC4"
cipher suites using \s-1RC4.\s0
@@ -391,7 +389,7 @@
ciphersuites using \s-1SHA256\s0 or \s-1SHA384.\s0
.IP "\fBaGOST\fR" 4
.IX Item "aGOST"
-cipher suites using \s-1GOST R 34.10 \s0(either 2001 or 94) for authenticaction
+cipher suites using \s-1GOST R 34.10\s0 (either 2001 or 94) for authenticaction
(needs an engine supporting \s-1GOST\s0 algorithms).
.IP "\fBaGOST01\fR" 4
.IX Item "aGOST01"
@@ -408,10 +406,21 @@
cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0
.IP "\fB\s-1GOST89MAC\s0\fR" 4
.IX Item "GOST89MAC"
-cipher suites using \s-1GOST 28147\-89 MAC \s0\fBinstead of\fR \s-1HMAC.\s0
+cipher suites using \s-1GOST 28147\-89 MAC\s0 \fBinstead of\fR \s-1HMAC.\s0
.IP "\fB\s-1PSK\s0\fR" 4
.IX Item "PSK"
cipher suites using pre-shared keys (\s-1PSK\s0).
+.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4
+.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192"
+enables suite B mode operation using 128 (permitting 192 bit mode by peer)
+128 bit (not permitting 192 bit by peer) or 192 bit level of security
+respectively. If used these cipherstrings should appear first in the cipher
+list and anything after them is ignored. Setting Suite B mode has additional
+consequences required to comply with \s-1RFC6460.\s0 In particular the supported
+signature algorithms is reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0
+only the elliptic curves P\-256 and P\-384 can be used and only the two suite B
+compliant ciphersuites (\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and
+\&\s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are permissible.
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
@@ -432,12 +441,10 @@
\& SSL_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA
\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
\&
-\& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented.
-\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented.
-\& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented.
-\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
+\& SSL_DH_DSS_WITH_DES_CBC_SHA DH\-DSS\-DES\-CBC\-SHA
+\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA
+\& SSL_DH_RSA_WITH_DES_CBC_SHA DH\-RSA\-DES\-CBC\-SHA
+\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA
\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA
\& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA
\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA
@@ -494,10 +501,10 @@
\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA
\&
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented.
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented.
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA
\&
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA
@@ -513,10 +520,10 @@
\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA
\&
-\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA Not implemented.
-\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA Not implemented.
+\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA
+\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA
+\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA
+\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA
\&
\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA
\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA
@@ -531,8 +538,8 @@
.Vb 1
\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
\&
-\& TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented.
+\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA
+\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA
\&
\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA
\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA
@@ -604,15 +611,15 @@
\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
\&
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented.
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented.
-\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented.
-\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented.
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256
+\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256
+\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384
\&
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented.
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented.
-\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented.
-\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented.
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256
+\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256
+\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384
\&
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
@@ -670,9 +677,6 @@
.Ve
.SH "NOTES"
.IX Header "NOTES"
-The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL
-because there is no support for \s-1DH\s0 certificates.
-.PP
Some compiled versions of OpenSSL may not include all the ciphers
listed here because some ciphers were excluded at compile time.
.SH "EXAMPLES"
Modified: trunk/secure/usr.bin/openssl/man/cms.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/cms.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/cms.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "CMS 1"
-.TH CMS 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH CMS 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-cms,
cms \- CMS utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -195,6 +192,7 @@
[\fB\-secretkeyid id\fR]
[\fB\-econtent_type type\fR]
[\fB\-inkey file\fR]
+[\fB\-keyopt name:parameter\fR]
[\fB\-passin arg\fR]
[\fB\-rand file(s)\fR]
[\fBcert.pem...\fR]
@@ -245,29 +243,29 @@
resign a message: take an existing message and one or more new signers.
.IP "\fB\-data_create\fR" 4
.IX Item "-data_create"
-Create a \s-1CMS \s0\fBData\fR type.
+Create a \s-1CMS\s0 \fBData\fR type.
.IP "\fB\-data_out\fR" 4
.IX Item "-data_out"
\&\fBData\fR type and output the content.
.IP "\fB\-digest_create\fR" 4
.IX Item "-digest_create"
-Create a \s-1CMS \s0\fBDigestedData\fR type.
+Create a \s-1CMS\s0 \fBDigestedData\fR type.
.IP "\fB\-digest_verify\fR" 4
.IX Item "-digest_verify"
-Verify a \s-1CMS \s0\fBDigestedData\fR type and output the content.
+Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content.
.IP "\fB\-compress\fR" 4
.IX Item "-compress"
-Create a \s-1CMS \s0\fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
+Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
support for this option to work, otherwise it will output an error.
.IP "\fB\-uncompress\fR" 4
.IX Item "-uncompress"
-Uncompress a \s-1CMS \s0\fBCompressedData\fR type and output the content. OpenSSL must be
+Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be
compiled with \fBzlib\fR support for this option to work, otherwise it will
output an error.
.IP "\fB\-EncryptedData_encrypt\fR" 4
.IX Item "-EncryptedData_encrypt"
-Encrypt content using supplied symmetric key and algorithm using a \s-1CMS
-\&\s0\fBEncrytedData\fR type and output the content.
+Encrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0
+\&\fBEncrytedData\fR type and output the content.
.IP "\fB\-sign_receipt\fR" 4
.IX Item "-sign_receipt"
Generate and output a signed receipt for the supplied message. The input
@@ -330,7 +328,7 @@
.IX Item "-text"
this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME \s0
+off text headers: if the decrypted or verified message is not of \s-1MIME\s0
type text/plain then an error occurs.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
@@ -356,8 +354,8 @@
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
.IP "\fB\-[cipher]\fR" 4
.IX Item "-[cipher]"
-the encryption algorithm to use. For example triple \s-1DES \s0(168 bits) \- \fB\-des3\fR
-or 256 bit \s-1AES \- \s0\fB\-aes256\fR. Any standard algorithm name (as used by the
+the encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
+or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
example \fB\-aes_128_cbc\fR. See \fBenc\fR for a list of ciphers
supported by your version of OpenSSL.
@@ -416,8 +414,16 @@
verification was successful.
.IP "\fB\-recip file\fR" 4
.IX Item "-recip file"
-the recipients certificate when decrypting a message. This certificate
-must match one of the recipients of the message or an error occurs.
+when decrypting a message this specifies the recipients certificate. The
+certificate must match one of the recipients of the message or an error
+occurs.
+.Sp
+When encrypting a message this option may be used multiple times to specify
+each recipient. This form \fBmust\fR be used if customised parameters are
+required (for example to specify RSA-OAEP).
+.Sp
+Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
+option.
.IP "\fB\-keyid\fR" 4
.IX Item "-keyid"
use subject key identifier to identify certificates instead of issuer name and
@@ -466,6 +472,12 @@
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
+.IP "\fB\-keyopt name:opt\fR" 4
+.IX Item "-keyopt name:opt"
+for signing and encryption this option can be used multiple times to
+set customised parameters for the preceding key or certificate. It can
+currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
+or to modify default parameters for \s-1ECDH.\s0
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
the private key password source. For more information about the format of \fBarg\fR
@@ -574,6 +586,10 @@
.PP
The \fB\-secretkey\fR option when used with \fB\-encrypt\fR.
.PP
+The use of \s-1PSS\s0 with \fB\-sign\fR.
+.PP
+The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR.
+.PP
Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot
be processed by the older \fBsmime\fR command.
.SH "EXAMPLES"
@@ -680,6 +696,27 @@
.Vb 1
\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
+.PP
+Sign mail using RSA-PSS:
+.PP
+.Vb 2
+\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
+\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss
+.Ve
+.PP
+Create encrypted mail using RSA-OAEP:
+.PP
+.Vb 2
+\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
+\& \-recip cert.pem \-keyopt rsa_padding_mode:oaep
+.Ve
+.PP
+Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate:
+.PP
+.Vb 2
+\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
+\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256
+.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
@@ -702,6 +739,13 @@
.SH "HISTORY"
.IX Header "HISTORY"
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
-added in OpenSSL 1.0.0
+added in OpenSSL 1.0.0.
.PP
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \fBkeyopt\fR option was first added in OpenSSL 1.0.2.
+.PP
+Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2.
+.PP
+The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR was first added
+to OpenSSL 1.0.2.
+.PP
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
Modified: trunk/secure/usr.bin/openssl/man/crl.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/crl.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/crl.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "CRL 1"
-.TH CRL 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH CRL 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-crl,
crl \- CRL utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -235,7 +232,7 @@
Output the text form of a \s-1DER\s0 encoded certificate:
.PP
.Vb 1
-\& openssl crl \-in crl.der \-text \-noout
+\& openssl crl \-in crl.der \-inform DER \-text \-noout
.Ve
.SH "BUGS"
.IX Header "BUGS"
Modified: trunk/secure/usr.bin/openssl/man/crl2pkcs7.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/crl2pkcs7.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/crl2pkcs7.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH CRL2PKCS7 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-crl2pkcs7,
crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/dgst.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/dgst.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/dgst.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "DGST 1"
-.TH DGST 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH DGST 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-dgst,
dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 \- message digests
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -233,8 +230,8 @@
create a hashed \s-1MAC\s0 using \*(L"key\*(R".
.IP "\fB\-mac alg\fR" 4
.IX Item "-mac alg"
-create \s-1MAC \s0(keyed Message Authentication Code). The most popular \s-1MAC\s0
-algorithm is \s-1HMAC \s0(hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
+create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0
+algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
which are not based on hash, for instance \fBgost-mac\fR algorithm,
supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set
via \fB\-macopt\fR parameter.
Modified: trunk/secure/usr.bin/openssl/man/dhparam.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/dhparam.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/dhparam.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH DHPARAM 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-dhparam,
dhparam \- DH parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/dsa.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/dsa.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/dsa.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "DSA 1"
-.TH DSA 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH DSA 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-dsa,
dsa \- DSA key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/dsaparam.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/dsaparam.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/dsaparam.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH DSAPARAM 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-dsaparam,
dsaparam \- DSA parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -163,7 +160,7 @@
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
-form compatible with \s-1RFC2459 \s0(\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
+form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
Modified: trunk/secure/usr.bin/openssl/man/ec.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/ec.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/ec.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "EC 1"
-.TH EC 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH EC 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-ec,
ec \- EC key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/ecparam.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/ecparam.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/ecparam.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH ECPARAM 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-ecparam,
ecparam \- EC parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -208,8 +205,8 @@
.IP "\fB\-conv_form\fR" 4
.IX Item "-conv_form"
This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: \fBcompressed\fR (the default
-value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding
+into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the
+default value) and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
Modified: trunk/secure/usr.bin/openssl/man/enc.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/enc.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/enc.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "ENC 1"
-.TH ENC 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH ENC 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-enc,
enc \- symmetric cipher routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/errstr.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/errstr.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/errstr.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH ERRSTR 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-errstr,
errstr \- lookup error codes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/gendsa.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/gendsa.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/gendsa.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "GENDSA 1"
-.TH GENDSA 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH GENDSA 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-gendsa,
gendsa \- generate a DSA private key from a set of parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/genpkey.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/genpkey.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/genpkey.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "GENPKEY 1"
-.TH GENPKEY 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH GENPKEY 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-genpkey,
genpkey \- generate a private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -147,7 +144,7 @@
[\fB\-out filename\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-pass arg\fR]
-[\fB\-cipher\fR]
+[\fB\-\f(BIcipher\fB\fR]
[\fB\-engine id\fR]
[\fB\-paramfile file\fR]
[\fB\-algorithm alg\fR]
@@ -165,18 +162,18 @@
used.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
-This specifies the output format \s-1DER\s0 or \s-1PEM.\s0
+This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0
.IP "\fB\-pass arg\fR" 4
.IX Item "-pass arg"
-the output file password source. For more information about the format of \fBarg\fR
+The output file password source. For more information about the format of \fBarg\fR
see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
-.IP "\fB\-cipher\fR" 4
+.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
-specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
+Specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
@@ -183,18 +180,31 @@
options.
.IP "\fB\-algorithm alg\fR" 4
.IX Item "-algorithm alg"
-public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
+Public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
-are mutually exclusive.
+are mutually exclusive. Engines may add algorithms in addition to the standard
+built-in ones.
+.Sp
+Valid built-in algorithm names for private key generation are \s-1RSA\s0 and \s-1EC.\s0
+.Sp
+Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
+option) are \s-1DH, DSA\s0 and \s-1EC.\s0
+.Sp
+Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for the \s-1DH\s0
+algorithm. These are identical and do not indicate the type of parameters that
+will be generated. Use the \fBdh_paramgen_type\fR option to indicate whether PKCS#3
+or X9.42 \s-1DH\s0 parameters are required. See \*(L"\s-1DH\s0 Parameter Generation Options\*(R"
+below for more details.
.IP "\fB\-pkeyopt opt:value\fR" 4
.IX Item "-pkeyopt opt:value"
-set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
+Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR below for more details.
+implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and
+\&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details.
.IP "\fB\-genparam\fR" 4
.IX Item "-genparam"
-generate a set of parameters instead of a private key. If used this option must
-precede and \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
+Generate a set of parameters instead of a private key. If used this option must
+precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
.IP "\fB\-paramfile filename\fR" 4
.IX Item "-paramfile filename"
Some public key algorithms generate a private key based on a set of parameters.
@@ -211,8 +221,8 @@
The options supported by each algorith and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.
-.SH "RSA KEY GENERATION OPTIONS"
-.IX Header "RSA KEY GENERATION OPTIONS"
+.SS "\s-1RSA\s0 Key Generation Options"
+.IX Subsection "RSA Key Generation Options"
.IP "\fBrsa_keygen_bits:numbits\fR" 4
.IX Item "rsa_keygen_bits:numbits"
The number of bits in the generated key. If not specified 1024 is used.
@@ -220,24 +230,68 @@
.IX Item "rsa_keygen_pubexp:value"
The \s-1RSA\s0 public exponent value. This can be a large decimal or
hexadecimal value if preceded by \fB0x\fR. Default value is 65537.
-.SH "DSA PARAMETER GENERATION OPTIONS"
-.IX Header "DSA PARAMETER GENERATION OPTIONS"
+.SS "\s-1EC\s0 Key Generation Options"
+.IX Subsection "EC Key Generation Options"
+The \s-1EC\s0 key generation options can also be used for parameter generation.
+.IP "\fBec_paramgen_curve:curve\fR" 4
+.IX Item "ec_paramgen_curve:curve"
+The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R".
+.IP "\fBec_param_enc:encoding\fR" 4
+.IX Item "ec_param_enc:encoding"
+The encoding to use for parameters. The \*(L"encoding\*(R" parameter must be either
+\&\*(L"named_curve\*(R" or \*(L"explicit\*(R". The default value is \*(L"named_curve\*(R".
+.SH "PARAMETER GENERATION OPTIONS"
+.IX Header "PARAMETER GENERATION OPTIONS"
+The options supported by each algorithm and indeed each implementation of an
+algorithm can vary. The options for the OpenSSL implementations are detailed
+below.
+.SS "\s-1DSA\s0 Parameter Generation Options"
+.IX Subsection "DSA Parameter Generation Options"
.IP "\fBdsa_paramgen_bits:numbits\fR" 4
.IX Item "dsa_paramgen_bits:numbits"
-The number of bits in the generated parameters. If not specified 1024 is used.
-.SH "DH PARAMETER GENERATION OPTIONS"
-.IX Header "DH PARAMETER GENERATION OPTIONS"
+The number of bits in the generated prime. If not specified 1024 is used.
+.IP "\fBdsa_paramgen_q_bits:numbits\fR" 4
+.IX Item "dsa_paramgen_q_bits:numbits"
+The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
+specified 160 is used.
+.IP "\fBdsa_paramgen_md:digest\fR" 4
+.IX Item "dsa_paramgen_md:digest"
+The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
+or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size
+of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be
+ignored. If not set, then a digest will be used that gives an output matching
+the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224
+or \fBsha256\fR if it is 256.
+.SS "\s-1DH\s0 Parameter Generation Options"
+.IX Subsection "DH Parameter Generation Options"
.IP "\fBdh_paramgen_prime_len:numbits\fR" 4
.IX Item "dh_paramgen_prime_len:numbits"
-The number of bits in the prime parameter \fBp\fR.
+The number of bits in the prime parameter \fBp\fR. The default is 1024.
+.IP "\fBdh_paramgen_subprime_len:numbits\fR" 4
+.IX Item "dh_paramgen_subprime_len:numbits"
+The number of bits in the sub prime parameter \fBq\fR. The default is 256 if the
+prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
+conjunction with the \fBdh_paramgen_type\fR option to generate X9.42 \s-1DH\s0 parameters.
.IP "\fBdh_paramgen_generator:value\fR" 4
.IX Item "dh_paramgen_generator:value"
-The value to use for the generator \fBg\fR.
-.SH "EC PARAMETER GENERATION OPTIONS"
-.IX Header "EC PARAMETER GENERATION OPTIONS"
-.IP "\fBec_paramgen_curve:curve\fR" 4
-.IX Item "ec_paramgen_curve:curve"
-the \s-1EC\s0 curve to use.
+The value to use for the generator \fBg\fR. The default is 2.
+.IP "\fBdh_paramgen_type:value\fR" 4
+.IX Item "dh_paramgen_type:value"
+The type of \s-1DH\s0 parameters to generate. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0
+The default is 0.
+.IP "\fBdh_rfc5114:num\fR" 4
+.IX Item "dh_rfc5114:num"
+If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used
+instead of generating new parameters. The value \fBnum\fR can take the
+values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of
+1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
+and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections
+2.1, 2.2 and 2.3 respectively. If present this overrides all other \s-1DH\s0 parameter
+options.
+.SS "\s-1EC\s0 Parameter Generation Options"
+.IX Subsection "EC Parameter Generation Options"
+The \s-1EC\s0 parameter generation options are the same as for key generation. See
+\&\*(L"\s-1EC\s0 Key Generation Options\*(R" above.
.SH "GOST2001 KEY GENERATION AND PARAMETER OPTIONS"
.IX Header "GOST2001 KEY GENERATION AND PARAMETER OPTIONS"
Gost 2001 support is not enabled by default. To enable this algorithm,
@@ -289,11 +343,11 @@
\& \-pkeyopt rsa_keygen_pubexp:3
.Ve
.PP
-Generate 1024 bit \s-1DSA\s0 parameters:
+Generate 2048 bit \s-1DSA\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e
-\& \-pkeyopt dsa_paramgen_bits:1024
+\& \-pkeyopt dsa_paramgen_bits:2048
.Ve
.PP
Generate \s-1DSA\s0 key from parameters:
@@ -302,15 +356,41 @@
\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
.Ve
.PP
-Generate 1024 bit \s-1DH\s0 parameters:
+Generate 2048 bit \s-1DH\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
-\& \-pkeyopt dh_paramgen_prime_len:1024
+\& \-pkeyopt dh_paramgen_prime_len:2048
.Ve
.PP
+Generate 2048 bit X9.42 \s-1DH\s0 parameters:
+.PP
+.Vb 3
+\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
+\& \-pkeyopt dh_paramgen_prime_len:2048 \e
+\& \-pkeyopt dh_paramgen_type:1
+.Ve
+.PP
+Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup:
+.PP
+.Vb 1
+\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2
+.Ve
+.PP
Generate \s-1DH\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
.Ve
+.PP
+Generate \s-1EC\s0 key directly:
+.PP
+.Vb 3
+\& openssl genpkey \-algorithm EC \-out eckey.pem \e
+\& \-pkeyopt ec_paramgen_curve:P\-384 \e
+\& \-pkeyopt ec_param_enc:named_curve
+.Ve
+.SH "HISTORY"
+.IX Header "HISTORY"
+The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly,
+were added in OpenSSL 1.0.2.
Modified: trunk/secure/usr.bin/openssl/man/genrsa.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/genrsa.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/genrsa.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,21 +130,26 @@
.\" ========================================================================
.\"
.IX Title "GENRSA 1"
-.TH GENRSA 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH GENRSA 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-genrsa,
genrsa \- generate an RSA private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenrsa\fR
+[\fB\-help\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
+[\fB\-aria128\fR]
+[\fB\-aria192\fR]
+[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
@@ -165,16 +166,19 @@
The \fBgenrsa\fR command generates an \s-1RSA\s0 private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
-the output filename. If this argument is not specified then standard output is
-used.
+Output the key to the specified file. If this argument is not specified then
+standard output is used.
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
the output file password source. For more information about the format of \fBarg\fR
see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
-.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4
-.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea"
+.IP "\fB\-aes128|\-aes192|\-aes256|\-aria128|\-aria192|\-aria256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4
+.IX Item "-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea"
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
@@ -186,7 +190,7 @@
.IX Item "-rand file(s)"
a file or files containing random data used to seed the random number
generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
-Multiple files can be specified separated by a OS-dependent character.
+Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "\fB\-engine id\fR" 4
@@ -198,7 +202,7 @@
.IP "\fBnumbits\fR" 4
.IX Item "numbits"
the size of the private key to generate in bits. This must be the last option
-specified. The default is 512.
+specified. The default is 2048.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1RSA\s0 private key generation essentially involves the generation of two prime
@@ -219,3 +223,11 @@
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgendsa\fR\|(1)
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
Modified: trunk/secure/usr.bin/openssl/man/nseq.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/nseq.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/nseq.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "NSEQ 1"
-.TH NSEQ 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH NSEQ 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-nseq,
nseq \- create or examine a netscape certificate sequence
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/ocsp.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/ocsp.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/ocsp.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "OCSP 1"
-.TH OCSP 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH OCSP 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-ocsp,
ocsp \- Online Certificate Status Protocol utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -163,10 +160,11 @@
[\fB\-no_nonce\fR]
[\fB\-url \s-1URL\s0\fR]
[\fB\-host host:n\fR]
+[\fB\-header name value\fR]
[\fB\-path\fR]
[\fB\-CApath dir\fR]
[\fB\-CAfile file\fR]
-[\fB\-no_alt_chains\fR]]
+[\fB\-no_alt_chains\fR]
[\fB\-VAfile file\fR]
[\fB\-validity_period n\fR]
[\fB\-status_age n\fR]
@@ -250,12 +248,19 @@
with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
.IP "\fB\-url responder_url\fR" 4
.IX Item "-url responder_url"
-specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS \s0(\s-1SSL/TLS\s0) URLs can be specified.
+specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
.IX Item "-host hostname:port, -path pathname"
if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
or \*(L"/\*(R" by default.
+.IP "\fB\-header name value\fR" 4
+.IX Item "-header name value"
+If sending a request to an \s-1OCSP\s0 server, then the specified header name and
+value are added to the \s-1HTTP\s0 request. Note that the \fBname\fR and \fBvalue\fR must
+be specified as two separate parameters, not as a single quoted string, and
+that the header name does not have the trailing colon.
+Some \s-1OCSP\s0 responders require a Host header; use this flag to provide it.
.IP "\fB\-timeout seconds\fR" 4
.IX Item "-timeout seconds"
connection timeout to the \s-1OCSP\s0 responder in seconds
@@ -490,4 +495,4 @@
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
Modified: trunk/secure/usr.bin/openssl/man/openssl.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/openssl.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/openssl.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,7 +130,7 @@
.\" ========================================================================
.\"
.IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH OPENSSL 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -215,7 +211,7 @@
Cipher Suite Description Determination.
.IP "\fBcms\fR" 10
.IX Item "cms"
-\&\s-1CMS \s0(Cryptographic Message Syntax) utility
+\&\s-1CMS\s0 (Cryptographic Message Syntax) utility
.IP "\fBcrl\fR" 10
.IX Item "crl"
Certificate Revocation List (\s-1CRL\s0) Management.
@@ -242,7 +238,7 @@
\&\fBgenpkey\fR and \fBpkeyparam\fR
.IP "\fBec\fR" 10
.IX Item "ec"
-\&\s-1EC \s0(Elliptic curve) key processing
+\&\s-1EC\s0 (Elliptic curve) key processing
.IP "\fBecparam\fR" 10
.IX Item "ecparam"
\&\s-1EC\s0 parameter manipulation and generation
Modified: trunk/secure/usr.bin/openssl/man/passwd.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/passwd.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/passwd.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PASSWD 1"
-.TH PASSWD 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PASSWD 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-passwd,
passwd \- compute password hashes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/pkcs12.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/pkcs12.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/pkcs12.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PKCS12 1"
-.TH PKCS12 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PKCS12 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-pkcs12,
pkcs12 \- PKCS#12 file utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -313,7 +310,7 @@
.IX Item "-keypbe alg, -certpbe alg"
these options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
-can be used (see \fB\s-1NOTES\s0\fR section for more information). If a a cipher name
+can be used (see \fB\s-1NOTES\s0\fR section for more information). If a cipher name
(as output by the \fBlist-cipher-algorithms\fR command is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
Modified: trunk/secure/usr.bin/openssl/man/pkcs7.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/pkcs7.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/pkcs7.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PKCS7 1"
-.TH PKCS7 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PKCS7 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-pkcs7,
pkcs7 \- PKCS#7 utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/pkcs8.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/pkcs8.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/pkcs8.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PKCS8 1"
-.TH PKCS8 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PKCS8 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-pkcs8,
pkcs8 \- PKCS#8 format private key conversion tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -157,6 +154,7 @@
[\fB\-embed\fR]
[\fB\-nsdb\fR]
[\fB\-v2 alg\fR]
+[\fB\-v2prf alg\fR]
[\fB\-v1 alg\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
@@ -239,6 +237,11 @@
.Sp
The \fBalg\fR argument is the encryption algorithm to use, valid values include
\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used.
+.IP "\fB\-v2prf alg\fR" 4
+.IX Item "-v2prf alg"
+This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value
+values would be \fBhmacWithSHA256\fR. If this option isn't set then the default
+for the cipher is used or \fBhmacWithSHA1\fR if there is no default.
.IP "\fB\-v1 alg\fR" 4
.IX Item "-v1 alg"
This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
@@ -309,6 +312,13 @@
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem
.Ve
.PP
+Convert a private from traditional to PKCS#5 v2.0 format using \s-1AES\s0 with
+256 bits in \s-1CBC\s0 mode and \fBhmacWithSHA256\fR \s-1PRF:\s0
+.PP
+.Vb 1
+\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA256 \-out enckey.pem
+.Ve
+.PP
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(\s-1DES\s0):
.PP
@@ -343,7 +353,7 @@
implementation is reasonably accurate at least as far as these
algorithms are concerned.
.PP
-The format of PKCS#8 \s-1DSA \s0(and other) private keys is not well documented:
+The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented:
it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0
PKCS#8 private key format complies with this standard.
.SH "BUGS"
Modified: trunk/secure/usr.bin/openssl/man/pkey.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/pkey.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/pkey.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PKEY 1"
-.TH PKEY 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PKEY 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-pkey,
pkey \- public or private key processing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/pkeyparam.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/pkeyparam.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/pkeyparam.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PKEYPARAM 1"
-.TH PKEYPARAM 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PKEYPARAM 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-pkeyparam,
pkeyparam \- public key algorithm parameter processing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/pkeyutl.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/pkeyutl.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/pkeyutl.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "PKEYUTL 1"
-.TH PKEYUTL 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH PKEYUTL 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-pkeyutl,
pkeyutl \- public key algorithm utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -247,6 +244,19 @@
which specifies the digest in use for sign, verify and verifyrecover operations.
The value \fBalg\fR should represent a digest name as used in the
\&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR.
+This value is used only for sanity-checking the lengths of data passed in to
+the \fBpkeyutl\fR and for creating the structures that make up the signature
+(e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures).
+In case of \s-1RSA, ECDSA\s0 and \s-1DSA\s0 signatures, this utility
+will not perform hashing on input data but rather use the data directly as
+input of signature algorithm. Depending on key type, signature type and mode
+of padding, the maximum acceptable lengths of input data differ. In general,
+with \s-1RSA\s0 the signed data can't be longer than the key modulus, in case of \s-1ECDSA\s0
+and \s-1DSA\s0 the data shouldn't be longer than field size, otherwise it will be
+silently truncated to field size.
+.PP
+In other words, if the value of digest is \fBsha1\fR the input should be 20 bytes
+long binary encoding of \s-1SHA\-1\s0 hash function output.
.SH "RSA ALGORITHM"
.IX Header "RSA ALGORITHM"
The \s-1RSA\s0 algorithm supports encrypt, decrypt, sign, verify and verifyrecover
Modified: trunk/secure/usr.bin/openssl/man/rand.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/rand.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/rand.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "RAND 1"
-.TH RAND 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH RAND 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-rand,
rand \- generate pseudo\-random bytes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/req.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/req.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/req.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "REQ 1"
-.TH REQ 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH REQ 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-req,
req \- PKCS#10 certificate request and certificate generating utility.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -166,7 +163,6 @@
[\fB\-keygen_engine id\fR]
[\fB\-[digest]\fR]
[\fB\-config filename\fR]
-[\fB\-subj arg\fR]
[\fB\-multivalue\-rdn\fR]
[\fB\-x509\fR]
[\fB\-days n\fR]
@@ -315,7 +311,7 @@
.Sp
Some public key algorithms may override this choice. For instance, \s-1DSA\s0
signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use
-\&\s-1GOST R 34.11\-94 \s0(\fB\-md_gost94\fR).
+\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR).
.IP "\fB\-config filename\fR" 4
.IX Item "-config filename"
this allows an alternative configuration file to be specified,
@@ -341,8 +337,11 @@
request. This is typically used to generate a test certificate or
a self signed root \s-1CA.\s0 The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
-using the \fBset_serial\fR option \fB0\fR will be used for the serial
-number.
+using the \fBset_serial\fR option, a large random number will be used for
+the serial number.
+.Sp
+If existing request is specified with the \fB\-in\fR option, it is converted
+to the self signed certificate otherwise new request is created.
.IP "\fB\-days n\fR" 4
.IX Item "-days n"
when the \fB\-x509\fR option is being used this specifies the number of
@@ -435,9 +434,12 @@
configuration file values.
.IP "\fBdefault_bits\fR" 4
.IX Item "default_bits"
-This specifies the default key size in bits. If not specified then
-512 is used. It is used if the \fB\-new\fR option is used. It can be
-overridden by using the \fB\-newkey\fR option.
+Specifies the default key size in bits.
+.Sp
+This option is used in conjunction with the \fB\-new\fR option to generate
+a new key. It can be overridden by specifying an explicit key size in
+the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If
+no key size is specified then 2048 bits is used.
.IP "\fBdefault_keyfile\fR" 4
.IX Item "default_keyfile"
This is the default filename to write a private key to. If not
@@ -468,8 +470,7 @@
.IP "\fBdefault_md\fR" 4
.IX Item "default_md"
This option specifies the digest algorithm to use. Possible values
-include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This
-option can be overridden on the command line.
+include \fBmd5 sha1 mdc2\fR. This option can be overridden on the command line.
.IP "\fBstring_mask\fR" 4
.IX Item "string_mask"
This option masks out the use of certain string types in certain
@@ -582,7 +583,7 @@
Create a private key and then generate a certificate request from it:
.PP
.Vb 2
-\& openssl genrsa \-out key.pem 1024
+\& openssl genrsa \-out key.pem 2048
\& openssl req \-new \-key key.pem \-out req.pem
.Ve
.PP
@@ -589,13 +590,13 @@
The same but just using req:
.PP
.Vb 1
-\& openssl req \-newkey rsa:1024 \-keyout key.pem \-out req.pem
+\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
Generate a self signed root certificate:
.PP
.Vb 1
-\& openssl req \-x509 \-newkey rsa:1024 \-keyout key.pem \-out req.pem
+\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
Example of a file pointed to by the \fBoid_file\fR option:
@@ -617,7 +618,7 @@
.PP
.Vb 6
\& [ req ]
-\& default_bits = 1024
+\& default_bits = 2048
\& default_keyfile = privkey.pem
\& distinguished_name = req_distinguished_name
\& attributes = req_attributes
@@ -659,7 +660,7 @@
\& RANDFILE = $ENV::HOME/.rnd
\&
\& [ req ]
-\& default_bits = 1024
+\& default_bits = 2048
\& default_keyfile = keyfile.pem
\& distinguished_name = req_distinguished_name
\& attributes = req_attributes
@@ -750,7 +751,7 @@
.SH "BUGS"
.IX Header "BUGS"
OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
-treats them as \s-1ISO\-8859\-1 \s0(Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
+treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
.PP
Modified: trunk/secure/usr.bin/openssl/man/rsa.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/rsa.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/rsa.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "RSA 1"
-.TH RSA 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH RSA 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-rsa,
rsa \- RSA key processing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -269,7 +266,7 @@
\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
.Ve
.PP
-The \s-1PEM \s0\fBRSAPublicKey\fR format uses the header and footer lines:
+The \s-1PEM\s0 \fBRSAPublicKey\fR format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN RSA PUBLIC KEY\-\-\-\-\-
@@ -277,7 +274,7 @@
.Ve
.PP
The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers
-and Microsoft \s-1IIS \s0.key files, this uses unsalted \s-1RC4\s0 for its encryption.
+and Microsoft \s-1IIS\s0 .key files, this uses unsalted \s-1RC4\s0 for its encryption.
It is not very secure and so should only be used when necessary.
.PP
Some newer version of \s-1IIS\s0 have additional data in the exported .key
Modified: trunk/secure/usr.bin/openssl/man/rsautl.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/rsautl.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/rsautl.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH RSAUTL 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-rsautl,
rsautl \- RSA utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -228,7 +225,7 @@
Examine the raw signed data:
.PP
.Vb 1
-\& openssl rsautl \-verify \-in file \-inkey key.pem \-raw \-hexdump
+\& openssl rsautl \-verify \-in sig \-inkey key.pem \-raw \-hexdump
\&
\& 0000 \- 00 01 ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0010 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
Modified: trunk/secure/usr.bin/openssl/man/s_client.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/s_client.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/s_client.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH S_CLIENT 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-s_client,
s_client \- SSL/TLS client program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -174,7 +171,12 @@
[\fB\-no_ssl2\fR]
[\fB\-no_ssl3\fR]
[\fB\-no_tls1\fR]
+[\fB\-no_tls1_1\fR]
+[\fB\-no_tls1_2\fR]
+[\fB\-fallback_scsv\fR]
[\fB\-bugs\fR]
+[\fB\-sigalgs sigalglist\fR]
+[\fB\-curves curvelist\fR]
[\fB\-cipher cipherlist\fR]
[\fB\-serverpref\fR]
[\fB\-starttls protocol\fR]
@@ -184,7 +186,9 @@
[\fB\-sess_out filename\fR]
[\fB\-sess_in filename\fR]
[\fB\-rand file(s)\fR]
+[\fB\-serverinfo types\fR]
[\fB\-status\fR]
+[\fB\-alpn protocols\fR]
[\fB\-nextprotoneg protocols\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
@@ -199,7 +203,7 @@
then an attempt is made to connect to the local host on port 4433.
.IP "\fB\-servername name\fR" 4
.IX Item "-servername name"
-Set the \s-1TLS SNI \s0(Server Name Indication) extension in the ClientHello message.
+Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message.
.IP "\fB\-cert certname\fR" 4
.IX Item "-cert certname"
The certificate to use, if one is requested by the server. The default is
@@ -251,8 +255,9 @@
pauses 1 second between each read and write call.
.IP "\fB\-showcerts\fR" 4
.IX Item "-showcerts"
-display the whole server certificate chain: normally only the server
-certificate itself is displayed.
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+\&\fBnot\fR a verified chain.
.IP "\fB\-prexit\fR" 4
.IX Item "-prexit"
print session information when the program exits. This will always attempt
@@ -297,20 +302,38 @@
.IP "\fB\-psk_identity identity\fR" 4
.IX Item "-psk_identity identity"
Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
+The default value is \*(L"Client_identity\*(R" (without the quotes).
.IP "\fB\-psk key\fR" 4
.IX Item "-psk key"
Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
given as a hexadecimal number without leading 0x, for example \-psk
1a2b3c4d.
+This option must be provided in order to use a \s-1PSK\s0 cipher.
.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4
.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2"
These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
By default the initial handshake uses a \fIversion-flexible\fR method which will
negotiate the highest mutually supported protocol version.
+.IP "\fB\-fallback_scsv\fR" 4
+.IX Item "-fallback_scsv"
+Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
+.IP "\fB\-sigalgs sigalglist\fR" 4
+.IX Item "-sigalgs sigalglist"
+Specifies the list of signature algorithms that are sent by the client.
+The server selects one entry in the list based on its preferences.
+For example strings, see \fISSL_CTX_set1_sigalgs\fR\|(3)
+.IP "\fB\-curves curvelist\fR" 4
+.IX Item "-curves curvelist"
+Specifies the list of supported curves to be sent by the client. The curve is
+is ultimately selected by the server. For a list of all curves, use:
+.Sp
+.Vb 1
+\& $ openssl ecparam \-list_curves
+.Ve
.IP "\fB\-cipher cipherlist\fR" 4
.IX Item "-cipher cipherlist"
this allows the cipher list sent by the client to be modified. Although
@@ -324,7 +347,7 @@
.IX Item "-starttls protocol"
send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
-supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R".
+supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R" and \*(L"xmpp\*(R".
.IP "\fB\-tlsextdebug\fR" 4
.IX Item "-tlsextdebug"
print out a hex dump of any \s-1TLS\s0 extensions received from the server.
@@ -351,13 +374,23 @@
Multiple files can be specified separated by a OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
+.IP "\fB\-serverinfo types\fR" 4
+.IX Item "-serverinfo types"
+a list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and
+65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension.
+The server's response (if any) will be encoded and displayed as a \s-1PEM\s0
+file.
.IP "\fB\-status\fR" 4
.IX Item "-status"
sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
response (if any) is printed out.
-.IP "\fB\-nextprotoneg protocols\fR" 4
-.IX Item "-nextprotoneg protocols"
-enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a list of
+.IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4
+.IX Item "-alpn protocols, -nextprotoneg protocols"
+these flags enable the
+Enable the Application-Layer Protocol Negotiation or Next Protocol
+Negotiation extension, respectively. \s-1ALPN\s0 is the \s-1IETF\s0 standard and
+replaces \s-1NPN.\s0
+The \fBprotocols\fR list is a
comma-separated protocol names that the client should advertise
support for. The list should contain most wanted protocols first.
Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
@@ -407,7 +440,8 @@
on the command line is no guarantee that the certificate works.
.PP
If there are problems verifying a server certificate then the
-\&\fB\-showcerts\fR option can be used to show the whole chain.
+\&\fB\-showcerts\fR option can be used to show all the certificates sent by the
+server.
.PP
Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
@@ -433,4 +467,4 @@
\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
Modified: trunk/secure/usr.bin/openssl/man/s_server.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/s_server.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/s_server.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH S_SERVER 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-s_server,
s_server \- SSL/TLS server program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -171,6 +168,8 @@
[\fB\-CAfile filename\fR]
[\fB\-no_alt_chains\fR]
[\fB\-nocert\fR]
+[\fB\-client_sigalgs sigalglist\fR]
+[\fB\-named_curve curve\fR]
[\fB\-cipher cipherlist\fR]
[\fB\-serverpref\fR]
[\fB\-quiet\fR]
@@ -193,10 +192,13 @@
[\fB\-no_ticket\fR]
[\fB\-id_prefix arg\fR]
[\fB\-rand file(s)\fR]
+[\fB\-serverinfo file\fR]
+[\fB\-no_resumption_on_reneg\fR]
[\fB\-status\fR]
[\fB\-status_verbose\fR]
[\fB\-status_timeout nsec\fR]
[\fB\-status_url url\fR]
+[\fB\-alpn protocols\fR]
[\fB\-nextprotoneg protocols\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
@@ -215,8 +217,8 @@
.IX Item "-cert certname"
The certificate to use, most servers cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
-for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS
-\&\s0(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
+for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
+(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
.IP "\fB\-certform format\fR" 4
.IX Item "-certform format"
The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
@@ -238,7 +240,7 @@
if they are not specified (no additional certificate and key is used). As
noted above some cipher suites require a certificate containing a key of
a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
-and some a \s-1DSS \s0(\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
+and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
by using an appropriate certificate.
.IP "\fB\-dcertform format\fR, \fB\-dkeyform format\fR, \fB\-dpass arg\fR" 4
@@ -261,7 +263,7 @@
disabling the ephemeral \s-1DH\s0 cipher suites.
.IP "\fB\-no_ecdhe\fR" 4
.IX Item "-no_ecdhe"
-if this option is set then no \s-1ECDH\s0 parameters will be loaded effectively
+if this option is set then no \s-1ECDH\s0 parameters will be selected, effectively
disabling the ephemeral \s-1ECDH\s0 cipher suites.
.IP "\fB\-no_tmp_rsa\fR" 4
.IX Item "-no_tmp_rsa"
@@ -325,6 +327,7 @@
Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
given as a hexadecimal number without leading 0x, for example \-psk
1a2b3c4d.
+This option must be provided in order to use a \s-1PSK\s0 cipher.
.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4
.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2"
These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
@@ -338,6 +341,18 @@
.IX Item "-hack"
this option enables a further workaround for some some early Netscape
\&\s-1SSL\s0 code (?).
+.IP "\fB\-client_sigalgs sigalglist\fR" 4
+.IX Item "-client_sigalgs sigalglist"
+Signature algorithms to support for client certificate authentication
+(colon-separated list)
+.IP "\fB\-named_curve curve\fR" 4
+.IX Item "-named_curve curve"
+Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list.
+For a list of all possible curves, use:
+.Sp
+.Vb 1
+\& $ openssl ecparam \-list_curves
+.Ve
.IP "\fB\-cipher cipherlist\fR" 4
.IX Item "-cipher cipherlist"
this allows the cipher list used by the server to be modified. When
@@ -391,6 +406,16 @@
Multiple files can be specified separated by a OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
+.IP "\fB\-serverinfo file\fR" 4
+.IX Item "-serverinfo file"
+a file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block
+must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
+followed by \*(L"length\*(R" bytes of extension data). If the client sends
+an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
+ServerHello extension will be returned.
+.IP "\fB\-no_resumption_on_reneg\fR" 4
+.IX Item "-no_resumption_on_reneg"
+set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag.
.IP "\fB\-status\fR" 4
.IX Item "-status"
enables certificate status request support (aka \s-1OCSP\s0 stapling).
@@ -406,9 +431,13 @@
sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.
-.IP "\fB\-nextprotoneg protocols\fR" 4
-.IX Item "-nextprotoneg protocols"
-enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a
+.IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4
+.IX Item "-alpn protocols, -nextprotoneg protocols"
+these flags enable the
+Enable the Application-Layer Protocol Negotiation or Next Protocol
+Negotiation extension, respectively. \s-1ALPN\s0 is the \s-1IETF\s0 standard and
+replaces \s-1NPN.\s0
+The \fBprotocols\fR list is a
comma-separated list of supported protocol names.
The list should contain most wanted protocols first.
Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
@@ -451,10 +480,6 @@
.PP
can be used for example.
.PP
-Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher
-suites, so they cannot connect to servers which don't use a certificate
-carrying an \s-1RSA\s0 key or a version of OpenSSL with \s-1RSA\s0 disabled.
-.PP
Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
@@ -477,4 +502,4 @@
\&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
Modified: trunk/secure/usr.bin/openssl/man/s_time.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/s_time.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/s_time.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "S_TIME 1"
-.TH S_TIME 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH S_TIME 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-s_time,
s_time \- SSL/TLS performance timing program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/sess_id.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/sess_id.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/sess_id.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH SESS_ID 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-sess_id,
sess_id \- SSL/TLS session handling utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/smime.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/smime.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/smime.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "SMIME 1"
-.TH SMIME 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH SMIME 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-smime,
smime \- S/MIME utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -255,7 +252,7 @@
.IX Item "-text"
this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME \s0
+off text headers: if the decrypted or verified message is not of \s-1MIME\s0
type text/plain then an error occurs.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
@@ -272,8 +269,8 @@
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
.IP "\fB\-[cipher]\fR" 4
.IX Item "-[cipher]"
-the encryption algorithm to use. For example \s-1DES \s0(56 bits) \- \fB\-des\fR,
-triple \s-1DES \s0(168 bits) \- \fB\-des3\fR,
+the encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR,
+triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR,
\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
example \fB\-aes_128_cbc\fR. See \fBenc\fR for list of ciphers
supported by your version of OpenSSL.
@@ -554,4 +551,4 @@
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0
.PP
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
Modified: trunk/secure/usr.bin/openssl/man/speed.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/speed.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/speed.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "SPEED 1"
-.TH SPEED 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH SPEED 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-speed,
speed \- test library performance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/spkac.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/spkac.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/spkac.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "SPKAC 1"
-.TH SPKAC 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH SPKAC 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-spkac,
spkac \- SPKAC printing and generating utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -193,11 +190,11 @@
\&\s-1SPKAC.\s0 The default is the default section.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
-don't output the text version of the \s-1SPKAC \s0(not used if an
+don't output the text version of the \s-1SPKAC\s0 (not used if an
\&\s-1SPKAC\s0 is being created).
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
-output the public key of an \s-1SPKAC \s0(not used if an \s-1SPKAC\s0 is
+output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
being created).
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
@@ -228,7 +225,7 @@
\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
.Ve
.PP
-Example of an \s-1SPKAC, \s0(long lines split up for clarity):
+Example of an \s-1SPKAC,\s0 (long lines split up for clarity):
.PP
.Vb 5
\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
Modified: trunk/secure/usr.bin/openssl/man/ts.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/ts.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/ts.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "TS 1"
-.TH TS 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH TS 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-ts,
ts \- Time Stamping Authority tool (client/server)
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -187,7 +184,7 @@
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server
-application as specified in \s-1RFC 3161 \s0(Time-Stamp Protocol, \s-1TSP\s0). A
+application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A
\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
term proof of the existence of a certain datum before a particular
time. Here is a brief description of the protocol:
@@ -246,7 +243,7 @@
.IX Item "-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160|..."
The message digest to apply to the data file, it supports all the message
digest algorithms that are supported by the openssl \fBdgst\fR command.
-The default is \s-1SHA\-1. \s0(Optional)
+The default is \s-1SHA\-1.\s0 (Optional)
.IP "\fB\-policy\fR object_id" 4
.IX Item "-policy object_id"
The policy that the client expects the \s-1TSA\s0 to use for creating the
@@ -277,7 +274,7 @@
.IP "\fB\-text\fR" 4
.IX Item "-text"
If this option is specified the output is human-readable text format
-instead of \s-1DER. \s0(Optional)
+instead of \s-1DER.\s0 (Optional)
.SS "Time Stamp Response generation"
.IX Subsection "Time Stamp Response generation"
A time stamp response (TimeStampResp) consists of a response status
@@ -355,7 +352,7 @@
.IP "\fB\-text\fR" 4
.IX Item "-text"
If this option is specified the output is human-readable text format
-instead of \s-1DER. \s0(Optional)
+instead of \s-1DER.\s0 (Optional)
.IP "\fB\-engine\fR id" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR
@@ -398,7 +395,7 @@
details. Either this option or \fB\-CAfile\fR must be specified. (Optional)
.IP "\fB\-CAfile\fR trusted_certs.pem" 4
.IX Item "-CAfile trusted_certs.pem"
-The name of the file containing a set of trusted self-signed \s-1CA \s0
+The name of the file containing a set of trusted self-signed \s-1CA\s0
certificates in \s-1PEM\s0 format. See the similar option of
\&\fIverify\fR\|(1) for additional details. Either this option
or \fB\-CApath\fR must be specified.
@@ -515,7 +512,7 @@
openssl/apps/openssl.cnf will do.
.SS "Time Stamp Request"
.IX Subsection "Time Stamp Request"
-To create a time stamp request for design1.txt with \s-1SHA\-1 \s0
+To create a time stamp request for design1.txt with \s-1SHA\-1\s0
without nonce and policy and no certificate is required in the response:
.PP
.Vb 2
Modified: trunk/secure/usr.bin/openssl/man/tsget.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/tsget.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/tsget.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "TSGET 1"
-.TH TSGET 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH TSGET 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-tsget,
tsget \- Time Stamping HTTP/HTTPS client
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -229,13 +226,13 @@
.IX Item "-C CA_certs.pem"
(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's
certificate must include one of the \s-1CA\s0 certificates specified in this file.
-Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS. \s0(Optional)
+Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS.\s0 (Optional)
.IP "\fB\-P\fR CA_path" 4
.IX Item "-P CA_path"
(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's
certificate. The directory must be prepared with the \fBc_rehash\fR
OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of
-\&\s-1HTTPS. \s0(Optional)
+\&\s-1HTTPS.\s0 (Optional)
.IP "\fB\-rand\fR file:file..." 4
.IX Item "-rand file:file..."
The files containing random data for seeding the random number
Modified: trunk/secure/usr.bin/openssl/man/verify.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/verify.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/verify.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "VERIFY 1"
-.TH VERIFY 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH VERIFY 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-verify,
verify \- Utility to verify certificates.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -149,6 +146,10 @@
[\fB\-purpose purpose\fR]
[\fB\-policy arg\fR]
[\fB\-ignore_critical\fR]
+[\fB\-attime timestamp\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-CRLfile file\fR]
+[\fB\-crl_download\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-policy_check\fR]
@@ -164,7 +165,7 @@
[\fB\-untrusted file\fR]
[\fB\-help\fR]
[\fB\-issuer_checks\fR]
-[\fB\-attime timestamp\fR]
+[\fB\-trusted file\fR]
[\fB\-verbose\fR]
[\fB\-\fR]
[certificates]
@@ -183,9 +184,28 @@
.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4
.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together."
.PD 0
+.IP "\fB\-attime timestamp\fR" 4
+.IX Item "-attime timestamp"
+.PD
+Perform validation checks using time specified by \fBtimestamp\fR and not
+current system time. \fBtimestamp\fR is the number of seconds since
+01.01.1970 (\s-1UNIX\s0 time).
+.IP "\fB\-check_ss_sig\fR" 4
+.IX Item "-check_ss_sig"
+Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default
+because it doesn't add any security.
+.IP "\fB\-CRLfile file\fR" 4
+.IX Item "-CRLfile file"
+File containing one or more \s-1CRL\s0's (in \s-1PEM\s0 format) to load.
+.IP "\fB\-crl_download\fR" 4
+.IX Item "-crl_download"
+Attempt to download \s-1CRL\s0 information for this certificate.
+.IP "\fB\-crl_check\fR" 4
+.IX Item "-crl_check"
+Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
+If a valid \s-1CRL\s0 cannot be found an error occurs.
.IP "\fB\-untrusted file\fR" 4
.IX Item "-untrusted file"
-.PD
A file of untrusted certificates. The file should contain multiple certificates
in \s-1PEM\s0 format concatenated together.
.IP "\fB\-purpose purpose\fR" 4
@@ -208,11 +228,6 @@
rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
-.IP "\fB\-attime timestamp\fR" 4
-.IX Item "-attime timestamp"
-Perform validation checks using time specified by \fBtimestamp\fR and not
-current system time. \fBtimestamp\fR is the number of seconds since
-01.01.1970 (\s-1UNIX\s0 time).
.IP "\fB\-policy arg\fR" 4
.IX Item "-policy arg"
Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
@@ -240,6 +255,10 @@
.IP "\fB\-allow_proxy_certs\fR" 4
.IX Item "-allow_proxy_certs"
Allow the verification of proxy certificates.
+.IP "\fB\-trusted file\fR" 4
+.IX Item "-trusted file"
+A file of additional trusted certificates. The file should contain multiple
+certificates in \s-1PEM\s0 format concatenated together.
.IP "\fB\-policy_print\fR" 4
.IX Item "-policy_print"
Print out diagnostics related to policy processing.
@@ -492,4 +511,4 @@
\&\fIx509\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
-The \-no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
+The \-no_alt_chains options was first added to OpenSSL 1.0.2b.
Modified: trunk/secure/usr.bin/openssl/man/version.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/version.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/version.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "VERSION 1"
-.TH VERSION 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH VERSION 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-version,
version \- print OpenSSL version information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Modified: trunk/secure/usr.bin/openssl/man/x509.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/x509.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/x509.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,12 +130,13 @@
.\" ========================================================================
.\"
.IX Title "X509 1"
-.TH X509 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH X509 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
+openssl\-x509,
x509 \- Certificate display and signing utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
@@ -187,6 +184,7 @@
[\fB\-CAkey filename\fR]
[\fB\-CAcreateserial\fR]
[\fB\-CAserial filename\fR]
+[\fB\-force_pubkey key\fR]
[\fB\-text\fR]
[\fB\-certopt option\fR]
[\fB\-C\fR]
@@ -323,8 +321,11 @@
non-zero if yes it will expire or zero if not.
.IP "\fB\-fingerprint\fR" 4
.IX Item "-fingerprint"
-prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
-(see digest options).
+Calculates and outputs the digest of the \s-1DER\s0 encoded version of the entire
+certificate (see digest options).
+This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
+digests, the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
.IP "\fB\-C\fR" 4
.IX Item "-C"
this outputs the certificate in the form of a C source file.
@@ -483,6 +484,14 @@
\&\*(L"extensions\*(R" which contains the section to use. See the
\&\fIx509v3_config\fR\|(5) manual page for details of the
extension section format.
+.IP "\fB\-force_pubkey key\fR" 4
+.IX Item "-force_pubkey key"
+when a certificate is created set its public key to \fBkey\fR instead of the
+key in the certificate or certificate request. This option is useful for
+creating certificates where the algorithm can't normally sign requests, for
+example \s-1DH.\s0
+.Sp
+The format or \fBkey\fR can be specified using the \fB\-keyform\fR option.
.SS "\s-1NAME OPTIONS\s0"
.IX Subsection "NAME OPTIONS"
The \fBnameopt\fR command line switch determines how the subject and issuer
@@ -551,8 +560,8 @@
.IX Item "dump_der"
when this option is set any fields that need to be hexdumped will
be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
-content octets will be displayed. Both options use the \s-1RFC2253
-\&\s0\fB#XXXX...\fR format.
+content octets will be displayed. Both options use the \s-1RFC2253\s0
+\&\fB#XXXX...\fR format.
.IP "\fBdump_nostr\fR" 4
.IX Item "dump_nostr"
dump non character string types (for example \s-1OCTET STRING\s0) if this
@@ -650,8 +659,8 @@
hex dump unsupported extensions.
.IP "\fBca_default\fR" 4
.IX Item "ca_default"
-the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR,
-\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR.
+the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
+\&\fBno_header\fR, and \fBno_version\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: in these examples the '\e' means the example should be all on one
@@ -688,12 +697,6 @@
\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
.Ve
.PP
-Display the certificate \s-1MD5\s0 fingerprint:
-.PP
-.Vb 1
-\& openssl x509 \-in cert.pem \-noout \-fingerprint
-.Ve
-.PP
Display the certificate \s-1SHA1\s0 fingerprint:
.PP
.Vb 1
@@ -763,13 +766,6 @@
and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
it is more likely to display the majority of certificates correctly.
.PP
-The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate.
-This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
-digests the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-.PP
-The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1.\s0
-.PP
The \fB\-email\fR option searches the subject name and the subject alternative
name extension. Only unique email addresses will be printed out: it will
not print the same address more than once.
@@ -785,7 +781,7 @@
.PP
The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0
-if the \s-1CA\s0 flag is false then it is not a \s-1CA. \s0\fBAll\fR CAs should have the
+if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the
\&\s-1CA\s0 flag set to true.
.PP
If the basicConstraints extension is absent then the certificate is
@@ -813,7 +809,7 @@
.IP "\fB\s-1SSL\s0 Client\fR" 4
.IX Item "SSL Client"
The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID. \s0 keyUsage must be absent or it must have the
+authentication\*(R" \s-1OID.\s0 keyUsage must be absent or it must have the
digitalSignature bit set. Netscape certificate type must be absent or it must
have the \s-1SSL\s0 client bit set.
.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
Modified: trunk/secure/usr.bin/openssl/man/x509v3_config.1
===================================================================
--- trunk/secure/usr.bin/openssl/man/x509v3_config.1 2019-01-20 05:34:05 UTC (rev 12147)
+++ trunk/secure/usr.bin/openssl/man/x509v3_config.1 2019-01-20 05:35:36 UTC (rev 12148)
@@ -1,5 +1,5 @@
.\" $MidnightBSD$
-.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -47,7 +47,7 @@
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
@@ -55,20 +55,16 @@
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{
-. if \nF \{
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
+.if !\nF .nr F 0
+.if \nF>0 \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
..
-. if !\nF==2 \{
-. nr % 0
-. nr F 2
-. \}
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
. \}
.\}
-.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
@@ -134,7 +130,7 @@
.\" ========================================================================
.\"
.IX Title "X509V3_CONFIG 1"
-.TH X509V3_CONFIG 1 "2016-09-22" "1.0.1u" "OpenSSL"
+.TH X509V3_CONFIG 1 "2018-11-20" "1.0.2q" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -245,7 +241,7 @@
This extensions consists of a list of usages indicating purposes for which
the certificate public key can be used for,
.PP
-These can either be object short names of the dotted numerical form of OIDs.
+These can either be object short names or the dotted numerical form of OIDs.
While any \s-1OID\s0 can be used only certain values make sense. In particular the
following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful:
.PP