diff options
Diffstat (limited to 'deps/openssl/openssl/doc/apps/config.pod')
| -rw-r--r-- | deps/openssl/openssl/doc/apps/config.pod | 72 |
1 files changed, 54 insertions, 18 deletions
diff --git a/deps/openssl/openssl/doc/apps/config.pod b/deps/openssl/openssl/doc/apps/config.pod index 3f607d3b5f..76f282f28c 100644 --- a/deps/openssl/openssl/doc/apps/config.pod +++ b/deps/openssl/openssl/doc/apps/config.pod @@ -1,4 +1,3 @@ - =pod =for comment openssl_manual_section:5 @@ -47,7 +46,7 @@ or B<${section::name}>. By using the form B<$ENV::name> environment variables can be substituted. It is also possible to assign values to environment variables by using the name B<ENV::name>, this will work if the program looks up environment variables using the B<CONF> library -instead of calling B<getenv()> directly. The value string must not exceed 64k in +instead of calling getenv() directly. The value string must not exceed 64k in length after variable expansion. Otherwise an error will occur. It is possible to escape certain characters by using any kind of quote @@ -57,21 +56,21 @@ the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. =head1 OPENSSL LIBRARY CONFIGURATION -In OpenSSL 0.9.7 and later applications can automatically configure certain +Applications can automatically configure certain aspects of OpenSSL using the master OpenSSL configuration file, or optionally an alternative configuration file. The B<openssl> utility includes this functionality: any sub command uses the master OpenSSL configuration file unless an option is used in the sub command to use an alternative configuration file. -To enable library configuration the default section needs to contain an +To enable library configuration the default section needs to contain an appropriate line which points to the main configuration section. The default name is B<openssl_conf> which is used by the B<openssl> utility. Other applications may use an alternative name such as B<myapplicaton_conf>. The configuration section should consist of a set of name value pairs which contain specific module configuration information. The B<name> represents -the name of the I<configuration module> the meaning of the B<value> is +the name of the I<configuration module> the meaning of the B<value> is module specific: it may, for example, represent a further configuration section containing configuration module specific information. E.g. @@ -92,7 +91,7 @@ section containing configuration module specific information. E.g. The features of each configuration module are described below. -=head2 ASN1 OBJECT CONFIGURATION MODULE +=head2 ASN1 Object Configuration Module This module has the name B<oid_section>. The value of this variable points to a section containing name value pairs of OIDs: the name is the OID short @@ -103,16 +102,16 @@ B<all> the B<openssl> utility sub commands can see the new objects as well as any compliant applications. For example: [new_oids] - + some_new_oid = 1.2.3.4 some_other_oid = 1.2.3.5 -In OpenSSL 0.9.8 it is also possible to set the value to the long name followed +It is also possible to set the value to the long name followed by a comma and the numerical OID form. For example: shortName = some object long name, 1.2.3.4 -=head2 ENGINE CONFIGURATION MODULE +=head2 Engine Configuration Module This ENGINE configuration module has the name B<engines>. The value of this variable points to a section containing further ENGINE configuration @@ -142,7 +141,7 @@ For example: [bar_section] ... "bar" ENGINE specific commands ... -The command B<engine_id> is used to give the ENGINE name. If used this +The command B<engine_id> is used to give the ENGINE name. If used this command must be first. For example: [engine_section] @@ -166,10 +165,10 @@ then an attempt will be made to initialize the ENGINE after all commands in its section have been processed. The command B<default_algorithms> sets the default algorithms an ENGINE will -supply using the functions B<ENGINE_set_default_string()> +supply using the functions ENGINE_set_default_string(). If the name matches none of the above command names it is assumed to be a -ctrl command which is sent to the ENGINE. The value of the command is the +ctrl command which is sent to the ENGINE. The value of the command is the argument to the ctrl command. If the value is the string B<EMPTY> then no value is sent to the command. @@ -191,7 +190,7 @@ For example: # Supply all default algorithms default_algorithms = ALL -=head2 EVP CONFIGURATION MODULE +=head2 EVP Configuration Module This modules has the name B<alg_section> which points to a section containing algorithm commands. @@ -209,6 +208,34 @@ For example: fips_mode = on +=head2 SSL Configuration Module + +This module has the name B<ssl_conf> which points to a section containing +SSL configurations. + +Each line in the SSL configuration section contains the name of the +configuration and the section containing it. + +Each configuration section consists of command value pairs for B<SSL_CONF>. +Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls +SSL_CTX_config() or SSL_config() with the appropriate configuration name. + +Note: any characters before an initial dot in the configuration section are +ignored so the same command can be used multiple times. + +For example: + + ssl_conf = ssl_sect + + [ssl_sect] + + server = server_section + + [server_section] + + RSA.Certificate = server-rsa.pem + ECDSA.Certificate = server-ecdsa.pem + Ciphers = ALL:!RC4 =head1 NOTES @@ -239,7 +266,7 @@ Here is a sample configuration file using some of the features mentioned above. # This is the default section. - + HOME=/temp RANDFILE= ${ENV::HOME}/.rnd configdir=$ENV::HOME/config @@ -265,11 +292,11 @@ This next example shows how to expand environment variables safely. Suppose you want a variable called B<tmpfile> to refer to a temporary filename. The directory it is placed in can determined by -the the B<TEMP> or B<TMP> environment variables but they may not be +the B<TEMP> or B<TMP> environment variables but they may not be set to any value at all. If you just include the environment variable names and the variable doesn't exist then this will cause an error when an attempt is made to load the configuration file. By making use of the -default section both values can be looked up with B<TEMP> taking +default section both values can be looked up with B<TEMP> taking priority and B</tmp> used if neither is defined: TMP=/tmp @@ -317,7 +344,7 @@ More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: # New OID shortname and long name newoid2 = New OID 2 long name, 1.2.3.4.2 -The above examples can be used with with any application supporting library +The above examples can be used with any application supporting library configuration if "openssl_conf" is modified to match the appropriate "appname". For example if the second sample file above is saved to "example.cnf" then @@ -346,6 +373,15 @@ file. =head1 SEE ALSO -L<x509(1)|x509(1)>, L<req(1)|req(1)>, L<ca(1)|ca(1)> +L<x509(1)>, L<req(1)>, L<ca(1)> + +=head1 COPYRIGHT + +Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. =cut |