path: root/secure/usr.bin/openssl
Diffstat (limited to 'secure/usr.bin/openssl')
-rw-r--r-- secure/usr.bin/openssl/man/CA.pl.1 21
-rw-r--r-- secure/usr.bin/openssl/man/openssl-asn1parse.1 15
-rw-r--r-- secure/usr.bin/openssl/man/openssl-ca.1 53
-rw-r--r-- secure/usr.bin/openssl/man/openssl-ciphers.1 813
-rw-r--r-- secure/usr.bin/openssl/man/openssl-cmds.1 11
-rw-r--r-- secure/usr.bin/openssl/man/openssl-cmp.1 171
-rw-r--r-- secure/usr.bin/openssl/man/openssl-cms.1 75
-rw-r--r-- secure/usr.bin/openssl/man/openssl-crl.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-crl2pkcs7.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-dgst.1 31
-rw-r--r-- secure/usr.bin/openssl/man/openssl-dhparam.1 11
-rw-r--r-- secure/usr.bin/openssl/man/openssl-dsa.1 13
-rw-r--r-- secure/usr.bin/openssl/man/openssl-dsaparam.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-ec.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-ecparam.1 17
-rw-r--r-- secure/usr.bin/openssl/man/openssl-enc.1 33
-rw-r--r-- secure/usr.bin/openssl/man/openssl-engine.1 13
-rw-r--r-- secure/usr.bin/openssl/man/openssl-errstr.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-fipsinstall.1 79
-rw-r--r-- secure/usr.bin/openssl/man/openssl-format-options.1 17
-rw-r--r-- secure/usr.bin/openssl/man/openssl-gendsa.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-genpkey.1 41
-rw-r--r-- secure/usr.bin/openssl/man/openssl-genrsa.1 11
-rw-r--r-- secure/usr.bin/openssl/man/openssl-info.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-kdf.1 29
-rw-r--r-- secure/usr.bin/openssl/man/openssl-list.1 27
-rw-r--r-- secure/usr.bin/openssl/man/openssl-mac.1 21
-rw-r--r-- secure/usr.bin/openssl/man/openssl-namedisplay-options.1 15
-rw-r--r-- secure/usr.bin/openssl/man/openssl-nseq.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-ocsp.1 39
-rw-r--r-- secure/usr.bin/openssl/man/openssl-passphrase-options.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-passwd.1 13
-rw-r--r-- secure/usr.bin/openssl/man/openssl-pkcs12.1 31
-rw-r--r-- secure/usr.bin/openssl/man/openssl-pkcs7.1 11
-rw-r--r-- secure/usr.bin/openssl/man/openssl-pkcs8.1 17
-rw-r--r-- secure/usr.bin/openssl/man/openssl-pkey.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-pkeyparam.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-pkeyutl.1 101
-rw-r--r-- secure/usr.bin/openssl/man/openssl-prime.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-rand.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-rehash.1 27
-rw-r--r-- secure/usr.bin/openssl/man/openssl-req.1 57
-rw-r--r-- secure/usr.bin/openssl/man/openssl-rsa.1 13
-rw-r--r-- secure/usr.bin/openssl/man/openssl-rsautl.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-s_client.1 63
-rw-r--r-- secure/usr.bin/openssl/man/openssl-s_server.1 29
-rw-r--r-- secure/usr.bin/openssl/man/openssl-s_time.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-sess_id.1 15
-rw-r--r-- secure/usr.bin/openssl/man/openssl-skeyutl.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-smime.1 25
-rw-r--r-- secure/usr.bin/openssl/man/openssl-speed.1 23
-rw-r--r-- secure/usr.bin/openssl/man/openssl-spkac.1 9
-rw-r--r-- secure/usr.bin/openssl/man/openssl-srp.1 7
-rw-r--r-- secure/usr.bin/openssl/man/openssl-storeutl.1 11
-rw-r--r-- secure/usr.bin/openssl/man/openssl-ts.1 33
-rw-r--r-- secure/usr.bin/openssl/man/openssl-verification-options.1 107
-rw-r--r-- secure/usr.bin/openssl/man/openssl-verify.1 16
-rw-r--r-- secure/usr.bin/openssl/man/openssl-version.1 11
-rw-r--r-- secure/usr.bin/openssl/man/openssl-x509.1 69
-rw-r--r-- secure/usr.bin/openssl/man/openssl.1 48
-rw-r--r-- secure/usr.bin/openssl/man/tsget.1 23
61 files changed, 1374 insertions, 1073 deletions
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index f3175944d4d5..17e5f68662fa 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
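Review bot: The generator line moves from Pod::Man 5.0102 to v6.0.2, and the apostrophe and hyphen escaping changes in the later hunks (for example isn\*(Aqt and sub\-command) appear to come from that tool change rather than from the 3.5.4 to 3.5.6 content update. It would help review to say so in the commit message, or to regenerate in a separate commit, so the handful of real documentation changes are not buried in escaping churn.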
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "CA.PL 1ossl"
-.TH CA.PL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH CA.PL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -94,7 +97,7 @@ It is intended to simplify the process of certificate creation and management
by the use of some simple options.
.PP
The script is intended as a simple front end for the \fBopenssl\fR\|(1) program for
-use by a beginner. Its behaviour isn't always what is wanted. For more control
+use by a beginner. Its behaviour isn\*(Aqt always what is wanted. For more control
over the behaviour of the certificate commands call the \fBopenssl\fR\|(1) command
directly.
.PP
@@ -154,8 +157,8 @@ If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.
Delegates work to \fBopenssl\-pkcs12\fR\|(1).
-.IP "\fB\-sign\fR, \fB\-signcert\fR, \fB\-xsign\fR" 4
-.IX Item "-sign, -signcert, -xsign"
+.IP "\fB\-sign\fR, \fB\-xsign\fR" 4
+.IX Item "-sign, -xsign"
Calls the \fBopenssl\-ca\fR\|(1) command to sign a certificate request. It expects the
request to be in the file \fInewreq.pem\fR. The new certificate is written to the
file \fInewcert.pem\fR except in the case of the \fB\-xsign\fR option when it is
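Review bot: The item heading drops \-signcert and now lists only \-sign and \-xsign, with no replacement entry visible in this hunk. Please confirm that the CA.pl shipped with this import no longer accepts \-signcert; if it still does, the option becomes undocumented, and if it does not, existing wrapper scripts that call it will break and the removal deserves a mention in the commit message.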
@@ -189,10 +192,10 @@ certificates are specified on the command line it tries to verify the file
.IP "\fB\-extra\-\fR\f(BIcmd\fR \fIparameter\fR" 4
.IX Item "-extra-cmd parameter"
For each option \fBextra\-\fR\f(BIcmd\fR, pass \fIparameter\fR to the \fBopenssl\fR\|(1)
-sub-command with the same name as \fIcmd\fR, if that sub-command is invoked.
+sub\-command with the same name as \fIcmd\fR, if that sub\-command is invoked.
For example, if \fBopenssl\-req\fR\|(1) is invoked, the \fIparameter\fR given with
\&\fB\-extra\-req\fR will be passed to it.
-For multi-word parameters, either repeat the option or quote the \fIparameters\fR
+For multi\-word parameters, either repeat the option or quote the \fIparameters\fR
so it looks like one word to your shell.
See the individual command documentation for more information.
.SH EXAMPLES
@@ -219,7 +222,7 @@ the OpenSSL program. It can be a full pathname, or a relative one.
.PP
The environment variable \fBOPENSSL_CONFIG\fR may be used to specify a
configuration option and value to the \fBreq\fR and \fBca\fR commands invoked by
-this script. It's value should be the option and pathname, as in
+this script. It\*(Aqs value should be the option and pathname, as in
\&\f(CW\*(C`\-config /path/to/conf\-file\*(C'\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
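Review bot: The regenerated OPENSSL_CONFIG sentence still reads "It\*(Aqs value should be the option and pathname", which should be the possessive "Its value". Since the page is generated, the fix belongs in the upstream POD rather than in this file, but it is worth reporting while the line is being touched anyway.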
@@ -231,7 +234,7 @@ this script. It's value should be the option and pathname, as in
\&\fBconfig\fR\|(5)
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-asn1parse.1 b/secure/usr.bin/openssl/man/openssl-asn1parse.1
index a46871fcaacf..fee6cbde252e 100644
--- a/secure/usr.bin/openssl/man/openssl-asn1parse.1
+++ b/secure/usr.bin/openssl/man/openssl-asn1parse.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-ASN1PARSE 1ossl"
-.TH OPENSSL-ASN1PARSE 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-ASN1PARSE 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -104,7 +107,7 @@ option is not present then no data will be output. This is most useful when
combined with the \fB\-strparse\fR option.
.IP \fB\-noout\fR 4
.IX Item "-noout"
-Don't output the parsed version of the input file.
+Don\*(Aqt output the parsed version of the input file.
.IP "\fB\-offset\fR \fInumber\fR" 4
.IX Item "-offset number"
Starting offset to begin parsing, default is start of file.
@@ -173,7 +176,7 @@ The output will typically contain lines like this:
.PP
\&.....
.PP
-This example is part of a self-signed certificate. Each line starts with the
+This example is part of a self\-signed certificate. Each line starts with the
offset in decimal. \f(CW\*(C`d=XX\*(C'\fR specifies the current depth. The depth is increased
within the scope of any SET or SEQUENCE. \f(CW\*(C`hl=XX\*(C'\fR gives the header length
(tag and length octets) of the current type. \f(CW\*(C`l=XX\*(C'\fR gives the length of
@@ -194,7 +197,7 @@ be examined using the option \f(CW\*(C`\-strparse 229\*(C'\fR to yield:
.Ve
.SH NOTES
.IX Header "NOTES"
-If an OID is not part of OpenSSL's internal table it will be represented in
+If an OID is not part of OpenSSL\*(Aqs internal table it will be represented in
numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
@@ -226,7 +229,7 @@ Generate a simple UTF8String:
\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq
.Ve
.PP
-Generate and write out a UTF8String, don't print parsed output:
+Generate and write out a UTF8String, don\*(Aqt print parsed output:
.PP
.Vb 1
\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq \-noout \-out utf8.der
diff --git a/secure/usr.bin/openssl/man/openssl-ca.1 b/secure/usr.bin/openssl/man/openssl-ca.1
index 20bcaf806098..3da4a5c17866 100644
--- a/secure/usr.bin/openssl/man/openssl-ca.1
+++ b/secure/usr.bin/openssl/man/openssl-ca.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CA 1ossl"
-.TH OPENSSL-CA 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CA 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -183,7 +186,7 @@ by default PEM is tried first.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-ss_cert\fR \fIfilename\fR" 4
.IX Item "-ss_cert filename"
-A single self-signed certificate to be signed by the CA.
+A single self\-signed certificate to be signed by the CA.
.IP "\fB\-spkac\fR \fIfilename\fR" 4
.IX Item "-spkac filename"
A file containing a single Netscape signed public key and challenge
@@ -221,14 +224,14 @@ See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign operations.
-Names and values of these options are algorithm-specific and
+Names and values of these options are algorithm\-specific and
documented in "Signature parameters" in \fBprovider\-signature\fR\|(7).
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm\-specific.
.Sp
-This often needs to be given while signing too, because the self-signature of
+This often needs to be given while signing too, because the self\-signature of
a certificate signing request (CSR) is verified against the included public key,
and that verification may need its own set of options.
.IP "\fB\-key\fR \fIpassword\fR" 4
@@ -250,14 +253,14 @@ the certificate requests were signed with (given with \fB\-keyfile\fR).
Certificate requests signed with a different key are ignored.
If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored.
.Sp
-A consequence of using \fB\-selfsign\fR is that the self-signed
+A consequence of using \fB\-selfsign\fR is that the self\-signed
certificate appears among the entries in the certificate database
(see the configuration option \fBdatabase\fR), and uses the same
serial number counter as all other certificates sign with the
-self-signed certificate.
+self\-signed certificate.
.IP \fB\-notext\fR 4
.IX Item "-notext"
-Don't output the text form of a certificate to the output file.
+Don\*(Aqt output the text form of a certificate to the output file.
.IP \fB\-dateopt\fR 4
.IX Item "-dateopt"
Specify the date output format. Values are: rfc_822 and iso_8601.
@@ -316,7 +319,7 @@ DNs match the order of the request. This is not needed for Xenroll.
The DN of a certificate can contain the EMAIL field if present in the
request DN, however, it is good policy just having the e\-mail set into
the altName extension of the certificate. When this option is set the
-EMAIL field is removed from the certificate' subject and set only in
+EMAIL field is removed from the certificate\*(Aq subject and set only in
the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
used in the configuration file to enable this behaviour.
.IP \fB\-batch\fR 4
@@ -344,8 +347,8 @@ The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
-Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
-Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN).
+Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
@@ -362,7 +365,7 @@ If reading serial from the text file as specified in the configuration
fails, specifying this option creates a new random serial to be used as next
serial number.
To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this
-should only be used for simple error-recovery.
+should only be used for simple error\-recovery.
.IP \fB\-rand_serial\fR 4
.IX Item "-rand_serial"
Generate a large random number to use as the serial number.
@@ -395,13 +398,13 @@ See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproper
This option generates a CRL based on information in the index file.
.IP "\fB\-crl_lastupdate\fR \fItime\fR" 4
.IX Item "-crl_lastupdate time"
-Allows the value of the CRL's lastUpdate field to be explicitly set; if
+Allows the value of the CRL\*(Aqs lastUpdate field to be explicitly set; if
this option is not present, the current time is used. Accepts times in
YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).
.IP "\fB\-crl_nextupdate\fR \fItime\fR" 4
.IX Item "-crl_nextupdate time"
-Allows the value of the CRL's nextUpdate field to be explicitly set; if
+Allows the value of the CRL\*(Aqs nextUpdate field to be explicitly set; if
this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR
and \fB\-crlsec\fR are ignored. Accepts times in the same formats as
\&\fB\-crl_lastupdate\fR.
@@ -458,7 +461,7 @@ include. If no CRL extension section is present then a V1 CRL is
created, if the CRL extension section is present (even if it is
empty) then a V2 CRL is created. The CRL extensions specified are
CRL extensions and \fBnot\fR CRL entry extensions. It should be noted
-that some software (for example Netscape) can't handle V2 CRLs. See
+that some software (for example Netscape) can\*(Aqt handle V2 CRLs. See
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.SH "CONFIGURATION FILE OPTIONS"
@@ -543,8 +546,8 @@ If the value \fByes\fR is given, the valid certificate entries in the
database must have unique subjects. if the value \fBno\fR is given,
several valid certificate entries may have the exact same subject.
The default value is \fByes\fR, to be compatible with older (pre 0.9.8)
-versions of OpenSSL. However, to make CA certificate roll-over easier,
-it's recommended to use the value \fBno\fR, especially if combined with
+versions of OpenSSL. However, to make CA certificate roll\-over easier,
+it\*(Aqs recommended to use the value \fBno\fR, especially if combined with
the \fB\-selfsign\fR command line option.
.Sp
Note that it is valid in some circumstances for certificates to be created
@@ -571,8 +574,8 @@ The same as \fB\-preserveDN\fR
.IP \fBemail_in_dn\fR 4
.IX Item "email_in_dn"
The same as \fB\-noemailDN\fR. If you want the EMAIL field to be removed
-from the DN of the certificate simply set this to 'no'. If not present
-the default is to allow for the EMAIL filed in the certificate's DN.
+from the DN of the certificate simply set this to \*(Aqno\*(Aq. If not present
+the default is to allow for the EMAIL filed in the certificate\*(Aqs DN.
.IP \fBmsie_hack\fR 4
.IX Item "msie_hack"
The same as \fB\-msie_hack\fR
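Review bot: In the email_in_dn entry the rewritten line still says "the EMAIL filed in the certificate\*(Aqs DN", where "filed" should be "field". The line is only changed for apostrophe escaping, so the typo is inherited from the source POD and should be fixed there.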
@@ -628,7 +631,7 @@ It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1).
The file should contain the variable SPKAC set to the value of
the SPKAC and also the required DN components as name value pairs.
If you need to include the same component twice then it can be
-preceded by a number and a '.'.
+preceded by a number and a \*(Aq.\*(Aq.
.PP
When processing SPKAC format, the output is DER if the \fB\-out\fR
flag is used, but PEM format if sending to stdout or the \fB\-outdir\fR
@@ -759,24 +762,24 @@ CRL: however there is no option to do this.
V2 CRL features like delta CRLs are not currently supported.
.PP
Although several requests can be input and handled at once it is only
-possible to include one SPKAC or self-signed certificate.
+possible to include one SPKAC or self\-signed certificate.
.SH BUGS
.IX Header "BUGS"
This command is quirky and at times downright unfriendly.
.PP
-The use of an in-memory text database can cause problems when large
+The use of an in\-memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
.PP
This command really needs rewriting or the required functionality
-exposed at either a command or interface level so that a more user-friendly
+exposed at either a command or interface level so that a more user\-friendly
replacement could handle things properly. The script
\&\fBCA.pl\fR helps a little but not very much.
.PP
Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
enforce the absence of the EMAIL field within the DN, as suggested by
-RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
+RFCs, regardless the contents of the request\*(Aq subject the \fB\-noemailDN\fR
option can be used. The behaviour should be more friendly and
configurable.
.PP
diff --git a/secure/usr.bin/openssl/man/openssl-ciphers.1 b/secure/usr.bin/openssl/man/openssl-ciphers.1
index 09f07d6b689a..70aad361a31d 100644
--- a/secure/usr.bin/openssl/man/openssl-ciphers.1
+++ b/secure/usr.bin/openssl/man/openssl-ciphers.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CIPHERS 1ossl"
-.TH OPENSSL-CIPHERS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CIPHERS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -174,16 +177,16 @@ the IANA TLS Cipher Suites Registry
.PP
The actual cipher string can take several different forms.
.PP
-It can consist of a single cipher suite such as \fBRC4\-SHA\fR.
+It can consist of a single cipher suite such as \fBAES256\-SHA\fR.
.PP
It can represent a list of cipher suites containing a certain algorithm, or
-cipher suites of a certain type. For example \fBSHA1\fR represents all ciphers
-suites using the digest algorithm SHA1 and \fBSSLv3\fR represents all SSL v3
-algorithms.
+cipher suites of a certain type. For example \fBSHA256\fR represents all cipher
+suites using the digest algorithm SHA256 and \fBTLSv1.2\fR represents all
+cipher suites introduced in TLS v.1.2.
.PP
Lists of cipher suites can be combined in a single cipher string using the
\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
-\&\fBSHA1+DES\fR represents all cipher suites containing the SHA1 \fBand\fR the DES
+\&\fBSHA256+AES\fR represents all cipher suites using the SHA256 \fBand\fR the AES
algorithms.
.PP
Each cipher string can be optionally preceded by the characters \fB!\fR,
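Review bot: The new example text spells the protocol as "TLS v.1.2" ("cipher suites introduced in TLS v.1.2"), while the rest of the page, including the TLSv1.2 item further down, uses "TLS v1.2". The stray period should go so that searching the page for the version string finds this paragraph too.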
@@ -197,7 +200,7 @@ If \fB\-\fR is used then the ciphers are deleted from the list, but some or
all of the ciphers can be added again by later options.
.PP
If \fB+\fR is used then the ciphers are moved to the end of the list. This
-option doesn't add any new ciphers it just moves matching existing ones.
+option doesn\*(Aqt add any new ciphers it just moves matching existing ones.
.PP
If none of these characters is present then the string is just interpreted
as a list of ciphers to be appended to the current preference list. If the
@@ -214,7 +217,7 @@ See \fBSSL_CTX_set_security_level\fR\|(3) for a description of what each level m
The cipher list can be prefixed with the \fBDEFAULT\fR keyword, which enables
the default cipher list as defined below. Unlike cipher strings,
this prefix may not be combined with other strings using \fB+\fR character.
-For example, \fBDEFAULT+DES\fR is not valid.
+For example, \fBDEFAULT+AES\fR is not valid.
.PP
The content of the default list is determined at compile time and normally
corresponds to \fBALL:!COMPLEMENTOFDEFAULT:!eNULL\fR.
@@ -223,11 +226,12 @@ corresponds to \fBALL:!COMPLEMENTOFDEFAULT:!eNULL\fR.
The following is a list of all permitted cipher strings and their meanings.
.IP \fBCOMPLEMENTOFDEFAULT\fR 4
.IX Item "COMPLEMENTOFDEFAULT"
-The ciphers included in \fBALL\fR, but not enabled by default. Currently
-this includes all RC4 and anonymous ciphers. Note that this rule does
-not cover \fBeNULL\fR, which is not included by \fBALL\fR (use \fBCOMPLEMENTOFALL\fR if
-necessary). Note that RC4 based cipher suites are not built into OpenSSL by
-default (see the enable-weak-ssl-ciphers option to Configure).
+The cipher suites included in \fBALL\fR, but not enabled by default. The default
+cipher suite list provides strong security and reasonable interoperability.
+A cipher suite can be not included in the default list for different reasons:
+because it is weak, or not "mature" enough, or not widely used, etc.
+Note that this rule does not cover \fBeNULL\fR, which is not included by \fBALL\fR
+(use \fBCOMPLEMENTOFALL\fR if necessary).
.IP \fBALL\fR 4
.IX Item "ALL"
All cipher suites except the \fBeNULL\fR ciphers (which must be explicitly enabled
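Review bot: The rewritten COMPLEMENTOFDEFAULT entry no longer names any concrete class of excluded suites; the old text said it "includes all RC4 and anonymous ciphers", and the new one only gives generic reasons ("weak, or not mature enough, or not widely used, etc."). Someone auditing a cipher string can no longer tell from this entry that anonymous suites fall in this set, so a short pointer to the aNULL entry, or to listing the set with openssl ciphers, would keep the entry useful. The phrase "can be not included" would also read better as "may be excluded".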
@@ -249,12 +253,15 @@ encryption.
"Low" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
cipher suites have been removed as of OpenSSL 1.1.0.
+.IP \fBFIPS\fR 4
+.IX Item "FIPS"
+Cipher suites permitted in FIPS mode.
.IP "\fBeNULL\fR, \fBNULL\fR" 4
.IX Item "eNULL, NULL"
The "NULL" ciphers that is those offering no encryption. Because these offer no
encryption at all and are a security risk they are not enabled via either the
\&\fBDEFAULT\fR or \fBALL\fR cipher strings.
-Be careful when building cipherlists out of lower-level primitives such as
+Be careful when building cipherlists out of lower\-level primitives such as
\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. When in
doubt, include \fB!eNULL\fR in your cipherlist.
.IP \fBaNULL\fR 4
@@ -264,18 +271,13 @@ DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
to "man in the middle" attacks and so their use is discouraged.
These are excluded from the \fBDEFAULT\fR ciphers, but included in the \fBALL\fR
ciphers.
-Be careful when building cipherlists out of lower-level primitives such as
+Be careful when building cipherlists out of lower\-level primitives such as
\&\fBkDHE\fR or \fBAES\fR as these do overlap with the \fBaNULL\fR ciphers.
When in doubt, include \fB!aNULL\fR in your cipherlist.
.IP "\fBkRSA\fR, \fBaRSA\fR, \fBRSA\fR" 4
.IX Item "kRSA, aRSA, RSA"
-Cipher suites using RSA key exchange or authentication. \fBRSA\fR is an alias for
-\&\fBkRSA\fR.
-.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
-.IX Item "kDHr, kDHd, kDH"
-Cipher suites using static DH key agreement and DH certificates signed by CAs
-with RSA and DSS keys or either respectively.
-All these cipher suites have been removed in OpenSSL 1.1.0.
+Cipher suites using RSA key exchange, RSA authentication, or both of them
+respectively.
.IP "\fBkDHE\fR, \fBkEDH\fR, \fBDH\fR" 4
.IX Item "kDHE, kEDH, DH"
Cipher suites using ephemeral DH key agreement, including anonymous cipher
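Review bot: The kRSA, aRSA, RSA entry changes the documented meaning of RSA from "an alias for kRSA" to "RSA key exchange, RSA authentication, or both of them respectively", and "both of them" can be read either as suites that use RSA for both roles or as the union of the two sets. That distinction matters to anyone who writes !RSA or \-RSA to remove RSA key exchange, so the entry should state explicitly which suites RSA selects. The same hunk also deletes the kDHr, kDHd, kDH entry without saying whether those strings are still accepted as no-ops.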
@@ -296,23 +298,17 @@ cipher suites.
Cipher suites using authenticated ephemeral ECDH key agreement.
.IP \fBAECDH\fR 4
.IX Item "AECDH"
-Anonymous Elliptic Curve Diffie-Hellman cipher suites.
+Anonymous Elliptic Curve Diffie\-Hellman cipher suites.
.IP "\fBaDSS\fR, \fBDSS\fR" 4
.IX Item "aDSS, DSS"
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.IP \fBaDH\fR 4
-.IX Item "aDH"
-Cipher suites effectively using DH authentication, i.e. the certificates carry
-DH keys.
-All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fBaECDSA\fR, \fBECDSA\fR" 4
.IX Item "aECDSA, ECDSA"
Cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
keys.
.IP "\fBTLSv1.2\fR, \fBTLSv1.0\fR, \fBSSLv3\fR" 4
.IX Item "TLSv1.2, TLSv1.0, SSLv3"
-Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or
-SSL v3.0 respectively.
+Lists cipher suites introduced in TLS v1.2, TLS v1.0 or SSL v3.0 respectively.
Note: there are no cipher suites specific to TLS v1.1.
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
then both TLSv1.0 and SSLv3.0 cipher suites are available.
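Review bot: The TLSv1.2, TLSv1.0, SSLv3 entry now says the strings list suites "introduced in" each version, but the unchanged sentence that follows still begins "Since this is only the minimum version", which referred to the old "only supported in at least" wording. The two sentences no longer connect, so the follow-up should be reworded to say that suites introduced in an earlier version remain available when a later version is negotiated. The aDH entry is also removed in this hunk with no note on whether the string is still parsed.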
@@ -332,10 +328,12 @@ AES in Cipher Block Chaining \- Message Authentication Mode (CCM): these
cipher suites are only supported in TLS v1.2. \fBAESCCM\fR references CCM
cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
while \fBAESCCM8\fR only references 8 octet ICV.
-.IP "\fBARIA128\fR, \fBARIA256\fR, \fBARIA\fR" 4
-.IX Item "ARIA128, ARIA256, ARIA"
-Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
-ARIA.
+.IP "\fBARIA128\fR, \fBARIA256\fR" 4
+.IX Item "ARIA128, ARIA256"
+Cipher suites using 128 bit ARIA or 256 bit ARIA respectively.
+.IP "\fBARIA\fR, \fBARIAGCM\fR" 4
+.IX Item "ARIA, ARIAGCM"
+Cipher suites using either 128 or 256 bit ARIA.
.IP "\fBCAMELLIA128\fR, \fBCAMELLIA256\fR, \fBCAMELLIA\fR" 4
.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA"
Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
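Review bot: The new "ARIA, ARIAGCM" item gives both strings the single description "Cipher suites using either 128 or 256 bit ARIA", so the page does not say how ARIAGCM differs from ARIA. If ARIAGCM selects a narrower set, it should get its own sentence; if the two are exact synonyms, the entry should say so.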
@@ -373,23 +371,40 @@ Cipher suites using SHA1.
Cipher suites using SHA256 or SHA384.
.IP \fBaGOST\fR 4
.IX Item "aGOST"
-Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication
+Cipher suites using GOST R 34.10 (either 2001 or 2012) for authentication
(needs an engine supporting GOST algorithms).
.IP \fBaGOST01\fR 4
.IX Item "aGOST01"
-Cipher suites using GOST R 34.10\-2001 authentication.
+Cipher suites that can be uses with GOST R 34.10\-2001 keys for authentication.
+.IP \fBaGOST12\fR 4
+.IX Item "aGOST12"
+Cipher suites that can be used with GOST R 34.10\-2012 keys for authentication.
.IP \fBkGOST\fR 4
.IX Item "kGOST"
-Cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357.
+Cipher suites using VKO 34.10 key exchange and key wrap specified in the
+RFC 4357 or RFC 7836.
+.IP \fBkGOST18\fR 4
+.IX Item "kGOST18"
+Cipher suites using VKO 34.10 key exchange specified in the RFC 7836 and
+KExp15 key export specified in the RFC 9189.
.IP \fBGOST94\fR 4
.IX Item "GOST94"
Cipher suites, using HMAC based on GOST R 34.11\-94.
+.IP \fBGOST12\fR 4
+.IX Item "GOST12"
+Cipher suites, using HMAC based on GOST R 34.11\-2012 256 bits.
.IP \fBGOST89MAC\fR 4
.IX Item "GOST89MAC"
-Cipher suites using GOST 28147\-89 MAC \fBinstead of\fR HMAC.
+Cipher suites using GOST 28147\-89 MAC \fBinstead of\fR HMAC with S\-boxes A.
+.IP \fBGOST89MAC12\fR 4
+.IX Item "GOST89MAC12"
+Cipher suites using GOST 28147\-89 MAC \fBinstead of\fR HMAC with S\-boxes Z.
+.IP \fBGOST89\fR 4
+.IX Item "GOST89"
+Cipher suites using any GOST cipher (GOST 28147\-89, Magma or Kuznyechik).
.IP \fBPSK\fR 4
.IX Item "PSK"
-All cipher suites using pre-shared keys (PSK).
+All cipher suites using pre\-shared keys (PSK).
.IP "\fBkPSK\fR, \fBkECDHEPSK\fR, \fBkDHEPSK\fR, \fBkRSAPSK\fR" 4
.IX Item "kPSK, kECDHEPSK, kDHEPSK, kRSAPSK"
Cipher suites using PSK key exchange, ECDHE_PSK, DHE_PSK or RSA_PSK.
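Review bot: The new aGOST01 line reads "Cipher suites that can be uses with GOST R 34.10\-2001 keys", where "uses" should be "used", as in the aGOST12 line added just below it. In the GOST89MAC and GOST89MAC12 entries, "instead of HMAC with S\-boxes A" and "with S\-boxes Z" read as if the S-boxes qualify HMAC; moving the S-box clause next to "GOST 28147\-89 MAC" would remove the ambiguity.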
@@ -397,6 +412,12 @@ Cipher suites using PSK key exchange, ECDHE_PSK, DHE_PSK or RSA_PSK.
.IX Item "aPSK"
Cipher suites using PSK authentication (currently all PSK modes apart from
RSA_PSK).
+.IP "\fBkSRP\fR, \fBSRP\fR" 4
+.IX Item "kSRP, SRP"
+Cipher suites using SRP key exchange.
+.IP \fBaSRP\fR 4
+.IX Item "aSRP"
+Cipher suites using SRP authentication.
.IP "\fBSUITEB128\fR, \fBSUITEB128ONLY\fR, \fBSUITEB192\fR" 4
.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192"
Enables suite B mode of operation using 128 (permitting 192 bit mode by peer)
@@ -415,7 +436,7 @@ permissible.
.IX Item "CBC"
All cipher suites using encryption algorithm in Cipher Block Chaining (CBC)
mode. These cipher suites are only supported in TLS v1.2 and earlier. Currently
-it's an alias for the following cipherstrings: \fBSSL_DES\fR, \fBSSL_3DES\fR, \fBSSL_RC2\fR,
+it\*(Aqs an alias for the following cipherstrings: \fBSSL_DES\fR, \fBSSL_3DES\fR, \fBSSL_RC2\fR,
\&\fBSSL_IDEA\fR, \fBSSL_AES128\fR, \fBSSL_AES256\fR, \fBSSL_CAMELLIA128\fR, \fBSSL_CAMELLIA256\fR, \fBSSL_SEED\fR.
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
@@ -426,323 +447,407 @@ standard names or OpenSSL names in cipher lists, or a mix of both.
It should be noted, that several cipher suite names do not include the
authentication used, e.g. DES\-CBC3\-SHA. In these cases, RSA authentication
is used.
-.SS "SSL v3.0 cipher suites"
-.IX Subsection "SSL v3.0 cipher suites"
-.Vb 6
-\& SSL_RSA_WITH_NULL_MD5 NULL\-MD5
-\& SSL_RSA_WITH_NULL_SHA NULL\-SHA
-\& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5
-\& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA
-\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
-\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
-\&
-\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA
-\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA
-\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
-\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
-\&
-\& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
-\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
-\&
-\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
-\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
-\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
-.Ve
-.SS "TLS v1.0 cipher suites"
-.IX Subsection "TLS v1.0 cipher suites"
-.Vb 6
-\& TLS_RSA_WITH_NULL_MD5 NULL\-MD5
-\& TLS_RSA_WITH_NULL_SHA NULL\-SHA
-\& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5
-\& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA
-\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
-\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
-\&
-\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
-\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
-\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
-\&
-\& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
-\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
-.Ve
-.SS "AES cipher suites from RFC3268, extending TLS v1.0"
-.IX Subsection "AES cipher suites from RFC3268, extending TLS v1.0"
-.Vb 2
-\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
-\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA
-\&
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA
-\&
-\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA
-\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA
-\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA
-\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA
-\&
-\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA
-\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA
-.Ve
-.SS "Camellia cipher suites from RFC4132, extending TLS v1.0"
-.IX Subsection "Camellia cipher suites from RFC4132, extending TLS v1.0"
-.Vb 2
-\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
-\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA
-\&
-\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA
-\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA
-\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA
-\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA
-\&
-\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA
-\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA
-\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA
-\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA
-\&
-\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA
-\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA
+.SS "AES cipher suites for TLS v1.2"
+.IX Subsection "AES cipher suites for TLS v1.2"
+.Vb 10
+\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256
+\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA
+\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256
+\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256
+\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA
+\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384
+\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256
+\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA
+\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256
+\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256
+\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA
+\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384
+\& TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256
+\& TLS_DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA
+\& TLS_DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8
+\& TLS_DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM
+\& TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256
+\& TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384
+\& TLS_DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA
+\& TLS_DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8
+\& TLS_DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM
+\& TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384
+\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
+\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA
+\& TLS_DHE_RSA_WITH_AES_128_CCM_8 DHE\-RSA\-AES128\-CCM8
+\& TLS_DHE_RSA_WITH_AES_128_CCM DHE\-RSA\-AES128\-CCM
+\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
+\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA
+\& TLS_DHE_RSA_WITH_AES_256_CCM_8 DHE\-RSA\-AES256\-CCM8
+\& TLS_DHE_RSA_WITH_AES_256_CCM DHE\-RSA\-AES256\-CCM
+\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384
+\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA
+\& TLS_ECDH_anon_WITH_AES_128_CCM_8 AECDH\-AES128\-CCM8
+\& TLS_ECDH_anon_WITH_AES_128_CCM AECDH\-AES128\-CCM
+\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA
+\& TLS_ECDH_anon_WITH_AES_256_CCM_8 AECDH\-AES256\-CCM8
+\& TLS_ECDH_anon_WITH_AES_256_CCM AECDH\-AES256\-CCM
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH\-ECDSA\-AES128\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH\-ECDSA\-AES128\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH\-ECDSA\-AES256\-SHA384
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH\-ECDSA\-AES256\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH\-ECDSA\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM
+\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM
+\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256
+\& TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 ECDHE\-PSK\-AES128\-CCM8
+\& TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 ECDHE\-PSK\-AES128\-CCM
+\& TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ECDHE\-PSK\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384
+\& TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 ECDHE\-PSK\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_128_CCM_8 ECDHE\-RSA\-AES128\-CCM8
+\& TLS_ECDHE_RSA_WITH_AES_128_CCM ECDHE\-RSA\-AES128\-CCM
+\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_256_CCM_8 ECDHE\-RSA\-AES256\-CCM8
+\& TLS_ECDHE_RSA_WITH_AES_256_CCM ECDHE\-RSA\-AES256\-CCM
+\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH\-RSA\-AES128\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH\-RSA\-AES128\-SHA
+\& TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH\-RSA\-AES256\-SHA384
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH\-RSA\-AES256\-SHA
+\& TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH\-RSA\-AES256\-GCM\-SHA384
+\& TLS_PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256
+\& TLS_PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA
+\& TLS_PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8
+\& TLS_PSK_WITH_AES_128_CCM PSK\-AES128\-CCM
+\& TLS_PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
+\& TLS_PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384
+\& TLS_PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA
+\& TLS_PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8
+\& TLS_PSK_WITH_AES_256_CCM PSK\-AES256\-CCM
+\& TLS_PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
+\& TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256
+\& TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA
+\& TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256
+\& TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384
+\& TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA
+\& TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384
+\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256
+\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
+\& TLS_RSA_WITH_AES_128_CCM_8 AES128\-CCM8
+\& TLS_RSA_WITH_AES_128_CCM AES128\-CCM
+\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
+\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256
+\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA
+\& TLS_RSA_WITH_AES_256_CCM_8 AES256\-CCM8
+\& TLS_RSA_WITH_AES_256_CCM AES256\-CCM
+\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
.Ve
-.SS "SEED cipher suites from RFC4162, extending TLS v1.0"
-.IX Subsection "SEED cipher suites from RFC4162, extending TLS v1.0"
-.Vb 1
-\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
-\&
-\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA
-\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA
-\&
-\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA
-\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA
-\&
-\& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA
+.SS "Camellia cipher suites for TLS v1.2"
+.IX Subsection "Camellia cipher suites for TLS v1.2"
+.Vb 10
+\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 ADH\-CAMELLIA128\-SHA256
+\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA
+\& TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 ADH\-CAMELLIA128\-GCM\-SHA256
+\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 ADH\-CAMELLIA256\-SHA256
+\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA
+\& TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 ADH\-CAMELLIA256\-GCM\-SHA384
+\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 DHE\-DSS\-CAMELLIA128\-SHA256
+\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA
+\& TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 DHE\-DSS\-CAMELLIA128\-GCM\-SHA256
+\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 DHE\-DSS\-CAMELLIA256\-SHA256
+\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA
+\& TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 DHE\-DSS\-CAMELLIA256\-GCM\-SHA384
+\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 DHE\-RSA\-CAMELLIA128\-SHA256
+\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA
+\& TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 DHE\-RSA\-CAMELLIA128\-GCM\-SHA256
+\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 DHE\-RSA\-CAMELLIA256\-SHA256
+\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA
+\& TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 DHE\-RSA\-CAMELLIA256\-GCM\-SHA384
+\& TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDH\-ECDSA\-CAMELLIA128\-SHA256
+\& TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDH\-ECDSA\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384
+\& TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDH\-RSA\-CAMELLIA128\-SHA256
+\& TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDH\-RSA\-CAMELLIA256\-SHA384
+\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 CAMELLIA128\-SHA256
+\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
+\& TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 CAMELLIA128\-GCM\-SHA256
+\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 CAMELLIA256\-SHA256
+\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA
+\& TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 CAMELLIA256\-GCM\-SHA384
.Ve
-.SS "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0"
-.IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0"
-Note: these ciphers require an engine which including GOST cryptographic
-algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL
-distribution.
-.PP
+.SS "SEED cipher suites for TLS v1.2"
+.IX Subsection "SEED cipher suites for TLS v1.2"
.Vb 4
-\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89
-\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89
-\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94
-\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94
+\& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA
+\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA
+\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA
+\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
.Ve
-.SS "GOST cipher suites, extending TLS v1.2"
-.IX Subsection "GOST cipher suites, extending TLS v1.2"
+.SS "GOST cipher suites for TLS v1.2"
+.IX Subsection "GOST cipher suites for TLS v1.2"
Note: these ciphers require an engine which including GOST cryptographic
-algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL
+algorithms, such as the \fBgost\fR engine, which isn\*(Aqt part of the OpenSSL
distribution.
.PP
-.Vb 2
-\& TLS_GOSTR341112_256_WITH_28147_CNT_IMIT GOST2012\-GOST8912\-GOST8912
-\& TLS_GOSTR341112_256_WITH_NULL_GOSTR3411 GOST2012\-NULL\-GOST12
-.Ve
-.PP
-Note: GOST2012\-GOST8912\-GOST8912 is an alias for two ciphers ID
-old LEGACY\-GOST2012\-GOST8912\-GOST8912 and new IANA\-GOST2012\-GOST8912\-GOST8912
-.SS "Additional Export 1024 and other cipher suites"
-.IX Subsection "Additional Export 1024 and other cipher suites"
-Note: these ciphers can also be used in SSL v3.
-.PP
-.Vb 1
-\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA
-.Ve
-.SS "Elliptic curve cipher suites"
-.IX Subsection "Elliptic curve cipher suites"
-.Vb 5
-\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA
-\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA
-\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA
-\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA
-\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA
-\&
-\& TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE\-ECDSA\-NULL\-SHA
-\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA
-\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA
-\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA
-\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA
-\&
-\& TLS_ECDH_anon_WITH_NULL_SHA AECDH\-NULL\-SHA
-\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA
-\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA
-\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA
-\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA
-.Ve
-.SS "TLS v1.2 cipher suites"
-.IX Subsection "TLS v1.2 cipher suites"
-.Vb 1
-\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256
-\&
-\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256
-\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256
-\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
-\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
-\&
-\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256
-\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256
-\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256
-\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384
-\&
-\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256
-\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256
-\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256
-\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384
-\&
-\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
-\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
-\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256
-\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384
-\&
-\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256
-\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256
-\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256
-\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384
-\&
-\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256
-\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384
-\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256
-\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384
-\&
-\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256
-\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384
-\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256
-\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384
-\&
-\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256
-\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256
-\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256
-\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384
-\&
-\& RSA_WITH_AES_128_CCM AES128\-CCM
-\& RSA_WITH_AES_256_CCM AES256\-CCM
-\& DHE_RSA_WITH_AES_128_CCM DHE\-RSA\-AES128\-CCM
-\& DHE_RSA_WITH_AES_256_CCM DHE\-RSA\-AES256\-CCM
-\& RSA_WITH_AES_128_CCM_8 AES128\-CCM8
-\& RSA_WITH_AES_256_CCM_8 AES256\-CCM8
-\& DHE_RSA_WITH_AES_128_CCM_8 DHE\-RSA\-AES128\-CCM8
-\& DHE_RSA_WITH_AES_256_CCM_8 DHE\-RSA\-AES256\-CCM8
-\& ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM
-\& ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM
-\& ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8
-\& ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8
+.Vb 7
+\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89
+\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94
+\& IANA\-GOST2012\-GOST8912\-GOST8912
+\& LEGACY\-GOST2012\-GOST8912\-GOST8912
+\& GOST2012\-NULL\-GOST12
+\& GOST2012\-KUZNYECHIK\-KUZNYECHIKOMAC
+\& GOST2012\-MAGMA\-MAGMAOMAC
.Ve
.SS "ARIA cipher suites from RFC6209, extending TLS v1.2"
.IX Subsection "ARIA cipher suites from RFC6209, extending TLS v1.2"
Note: the CBC modes mentioned in this RFC are not supported.
.PP
.Vb 10
-\& TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128\-GCM\-SHA256
-\& TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256\-GCM\-SHA384
-\& TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE\-RSA\-ARIA128\-GCM\-SHA256
-\& TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE\-RSA\-ARIA256\-GCM\-SHA384
-\& TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE\-DSS\-ARIA128\-GCM\-SHA256
-\& TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE\-DSS\-ARIA256\-GCM\-SHA384
-\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256
-\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384
-\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ARIA128\-GCM\-SHA256
-\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ARIA256\-GCM\-SHA384
-\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256
-\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384
-\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256
-\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384
-\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256
-\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384
-.Ve
-.SS "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2"
-.IX Subsection "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2"
-.Vb 4
-\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256
-\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384
-\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256
-\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384
-.Ve
-.SS "Pre-shared keying (PSK) cipher suites"
-.IX Subsection "Pre-shared keying (PSK) cipher suites"
-.Vb 3
-\& PSK_WITH_NULL_SHA PSK\-NULL\-SHA
-\& DHE_PSK_WITH_NULL_SHA DHE\-PSK\-NULL\-SHA
-\& RSA_PSK_WITH_NULL_SHA RSA\-PSK\-NULL\-SHA
-\&
-\& PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA
-\& PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA
-\& PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA
-\& PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA
-\&
-\& DHE_PSK_WITH_RC4_128_SHA DHE\-PSK\-RC4\-SHA
-\& DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE\-PSK\-3DES\-EDE\-CBC\-SHA
-\& DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA
-\& DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA
-\&
-\& RSA_PSK_WITH_RC4_128_SHA RSA\-PSK\-RC4\-SHA
-\& RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA\-PSK\-3DES\-EDE\-CBC\-SHA
-\& RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA
-\& RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA
-\&
-\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
-\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
-\& DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256
-\& DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384
-\& RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256
-\& RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384
-\&
-\& PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256
-\& PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384
-\& PSK_WITH_NULL_SHA256 PSK\-NULL\-SHA256
-\& PSK_WITH_NULL_SHA384 PSK\-NULL\-SHA384
-\& DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256
-\& DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384
-\& DHE_PSK_WITH_NULL_SHA256 DHE\-PSK\-NULL\-SHA256
-\& DHE_PSK_WITH_NULL_SHA384 DHE\-PSK\-NULL\-SHA384
-\& RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256
-\& RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384
-\& RSA_PSK_WITH_NULL_SHA256 RSA\-PSK\-NULL\-SHA256
-\& RSA_PSK_WITH_NULL_SHA384 RSA\-PSK\-NULL\-SHA384
-\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
-\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
-\&
-\& ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA
-\& ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-3DES\-EDE\-CBC\-SHA
-\& ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA
-\& ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA
-\& ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256
-\& ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384
-\& ECDHE_PSK_WITH_NULL_SHA ECDHE\-PSK\-NULL\-SHA
-\& ECDHE_PSK_WITH_NULL_SHA256 ECDHE\-PSK\-NULL\-SHA256
-\& ECDHE_PSK_WITH_NULL_SHA384 ECDHE\-PSK\-NULL\-SHA384
-\&
-\& PSK_WITH_CAMELLIA_128_CBC_SHA256 PSK\-CAMELLIA128\-SHA256
-\& PSK_WITH_CAMELLIA_256_CBC_SHA384 PSK\-CAMELLIA256\-SHA384
-\&
-\& DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 DHE\-PSK\-CAMELLIA128\-SHA256
-\& DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 DHE\-PSK\-CAMELLIA256\-SHA384
-\&
-\& RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 RSA\-PSK\-CAMELLIA128\-SHA256
-\& RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 RSA\-PSK\-CAMELLIA256\-SHA384
-\&
-\& ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256
-\& ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384
-\&
-\& PSK_WITH_AES_128_CCM PSK\-AES128\-CCM
-\& PSK_WITH_AES_256_CCM PSK\-AES256\-CCM
-\& DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM
-\& DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM
-\& PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8
-\& PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8
-\& DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8
-\& DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8
+\& TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 ADH\-ARIA128\-CBC\-SHA256
+\& TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 ADH\-ARIA128\-GCM\-SHA256
+\& TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 ADH\-ARIA256\-CBC\-SHA384
+\& TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 ADH\-ARIA256\-GCM\-SHA384
+\& TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE\-DSS\-ARIA128\-GCM\-SHA256
+\& TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE\-DSS\-ARIA256\-GCM\-SHA384
+\& TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 DHE\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 DHE\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 DHE\-RSA\-ARIA128\-CBC\-SHA256
+\& TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE\-RSA\-ARIA128\-GCM\-SHA256
+\& TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 DHE\-RSA\-ARIA256\-CBC\-SHA384
+\& TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE\-RSA\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 ECDHE\-ECDSA\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 ECDHE\-ECDSA\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 ECDHE\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_PSK_WITH_ARIA_128_GCM_SHA256 ECDHE\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 ECDHE\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_PSK_WITH_ARIA_256_GCM_SHA384 ECDHE\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE\-RSA\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-RSA\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE\-RSA\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-RSA\-ARIA256\-GCM\-SHA384
+\& TLS_PSK_WITH_ARIA_128_CBC_SHA256 PSK\-ARIA128\-CBC\-SHA256
+\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256
+\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384
+\& TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 RSA\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 RSA\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_RSA_WITH_ARIA_128_CBC_SHA256 ARIA128\-CBC\-SHA256
+\& TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128\-GCM\-SHA256
+\& TLS_RSA_WITH_ARIA_256_CBC_SHA384 ARIA256\-CBC\-SHA384
+\& TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256\-GCM\-SHA384
.Ve
.SS "ChaCha20\-Poly1305 cipher suites, extending TLS v1.2"
.IX Subsection "ChaCha20-Poly1305 cipher suites, extending TLS v1.2"
.Vb 7
-\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305
-\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305
-\& TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE\-RSA\-CHACHA20\-POLY1305
-\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305
-\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305
-\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305
-\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305
+\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305
+\& TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE\-RSA\-CHACHA20\-POLY1305
+\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305
+\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305
+\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305
+\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305
+\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305
+.Ve
+.SS "Elliptic curve cipher suites for TLS v.1.2"
+.IX Subsection "Elliptic curve cipher suites for TLS v.1.2"
+.Vb 10
+\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA
+\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA
+\& TLS_ECDH_anon_WITH_AES_128_CCM_8 AECDH\-AES128\-CCM8
+\& TLS_ECDH_anon_WITH_AES_128_CCM AECDH\-AES128\-CCM
+\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA
+\& TLS_ECDH_anon_WITH_AES_256_CCM_8 AECDH\-AES256\-CCM8
+\& TLS_ECDH_anon_WITH_AES_256_CCM AECDH\-AES256\-CCM
+\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA
+\& TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH\-ECDSA\-DES\-CBC3\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH\-ECDSA\-AES128\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH\-ECDSA\-AES128\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH\-ECDSA\-AES256\-SHA384
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH\-ECDSA\-AES256\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH\-ECDSA\-AES256\-GCM\-SHA384
+\& TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDH\-ECDSA\-CAMELLIA128\-SHA256
+\& TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDH\-ECDSA\-CAMELLIA256\-SHA384
+\& TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH\-ECDSA\-RC4\-SHA
+\& TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH\-RSA\-DES\-CBC3\-SHA
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH\-RSA\-AES128\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH\-RSA\-AES128\-SHA
+\& TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH\-RSA\-AES256\-SHA384
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH\-RSA\-AES256\-SHA
+\& TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH\-RSA\-AES256\-GCM\-SHA384
+\& TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDH\-RSA\-CAMELLIA128\-SHA256
+\& TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDH\-RSA\-CAMELLIA256\-SHA384
+\& TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH\-RSA\-RC4\-SHA
+\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM
+\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM
+\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 ECDHE\-ECDSA\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 ECDHE\-ECDSA\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305
+\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA
+\& TLS_ECDHE_ECDSA_WITH_SM4_CCM_SM3 ECDHE\-ECDSA\-SM4\-CCM\-SM3
+\& TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 ECDHE\-ECDSA\-SM4\-GCM\-SM3
+\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_128_CCM_8 ECDHE\-RSA\-AES128\-CCM8
+\& TLS_ECDHE_RSA_WITH_AES_128_CCM ECDHE\-RSA\-AES128\-CCM
+\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_256_CCM_8 ECDHE\-RSA\-AES256\-CCM8
+\& TLS_ECDHE_RSA_WITH_AES_256_CCM ECDHE\-RSA\-AES256\-CCM
+\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 ECDHE\-RSA\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-RSA\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 ECDHE\-RSA\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-RSA\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305
+\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA
+\& TLS_ECDHE_RSA_WITH_SM4_CCM_SM3 ECDHE\-RSA\-SM4\-CCM\-SM3
+\& TLS_ECDHE_RSA_WITH_SM4_GCM_SM3 ECDHE\-RSA\-SM4\-GCM\-SM3
+\& TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-DES\-CBC3\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256
+\& TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 ECDHE\-PSK\-AES128\-CCM8
+\& TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 ECDHE\-PSK\-AES128\-CCM
+\& TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ECDHE\-PSK\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384
+\& TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 ECDHE\-PSK\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 ECDHE\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_PSK_WITH_ARIA_128_GCM_SHA256 ECDHE\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 ECDHE\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_PSK_WITH_ARIA_256_GCM_SHA384 ECDHE\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305
+\& TLS_ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA
+\& TLS_ECDHE_PSK_WITH_SM4_CCM_SM3 ECDHE\-PSK\-SM4\-CCM\-SM3
+\& TLS_ECDHE_PSK_WITH_SM4_GCM_SM3 ECDHE\-PSK\-SM4\-GCM\-SM3
+.Ve
+.SS "Pre\-shared keying (PSK) cipher suites"
+.IX Subsection "Pre-shared keying (PSK) cipher suites"
+.Vb 10
+\& TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256
+\& TLS_DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA
+\& TLS_DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8
+\& TLS_DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM
+\& TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256
+\& TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384
+\& TLS_DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA
+\& TLS_DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8
+\& TLS_DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM
+\& TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384
+\& TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 DHE\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 DHE\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305
+\& TLS_DHE_PSK_WITH_SM4_CCM_SM3 DHE\-PSK\-SM4\-CCM\-SM3
+\& TLS_DHE_PSK_WITH_SM4_GCM_SM3 DHE\-PSK\-SM4\-GCM\-SM3
+\& TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-DES\-CBC3\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256
+\& TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 ECDHE\-PSK\-AES128\-CCM8
+\& TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 ECDHE\-PSK\-AES128\-CCM
+\& TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ECDHE\-PSK\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384
+\& TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA
+\& TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 ECDHE\-PSK\-AES256\-GCM\-SHA384
+\& TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 ECDHE\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_ECDHE_PSK_WITH_ARIA_128_GCM_SHA256 ECDHE\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 ECDHE\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_ECDHE_PSK_WITH_ARIA_256_GCM_SHA384 ECDHE\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256
+\& TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384
+\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305
+\& TLS_ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA
+\& TLS_ECDHE_PSK_WITH_SM4_CCM_SM3 ECDHE\-PSK\-SM4\-CCM\-SM3
+\& TLS_ECDHE_PSK_WITH_SM4_GCM_SM3 ECDHE\-PSK\-SM4\-GCM\-SM3
+\& TLS_PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256
+\& TLS_PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA
+\& TLS_PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8
+\& TLS_PSK_WITH_AES_128_CCM PSK\-AES128\-CCM
+\& TLS_PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
+\& TLS_PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384
+\& TLS_PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA
+\& TLS_PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8
+\& TLS_PSK_WITH_AES_256_CCM PSK\-AES256\-CCM
+\& TLS_PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
+\& TLS_PSK_WITH_ARIA_128_CBC_SHA256 PSK\-ARIA128\-CBC\-SHA256
+\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256
+\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384
+\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305
+\& TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256
+\& TLS_RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA
+\& TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256
+\& TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384
+\& TLS_RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA
+\& TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384
+\& TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 RSA\-PSK\-ARIA128\-CBC\-SHA256
+\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256
+\& TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 RSA\-PSK\-ARIA256\-CBC\-SHA384
+\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384
+\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305
+\& TLS_RSA_PSK_WITH_SM4_CCM_SM3 RSA\-PSK\-SM4\-CCM\-SM3
+\& TLS_RSA_PSK_WITH_SM4_GCM_SM3 RSA\-PSK\-SM4\-GCM\-SM3
+.Ve
+.SS "Other TLS v1.2 cipher suites"
+.IX Subsection "Other TLS v1.2 cipher suites"
+.Vb 10
+\& TLS_RSA_WITH_NULL_MD5 NULL\-MD5
+\& TLS_RSA_WITH_NULL_SHA NULL\-SHA
+\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256
+\& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5
+\& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA
+\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
+\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
+\& TLS_RSA_WITH_SM4_CCM_SM3 SM4\-CCM\-SM3
+\& TLS_RSA_WITH_SM4_GCM_SM3 SM4\-GCM\-SM3
+\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
+\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
+\& TLS_DHE_RSA_WITH_SM4_CCM_SM3 DHE\-RSA\-SM4\-CCM\-SM3
+\& TLS_DHE_RSA_WITH_SM4_GCM_SM3 DHE\-RSA\-SM4\-GCM\-SM3
+\& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
+\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
.Ve
.SS "TLS v1.3 cipher suites"
.IX Subsection "TLS v1.3 cipher suites"
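Review bot: the 19 ECDHE-PSK rows (TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA through TLS_ECDHE_PSK_WITH_SM4_GCM_SM3) are added twice, once after the ECDHE-RSA rows and again inside the new "Pre-shared keying (PSK) cipher suites" block; keep them in one place so the two copies cannot drift apart. In the plain PSK rows, ARIA_128_CBC_SHA256, ARIA_128_GCM_SHA256 and ARIA_256_GCM_SHA384 are listed but ARIA_256_CBC_SHA384 is not, while the DHE_PSK and RSA_PSK groups carry all four, so please confirm the omission is intended. The "Other TLS v1.2 cipher suites" block also lists NULL, RC4, 3DES and anonymous-DH names with no marker, and a one-line remark that these provide no or weak protection would help readers who copy names from this table into a cipher string.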
@@ -753,7 +858,7 @@ Note: the CBC modes mentioned in this RFC are not supported.
\& TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256
\& TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256
.Ve
-.SS "TLS v1.3 integrity-only cipher suites according to RFC 9150"
+.SS "TLS v1.3 integrity\-only cipher suites according to RFC 9150"
.IX Subsection "TLS v1.3 integrity-only cipher suites according to RFC 9150"
.Vb 2
\& TLS_SHA256_SHA256 TLS_SHA256_SHA256
@@ -763,13 +868,13 @@ Note: the CBC modes mentioned in this RFC are not supported.
Note: these ciphers are purely HMAC based and do not provide any confidentiality
and thus are disabled by default.
These ciphers are only available at security level 0.
-.SS "Older names used by OpenSSL"
-.IX Subsection "Older names used by OpenSSL"
+.SS """EDH\-"" aliases to ""DHE\-"" names for backward compatibility"
+.IX Subsection """EDH-"" aliases to ""DHE-"" names for backward compatibility"
The following names are accepted by older releases:
.PP
.Vb 2
-\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA (DHE\-RSA\-DES\-CBC3\-SHA)
-\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA (DHE\-DSS\-DES\-CBC3\-SHA)
+\& EDH\-RSA\-DES\-CBC3\-SHA \- alias of DHE\-RSA\-DES\-CBC3\-SHA
+\& EDH\-DSS\-DES\-CBC3\-SHA \- alias of DHE\-DSS\-DES\-CBC3\-SHA
.Ve
.SH NOTES
.IX Header "NOTES"
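Review bot: the unchanged lead-in "The following names are accepted by older releases:" no longer fits the renamed subsection, which now describes EDH- names as aliases kept for backward compatibility rather than as names used by older releases. Reword the sentence to match the new heading, for example by saying that the EDH- spellings are still accepted as aliases. The rows also drop the SSL_DHE_..._WITH_3DES_EDE_CBC_SHA standard names, so a reader can no longer map the alias back to a standard name from this subsection alone.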
@@ -797,16 +902,10 @@ authentication (aNULL):
\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq
.Ve
.PP
-Include only 3DES ciphers and then place RSA ciphers last:
-.PP
-.Vb 1
-\& openssl ciphers \-v \*(Aq3DES:+RSA\*(Aq
-.Ve
-.PP
-Include all RC4 ciphers but leave out those without authentication:
+Include only AES ciphers and then place RSA ciphers last:
.PP
.Vb 1
-\& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq
+\& openssl ciphers \-v \*(AqAES:+RSA\*(Aq
.Ve
.PP
Include all ciphers with RSA authentication but leave out ciphers without
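Review bot: documentation gap in the EXAMPLES rewrite: removing the RC4 example also removes the only use of a negated macro (!COMPLEMENTOFDEFAULT) in this hunk, and the replacement 'AES:+RSA' only demonstrates the reordering operator. Dropping the 3DES and RC4 strings is a good change since people paste these examples; consider adding one modern example that still shows exclusion with "!", so the operator stays illustrated.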
@@ -832,17 +931,17 @@ Set security level to 2 and display all ciphers consistent with level 2:
The \fB\-V\fR option was added in OpenSSL 1.0.0.
.PP
The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled
-(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1.
+(\fBenable\-ssl\-trace\fR argument to Configure) before OpenSSL 1.1.1.
.PP
The \fB\-convert\fR option was added in OpenSSL 1.1.1.
.PP
Support for standard IANA names in cipher lists was added in
OpenSSL 3.2.0.
.PP
-The support for TLS v1.3 integrity-only cipher suites was added in OpenSSL 3.4.
+The support for TLS v1.3 integrity\-only cipher suites was added in OpenSSL 3.4.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-cmds.1 b/secure/usr.bin/openssl/man/openssl-cmds.1
index d450d50148de..b83b9853946a 100644
--- a/secure/usr.bin/openssl/man/openssl-cmds.1
+++ b/secure/usr.bin/openssl/man/openssl-cmds.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
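Review bot: documentation point on the generator line: the move from Pod::Man 5.0102 to v6.0.2 explains the mechanical changes repeated through this file and the others (hyphens becoming \-, apostrophes becoming \*(Aq, the added ".if n .ds AD l" preamble line). These are regeneration output, not content edits, and it is worth stating that in the commit message if it does not already, so reviewers can separate the churn from real wording changes such as the RFC 4210 to RFC 9810 updates in openssl-cmp.1.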
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CMDS 1ossl"
-.TH OPENSSL-CMDS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CMDS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -184,10 +187,10 @@ Print out a usage message for the subcommand.
Initially, the manual page entry for the \f(CW\*(C`openssl \fR\f(CIcmd\fR\f(CW\*(C'\fR command used
to be available at \fIcmd\fR(1). Later, the alias \fBopenssl\-\fR\f(BIcmd\fR(1) was
introduced, which made it easier to group the openssl commands using
-the \fBapropos\fR\|(1) command or the shell's tab completion.
+the \fBapropos\fR\|(1) command or the shell\*(Aqs tab completion.
.PP
In order to reduce cluttering of the global manual page namespace,
-the manual page entries without the 'openssl\-' prefix have been
+the manual page entries without the \*(Aqopenssl\-\*(Aq prefix have been
deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
diff --git a/secure/usr.bin/openssl/man/openssl-cmp.1 b/secure/usr.bin/openssl/man/openssl-cmp.1
index e28310ecd79e..948df496e68b 100644
--- a/secure/usr.bin/openssl/man/openssl-cmp.1
+++ b/secure/usr.bin/openssl/man/openssl-cmp.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,16 +52,19 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CMP 1ossl"
-.TH OPENSSL-CMP 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CMP 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
-openssl\-cmp \- Certificate Management Protocol (CMP, RFC 4210) application
+openssl\-cmp \- Certificate Management Protocol (CMP, RFCs 9810 and 9811) application
.SH SYNOPSIS
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcmp\fR
@@ -179,7 +182,7 @@ TLS connection options:
[\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR]
[\fB\-tls_host\fR \fIname\fR]
.PP
-Client-side debugging options:
+Client\-side debugging options:
.PP
[\fB\-batch\fR]
[\fB\-repeat\fR \fInumber\fR]
@@ -261,7 +264,8 @@ Certificate verification options, for both CMP and TLS:
.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBcmp\fR command is a client implementation for the Certificate
-Management Protocol (CMP) as defined in RFC4210.
+Management Protocol (CMP) as defined in RFCs 9810 and
+its HTTP(S) transfer as defined in RFC 9811.
It can be used to request certificates from a CA server,
update their certificates,
request certificates to be revoked, and perform other types of CMP requests.
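Review bot: wording problem in the new DESCRIPTION sentence: "as defined in RFCs 9810 and its HTTP(S) transfer as defined in RFC 9811" uses the plural "RFCs" with a single number and leaves "and" dangling. Something like "as defined in RFC 9810, with its HTTP(S) transfer as defined in RFC 9811" reads correctly. The fix belongs in the pod source this page is generated from.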
@@ -285,7 +289,7 @@ Multiple section names may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Contents of sections named later may override contents of sections named before.
In any case, as usual, the \f(CW\*(C`[default]\*(C'\fR section and finally the unnamed
-section (as far as present) can provide per-option fallback values.
+section (as far as present) can provide per\-option fallback values.
.IP "\fB\-verbosity\fR \fIlevel\fR" 4
.IX Item "-verbosity level"
Level of verbosity for logging, error output, etc.
@@ -300,21 +304,21 @@ CMP command to execute.
Currently implemented commands are:
.RS 4
.IP "ir \ \- Initialization Request" 8
-.IX Item "ir \ - Initialization Request"
+.IX Item "ir - Initialization Request"
.PD 0
.IP "cr \ \- Certificate Request" 8
-.IX Item "cr \ - Certificate Request"
+.IX Item "cr - Certificate Request"
.IP "p10cr \- PKCS#10 Certification Request (for legacy support)" 8
.IX Item "p10cr - PKCS#10 Certification Request (for legacy support)"
.IP "kur \ \ \- Key Update Request" 8
-.IX Item "kur \ \ - Key Update Request"
+.IX Item "kur - Key Update Request"
.IP "rr \ \- Revocation Request" 8
-.IX Item "rr \ - Revocation Request"
+.IX Item "rr - Revocation Request"
.IP "genm \- General Message" 8
.IX Item "genm - General Message"
+.PD
.RE
.RS 4
-.PD
.Sp
\&\fBir\fR requests initialization of an end entity into a PKI hierarchy
by issuing a first certificate.
@@ -346,7 +350,7 @@ Name of a certificate profile to place in
the PKIHeader generalInfo field of request messages.
.IP "\fB\-geninfo\fR \fIvalues\fR" 4
.IX Item "-geninfo values"
-A comma-separated list of InfoTypeAndValue to place in
+A comma\-separated list of InfoTypeAndValue to place in
the generalInfo field of the PKIHeader of requests messages.
Each InfoTypeAndValue gives an OID and an integer or string value
of the form \fIOID\fR:int:\fInumber\fR or \fIOID\fR:str:\fItext\fR,
@@ -354,11 +358,11 @@ e.g., \f(CW\*(Aq1.2.3.4:int:56789, id\-kp:str:name\*(Aq\fR.
.IP "\fB\-template\fR \fIfilename\fR" 4
.IX Item "-template filename"
The file to save any CRMF certTemplate in DER format
-received in a genp message with id-it-certReqTemplate.
+received in a genp message with id\-it\-certReqTemplate.
.IP "\fB\-keyspec\fR \fIfilename\fR" 4
.IX Item "-keyspec filename"
It is optional and used to specify the file to save any keySpec if
-present in a genp message with id-it-keyGenParameters.
+present in a genp message with id\-it\-keyGenParameters.
.Sp
Note: any keySpec field contents received are logged as INFO.
.SS "Certificate enrollment options"
@@ -392,7 +396,7 @@ File to save centrally generated private key, in PEM format.
.IX Item "-subject name"
X.509 Distinguished Name (DN) to use as subject field
in the requested certificate template in IR/CR/KUR messages.
-If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no subject is placed in the template.
+If the NULL\-DN (\f(CW\*(C`/\*(C'\fR) is given then no subject is placed in the template.
Default is the subject DN of any PKCS#10 CSR given with the \fB\-csr\fR option.
For KUR, a further fallback is the subject DN
of the reference certificate (see \fB\-oldcert\fR) if provided.
@@ -404,8 +408,8 @@ the subject DN is used as fallback sender of outgoing CMP messages.
The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash); whitespace is retained.
Empty values are permitted, but the corresponding type will not be included.
-Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
-Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN).
+Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
@@ -451,11 +455,11 @@ This option cannot be used together with \fB\-policies\fR.
Flag the policies given with \fB\-policy_oids\fR as critical.
.IP "\fB\-popo\fR \fInumber\fR" 4
.IX Item "-popo number"
-Proof-of-possession (POPO) method to use for IR/CR/KUR; values: \f(CW\-1\fR..<2> where
+Proof\-of\-possession (POPO) method to use for IR/CR/KUR; values: \f(CW\-1\fR..<2> where
\&\f(CW\-1\fR = NONE, which implies central key generation,
\&\f(CW0\fR = RAVERIFIED, \f(CW1\fR = SIGNATURE (default), \f(CW2\fR = KEYENC.
.Sp
-Note that a signature-based POPO can only be produced if a private key
+Note that a signature\-based POPO can only be produced if a private key
is provided via the \fB\-newkey\fR or \fB\-key\fR options.
.IP "\fB\-csr\fR \fIfilename\fR" 4
.IX Item "-csr filename"
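Review bot: the \-popo value range still reads "\-1..<2>" on both the removed and the added line, which looks like lost markup in the pod source rather than intended text, given that the following lines enumerate the values as -1, 0, 1 and 2. Since the line is being touched anyway, fix the source so the upper bound renders as a plain 2 in the same font as the -1.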
@@ -494,7 +498,7 @@ Request implicit confirmation of newly enrolled certificates.
Do not send certificate confirmation message for newly enrolled certificate
without requesting implicit confirmation
to cope with broken servers not supporting implicit confirmation correctly.
-\&\fBWARNING:\fR This leads to behavior violating RFC 4210.
+\&\fBWARNING:\fR This leads to behavior violating RFC 9810.
.IP "\fB\-certout\fR \fIfilename\fR" 4
.IX Item "-certout filename"
The file where any newly enrolled certificate should be saved.
@@ -511,7 +515,7 @@ the newly enrolled certificate followed by its chain.
.IX Subsection "Certificate enrollment and revocation options"
.IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-oldcert filename|uri"
-The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
+The certificate to be updated (i.e., renewed or re\-keyed) in Key Update Request
(KUR) messages or to be revoked in Revocation Request (RR) messages.
For KUR the certificate to be updated defaults to \fB\-cert\fR,
and the resulting certificate is called \fIreference certificate\fR.
@@ -529,7 +533,7 @@ if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given.
.IX Item "-issuer name"
X.509 Distinguished Name (DN) to place as the issuer field
in the requested certificate template in IR/CR/KUR/RR messages.
-If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no issuer is placed in the template.
+If the NULL\-DN (\f(CW\*(C`/\*(C'\fR) is given then no issuer is placed in the template.
.Sp
If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
the issuer DN is used as fallback recipient of outgoing CMP messages.
@@ -609,7 +613,7 @@ the subject of the CMP server certificate given with the \fB\-srvcert\fR option,
the \fB\-issuer\fR option,
the issuer of the certificate given with the \fB\-oldcert\fR option,
the issuer of the CMP client certificate (\fB\-cert\fR option),
-as far as any of those is present, else the NULL-DN as last resort.
+as far as any of those is present, else the NULL\-DN as last resort.
.Sp
The argument must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
For details see the description of the \fB\-subject\fR option.
@@ -629,7 +633,7 @@ i.e., an error occurs if the server does not grant it.
The default value is 1, which means preferring to keep the connection open.
.IP "\fB\-msg_timeout\fR \fIseconds\fR" 4
.IX Item "-msg_timeout seconds"
-Number of seconds a CMP request-response message round trip
+Number of seconds a CMP request\-response message round trip
is allowed to take before a timeout error is returned.
A value <= 0 means no limitation (waiting indefinitely).
Default is to use the \fB\-total_timeout\fR setting.
@@ -644,7 +648,7 @@ Default is 0.
.IP "\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR" 4
.IX Item "-trusted filenames|uris"
The certificate(s), typically of root CAs, the client shall use as trust anchors
-when validating signature-based protection of CMP response messages.
+when validating signature\-based protection of CMP response messages.
This option is ignored if the \fB\-srvcert\fR option is given as well.
It provides more flexibility than \fB\-srvcert\fR because the CMP protection
certificate of the server is not pinned but may be any certificate
@@ -662,13 +666,13 @@ The certificate verification options
have no effect on the certificate verification enabled via this option.
.IP "\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
.IX Item "-untrusted filenames|uris"
-Non-trusted intermediate CA certificate(s).
+Non\-trusted intermediate CA certificate(s).
Any extra certificates given with the \fB\-cert\fR option are appended to it.
All these certificates may be useful for cert path construction
for the own CMP signer certificate (to include in the extraCerts field of
request messages) and for the TLS client certificate (if TLS is used)
as well as for chain building
-when validating server certificates (checking signature-based
+when validating server certificates (checking signature\-based
CMP message protection) and when validating newly enrolled certificates.
.Sp
Multiple sources may be given, separated by commas and/or whitespace
@@ -677,7 +681,7 @@ Each source may contain multiple certificates.
.IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-srvcert filename|uri"
The specific CMP server certificate to expect and directly trust (even if it is
-expired) when verifying signature-based protection of CMP response messages.
+expired) when verifying signature\-based protection of CMP response messages.
This pins the accepted server and results in ignoring the \fB\-trusted\fR option.
.Sp
If set, the subject of the certificate is also used
@@ -700,7 +704,7 @@ For details see the description of the \fB\-subject\fR option.
.IP \fB\-ignore_keyusage\fR 4
.IX Item "-ignore_keyusage"
Ignore key usage restrictions in CMP signer certificates when validating
-signature-based protection of incoming CMP messages.
+signature\-based protection of incoming CMP messages.
By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by CMP signer certificates.
This option applies to both CMP clients and the mock server.
.IP \fB\-unprotected_errors\fR 4
@@ -721,7 +725,7 @@ negative PKIConf messages
.Sp
\&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant
exclusively to allow interoperability with server implementations violating
-RFC 4210, e.g.:
+RFC 9810, e.g.:
.IP \(bu 4
section 5.1.3.1 allows exceptions from protecting only for special
cases:
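Review bot: the RFC number in this warning changes from 4210 to 9810, but the references that follow it ("section 5.1.3.1" here and "appendix D.4" in the next context lines) are left unchanged. Elsewhere in this patch the external-identity reference moved from appendix E.7 to appendix D.7, so the appendices were renumbered between the two RFCs. Please confirm that 5.1.3.1 and D.4 still point at the intended text in RFC 9810.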
@@ -739,13 +743,19 @@ appendix D.4 shows PKIConf message having protection
.IP \fB\-no_cache_extracerts\fR 4
.IX Item "-no_cache_extracerts"
Do not cache certificates in the extraCerts field of CMP messages received.
-By default, they are kept as they may be helful for validating further messages.
+By default, they are kept as they may be helpful for validating further messages.
This option applies to both CMP clients and the mock server.
+.Sp
+In any case, after successfully validating an incoming message, its protection
+certificate (if any) is cached for reuse with validation of subsequent messages.
+This is done not only for efficiency but also
+to eliminate the need for the sender to include its certificate and related chain
+in the extraCerts field of subsequent messages of the same transaction.
.IP "\fB\-srvcertout\fR \fIfilename\fR" 4
.IX Item "-srvcertout filename"
The file where to save the successfully validated certificate, if any,
-that the CMP server used for signature-based response message protection.
-If there is no such certificate, typically because the protection was MAC-based,
+that the CMP server used for signature\-based response message protection.
+If there is no such certificate, typically because the protection was MAC\-based,
this is indicated by deleting the file (if it existed).
.IP "\fB\-extracertsout\fR \fIfilename\fR" 4
.IX Item "-extracertsout filename"
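Review bot: the new paragraph under \-no_cache_extracerts opens with "In any case", which leaves it unclear whether the option has any effect on caching of the protection certificate. Since a cached certificate is reused to validate later messages, the text should say explicitly that this cache is not disabled by \-no_cache_extracerts and how long it lives. The scope currently appears only in the last clause ("subsequent messages of the same transaction"); moving it into the first sentence would make the trust implication clear. The helful to helpful fix is fine.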
@@ -811,21 +821,21 @@ If on success no such CRL was received, this is indicated by deleting the file.
.IX Item "-ref value"
Reference number/string/value to use as fallback senderKID; this is required
if no sender name can be determined from the \fB\-cert\fR or <\-subject> options and
-is typically used when authenticating with pre-shared key (password-based MAC).
+is typically used when authenticating with pre\-shared key (password\-based MAC).
.IP "\fB\-secret\fR \fIarg\fR" 4
.IX Item "-secret arg"
-Provides the source of a secret value to use with MAC-based message protection.
+Provides the source of a secret value to use with MAC\-based message protection.
This takes precedence over the \fB\-cert\fR and \fB\-key\fR options.
-The secret is used for creating MAC-based protection of outgoing messages
-and for validating incoming messages that have MAC-based protection.
-The algorithm used by default is Password-Based Message Authentication Code (PBM)
-as defined in RFC 4210 section 5.1.3.1.
+The secret is used for creating MAC\-based protection of outgoing messages
+and for validating incoming messages that have MAC\-based protection.
+The algorithm used by default is Password\-Based Message Authentication Code (PBM)
+as defined in RFC 9810 section 5.1.3.1.
.Sp
For more information about the format of \fIarg\fR see
\&\fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-cert\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-cert filename|uri"
-The client's current CMP signer certificate.
+The client\*(Aqs current CMP signer certificate.
Requires the corresponding key to be given with \fB\-key\fR.
.Sp
The subject and the public key contained in this certificate
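Review bot: the \-ref description in this hunk's context still contains "<\-subject>", where the option name should be in bold like \fB\-cert\fR next to it; this looks like broken markup in the pod source. The regeneration carries it through unchanged, so it needs fixing at the source rather than in this generated file.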
@@ -837,23 +847,23 @@ while the subject of \fB\-oldcert\fR or \fB\-subjectName\fR may provide fallback
The issuer of this certificate is used as one of the recipient fallback values
and as fallback issuer entry in the certificate template of IR/CR/KUR messages.
.Sp
-When performing signature-based message protection,
+When performing signature\-based message protection,
this "protection certificate", also called "signer certificate",
will be included first in the extraCerts field of outgoing messages
and the signature is done with the corresponding key.
In Initialization Request (IR) messages this can be used for authenticating
-using an external entity certificate as defined in appendix E.7 of RFC 4210.
+using an external entity certificate as defined in appendix D.7 of RFC 9810.
.Sp
For Key Update Request (KUR) messages this is also used as
the certificate to be updated if the \fB\-oldcert\fR option is not given.
.Sp
If the file includes further certs, they are appended to the untrusted certs
because they typically constitute the chain of the client certificate, which
-is included in the extraCerts field in signature-protected request messages.
+is included in the extraCerts field in signature\-protected request messages.
.IP "\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
.IX Item "-own_trusted filenames|uris"
If this list of certificates is provided then the chain built for
-the client-side CMP signer certificate given with the \fB\-cert\fR option
+the client\-side CMP signer certificate given with the \fB\-cert\fR option
is verified using the given certificates as trust anchors.
.Sp
Multiple sources may be given, separated by commas and/or whitespace
@@ -865,10 +875,10 @@ The certificate verification options
have no effect on the certificate verification enabled via this option.
.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-key filename|uri"
-The corresponding private key file for the client's current certificate given in
+The corresponding private key file for the client\*(Aqs current certificate given in
the \fB\-cert\fR option.
-This will be used for signature-based message protection unless the \fB\-secret\fR
-option indicating MAC-based protection or \fB\-unprotected_requests\fR is given.
+This will be used for signature\-based message protection unless the \fB\-secret\fR
+option indicating MAC\-based protection or \fB\-unprotected_requests\fR is given.
.Sp
It is also used as a fallback for the \fB\-newkey\fR option with IR/CR/KUR messages.
.IP "\fB\-keypass\fR \fIarg\fR" 4
@@ -881,10 +891,10 @@ For more information about the format of \fIarg\fR see
\&\fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-digest\fR \fIname\fR" 4
.IX Item "-digest name"
-Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG
-and as the one-way function (OWF) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
+Specifies name of supported digest to use in RFC 9810\*(Aqs MSG_SIG_ALG
+and as the one\-way function (OWF) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
If applicable, this is used for message protection and
-proof-of-possession (POPO) signatures.
+proof\-of\-possession (POPO) signatures.
To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
Defaults to \f(CW\*(C`sha256\*(C'\fR.
.IP "\fB\-mac\fR \fIname\fR" 4
@@ -893,7 +903,7 @@ Specifies the name of the MAC algorithm in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
To get the names of supported MAC algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR
and possibly combine such a name with the name of a supported digest algorithm,
e.g., hmacWithSHA256.
-Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per RFC 4210.
+Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR, for backward compatibility with RFC 4210.
.IP "\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
.IX Item "-extracerts filenames|uris"
Certificates to append in the extraCerts field when sending messages.
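Review bot: security documentation point on the reworded \-mac default: hmac\-sha1 stays the default and is now justified only as backward compatibility with RFC 4210, with no guidance for new deployments. Add a sentence recommending that users pass \-mac with a SHA-2 based name, such as the hmacWithSHA256 already given as the example two lines above, when the server supports it.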
@@ -904,7 +914,7 @@ Multiple sources may be given, separated by commas and/or whitespace
Each source may contain multiple certificates.
.IP \fB\-unprotected_requests\fR 4
.IX Item "-unprotected_requests"
-Send request messages without CMP-level protection.
+Send request messages without CMP\-level protection.
.SS "Credentials format options"
.IX Subsection "Credentials format options"
.IP "\fB\-certform\fR \fIPEM|DER\fR" 4
@@ -944,7 +954,7 @@ As an alternative to using this combination:
\& \-engine {engineid} \-key {keyid} \-keyform ENGINE
.Ve
.Sp
-\&... it's also possible to just give the key ID in URI form to \fB\-key\fR,
+\&... it\*(Aqs also possible to just give the key ID in URI form to \fB\-key\fR,
like this:
.Sp
.Vb 1
@@ -975,25 +985,25 @@ See "Random State Options" in \fBopenssl\fR\|(1) for details.
.IX Subsection "TLS connection options"
.IP \fB\-tls_used\fR 4
.IX Item "-tls_used"
-Make the CMP client use TLS (regardless if other TLS-related options are set)
+Make the CMP client use TLS (regardless if other TLS\-related options are set)
for message exchange with the server via HTTP.
This option is not supported with the \fI\-port\fR option.
It is implied if the \fB\-server\fR option is given with the scheme \f(CW\*(C`https\*(C'\fR.
It is ignored if the \fB\-server\fR option is not given or \fB\-use_mock_srv\fR is given
or \fB\-rspin\fR is given with enough filename arguments.
.Sp
-The following TLS-related options are ignored if TLS is not used.
+The following TLS\-related options are ignored if TLS is not used.
.IP "\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-tls_cert filename|uri"
-Client's TLS certificate to use for authenticating to the TLS server.
+Client\*(Aqs TLS certificate to use for authenticating to the TLS server.
If the source includes further certs they are used (along with \fB\-untrusted\fR
certs) for constructing the client cert chain provided to the TLS server.
.IP "\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-tls_key filename|uri"
-Private key for the client's TLS certificate.
+Private key for the client\*(Aqs TLS certificate.
.IP "\fB\-tls_keypass\fR \fIarg\fR" 4
.IX Item "-tls_keypass arg"
-Pass phrase source for client's private TLS key \fB\-tls_key\fR.
+Pass phrase source for client\*(Aqs private TLS key \fB\-tls_key\fR.
Also used for \fB\-tls_cert\fR in case it is an encrypted PKCS#12 file.
If not given here, the password will be prompted for if needed.
.Sp
@@ -1019,7 +1029,7 @@ have no effect on the certificate verification enabled via this option.
Address to be checked during hostname validation.
This may be a DNS name or an IP address.
If not given it defaults to the \fB\-server\fR address.
-.SS "Client-side options for debugging and offline scenarios"
+.SS "Client\-side options for debugging and offline scenarios"
.IX Subsection "Client-side options for debugging and offline scenarios"
.IP \fB\-batch\fR 4
.IX Item "-batch"
@@ -1067,7 +1077,7 @@ in the sequence of requests produced internally.
.Sp
The client needs to update the recipNonce field in the given requests (except
for the first one) in order to satisfy the checks to be performed by the server.
-This causes re-protection (if protecting requests is required).
+This causes re\-protection (if protecting requests is required).
.IP \fB\-reqin_new_tid\fR 4
.IX Item "-reqin_new_tid"
Use a fresh transactionID for CMP request messages read using \fB\-reqin\fR,
@@ -1088,6 +1098,7 @@ If the transaction contains more requests, the remaining ones are not saved.
.IX Item "-reqout_only filename"
Save the first CMP requests created by the client to the given file and exit.
Any options related to CMP servers and their responses are ignored.
+This option does not combine with the \fB\-port\fR option.
.Sp
This option is useful for supporting offline scenarios where the certificate
request (or any other CMP request) is produced beforehand and sent out later.
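Review bot: The added -reqout_only sentence says the option "does not combine with" -port, while this page words the same kind of restriction elsewhere as "is not supported with the -port option" (-tls_used) or "excludes" (-use_mock_srv, -port). Suggest reusing one of those phrasings and stating whether the combination is rejected with an error or silently ignored, since the preceding line says server-related options "are ignored".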
@@ -1115,31 +1126,31 @@ contained in the transaction and filenames have been provided.
If the transaction contains more responses, the remaining ones are not saved.
.IP \fB\-use_mock_srv\fR 4
.IX Item "-use_mock_srv"
-Test the client using the internal CMP server mock-up at API level,
-bypassing socket-based transfer via HTTP.
+Test the client using the internal CMP server mock\-up at API level,
+bypassing socket\-based transfer via HTTP.
This excludes the \fB\-server\fR and \fB\-port\fR options.
.SS "Mock server options"
.IX Subsection "Mock server options"
.IP "\fB\-port\fR \fInumber\fR" 4
.IX Item "-port number"
-Act as HTTP-based CMP server mock-up listening on the given local port.
+Act as HTTP\-based CMP server mock\-up listening on the given local port.
The client may address the server via, e.g., \f(CW127.0.0.1\fR or \f(CW\*(C`[::1]\*(C'\fR.
This option excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
The \fB\-rspin\fR, \fB\-rspout\fR, \fB\-reqin\fR, and \fB\-reqout\fR options
so far are not supported in this mode.
.IP "\fB\-max_msgs\fR \fInumber\fR" 4
.IX Item "-max_msgs number"
-Maximum number of CMP (request) messages the CMP HTTP server mock-up
+Maximum number of CMP (request) messages the CMP HTTP server mock\-up
should handle, which must be nonnegative.
The default value is 0, which means that no limit is imposed.
In any case the server terminates on internal errors, but not when it
-detects a CMP-level error that it can successfully answer with an error message.
+detects a CMP\-level error that it can successfully answer with an error message.
.IP "\fB\-srv_ref\fR \fIvalue\fR" 4
.IX Item "-srv_ref value"
Reference value to use as senderKID of server in case no \fB\-srv_cert\fR is given.
.IP "\fB\-srv_secret\fR \fIarg\fR" 4
.IX Item "-srv_secret arg"
-Password source for server authentication with a pre-shared key (secret).
+Password source for server authentication with a pre\-shared key (secret).
.IP "\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-srv_cert filename|uri"
Certificate of the server.
@@ -1218,12 +1229,12 @@ Text to be included as status string in server response.
Force server to reply with error message.
.IP \fB\-send_unprotected\fR 4
.IX Item "-send_unprotected"
-Send response messages without CMP-level protection.
+Send response messages without CMP\-level protection.
.IP \fB\-send_unprot_err\fR 4
.IX Item "-send_unprot_err"
In case of negative responses, server shall send unprotected error messages,
certificate responses (IP/CP/KUP), and revocation responses (RP).
-WARNING: This setting leads to behavior violating RFC 4210.
+WARNING: This setting leads to behavior violating RFC 9810.
.IP \fB\-accept_unprotected\fR 4
.IX Item "-accept_unprotected"
Accept missing or invalid protection of requests.
@@ -1233,7 +1244,7 @@ Accept unprotected error messages from client.
So far this has no effect because the server does not accept any error messages.
.IP \fB\-accept_raverified\fR 4
.IX Item "-accept_raverified"
-Accept RAVERIFED as proof of possession (POPO).
+Accept RAVERIFIED as proof of possession (POPO).
.SS "Certificate verification options, for both CMP and TLS"
.IX Subsection "Certificate verification options, for both CMP and TLS"
.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
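Review bot: Next to the RAVERIFIED spelling fix, the .IP line that closes this hunk separates the verification options with commas except for the last two: "-x509_strict -issuer_checks". Suggest adding the missing comma in the POD source so the list renders consistently.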
@@ -1251,9 +1262,9 @@ trust, for instance via the \f(CW\*(C`caPubs\*(C'\fR field of a certificate resp
or using general messages with infoType \f(CW\*(C`caCerts\*(C'\fR or \f(CW\*(C`rootCaCert\*(C'\fR,
authentication of the CMP server is particularly critical.
So special care must be taken setting up server authentication
-using \fB\-trusted\fR and related options for certificate-based authentication
-or \fB\-secret\fR for MAC-based protection.
-If authentication is certificate-based, the \fB\-srvcertout\fR option
+using \fB\-trusted\fR and related options for certificate\-based authentication
+or \fB\-secret\fR for MAC\-based protection.
+If authentication is certificate\-based, the \fB\-srvcertout\fR option
should be used to obtain the validated server certificate
and perform an authorization check based on it.
.PP
@@ -1300,16 +1311,16 @@ It can be viewed using, e.g.,
.PP
In case the network setup requires using an HTTP proxy it may be given as usual
via the environment variable \fBhttp_proxy\fR or via the \fB\-proxy\fR option in the
-configuration file or the CMP command-line argument \fB\-proxy\fR, for example
+configuration file or the CMP command\-line argument \fB\-proxy\fR, for example
.PP
.Vb 1
\& \-proxy http://192.168.1.1:8080
.Ve
.PP
-In the Insta Demo CA scenario both clients and the server may use the pre-shared
+In the Insta Demo CA scenario both clients and the server may use the pre\-shared
secret \fIinsta\fR and the reference value \fI3078\fR to authenticate to each other.
.PP
-Alternatively, CMP messages may be protected in signature-based manner,
+Alternatively, CMP messages may be protected in signature\-based manner,
where the trust anchor in this case is \fIinsta.ca.crt\fR
and the client may use any certificate already obtained from that CA,
as specified in the \fB[signature]\fR section of the example configuration.
@@ -1338,8 +1349,8 @@ In order to update the enrolled certificate one may call
\& openssl cmp \-section insta,kur,signature
.Ve
.PP
-using signature-based protection with the certificate that is to be updated.
-For certificate updates, MAC-based protection should generally not be used.
+using signature\-based protection with the certificate that is to be updated.
+For certificate updates, MAC\-based protection should generally not be used.
.PP
In a similar way any previously enrolled certificate may be revoked by
.PP
@@ -1370,7 +1381,7 @@ and accepts requests under the alias \fI/pkix/\fR.
.PP
For enrolling its very first certificate the client generates a client key
and sends an initial request message to the local CMP server
-using a pre-shared secret key for mutual authentication.
+using a pre\-shared secret key for mutual authentication.
In this example the client does not have the CA certificate yet,
so we specify the name of the CA with the \fB\-recipient\fR option
and save any CA certificates that we may receive in the \f(CW\*(C`capubs.pem\*(C'\fR file.
@@ -1415,7 +1426,7 @@ This prints information about all received ITAV \fBinfoType\fRs to stdout.
.SS "Using a custom configuration file"
.IX Subsection "Using a custom configuration file"
For CMP client invocations, in particular for certificate enrollment,
-usually many parameters need to be set, which is tedious and error-prone to do
+usually many parameters need to be set, which is tedious and error\-prone to do
on the command line.
Therefore, the client offers the possibility to read
options from sections of the OpenSSL config file, usually called \fIopenssl.cnf\fR.
@@ -1482,7 +1493,7 @@ and \fB\-rsp_crl\fR options were added in OpenSSL 3.4.
\&\fB\-rsp_keypass\fR were added in OpenSSL 3.5.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-cms.1 b/secure/usr.bin/openssl/man/openssl-cms.1
index 49060bb4ffe5..598220425c2d 100644
--- a/secure/usr.bin/openssl/man/openssl-cms.1
+++ b/secure/usr.bin/openssl/man/openssl-cms.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CMS 1ossl"
-.TH OPENSSL-CMS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CMS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -126,7 +129,7 @@ Encryption options:
.PP
[\fB\-originator\fR \fIfile\fR]
[\fB\-recip\fR \fIfile\fR]
-[\fIrecipient-cert\fR ...]
+[\fIrecipient\-cert\fR ...]
[\fB\-\fR\f(BIcipher\fR]
[\fB\-wrap\fR \fIcipher\fR]
[\fB\-aes128\-wrap\fR]
@@ -294,7 +297,7 @@ computing it from the original message content. Cannot be combined with \fB\-in\
or \fB\-nodetach\fR.
.Sp
This operation is the CMS equivalent of \fBopenssl\-pkeyutl\fR\|(1) signing.
-When signing a pre-computed digest, the security relies on the digest and its
+When signing a pre\-computed digest, the security relies on the digest and its
computation from the original message being trusted.
.IP \fB\-digest_create\fR 4
.IX Item "-digest_create"
@@ -410,7 +413,7 @@ see \fBopenssl\-passphrase\-options\fR\|(1).
.IX Item "-keyopt name:parameter"
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
-currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
+currently be used to set RSA\-PSS for signing, RSA\-OAEP for encryption
or to modify default parameters for ECDH.
.IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
@@ -448,11 +451,11 @@ The certificate must match one of the recipients of the message.
.Sp
When encrypting a message this option may be used multiple times to specify
each recipient. This form \fBmust\fR be used if customised parameters are
-required (for example to specify RSA-OAEP).
+required (for example to specify RSA\-OAEP).
.Sp
-Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
+Only certificates carrying RSA, Diffie\-Hellman or EC keys are supported by this
option.
-.IP "\fIrecipient-cert\fR ..." 4
+.IP "\fIrecipient\-cert\fR ..." 4
.IX Item "recipient-cert ..."
This is an alternative to using the \fB\-recip\fR option when encrypting a message.
One or more certificate filenames may be given.
@@ -468,7 +471,7 @@ Currently, the AES variants with GCM mode are the only supported AEAD
algorithms.
.Sp
If not specified, AES\-256\-CBC is used as the default. Only used with \fB\-encrypt\fR and
-\&\fB\-EncryptedData_create\fR commands.
+\&\fB\-EncryptedData_encrypt\fR commands.
.IP "\fB\-wrap\fR \fIcipher\fR" 4
.IX Item "-wrap cipher"
Cipher algorithm to use for key wrap when encrypting the message using Key
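Review bot: The corrected sentence keeps AES-256-CBC as the stated default directly after the paragraph saying the AES GCM variants are the only supported AEAD algorithms, without saying that the default is not one of them. Suggest adding a clause to that effect so readers who need authenticated encryption know they must select a GCM cipher explicitly. "Only used with -encrypt and -EncryptedData_encrypt commands." is also a sentence fragment and could be joined to the sentence before it.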
@@ -487,7 +490,7 @@ with caution: see the notes section below.
.IP "\fB\-md\fR \fIdigest\fR" 4
.IX Item "-md digest"
Digest algorithm to use when signing or resigning. If not present then the
-default digest algorithm for the signing key will be used (usually SHA1).
+default digest algorithm for the signing key will be used (usually SHA\-256).
.IP "\fB\-signer\fR \fIfile\fR" 4
.IX Item "-signer file"
A signing certificate. When signing or resigning a message, this option can be
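Review bot: The corrected -md text says the default digest is "usually SHA-256", which still leaves the reader unable to tell when it is not. Suggest naming what decides it (the default digest for the signing key type) with a pointer to where that is documented, or advising readers to pass -md explicitly when a specific digest is required.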
@@ -502,9 +505,9 @@ The input can be in PEM, DER, or PKCS#12 format.
.IP \fB\-cades\fR 4
.IX Item "-cades"
When used with \fB\-sign\fR,
-add an ESS signingCertificate or ESS signingCertificateV2 signed-attribute
+add an ESS signingCertificate or ESS signingCertificateV2 signed\-attribute
to the SignerInfo, in order to make the signature comply with the requirements
-for a CAdES Basic Electronic Signature (CAdES-BES).
+for a CAdES Basic Electronic Signature (CAdES\-BES).
.IP \fB\-nodetach\fR 4
.IX Item "-nodetach"
When signing a message use opaque signing: this form is more resistant
@@ -513,7 +516,7 @@ do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
.IP \fB\-nocerts\fR 4
.IX Item "-nocerts"
-When signing a message the signer's certificate is normally included
+When signing a message the signer\*(Aqs certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the \fB\-certfile\fR option for example).
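Review bot: The -nocerts sentence touched here is a run-on: "the signer's certificate is normally included with this option it is excluded" needs a break after "included". The context line below it also still reads "signers certificate" without the apostrophe that the changed line above carries. Both are worth fixing in the POD source.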
@@ -564,7 +567,7 @@ Do not verify signed content signatures.
Do not verify signed attribute signatures.
.IP \fB\-nosigs\fR 4
.IX Item "-nosigs"
-Don't verify message signature.
+Don\*(Aqt verify message signature.
.IP \fB\-noverify\fR 4
.IX Item "-noverify"
Do not verify the signers certificate of a signed message.
@@ -609,7 +612,7 @@ Any certificates contained in the input message are written to \fIfile\fR.
.IX Item "-to, -from, -subject"
The relevant email headers. These are included outside the signed
portion of a message so they may be included manually. If signing
-then many S/MIME mail clients check the signers certificate's email
+then many S/MIME mail clients check the signers certificate\*(Aqs email
address matches that specified in the From: address.
.SS "Printing options"
.IX Subsection "Printing options"
@@ -647,7 +650,7 @@ a blank line. Piping the mail directly to sendmail is one way to
achieve the correct format.
.PP
The supplied message to be signed or encrypted must include the
-necessary MIME headers or many S/MIME clients won't display it
+necessary MIME headers or many S/MIME clients won\*(Aqt display it
properly (if at all). You can use the \fB\-text\fR option to automatically
add plain text headers.
.PP
@@ -680,22 +683,22 @@ remains DER.
If the \fB\-decrypt\fR option is used without a recipient certificate then an
attempt is made to locate the recipient by trying each potential recipient
in turn using the supplied private key. To thwart the MMA attack
-(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
+(Bleichenbacher\*(Aqs attack on PKCS #1 v1.5 RSA padding) all recipients are
tried whether they succeed or not and if no recipients match the message
is "decrypted" using a random key which will typically output garbage.
The \fB\-debug_decrypt\fR option can be used to disable the MMA attack protection
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see \fBCMS_decrypt\fR\|(3)).
-.SH "CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)"
+.SH "CADES BASIC ELECTRONIC SIGNATURE (CADES\-BES)"
.IX Header "CADES BASIC ELECTRONIC SIGNATURE (CADES-BES)"
-A CAdES Basic Electronic Signature (CAdES-BES),
+A CAdES Basic Electronic Signature (CAdES\-BES),
as defined in the European Standard ETSI EN 319 122\-1 V1.1.1, contains:
.IP \(bu 4
The signed user data as defined in CMS (RFC 3852);
.IP \(bu 4
-Content-type of the EncapsulatedContentInfo value being signed;
+Content\-type of the EncapsulatedContentInfo value being signed;
.IP \(bu 4
-Message-digest of the eContent OCTET STRING within encapContentInfo being signed;
+Message\-digest of the eContent OCTET STRING within encapContentInfo being signed;
.IP \(bu 4
An ESS signingCertificate or ESS signingCertificateV2 attribute,
as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035.
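Review bot: In the -decrypt note, the last context sentence of the MMA paragraph ends with an unbalanced parenthesis: "For a fuller description see CMS_decrypt(3))." Suggest dropping the extra ")" in the POD source while this paragraph is being touched.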
@@ -746,9 +749,9 @@ The \fB\-secretkey\fR option when used with \fB\-encrypt\fR.
.PP
The use of PSS with \fB\-sign\fR.
.PP
-The use of OAEP or non-RSA keys with \fB\-encrypt\fR.
+The use of OAEP or non\-RSA keys with \fB\-encrypt\fR.
.PP
-Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot
+Additionally the \fB\-EncryptedData_encrypt\fR and \fB\-data_create\fR type cannot
be processed by the older \fBopenssl\-smime\fR\|(1) command.
.SH EXAMPLES
.IX Header "EXAMPLES"
@@ -789,7 +792,7 @@ Send a signed message under Unix directly to sendmail, including headers:
\& \-subject "Signed message" | sendmail someone@somewhere
.Ve
.PP
-Verify a message and extract the signer's certificate if successful:
+Verify a message and extract the signer\*(Aqs certificate if successful:
.PP
.Vb 1
\& openssl cms \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
@@ -855,14 +858,14 @@ Add a signer to an existing message:
\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
.PP
-Sign a message using RSA-PSS:
+Sign a message using RSA\-PSS:
.PP
.Vb 2
\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss
.Ve
.PP
-Create an encrypted message using RSA-OAEP:
+Create an encrypted message using RSA\-OAEP:
.PP
.Vb 2
\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
@@ -876,15 +879,17 @@ Use SHA256 KDF with an ECDH certificate:
\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256
.Ve
.PP
-Print CMS signed binary data in human-readable form:
+Print CMS signed binary data in human\-readable form:
.PP
-openssl cms \-in signed.cms \-binary \-inform DER \-cmsout \-print
+.Vb 1
+\& openssl cms \-in signed.cms \-binary \-inform DER \-cmsout \-print
+.Ve
.SH BUGS
.IX Header "BUGS"
-The MIME parser isn't very clever: it seems to handle most messages that I've
+The MIME parser isn\*(Aqt very clever: it seems to handle most messages that I\*(Aqve
thrown at it but it may choke on others.
.PP
-The code currently will only write out the signer's certificate to a file: if
+The code currently will only write out the signer\*(Aqs certificate to a file: if
the signer has a separate encryption certificate this must be manually
extracted. There should be some heuristic that determines the correct
encryption certificate.
@@ -892,12 +897,12 @@ encryption certificate.
Ideally a database should be maintained of a certificates for each email
address.
.PP
-The code doesn't currently take note of the permitted symmetric encryption
+The code doesn\*(Aqt currently take note of the permitted symmetric encryption
algorithms as supplied in the SMIMECapabilities signed attribute. this means the
user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
.PP
-No revocation checking is done on the signer's certificate.
+No revocation checking is done on the signer\*(Aqs certificate.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\-file\fR\|(7)
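Review bot: The BUGS context around these apostrophe changes has two slips that survive the regeneration: "a database should be maintained of a certificates for each email address" (stray "a" before "certificates") and "signed attribute. this means" (lower-case sentence start). Suggest fixing both in the POD source.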
@@ -910,9 +915,9 @@ added in OpenSSL 1.0.0.
.PP
The \fB\-keyopt\fR option was added in OpenSSL 1.0.2.
.PP
-Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
+Support for RSA\-OAEP and RSA\-PSS was added in OpenSSL 1.0.2.
.PP
-The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR
+The use of non\-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR
was added in OpenSSL 1.0.2.
.PP
The \-no_alt_chains option was added in OpenSSL 1.0.2b.
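Review bot: In HISTORY, the context line "The -no_alt_chains option was added in OpenSSL 1.0.2b." is the only option name in this hunk without bold markup; the neighbouring entries (-keyopt, -encrypt, -decrypt) all use it. Suggest marking it up the same way in the POD source.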
@@ -924,7 +929,7 @@ The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
The \fB\-digest\fR option was added in OpenSSL 3.2.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2025 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-crl.1 b/secure/usr.bin/openssl/man/openssl-crl.1
index 5ab4ef9fe050..e50565954e35 100644
--- a/secure/usr.bin/openssl/man/openssl-crl.1
+++ b/secure/usr.bin/openssl/man/openssl-crl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CRL 1ossl"
-.TH OPENSSL-CRL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CRL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -151,7 +154,7 @@ This option is implicitly enabled if any of \fB\-CApath\fR, \fB\-CAfile\fR
or \fB\-CAstore\fR is specified.
.IP \fB\-noout\fR 4
.IX Item "-noout"
-Don't output the encoded version of the CRL.
+Don\*(Aqt output the encoded version of the CRL.
.IP \fB\-fingerprint\fR 4
.IX Item "-fingerprint"
Output the fingerprint of the CRL.
diff --git a/secure/usr.bin/openssl/man/openssl-crl2pkcs7.1 b/secure/usr.bin/openssl/man/openssl-crl2pkcs7.1
index 3a257ce88e29..ea51beca6671 100644
--- a/secure/usr.bin/openssl/man/openssl-crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/openssl-crl2pkcs7.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-CRL2PKCS7 1ossl"
-.TH OPENSSL-CRL2PKCS7 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-CRL2PKCS7 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-dgst.1 b/secure/usr.bin/openssl/man/openssl-dgst.1
index 0f9ecd943b29..43dfde8d8805 100644
--- a/secure/usr.bin/openssl/man/openssl-dgst.1
+++ b/secure/usr.bin/openssl/man/openssl-dgst.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-DGST 1ossl"
-.TH OPENSSL-DGST 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-DGST 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -105,7 +108,7 @@ signatures using message digests.
The generic name, \fBopenssl dgst\fR, may be used with an option specifying the
algorithm to be used.
The default digest is \fBsha256\fR.
-A supported \fIdigest\fR name may also be used as the sub-command name.
+A supported \fIdigest\fR name may also be used as the sub\-command name.
To see the list of supported algorithms, use \f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR
.SH OPTIONS
.IX Header "OPTIONS"
@@ -162,7 +165,7 @@ Filename to output to, or standard output by default.
.IX Item "-sign filename|uri"
Digitally sign the digest using the given private key.
.Sp
-Note that for algorithms that only support one-shot signing
+Note that for algorithms that only support one\-shot signing
(such as Ed25519, ED448, ML\-DSA\-44, ML\-DSA\-65 andML\-DSA\-87) the digest must not
be set. For these algorithms the input is buffered (and not digested) before
signing. For these algorithms, if the input is larger than 16MB an error
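Review bot: The -sign note in this hunk's context has a missing space in "ML-DSA-65 andML-DSA-87" and mixes casing in "Ed25519, ED448". Suggest "Ed25519, Ed448, ML-DSA-44, ML-DSA-65 and ML-DSA-87" in the POD source.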
@@ -174,7 +177,7 @@ See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
-Names and values of these options are algorithm-specific and documented
+Names and values of these options are algorithm\-specific and documented
in "Signature parameters" in \fBprovider\-signature\fR\|(7).
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
@@ -199,8 +202,8 @@ option.
.IP "\fB\-mac\fR \fIalg\fR" 4
.IX Item "-mac alg"
Create MAC (keyed Message Authentication Code). The most popular MAC
-algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
-which are not based on hash, for instance \fBgost-mac\fR algorithm,
+algorithm is HMAC (hash\-based MAC), but there are other MAC algorithms
+which are not based on hash, for instance \fBgost\-mac\fR algorithm,
supported by the \fBgost\fR engine. MAC keys and other options should be set
via \fB\-macopt\fR parameter.
.Sp
@@ -209,18 +212,18 @@ option.
.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-macopt nm:v"
Passes options to MAC algorithm, specified by \fB\-mac\fR key.
-Following options are supported by both by \fBHMAC\fR and \fBgost-mac\fR:
+Following options are supported by both by \fBHMAC\fR and \fBgost\-mac\fR:
.RS 4
.IP \fBkey\fR:\fIstring\fR 4
.IX Item "key:string"
Specifies MAC key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
-the MAC algorithm for example exactly 32 chars for gost-mac.
+the MAC algorithm for example exactly 32 chars for gost\-mac.
.IP \fBhexkey\fR:\fIstring\fR 4
.IX Item "hexkey:string"
Specifies MAC key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the MAC algorithm
-for example exactly 32 chars for gost-mac.
+for example exactly 32 chars for gost\-mac.
.RE
.RS 4
.Sp
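Review bot: Both key:string and hexkey:string give "exactly 32 chars for gost-mac" as the example, but hexkey is described as two hex digits per byte, so the same character count cannot describe the same key length in both forms. Suggest stating the key length in bytes and the resulting character count for each form. The lead-in also has a doubled word: "supported by both by HMAC and gost-mac".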
@@ -229,7 +232,7 @@ option.
.RE
.IP \fB\-fips\-fingerprint\fR 4
.IX Item "-fips-fingerprint"
-Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
+Compute HMAC using a specific key for certain OpenSSL\-FIPS operations.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See "Random State Options" in \fBopenssl\fR\|(1) for details.
@@ -261,7 +264,7 @@ File or files to digest. If no files are specified then standard input is
used.
.SH EXAMPLES
.IX Header "EXAMPLES"
-To create a hex-encoded message digest of a file:
+To create a hex\-encoded message digest of a file:
.PP
.Vb 3
\& openssl dgst \-md5 \-hex file.txt
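Review bot: The first command in EXAMPLES still uses -md5 ("openssl dgst -md5 -hex file.txt"), although this page states that the default digest is sha256 and that the default was changed from MD5 in OpenSSL 1.1.0. Suggest leading with a sha256 example so that the command readers copy first does not select MD5.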
@@ -295,7 +298,7 @@ particularly SHA\-1 and MD5, are still widely used for interoperating
with existing formats and protocols.
.PP
When signing a file, this command will automatically determine the algorithm
-(RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.
+(RSA, ECC, etc) to use for signing based on the private key\*(Aqs ASN.1 info.
When verifying signatures, it only handles the RSA, DSA, or ECDSA signature
itself, not the related data to identify the signer and algorithm used in
formats such as x.509, CMS, and S/MIME.
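Review bot: In the notes on signing, "x.509" should be "X.509". The statement that verification "only handles the RSA, DSA, or ECDSA signature itself" also reads as an exhaustive list, while the -sign text on this page names Ed25519 and the ML-DSA variants as one-shot signing algorithms. Suggest rewording so the list is not taken as the full set of supported signature types.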
@@ -318,7 +321,7 @@ The \fBopenssl\-mac\fR\|(1) command is preferred over the \fB\-hmac\fR, \fB\-mac
.SH HISTORY
.IX Header "HISTORY"
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
-The FIPS-related options were removed in OpenSSL 1.1.0.
+The FIPS\-related options were removed in OpenSSL 1.1.0.
.PP
The \fB\-engine\fR and \fB\-engine_impl\fR options were deprecated in OpenSSL 3.0.
.SH COPYRIGHT
diff --git a/secure/usr.bin/openssl/man/openssl-dhparam.1 b/secure/usr.bin/openssl/man/openssl-dhparam.1
index 42e39ce90665..18b2e6f3929a 100644
--- a/secure/usr.bin/openssl/man/openssl-dhparam.1
+++ b/secure/usr.bin/openssl/man/openssl-dhparam.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-DHPARAM 1ossl"
-.TH OPENSSL-DHPARAM 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-DHPARAM 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
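Review bot: the added ".if n .ds AD l" leaves the older ".if n .ad l" in place a few lines further down, so the preamble now carries two nroff-only requests for the same purpose, and the new comment ("Required to disable full justification in groff 1.23.0") does not say why the older one stays. This is Pod::Man output, so there is nothing to hand-edit here; the same three added lines and the .TH bump to "2026-04-07 3.5.6" recur in every file below and can be skimmed once this first instance is checked.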
@@ -122,8 +125,8 @@ they are converted to DH format. Otherwise, safe primes (such
that (p\-1)/2 is also prime) will be used for DH parameter generation.
.Sp
DH parameter generation with the \fB\-dsaparam\fR option is much faster.
-Beware that with such DSA-style DH parameters, a fresh DH key should be
-created for each use to avoid small-subgroup attacks that may be possible
+Beware that with such DSA\-style DH parameters, a fresh DH key should be
+created for each use to avoid small\-subgroup attacks that may be possible
otherwise.
.IP \fB\-check\fR 4
.IX Item "-check"
diff --git a/secure/usr.bin/openssl/man/openssl-dsa.1 b/secure/usr.bin/openssl/man/openssl-dsa.1
index 0d054d62471c..23c35b0eafbc 100644
--- a/secure/usr.bin/openssl/man/openssl-dsa.1
+++ b/secure/usr.bin/openssl/man/openssl-dsa.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-DSA 1ossl"
-.TH OPENSSL-DSA 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-DSA 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -168,13 +171,13 @@ key will be output instead. This option is automatically set if the input is
a public key.
.IP \fB\-pvk\-strong\fR 4
.IX Item "-pvk-strong"
-Enable 'Strong' PVK encoding level (default).
+Enable \*(AqStrong\*(Aq PVK encoding level (default).
.IP \fB\-pvk\-weak\fR 4
.IX Item "-pvk-weak"
-Enable 'Weak' PVK encoding level.
+Enable \*(AqWeak\*(Aq PVK encoding level.
.IP \fB\-pvk\-none\fR 4
.IX Item "-pvk-none"
-Don't enforce PVK encoding.
+Don\*(Aqt enforce PVK encoding.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See "Engine Options" in \fBopenssl\fR\|(1).
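Review bot: the three -pvk-* entries in this hunk change only their quoting and still do not say what a "Strong" or "Weak" PVK encoding level means for how the output key is protected, or what is written when the level is not enforced. A short clause per option in the POD source would let a reader choose between them from the man page alone.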
diff --git a/secure/usr.bin/openssl/man/openssl-dsaparam.1 b/secure/usr.bin/openssl/man/openssl-dsaparam.1
index 04ba2e78cbe7..2338bbda6b72 100644
--- a/secure/usr.bin/openssl/man/openssl-dsaparam.1
+++ b/secure/usr.bin/openssl/man/openssl-dsaparam.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-DSAPARAM 1ossl"
-.TH OPENSSL-DSAPARAM 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-DSAPARAM 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -105,7 +108,7 @@ The DSA parameters output format; the default is \fBPEM\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
Parameters are a sequence of \fBASN.1 INTEGER\fRs: \fBp\fR, \fBq\fR, and \fBg\fR.
-This is compatible with RFC 2459 \fBDSS-Parms\fR structure.
+This is compatible with RFC 2459 \fBDSS\-Parms\fR structure.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input file to read parameters from or standard input if
diff --git a/secure/usr.bin/openssl/man/openssl-ec.1 b/secure/usr.bin/openssl/man/openssl-ec.1
index acbd296760a5..59bdb2e2b825 100644
--- a/secure/usr.bin/openssl/man/openssl-ec.1
+++ b/secure/usr.bin/openssl/man/openssl-ec.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-EC 1ossl"
-.TH OPENSSL-EC 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-EC 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -93,7 +96,7 @@ openssl\-ec \- EC key processing
.IX Header "DESCRIPTION"
The \fBopenssl\-ec\fR\|(1) command processes EC keys. They can be converted between
various forms and their components printed out. \fBNote\fR OpenSSL uses the
-private key format specified in 'SEC 1: Elliptic Curve Cryptography'
+private key format specified in \*(AqSEC 1: Elliptic Curve Cryptography\*(Aq
(http://www.secg.org/). To convert an OpenSSL EC private key into the
PKCS#8 private key format use the \fBopenssl\-pkcs8\fR\|(1) command.
.SH OPTIONS
diff --git a/secure/usr.bin/openssl/man/openssl-ecparam.1 b/secure/usr.bin/openssl/man/openssl-ecparam.1
index f1d567668715..dd560144eafe 100644
--- a/secure/usr.bin/openssl/man/openssl-ecparam.1
+++ b/secure/usr.bin/openssl/man/openssl-ecparam.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-ECPARAM 1ossl"
-.TH OPENSSL-ECPARAM 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-ECPARAM 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -131,10 +134,10 @@ Validate the elliptic curve parameters.
.IP \fB\-check_named\fR 4
.IX Item "-check_named"
Validate the elliptic name curve parameters by checking if the curve parameters
-match any built-in curves.
+match any built\-in curves.
.IP "\fB\-name\fR \fIarg\fR" 4
.IX Item "-name arg"
-Use the EC parameters with the specified 'short' name. Use \fB\-list_curves\fR
+Use the EC parameters with the specified \*(Aqshort\*(Aq name. Use \fB\-list_curves\fR
to get a list of all currently implemented EC parameters.
.IP \fB\-list_curves\fR 4
.IX Item "-list_curves"
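Review bot: in the -check_named entry the unchanged sentence reads "Validate the elliptic name curve parameters", where the words look transposed ("named elliptic curve"); the regenerated page carries the wording over as it was. The file header says it is generated by Pod::Man, so the fix belongs in the POD source rather than in this file.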
@@ -159,7 +162,7 @@ EC parameters structures). The default value is \fBnamed_curve\fR.
is currently not implemented in OpenSSL.
.IP \fB\-no_seed\fR 4
.IX Item "-no_seed"
-This option inhibits that the 'seed' for the parameter generation
+This option inhibits that the \*(Aqseed\*(Aq for the parameter generation
is included in the ECParameters structure (see RFC 3279).
.IP \fB\-genkey\fR 4
.IX Item "-genkey"
@@ -191,7 +194,7 @@ other public key types.
The documentation for the \fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1)
commands contains examples equivalent to the ones listed here.
.PP
-To create EC parameters with the group 'prime192v1':
+To create EC parameters with the group \*(Aqprime192v1\*(Aq:
.PP
.Vb 1
\& openssl ecparam \-out ec_param.pem \-name prime192v1
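Review bot: the example under "To create EC parameters with the group" still names prime192v1, a 192-bit group, and the next example in this file reuses it with -genkey to create a private key. Readers copy these lines, so the POD source would be better served by a larger named curve such as prime256v1; the quoting change itself is fine.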
@@ -215,7 +218,7 @@ To create EC parameters and a private key:
\& openssl ecparam \-out ec_key.pem \-name prime192v1 \-genkey
.Ve
.PP
-To change the point encoding to 'compressed':
+To change the point encoding to \*(Aqcompressed\*(Aq:
.PP
.Vb 1
\& openssl ecparam \-in ec_in.pem \-out ec_out.pem \-conv_form compressed
diff --git a/secure/usr.bin/openssl/man/openssl-enc.1 b/secure/usr.bin/openssl/man/openssl-enc.1
index 6886aa036fee..9b30dc2bb5b4 100644
--- a/secure/usr.bin/openssl/man/openssl-enc.1
+++ b/secure/usr.bin/openssl/man/openssl-enc.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-ENC 1ossl"
-.TH OPENSSL-ENC 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-ENC 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -176,7 +179,7 @@ The default algorithm is sha\-256.
.IP "\fB\-iter\fR \fIcount\fR" 4
.IX Item "-iter count"
Use a given number of iterations on the password in deriving the encryption key.
-High values increase the time required to brute-force the resulting file.
+High values increase the time required to brute\-force the resulting file.
This option enables the use of PBKDF2 algorithm to derive the key.
.IP \fB\-pbkdf2\fR 4
.IX Item "-pbkdf2"
@@ -192,7 +195,7 @@ and a fixed salt length of 8 is used. The salt length used when
encrypting must also be used when decrypting.
.IP \fB\-nosalt\fR 4
.IX Item "-nosalt"
-Don't use a salt in the key derivation routines. This option \fBSHOULD NOT\fR be
+Don\*(Aqt use a salt in the key derivation routines. This option \fBSHOULD NOT\fR be
used except for test purposes or compatibility with ancient versions of
OpenSSL.
.IP \fB\-salt\fR 4
@@ -224,7 +227,7 @@ one of the other options, the IV is generated from this password.
Print out the key and IV used.
.IP \fB\-P\fR 4
.IX Item "-P"
-Print out the key and IV used then immediately exit: don't do any encryption
+Print out the key and IV used then immediately exit: don\*(Aqt do any encryption
or decryption.
.IP "\fB\-bufsize\fR \fInumber\fR[\fBk\fR]" 4
.IX Item "-bufsize number[k]"
@@ -245,7 +248,7 @@ Debug the BIOs used for I/O.
.IX Item "-z"
Compress or decompress encrypted data using zlib after encryption or before
decryption. This option exists only if OpenSSL was compiled with the zlib
-or zlib-dynamic option.
+or zlib\-dynamic option.
.IP \fB\-none\fR 4
.IX Item "-none"
Use NULL cipher (no encryption or decryption of input).
@@ -260,7 +263,7 @@ please refer to the output of the \f(CW\*(C`openssl list \-skey\-managers\*(C'\f
.IP "\fB\-skeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-skeyopt opt:value"
To obtain an existing opaque symmetric key or generate a new one, key
-options are specified as opt:value. These options can't be used together with
+options are specified as opt:value. These options can\*(Aqt be used together with
any options implying raw key directly or indirectly.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
@@ -283,15 +286,15 @@ This option is deprecated.
.SH NOTES
.IX Header "NOTES"
The program can be called either as \f(CW\*(C`openssl \fR\f(CIcipher\fR\f(CW\*(C'\fR or
-\&\f(CW\*(C`openssl enc \-\fR\f(CIcipher\fR\f(CW\*(C'\fR. The first form doesn't work with
-engine-provided ciphers, because this form is processed before the
+\&\f(CW\*(C`openssl enc \-\fR\f(CIcipher\fR\f(CW\*(C'\fR. The first form doesn\*(Aqt work with
+engine\-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the \fBopenssl\-list\fR\|(1) command to get a list of supported ciphers.
.PP
Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides gost89 algorithm) should be configured in the
configuration file. Engines specified on the command line using \fB\-engine\fR
-option can only be used for hardware-assisted implementations of
+option can only be used for hardware\-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.
.PP
@@ -320,7 +323,7 @@ a strong block cipher, such as AES, in CBC mode.
All the block ciphers normally use PKCS#7 padding, also known as standard
block padding. This allows a rudimentary integrity or password check to
be performed. However, since the chance of random data passing the test
-is better than 1 in 256 it isn't a very good test.
+is better than 1 in 256 it isn\*(Aqt a very good test.
.PP
If padding is disabled then the input data must be a multiple of the cipher
block length.
@@ -371,9 +374,9 @@ When enc is used with key wrapping modes the input data cannot be streamed,
meaning it must be processed in a single pass.
Consequently, the input data size must be less than
the buffer size (\-bufsize arg, default to 8*1024 bytes).
-The '*\-wrap' ciphers require the input to be a multiple of 8 bytes long,
+The \*(Aq*\-wrap\*(Aq ciphers require the input to be a multiple of 8 bytes long,
because no padding is involved.
-The '*\-wrap\-pad' ciphers allow any input length.
+The \*(Aq*\-wrap\-pad\*(Aq ciphers allow any input length.
In both cases, no IV is needed. See example below.
.PP
.Vb 1
@@ -535,14 +538,14 @@ AES key wrapping:
.Ve
.SH BUGS
.IX Header "BUGS"
-The \fB\-A\fR option when used with large files doesn't work properly.
+The \fB\-A\fR option when used with large files doesn\*(Aqt work properly.
On the other hand, when base64 decoding without the \fB\-A\fR option,
if the first 1024 bytes of input do not include a newline character
the first two lines of input are ignored.
.PP
The \fBopenssl enc\fR command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
-76 bit key or RC4 with an 84 bit key you can't use this program.
+76 bit key or RC4 with an 84 bit key you can\*(Aqt use this program.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-list\fR\|(1), \fBEVP_SKEY\fR\|(3)
diff --git a/secure/usr.bin/openssl/man/openssl-engine.1 b/secure/usr.bin/openssl/man/openssl-engine.1
index 2870d3767cbb..ed93cb342ba4 100644
--- a/secure/usr.bin/openssl/man/openssl-engine.1
+++ b/secure/usr.bin/openssl/man/openssl-engine.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-ENGINE 1ossl"
-.TH OPENSSL-ENGINE 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-ENGINE 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -82,7 +85,7 @@ This command has been deprecated. Providers should be used instead of engines.
.PP
This command is used to query the status and capabilities
of the specified \fIengine\fRs.
-Engines may be specified before and after all other command-line flags.
+Engines may be specified before and after all other command\-line flags.
Only those specified are queried.
.SH OPTIONS
.IX Header "OPTIONS"
@@ -92,7 +95,7 @@ Display an option summary.
.IP "\fB\-v\fR \fB\-vv\fR \fB\-vvv\fR \fB\-vvvv\fR" 4
.IX Item "-v -vv -vvv -vvvv"
Provides information about each specified engine. The first flag lists
-all the possible run-time control commands; the second adds a
+all the possible run\-time control commands; the second adds a
description of each command; the third adds the input flags, and the
final option adds the internal input flags.
.IP \fB\-c\fR 4
@@ -110,7 +113,7 @@ Displays an error trace for any unavailable engine.
.IP "\fB\-post\fR \fIcommand\fR" 4
.IX Item "-post command"
.PD
-Command-line configuration of engines.
+Command\-line configuration of engines.
The \fB\-pre\fR command is given to the engine before it is loaded and
the \fB\-post\fR command is given after the engine is loaded.
The \fIcommand\fR is of the form \fIcmd\fR:\fIval\fR where \fIcmd\fR is the command,
diff --git a/secure/usr.bin/openssl/man/openssl-errstr.1 b/secure/usr.bin/openssl/man/openssl-errstr.1
index 3db408012482..df1c064ef068 100644
--- a/secure/usr.bin/openssl/man/openssl-errstr.1
+++ b/secure/usr.bin/openssl/man/openssl-errstr.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-ERRSTR 1ossl"
-.TH OPENSSL-ERRSTR 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-ERRSTR 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-fipsinstall.1 b/secure/usr.bin/openssl/man/openssl-fipsinstall.1
index 930db9b84704..faafe1160a1c 100644
--- a/secure/usr.bin/openssl/man/openssl-fipsinstall.1
+++ b/secure/usr.bin/openssl/man/openssl-fipsinstall.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-FIPSINSTALL 1ossl"
-.TH OPENSSL-FIPSINSTALL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-FIPSINSTALL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -116,7 +119,7 @@ openssl\-fipsinstall \- perform FIPS configuration installation
This command is used to generate a FIPS module configuration file.
This configuration file can be used each time a FIPS module is loaded
in order to pass data to the FIPS module self tests. The FIPS module always
-verifies its MAC, but optionally only needs to run the KAT's once,
+verifies its MAC, but optionally only needs to run the KAT\*(Aqs once,
at installation.
.PP
The generated configuration file consists of:
@@ -126,7 +129,7 @@ The generated configuration file consists of:
.IP "\- A test status indicator." 4
.IX Item "- A test status indicator."
.PD
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
+This indicates if the Known Answer Self Tests (KAT\*(Aqs) have successfully run.
.IP "\- A MAC of the status indicator." 4
.IX Item "- A MAC of the status indicator."
.PD 0
@@ -136,17 +139,17 @@ This indicates if the Known Answer Self Tests (KAT's) have successfully run.
By default if a continuous test (e.g a key pair test) fails then the FIPS module
will enter an error state, and no services or cryptographic algorithms will be
able to be accessed after this point.
-The default value of '1' will cause the fips module error state to be entered.
-If the value is '0' then the module error state will not be entered.
+The default value of \*(Aq1\*(Aq will cause the fips module error state to be entered.
+If the value is \*(Aq0\*(Aq then the module error state will not be entered.
Regardless of whether the error state is entered or not, the current operation
(e.g. key generation) will return an error. The user is responsible for retrying
the operation if the module error state is not entered.
-.IP "\- A control to indicate whether run-time security checks are done." 4
+.IP "\- A control to indicate whether run\-time security checks are done." 4
.IX Item "- A control to indicate whether run-time security checks are done."
-This indicates if run-time checks related to enforcement of security parameters
+This indicates if run\-time checks related to enforcement of security parameters
such as minimum security strength of keys and approved curve names are used.
-The default value of '1' will perform the checks.
-If the value is '0' the checks are not performed and FIPS compliance must
+The default value of \*(Aq1\*(Aq will perform the checks.
+If the value is \*(Aq0\*(Aq the checks are not performed and FIPS compliance must
be done by procedures documented in the relevant Security Policy.
.PP
This file is described in \fBfips_config\fR\|(5).
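Review bot: the changed line about the default value '1' says "the fips module error state" while the paragraph's first sentence, left as context, says "the FIPS module"; that same context sentence also has "e.g a key pair test" with the second period missing. Both are wording nits the regeneration carries over, to be fixed in the POD source.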
@@ -183,7 +186,7 @@ The default value is \f(CW\*(C`fips_sect\*(C'\fR.
Specifies the name of a supported MAC algorithm which will be used.
The MAC mechanisms that are available will depend on the options
used when building OpenSSL.
-To see the list of supported MAC's use the command
+To see the list of supported MAC\*(Aqs use the command
\&\f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR. The default is \fBHMAC\fR.
.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-macopt nm:v"
@@ -234,13 +237,13 @@ Configure the module to not enter an error state if a conditional self test
fails as described above.
.IP \fB\-no_security_checks\fR 4
.IX Item "-no_security_checks"
-Configure the module to not perform run-time security checks as described above.
+Configure the module to not perform run\-time security checks as described above.
.Sp
-Enabling the configuration option "no-fips-securitychecks" provides another way to
+Enabling the configuration option "no\-fips\-securitychecks" provides another way to
turn off the check at compile time.
.IP \fB\-ems_check\fR 4
.IX Item "-ems_check"
-Configure the module to enable a run-time Extended Master Secret (EMS) check
+Configure the module to enable a run\-time Extended Master Secret (EMS) check
when using the TLS1_PRF KDF algorithm. This check is disabled by default.
See RFC 7627 for information related to EMS.
.IP \fB\-no_short_mac\fR 4
@@ -268,17 +271,17 @@ explicitly permitted by the various standards.
This option is deprecated.
.IP \fB\-tls13_kdf_digest_check\fR 4
.IX Item "-tls13_kdf_digest_check"
-Configure the module to enable a run-time digest check when deriving a key by
+Configure the module to enable a run\-time digest check when deriving a key by
TLS13 KDF.
See RFC 8446 for details.
.IP \fB\-tls1_prf_digest_check\fR 4
.IX Item "-tls1_prf_digest_check"
-Configure the module to enable a run-time digest check when deriving a key by
+Configure the module to enable a run\-time digest check when deriving a key by
TLS_PRF.
See NIST SP 800\-135r1 for details.
.IP \fB\-sshkdf_digest_check\fR 4
.IX Item "-sshkdf_digest_check"
-Configure the module to enable a run-time digest check when deriving a key by
+Configure the module to enable a run\-time digest check when deriving a key by
SSHKDF.
See NIST SP 800\-135r1 for details.
.IP \fB\-sskdf_digest_check\fR 4
@@ -286,7 +289,7 @@ See NIST SP 800\-135r1 for details.
This option is deprecated.
.IP \fB\-x963kdf_digest_check\fR 4
.IX Item "-x963kdf_digest_check"
-Configure the module to enable a run-time digest check when deriving a key by
+Configure the module to enable a run\-time digest check when deriving a key by
X963KDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-dsa_sign_disabled\fR 4
@@ -295,18 +298,18 @@ Configure the module to not allow DSA signing (DSA signature verification is
still allowed). See FIPS 140\-3 IG C.K for details.
.IP \fB\-tdes_encrypt_disabled\fR 4
.IX Item "-tdes_encrypt_disabled"
-Configure the module to not allow Triple-DES encryption.
-Triple-DES decryption is still allowed for legacy purposes.
+Configure the module to not allow Triple\-DES encryption.
+Triple\-DES decryption is still allowed for legacy purposes.
See SP800\-131Ar2 for details.
.IP \fB\-rsa_pkcs15_padding_disabled\fR 4
.IX Item "-rsa_pkcs15_padding_disabled"
Configure the module to not allow PKCS#1 version 1.5 padding to be used with
-RSA for key transport and key agreement. See NIST's SP 800\-131A Revision 2
+RSA for key transport and key agreement. See NIST\*(Aqs SP 800\-131A Revision 2
for details.
.IP \fB\-rsa_pss_saltlen_check\fR 4
.IX Item "-rsa_pss_saltlen_check"
-Configure the module to enable a run-time salt length check when generating or
-verifying a RSA-PSS signature.
+Configure the module to enable a run\-time salt length check when generating or
+verifying a RSA\-PSS signature.
See FIPS 186\-5 5.4 (g) for details.
.IP \fB\-rsa_sign_x931_disabled\fR 4
.IX Item "-rsa_sign_x931_disabled"
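Review bot: the changed line under -rsa_pss_saltlen_check still reads "verifying a RSA-PSS signature" (should be "an RSA-PSS"), and this hunk cites the same NIST document two ways, "SP800-131Ar2" under -tdes_encrypt_disabled and "NIST's SP 800-131A Revision 2" under -rsa_pkcs15_padding_disabled, with a third form, "NIST SP 800-131Ar2", in the entry just above. One citation form in the POD source would keep the references searchable.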
@@ -314,52 +317,52 @@ Configure the module to not allow X9.31 padding to be used when signing with
RSA. See FIPS 140\-3 IG C.K for details.
.IP \fB\-hkdf_key_check\fR 4
.IX Item "-hkdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by HKDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-kbkdf_key_check\fR 4
.IX Item "-kbkdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by KBKDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-tls13_kdf_key_check\fR 4
.IX Item "-tls13_kdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by TLS13 KDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-tls1_prf_key_check\fR 4
.IX Item "-tls1_prf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by TLS_PRF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-sshkdf_key_check\fR 4
.IX Item "-sshkdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by SSHKDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-sskdf_key_check\fR 4
.IX Item "-sskdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by SSKDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-x963kdf_key_check\fR 4
.IX Item "-x963kdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by X963KDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-x942kdf_key_check\fR 4
.IX Item "-x942kdf_key_check"
-Configure the module to enable a run-time short key-derivation key check when
+Configure the module to enable a run\-time short key\-derivation key check when
deriving a key by X942KDF.
See NIST SP 800\-131Ar2 for details.
.IP \fB\-no_pbkdf2_lower_bound_check\fR 4
.IX Item "-no_pbkdf2_lower_bound_check"
-Configure the module to not perform run-time lower bound check for PBKDF2.
+Configure the module to not perform run\-time lower bound check for PBKDF2.
See NIST SP 800\-132 for details.
.IP \fB\-ecdh_cofactor_check\fR 4
.IX Item "-ecdh_cofactor_check"
-Configure the module to enable a run-time check that ECDH uses the EC curves
-cofactor value when deriving a key. This only affects the 'B' and 'K' curves.
+Configure the module to enable a run\-time check that ECDH uses the EC curves
+cofactor value when deriving a key. This only affects the \*(AqB\*(Aq and \*(AqK\*(Aq curves.
See SP 800\-56A r3 Section 5.7.1.2 for details.
.IP \fB\-self_test_onload\fR 4
.IX Item "-self_test_onload"
@@ -375,7 +378,7 @@ and is not relevant for an OpenSSL FIPS 140\-3 provider, since this is no
longer allowed.
.IP \fB\-self_test_oninstall\fR 4
.IX Item "-self_test_oninstall"
-The converse of \fB\-self_test_oninstall\fR. The two fields related to the
+The converse of \fB\-self_test_onload\fR. The two fields related to the
"test status indicator" and "MAC status indicator" are written to the
output configuration file.
This field is not relevant for an OpenSSL FIPS 140\-3 provider, since this is no
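Review bot: in the -self_test_oninstall entry the unchanged sentence "This field is not relevant ..." follows "The two fields ... are written", so the number does not agree ("These fields are" would match). Worth fixing in the POD source alongside the cross-reference correction to -self_test_onload on the changed line, which is the one content change in this hunk and reads correctly.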
@@ -388,7 +391,7 @@ Do not output pass/fail messages. Implies \fB\-noout\fR.
The corrupt options can be used to test failure of one or more self tests by
name.
Either option or both may be used to select the tests to corrupt.
-Refer to the entries for \fBst-desc\fR and \fBst-type\fR in \fBOSSL_PROVIDER\-FIPS\fR\|(7) for
+Refer to the entries for \fBst\-desc\fR and \fBst\-type\fR in \fBOSSL_PROVIDER\-FIPS\fR\|(7) for
values that can be used.
.IP "\fB\-config\fR \fIparent_config\fR" 4
.IX Item "-config parent_config"
@@ -396,7 +399,7 @@ Test that a FIPS provider can be loaded from the specified configuration file.
A previous call to this application needs to generate the extra configuration
data that is included by the base \f(CW\*(C`parent_config\*(C'\fR configuration file.
See \fBconfig\fR\|(5) for further information on how to set up a provider section.
-All other options are ignored if '\-config' is used.
+All other options are ignored if \*(Aq\-config\*(Aq is used.
.SH NOTES
.IX Header "NOTES"
Self tests results are logged by default if the options \fB\-quiet\fR and \fB\-noout\fR
@@ -450,7 +453,7 @@ Validate that the fips module can be loaded from a base configuration file:
\&\fBEVP_MAC\fR\|(3)
.SH HISTORY
.IX Header "HISTORY"
-The \fBopenssl-fipsinstall\fR application was added in OpenSSL 3.0.
+The \fBopenssl\-fipsinstall\fR application was added in OpenSSL 3.0.
.PP
The following options were added in OpenSSL 3.1:
.PP
diff --git a/secure/usr.bin/openssl/man/openssl-format-options.1 b/secure/usr.bin/openssl/man/openssl-format-options.1
index f490f275687d..c96c2d4d95cc 100644
--- a/secure/usr.bin/openssl/man/openssl-format-options.1
+++ b/secure/usr.bin/openssl/man/openssl-format-options.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-FORMAT-OPTIONS 1ossl"
-.TH OPENSSL-FORMAT-OPTIONS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-FORMAT-OPTIONS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -116,9 +119,9 @@ An engine must be configured or specified using the \fB\-engine\fR option.
A password or PIN may be supplied to the engine using the \fB\-passin\fR option.
.IP \fBP12\fR 4
.IX Item "P12"
-A DER-encoded file containing a PKCS#12 object.
+A DER\-encoded file containing a PKCS#12 object.
It might be necessary to provide a decryption password to retrieve
-the private key.
+the private key or certificate.
.IP \fBPEM\fR 4
.IX Item "PEM"
A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is
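Review bot: the P12 entry now says a decryption password may be needed "to retrieve the private key or certificate" but does not say how to supply it, whereas the ENGINE entry just above names -passin for its password or PIN. Suggest naming the option here as well, or pointing to openssl-passphrase-options(1).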
@@ -135,7 +138,7 @@ lines used to mark the start and end:
\& Text after the END line is also ignored
.Ve
.Sp
-The \fIobject-type\fR must match the type of object that is expected.
+The \fIobject\-type\fR must match the type of object that is expected.
For example a \f(CW\*(C`BEGIN X509 CERTIFICATE\*(C'\fR will not match if the command
is trying to read a private key. The types supported include:
.Sp
@@ -163,7 +166,7 @@ is trying to read a private key. The types supported include:
\& X9.42 DH PARAMETERS
.Ve
.Sp
-The following legacy \fIobject-type\fR's are also supported for compatibility
+The following legacy \fIobject\-type\fR\*(Aqs are also supported for compatibility
with earlier releases:
.Sp
.Vb 4
@@ -179,7 +182,7 @@ Earlier versions were known as CMS and are compatible.
Note that the parsing is simple and might fail to parse some legal data.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-gendsa.1 b/secure/usr.bin/openssl/man/openssl-gendsa.1
index 24fa9353db7b..5dc59c081674 100644
--- a/secure/usr.bin/openssl/man/openssl-gendsa.1
+++ b/secure/usr.bin/openssl/man/openssl-gendsa.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-GENDSA 1ossl"
-.TH OPENSSL-GENDSA 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-GENDSA 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-genpkey.1 b/secure/usr.bin/openssl/man/openssl-genpkey.1
index 135d6cb59b7c..911df903715c 100644
--- a/secure/usr.bin/openssl/man/openssl-genpkey.1
+++ b/secure/usr.bin/openssl/man/openssl-genpkey.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-GENPKEY 1ossl"
-.TH OPENSSL-GENPKEY 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-GENPKEY 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -128,12 +131,12 @@ name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
Public key algorithm to use such as RSA, DSA, DH or DHX. If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive. Engines or providers may add algorithms in addition to
-the standard built-in ones.
+the standard built\-in ones.
.Sp
-Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC,
-X25519, X448, ED25519, ED448, ML-DSA and ML-KEM.
+Valid built\-in algorithm names for private key generation are RSA, RSA\-PSS, EC,
+X25519, X448, ED25519, ED448, ML\-DSA and ML\-KEM.
.Sp
-Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
+Valid built\-in algorithm names for parameter generation (see the \fB\-genparam\fR
option) are DH, DSA and EC.
.Sp
Note that the algorithm name X9.42 DH may be used as a synonym for DHX keys and
@@ -201,9 +204,9 @@ The number of primes in the generated key. If not specified 2 is used.
.IX Item "rsa_keygen_pubexp:value"
The RSA public exponent value. This can be a large decimal or
hexadecimal value if preceded by \f(CW\*(C`0x\*(C'\fR. Default value is 65537.
-.SS "RSA-PSS Key Generation Options"
+.SS "RSA\-PSS Key Generation Options"
.IX Subsection "RSA-PSS Key Generation Options"
-Note: by default an \fBRSA-PSS\fR key has no parameter restrictions.
+Note: by default an \fBRSA\-PSS\fR key has no parameter restrictions.
.IP "\fBrsa_keygen_bits\fR:\fInumbits\fR, \fBrsa_keygen_primes\fR:\fInumprimes\fR, \fBrsa_keygen_pubexp\fR:\fIvalue\fR" 4
.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value"
These options have the same meaning as the \fBRSA\fR algorithm.
@@ -212,7 +215,7 @@ These options have the same meaning as the \fBRSA\fR algorithm.
If set the key is restricted and can only use \fIdigest\fR for signing.
.IP \fBrsa_pss_keygen_mgf1_md\fR:\fIdigest\fR 4
.IX Item "rsa_pss_keygen_mgf1_md:digest"
-If set the key is restricted and can only use \fIdigest\fR as it's MGF1
+If set the key is restricted and can only use \fIdigest\fR as it\*(Aqs MGF1
parameter.
.IP \fBrsa_pss_keygen_saltlen\fR:\fIlen\fR 4
.IX Item "rsa_pss_keygen_saltlen:len"
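Review bot: In the `rsa_pss_keygen_mgf1_md` entry the regenerated line still reads `as it\*(Aqs MGF1`; the possessive is "its", so the apostrophe this hunk now escapes should not be there at all. Correct it in the POD source so the next regeneration picks it up.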
@@ -227,28 +230,28 @@ The EC curve to use. OpenSSL supports NIST curve names such as "P\-256".
.IX Item "ec_param_enc:encoding"
The encoding to use for parameters. The \fIencoding\fR parameter must be either
\&\fBnamed_curve\fR or \fBexplicit\fR. The default value is \fBnamed_curve\fR.
-.SS "ML-DSA Key Generation Options"
+.SS "ML\-DSA Key Generation Options"
.IX Subsection "ML-DSA Key Generation Options"
.IP \fBhexseed\fR:\fIseed\fR 4
.IX Item "hexseed:seed"
-This specifies the optional ML-DSA \fIseed\fR in hexadecimal form. The seed is 32
+This specifies the optional ML\-DSA \fIseed\fR in hexadecimal form. The seed is 32
bytes, giving 64 hexadecimal digits.
When generated from an explicit seed the key is completely determined by the
seed value.
-If other users can see the command-line arguments of the running process, this
-option may compromise the secret key, it is best avoided, tests-aside.
+If other users can see the command\-line arguments of the running process, this
+option may compromise the secret key, it is best avoided, tests\-aside.
.Sp
See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for more detail.
-.SS "ML-KEM Key Generation Options"
+.SS "ML\-KEM Key Generation Options"
.IX Subsection "ML-KEM Key Generation Options"
.IP \fBhexseed\fR:\fIseed\fR 4
.IX Item "hexseed:seed"
-This specifies the optional ML-KEM \fIseed\fR in hexadecimal form. The seed is 64
+This specifies the optional ML\-KEM \fIseed\fR in hexadecimal form. The seed is 64
bytes, giving 128 hexadecimal digits.
When generated from an explicit seed the key is completely determined by the
seed value.
-If other users can see the command-line arguments of the running process, this
-option may compromise the secret key, it is best avoided, tests-aside.
+If other users can see the command\-line arguments of the running process, this
+option may compromise the secret key, it is best avoided, tests\-aside.
.Sp
See \fBEVP_PKEY\-ML\-KEM\fR\|(7) for more detail.
.SS "DH Key Generation Options"
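Review bot: The `hexseed` warning, repeated for both ML-DSA and ML-KEM, is the security-relevant sentence in this hunk and it still reads as a comma splice: "this option may compromise the secret key, it is best avoided, tests\-aside." Since the text above it states that the key is completely determined by the seed, the warning deserves to be unambiguous; suggest splitting it in the POD source into two sentences, one stating that the seed is exposed to anyone who can see the process arguments and one stating that the option should be used only in tests.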
@@ -350,7 +353,7 @@ The number of bits in the prime parameter \fIp\fR. The default is 2048.
The number of bits in the sub prime parameter \fIq\fR. The default is 224.
Only relevant if used in conjunction with the \fBdh_paramgen_type\fR option to
generate DHX parameters.
-.IP \fBsafeprime-generator\fR:\fIvalue\fR 4
+.IP \fBsafeprime\-generator\fR:\fIvalue\fR 4
.IX Item "safeprime-generator:value"
.PD 0
.IP \fBdh_paramgen_generator\fR:\fIvalue\fR 4
@@ -581,7 +584,7 @@ The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
-Support for \fBML-DSA\fR and \fBML-KEM\fR was added in OpenSSL 3.5.
+Support for \fBML\-DSA\fR and \fBML\-KEM\fR was added in OpenSSL 3.5.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/secure/usr.bin/openssl/man/openssl-genrsa.1 b/secure/usr.bin/openssl/man/openssl-genrsa.1
index 6d435aa15627..ea4c278bc2c6 100644
--- a/secure/usr.bin/openssl/man/openssl-genrsa.1
+++ b/secure/usr.bin/openssl/man/openssl-genrsa.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-GENRSA 1ossl"
-.TH OPENSSL-GENRSA 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-GENRSA 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -125,7 +128,7 @@ The \fB\-3\fR option has been deprecated.
.IX Item "-primes num"
Specify the number of primes to use while generating the RSA key. The \fInum\fR
parameter must be a positive integer that is greater than 1 and less than 16.
-If \fInum\fR is greater than 2, then the generated key is called a 'multi\-prime'
+If \fInum\fR is greater than 2, then the generated key is called a \*(Aqmulti\-prime\*(Aq
RSA key, which is defined in RFC 8017.
.IP \fB\-verbose\fR 4
.IX Item "-verbose"
@@ -165,7 +168,7 @@ RSA private key generation essentially involves the generation of two or more
prime numbers. When generating a private key various symbols will be output to
indicate the progress of the generation. A \fB.\fR represents each number which
has passed an initial sieve test, \fB+\fR means a number has passed a single
-round of the Miller-Rabin primality test, \fB*\fR means the current prime starts
+round of the Miller\-Rabin primality test, \fB*\fR means the current prime starts
a regenerating progress due to some failed tests. A newline means that the number
has passed all the prime tests (the actual number depends on the key size).
.PP
diff --git a/secure/usr.bin/openssl/man/openssl-info.1 b/secure/usr.bin/openssl/man/openssl-info.1
index e333aa34f2b3..52aa25512521 100644
--- a/secure/usr.bin/openssl/man/openssl-info.1
+++ b/secure/usr.bin/openssl/man/openssl-info.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-INFO 1ossl"
-.TH OPENSSL-INFO 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-INFO 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-kdf.1 b/secure/usr.bin/openssl/man/openssl-kdf.1
index 8a548f379726..8004da8496f3 100644
--- a/secure/usr.bin/openssl/man/openssl-kdf.1
+++ b/secure/usr.bin/openssl/man/openssl-kdf.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-KDF 1ossl"
-.TH OPENSSL-KDF 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-KDF 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -139,7 +142,7 @@ Alternative to the \fBpass:\fR option where
the password is specified in hexadecimal form (two hex digits per byte).
.IP \fBsalt:\fR\fIstring\fR 4
.IX Item "salt:string"
-Specifies a non-secret unique cryptographic salt as an alphanumeric string
+Specifies a non\-secret unique cryptographic salt as an alphanumeric string
(use if it contains printable characters only).
The length must conform to any restrictions of the KDF algorithm.
A salt parameter is required for several KDF algorithms,
@@ -150,9 +153,9 @@ Alternative to the \fBsalt:\fR option where
the salt is specified in hexadecimal form (two hex digits per byte).
.IP \fBinfo:\fR\fIstring\fR 4
.IX Item "info:string"
-Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an 'info' parameter
+Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an \*(Aqinfo\*(Aq parameter
for binding the derived key material
-to application\- and context-specific information.
+to application\- and context\-specific information.
Specifies the info, fixed info, other info or shared info argument
as an alphanumeric string (use if it contains printable characters only).
The length must conform to any restrictions of the KDF algorithm.
@@ -190,21 +193,21 @@ The supported algorithms names include TLS1\-PRF, HKDF, SSKDF, PBKDF2,
SSHKDF, X942KDF\-ASN1, X942KDF\-CONCAT, X963KDF and SCRYPT.
.SH EXAMPLES
.IX Header "EXAMPLES"
-Use TLS1\-PRF to create a hex-encoded derived key from a secret key and seed:
+Use TLS1\-PRF to create a hex\-encoded derived key from a secret key and seed:
.PP
.Vb 2
\& openssl kdf \-keylen 16 \-kdfopt digest:SHA2\-256 \-kdfopt key:secret \e
\& \-kdfopt seed:seed TLS1\-PRF
.Ve
.PP
-Use HKDF to create a hex-encoded derived key from a secret key, salt and info:
+Use HKDF to create a hex\-encoded derived key from a secret key, salt and info:
.PP
.Vb 2
\& openssl kdf \-keylen 10 \-kdfopt digest:SHA2\-256 \-kdfopt key:secret \e
\& \-kdfopt salt:salt \-kdfopt info:label HKDF
.Ve
.PP
-Use SSKDF with KMAC to create a hex-encoded derived key from a secret key, salt and info:
+Use SSKDF with KMAC to create a hex\-encoded derived key from a secret key, salt and info:
.PP
.Vb 3
\& openssl kdf \-keylen 64 \-kdfopt mac:KMAC\-128 \-kdfopt maclen:20 \e
@@ -212,7 +215,7 @@ Use SSKDF with KMAC to create a hex-encoded derived key from a secret key, salt
\& \-kdfopt hexsalt:3638271ccd68a2 SSKDF
.Ve
.PP
-Use SSKDF with HMAC to create a hex-encoded derived key from a secret key, salt and info:
+Use SSKDF with HMAC to create a hex\-encoded derived key from a secret key, salt and info:
.PP
.Vb 3
\& openssl kdf \-keylen 16 \-kdfopt mac:HMAC \-kdfopt digest:SHA2\-256 \e
@@ -220,7 +223,7 @@ Use SSKDF with HMAC to create a hex-encoded derived key from a secret key, salt
\& \-kdfopt hexsalt:3638271c SSKDF
.Ve
.PP
-Use SSKDF with Hash to create a hex-encoded derived key from a secret key, salt and info:
+Use SSKDF with Hash to create a hex\-encoded derived key from a secret key, salt and info:
.PP
.Vb 3
\& openssl kdf \-keylen 14 \-kdfopt digest:SHA2\-256 \e
@@ -228,7 +231,7 @@ Use SSKDF with Hash to create a hex-encoded derived key from a secret key, salt
\& \-kdfopt hexinfo:a1b2c3d4 SSKDF
.Ve
.PP
-Use SSHKDF to create a hex-encoded derived key from a secret key, hash and session_id:
+Use SSHKDF to create a hex\-encoded derived key from a secret key, hash and session_id:
.PP
.Vb 5
\& openssl kdf \-keylen 16 \-kdfopt digest:SHA2\-256 \e
@@ -238,14 +241,14 @@ Use SSHKDF to create a hex-encoded derived key from a secret key, hash and sessi
\& \-kdfopt type:A SSHKDF
.Ve
.PP
-Use PBKDF2 to create a hex-encoded derived key from a password and salt:
+Use PBKDF2 to create a hex\-encoded derived key from a password and salt:
.PP
.Vb 2
\& openssl kdf \-keylen 32 \-kdfopt digest:SHA256 \-kdfopt pass:password \e
\& \-kdfopt salt:salt \-kdfopt iter:2 PBKDF2
.Ve
.PP
-Use scrypt to create a hex-encoded derived key from a password and salt:
+Use scrypt to create a hex\-encoded derived key from a password and salt:
.PP
.Vb 3
\& openssl kdf \-keylen 64 \-kdfopt pass:password \-kdfopt salt:NaCl \e
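Review bot: The PBKDF2 example in this hunk uses `iter:2` together with `pass:password`, and man page examples get copied verbatim; add a sentence in the POD source saying the iteration count is for illustration only. The same example spells the digest `SHA256` while the other examples on the page use `SHA2\-256`; one spelling should be used throughout.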
diff --git a/secure/usr.bin/openssl/man/openssl-list.1 b/secure/usr.bin/openssl/man/openssl-list.1
index 972bec32208b..28d97322f03d 100644
--- a/secure/usr.bin/openssl/man/openssl-list.1
+++ b/secure/usr.bin/openssl/man/openssl-list.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-LIST 1ossl"
-.TH OPENSSL-LIST 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-LIST 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -123,7 +126,7 @@ The options below where verbosity applies say a bit more about what that means.
Only list algorithms that match this name.
.IP \fB\-1\fR 4
.IX Item "-1"
-List the commands, digest-commands, or cipher-commands in a single column.
+List the commands, digest\-commands, or cipher\-commands in a single column.
If used, this option must be given first.
.IP \fB\-all\-algorithms\fR 4
.IX Item "-all-algorithms"
@@ -158,25 +161,25 @@ Display lists of all algorithms. These include:
.IX Item "Store loaders"
.IP "Symmetric ciphers" 4
.IX Item "Symmetric ciphers"
+.PD
.RE
.RS 4
.RE
.IP \fB\-commands\fR 4
.IX Item "-commands"
-.PD
Display a list of standard commands.
.IP \fB\-standard\-commands\fR 4
.IX Item "-standard-commands"
List of standard commands.
.IP \fB\-digest\-commands\fR 4
.IX Item "-digest-commands"
-This option is deprecated. Use \fBdigest-algorithms\fR instead.
+This option is deprecated. Use \fBdigest\-algorithms\fR instead.
.Sp
Display a list of message digest commands, which are typically used
as input to the \fBopenssl\-dgst\fR\|(1) or \fBopenssl\-speed\fR\|(1) commands.
.IP \fB\-cipher\-commands\fR 4
.IX Item "-cipher-commands"
-This option is deprecated. Use \fBcipher-algorithms\fR instead.
+This option is deprecated. Use \fBcipher\-algorithms\fR instead.
.Sp
Display a list of cipher commands, which are typically used as input
to the \fBopenssl\-enc\fR\|(1) or \fBopenssl\-speed\fR\|(1) commands.
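Review bot: The `.PD` move is the only structural markup change in this hunk: the spacing reset now happens before the `.RE` that closes the algorithm list instead of after `.IX Item "-commands"`, and it is followed by an empty `.RS 4` / `.RE` pair. Please render the page and confirm the spacing between "Symmetric ciphers" and `-commands` is as intended. Separately, the deprecation notes say "Use \fBdigest\-algorithms\fR instead" and "Use \fBcipher\-algorithms\fR instead" without the leading dash that every other option name here carries.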
@@ -216,8 +219,8 @@ information on what parameters each implementation supports.
.IX Item "-public-key-algorithms"
Display a list of public key algorithms, with each algorithm as
a block of multiple lines, all but the first are indented.
-The options \fBkey-exchange-algorithms\fR, \fBkem-algorithms\fR,
-\&\fBsignature-algorithms\fR, and \fBasymcipher-algorithms\fR will display similar info.
+The options \fBkey\-exchange\-algorithms\fR, \fBkem\-algorithms\fR,
+\&\fBsignature\-algorithms\fR, and \fBasymcipher\-algorithms\fR will display similar info.
.IP \fB\-public\-key\-methods\fR 4
.IX Item "-public-key-methods"
Display a list of public key methods.
@@ -284,12 +287,12 @@ Display a list of disabled features, those that were compiled out
of the installation.
.IP \fB\-objects\fR 4
.IX Item "-objects"
-Display a list of built in objects, i.e. OIDs with names. They're listed in the
+Display a list of built in objects, i.e. OIDs with names. They\*(Aqre listed in the
format described in "ASN1 Object Configuration Module" in \fBconfig\fR\|(5).
.IP "\fB\-options\fR \fIcommand\fR" 4
.IX Item "-options command"
-Output a two-column list of the options accepted by the specified \fIcommand\fR.
-The first is the option name, and the second is a one-character indication
+Output a two\-column list of the options accepted by the specified \fIcommand\fR.
+The first is the option name, and the second is a one\-character indication
of what type of parameter it takes, if any.
This is an internal option, used for checking that the documentation
is complete.
@@ -321,7 +324,7 @@ implementation is labeled with a single name:
\& foo @ bar
.Ve
.Sp
-or like this if it's labeled with multiple names:
+or like this if it\*(Aqs labeled with multiple names:
.Sp
.Vb 1
\& { foo1, foo2 } @bar
diff --git a/secure/usr.bin/openssl/man/openssl-mac.1 b/secure/usr.bin/openssl/man/openssl-mac.1
index fdd6d443d4a8..5b72864b288f 100644
--- a/secure/usr.bin/openssl/man/openssl-mac.1
+++ b/secure/usr.bin/openssl/man/openssl-mac.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-MAC 1ossl"
-.TH OPENSSL-MAC 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-MAC 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -89,7 +92,7 @@ Print a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
Input filename to calculate a MAC for, or standard input by default.
-Standard input is used if the filename is '\-'.
+Standard input is used if the filename is \*(Aq\-\*(Aq.
Files and standard input are expected to be in binary format.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
@@ -164,11 +167,11 @@ See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproper
.IP \fImac_name\fR 4
.IX Item "mac_name"
Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command \f(CW\*(C`openssl list
+To see the list of supported MAC\*(Aqs use the command \f(CW\*(C`openssl list
\&\-mac\-algorithms\*(C'\fR.
.SH EXAMPLES
.IX Header "EXAMPLES"
-To create a hex-encoded HMAC\-SHA1 MAC of a file and write to stdout:
+To create a hex\-encoded HMAC\-SHA1 MAC of a file and write to stdout:
.PP
.Vb 3
\& openssl mac \-digest SHA1 \e
@@ -183,7 +186,7 @@ To create a SipHash MAC from a file with a binary file output:
\& \-in msg.bin \-out out.bin \-binary SipHash
.Ve
.PP
-To create a hex-encoded CMAC\-AES\-128\-CBC MAC from a file:
+To create a hex\-encoded CMAC\-AES\-128\-CBC MAC from a file:
.PP
.Vb 3
\& openssl mac \-cipher AES\-128\-CBC \e
@@ -191,15 +194,15 @@ To create a hex-encoded CMAC\-AES\-128\-CBC MAC from a file:
\& \-in msg.bin CMAC
.Ve
.PP
-To create a hex-encoded KMAC128 MAC from a file with a Customisation String
-\&'Tag' and output length of 16:
+To create a hex\-encoded KMAC128 MAC from a file with a Customisation String
+\&\*(AqTag\*(Aq and output length of 16:
.PP
.Vb 2
\& openssl mac \-macopt custom:Tag \-macopt hexkey:40414243444546 \e
\& \-macopt size:16 \-in msg.bin KMAC128
.Ve
.PP
-To create a hex-encoded GMAC\-AES\-128\-GCM with a IV from a file:
+To create a hex\-encoded GMAC\-AES\-128\-GCM with a IV from a file:
.PP
.Vb 2
\& openssl mac \-cipher AES\-128\-GCM \-macopt hexiv:E0E00F19FED7BA0136A797F3 \e
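Review bot: The GMAC line touched in this hunk still reads "with a IV from a file"; it should be "with an IV". As with the other wording issues, fix it in the POD source, since only the hyphen escaping changed here.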
diff --git a/secure/usr.bin/openssl/man/openssl-namedisplay-options.1 b/secure/usr.bin/openssl/man/openssl-namedisplay-options.1
index fbf29878d6c5..a8a9289cfa85 100644
--- a/secure/usr.bin/openssl/man/openssl-namedisplay-options.1
+++ b/secure/usr.bin/openssl/man/openssl-namedisplay-options.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-NAMEDISPLAY-OPTIONS 1ossl"
-.TH OPENSSL-NAMEDISPLAY-OPTIONS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-NAMEDISPLAY-OPTIONS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -70,10 +73,10 @@ openssl\-namedisplay\-options \- Distinguished name display options
[ \fIparameters\fR ... ]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
-OpenSSL provides fine-grain control over how the subject and issuer DN's are
+OpenSSL provides fine\-grain control over how the subject and issuer DN\*(Aqs are
displayed.
This is specified by using the \fB\-nameopt\fR option, which takes a
-comma-separated list of options from the following set.
+comma\-separated list of options from the following set.
An option may be preceded by a minus sign, \f(CW\*(C`\-\*(C'\fR, to turn it off.
The first four option arguments are the most commonly used.
.PP
@@ -116,7 +119,7 @@ Escape the "special" characters in a field as required by RFC 2254 in a field.
That is, the \fBNUL\fR character and of \f(CW\*(C`()*\*(C'\fR.
.IP \fBesc_ctrl\fR 4
.IX Item "esc_ctrl"
-Escape non-printable ASCII characters, codes less than 0x20 (space)
+Escape non\-printable ASCII characters, codes less than 0x20 (space)
or greater than 0x7F (DELETE). They are displayed using RFC 2253 \f(CW\*(C`\eXX\*(C'\fR
notation where \fBXX\fR are the two hex digits representing the character value.
.IP \fBesc_msb\fR 4
@@ -156,7 +159,7 @@ If not set, just the content octets are displayed.
Either way, the \fB#XXXX...\fR format of RFC 2253 is used.
.IP \fBdump_nostr\fR 4
.IX Item "dump_nostr"
-Dump non-character strings, such as ASN.1 \fBOCTET STRING\fR.
+Dump non\-character strings, such as ASN.1 \fBOCTET STRING\fR.
If this option is not set, then non character string types will be displayed
as though each content octet represents a single character.
.IP \fBdump_all\fR 4
diff --git a/secure/usr.bin/openssl/man/openssl-nseq.1 b/secure/usr.bin/openssl/man/openssl-nseq.1
index fd991f8380ca..89460ded89a9 100644
--- a/secure/usr.bin/openssl/man/openssl-nseq.1
+++ b/secure/usr.bin/openssl/man/openssl-nseq.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-NSEQ 1ossl"
-.TH OPENSSL-NSEQ 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-NSEQ 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -80,7 +83,7 @@ sequence and prints out the certificates contained in it or takes a
file of certificates and converts it into a Netscape certificate
sequence.
.PP
-A Netscape certificate sequence is an old Netscape-specific format that
+A Netscape certificate sequence is an old Netscape\-specific format that
can be sometimes be sent to browsers as an alternative to the standard PKCS#7
format when several certificates are sent to the browser, for example during
certificate enrollment. It was also used by Netscape certificate server.
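Review bot: The sentence changed in this hunk continues on the next line as "can be sometimes be sent to browsers", with a doubled "be". Worth fixing in the POD source while this paragraph is being regenerated; suggested wording is "can sometimes be sent to browsers".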
diff --git a/secure/usr.bin/openssl/man/openssl-ocsp.1 b/secure/usr.bin/openssl/man/openssl-ocsp.1
index 376f991907c1..420debcb8c26 100644
--- a/secure/usr.bin/openssl/man/openssl-ocsp.1
+++ b/secure/usr.bin/openssl/man/openssl-ocsp.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-OCSP 1ossl"
-.TH OPENSSL-OCSP 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-OCSP 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -123,7 +126,7 @@ openssl\-ocsp \- Online Certificate Status Protocol command
[\fB\-ndays\fR \fIn\fR]
[\fB\-resp_key_id\fR]
[\fB\-nrequest\fR \fIn\fR]
-[\fB\-multi\fR \fIprocess-count\fR]
+[\fB\-multi\fR \fIprocess\-count\fR]
[\fB\-rcid\fR \fIdigest\fR]
[\fB\-\fR\f(BIdigest\fR]
[\fB\-CAfile\fR \fIfile\fR]
@@ -203,7 +206,7 @@ The issuer certificate is taken from the previous \fB\-issuer\fR option,
or an error occurs if no issuer certificate is specified.
.IP \fB\-no_certs\fR 4
.IX Item "-no_certs"
-Don't include any certificates in signed request.
+Don\*(Aqt include any certificates in signed request.
.IP "\fB\-serial\fR \fInum\fR" 4
.IX Item "-serial num"
Same as the \fB\-cert\fR option except the certificate with serial number
@@ -235,7 +238,7 @@ a nonce is automatically added specifying \fB\-no_nonce\fR overrides this.
Print out the text form of the OCSP request, response or both respectively.
.IP "\fB\-reqout\fR \fIfile\fR, \fB\-respout\fR \fIfilename\fR" 4
.IX Item "-reqout file, -respout filename"
-Write out the DER-encoded OCSP request or response to \fIfilename\fR.
+Write out the DER\-encoded OCSP request or response to \fIfilename\fR.
The output filename can be the same as the input filename,
which leads to replacing the file contents.
Note that file I/O is not atomic. The output file is truncated and then written.
@@ -294,7 +297,7 @@ the complete request is received.
.IX Item "-verify_other file"
File or URI containing additional certificates to search
when attempting to locate
-the OCSP response signing certificate. Some responders omit the actual signer's
+the OCSP response signing certificate. Some responders omit the actual signer\*(Aqs
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
The input can be in PEM, DER, or PKCS#12 format.
@@ -311,7 +314,7 @@ Equivalent to the \fB\-verify_other\fR and \fB\-trust_other\fR options.
The input can be in PEM, DER, or PKCS#12 format.
.IP \fB\-noverify\fR 4
.IX Item "-noverify"
-Don't attempt to verify the OCSP response signature or the nonce
+Don\*(Aqt attempt to verify the OCSP response signature or the nonce
values. This option will normally only be used for debugging since it
disables all verification of the responders certificate.
.IP \fB\-no_intern\fR 4
@@ -321,12 +324,12 @@ signers certificate. With this option the signers certificate must be specified
with either the \fB\-verify_other\fR or \fB\-VAfile\fR options.
.IP \fB\-no_signature_verify\fR 4
.IX Item "-no_signature_verify"
-Don't check the signature on the OCSP response. Since this option
+Don\*(Aqt check the signature on the OCSP response. Since this option
tolerates invalid signatures on OCSP responses it will normally only be
used for testing purposes.
.IP \fB\-no_cert_verify\fR 4
.IX Item "-no_cert_verify"
-Don't verify the OCSP response signers certificate at all. Since this
+Don\*(Aqt verify the OCSP response signers certificate at all. Since this
option allows the OCSP response to be signed by any certificate it should
only be used for testing purposes.
.IP \fB\-no_chain\fR 4
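Review bot: This hunk escapes the apostrophe in "Don\*(Aqt" twice, but the same entries keep "signers certificate" with no possessive apostrophe (in `-no_intern` and `-no_cert_verify`), while the `-verify_other` entry earlier in the page writes `signer\*(Aqs certificate`. These entries describe switches that turn off response verification, so the wording should be consistent; change the POD source to "signer's certificate" throughout.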
@@ -338,7 +341,7 @@ certificates.
Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
.IP \fB\-no_cert_checks\fR 4
.IX Item "-no_cert_checks"
-Don't perform any additional checks on the OCSP response signers certificate.
+Don\*(Aqt perform any additional checks on the OCSP response signers certificate.
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
@@ -425,7 +428,7 @@ The input can be in PEM, DER, or PKCS#12 format.
.IP "\fB\-rsigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-rsigopt nm:v"
Pass options to the signature algorithm when signing OCSP responses.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm\-specific.
.IP "\fB\-rmd\fR \fIdigest\fR" 4
.IX Item "-rmd digest"
The digest to use when signing the response.
@@ -435,7 +438,7 @@ Corrupt the response signature before writing it; this can be useful
for testing.
.IP \fB\-resp_no_certs\fR 4
.IX Item "-resp_no_certs"
-Don't include any certificates in the OCSP response.
+Don\*(Aqt include any certificates in the OCSP response.
.IP \fB\-resp_key_id\fR 4
.IX Item "-resp_key_id"
Identify the signer certificate using the key ID, default is to use the
@@ -453,16 +456,16 @@ running instead of terminating upon receiving a malformed request.
.IP "\fB\-nrequest\fR \fInumber\fR" 4
.IX Item "-nrequest number"
The OCSP server will exit after receiving \fInumber\fR requests, default unlimited.
-.IP "\fB\-multi\fR \fIprocess-count\fR" 4
+.IP "\fB\-multi\fR \fIprocess\-count\fR" 4
.IX Item "-multi process-count"
Run the specified number of OCSP responder child processes, with the parent
process respawning child processes as needed.
Child processes will detect changes in the CA index file and automatically
reload it.
When running as a responder \fB\-timeout\fR option is recommended to limit the time
-each child is willing to wait for the client's OCSP response.
+each child is willing to wait for the client\*(Aqs OCSP response.
This option is available on POSIX systems (that support the \fBfork()\fR and other
-required unix system-calls).
+required unix system\-calls).
.IP "\fB\-nmin\fR \fIminutes\fR, \fB\-ndays\fR \fIdays\fR" 4
.IX Item "-nmin minutes, -ndays days"
Number of minutes or days when fresh revocation information is available:
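Review bot: in the -multi text, "wait for the client's OCSP response" reads backwards for a responder. The neighbouring items describe the server receiving requests ("terminating upon receiving a malformed request", "exit after receiving number requests"), so the child is waiting for the client's OCSP request. This page is generated, so the wording should be fixed in the POD source and the page regenerated. "required unix system-calls" in the last changed line could become "Unix system calls" in the same pass.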
@@ -474,7 +477,7 @@ immediately available.
OCSP Response follows the rules specified in RFC2560.
.PP
Initially the OCSP responder certificate is located and the signature on
-the OCSP request checked using the responder certificate's public key.
+the OCSP request checked using the responder certificate\*(Aqs public key.
.PP
Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
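Review bot: the changed sentence says the signature on the OCSP request is checked using the responder certificate's public key, but this paragraph is about verifying a response (the hunk context is "OCSP Response follows the rules specified in RFC2560", and the options above all speak of "the OCSP response signing certificate"). Suggest "the signature on the OCSP response checked using the responder certificate's public key" in the POD source, so that the regenerated page does not carry the slip forward.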
@@ -488,7 +491,7 @@ error.
Otherwise the issuing CA certificate in the request is compared to the OCSP
responder certificate: if there is a match then the OCSP verify succeeds.
.PP
-Otherwise the OCSP responder certificate's CA is checked against the issuing
+Otherwise the OCSP responder certificate\*(Aqs CA is checked against the issuing
CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
@@ -517,7 +520,7 @@ with the \fB\-VAfile\fR option.
.IX Header "NOTES"
As noted, most of the verify options are for testing or debugging purposes.
Normally only the \fB\-CApath\fR, \fB\-CAfile\fR, \fB\-CAstore\fR and (if the responder
-is a 'global VA') \fB\-VAfile\fR options need to be used.
+is a \*(Aqglobal VA\*(Aq) \fB\-VAfile\fR options need to be used.
.PP
The OCSP server is only useful for test and demonstration purposes: it is
not really usable as a full OCSP responder. It contains only a very
diff --git a/secure/usr.bin/openssl/man/openssl-passphrase-options.1 b/secure/usr.bin/openssl/man/openssl-passphrase-options.1
index 46d891b7dc71..e38a0fd3d592 100644
--- a/secure/usr.bin/openssl/man/openssl-passphrase-options.1
+++ b/secure/usr.bin/openssl/man/openssl-passphrase-options.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PASSPHRASE-OPTIONS 1ossl"
-.TH OPENSSL-PASSPHRASE-OPTIONS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PASSPHRASE-OPTIONS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -88,7 +91,7 @@ Pass phrase arguments can be formatted as follows.
.IP \fBpass:\fR\fIpassword\fR 4
.IX Item "pass:password"
The actual password is \fIpassword\fR. Since the password is visible
-to utilities (like 'ps' under Unix) this form should only be used
+to utilities (like \*(Aqps\*(Aq under Unix) this form should only be used
where security is not important.
.IP \fBenv:\fR\fIvar\fR 4
.IX Item "env:var"
diff --git a/secure/usr.bin/openssl/man/openssl-passwd.1 b/secure/usr.bin/openssl/man/openssl-passwd.1
index dc4e07b65c49..dd44b0591278 100644
--- a/secure/usr.bin/openssl/man/openssl-passwd.1
+++ b/secure/usr.bin/openssl/man/openssl-passwd.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PASSWD 1ossl"
-.TH OPENSSL-PASSWD 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PASSWD 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -88,7 +91,7 @@ openssl\-passwd \- compute password hashes
.SH DESCRIPTION
.IX Header "DESCRIPTION"
This command computes the hash of a password typed at
-run-time or the hash of each password in a list. The password list is
+run\-time or the hash of each password in a list. The password list is
taken from the named file for option \fB\-in\fR, from stdin for
option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
.SH OPTIONS
@@ -125,10 +128,10 @@ Read passwords from \fIfile\fR.
Read passwords from \fBstdin\fR.
.IP \fB\-noverify\fR 4
.IX Item "-noverify"
-Don't verify when reading a password from the terminal.
+Don\*(Aqt verify when reading a password from the terminal.
.IP \fB\-quiet\fR 4
.IX Item "-quiet"
-Don't output warnings when passwords given at the command line are truncated.
+Don\*(Aqt output warnings when passwords given at the command line are truncated.
.IP \fB\-table\fR 4
.IX Item "-table"
In the output list, prepend the cleartext password and a TAB character
diff --git a/secure/usr.bin/openssl/man/openssl-pkcs12.1 b/secure/usr.bin/openssl/man/openssl-pkcs12.1
index 0da076e8d70b..c01e3a3f178a 100644
--- a/secure/usr.bin/openssl/man/openssl-pkcs12.1
+++ b/secure/usr.bin/openssl/man/openssl-pkcs12.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKCS12 1ossl"
-.TH OPENSSL-PKCS12 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PKCS12 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -193,7 +196,7 @@ and so the input is just verified.
.IP \fB\-legacy\fR 4
.IX Item "-legacy"
Use legacy mode of operation and automatically load the legacy provider.
-If OpenSSL is not installed system-wide,
+If OpenSSL is not installed system\-wide,
it is necessary to also use, for example, \f(CW\*(C`\-provider\-path ./providers\*(C'\fR
or to set the environment variable \fBOPENSSL_MODULES\fR
to point to the directory where the providers can be found.
@@ -241,7 +244,7 @@ Output additional information about the PKCS#12 file structure, algorithms
used and iteration counts.
.IP \fB\-nomacver\fR 4
.IX Item "-nomacver"
-Don't attempt to verify the integrity MAC.
+Don\*(Aqt attempt to verify the integrity MAC.
.IP \fB\-clcerts\fR 4
.IX Item "-clcerts"
Only output client certificates (not CA certificates).
@@ -268,7 +271,7 @@ Use triple DES to encrypt private keys before outputting.
Use IDEA to encrypt private keys before outputting.
.IP \fB\-noenc\fR 4
.IX Item "-noenc"
-Don't encrypt private keys at all.
+Don\*(Aqt encrypt private keys at all.
.IP \fB\-nodes\fR 4
.IX Item "-nodes"
This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
@@ -288,7 +291,7 @@ This specifies the input filename or URI.
Standard input is used by default.
With the \fB\-export\fR option this is a file with certificates and a key,
or a URI that refers to a key accessed via an engine.
-The order of credentials in a file doesn't matter but one private key and
+The order of credentials in a file doesn\*(Aqt matter but one private key and
its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 output file.
.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
@@ -370,7 +373,7 @@ Special value \f(CW\*(C`NONE\*(C'\fR disables encryption of the private key and
.IX Item "-descert"
Encrypt the certificates using triple DES. By default the private
key and the certificates are encrypted using AES\-256\-CBC unless
-the '\-legacy' option is used. If '\-descert' is used with the '\-legacy'
+the \*(Aq\-legacy\*(Aq option is used. If \*(Aq\-descert\*(Aq is used with the \*(Aq\-legacy\*(Aq
then both, the private key and the certificates are encrypted using triple DES.
.IP "\fB\-macalg\fR \fIdigest\fR" 4
.IX Item "-macalg digest"
@@ -398,7 +401,7 @@ By default both encryption and MAC iteration counts are set to 2048, using
these options the MAC and encryption iteration counts can be set to 1, since
this reduces the file security you should not use these options unless you
really have to. Most software supports both MAC and encryption iteration counts.
-MSIE 4.0 doesn't support MAC iteration counts so it needs the \fB\-nomaciter\fR
+MSIE 4.0 doesn\*(Aqt support MAC iteration counts so it needs the \fB\-nomaciter\fR
option.
.IP \fB\-maciter\fR 4
.IX Item "-maciter"
@@ -442,19 +445,19 @@ the \fB\-nokeys\fR \fB\-cacerts\fR options to just output CA certificates.
.PP
The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
-the defaults are fine but occasionally software can't handle triple DES
+the defaults are fine but occasionally software can\*(Aqt handle triple DES
encrypted private keys, then the option \fB\-keypbe\fR \fIPBE\-SHA1\-RC2\-40\fR can
be used to reduce the private key encryption to 40 bit RC2. A complete
description of all algorithms is contained in \fBopenssl\-pkcs8\fR\|(1).
.PP
-Prior 1.1 release passwords containing non-ASCII characters were encoded
-in non-compliant manner, which limited interoperability, in first hand
-with Windows. But switching to standard-compliant password encoding
+Prior 1.1 release passwords containing non\-ASCII characters were encoded
+in non\-compliant manner, which limited interoperability, in first hand
+with Windows. But switching to standard\-compliant password encoding
poses problem accessing old data protected with broken encoding. For
this reason even legacy encodings is attempted when reading the
data. If you use PKCS#12 files in production application you are advised
to convert the data, because implemented heuristic approach is not
-MT-safe, its sole goal is to facilitate the data upgrade with this
+MT\-safe, its sole goal is to facilitate the data upgrade with this
command.
.SH EXAMPLES
.IX Header "EXAMPLES"
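Review bot: the re-escaped paragraph on non-ASCII passwords keeps several wording slips: "Prior 1.1 release", "in non-compliant manner", "in first hand with Windows", "even legacy encodings is attempted". The advice in it matters to anyone holding old PKCS#12 files (convert the data, since the fallback heuristic is not MT-safe), so it deserves a cleanup in the POD source, for example "Prior to the 1.1 release, passwords containing non-ASCII characters were encoded in a non-compliant manner".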
@@ -470,7 +473,7 @@ Output only client certificates to a file:
\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
.Ve
.PP
-Don't encrypt the private key:
+Don\*(Aqt encrypt the private key:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-out file.pem \-noenc
diff --git a/secure/usr.bin/openssl/man/openssl-pkcs7.1 b/secure/usr.bin/openssl/man/openssl-pkcs7.1
index 1f4bc2420c45..91b88cd9a82a 100644
--- a/secure/usr.bin/openssl/man/openssl-pkcs7.1
+++ b/secure/usr.bin/openssl/man/openssl-pkcs7.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKCS7 1ossl"
-.TH OPENSSL-PKCS7 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PKCS7 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -113,7 +116,7 @@ Prints out any certificates or CRLs contained in the file. They are
preceded by their subject and issuer names in one line format.
.IP \fB\-quiet\fR 4
.IX Item "-quiet"
-When used with \-print_certs, prints out just the PEM-encoded
+When used with \-print_certs, prints out just the PEM\-encoded
certificates without any other output.
.IP \fB\-text\fR 4
.IX Item "-text"
@@ -121,7 +124,7 @@ Prints out certificate details in full rather than just subject and
issuer names.
.IP \fB\-noout\fR 4
.IX Item "-noout"
-Don't output the encoded version of the PKCS#7 structure (or certificates
+Don\*(Aqt output the encoded version of the PKCS#7 structure (or certificates
if \fB\-print_certs\fR is set).
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
diff --git a/secure/usr.bin/openssl/man/openssl-pkcs8.1 b/secure/usr.bin/openssl/man/openssl-pkcs8.1
index 7400967c9be1..31c890112f3f 100644
--- a/secure/usr.bin/openssl/man/openssl-pkcs8.1
+++ b/secure/usr.bin/openssl/man/openssl-pkcs8.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKCS8 1ossl"
-.TH OPENSSL-PKCS8 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PKCS8 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -155,7 +158,7 @@ When password input is interrupted, the output file is not touched.
.IX Item "-iter count"
When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
-High values increase the time required to brute-force a PKCS#8 container.
+High values increase the time required to brute\-force a PKCS#8 container.
.IP \fB\-noiter\fR 4
.IX Item "-noiter"
When creating new PKCS#8 containers, use 1 as iteration count.
@@ -172,12 +175,12 @@ code signing software used unencrypted private keys.
This option sets the PKCS#5 v2.0 algorithm.
.Sp
The \fIalg\fR argument is the encryption algorithm to use, valid values include
-\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn't specified then \fBaes256\fR
+\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn\*(Aqt specified then \fBaes256\fR
is used.
.IP "\fB\-v2prf\fR \fIalg\fR" 4
.IX Item "-v2prf alg"
This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
-value would be \fBhmacWithSHA256\fR. If this option isn't set then the default
+value would be \fBhmacWithSHA256\fR. If this option isn\*(Aqt set then the default
for the cipher is used or \fBhmacWithSHA256\fR if there is no default.
.Sp
Some implementations may not support custom PRF algorithms and may require
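Review bot: the -v2prf description still reads "A typical value value would be hmacWithSHA256". The word is doubled across the unchanged line ending "A typical value" and the changed line starting "value would be". Drop one "value" in the POD source and regenerate rather than touching only the apostrophe on that line.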
@@ -318,14 +321,14 @@ one million iterations of the password:
.SH STANDARDS
.IX Header "STANDARDS"
Test vectors from this PKCS#5 v2.0 implementation were posted to the
-pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
+pkcs\-tng mailing list using triple DES, DES and RC2 with high iteration
counts, several people confirmed that they could decrypt the private
keys produced and therefore, it can be assumed that the PKCS#5 v2.0
implementation is reasonably accurate at least as far as these
algorithms are concerned.
.PP
The format of PKCS#8 DSA (and other) private keys is not well documented:
-it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
+it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL\*(Aqs default DSA
PKCS#8 private key format complies with this standard.
.SH BUGS
.IX Header "BUGS"
diff --git a/secure/usr.bin/openssl/man/openssl-pkey.1 b/secure/usr.bin/openssl/man/openssl-pkey.1
index 3e248310e3ca..913a2cb6a6f8 100644
--- a/secure/usr.bin/openssl/man/openssl-pkey.1
+++ b/secure/usr.bin/openssl/man/openssl-pkey.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKEY 1ossl"
-.TH OPENSSL-PKEY 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PKEY 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -200,7 +203,7 @@ Output in text form only the public key components (also for private keys).
This cannot be combined with encoded output in DER format.
.IP "\fB\-ec_conv_form\fR \fIarg\fR" 4
.IX Item "-ec_conv_form arg"
-This option only applies to elliptic-curve based keys.
+This option only applies to elliptic\-curve based keys.
.Sp
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR (the default
diff --git a/secure/usr.bin/openssl/man/openssl-pkeyparam.1 b/secure/usr.bin/openssl/man/openssl-pkeyparam.1
index 9a6bad4dbb49..9625838ede7c 100644
--- a/secure/usr.bin/openssl/man/openssl-pkeyparam.1
+++ b/secure/usr.bin/openssl/man/openssl-pkeyparam.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKEYPARAM 1ossl"
-.TH OPENSSL-PKEYPARAM 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PKEYPARAM 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-pkeyutl.1 b/secure/usr.bin/openssl/man/openssl-pkeyutl.1
index ed4edcc9fb5b..251304ae2aed 100644
--- a/secure/usr.bin/openssl/man/openssl-pkeyutl.1
+++ b/secure/usr.bin/openssl/man/openssl-pkeyutl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKEYUTL 1ossl"
-.TH OPENSSL-PKEYUTL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PKEYUTL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -106,7 +109,7 @@ openssl\-pkeyutl \- asymmetric key command
[\fB\-config\fR \fIconfigfile\fR]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This command can be used to perform low-level operations
+This command can be used to perform low\-level operations
on asymmetric (public or private) keys using any supported algorithm.
.PP
By default the signing operation (see \fB\-sign\fR option) is assumed.
@@ -152,10 +155,10 @@ so the \fB\-digest\fR option cannot be used with EdDSA.
Specifies the output filename to write to or standard output by default.
.IP "\fB\-secret\fR \fIfilename\fR" 4
.IX Item "-secret filename"
-Specifies the shared-secret output filename for when performing encapsulation
+Specifies the shared\-secret output filename for when performing encapsulation
via the \fB\-encap\fR option or decapsulation via the \fB\-decap\fR option.
The \fB\-encap\fR option also produces a separate (public) ciphertext output which
-is by default written to standard output, but being \fIbinary\fR non-text data,
+is by default written to standard output, but being \fIbinary\fR non\-text data,
is typically also redirected to a file selected via the \fI\-out\fR option.
.IP "\fB\-sigfile\fR \fIfile\fR" 4
.IX Item "-sigfile file"
@@ -182,7 +185,7 @@ The input is a certificate containing a public key.
.IP \fB\-rev\fR 4
.IX Item "-rev"
Reverse the order of the input buffer. This is useful for some libraries
-(such as CryptoAPI) which represent the buffer in little-endian format.
+(such as CryptoAPI) which represent the buffer in little\-endian format.
This cannot be used in conjunction with \fB\-rawin\fR.
.IP \fB\-sign\fR 4
.IX Item "-sign"
@@ -235,16 +238,16 @@ The peer key format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP \fB\-encap\fR 4
.IX Item "-encap"
-Use a Key Encapsulation Mechanism (\fBKEM\fR) to \fBencapsulate\fR a shared-secret to
-a peer's \fBpublic\fR key.
-The encapsulated result (or ciphertext, non-text binary data) is written to
+Use a Key Encapsulation Mechanism (\fBKEM\fR) to \fBencapsulate\fR a shared\-secret to
+a peer\*(Aqs \fBpublic\fR key.
+The encapsulated result (or ciphertext, non\-text binary data) is written to
standard output by default, or else to the file specified with \fI\-out\fR.
The \fI\-secret\fR option must also be provided to specify the output file for the
-derived shared-secret value generated in the encapsulation process.
+derived shared\-secret value generated in the encapsulation process.
Encapsulation is supported with a number of public key algorithms, currently:
-ML-KEM,
+ML\-KEM,
X25519,
-X449,
+X448,
and
EC.
The ECX and EC algorithms use the
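Review bot: the one content change in this hunk, X449 to X448 in the -encap algorithm list, is buried among escaping-only edits and should be called out in the commit message, since a reader skimming the regenerated pages will not spot it. The corrected name now matches the -decap list, which already reads X448. The trailing sentence "The ECX and EC algorithms use the" introduces "ECX" without saying that it means the X25519 and X448 entries just listed, and a short gloss in the POD source would help.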
@@ -253,21 +256,21 @@ Encapsulation is also supported with RSA keys via the
\&\fBRSASVE\fR construction.
.Sp
At the API level, encapsulation and decapsulation are also supported for a few
-hybrid ECDHE (no DHKEM) plus \fBML-KEM\fR algorithms, but these are intended
+hybrid ECDHE (no DHKEM) plus \fBML\-KEM\fR algorithms, but these are intended
primarily for use with TLS and should not be used standalone.
There are in any case no standard public and private key formats for the hybrid
algorithms, so it is not possible to provide the required key material.
.IP \fB\-decap\fR 4
.IX Item "-decap"
Decode an encapsulated secret, with the use of a \fB\-private\fR key, to derive the
-same shared-secret as that obtained when the secret was encapsulated to the
+same shared\-secret as that obtained when the secret was encapsulated to the
corresponding public key.
The encapsulated secret is by default read from the standard input, or else
from the file specified with \fB\-in\fR.
-The derived shared-secret is written to the file specified with the \fB\-secret\fR
+The derived shared\-secret is written to the file specified with the \fB\-secret\fR
option, which \fImust\fR also be provided.
Decapsulation is supported with a number of public key algorithms, currently:
-ML-KEM,
+ML\-KEM,
X25519,
X448,
and
@@ -310,7 +313,7 @@ hex dump the output data.
.IX Item "-asn1parse"
Parse the ASN.1 output data to check its DER encoding and print any errors.
When combined with the \fB\-verifyrecover\fR option, this may be useful in case
-an ASN.1 DER-encoded structure had been signed directly (without hashing it)
+an ASN.1 DER\-encoded structure had been signed directly (without hashing it)
and when checking a signature in PKCS#1 v1.5 format, which has a DER encoding.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
@@ -343,11 +346,11 @@ The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
.PP
Unless otherwise mentioned, the \fB\-pkeyopt\fR option supports
-for all public-key types the \f(CW\*(C`digest:\*(C'\fR\fIalg\fR argument,
+for all public\-key types the \f(CW\*(C`digest:\*(C'\fR\fIalg\fR argument,
which specifies the digest in use for the signing and verification operations.
The value \fIalg\fR should represent a digest name as used in the
\&\fBEVP_get_digestbyname()\fR function for example \fBsha256\fR. This value is not used to
-hash the input data. It is used (by some algorithms) for sanity-checking the
+hash the input data. It is used (by some algorithms) for sanity\-checking the
lengths of data passed in and for creating the structures that make up the
signature (e.g., \fBDigestInfo\fR in RSASSA PKCS#1 v1.5 signatures).
.PP
@@ -416,11 +419,11 @@ rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
protection against Bleichenbacher attack, the library will generate a
deterministic random plaintext that it will return to the caller in case
of padding check failure.
-When disabled, it's the callers' responsibility to handle the returned
-errors in a side-channel free manner.
-.SH "RSA-PSS ALGORITHM"
+When disabled, it\*(Aqs the callers\*(Aq responsibility to handle the returned
+errors in a side\-channel free manner.
+.SH "RSA\-PSS ALGORITHM"
.IX Header "RSA-PSS ALGORITHM"
-The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
+The RSA\-PSS algorithm is a restricted version of the RSA algorithm which only
supports the sign and verify operations with PSS padding. The following
additional \fB\-pkeyopt\fR values are supported:
.IP "\fBrsa_padding_mode:\fR\fImode\fR, \fBrsa_pss_saltlen:\fR\fIlen\fR, \fBrsa_mgf1_md:\fR\fIdigest\fR" 4
@@ -451,62 +454,62 @@ for the \fB\-pkeyopt\fR \fBdigest\fR option.
.IX Header "X25519 AND X448 ALGORITHMS"
The X25519 and X448 algorithms support key derivation only. Currently there are
no additional options.
-.SS "SLH-DSA ALGORITHMS"
+.SS "SLH\-DSA ALGORITHMS"
.IX Subsection "SLH-DSA ALGORITHMS"
-The SLH-DSA algorithms (SLH\-DSA\-SHA2\-128s, SLH\-DSA\-SHA2\-128f, SLH\-DSA\-SHA2\-192s, SLH\-DSA\-SHA2\-192f, SLH\-DSA\-SHA2\-256s, SLH\-DSA\-SHA2\-256f) are post-quantum signature algorithms. When using SLH-DSA with pkeyutl, the following options are available:
+The SLH\-DSA algorithms (SLH\-DSA\-SHA2\-128s, SLH\-DSA\-SHA2\-128f, SLH\-DSA\-SHA2\-192s, SLH\-DSA\-SHA2\-192f, SLH\-DSA\-SHA2\-256s, SLH\-DSA\-SHA2\-256f) are post\-quantum signature algorithms. When using SLH\-DSA with pkeyutl, the following options are available:
.IP \fB\-sign\fR 4
.IX Item "-sign"
-Sign the input data using an SLH-DSA private key. For example:
+Sign the input data using an SLH\-DSA private key. For example:
.Sp
.Vb 1
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey slhdsa.pem \-out sig
.Ve
.IP \fB\-verify\fR 4
.IX Item "-verify"
-Verify the signature using an SLH-DSA public key. For example:
+Verify the signature using an SLH\-DSA public key. For example:
.Sp
.Vb 1
\& $ openssl pkeyutl \-verify \-in file.txt \-inkey slhdsa.pem \-sigfile sig
.Ve
.PP
-See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) and \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7) for additional details about the SLH-DSA algorithm and its implementation.
+See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) and \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7) for additional details about the SLH\-DSA algorithm and its implementation.
.SH "ML\-DSA\-44, ML\-DSA\-65 AND ML\-DSA\-87 ALGORITHMS"
.IX Header "ML-DSA-44, ML-DSA-65 AND ML-DSA-87 ALGORITHMS"
-The ML-DSA algorithms are post-quantum signature algorithms that support signing and verification of "raw" messages.
-No preliminary hashing is performed. When using ML-DSA with pkeyutl, the following options are available:
+The ML\-DSA algorithms are post\-quantum signature algorithms that support signing and verification of "raw" messages.
+No preliminary hashing is performed. When using ML\-DSA with pkeyutl, the following options are available:
.IP \fB\-sign\fR 4
.IX Item "-sign"
-Sign the input data using an ML-DSA private key. For example:
+Sign the input data using an ML\-DSA private key. For example:
.Sp
.Vb 1
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig
.Ve
.IP \fB\-verify\fR 4
.IX Item "-verify"
-Verify the signature using an ML-DSA public key. For example:
+Verify the signature using an ML\-DSA public key. For example:
.Sp
.Vb 1
\& $ openssl pkeyutl \-verify \-in file.txt \-inkey mldsa65.pem \-sigfile sig
.Ve
.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
-Additional options for ML-DSA signing and verification:
+Additional options for ML\-DSA signing and verification:
.RS 4
-.IP \fBmessage-encoding\fR:\fIvalue\fR 4
+.IP \fBmessage\-encoding\fR:\fIvalue\fR 4
.IX Item "message-encoding:value"
Specifies the message encoding mode used for signing. This controls how the input message is processed before signing. Valid values are described in \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7). For example:
.Sp
.Vb 1
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt message\-encoding:1
.Ve
-.IP \fBtest-entropy\fR:\fIvalue\fR 4
+.IP \fBtest\-entropy\fR:\fIvalue\fR 4
.IX Item "test-entropy:value"
Specifies a test entropy value for deterministic signing. For example:
.Sp
.Vb 1
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt test\-entropy:abcdefghijklmnopqrstuvwxyz012345
.Ve
-.IP \fBhextest-entropy\fR:\fIvalue\fR 4
+.IP \fBhextest\-entropy\fR:\fIvalue\fR 4
.IX Item "hextest-entropy:value"
Specifies a test entropy value in hex format. For example:
.Sp
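Review bot: "SLH-DSA ALGORITHMS" is emitted as a subsection (.SS) directly under the "X25519 AND X448 ALGORITHMS" header, while the ML-DSA block that follows is a top-level .SH. The rendered page therefore nests the SLH-DSA text under the X25519/X448 section, so the POD source should use the same heading level for both. Separately, the -verify examples for SLH-DSA and ML-DSA say "using an ... public key" but pass the same -inkey file as the -sign examples. Either name a public key file and add -pubin, or say that the private key file is being reused.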
@@ -531,7 +534,7 @@ Specifies the mu parameter. For example:
.RE
.RS 4
.RE
-.IP \fBcontext-string\fR:\fIstring\fR 4
+.IP \fBcontext\-string\fR:\fIstring\fR 4
.IX Item "context-string:string"
Specifies a context string for both signing and verification operations. The context string must be the same for verification to succeed. For example:
.Sp
@@ -539,7 +542,7 @@ Specifies a context string for both signing and verification operations. The con
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt context\-string:mycontext
\& $ openssl pkeyutl \-verify \-in file.txt \-inkey mldsa65.pem \-sigfile sig \-pkeyopt context\-string:mycontext
.Ve
-.IP \fBhexcontext-string\fR:\fIstring\fR 4
+.IP \fBhexcontext\-string\fR:\fIstring\fR 4
.IX Item "hexcontext-string:string"
Specifies a context string in hex format, allowing binary control values. For example:
.Sp
@@ -552,13 +555,13 @@ with \fIbool\fR set to \f(CW1\fR if a deterministic signature is to be generated
with a fixed all zero random input.
By default, or if the \fIbool\fR is \f(CW0\fR a random entropy value is used.
A deterministic result can also be obtained by specifying an explicit
-entropy value via the \fBhextest-entropy\fR:\fIvalue\fR parameter.
-Deterministic \fBML-DSA\fR signing should only be used in tests.
+entropy value via the \fBhextest\-entropy\fR:\fIvalue\fR parameter.
+Deterministic \fBML\-DSA\fR signing should only be used in tests.
.PP
-See \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7) for additional details about the ML-DSA algorithms and their implementation.
+See \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7) for additional details about the ML\-DSA algorithms and their implementation.
.SH "ML\-KEM\-512, ML\-KEM\-768 AND ML\-KEM\-1024 ALGORITHMS"
.IX Header "ML-KEM-512, ML-KEM-768 AND ML-KEM-1024 ALGORITHMS"
-The ML-KEM algorithms support encapsulation and decapsulation only.
+The ML\-KEM algorithms support encapsulation and decapsulation only.
The encapsulation operation supports a \fBhexikme\fR:\fIentropy\fR option,
with \fIentropy\fR the 64 hexadecimal digit encoding of a 32\-byte value.
This should only be used in tests, known or leaked values of the option may
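Review bot: the context sentence "This should only be used in tests, known or leaked values of the option may" is a comma splice in the security caveat for hexikme. Splitting it after "tests" would make the warning harder to misread. The changed lines in this hunk are hyphen escapes only (hextest\-entropy, ML\-DSA, ML\-KEM), so the wording fix belongs in the source POD.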
@@ -666,20 +669,20 @@ Decrypt some data using a private key with OAEP padding using SHA256:
\& \-pkeyopt rsa_padding_mode:oaep \-pkeyopt rsa_oaep_md:sha256
.Ve
.PP
-Create an ML-DSA key pair and sign data with a specific context string:
+Create an ML\-DSA key pair and sign data with a specific context string:
.PP
.Vb 2
\& $ openssl genpkey \-algorithm ML\-DSA\-65 \-out mldsa65.pem
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey mldsa65.pem \-out sig \-pkeyopt context\-string:example
.Ve
.PP
-Verify a signature using ML-DSA with the same context string:
+Verify a signature using ML\-DSA with the same context string:
.PP
.Vb 1
\& $ openssl pkeyutl \-verify \-in file.txt \-inkey mldsa65.pem \-sigfile sig \-pkeyopt context\-string:example
.Ve
.PP
-Generate an ML-KEM key pair and use it for encapsulation:
+Generate an ML\-KEM key pair and use it for encapsulation:
.PP
.Vb 3
\& $ openssl genpkey \-algorithm ML\-KEM\-768 \-out mlkem768.pem
@@ -687,20 +690,20 @@ Generate an ML-KEM key pair and use it for encapsulation:
\& $ openssl pkeyutl \-encap \-inkey mlkem768_pub.pem \-pubin \-out ciphertext \-secret shared_secret.bin
.Ve
.PP
-Decapsulate a shared secret using an ML-KEM private key:
+Decapsulate a shared secret using an ML\-KEM private key:
.PP
.Vb 1
\& $ openssl pkeyutl \-decap \-inkey mlkem768.pem \-in ciphertext \-secret decapsulated_secret.bin
.Ve
.PP
-Create an SLH-DSA key pair and sign data:
+Create an SLH\-DSA key pair and sign data:
.PP
.Vb 2
\& $ openssl genpkey \-algorithm SLH\-DSA\-SHA2\-128s \-out slh\-dsa.pem
\& $ openssl pkeyutl \-sign \-in file.txt \-inkey slh\-dsa.pem \-out sig
.Ve
.PP
-Verify a signature using SLH-DSA:
+Verify a signature using SLH\-DSA:
.PP
.Vb 1
\& $ openssl pkeyutl \-verify \-in file.txt \-inkey slh\-dsa.pem \-sigfile sig
@@ -729,7 +732,7 @@ the supported algorithms, the only supported \fBmode\fR is now the default.
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-prime.1 b/secure/usr.bin/openssl/man/openssl-prime.1
index fb39ea266dec..cd8b8dc6621f 100644
--- a/secure/usr.bin/openssl/man/openssl-prime.1
+++ b/secure/usr.bin/openssl/man/openssl-prime.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-PRIME 1ossl"
-.TH OPENSSL-PRIME 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-PRIME 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-rand.1 b/secure/usr.bin/openssl/man/openssl-rand.1
index 1bb1154c9745..d894c2d0e320 100644
--- a/secure/usr.bin/openssl/man/openssl-rand.1
+++ b/secure/usr.bin/openssl/man/openssl-rand.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-RAND 1ossl"
-.TH OPENSSL-RAND 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-RAND 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -86,7 +89,7 @@ multiple of KiB/MiB/GiB/TiB respectively. Note that suffixes are case
sensitive, and that the suffixes represent binary multiples
(K = 1024 bytes, M = 1024*1024 bytes, etc).
.PP
-The string 'max' may be substituted for a numerical value in num, to request the
+The string \*(Aqmax\*(Aq may be substituted for a numerical value in num, to request the
maximum number of bytes the CSPRNG can produce per instantiation. Currently,
this is restricted to 2^61 bytes as per NIST SP 800\-90C.
.PP
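Review bot: on the changed line, "a numerical value in num" leaves the argument name unformatted while the quotes around max are now emitted as \*(Aq. Marking it up as \fInum\fR in the source POD would match how arguments are set elsewhere in these pages.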
diff --git a/secure/usr.bin/openssl/man/openssl-rehash.1 b/secure/usr.bin/openssl/man/openssl-rehash.1
index 05d9ca42fdff..943045946d94 100644
--- a/secure/usr.bin/openssl/man/openssl-rehash.1
+++ b/secure/usr.bin/openssl/man/openssl-rehash.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-REHASH 1ossl"
-.TH OPENSSL-REHASH 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-REHASH 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -63,8 +66,8 @@
.SH NAME
openssl\-rehash, c_rehash \- Create symbolic links to files named by the hash
values
-.SH "SYNOPSIS =for openssl duplicate options"
-.IX Header "SYNOPSIS =for openssl duplicate options"
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fBrehash\fR
[\fB\-h\fR]
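Review bot: the .SH line is the one place in this file where the rendered section title changes rather than just the escaping: "SYNOPSIS =for openssl duplicate options" becomes "SYNOPSIS", and the .IX Header line changes with it. That is a fix for a POD directive leaking into the heading, and it deserves a line in the commit message since anything that matched on the old heading string will no longer find it.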
@@ -106,9 +109,9 @@ directories to be set up like this in order to find certificates.
.PP
If any directories are named on the command line, then those are
processed in turn. If not, then the \fBSSL_CERT_DIR\fR environment variable
-is consulted; this should be a colon-separated list of directories,
+is consulted; this should be a colon\-separated list of directories,
like the Unix \fBPATH\fR variable.
-If that is not set then the default directory (installation-specific
+If that is not set then the default directory (installation\-specific
but often \fI/usr/local/ssl/certs\fR) is processed.
.PP
In order for a directory to be processed, the user must have write
@@ -120,7 +123,7 @@ When a directory is processed, all links in it that have a name
in that syntax are first removed, even if they are being used for
some other purpose.
To skip the removal step, use the \fB\-n\fR flag.
-Hashes for CRL's look similar except the letter \fBr\fR appears after
+Hashes for CRL\*(Aqs look similar except the letter \fBr\fR appears after
the period, like this: \fIHHHHHHHH.\fR\fBr\fR\fID\fR.
.PP
Multiple objects may have the same hash; they will be indicated by
@@ -135,7 +138,7 @@ more than one such object appears in the file.
.IX Subsection "Script Configuration"
The \fBc_rehash\fR script
uses the \fBopenssl\fR program to compute the hashes and
-fingerprints. If not found in the user's \fBPATH\fR, then set the
+fingerprints. If not found in the user\*(Aqs \fBPATH\fR, then set the
\&\fBOPENSSL\fR environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
a certificate or CRL:
@@ -155,17 +158,17 @@ optionally prefixed with some text and an equals sign.
Display a brief usage message.
.IP \fB\-old\fR 4
.IX Item "-old"
-Use old-style hashing (MD5, as opposed to SHA\-1) for generating
+Use old\-style hashing (MD5, as opposed to SHA\-1) for generating
links to be used for releases before 1.0.0.
Note that current versions will not use the old style.
.IP \fB\-n\fR 4
.IX Item "-n"
Do not remove existing links.
-This is needed when keeping new and old-style links in the same directory.
+This is needed when keeping new and old\-style links in the same directory.
.IP \fB\-compat\fR 4
.IX Item "-compat"
-Generate links for both old-style (MD5) and new-style (SHA1) hashing.
-This allows releases before 1.0.0 to use these links along-side newer
+Generate links for both old\-style (MD5) and new\-style (SHA1) hashing.
+This allows releases before 1.0.0 to use these links along\-side newer
releases.
.IP \fB\-v\fR 4
.IX Item "-v"
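Review bot: the hash name is spelled two ways within this hunk, "SHA\-1" under \-old and "SHA1" under \-compat; pick one in the source POD. The re-escaped "along\-side" on the \-compat line would also read better as "alongside".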
diff --git a/secure/usr.bin/openssl/man/openssl-req.1 b/secure/usr.bin/openssl/man/openssl-req.1
index dd3d023b0021..dabc6ba2448b 100644
--- a/secure/usr.bin/openssl/man/openssl-req.1
+++ b/secure/usr.bin/openssl/man/openssl-req.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-REQ 1ossl"
-.TH OPENSSL-REQ 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-REQ 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -125,7 +128,7 @@ openssl\-req \- PKCS#10 certificate request and certificate generating command
.SH DESCRIPTION
.IX Header "DESCRIPTION"
This command primarily creates and processes certificate requests (CSRs)
-in PKCS#10 format. It can additionally create self-signed certificates
+in PKCS#10 format. It can additionally create self\-signed certificates
for use as root CAs for example.
.SH OPTIONS
.IX Header "OPTIONS"
@@ -156,11 +159,11 @@ A request is only read if the creation options
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm\-specific.
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm\-specific.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The password source for private key and certificate input.
@@ -192,7 +195,7 @@ This option prevents output of the encoded version of the certificate request.
Prints out the value of the modulus of the public key contained in the request.
.IP \fB\-verify\fR 4
.IX Item "-verify"
-Verifies the self-signature on the request. If the verification fails,
+Verifies the self\-signature on the request. If the verification fails,
the program will immediately exit, i.e. further option processing
(e.g. \fB\-text\fR) is skipped.
.IP \fB\-new\fR 4
@@ -251,7 +254,7 @@ See "KEY GENERATION OPTIONS" in \fBopenssl\-genpkey\fR\|(1) for more details.
This option provides the private key for signing a new certificate or
certificate request.
Unless \fB\-in\fR is given, the corresponding public key is placed in
-the new certificate or certificate request, resulting in a self-signature.
+the new certificate or certificate request, resulting in a self\-signature.
.Sp
For certificate signing this option is overridden by the \fB\-CA\fR option.
.Sp
@@ -303,8 +306,8 @@ The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
-Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
-Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN).
+Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
@@ -383,7 +386,7 @@ When used together with the option \fB\-not_after\fR, the explicit expiry
date takes precedence.
.IP "\fB\-set_serial\fR \fIn\fR" 4
.IX Item "-set_serial n"
-Serial number to use when outputting a self-signed certificate.
+Serial number to use when outputting a self\-signed certificate.
This may be specified as a decimal value or a hex value if preceded by \f(CW\*(C`0x\*(C'\fR.
If not given, a large random number will be used.
.IP "\fB\-copy_extensions\fR \fIarg\fR" 4
@@ -413,13 +416,13 @@ If an extension is added using this option that has the same OID as one
defined in the extension section of the config file, it overrides that one.
.Sp
This option can be given multiple times.
-Doing so, the same key most not be given more than once.
+Doing so, the same key must not be given more than once.
.IP \fB\-precert\fR 4
.IX Item "-precert"
A poison extension will be added to the certificate, making it a
-"pre-certificate" (see RFC6962). This can be submitted to Certificate
+"pre\-certificate" (see RFC6962). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
-These SCTs can then be embedded into the pre-certificate as an extension, before
+These SCTs can then be embedded into the pre\-certificate as an extension, before
removing the poison and signing the certificate.
.Sp
This implies the \fB\-new\fR flag.
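Review bot: the "most not" to "must not" correction is right, but the sentence it sits in, "Doing so, the same key must not be given more than once.", still has a dangling opener. Suggest "When doing so, the same key must not be given more than once." in the source POD.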
@@ -442,7 +445,7 @@ Adds the word \fBNEW\fR to the PEM file header and footer lines on the outputted
request. Some software (Netscape certificate server) and some CAs need this.
.IP \fB\-batch\fR 4
.IX Item "-batch"
-Non-interactive mode.
+Non\-interactive mode.
.IP \fB\-verbose\fR 4
.IX Item "-verbose"
Print extra details about the operations being performed.
@@ -549,13 +552,13 @@ several values:
.IX Item "nombstr - any string type except BMPStrings and UTF8Strings"
.IP "\fBdefault\fR \- any kind of string type" 4
.IX Item "default - any kind of string type"
+.PD
.RE
.RS 4
-.PD
.Sp
Note that \fButf8only\fR is the PKIX recommendation in RFC2459 after 2003, and the
default \fBstring_mask\fR; \fBdefault\fR is not the default option. The \fBnombstr\fR
-value is a workaround for some software that has problems with variable-sized
+value is a workaround for some software that has problems with variable\-sized
BMPStrings and UTF8Strings.
.RE
.IP \fBreq_extensions\fR 4
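Review bot: the .PD request moves from after ".RS 4" to before ".RE", which changes where inter-paragraph spacing is restored relative to the indented string_mask list, and the empty ".RE" / ".RS 4" pair is still emitted. Worth rendering this section with man before and after to confirm the gap ahead of the "Note that utf8only" paragraph is what is intended.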
@@ -586,7 +589,7 @@ configuration file, must be valid UTF8 strings.
This specifies the section containing any request attributes: its format
is the same as \fBdistinguished_name\fR. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
-by OpenSSL's request signing utilities but some CAs might want them.
+by OpenSSL\*(Aqs request signing utilities but some CAs might want them.
.IP \fBdistinguished_name\fR 4
.IX Item "distinguished_name"
This specifies the section containing the distinguished name fields to
@@ -623,7 +626,7 @@ The "prompt" string is used to ask the user to enter the relevant
details. If the user enters nothing then the default value is used if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
-enters the '.' character.
+enters the \*(Aq.\*(Aq character.
.PP
The number of characters entered must be between the fieldName_min and
fieldName_max limits: there may be additional restrictions based
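Review bot: the context just above the changed line is a run-on: "If the user enters nothing then the default value is used if no default value is present then the field is omitted." It needs a full stop or semicolon after "is used". The changed line itself only swaps the quotes around the '.' character for \*(Aq.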
@@ -673,7 +676,7 @@ The same but just using req:
\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
-Generate a self-signed root certificate:
+Generate a self\-signed root certificate:
.PP
.Vb 1
\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem
@@ -802,9 +805,9 @@ This is followed some time later by:
\& problems making Certificate Request
.Ve
.PP
-The first error message is the clue: it can't find the configuration
-file! Certain operations (like examining a certificate request) don't
-need a configuration file so its use isn't enforced. Generation of
+The first error message is the clue: it can\*(Aqt find the configuration
+file! Certain operations (like examining a certificate request) don\*(Aqt
+need a configuration file so its use isn\*(Aqt enforced. Generation of
certificates or requests however does need a configuration file. This
could be regarded as a bug.
.PP
@@ -828,18 +831,18 @@ it is tolerated). See the description of the command line option \fB\-asn1\-klud
for more information.
.SH BUGS
.IX Header "BUGS"
-OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
+OpenSSL\*(Aqs handling of T61Strings (aka TeletexStrings) is broken: it effectively
treats them as ISO\-8859\-1 (Latin 1), Netscape and MSIE have similar behaviour.
-This can cause problems if you need characters that aren't available in
-PrintableStrings and you don't want to or can't use BMPStrings.
+This can cause problems if you need characters that aren\*(Aqt available in
+PrintableStrings and you don\*(Aqt want to or can\*(Aqt use BMPStrings.
.PP
As a consequence of the T61String handling the only correct way to represent
accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
currently chokes on these. If you have to use accented characters with Netscape
and MSIE then you currently need to use the invalid T61String form.
.PP
-The current prompting is not very friendly. It doesn't allow you to confirm what
-you've just entered. Other things like extensions in certificate requests are
+The current prompting is not very friendly. It doesn\*(Aqt allow you to confirm what
+you\*(Aqve just entered. Other things like extensions in certificate requests are
statically defined in the configuration file. Some of these: like an email
address in subjectAltName should be input by the user.
.SH "SEE ALSO"
diff --git a/secure/usr.bin/openssl/man/openssl-rsa.1 b/secure/usr.bin/openssl/man/openssl-rsa.1
index 131180e0fc4c..0229f6f44dac 100644
--- a/secure/usr.bin/openssl/man/openssl-rsa.1
+++ b/secure/usr.bin/openssl/man/openssl-rsa.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-RSA 1ossl"
-.TH OPENSSL-RSA 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-RSA 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -175,13 +178,13 @@ the input is a public key.
Like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead.
.IP \fB\-pvk\-strong\fR 4
.IX Item "-pvk-strong"
-Enable 'Strong' PVK encoding level (default).
+Enable \*(AqStrong\*(Aq PVK encoding level (default).
.IP \fB\-pvk\-weak\fR 4
.IX Item "-pvk-weak"
-Enable 'Weak' PVK encoding level.
+Enable \*(AqWeak\*(Aq PVK encoding level.
.IP \fB\-pvk\-none\fR 4
.IX Item "-pvk-none"
-Don't enforce PVK encoding.
+Don\*(Aqt enforce PVK encoding.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See "Engine Options" in \fBopenssl\fR\|(1).
diff --git a/secure/usr.bin/openssl/man/openssl-rsautl.1 b/secure/usr.bin/openssl/man/openssl-rsautl.1
index 1075f24f6c24..8135470d7b10 100644
--- a/secure/usr.bin/openssl/man/openssl-rsautl.1
+++ b/secure/usr.bin/openssl/man/openssl-rsautl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-RSAUTL 1ossl"
-.TH OPENSSL-RSAUTL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-RSAUTL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -188,7 +191,7 @@ used to sign or verify small pieces of data.
.SH EXAMPLES
.IX Header "EXAMPLES"
Examples equivalent to these can be found in the documentation for the
-non-deprecated \fBopenssl\-pkeyutl\fR\|(1) command.
+non\-deprecated \fBopenssl\-pkeyutl\fR\|(1) command.
.PP
Sign some data using a private key:
.PP
diff --git a/secure/usr.bin/openssl/man/openssl-s_client.1 b/secure/usr.bin/openssl/man/openssl-s_client.1
index debcab302eac..917dfc6634e4 100644
--- a/secure/usr.bin/openssl/man/openssl-s_client.1
+++ b/secure/usr.bin/openssl/man/openssl-s_client.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-S_CLIENT 1ossl"
-.TH OPENSSL-S_CLIENT 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-S_CLIENT 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -295,7 +298,7 @@ Connect to the specified port; use \fB\-connect\fR instead.
.IP "\fB\-bind\fR \fIhost\fR:\fIport\fR" 4
.IX Item "-bind host:port"
This specifies the host address and or port to bind as the source for the
-connection. For Unix-domain sockets the port is ignored and the host is
+connection. For Unix\-domain sockets the port is ignored and the host is
used as the source socket address.
If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
.IP "\fB\-proxy\fR \fIhost\fR:\fIport\fR" 4
@@ -319,7 +322,7 @@ For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-unix\fR \fIpath\fR" 4
.IX Item "-unix path"
-Connect over the specified Unix-domain socket.
+Connect over the specified Unix\-domain socket.
.IP \fB\-4\fR 4
.IX Item "-4"
Use IPv4 only.
@@ -370,7 +373,7 @@ Specify whether the application should build the client certificate chain to be
provided to the server.
.IP "\fB\-CRL\fR \fIfilename\fR" 4
.IX Item "-CRL filename"
-CRL file to use to check the server's certificate.
+CRL file to use to check the server\*(Aqs certificate.
.IP "\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR" 4
.IX Item "-CRLform DER|PEM"
The CRL file format; unspecified by default.
@@ -416,17 +419,17 @@ Limit verify output to only errors.
.IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
.IX Item "-verifyCAfile filename"
A file in PEM format containing trusted certificates to use
-for verifying the server's certificate.
+for verifying the server\*(Aqs certificate.
.IP "\fB\-verifyCApath\fR \fIdir\fR" 4
.IX Item "-verifyCApath dir"
A directory containing trusted certificates to use
-for verifying the server's certificate.
+for verifying the server\*(Aqs certificate.
This directory must be in "hash format",
see \fBopenssl\-verify\fR\|(1) for more information.
.IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
.IX Item "-verifyCAstore uri"
The URI of a store containing trusted certificates to use
-for verifying the server's certificate.
+for verifying the server\*(Aqs certificate.
.IP "\fB\-chainCAfile\fR \fIfile\fR" 4
.IX Item "-chainCAfile file"
A file in PEM format containing trusted certificates to use
@@ -462,7 +465,7 @@ option below.
When DANE authentication succeeds, the diagnostic output will include
the lowest (closest to 0) depth at which a TLSA record authenticated
a chain certificate. When that TLSA record is a "2 1 0" trust
-anchor public key that signed (rather than matched) the top-most
+anchor public key that signed (rather than matched) the top\-most
certificate of the chain, the result is reported as "TA public key
verified". Otherwise, either the TLSA record "matched TA certificate"
at a positive depth or else "matched EE certificate" at depth 0.
@@ -497,7 +500,7 @@ For some applications, primarily web browsers, it is not safe to disable name
checks due to "unknown key share" attacks, in which a malicious server can
convince a client that a connection to a victim server is instead a secure
connection to the malicious server.
-The malicious server may then be able to violate cross-origin scripting
+The malicious server may then be able to violate cross\-origin scripting
restrictions.
Thus, despite the text of RFC7671, name checks are by default enabled for
\&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe
@@ -527,7 +530,7 @@ option is not always accurate because a connection might never have been
established.
.IP \fB\-no\-interactive\fR 4
.IX Item "-no-interactive"
-This flag can be used to run the client in a non-interactive mode.
+This flag can be used to run the client in a non\-interactive mode.
.IP \fB\-state\fR 4
.IX Item "-state"
Prints out the SSL session states.
@@ -616,7 +619,7 @@ available where OpenSSL has support for SCTP enabled.
.IP \fB\-sctp_label_bug\fR 4
.IX Item "-sctp_label_bug"
Use the incorrect behaviour of older OpenSSL implementations when computing
-endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
+endpoint\-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
available where OpenSSL has support for SCTP enabled.
@@ -677,25 +680,25 @@ Only provide a brief summary of connection parameters instead of the
normal verbose output.
.IP "\fB\-starttls\fR \fIprotocol\fR" 4
.IX Item "-starttls protocol"
-Send the protocol-specific message(s) to switch to TLS for communication.
+Send the protocol\-specific message(s) to switch to TLS for communication.
\&\fIprotocol\fR is a keyword for the intended protocol. Currently, the only
-supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
+supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp\-server",
"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
.IP "\fB\-xmpphost\fR \fIhostname\fR" 4
.IX Item "-xmpphost hostname"
-This option, when used with "\-starttls xmpp" or "\-starttls xmpp-server",
+This option, when used with "\-starttls xmpp" or "\-starttls xmpp\-server",
specifies the host for the "to" attribute of the stream element.
If this option is not specified, then the host specified with "\-connect"
will be used.
.Sp
-This option is an alias of the \fB\-name\fR option for "xmpp" and "xmpp-server".
+This option is an alias of the \fB\-name\fR option for "xmpp" and "xmpp\-server".
.IP "\fB\-name\fR \fIhostname\fR" 4
.IX Item "-name hostname"
This option is used to specify hostname information for various protocols
-used with \fB\-starttls\fR option. Currently only "xmpp", "xmpp-server",
+used with \fB\-starttls\fR option. Currently only "xmpp", "xmpp\-server",
"smtp" and "lmtp" can utilize this \fB\-name\fR option.
.Sp
-If this option is used with "\-starttls xmpp" or "\-starttls xmpp-server",
+If this option is used with "\-starttls xmpp" or "\-starttls xmpp\-server",
if specifies the host for the "to" attribute of the stream element. If this
option is not specified, then the host specified with "\-connect" will be used.
.Sp
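Review bot: in the \-name item the context line following the re-escaped "\-starttls xmpp\-server" line reads "if specifies the host for the "to" attribute", where "if" should be "it". The same sentence is worded correctly under \-xmpphost ("specifies the host for the "to" attribute"), so the two items could share one wording in the source POD.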
@@ -714,9 +717,9 @@ Load SSL session from \fIfilename\fR. The client will attempt to resume a
connection from this session.
.IP "\fB\-serverinfo\fR \fItypes\fR" 4
.IX Item "-serverinfo types"
-A list of comma-separated TLS Extension Types (numbers between 0 and
+A list of comma\-separated TLS Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello TLS Extension.
-The server's response (if any) will be encoded and displayed as a PEM
+The server\*(Aqs response (if any) will be encoded and displayed as a PEM
file.
.IP \fB\-status\fR 4
.IX Item "-status"
@@ -724,10 +727,10 @@ Sends a certificate status request to the server (OCSP stapling). The server
response (if any) is printed out.
.IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4
.IX Item "-alpn protocols, -nextprotoneg protocols"
-These flags enable the Enable the Application-Layer Protocol Negotiation
+These flags enable the Enable the Application\-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
-The \fIprotocols\fR list is a comma-separated list of protocol names that
+The \fIprotocols\fR list is a comma\-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable ASCII strings,
for example "http/1.1" or "spdy/3".
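Review bot: the added line still carries the duplicated words "These flags enable the Enable the Application\-Layer Protocol Negotiation". Only the hyphen escape changed, so the duplication survives regeneration and needs fixing in the source POD: "These flags enable the Application-Layer Protocol Negotiation or Next Protocol Negotiation (NPN) extension, respectively."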
@@ -759,11 +762,11 @@ to the server. This will only work with resumed sessions that support early
data and when the server accepts the early data.
.IP \fB\-enable_pha\fR 4
.IX Item "-enable_pha"
-For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
+For TLSv1.3 only, send the Post\-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via \fB\-cert\fR.
.IP "\fB\-use_srtp\fR \fIvalue\fR" 4
.IX Item "-use_srtp value"
-Offer SRTP key management, where \fBvalue\fR is a colon-separated profile list.
+Offer SRTP key management, where \fBvalue\fR is a colon\-separated profile list.
.IP "\fB\-srpuser\fR \fIvalue\fR" 4
.IX Item "-srpuser value"
Set the SRP username to the specified value. This option is deprecated.
@@ -842,7 +845,7 @@ proceed unless the \fB\-verify_return_error\fR option is used.
Enable support for receiving raw public keys (RFC7250) from the server.
Use of X.509 certificates by the server becomes optional, and servers that
support raw public keys may elect to use them.
-Servers that don't support raw public keys or prefer to use X.509
+Servers that don\*(Aqt support raw public keys or prefer to use X.509
certificates can still elect to send X.509 certificates as usual.
.IP \fB\-enable_client_rpk\fR 4
.IX Item "-enable_client_rpk"
@@ -966,16 +969,16 @@ server.
.PP
This command is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
-accept any certificate chain (trusted or not) sent by the peer. Non-test
+accept any certificate chain (trusted or not) sent by the peer. Non\-test
applications should \fBnot\fR do this as it makes them vulnerable to a MITM
attack. This behaviour can be changed by with the \fB\-verify_return_error\fR
option: any verify errors are then returned aborting the handshake.
.PP
The \fB\-bind\fR option may be useful if the server or a firewall requires
connections to come from some particular address and or port.
-.SS "Note on Non-Interactive Use"
+.SS "Note on Non\-Interactive Use"
.IX Subsection "Note on Non-Interactive Use"
-When \fBs_client\fR is run in a non-interactive environment (e.g., a cron job or
+When \fBs_client\fR is run in a non\-interactive environment (e.g., a cron job or
a script without a valid \fIstdin\fR), it may close the connection prematurely,
especially with TLS 1.3. To prevent this, you can use the \fB\-ign_eof\fR flag,
which keeps \fBs_client\fR running even after reaching EOF from \fIstdin\fR.
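Review bot: the MITM warning paragraph in this hunk keeps the context line "This behaviour can be changed by with the \fB\-verify_return_error\fR option", which has a stray "by", and the next paragraph says "address and or port". This is the text that tells readers s_client accepts any certificate chain unless \fB\-verify_return_error\fR is given, so it is worth fixing the wording in the source ("can be changed with the", "address and/or port") so the instruction reads unambiguously.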
@@ -1007,7 +1010,7 @@ server expects a QUIT command before closing:
\& [long pause]
.Ve
.PP
-To avoid such hangs, it's better to use an application-level command to
+To avoid such hangs, it\*(Aqs better to use an application\-level command to
initiate a clean disconnect. For SMTP, you can send a QUIT command:
.PP
.Vb 2
@@ -1015,7 +1018,7 @@ initiate a clean disconnect. For SMTP, you can send a QUIT command:
\& \-starttls smtp \-brief \-ign_eof
.Ve
.PP
-Similarly, for HTTP/1.1 connections, including a `Connection: close` header
+Similarly, for HTTP/1.1 connections, including a \`Connection: close\` header
ensures the server closes the connection after responding:
.PP
.Vb 2
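Review bot: the changed line now emits \`Connection: close\`, which means the source uses Markdown backticks that render as literal grave accents in the man page. Elsewhere in this diff inline literals come out as \f(CW\*(C`...\*(C'\fR, so the header name should use the same code markup in the POD source for consistent rendering.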
diff --git a/secure/usr.bin/openssl/man/openssl-s_server.1 b/secure/usr.bin/openssl/man/openssl-s_server.1
index 526610d665f2..e7cb9b2e781f 100644
--- a/secure/usr.bin/openssl/man/openssl-s_server.1
+++ b/secure/usr.bin/openssl/man/openssl-s_server.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
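Review bot: regenerating with a new Pod::Man (5.0102 to v6.0.2, the changed line in this hunk) in the same commit as the 3.5.4 to 3.5.6 update buries real wording changes under escaping churn; most later hunks in this file only turn "-" into "\-" and "'" into "\*(Aq". Consider landing the regeneration with the new generator as its own commit so the documentation changes that come with the version bump can be reviewed separately.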
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-S_SERVER 1ossl"
-.TH OPENSSL-S_SERVER 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-S_SERVER 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -493,14 +496,14 @@ If the \fB\-HTTP\fR flag is used, the files are sent directly, and should contai
any HTTP response headers (including status response line).
If the \fB\-WWW\fR option is used,
the response headers are generated by the server, and the file extension is
-examined to determine the \fBContent-Type\fR header.
+examined to determine the \fBContent\-Type\fR header.
Extensions of \f(CW\*(C`html\*(C'\fR, \f(CW\*(C`htm\*(C'\fR, and \f(CW\*(C`php\*(C'\fR are \f(CW\*(C`text/html\*(C'\fR and all others are
\&\f(CW\*(C`text/plain\*(C'\fR.
In addition, the special URL \f(CW\*(C`/stats\*(C'\fR will return status
information like the \fB\-www\fR option.
.IP \fB\-http_server_binmode\fR 4
.IX Item "-http_server_binmode"
-When acting as web-server (using option \fB\-WWW\fR or \fB\-HTTP\fR) open files requested
+When acting as web\-server (using option \fB\-WWW\fR or \fB\-HTTP\fR) open files requested
by the client in binary mode.
.IP \fB\-no_ca_names\fR 4
.IX Item "-no_ca_names"
@@ -563,7 +566,7 @@ Enables certificate status request support (aka OCSP stapling).
.IX Item "-status_verbose"
Enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.
-Use the \fB\-cert_chain\fR option to specify the certificate of the server's
+Use the \fB\-cert_chain\fR option to specify the certificate of the server\*(Aqs
certificate signer that is required for certificate status requests.
.IP "\fB\-status_timeout\fR \fIint\fR" 4
.IX Item "-status_timeout int"
@@ -674,7 +677,7 @@ Turns on non blocking I/O.
Enable timeouts.
.IP \fB\-mtu\fR 4
.IX Item "-mtu"
-Set link-layer MTU.
+Set link\-layer MTU.
.IP "\fB\-psk_identity\fR \fIval\fR" 4
.IX Item "-psk_identity val"
Expect the client to send PSK identity \fIval\fR when using a PSK
@@ -719,23 +722,23 @@ available where OpenSSL has support for SCTP enabled.
.IP \fB\-sctp_label_bug\fR 4
.IX Item "-sctp_label_bug"
Use the incorrect behaviour of older OpenSSL implementations when computing
-endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
+endpoint\-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
available where OpenSSL has support for SCTP enabled.
.IP \fB\-use_srtp\fR 4
.IX Item "-use_srtp"
-Offer SRTP key management with a colon-separated profile list.
+Offer SRTP key management with a colon\-separated profile list.
.IP \fB\-no_dhe\fR 4
.IX Item "-no_dhe"
If this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
.IP "\fB\-alpn\fR \fIval\fR, \fB\-nextprotoneg\fR \fIval\fR" 4
.IX Item "-alpn val, -nextprotoneg val"
-These flags enable the Application-Layer Protocol Negotiation
+These flags enable the Application\-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
-The \fIval\fR list is a comma-separated list of supported protocol
+The \fIval\fR list is a comma\-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
@@ -793,7 +796,7 @@ data that was sent will be rejected.
Enable acceptance of TCP Fast Open (RFC7413) connections.
.IP \fB\-cert_comp\fR 4
.IX Item "-cert_comp"
-Pre-compresses certificates (RFC8879) that will be sent during the handshake.
+Pre\-compresses certificates (RFC8879) that will be sent during the handshake.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
@@ -846,7 +849,7 @@ proceed unless the \fB\-verify_return_error\fR option is used.
Enable support for sending raw public keys (RFC7250) to the client.
A raw public key will be sent by the server, if solicited by the client,
provided a suitable key and public certificate pair is configured.
-Clients that don't support raw public keys or prefer to use X.509
+Clients that don\*(Aqt support raw public keys or prefer to use X.509
certificates can still elect to receive X.509 certificates as usual.
.Sp
Raw public keys are extracted from the configured certificate/private key.
@@ -855,7 +858,7 @@ Raw public keys are extracted from the configured certificate/private key.
Enable support for receiving raw public keys (RFC7250) from the client.
Use of X.509 certificates by the client becomes optional, and clients that
support raw public keys may elect to use them.
-Clients that don't support raw public keys or prefer to use X.509
+Clients that don\*(Aqt support raw public keys or prefer to use X.509
certificates can still elect to send X.509 certificates as usual.
.Sp
Raw public keys are extracted from the configured certificate/private key.
diff --git a/secure/usr.bin/openssl/man/openssl-s_time.1 b/secure/usr.bin/openssl/man/openssl-s_time.1
index 9aac464d8cca..eff8a614d905 100644
--- a/secure/usr.bin/openssl/man/openssl-s_time.1
+++ b/secure/usr.bin/openssl/man/openssl-s_time.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-S_TIME 1ossl"
-.TH OPENSSL-S_TIME 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-S_TIME 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -113,7 +116,7 @@ This specifies the host and optional port to connect to.
If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
.IP "\fB\-www\fR \fIpage\fR" 4
.IX Item "-www page"
-This specifies the page to GET from the server. A value of '/' gets the
+This specifies the page to GET from the server. A value of \*(Aq/\*(Aq gets the
\&\fIindex.html\fR page. If this parameter is not specified, then this command
will only perform the handshake to establish SSL connections but not transfer
any payload data.
diff --git a/secure/usr.bin/openssl/man/openssl-sess_id.1 b/secure/usr.bin/openssl/man/openssl-sess_id.1
index 68b4121082fd..8ac9c553d69b 100644
--- a/secure/usr.bin/openssl/man/openssl-sess_id.1
+++ b/secure/usr.bin/openssl/man/openssl-sess_id.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-SESS_ID 1ossl"
-.TH OPENSSL-SESS_ID 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-SESS_ID 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -118,7 +121,7 @@ This option prevents output of the encoded version of the session.
.IP "\fB\-context\fR \fIID\fR" 4
.IX Item "-context ID"
This option can set the session id so the output session information uses the
-supplied ID. The ID can be any string of characters. This option won't normally
+supplied ID. The ID can be any string of characters. This option won\*(Aqt normally
be used.
.SH OUTPUT
.IX Header "OUTPUT"
@@ -145,13 +148,13 @@ This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
.IX Item "Cipher"
The cipher used this is the actual raw SSL or TLS cipher code, see the SSL
or TLS specifications for more information.
-.IP \fBSession-ID\fR 4
+.IP \fBSession\-ID\fR 4
.IX Item "Session-ID"
The SSL session ID in hex format.
-.IP \fBSession-ID-ctx\fR 4
+.IP \fBSession\-ID\-ctx\fR 4
.IX Item "Session-ID-ctx"
The session ID context in hex format.
-.IP \fBMaster-Key\fR 4
+.IP \fBMaster\-Key\fR 4
.IX Item "Master-Key"
This is the SSL session master key.
.IP "\fBStart Time\fR" 4
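Review bot: the \fBMaster\-Key\fR item in this hunk is documented only as "This is the SSL session master key."; it would help to state that this field is secret key material, so output of this command should be handled like a private key. The context line "The cipher used this is the actual raw SSL or TLS cipher code" at the top of the hunk is also missing punctuation after "used".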
diff --git a/secure/usr.bin/openssl/man/openssl-skeyutl.1 b/secure/usr.bin/openssl/man/openssl-skeyutl.1
index f59743348eef..f619c03bf6a3 100644
--- a/secure/usr.bin/openssl/man/openssl-skeyutl.1
+++ b/secure/usr.bin/openssl/man/openssl-skeyutl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-SKEYUTL 1ossl"
-.TH OPENSSL-SKEYUTL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-SKEYUTL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -98,7 +101,7 @@ please refer to the output of the \f(CW\*(C`openssl list \-skey\-managers\*(C'\f
.IP "\fB\-skeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-skeyopt opt:value"
To obtain an existing opaque symmetric key or to generate a new one, key
-options are specified as opt:value. These options can't be used together with
+options are specified as opt:value. These options can\*(Aqt be used together with
any options implying raw key either directly or indirectly.
.IP \fB\-genkey\fR 4
.IX Item "-genkey"
diff --git a/secure/usr.bin/openssl/man/openssl-smime.1 b/secure/usr.bin/openssl/man/openssl-smime.1
index 79e3b209f0c3..8a05302ed5bd 100644
--- a/secure/usr.bin/openssl/man/openssl-smime.1
+++ b/secure/usr.bin/openssl/man/openssl-smime.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-SMIME 1ossl"
-.TH OPENSSL-SMIME 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-SMIME 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -263,10 +266,10 @@ Do not do chain verification of signers certificates; that is, do not
use the certificates in the signed message as untrusted CAs.
.IP \fB\-nosigs\fR 4
.IX Item "-nosigs"
-Don't try to verify the signatures on the message.
+Don\*(Aqt try to verify the signatures on the message.
.IP \fB\-nocerts\fR 4
.IX Item "-nocerts"
-When signing a message, the signer's certificate is normally included.
+When signing a message, the signer\*(Aqs certificate is normally included.
With this option it is excluded. This will reduce the size of the
signed message, but the verifier must have a copy of the signers certificate
available locally (passed using the \fB\-certfile\fR option for example).
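Review bot: the \fB\-nocerts\fR text is inconsistent about the possessive: the changed line has "the signer\*(Aqs certificate" while the context line two below says "a copy of the signers certificate". The source should use "signer's" in both places.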
@@ -326,7 +329,7 @@ see \fBopenssl\-passphrase\-options\fR\|(1).
.IX Item "-to, -from, -subject"
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
-then many S/MIME mail clients check the signers certificate's email
+then many S/MIME mail clients check the signers certificate\*(Aqs email
address matches that specified in the From: address.
.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
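Review bot: the long verification option list in the context lines of this hunk is missing a comma between \fB\-x509_strict\fR and \fB\-issuer_checks\fR, in both the .IP line and the .IX line, so the last two options read as one entry. The changed line above also says "the signers certificate\*(Aqs email address", where "signers" needs its own apostrophe.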
@@ -370,7 +373,7 @@ a blank line. Piping the mail directly to sendmail is one way to
achieve the correct format.
.PP
The supplied message to be signed or encrypted must include the
-necessary MIME headers or many S/MIME clients won't display it
+necessary MIME headers or many S/MIME clients won\*(Aqt display it
properly (if at all). You can use the \fB\-text\fR option to automatically
add plain text headers.
.PP
@@ -459,7 +462,7 @@ Send a signed message under Unix directly to sendmail, including headers:
\& \-subject "Signed message" | sendmail someone@somewhere
.Ve
.PP
-Verify a message and extract the signer's certificate if successful:
+Verify a message and extract the signer\*(Aqs certificate if successful:
.PP
.Vb 1
\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
@@ -526,10 +529,10 @@ Add a signer to an existing message:
.Ve
.SH BUGS
.IX Header "BUGS"
-The MIME parser isn't very clever: it seems to handle most messages that I've
+The MIME parser isn\*(Aqt very clever: it seems to handle most messages that I\*(Aqve
thrown at it but it may choke on others.
.PP
-The code currently will only write out the signer's certificate to a file: if
+The code currently will only write out the signer\*(Aqs certificate to a file: if
the signer has a separate encryption certificate this must be manually
extracted. There should be some heuristic that determines the correct
encryption certificate.
@@ -537,12 +540,12 @@ encryption certificate.
Ideally a database should be maintained of a certificates for each email
address.
.PP
-The code doesn't currently take note of the permitted symmetric encryption
+The code doesn\*(Aqt currently take note of the permitted symmetric encryption
algorithms as supplied in the SMIMECapabilities signed attribute. This means the
user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
.PP
-No revocation checking is done on the signer's certificate.
+No revocation checking is done on the signer\*(Aqs certificate.
.PP
The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
structures may cause parsing errors.
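Review bot: the BUGS entry "No revocation checking is done on the signer\*(Aqs certificate." sits awkwardly next to the option list earlier in this file, which includes \fB\-crl_check\fR and \fB\-crl_check_all\fR. The source should say whether this means no revocation checking by default or none at all, since readers relying on \fB\-verify\fR need to know which. The first context line, "a database should be maintained of a certificates for each email address", also has a stray "a".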
diff --git a/secure/usr.bin/openssl/man/openssl-speed.1 b/secure/usr.bin/openssl/man/openssl-speed.1
index fce7dcf2cf10..355c1ed63c9b 100644
--- a/secure/usr.bin/openssl/man/openssl-speed.1
+++ b/secure/usr.bin/openssl/man/openssl-speed.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-SPEED 1ossl"
-.TH OPENSSL-SPEED 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-SPEED 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -108,15 +111,15 @@ Optional; for a description of the default value,
see "COMMAND SUMMARY" in \fBopenssl\fR\|(1).
.IP \fB\-elapsed\fR 4
.IX Item "-elapsed"
-When calculating operations\- or bytes-per-second, use wall-clock time
+When calculating operations\- or bytes\-per\-second, use wall\-clock time
instead of CPU user time as divisor. It can be useful when testing speed
of hardware engines.
.IP "\fB\-evp\fR \fIalgo\fR" 4
.IX Item "-evp algo"
Use the specified cipher or message digest algorithm via the EVP interface.
If \fIalgo\fR is an AEAD cipher, then you can pass \fB\-aead\fR to benchmark a
-TLS-like sequence. And if \fIalgo\fR is a multi-buffer capable cipher, e.g.
-aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi-buffer operation.
+TLS\-like sequence. And if \fIalgo\fR is a multi\-buffer capable cipher, e.g.
+aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi\-buffer operation.
.Sp
To see the algorithms supported with this option, use
\&\f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR or \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR
@@ -142,10 +145,10 @@ Time the CMAC algorithm using the specified cipher e.g.
Time the decryption instead of encryption. Affects only the EVP testing.
.IP \fB\-mb\fR 4
.IX Item "-mb"
-Enable multi-block mode on EVP-named cipher.
+Enable multi\-block mode on EVP\-named cipher.
.IP \fB\-aead\fR 4
.IX Item "-aead"
-Benchmark EVP-named AEAD cipher in TLS-like sequence.
+Benchmark EVP\-named AEAD cipher in TLS\-like sequence.
.IP \fB\-kem\-algorithms\fR 4
.IX Item "-kem-algorithms"
Benchmark KEM algorithms: key generation, encapsulation, decapsulation.
@@ -166,7 +169,7 @@ The limit on the size of the buffer is INT_MAX \- 64 bytes, which for a 32\-bit
int would be 2147483583 bytes.
.IP \fB\-mr\fR 4
.IX Item "-mr"
-Produce the summary in a mechanical, machine-readable, format.
+Produce the summary in a mechanical, machine\-readable, format.
.IP \fB\-mlock\fR 4
.IX Item "-mlock"
Lock memory into RAM for more deterministic measurements.
@@ -196,10 +199,10 @@ See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproper
.IP "\fIalgorithm\fR ..." 4
.IX Item "algorithm ..."
If any \fIalgorithm\fR is given, then those algorithms are tested, otherwise a
-pre-compiled grand selection is tested.
+pre\-compiled grand selection is tested.
.SH BUGS
.IX Header "BUGS"
-The \fIalgorithm\fR can be selected only from a pre-compiled subset of things
+The \fIalgorithm\fR can be selected only from a pre\-compiled subset of things
that the \f(CW\*(C`openssl speed\*(C'\fR command knows about. To test any additional digest
or cipher algorithm supported by OpenSSL use the \f(CW\*(C`\-evp\*(C'\fR option.
.PP
diff --git a/secure/usr.bin/openssl/man/openssl-spkac.1 b/secure/usr.bin/openssl/man/openssl-spkac.1
index 4995ec819f15..483f02d23e38 100644
--- a/secure/usr.bin/openssl/man/openssl-spkac.1
+++ b/secure/usr.bin/openssl/man/openssl-spkac.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-SPKAC 1ossl"
-.TH OPENSSL-SPKAC 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-SPKAC 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -132,7 +135,7 @@ Allows an alternative name form the section containing the
SPKAC. The default is the default section.
.IP \fB\-noout\fR 4
.IX Item "-noout"
-Don't output the text version of the SPKAC (not used if an
+Don\*(Aqt output the text version of the SPKAC (not used if an
SPKAC is being created).
.IP \fB\-pubkey\fR 4
.IX Item "-pubkey"
diff --git a/secure/usr.bin/openssl/man/openssl-srp.1 b/secure/usr.bin/openssl/man/openssl-srp.1
index c27b5427034e..24b2aa891c1c 100644
--- a/secure/usr.bin/openssl/man/openssl-srp.1
+++ b/secure/usr.bin/openssl/man/openssl-srp.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-SRP 1ossl"
-.TH OPENSSL-SRP 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-SRP 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl-storeutl.1 b/secure/usr.bin/openssl/man/openssl-storeutl.1
index e8e438fa31a6..f1584013c130 100644
--- a/secure/usr.bin/openssl/man/openssl-storeutl.1
+++ b/secure/usr.bin/openssl/man/openssl-storeutl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-STOREUTL 1ossl"
-.TH OPENSSL-STOREUTL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-STOREUTL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -141,8 +144,8 @@ Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespac
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
-Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
-Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN).
+Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
.Sp
Example:
diff --git a/secure/usr.bin/openssl/man/openssl-ts.1 b/secure/usr.bin/openssl/man/openssl-ts.1
index acd899206b33..75353d9f2032 100644
--- a/secure/usr.bin/openssl/man/openssl-ts.1
+++ b/secure/usr.bin/openssl/man/openssl-ts.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-TS 1ossl"
-.TH OPENSSL-TS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-TS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -156,12 +159,12 @@ openssl\-ts \- Time Stamping Authority command
.SH DESCRIPTION
.IX Header "DESCRIPTION"
This command is a basic Time Stamping Authority (TSA) client and
-server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A
+server application as specified in RFC 3161 (Time\-Stamp Protocol, TSP). A
TSA can be part of a PKI deployment and its role is to provide long
term proof of the existence of a certain datum before a particular
time. Here is a brief description of the protocol:
.IP 1. 4
-The TSA client computes a one-way hash value for a data file and sends
+The TSA client computes a one\-way hash value for a data file and sends
the hash to the TSA.
.IP 2. 4
The TSA attaches the current date and time to the received hash value,
@@ -232,7 +235,7 @@ use its own default policy. (Optional)
.IP \fB\-no_nonce\fR 4
.IX Item "-no_nonce"
No nonce is specified in the request if this option is
-given. Otherwise, a 64\-bit long pseudo-random nonce is
+given. Otherwise, a 64\-bit long pseudo\-random nonce is
included in the request. It is recommended to use a nonce to
protect against replay attacks. (Optional)
.IP \fB\-cert\fR 4
@@ -243,7 +246,7 @@ response. (Optional)
.IX Item "-in request.tsq"
This option specifies a previously created timestamp request in DER
format that will be printed into the output file. Useful when you need
-to examine the content of a request in human-readable
+to examine the content of a request in human\-readable
format. (Optional)
.IP "\fB\-out\fR \fIrequest.tsq\fR" 4
.IX Item "-out request.tsq"
@@ -251,7 +254,7 @@ Name of the output file to which the request will be written. Default
is stdout. (Optional)
.IP \fB\-text\fR 4
.IX Item "-text"
-If this option is specified the output is human-readable text format
+If this option is specified the output is human\-readable text format
instead of DER. (Optional)
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
@@ -262,7 +265,7 @@ A timestamp response (TimeStampResp) consists of a response status
and the timestamp token itself (ContentInfo), if the token generation was
successful. The \fB\-reply\fR command is for creating a timestamp
response or timestamp token based on a request and printing the
-response/token in human-readable format. If \fB\-token_out\fR is not
+response/token in human\-readable format. If \fB\-token_out\fR is not
specified the output is always a timestamp response (TimeStampResp),
otherwise it is a timestamp token (ContentInfo).
.IP "\fB\-config\fR \fIconfigfile\fR" 4
@@ -320,7 +323,7 @@ to the output file. This option does not require a request, it is
useful e.g. when you need to examine the content of a response or
token or you want to extract the timestamp token from a response. If
the input is a token and the output is a timestamp response a default
-\&'granted' status info is added to the token. (Optional)
+\&\*(Aqgranted\*(Aq status info is added to the token. (Optional)
.IP \fB\-token_in\fR 4
.IX Item "-token_in"
This flag can be used together with the \fB\-in\fR option and indicates
@@ -337,7 +340,7 @@ The output is a timestamp token (ContentInfo) instead of timestamp
response (TimeStampResp). (Optional)
.IP \fB\-text\fR 4
.IX Item "-text"
-If this option is specified the output is human-readable text format
+If this option is specified the output is human\-readable text format
instead of DER. (Optional)
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
@@ -386,7 +389,7 @@ of a timestamp response (TimeStampResp). (Optional)
.IP "\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR" 4
.IX Item "-untrusted files|uris"
A set of additional untrusted certificates which may be
-needed when building the certificate chain for the TSA's signing certificate.
+needed when building the certificate chain for the TSA\*(Aqs signing certificate.
These do not need to contain the TSA signing certificate and intermediate CA
certificates as far as the response already includes them.
(Optional)
@@ -445,7 +448,7 @@ generation a new file is created with serial number 1. (Mandatory)
.IP \fBcrypto_device\fR 4
.IX Item "crypto_device"
Specifies the OpenSSL engine that will be set as the default for
-all available algorithms. The default value is built-in, you can specify
+all available algorithms. The default value is built\-in, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
(Optional)
.IP \fBsigner_cert\fR 4
@@ -513,7 +516,7 @@ be included, where the \fB\-chain\fR option overrides the \fBcerts\fR variable.
Default is no. (Optional)
.IP \fBess_cert_id_alg\fR 4
.IX Item "ess_cert_id_alg"
-This option specifies the hash function to be used to calculate the TSA's
+This option specifies the hash function to be used to calculate the TSA\*(Aqs
public key certificate identifier. Default is sha256. (Optional)
.SH EXAMPLES
.IX Header "EXAMPLES"
@@ -607,7 +610,7 @@ To extract the timestamp token from a response:
\& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out
.Ve
.PP
-To add 'granted' status info to a timestamp token thereby creating a
+To add \*(Aqgranted\*(Aq status info to a timestamp token thereby creating a
valid response:
.PP
.Vb 1
@@ -643,7 +646,7 @@ To verify a timestamp token against a message imprint:
\& \-in design2.tsr \-CAfile cacert.pem
.Ve
.PP
-You could also look at the 'test' directory for more examples.
+You could also look at the \*(Aqtest\*(Aq directory for more examples.
.SH BUGS
.IX Header "BUGS"
.IP \(bu 2
diff --git a/secure/usr.bin/openssl/man/openssl-verification-options.1 b/secure/usr.bin/openssl/man/openssl-verification-options.1
index 76c982714b47..fedf97b93656 100644
--- a/secure/usr.bin/openssl/man/openssl-verification-options.1
+++ b/secure/usr.bin/openssl/man/openssl-verification-options.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-VERIFICATION-OPTIONS 1ossl"
-.TH OPENSSL-VERIFICATION-OPTIONS 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-VERIFICATION-OPTIONS 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -82,7 +85,7 @@ In a nutshell, a valid chain of certificates needs to be built up and verified
starting from the \fItarget certificate\fR that is to be verified
and ending in a certificate that due to some policy is trusted.
Certificate validation can be performed in the context of a \fIpurpose\fR, which
-is a high-level specification of the intended use of the target certificate,
+is a high\-level specification of the intended use of the target certificate,
such as \f(CW\*(C`sslserver\*(C'\fR for TLS servers, or (by default) for any purpose.
.PP
The details of how each OpenSSL command handles errors
@@ -107,10 +110,10 @@ In particular, the subject key identifier extension, if present,
is used for matching trust anchors during chain building.
.PP
In the most simple and common case, trust anchors are by default
-all self-signed "root" CA certificates that are placed in the \fItrust store\fR,
+all self\-signed "root" CA certificates that are placed in the \fItrust store\fR,
which is a collection of certificates that are trusted for certain uses.
This is akin to what is used in the trust stores of Mozilla Firefox,
-or Apple's and Microsoft's certificate stores, ...
+or Apple\*(Aqs and Microsoft\*(Aqs certificate stores, ...
.PP
From the OpenSSL perspective, a trust anchor is a certificate
that should be augmented with an explicit designation for which
@@ -121,7 +124,7 @@ explicitly stating trust for the listed purposes
and/or a set of negative trust attributes
explicitly rejecting the use for the listed purposes.
The purposes are encoded using the values defined for the extended key usages
-(EKUs) that may be given in X.509 extensions of end-entity certificates.
+(EKUs) that may be given in X.509 extensions of end\-entity certificates.
See also the "Extended Key Usage" section below.
.PP
The currently recognized uses are
@@ -132,7 +135,7 @@ The currently recognized uses are
As of OpenSSL 1.1.0, the last of these blocks all uses when rejected or
enables all uses when trusted.
.PP
-A certificate, which may be CA certificate or an end-entity certificate,
+A certificate, which may be CA certificate or an end\-entity certificate,
is considered a trust anchor for the given use
if and only if all the following conditions hold:
.IP \(bu 4
@@ -142,7 +145,7 @@ It does not have a negative trust attribute rejecting the given use.
.IP \(bu 4
It has a positive trust attribute accepting the given use
or (by default) one of the following compatibility conditions apply:
-It is self-signed or the \fB\-partial_chain\fR option is given
+It is self\-signed or the \fB\-partial_chain\fR option is given
(which corresponds to the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag being set).
.SS "Certification Path Building"
.IX Subsection "Certification Path Building"
@@ -157,7 +160,7 @@ is taken, otherwise the one that expired most recently of all such certificates.
For efficiency, no backtracking is performed, thus
any further candidate issuer certificates that would match equally are ignored.
.PP
-When a self-signed certificate has been added, chain construction stops.
+When a self\-signed certificate has been added, chain construction stops.
In this case it must fully match a trust anchor, otherwise chain building fails.
.PP
A candidate issuer certificate matches a subject certificate
@@ -166,7 +169,7 @@ if all of the following conditions hold:
Its subject name matches the issuer name of the subject certificate.
.IP \(bu 4
If the subject certificate has an authority key identifier extension,
-each of its sub-fields equals the corresponding subject key identifier, serial
+each of its sub\-fields equals the corresponding subject key identifier, serial
number, and issuer field of the candidate issuer certificate,
as far as the respective fields are present in both certificates.
.IP \(bu 4
@@ -177,12 +180,18 @@ equals the public key algorithm of the candidate issuer certificate.
The lookup first searches for issuer certificates in the trust store.
If it does not find a match there it consults
the list of untrusted ("intermediate" CA) certificates, if provided.
+If one issuer certificate was found in the trust store, the list of
+untrusted certificates will not be consulted anymore to find further
+issuer certificates. Therefore, either only the root certificate or an
+uninterrupted chain to the root certificate must be provided in the trust
+store for a successful verification, if \fBX509_V_FLAG_PARTIAL_CHAIN\fR
+is not enabled.
.SS "Certification Path Validation"
.IX Subsection "Certification Path Validation"
When the certificate chain building process was successful
the chain components and their links are checked thoroughly.
.PP
-The first step is to check that each certificate is well-formed.
+The first step is to check that each certificate is well\-formed.
Part of these checks are enabled only if the \fB\-x509_strict\fR option is given.
.PP
The second step is to check the X.509v3 extensions of every certificate
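Review bot: the six added lines before .SS "Certification Path Validation" name only the library flag X509_V_FLAG_PARTIAL_CHAIN, while the trust-anchor section earlier in this same page pairs the \-partial_chain option with that flag. For a command man page the option should be named here as well, for example "if the \-partial_chain option (X509_V_FLAG_PARTIAL_CHAIN) is not enabled". The sentence "either only the root certificate or an uninterrupted chain to the root certificate must be provided in the trust store" is also hard to parse. It would be clearer to state the failing case directly: an intermediate placed in the trust store without its issuers stops the lookup from falling back to the untrusted list, so chain building fails. The page is generated by Pod::Man, so the wording change belongs in the upstream POD rather than in this file.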
@@ -193,14 +202,14 @@ connection setup, where by default \f(CW\*(C`sslserver\*(C'\fR or \f(CW\*(C`sslc
The X.509v3 extensions of the target or "leaf" certificate
must be compatible with the specified purpose.
All other certificates down the chain are checked to be valid CA certificates,
-and possibly also further non-standard checks are performed.
+and possibly also further non\-standard checks are performed.
The precise extensions required are described in detail
in the "Certificate Extensions" section below.
.PP
The third step is to check the trust settings on the last certificate
-(which typically is a self-signed root CA certificate).
+(which typically is a self\-signed root CA certificate).
It must be trusted for the given use.
-For compatibility with previous versions of OpenSSL, a self-signed certificate
+For compatibility with previous versions of OpenSSL, a self\-signed certificate
with no trust attributes is considered to be valid for all uses.
.PP
The fourth, and final, step is to check the validity of the certificate chain.
@@ -209,7 +218,7 @@ the validity period as specified by the \f(CW\*(C`notBefore\*(C'\fR and \f(CW\*(
is checked against the current system time.
The \fB\-attime\fR flag may be used to use a reference time other than "now."
The certificate signature is checked as well
-(except for the signature of the typically self-signed root CA certificate,
+(except for the signature of the typically self\-signed root CA certificate,
which is verified only if the \fB\-check_ss_sig\fR option is given).
When verifying a certificate signature
the keyUsage extension (if present) of the candidate issuer certificate
@@ -236,7 +245,7 @@ can be specified using following options.
.IX Item "-CAfile file"
Load the specified file which contains a trusted certificate in DER format
or potentially several of them in case the input is in PEM format.
-PEM-encoded certificates may also have trust attributes set.
+PEM\-encoded certificates may also have trust attributes set.
.IP \fB\-no\-CAfile\fR 4
.IX Item "-no-CAfile"
Do not load the default file of trusted certificates.
@@ -268,7 +277,7 @@ chain (for example with \fBopenssl\-s_time\fR\|(1)).
Do not use the default store of trusted CA certificates.
.SS "Verification Options"
.IX Subsection "Verification Options"
-The certificate verification can be fine-tuned with the following flags.
+The certificate verification can be fine\-tuned with the following flags.
.IP \fB\-verbose\fR 4
.IX Item "-verbose"
Print extra information about the operations being performed.
@@ -284,11 +293,11 @@ against the current time. If option \fB\-attime\fR is used to specify
a verification time, the check is not suppressed.
.IP \fB\-x509_strict\fR 4
.IX Item "-x509_strict"
-This disables non-compliant workarounds for broken certificates.
+This disables non\-compliant workarounds for broken certificates.
Thus errors are thrown on certificates not compliant with RFC 5280.
.Sp
When this option is set,
-among others, the following certificate well-formedness conditions are checked:
+among others, the following certificate well\-formedness conditions are checked:
.RS 4
.IP \(bu 4
The basicConstraints of CA certificates must be marked critical.
@@ -297,7 +306,7 @@ CA certificates must explicitly include the keyUsage extension.
.IP \(bu 4
If a pathlenConstraint is given the key usage keyCertSign must be allowed.
.IP \(bu 4
-The pathlenConstraint must not be given for non-CA certificates.
+The pathlenConstraint must not be given for non\-CA certificates.
.IP \(bu 4
The issuer name of any certificate must not be empty.
.IP \(bu 4
@@ -312,7 +321,7 @@ Any given authorityKeyIdentifier and any given subjectKeyIdentifier
must not be marked critical.
.IP \(bu 4
The authorityKeyIdentifier must be given for X.509v3 certs unless they
-are self-signed.
+are self\-signed.
.IP \(bu 4
The subjectKeyIdentifier must be given for all X.509v3 CA certs.
.RE
@@ -355,7 +364,7 @@ The authentication security level determines the acceptable signature and
public key strength when verifying certificate chains. For a certificate
chain to validate, the public keys of all the certificates must meet the
specified security \fIlevel\fR. The signature algorithm security level is
-enforced for all the certificates in the chain except for the chain's
+enforced for all the certificates in the chain except for the chain\*(Aqs
\&\fItrust anchor\fR, which is either directly trusted or validated by means
other than its signature. See \fBSSL_CTX_set_security_level\fR\|(3) for the
definitions of the available levels. The default security level is \-1,
@@ -367,16 +376,16 @@ keys shorter than 1024 bits.
.IX Item "-partial_chain"
Allow verification to succeed if an incomplete chain can be built.
That is, a chain ending in a certificate that normally would not be trusted
-(because it has no matching positive trust attributes and is not self-signed)
+(because it has no matching positive trust attributes and is not self\-signed)
but is an element of the trust store.
-This certificate may be self-issued or belong to an intermediate CA.
+This certificate may be self\-issued or belong to an intermediate CA.
.IP \fB\-check_ss_sig\fR 4
.IX Item "-check_ss_sig"
Verify the signature of
-the last certificate in a chain if the certificate is supposedly self-signed.
-This is prohibited and will result in an error if it is a non-conforming CA
+the last certificate in a chain if the certificate is supposedly self\-signed.
+This is prohibited and will result in an error if it is a non\-conforming CA
certificate with key usage restrictions not including the keyCertSign bit.
-This verification is disabled by default because it doesn't add any security.
+This verification is disabled by default because it doesn\*(Aqt add any security.
.IP \fB\-allow_proxy_certs\fR 4
.IX Item "-allow_proxy_certs"
Allow the verification of proxy certificates.
@@ -395,7 +404,7 @@ effect.
.IX Item "-trusted file"
Parse \fIfile\fR as a set of one or more certificates.
Each of them qualifies as trusted if has a suitable positive trust attribute
-or it is self-signed or the \fB\-partial_chain\fR option is specified.
+or it is self\-signed or the \fB\-partial_chain\fR option is specified.
This option implies the \fB\-no\-CAfile\fR, \fB\-no\-CApath\fR, and \fB\-no\-CAstore\fR options
and it cannot be used with the \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR options, so
only certificates specified using the \fB\-trusted\fR option are trust anchors.
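Review bot: the context line "Each of them qualifies as trusted if has a suitable positive trust attribute" is missing its subject ("if it has"), and the changed line directly below it continues that sentence. This sentence decides which certificates given with \-trusted become trust anchors, so it should read cleanly. Worth sending upstream as a POD fix alongside the other typo corrections this regeneration picks up.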
@@ -409,12 +418,12 @@ construct a certificate chain from the target certificate to a trust anchor.
This option may be used multiple times.
.IP "\fB\-policy\fR \fIarg\fR" 4
.IX Item "-policy arg"
-Enable policy processing and add \fIarg\fR to the user-initial-policy-set (see
+Enable policy processing and add \fIarg\fR to the user\-initial\-policy\-set (see
RFC5280). The policy \fIarg\fR can be an object name or an OID in numeric form.
This argument can appear more than once.
.IP \fB\-explicit_policy\fR 4
.IX Item "-explicit_policy"
-Set policy variable require-explicit-policy (see RFC5280).
+Set policy variable require\-explicit\-policy (see RFC5280).
.IP \fB\-policy_check\fR 4
.IX Item "-policy_check"
Enables certificate policy processing.
@@ -423,13 +432,13 @@ Enables certificate policy processing.
Print out diagnostics related to policy processing.
.IP \fB\-inhibit_any\fR 4
.IX Item "-inhibit_any"
-Set policy variable inhibit-any-policy (see RFC5280).
+Set policy variable inhibit\-any\-policy (see RFC5280).
.IP \fB\-inhibit_map\fR 4
.IX Item "-inhibit_map"
-Set policy variable inhibit-policy-mapping (see RFC5280).
+Set policy variable inhibit\-policy\-mapping (see RFC5280).
.IP "\fB\-purpose\fR \fIpurpose\fR" 4
.IX Item "-purpose purpose"
-A high-level specification of the intended use of the target certificate.
+A high\-level specification of the intended use of the target certificate.
Currently predefined purposes are \f(CW\*(C`sslclient\*(C'\fR, \f(CW\*(C`sslserver\*(C'\fR, \f(CW\*(C`nssslserver\*(C'\fR,
\&\f(CW\*(C`smimesign\*(C'\fR, \f(CW\*(C`smimeencrypt\*(C'\fR, \f(CW\*(C`crlsign\*(C'\fR, \f(CW\*(C`ocsphelper\*(C'\fR, \f(CW\*(C`timestampsign\*(C'\fR,
\&\f(CW\*(C`codesign\*(C'\fR and \f(CW\*(C`any\*(C'\fR.
@@ -440,14 +449,14 @@ TLS server (\f(CW\*(C`sslserver\*(C'\fR) or TLS client use (\f(CW\*(C`sslclient\
By default, CMS signature validation, which can be done via \fBopenssl\-cms\fR\|(1),
checks for consistency with S/MIME signing use (\f(CW\*(C`smimesign\*(C'\fR).
.Sp
-While IETF RFC 5280 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR
+While IETF RFC 5280 says that \fBid\-kp\-serverAuth\fR and \fBid\-kp\-clientAuth\fR
are only for WWW use, in practice they are used for all kinds of TLS clients
and servers, and this is what OpenSSL assumes as well.
.IP "\fB\-verify_depth\fR \fInum\fR" 4
.IX Item "-verify_depth num"
Limit the certificate chain to \fInum\fR intermediate CA certificates.
A maximal depth chain can have up to \fInum\fR+2 certificates, since neither the
-end-entity certificate nor the trust-anchor certificate count against the
+end\-entity certificate nor the trust\-anchor certificate count against the
\&\fB\-verify_depth\fR limit.
.IP "\fB\-verify_email\fR \fIemail\fR" 4
.IX Item "-verify_email email"
@@ -470,7 +479,7 @@ These mimic the combinations of purpose and trust settings used in SSL/(D)TLS,
CMS/PKCS7 (including S/MIME), and code signing.
.Sp
The verification parameters include the trust model, various flags that can
-partly be set also via other command-line options, and the verification purpose,
+partly be set also via other command\-line options, and the verification purpose,
which in turn implies certificate key usage and extended key usage requirements.
.Sp
The trust model determines which auxiliary trust or reject OIDs are applicable
@@ -480,7 +489,7 @@ for \fBopenssl\-x509\fR\|(1).
.SS "Extended Verification Options"
.IX Subsection "Extended Verification Options"
Sometimes there may be more than one certificate chain leading to an
-end-entity certificate.
+end\-entity certificate.
This usually happens when a root or intermediate CA signs a certificate
for another a CA in other organization.
Another reason is when a CA might have intermediates that use two different
@@ -539,11 +548,11 @@ keyCertSign bit set if the keyUsage extension is present.
.PP
The extKeyUsage (EKU) extension places additional restrictions on
certificate use. If this extension is present (whether critical or not)
-in an end-entity certficiate, the key is allowed only for the uses specified,
+in an end\-entity certificate, the key is allowed only for the uses specified,
while the special EKU \fBanyExtendedKeyUsage\fR allows for all uses.
.PP
Note that according to RFC 5280 section 4.2.1.12,
-the Extended Key Usage extension will appear only in end-entity certificates,
+the Extended Key Usage extension will appear only in end\-entity certificates,
and consequently the standard certification path validation described
in its section 6 does not include EKU checks for CA certificates.
The CA/Browser Forum requires for TLS server, S/MIME, and code signing use
@@ -596,8 +605,8 @@ This is used as a workaround if the basicConstraints extension is absent.
.el .IP "\fBNetscape SSL Server\fR (\f(CWnssslserver\fR)" 4
.IX Item "Netscape SSL Server (nssslserver)"
In addition to what has been described for \fBsslserver\fR, for a Netscape
-SSL client to connect to an SSL server, its EE certficate must have the
-\&\fBkeyEncipherment\fR bit set if the keyUsage extension is present. This isn't
+SSL client to connect to an SSL server, its EE certificate must have the
+\&\fBkeyEncipherment\fR bit set if the keyUsage extension is present. This isn\*(Aqt
always valid because some cipher suites use the key for digital signing.
Otherwise it is the same as a normal SSL server.
.IP "\fBCommon S/MIME Checks\fR" 4
@@ -608,7 +617,7 @@ For target certificates,
the Netscape certificate type must be absent or should have the S/MIME bit set.
If the S/MIME bit is not set in the Netscape certificate type
then the SSL client bit is tolerated as an alternative but a warning is shown.
-This is because some Verisign certificates don't set the S/MIME bit.
+This is because some Verisign certificates don\*(Aqt set the S/MIME bit.
.Sp
For all other certificates the normal CA checks apply. In addition,
the Netscape certificate type must be absent or have the S/MIME CA bit set.
@@ -616,19 +625,19 @@ This is used as a workaround if the basicConstraints extension is absent.
.ie n .IP "\fBS/MIME Signing\fR (""smimesign"")" 4
.el .IP "\fBS/MIME Signing\fR (\f(CWsmimesign\fR)" 4
.IX Item "S/MIME Signing (smimesign)"
-In addition to the common S/MIME checks, for target certficiates
+In addition to the common S/MIME checks, for target certificates
the key usage must allow for \f(CW\*(C`digitalSignature\*(C'\fR and/or \fBnonRepudiation\fR.
.ie n .IP "\fBS/MIME Encryption\fR (""smimeencrypt"")" 4
.el .IP "\fBS/MIME Encryption\fR (\f(CWsmimeencrypt\fR)" 4
.IX Item "S/MIME Encryption (smimeencrypt)"
-In addition to the common S/MIME checks, for target certficiates
+In addition to the common S/MIME checks, for target certificates
the key usage must allow for \f(CW\*(C`keyEncipherment\*(C'\fR.
.ie n .IP "\fBCRL Signing\fR (""crlsign"")" 4
.el .IP "\fBCRL Signing\fR (\f(CWcrlsign\fR)" 4
.IX Item "CRL Signing (crlsign)"
For target certificates, the key usage must allow for \f(CW\*(C`cRLSign\*(C'\fR.
.Sp
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
Except in this case the basicConstraints extension must be present.
.ie n .IP "\fBOCSP Helper\fR (""ocsphelper"")" 4
.el .IP "\fBOCSP Helper\fR (\f(CWocsphelper\fR)" 4
@@ -636,7 +645,7 @@ Except in this case the basicConstraints extension must be present.
For target certificates, no checks are performed at this stage,
but special checks apply; see \fBOCSP_basic_verify\fR\|(3).
.Sp
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
.ie n .IP "\fBTimestamp Signing\fR (""timestampsign"")" 4
.el .IP "\fBTimestamp Signing\fR (\f(CWtimestampsign\fR)" 4
.IX Item "Timestamp Signing (timestampsign)"
@@ -645,7 +654,7 @@ For target certificates, if the key usage extension is present, it must include
The EKU extension must be present and contain \f(CW\*(C`timeStamping\*(C'\fR only.
Moreover, it must be marked as critical.
.Sp
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
.ie n .IP "\fBCode Signing\fR (""codesign"")" 4
.el .IP "\fBCode Signing\fR (\f(CWcodesign\fR)" 4
.IX Item "Code Signing (codesign)"
@@ -655,7 +664,7 @@ include <digitalSignature>, but must not include \f(CW\*(C`keyCertSign\*(C'\fR n
The EKU extension must be present and contain \f(CW\*(C`codeSign\*(C'\fR,
but must not include \f(CW\*(C`anyExtendedKeyUsage\*(C'\fR nor \f(CW\*(C`serverAuth\*(C'\fR.
.Sp
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
.SH BUGS
.IX Header "BUGS"
The issuer checks still suffer from limitations in the underlying X509_LOOKUP
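Review bot: the header context of this hunk reads "include <digitalSignature>, but must not include", so digitalSignature appears in bare angle brackets while the neighbouring identifiers (keyCertSign, codeSign, anyExtendedKeyUsage, serverAuth) are set in the \f(CW font. That looks like a formatting code lost in the POD source rather than intended text. The "+" line in this hunk already carries an upstream spelling fix (certifcates to certificates), so the remaining markup slip is best reported upstream instead of being patched in the generated page.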
@@ -682,7 +691,7 @@ only the first one (in the mentioned order of locations) is recognised.
The checks enabled by \fB\-x509_strict\fR have been extended in OpenSSL 3.0.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-verify.1 b/secure/usr.bin/openssl/man/openssl-verify.1
index e0800743a330..924fd359453f 100644
--- a/secure/usr.bin/openssl/man/openssl-verify.1
+++ b/secure/usr.bin/openssl/man/openssl-verify.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-VERIFY 1ossl"
-.TH OPENSSL-VERIFY 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-VERIFY 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -157,7 +160,7 @@ sources.
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm\-specific.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
@@ -198,6 +201,11 @@ with a \fB\-\fR.
One or more target certificates to verify, one per file. If no certificates are
given, this command will attempt to read a single certificate from standard
input.
+.PP
+Note that the first parameter that does not begin with a \fB\-\fR ends the list
+of options and starts the list of certificates. If you place any options
+after a certificate filename, they will be interpreted not as options
+but as certificates.
.SH DIAGNOSTICS
.IX Header "DIAGNOSTICS"
When a verify operation fails the output messages can be somewhat cryptic. The
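Review bot: the note added after "input." says that options placed after a certificate filename "will be interpreted not as options but as certificates", but it leaves out the consequence that matters to an operator: the misplaced option is not applied, so the certificates named before it are verified without it. Suggest saying that explicitly and stating the required order, all options first and certificate files last.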
@@ -233,7 +241,7 @@ The \fB\-show_chain\fR option was added in OpenSSL 1.1.0.
The \fB\-engine option\fR was deprecated in OpenSSL 3.0.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2026 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/secure/usr.bin/openssl/man/openssl-version.1 b/secure/usr.bin/openssl/man/openssl-version.1
index a18f5667d8c0..1c83f7a1c20d 100644
--- a/secure/usr.bin/openssl/man/openssl-version.1
+++ b/secure/usr.bin/openssl/man/openssl-version.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-VERSION 1ossl"
-.TH OPENSSL-VERSION 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-VERSION 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -123,14 +126,14 @@ The OpenSSL CPU settings info.
.IX Item "-w"
The OpenSSL \fBOSSL_WINCTX\fR build time variable, if set.
Used for computing Windows registry key names. This option is unavailable on
-non-Windows platforms.
+non\-Windows platforms.
.SH HISTORY
.IX Header "HISTORY"
In OpenSSL versions prior to 3.4, OpenSSL had a limitation regarding the
\&\fBOPENSSLDIR\fR, \fBMODULESDIR\fR and \fBENGINESDIR\fR build time macros. These macros
were defined at build time, and represented filesystem paths. This is common
practice on unix like systems, as there was an expectation that a given build
-would be installed to a pre-determined location. On Windows however, there is
+would be installed to a pre\-determined location. On Windows however, there is
no such expectation, as libraries can be installed to arbitrary locations.
\&\fBOSSL_WINCTX\fR was introduced as a new build time variable to define a set of
registry keys identified by the name openssl\-<version>\-<ctx>, in which the
diff --git a/secure/usr.bin/openssl/man/openssl-x509.1 b/secure/usr.bin/openssl/man/openssl-x509.1
index 9925dd97454b..b55bbc443c70 100644
--- a/secure/usr.bin/openssl/man/openssl-x509.1
+++ b/secure/usr.bin/openssl/man/openssl-x509.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL-X509 1ossl"
-.TH OPENSSL-X509 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL-X509 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -146,11 +149,11 @@ openssl\-x509 \- Certificate display and signing command
[\fB\-propquery\fR \fIpropq\fR]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This command is a multi-purposes certificate handling command.
+This command is a multi\-purposes certificate handling command.
It can be used to print certificate information,
convert certificates to various forms, edit certificate trust settings,
generate certificates from scratch or from certification requests
-and then self-signing them or signing them like a "micro CA".
+and then self\-signing them or signing them like a "micro CA".
.PP
Generated certificates bear X.509 version 3.
Unless specified otherwise,
@@ -185,12 +188,12 @@ So this excludes the \fB\-in\fR and \fB\-req\fR options.
Instead, the \fB\-set_subject\fR option needs to be given.
The public key to include can be given with the \fB\-force_pubkey\fR option
and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
-which implies self-signature.
+which implies self\-signature.
.IP \fB\-x509toreq\fR 4
.IX Item "-x509toreq"
Output a PKCS#10 certificate request (rather than a certificate).
The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
-self-signing; the corresponding public key is placed in the subjectPKInfo field.
+self\-signing; the corresponding public key is placed in the subjectPKInfo field.
.Sp
X.509 extensions included in a certificate input are not copied by default.
X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
@@ -198,7 +201,7 @@ X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
.IX Item "-req"
By default a certificate is expected on input.
With this option a PKCS#10 certificate request is expected instead,
-which must be correctly self-signed.
+which must be correctly self\-signed.
.Sp
X.509 extensions included in the request are not copied by default.
X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
@@ -220,17 +223,17 @@ See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
-Names and values of these options are algorithm-specific.
+Names and values of these options are algorithm\-specific.
.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-key filename|uri"
This option provides the private key for signing a new certificate or
certificate request.
Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
-the new certificate or certificate request, resulting in a self-signature.
+the new certificate or certificate request, resulting in a self\-signature.
.Sp
This option cannot be used in conjunction with the \fB\-CA\fR option.
.Sp
-It sets the issuer name to the subject name (i.e., makes it self-issued).
+It sets the issuer name to the subject name (i.e., makes it self\-issued).
Unless the \fB\-preserve_dates\fR option is supplied,
it sets the validity start date to the current time
and the end date to a value determined by the \fB\-days\fR option.
@@ -349,7 +352,7 @@ the results. For a more complete description see
"Certificate Extensions" in \fBopenssl\-verification\-options\fR\|(1).
.IP \fB\-pubkey\fR 4
.IX Item "-pubkey"
-Prints the certificate's SubjectPublicKeyInfo block in PEM format.
+Prints the certificate\*(Aqs SubjectPublicKeyInfo block in PEM format.
.IP \fB\-modulus\fR 4
.IX Item "-modulus"
This option prints out the value of the modulus of the public key
@@ -421,15 +424,15 @@ See \fB\-set_subject\fR on how the arg must be formatted.
.IP "\fB\-set_subject\fR \fIarg\fR" 4
.IX Item "-set_subject arg"
When a certificate is created set its subject name to the given value.
-When the certificate is self-signed the issuer name is set to the same value,
+When the certificate is self\-signed the issuer name is set to the same value,
unless the \fB\-set_issuer\fR option is given.
.Sp
The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the certificate.
-Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
-Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
+Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL\-DN).
+Multi\-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
@@ -451,8 +454,8 @@ If the input contains no public key but a private key, its public part is used.
This option can be used in conjunction with b<\-new> and \fB\-set_subject\fR
to directly generate a certificate containing any desired public key.
.Sp
-This option is also useful for creating self-issued certificates that are not
-self-signed, for instance when the key cannot be used for signing, such as DH.
+This option is also useful for creating self\-issued certificates that are not
+self\-signed, for instance when the key cannot be used for signing, such as DH.
.IP \fB\-clrext\fR 4
.IX Item "-clrext"
When transforming a certificate to a new certificate
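Review bot: the unchanged line `This option can be used in conjunction with b<\-new> and \fB\-set_subject\fR` in this hunk still has a lowercase `b<...>`, which POD does not treat as a formatting code, so the option name renders literally as "b<-new>" instead of in bold. The page is generated, so the fix belongs in the upstream POD source (`B<-new>`) rather than in this file; report it upstream so the next regeneration picks it up.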
@@ -482,7 +485,7 @@ key identifier extensions are included as described in \fBx509v3_config\fR\|(5).
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign operations.
This option may be given multiple times.
-Names and values provided using this option are algorithm-specific.
+Names and values provided using this option are algorithm\-specific.
.IP \fB\-badsig\fR 4
.IX Item "-badsig"
Corrupt the signature before writing it; this can be useful
@@ -495,7 +498,7 @@ digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
If not specified then SHA1 is used with \fB\-fingerprint\fR or
the default digest for the signing algorithm is used, typically SHA256.
-.SS "Micro-CA Options"
+.SS "Micro\-CA Options"
.IX Subsection "Micro-CA Options"
.IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-CA filename|uri"
@@ -575,7 +578,7 @@ certificate is automatically output if any trust settings are modified.
.IP "\fB\-setalias\fR \fIarg\fR" 4
.IX Item "-setalias arg"
Sets the "alias" of the certificate. This will allow the certificate
-to be referred to using a nickname for example "Steve's Certificate".
+to be referred to using a nickname for example "Steve\*(Aqs Certificate".
.IP \fB\-clrtrust\fR 4
.IX Item "-clrtrust"
Clears all the permitted or trusted uses of the certificate.
@@ -624,38 +627,38 @@ the \fBtext\fR option is present. The default behaviour is to print all fields.
Use the old format. This is equivalent to specifying no printing options at all.
.IP \fBno_header\fR 4
.IX Item "no_header"
-Don't print header information: that is the lines saying "Certificate"
+Don\*(Aqt print header information: that is the lines saying "Certificate"
and "Data".
.IP \fBno_version\fR 4
.IX Item "no_version"
-Don't print out the version number.
+Don\*(Aqt print out the version number.
.IP \fBno_serial\fR 4
.IX Item "no_serial"
-Don't print out the serial number.
+Don\*(Aqt print out the serial number.
.IP \fBno_signame\fR 4
.IX Item "no_signame"
-Don't print out the signature algorithm used.
+Don\*(Aqt print out the signature algorithm used.
.IP \fBno_validity\fR 4
.IX Item "no_validity"
-Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
+Don\*(Aqt print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
.IP \fBno_subject\fR 4
.IX Item "no_subject"
-Don't print out the subject name.
+Don\*(Aqt print out the subject name.
.IP \fBno_issuer\fR 4
.IX Item "no_issuer"
-Don't print out the issuer name.
+Don\*(Aqt print out the issuer name.
.IP \fBno_pubkey\fR 4
.IX Item "no_pubkey"
-Don't print out the public key.
+Don\*(Aqt print out the public key.
.IP \fBno_sigdump\fR 4
.IX Item "no_sigdump"
-Don't give a hexadecimal dump of the certificate signature.
+Don\*(Aqt give a hexadecimal dump of the certificate signature.
.IP \fBno_aux\fR 4
.IX Item "no_aux"
-Don't print out certificate trust information.
+Don\*(Aqt print out certificate trust information.
.IP \fBno_extensions\fR 4
.IX Item "no_extensions"
-Don't print out any X509V3 extensions.
+Don\*(Aqt print out any X509V3 extensions.
.IP \fBext_default\fR 4
.IX Item "ext_default"
Retain default extension behaviour: attempt to print out unsupported
@@ -675,7 +678,7 @@ The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_p
\&\fBno_header\fR, and \fBno_version\fR.
.SH EXAMPLES
.IX Header "EXAMPLES"
-Note: in these examples the '\e' means the example should be all on one
+Note: in these examples the \*(Aq\e\*(Aq means the example should be all on one
line.
.PP
Print the contents of a certificate:
@@ -739,7 +742,7 @@ Convert a certificate to a certificate request:
\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
.Ve
.PP
-Convert a certificate request into a self-signed certificate using
+Convert a certificate request into a self\-signed certificate using
extensions for a CA:
.PP
.Vb 2
@@ -756,7 +759,7 @@ certificate extensions:
.Ve
.PP
Set a certificate to be trusted for SSL client use and change set its alias to
-"Steve's Class 1 CA"
+"Steve\*(Aqs Class 1 CA"
.PP
.Vb 2
\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
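Review bot: the context sentence just above the changed line reads "change set its alias to", which has one verb too many ("change" or "set"). The text is generated, so this should be corrected in the upstream POD rather than edited here.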
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index 2e14d64a46b0..ed1b76a592dd 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
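Review bot: the generator moves from Pod::Man 5.0102 to v6.0.2 on the second line of this hunk, and that change, not the OpenSSL update, accounts for the `\-` and `\*(Aq` escaping differences that make up most of this diff. Consider stating this in the commit log, or regenerating with the new Pod::Man in a separate commit, so the few content changes (such as the added `OPENSSL_ppccap` reference further down this file) are not buried in escaping churn.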
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "OPENSSL 1ossl"
-.TH OPENSSL 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH OPENSSL 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
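Review bot: the `.TH` line moves from 3.5.4 (2025-09-30) to 3.5.6 (2026-04-07); check that every regenerated page carries the same version and date, as tsget.1 does, so that no page is left over from an intermediate run. The added `.if n .ds AD l` is generator preamble that sits alongside the existing `.if n .ad l` below it, and needs no manual change.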
@@ -79,7 +82,7 @@ and Transport Layer Security (TLS) network protocols and related
cryptography standards required by them.
.PP
The \fBopenssl\fR program is a command line program for using the various
-cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
+cryptography functions of OpenSSL\*(Aqs \fBcrypto\fR library from the shell.
It can be used for
.PP
.Vb 8
@@ -111,7 +114,7 @@ nothing is printed to \fBstderr\fR. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fIXXX\fR is
-not able to detect pseudo-commands such as \fBquit\fR,
+not able to detect pseudo\-commands such as \fBquit\fR,
\&\fBlist\fR, or \fBno\-\fR\fIXXX\fR itself.)
.SS "Configuration Option"
.IX Subsection "Configuration Option"
@@ -152,7 +155,7 @@ Message Digest calculation. MAC calculations are superseded by
\&\fBopenssl\-mac\fR\|(1).
.IP \fBdhparam\fR 4
.IX Item "dhparam"
-Generation and Management of Diffie-Hellman Parameters. Superseded by
+Generation and Management of Diffie\-Hellman Parameters. Superseded by
\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1).
.IP \fBdsa\fR 4
.IX Item "dsa"
@@ -191,7 +194,7 @@ Generation of Private Key or Parameters.
Generation of RSA Private Key. Superseded by \fBopenssl\-genpkey\fR\|(1).
.IP \fBhelp\fR 4
.IX Item "help"
-Display information about a command's options.
+Display information about a command\*(Aqs options.
.IP \fBinfo\fR 4
.IX Item "info"
Display diverse information built into the OpenSSL libraries.
@@ -236,7 +239,7 @@ Public key algorithm cryptographic operation command.
Compute prime numbers.
.IP \fBrand\fR 4
.IX Item "rand"
-Generate pseudo-random bytes.
+Generate pseudo\-random bytes.
.IP \fBrehash\fR 4
.IX Item "rehash"
Create symbolic links to certificate and CRL files named by the hash values.
@@ -253,13 +256,13 @@ by \fBopenssl\-pkeyutl\fR\|(1).
.IP \fBs_client\fR 4
.IX Item "s_client"
This implements a generic SSL/TLS client which can establish a transparent
-connection to a remote server speaking SSL/TLS. It's intended for testing
+connection to a remote server speaking SSL/TLS. It\*(Aqs intended for testing
purposes only and provides only rudimentary interface functionality but
internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
.IP \fBs_server\fR 4
.IX Item "s_server"
This implements a generic SSL/TLS server which accepts connections from remote
-clients speaking SSL/TLS. It's intended for testing purposes only and provides
+clients speaking SSL/TLS. It\*(Aqs intended for testing purposes only and provides
only rudimentary interface functionality but internally uses mostly all
functionality of the OpenSSL \fBssl\fR library. It provides both an own command
line oriented protocol for testing SSL functions and a simple HTTP response
@@ -397,7 +400,7 @@ Aria\-256 Cipher
.IP \fBbase64\fR 4
.IX Item "base64"
Base64 Encoding
-.IP "\fBbf\fR, \fBbf-cbc\fR, \fBbf-cfb\fR, \fBbf-ecb\fR, \fBbf-ofb\fR" 4
+.IP "\fBbf\fR, \fBbf\-cbc\fR, \fBbf\-cfb\fR, \fBbf\-ecb\fR, \fBbf\-ofb\fR" 4
.IX Item "bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb"
Blowfish Cipher
.IP "\fBcamellia128\fR, \fBcamellia\-128\-cbc\fR, \fBcamellia\-128\-cfb\fR, \fBcamellia\-128\-ctr\fR, \fBcamellia\-128\-ecb\fR, \fBcamellia\-128\-ofb\fR" 4
@@ -409,7 +412,7 @@ Camellia\-192 Cipher
.IP "\fBcamellia256\fR, \fBcamellia\-256\-cbc\fR, \fBcamellia\-256\-cfb\fR, \fBcamellia\-256\-ctr\fR, \fBcamellia\-256\-ecb\fR, \fBcamellia\-256\-ofb\fR" 4
.IX Item "camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr, camellia-256-ecb, camellia-256-ofb"
Camellia\-256 Cipher
-.IP "\fBcast\fR, \fBcast-cbc\fR" 4
+.IP "\fBcast\fR, \fBcast\-cbc\fR" 4
.IX Item "cast, cast-cbc"
CAST Cipher
.IP "\fBcast5\-cbc\fR, \fBcast5\-cfb\fR, \fBcast5\-ecb\fR, \fBcast5\-ofb\fR" 4
@@ -418,13 +421,13 @@ CAST5 Cipher
.IP \fBchacha20\fR 4
.IX Item "chacha20"
Chacha20 Cipher
-.IP "\fBdes\fR, \fBdes-cbc\fR, \fBdes-cfb\fR, \fBdes-ecb\fR, \fBdes-ede\fR, \fBdes-ede-cbc\fR, \fBdes-ede-cfb\fR, \fBdes-ede-ofb\fR, \fBdes-ofb\fR" 4
+.IP "\fBdes\fR, \fBdes\-cbc\fR, \fBdes\-cfb\fR, \fBdes\-ecb\fR, \fBdes\-ede\fR, \fBdes\-ede\-cbc\fR, \fBdes\-ede\-cfb\fR, \fBdes\-ede\-ofb\fR, \fBdes\-ofb\fR" 4
.IX Item "des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb"
DES Cipher
.IP "\fBdes3\fR, \fBdesx\fR, \fBdes\-ede3\fR, \fBdes\-ede3\-cbc\fR, \fBdes\-ede3\-cfb\fR, \fBdes\-ede3\-ofb\fR" 4
.IX Item "des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb"
-Triple-DES Cipher
-.IP "\fBidea\fR, \fBidea-cbc\fR, \fBidea-cfb\fR, \fBidea-ecb\fR, \fBidea-ofb\fR" 4
+Triple\-DES Cipher
+.IP "\fBidea\fR, \fBidea\-cbc\fR, \fBidea\-cfb\fR, \fBidea\-ecb\fR, \fBidea\-ofb\fR" 4
.IX Item "idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb"
IDEA Cipher
.IP "\fBrc2\fR, \fBrc2\-cbc\fR, \fBrc2\-cfb\fR, \fBrc2\-ecb\fR, \fBrc2\-ofb\fR" 4
@@ -436,7 +439,7 @@ RC4 Cipher
.IP "\fBrc5\fR, \fBrc5\-cbc\fR, \fBrc5\-cfb\fR, \fBrc5\-ecb\fR, \fBrc5\-ofb\fR" 4
.IX Item "rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb"
RC5 Cipher
-.IP "\fBseed\fR, \fBseed-cbc\fR, \fBseed-cfb\fR, \fBseed-ecb\fR, \fBseed-ofb\fR" 4
+.IP "\fBseed\fR, \fBseed\-cbc\fR, \fBseed\-cfb\fR, \fBseed\-ecb\fR, \fBseed\-ofb\fR" 4
.IX Item "seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb"
SEED Cipher
.IP "\fBsm4\fR, \fBsm4\-cbc\fR, \fBsm4\-cfb\fR, \fBsm4\-ctr\fR, \fBsm4\-ecb\fR, \fBsm4\-ofb\fR" 4
@@ -482,7 +485,7 @@ See the \fBopenssl\-passphrase\-options\fR\|(1) manual page.
.SS "Random State Options"
.IX Subsection "Random State Options"
Prior to OpenSSL 1.1.1, it was common for applications to store information
-about the state of the random-number generator in a file that was loaded
+about the state of the random\-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
generally no longer necessary as OpenSSL will seed itself from a trusted
entropy source provided by the operating system. These flags are still
@@ -494,8 +497,8 @@ every use of \fB\-rand\fR should be paired with \fB\-writerand\fR.
.IX Item "-rand files"
A file or files containing random data used to seed the random number
generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is \f(CW\*(C`;\*(C'\fR for MS-Windows, \f(CW\*(C`,\*(C'\fR for OpenVMS, and \f(CW\*(C`:\*(C'\fR for
+Multiple files can be specified separated by an OS\-dependent character.
+The separator is \f(CW\*(C`;\*(C'\fR for MS\-Windows, \f(CW\*(C`,\*(C'\fR for OpenVMS, and \f(CW\*(C`:\*(C'\fR for
all others. Another way to specify multiple files is to repeat this flag
with different filenames.
.IP "\fB\-writerand\fR \fIfile\fR" 4
@@ -540,7 +543,7 @@ respectively.
.IX Item "-engine id"
Load the engine identified by \fIid\fR and use all the methods it implements
(algorithms, key storage, etc.), unless specified otherwise in the
-command-specific documentation or it is configured to do so, as described in
+command\-specific documentation or it is configured to do so, as described in
"Engine Configuration" in \fBconfig\fR\|(5).
.Sp
The engine will be used for key ids specified with \fB\-key\fR and similar
@@ -562,10 +565,10 @@ form:
.Ve
.PP
Where \f(CW\*(C`{engineid}\*(C'\fR is the identity/name of the engine, and \f(CW\*(C`{keyid}\*(C'\fR is a
-key identifier that's acceptable by that engine. For example, when using an
+key identifier that\*(Aqs acceptable by that engine. For example, when using an
engine that interfaces against a PKCS#11 implementation, the generic key URI
would be something like this (this happens to be an example for the PKCS#11
-engine that's part of OpenSC):
+engine that\*(Aqs part of OpenSC):
.PP
.Vb 1
\& \-key org.openssl.engine:pkcs11:label_some\-private\-key
@@ -629,7 +632,8 @@ For information about specific commands, see \fBopenssl\-engine\fR\|(1),
\&\fBopenssl\-rehash\fR\|(1), and \fBtsget\fR\|(1).
.PP
For information about querying or specifying CPU architecture flags, see
-\&\fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3) and \fBOPENSSL_riscvcap\fR\|(3).
+\&\fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_ppccap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3),
+and \fBOPENSSL_riscvcap\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-asn1parse\fR\|(1),
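Review bot: the new cross-reference to `\fBOPENSSL_ppccap\fR\|(3)` is the one content change in this file; confirm that the OPENSSL_ppccap(3) page is installed by the same update, otherwise the reference points at a page that is not present on the system.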
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
index 9e84322fe7b9..2c9bd9279449 100644
--- a/secure/usr.bin/openssl/man/tsget.1
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "TSGET 1ossl"
-.TH TSGET 1ossl 2025-09-30 3.5.4 OpenSSL
+.TH TSGET 1ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -116,7 +119,7 @@ the input files. Default extension is \fI.tsr\fR. (Optional)
.IP "\fB\-o\fR \fIoutput\fR" 4
.IX Item "-o output"
This option can be specified only when just one request is sent to the
-server. The timestamp response will be written to the given output file. '\-'
+server. The timestamp response will be written to the given output file. \*(Aq\-\*(Aq
means standard output. In case of multiple timestamp requests or the absence
of this argument the names of the output files will be derived from the names
of the input files and the default or specified extension argument. (Optional)
@@ -130,7 +133,7 @@ Switches on verbose mode for the underlying perl module WWW::Curl::Easy.
You can see detailed debug messages for the connection. (Optional)
.IP "\fB\-k\fR \fIprivate_key.pem\fR" 4
.IX Item "-k private_key.pem"
-(HTTPS) In case of certificate-based client authentication over HTTPS
+(HTTPS) In case of certificate\-based client authentication over HTTPS
\&\fIprivate_key.pem\fR must contain the private key of the user. The private key
file can optionally be protected by a passphrase. The \fB\-c\fR option must also
be specified. (Optional)
@@ -141,18 +144,18 @@ argument. If this option is omitted and the key is passphrase protected,
it will be prompted for. (Optional)
.IP "\fB\-c\fR \fIclient_cert.pem\fR" 4
.IX Item "-c client_cert.pem"
-(HTTPS) In case of certificate-based client authentication over HTTPS
+(HTTPS) In case of certificate\-based client authentication over HTTPS
\&\fIclient_cert.pem\fR must contain the X.509 certificate of the user. The \fB\-k\fR
option must also be specified. If this option is not specified no
-certificate-based client authentication will take place. (Optional)
+certificate\-based client authentication will take place. (Optional)
.IP "\fB\-C\fR \fICA_certs.pem\fR" 4
.IX Item "-C CA_certs.pem"
-(HTTPS) The trusted CA certificate store. The certificate chain of the peer's
+(HTTPS) The trusted CA certificate store. The certificate chain of the peer\*(Aqs
certificate must include one of the CA certificates specified in this file.
Either option \fB\-C\fR or option \fB\-P\fR must be given in case of HTTPS. (Optional)
.IP "\fB\-P\fR \fICA_path\fR" 4
.IX Item "-P CA_path"
-(HTTPS) The path containing the trusted CA certificates to verify the peer's
+(HTTPS) The path containing the trusted CA certificates to verify the peer\*(Aqs
certificate. The directory must be prepared with \fBopenssl\-rehash\fR\|(1). Either
option \fB\-C\fR or option \fB\-P\fR must be given in case of HTTPS. (Optional)
.IP "\fB\-r\fR \fIfiles\fR" 4
@@ -163,7 +166,7 @@ See "Random State Options" in \fBopenssl\fR\|(1) for more information.
The name of an EGD socket to get random data from. (Optional)
.IP "\fIrequest\fR ..." 4
.IX Item "request ..."
-List of files containing RFC 3161 DER-encoded timestamp requests. If no
+List of files containing RFC 3161 DER\-encoded timestamp requests. If no
requests are specified only one request will be sent to the server and it will
be read from the standard input.
(Optional)
@@ -211,7 +214,7 @@ authentication:
\& \-C cacerts.pem file1.tsq
.Ve
.PP
-Get a timestamp response for \fIfile1.tsq\fR over HTTPS with certificate-based
+Get a timestamp response for \fIfile1.tsq\fR over HTTPS with certificate\-based
client authentication (it will ask for the passphrase if \fIclient_key.pem\fR is
protected):
.PP