diff options
author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2008-09-21 14:56:30 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2008-09-21 14:56:30 +0000 |
commit | bb1499d2aac1d25a95b8573ff425751f06f159e1 (patch) | |
tree | a136b5b2317abe8eb83b021afe5e088230fd67e2 /doc | |
parent | ee266f1253f9cc49430572463d26f72910dfb49e (diff) | |
download | src-test2-bb1499d2aac1d25a95b8573ff425751f06f159e1.tar.gz src-test2-bb1499d2aac1d25a95b8573ff425751f06f159e1.zip |
Notes
Diffstat (limited to 'doc')
-rw-r--r-- | doc/apps/ciphers.pod | 34 | ||||
-rw-r--r-- | doc/apps/dgst.pod | 5 | ||||
-rw-r--r-- | doc/apps/enc.pod | 8 | ||||
-rw-r--r-- | doc/apps/ocsp.pod | 8 | ||||
-rw-r--r-- | doc/apps/openssl.pod | 16 | ||||
-rw-r--r-- | doc/apps/rsautl.pod | 2 | ||||
-rw-r--r-- | doc/apps/s_client.pod | 31 | ||||
-rw-r--r-- | doc/apps/s_server.pod | 21 | ||||
-rw-r--r-- | doc/apps/verify.pod | 2 | ||||
-rw-r--r-- | doc/c-indentation.el | 1 | ||||
-rw-r--r-- | doc/crypto/ASN1_generate_nconf.pod | 35 | ||||
-rw-r--r-- | doc/crypto/DH_set_method.pod | 2 | ||||
-rw-r--r-- | doc/crypto/DSA_set_method.pod | 2 | ||||
-rw-r--r-- | doc/crypto/OPENSSL_ia32cap.pod | 36 | ||||
-rw-r--r-- | doc/crypto/RAND_bytes.pod | 3 | ||||
-rw-r--r-- | doc/crypto/RAND_set_rand_method.pod | 2 | ||||
-rw-r--r-- | doc/crypto/RSA_set_method.pod | 2 | ||||
-rw-r--r-- | doc/crypto/X509_NAME_print_ex.pod | 4 | ||||
-rw-r--r-- | doc/crypto/des_modes.pod | 2 | ||||
-rw-r--r-- | doc/crypto/engine.pod | 6 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 9 | ||||
-rw-r--r-- | doc/ssl/SSL_read.pod | 6 | ||||
-rw-r--r-- | doc/standards.txt | 9 |
23 files changed, 194 insertions, 52 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index e16eadef21ee..694e433ef392 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -105,7 +105,7 @@ The following is a list of all permitted cipher strings and their meanings. =item B<DEFAULT> the default cipher list. This is determined at compile time and is normally -B<ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH>. This must be the first cipher string +B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string specified. =item B<COMPLEMENTOFDEFAULT> @@ -209,6 +209,10 @@ anonymous DH cipher suites. cipher suites using AES. +=item B<CAMELLIA> + +cipher suites using Camellia. + =item B<3DES> cipher suites using triple DES. @@ -229,6 +233,10 @@ cipher suites using RC2. cipher suites using IDEA. +=item B<SEED> + +cipher suites using SEED. + =item B<MD5> cipher suites using MD5. @@ -237,10 +245,6 @@ cipher suites using MD5. cipher suites using SHA1. -=item B<Camellia> - -cipher suites using Camellia. - =back =head1 CIPHER SUITE NAMES @@ -323,10 +327,10 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA - TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA - TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA - TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA - TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA + TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented. + TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented. + TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented. + TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented. TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA @@ -354,6 +358,18 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA +=head2 SEED ciphersuites from RFC4162, extending TLS v1.0 + + TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA + + TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented. + TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented. + + TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE-DSS-SEED-SHA + TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE-RSA-SEED-SHA + + TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA + =head2 Additional Export 1024 and other cipher suites Note: these ciphers can also be used in SSL v3. diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index b0d198724c6b..908cd2a6d657 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod @@ -18,6 +18,7 @@ B<openssl> B<dgst> [B<-verify filename>] [B<-prverify filename>] [B<-signature filename>] +[B<-hmac key>] [B<file...>] [B<md5|md4|md2|sha1|sha|mdc2|ripemd160>] @@ -78,6 +79,10 @@ verify the signature using the the private key in "filename". the actual signature to verify. +=item B<-hmac key> + +create a hashed MAC using "key". + =item B<-rand file(s)> a file or files containing random data used to seed the random number diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index c43da5b3f1ee..4391c933600f 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -227,6 +227,14 @@ Blowfish and RC5 algorithms use a 128 bit key. rc5-ecb RC5 cipher in ECB mode rc5-ofb RC5 cipher in OFB mode + aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode + aes-[128|192|256] Alias for aes-[128|192|256]-cbc + aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode + aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode + aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode + aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode + aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode + =head1 EXAMPLES Just base64 encode a binary file: diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 4f266058e536..b58ddc1788cb 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -73,7 +73,7 @@ specify output filename, default is standard output. This specifies the current issuer certificate. This option can be used multiple times. The certificate specified in B<filename> must be in -PEM format. +PEM format. This option B<MUST> come before any B<-cert> options. =item B<-cert filename> @@ -146,7 +146,7 @@ certificate in such cases. =item B<-trust_other> -the certificates specified by the B<-verify_certs> option should be explicitly +the certificates specified by the B<-verify_other> option should be explicitly trusted and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate. @@ -154,7 +154,7 @@ root CA is not appropriate. =item B<-VAfile file> file containing explicitly trusted responder certificates. Equivalent to the -B<-verify_certs> and B<-trust_other> options. +B<-verify_other> and B<-trust_other> options. =item B<-noverify> @@ -166,7 +166,7 @@ of the responders certificate. ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified -with either the B<-verify_certs> or B<-VAfile> options. +with either the B<-verify_other> or B<-VAfile> options. =item B<-no_signature_verify> diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod index dc0f49ddca63..964cdf0f027d 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/openssl.pod @@ -227,6 +227,22 @@ SHA Digest SHA-1 Digest +=item B<sha224> + +SHA-224 Digest + +=item B<sha256> + +SHA-256 Digest + +=item B<sha384> + +SHA-384 Digest + +=item B<sha512> + +SHA-512 Digest + =back =head2 ENCODING AND CIPHER COMMANDS diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod index a7c1681d9859..1a498c2f62e0 100644 --- a/doc/apps/rsautl.pod +++ b/doc/apps/rsautl.pod @@ -152,7 +152,7 @@ The final BIT STRING contains the actual signature. It can be extracted with: The certificate public key can be extracted with: - openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem + openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem The signature can be analysed with: diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index c17a83a22581..c44d357cf754 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -38,6 +38,10 @@ B<openssl> B<s_client> [B<-cipher cipherlist>] [B<-starttls protocol>] [B<-engine id>] +[B<-tlsextdebug>] +[B<-no_ticket>] +[B<-sess_out filename>] +[B<-sess_in filename>] [B<-rand file(s)>] =head1 DESCRIPTION @@ -186,6 +190,26 @@ send the protocol-specific message(s) to switch to TLS for communication. B<protocol> is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp". +=item B<-tlsextdebug> + +print out a hex dump of any TLS extensions received from the server. Note: this +option is only available if extension support is explicitly enabled at compile +time + +=item B<-no_ticket> + +disable RFC4507bis session ticket support. Note: this option is only available +if extension support is explicitly enabled at compile time + +=item B<-sess_out filename> + +output SSL session to B<filename> + +=item B<-sess_in sess.pem> + +load SSL session from B<filename>. The client will attempt to resume a +connection from this session. + =item B<-engine id> specifying an engine (by it's unique B<id> string) will cause B<s_client> @@ -246,6 +270,13 @@ on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. +Since the SSLv23 client hello cannot include compression methods or extensions +these will only be supported if its use is disabled, for example by using the +B<-no_sslv2> option. + +TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly +enabled at compile time using for example the B<enable-tlsext> switch. + =head1 BUGS Because this program has a lot of options and also because some of diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 7c1a9581d961..fdcc170e2832 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -12,6 +12,8 @@ B<openssl> B<s_server> [B<-context id>] [B<-verify depth>] [B<-Verify depth>] +[B<-crl_check>] +[B<-crl_check_all>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key keyfile>] @@ -48,6 +50,8 @@ B<openssl> B<s_server> [B<-WWW>] [B<-HTTP>] [B<-engine id>] +[B<-tlsextdebug>] +[B<-no_ticket>] [B<-id_prefix arg>] [B<-rand file(s)>] @@ -140,6 +144,12 @@ the client. With the B<-verify> option a certificate is requested but the client does not have to send one, with the B<-Verify> option the client must supply a certificate or an error occurs. +=item B<-crl_check>, B<-crl_check_all> + +Check the peer certificate has not been revoked by its CA. +The CRL(s) are appended to the certificate file. With the B<-crl_check_all> +option all CRLs of all CAs in the chain are checked. + =item B<-CApath directory> The directory to use for client certificate verification. This directory @@ -205,6 +215,14 @@ also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist irrelevant. See the B<ciphers> command for more information. +=item B<-tlsextdebug> + +print out a hex dump of any TLS extensions received from the server. + +=item B<-no_ticket> + +disable RFC4507bis session ticket support. + =item B<-www> sends a status message back to the client when it connects. This includes @@ -307,6 +325,9 @@ mean any CA is acceptable. This is useful for debugging purposes. The session parameters can printed out using the B<sess_id> program. +TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly +enabled at compile time using for example the B<enable-tlsext> switch. + =head1 BUGS Because this program has a lot of options and also because some of diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index ea5c29c15021..ff2629d2cf85 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -169,7 +169,7 @@ the operation was successful. the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found. -=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL> +=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> the CRL of a certificate could not be found. Unused. diff --git a/doc/c-indentation.el b/doc/c-indentation.el index cbf01cb1720a..90861d397978 100644 --- a/doc/c-indentation.el +++ b/doc/c-indentation.el @@ -20,6 +20,7 @@ (c-add-style "eay" '((c-basic-offset . 8) + (indent-tabs-mode . t) (c-comment-only-line-offset . 0) (c-hanging-braces-alist) (c-offsets-alist . ((defun-open . +) diff --git a/doc/crypto/ASN1_generate_nconf.pod b/doc/crypto/ASN1_generate_nconf.pod index ba6e3c2e8140..1157cff510d6 100644 --- a/doc/crypto/ASN1_generate_nconf.pod +++ b/doc/crypto/ASN1_generate_nconf.pod @@ -28,7 +28,11 @@ The actual data encoded is determined by the string B<str> and the configuration information. The general format of the string is: - B<[modifier,]type[:value]> +=over 2 + +=item B<[modifier,]type[:value]> + +=back That is zero or more comma separated modifiers followed by a type followed by an optional colon and a value. The formats of B<type>, @@ -81,13 +85,13 @@ the format B<YYYYMMDDHHMMSSZ>. =item B<OCTETSTRING>, B<OCT> -Emcodes an ASN1 B<OCTET STRING>. B<value> represents the contents +Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents of this structure, the format strings B<ASCII> and B<HEX> can be used to specify the format of B<value>. -=item B<BITSRING>, B<BITSTR> +=item B<BITSTRING>, B<BITSTR> -Emcodes an ASN1 B<BIT STRING>. B<value> represents the contents +Encodes an ASN1 B<BIT STRING>. B<value> represents the contents of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST> can be used to specify the format of B<value>. @@ -147,10 +151,11 @@ bits is set to zero. This specifies the format of the ultimate value. It should be followed by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>. -If no format specifier is included then B<ASCII> is used. If B<UTF8> is specified -then the value string must be a valid B<UTF8> string. For B<HEX> the output must -be a set of hex digits. B<BITLIST> (which is only valid for a BIT STRING) is a -comma separated list of set bits. +If no format specifier is included then B<ASCII> is used. If B<UTF8> is +specified then the value string must be a valid B<UTF8> string. For B<HEX> the +output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT +STRING) is a comma separated list of the indices of the set bits, all other +bits are zero. =back @@ -168,16 +173,20 @@ An IA5String explicitly tagged using APPLICATION tagging: EXPLICIT:0A,IA5STRING:Hello World +A BITSTRING with bits 1 and 5 set and all others zero: + + FORMAT=BITLIST,BITSTRING:1,5 + A more complex example using a config file to produce a SEQUENCE consiting of a BOOL an OID and a UTF8String: -asn1 = SEQUENCE:seq_section + asn1 = SEQUENCE:seq_section -[seq_section] + [seq_section] -field1 = BOOLEAN:TRUE -field2 = OID:commonName -field3 = UTF8:Third field + field1 = BOOLEAN:TRUE + field2 = OID:commonName + field3 = UTF8:Third field This example produces an RSAPrivateKey structure, this is the key contained in the file client.pem in all OpenSSL distributions diff --git a/doc/crypto/DH_set_method.pod b/doc/crypto/DH_set_method.pod index 73261fc4675d..d5cdc3be0ce6 100644 --- a/doc/crypto/DH_set_method.pod +++ b/doc/crypto/DH_set_method.pod @@ -36,7 +36,7 @@ structures created later. B<NB>: This is true only whilst no ENGINE has been set as a default for DH, so this function is no longer recommended. DH_get_default_method() returns a pointer to the current default DH_METHOD. -However, the meaningfulness of this result is dependant on whether the ENGINE +However, the meaningfulness of this result is dependent on whether the ENGINE API is being used, so this function is no longer recommended. DH_set_method() selects B<meth> to perform all operations using the key B<dh>. diff --git a/doc/crypto/DSA_set_method.pod b/doc/crypto/DSA_set_method.pod index bc3cfb1f0a78..9c1434bd8d42 100644 --- a/doc/crypto/DSA_set_method.pod +++ b/doc/crypto/DSA_set_method.pod @@ -36,7 +36,7 @@ structures created later. B<NB>: This is true only whilst no ENGINE has been set as a default for DSA, so this function is no longer recommended. DSA_get_default_method() returns a pointer to the current default -DSA_METHOD. However, the meaningfulness of this result is dependant on +DSA_METHOD. However, the meaningfulness of this result is dependent on whether the ENGINE API is being used, so this function is no longer recommended. diff --git a/doc/crypto/OPENSSL_ia32cap.pod b/doc/crypto/OPENSSL_ia32cap.pod index 121a8ddee5e1..2e659d34a5c4 100644 --- a/doc/crypto/OPENSSL_ia32cap.pod +++ b/doc/crypto/OPENSSL_ia32cap.pod @@ -17,19 +17,27 @@ register after executing CPUID instruction with EAX=1 input value (see Intel Application Note #241618). Naturally it's meaningful on IA-32[E] platforms only. The variable is normally set up automatically upon toolkit initialization, but can be manipulated afterwards to modify -crypto library behaviour. For the moment of this writing three bits are -significant, namely bit #28 denoting Hyperthreading, which is used to -distinguish Intel P4 core, bit #26 denoting SSE2 support, and bit #4 -denoting presence of Time-Stamp Counter. Clearing bit #26 at run-time -for example disables high-performance SSE2 code present in the crypto -library. You might have to do this if target OpenSSL application is -executed on SSE2 capable CPU, but under control of OS which does not -support SSE2 extentions. Even though you can manipulate the value -programmatically, you most likely will find it more appropriate to set -up an environment variable with the same name prior starting target -application, e.g. 'env OPENSSL_ia32cap=0x10 apps/openssl', to achieve -same effect without modifying the application source code. -Alternatively you can reconfigure the toolkit with no-sse2 option and -recompile. +crypto library behaviour. For the moment of this writing six bits are +significant, namely: + +1. bit #28 denoting Hyperthreading, which is used to distiguish + cores with shared cache; +2. bit #26 denoting SSE2 support; +3. bit #25 denoting SSE support; +4. bit #23 denoting MMX support; +5. bit #20, reserved by Intel, is used to choose between RC4 code + pathes; +6. bit #4 denoting presence of Time-Stamp Counter. + +For example, clearing bit #26 at run-time disables high-performance +SSE2 code present in the crypto library. You might have to do this if +target OpenSSL application is executed on SSE2 capable CPU, but under +control of OS which does not support SSE2 extentions. Even though you +can manipulate the value programmatically, you most likely will find it +more appropriate to set up an environment variable with the same name +prior starting target application, e.g. on Intel P4 processor 'env +OPENSSL_ia32cap=0x12900010 apps/openssl', to achieve same effect +without modifying the application source code. Alternatively you can +reconfigure the toolkit with no-sse2 option and recompile. =cut diff --git a/doc/crypto/RAND_bytes.pod b/doc/crypto/RAND_bytes.pod index ce6329ce54af..1a9b91e28144 100644 --- a/doc/crypto/RAND_bytes.pod +++ b/doc/crypto/RAND_bytes.pod @@ -25,6 +25,9 @@ unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. +The contents of B<buf> is mixed into the entropy pool before retrieving +the new pseudo-random bytes unless disabled at compile time (see FAQ). + =head1 RETURN VALUES RAND_bytes() returns 1 on success, 0 otherwise. The error code can be diff --git a/doc/crypto/RAND_set_rand_method.pod b/doc/crypto/RAND_set_rand_method.pod index c9bb6d9f27b3..e5b780fad06b 100644 --- a/doc/crypto/RAND_set_rand_method.pod +++ b/doc/crypto/RAND_set_rand_method.pod @@ -30,7 +30,7 @@ true only whilst no ENGINE has been set as a default for RAND, so this function is no longer recommended. RAND_get_default_method() returns a pointer to the current RAND_METHOD. -However, the meaningfulness of this result is dependant on whether the ENGINE +However, the meaningfulness of this result is dependent on whether the ENGINE API is being used, so this function is no longer recommended. =head1 THE RAND_METHOD STRUCTURE diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod index 0a305f6b140d..2c963d7e5bba 100644 --- a/doc/crypto/RSA_set_method.pod +++ b/doc/crypto/RSA_set_method.pod @@ -42,7 +42,7 @@ structures created later. B<NB>: This is true only whilst no ENGINE has been set as a default for RSA, so this function is no longer recommended. RSA_get_default_method() returns a pointer to the current default -RSA_METHOD. However, the meaningfulness of this result is dependant on +RSA_METHOD. However, the meaningfulness of this result is dependent on whether the ENGINE API is being used, so this function is no longer recommended. diff --git a/doc/crypto/X509_NAME_print_ex.pod b/doc/crypto/X509_NAME_print_ex.pod index 919b90891937..2579a5dc9dc6 100644 --- a/doc/crypto/X509_NAME_print_ex.pod +++ b/doc/crypto/X509_NAME_print_ex.pod @@ -86,10 +86,10 @@ is equivalent to: B<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS> -B<XN_FLAG_ONELINE> is a more readable one line format it is the same as: +B<XN_FLAG_ONELINE> is a more readable one line format which is the same as: B<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN> -B<XN_FLAG_MULTILINE> is a multiline format is is the same as: +B<XN_FLAG_MULTILINE> is a multiline format which is the same as: B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN> B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls X509_NAME_print() internally. diff --git a/doc/crypto/des_modes.pod b/doc/crypto/des_modes.pod index 02664036fc6c..e883ca8fde86 100644 --- a/doc/crypto/des_modes.pod +++ b/doc/crypto/des_modes.pod @@ -4,7 +4,7 @@ =head1 NAME -Modes of DES - the variants of DES and other crypto algorithms of OpenSSL +des_modes - the variants of DES and other crypto algorithms of OpenSSL =head1 DESCRIPTION diff --git a/doc/crypto/engine.pod b/doc/crypto/engine.pod index 75933fccadc5..f5ab1c3e50fd 100644 --- a/doc/crypto/engine.pod +++ b/doc/crypto/engine.pod @@ -183,7 +183,7 @@ Due to the modular nature of the ENGINE API, pointers to ENGINEs need to be treated as handles - ie. not only as pointers, but also as references to the underlying ENGINE object. Ie. one should obtain a new reference when making copies of an ENGINE pointer if the copies will be used (and -released) independantly. +released) independently. ENGINE objects have two levels of reference-counting to match the way in which the objects are used. At the most basic level, each ENGINE pointer is @@ -200,7 +200,7 @@ B<functional> reference. This kind of reference can be considered a specialised form of structural reference, because each functional reference implicitly contains a structural reference as well - however to avoid difficult-to-find programming bugs, it is recommended to treat the two -kinds of reference independantly. If you have a functional reference to an +kinds of reference independently. If you have a functional reference to an ENGINE, you have a guarantee that the ENGINE has been initialised ready to perform cryptographic operations and will remain uninitialised until after you have released your reference. @@ -587,7 +587,7 @@ extension). The ENGINE API and internal architecture is currently being reviewed. Slated for possible release in 0.9.8 is support for transparent loading of "dynamic" ENGINEs (built as self-contained shared-libraries). This would allow ENGINE -implementations to be provided independantly of OpenSSL libraries and/or +implementations to be provided independently of OpenSSL libraries and/or OpenSSL-based applications, and would also remove any requirement for applications to explicitly use the "dynamic" ENGINE to bind to shared-library implementations. diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index fa63263601c8..eaed19080975 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -201,6 +201,15 @@ When performing renegotiation as a server, always start a new session (i.e., session resumption requests are only accepted in the initial handshake). This option is not needed for clients. +=item SSL_OP_NO_TICKET + +Normally clients and servers will, where possible, transparently make use +of RFC4507bis tickets for stateless session resumption if extension support +is explicitly set when OpenSSL is compiled. + +If this option is set this functionality is disabled and tickets will +not be used by clients or servers. + =back =head1 RETURN VALUES diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index f6c37f77e491..7038cd2d7520 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod @@ -64,6 +64,11 @@ non-blocking socket, nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +L<SSL_pending(3)|SSL_pending(3)> can be used to find out whether there +are buffered bytes available for immediate retrieval. In this case +SSL_read() can be called without blocking or actually receiving new +data from the underlying socket. + =head1 WARNING When an SSL_read() operation has to be repeated because of @@ -112,6 +117,7 @@ L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>, L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)> L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>, +L<SSL_pending(3)|SSL_pending(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> diff --git a/doc/standards.txt b/doc/standards.txt index bda55d1581ad..a5ce778f8e6e 100644 --- a/doc/standards.txt +++ b/doc/standards.txt @@ -100,6 +100,15 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0. (TLS). S. Moriai, A. Kato, M. Kanda. July 2005. (Format: TXT=13590 bytes) (Status: PROPOSED STANDARD) +4162 Addition of SEED Cipher Suites to Transport Layer Security (TLS). + H.J. Lee, J.H. Yoon, J.I. Lee. August 2005. (Format: TXT=10578 bytes) + (Status: PROPOSED STANDARD) + +4269 The SEED Encryption Algorithm. H.J. Lee, S.J. Lee, J.H. Yoon, + D.H. Cheon, J.I. Lee. December 2005. (Format: TXT=34390 bytes) + (Obsoletes RFC4009) (Status: INFORMATIONAL) + + Related: -------- |