Diffstat (limited to 'secure/usr.bin/openssl/man/verify.1')
-rw-r--r-- | secure/usr.bin/openssl/man/verify.1 | 61 |
1 files changed, 38 insertions, 23 deletions
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1 index fd4477bc55ea..a7ff1da6b11a 100644 --- a/secure/usr.bin/openssl/man/verify.1 +++ b/secure/usr.bin/openssl/man/verify.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23) +.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== @@ -38,6 +38,8 @@ . ds PI \(*p . ds L" `` . ds R" '' +. ds C` +. ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. @@ -48,17 +50,24 @@ .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX .. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} .\} +.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -124,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "VERIFY 1" -.TH VERIFY 1 "2013-02-11" "1.0.1e" "OpenSSL" +.TH VERIFY 1 "2015-01-15" "1.0.1l" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -152,6 +161,7 @@ verify \- Utility to verify certificates. [\fB\-untrusted file\fR] [\fB\-help\fR] [\fB\-issuer_checks\fR] +[\fB\-attime timestamp\fR] [\fB\-verbose\fR] [\fB\-\fR] [certificates] 
@@ -167,12 +177,12 @@ of the form: hash.0 or have symbolic links to them of this form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically create symbolic links to a directory of certificates. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" -A file of trusted certificates. The file should contain multiple certificates -in \s-1PEM\s0 format concatenated together. +.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4 +.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together." +.PD 0 .IP "\fB\-untrusted file\fR" 4 .IX Item "-untrusted file" +.PD A file of untrusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together. .IP "\fB\-purpose purpose\fR" 4 @@ -180,7 +190,7 @@ in \s-1PEM\s0 format concatenated together. The intended use for the certificate. If this option is not specified, \&\fBverify\fR will not consider certificate purpose during chain verification. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR, -\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR section for more +\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more information. .IP "\fB\-help\fR" 4 .IX Item "-help" 
@@ -195,6 +205,11 @@ current certificate. This shows why each candidate issuer certificate was rejected. The presence of rejection messages does not itself imply that anything is wrong; during the normal verification process, several rejections may take place. +.IP "\fB\-attime timestamp\fR" 4 +.IX Item "-attime timestamp" +Perform validation checks using time specified by \fBtimestamp\fR and not +current system time. \fBtimestamp\fR is the number of seconds since +01.01.1970 (\s-1UNIX\s0 time). .IP "\fB\-policy arg\fR" 4 .IX Item "-policy arg" Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see @@ -217,7 +232,7 @@ Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0). Print out diagnostics related to policy processing. .IP "\fB\-crl_check\fR" 4 .IX Item "-crl_check" -Checks end entity certificate validity by attempting to look up a valid \s-1CRL\s0. +Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 If a valid \s-1CRL\s0 cannot be found an error occurs. .IP "\fB\-crl_check_all\fR" 4 .IX Item "-crl_check_all" @@ -241,7 +256,7 @@ signing keys. Enable support for delta CRLs. .IP "\fB\-check_ss_sig\fR" 4 .IX Item "-check_ss_sig" -Verify the signature on the self-signed root \s-1CA\s0. This is disabled by default +Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default because it doesn't add any security. .IP "\fB\-\fR" 4 .IX Item "-" 
@@ -268,10 +283,10 @@ determined. The verify operation consists of a number of separate steps. .PP Firstly a certificate chain is built up starting from the supplied certificate -and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built +and ending in the root \s-1CA.\s0 It is an error if the whole chain cannot be built up. The chain is built up by looking up the issuers certificate of the current certificate. If a certificate is found which is its own issuer it is assumed -to be the root \s-1CA\s0. +to be the root \s-1CA.\s0 .PP The process of 'looking up the issuers certificate' itself involves a number of steps. In versions of OpenSSL before 0.9.5a the first certificate whose @@ -295,9 +310,9 @@ consistency with the supplied purpose. If the \fB\-purpose\fR option is not incl then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions compatible with the supplied purpose and all other certificates must also be valid \&\s-1CA\s0 certificates. The precise extensions required are described in more detail in -the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility. +the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility. .PP -The third operation is to check the trust settings on the root \s-1CA\s0. The root +The third operation is to check the trust settings on the root \s-1CA.\s0 The root \&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous versions of SSLeay and OpenSSL a certificate with no trust settings is considered to be valid for all purposes. 
@@ -447,8 +462,8 @@ does not permit certificate signing. an application specific error. Unused. .SH "BUGS" .IX Header "BUGS" -Although the issuer checks are a considerably improvement over the old technique they still -suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that +Although the issuer checks are a considerable improvement over the old technique they still +suffer from limitations in the underlying X509_LOOKUP \s-1API.\s0 One consequence of this is that trusted certificates with matching subject name must either appear in a file (as specified by the \&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only the certificates in the file will be recognised. |
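Review bot: in the hunk at @@ -167,12 +177,12 @@ the entire \-CAfile description has been folded into the .IP tag and the .IX entry, and the added .PD 0 / .PD pair now stacks \-CAfile directly on top of \-untrusted file. The only body paragraph left under the two items is "A file of untrusted certificates.", so the rendered page presents the trusted-store option as if it took untrusted certificates, which inverts the one distinction a reader of this section has to get right. This file is generated by Pod::Man, so the fix belongs in the POD source rather than here: presumably the \-CAfile item is missing the blank line between the item heading and its paragraph. Restore it and regenerate so that \-CAfile again gets its own .IP "\fB\-CAfile file\fR" 4 entry with the description as body text.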
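Review bot: the new \-attime entry in the hunk at @@ -195,6 +205,11 @@ writes the epoch as "01.01.1970", which is an ambiguous date format and names no time zone; state it as seconds since 1970-01-01 00:00:00 UTC. "using time specified by" should read "using the time specified by". Because this option replaces the current system time for "validation checks", the entry should also say which checks that covers (certificate validity periods only, or CRL validity as well), since the text as added does not.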
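Review bot: in the BUGS hunk at @@ -447,8 +462,8 @@ the unchanged context line "or a directory (as specified by \fB\-CApath\fR." still has an unclosed parenthesis. Since this change already touches the paragraph to fix "considerably", close it in the POD source at the same time so the line ends "\fB\-CApath\fR)." after regeneration.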