=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.80 retrieving revision 1.81 diff -c -r1.80 -r1.81 *** src/usr.bin/openssl/openssl.1 2016/09/22 13:30:49 1.80 --- src/usr.bin/openssl/openssl.1 2016/09/22 13:44:02 1.81 *************** *** 1,4 **** ! .\" $OpenBSD: openssl.1,v 1.80 2016/09/22 13:30:49 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" --- 1,4 ---- ! .\" $OpenBSD: openssl.1,v 1.81 2016/09/22 13:44:02 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" *************** *** 318,324 **** .Op Fl infiles .Op Fl key Ar keyfile .Op Fl keyfile Ar arg ! .Op Fl keyform Ar PEM .Op Fl md Ar arg .Op Fl msie_hack .Op Fl name Ar section --- 318,324 ---- .Op Fl infiles .Op Fl key Ar keyfile .Op Fl keyfile Ar arg ! .Op Fl keyform Ar pem .Op Fl md Ar arg .Op Fl msie_hack .Op Fl name Ar section *************** *** 393,399 **** this option should be used with caution. .It Fl keyfile Ar file The private key to sign requests with. ! .It Fl keyform Ar PEM Private key file format. .It Fl md Ar alg The message digest to use. --- 393,399 ---- this option should be used with caution. .It Fl keyfile Ar file The private key to sign requests with. ! .It Fl keyform Ar pem Private key file format. .It Fl md Ar alg The message digest to use. *************** *** 545,558 **** of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created; if the CRL extension section is present ! .Pq even if it is empty then a V2 CRL is created. ! The CRL extensions specified are CRL extensions and ! .Em not ! CRL entry extensions. ! It should be noted that some software ! .Pq for example Netscape ! can't handle V2 CRLs. 
.It Fl crlhours Ar num The number of hours before the next CRL is due. .It Fl gencrl --- 545,554 ---- of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created; if the CRL extension section is present ! (even if it is empty) then a V2 CRL is created. ! The CRL extensions specified are CRL extensions and not CRL entry extensions. ! It should be noted that some software can't handle V2 CRLs. .It Fl crlhours Ar num The number of hours before the next CRL is due. .It Fl gencrl *************** *** 725,733 **** If neither option is present, the format used in earlier versions of .Nm openssl is used. ! Use of the old format is ! .Em strongly ! discouraged because it only displays fields mentioned in the .Cm policy section, mishandles multicharacter string types and does not display extensions. --- 721,728 ---- If neither option is present, the format used in earlier versions of .Nm openssl is used. ! Use of the old format is strongly discouraged ! because it only displays fields mentioned in the .Cm policy section, mishandles multicharacter string types and does not display extensions. *************** *** 1697,1705 **** Disable standard block padding. .It Fl nosalt Don't use a salt in the key derivation routines. ! This option should ! .Em NEVER ! be used since it makes it possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. .It Fl out Ar file --- 1692,1698 ---- Disable standard block padding. .It Fl nosalt Don't use a salt in the key derivation routines. ! This option should never be used since it makes it possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. .It Fl out Ar file *************** *** 2064,2073 **** .Pa / by default. .It Fl issuer Ar file ! The current issuer certificate, ! in PEM format. ! Can be used multiple times ! and must come before any .Fl cert options. 
.It Fl no_cert_checks --- 2057,2064 ---- .Pa / by default. .It Fl issuer Ar file ! The current issuer certificate, in PEM format. ! Can be used multiple times and must come before any .Fl cert options. .It Fl no_cert_checks *************** *** 2306,2317 **** which can give details about multiple CAs and has its own separate certificate chain, then its root CA can be trusted for OCSP signing. - For example: - .Bd -literal -offset indent - $ openssl x509 -in ocspCA.pem -addtrust OCSPSigning \e - -out trustedCA.pem - .Ed - .Pp Alternatively, the responder certificate itself can be explicitly trusted with the .Fl VAfile --- 2297,2302 ---- *************** *** 2655,2662 **** Create a PKCS#12 file (rather than parsing one). .It Fl in Ar file The input file to read from, ! or standard input if not specified, ! in PEM format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present, they will also be included --- 2640,2646 ---- Create a PKCS#12 file (rather than parsing one). .It Fl in Ar file The input file to read from, ! or standard input if not specified. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present, they will also be included *************** *** 2692,2699 **** Don't attempt to provide the MAC integrity. .It Fl nomaciter , noiter Affect the iteration counts on the MAC and key algorithms. - Unless you wish to produce files compatible with MSIE 4.0, you should leave - these options alone. .Pp To discourage attacks by using large dictionaries of common passwords, the algorithm that derives keys from passwords can have an iteration count --- 2676,2681 ---- *************** *** 2706,2714 **** Since this reduces the file security you should not use these options unless you really have to. Most software supports both MAC and key iteration counts. 
- MSIE 4.0 doesn't support MAC iteration counts, so it needs the - .Fl nomaciter - option. .It Fl out Ar file The output file to write to, or standard output if not specified. --- 2688,2693 ---- *************** *** 3015,3023 **** The options are as follows: .Bl -tag -width Ds .It Fl base64 ! Perform ! .Em base64 ! encoding on the output. .It Fl hex Specify hexadecimal output. .It Fl out Ar file --- 2994,3000 ---- The options are as follows: .Bl -tag -width Ds .It Fl base64 ! Perform base64 encoding on the output. .It Fl hex Specify hexadecimal output. .It Fl out Ar file *************** *** 3108,3114 **** The format of the private key file specified in the .Fl key argument. ! The default is PEM. .It Fl keyout Ar file The file to write the newly created private key to. If this option is not specified, --- 3085,3092 ---- The format of the private key file specified in the .Fl key argument. ! The default is ! .Cm pem . .It Fl keyout Ar file The file to write the newly created private key to. If this option is not specified, *************** *** 3974,3983 **** Generate SSL/TLS session IDs prefixed by .Ar arg . This is mostly useful for testing any SSL/TLS code ! (e.g. proxies) ! that wish to deal with multiple servers, when each of which might be ! generating a unique range of session IDs ! (e.g. with a certain prefix). .It Fl key Ar keyfile The private key to use. If not specified, the certificate file will be used. --- 3952,3959 ---- Generate SSL/TLS session IDs prefixed by .Ar arg . This is mostly useful for testing any SSL/TLS code ! that wish to deal with multiple servers, ! when each of which might be generating a unique range of session IDs. .It Fl key Ar keyfile The private key to use. If not specified, the certificate file will be used. *************** *** 6055,6063 **** .It Ev OPENSSL_CONF The location of the master configuration file. 
.El - .\" - .\" FILES - .\" .Sh FILES .Bl -tag -width "/etc/ssl/openssl.cnf" -compact .It Pa /etc/ssl/ --- 6031,6036 ---- *************** *** 6075,6083 **** .Nm x509 certificates. .El - .\" - .\" SEE ALSO - .\" .Sh SEE ALSO .Xr acme-client 1 , .Xr nc 1 , --- 6048,6053 ----
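
Review bot: The literal value is marked up inconsistently: the hunks at 318 and 393 write ".Op Fl keyform Ar pem" and ".It Fl keyform Ar pem", while the hunk at 3108 in this same change writes the value as ".Cm pem". Ar is the macro for a placeholder argument, so a fixed keyword reads better as "Fl keyform Cm pem" in all three places. The description "Private key file format." could also say that pem is the value being documented, since the synopsis now shows it as a literal.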
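
Review bot: In the hunk at 545, the sentence "It should be noted that some software can't handle V2 CRLs." no longer names any software once the Netscape example is removed, so the reader has nothing to act on. Either drop the sentence, or tie it to the choice the preceding lines describe: omitting the CRL extension section yields a V1 CRL, and that is the setting to use for consumers that cannot parse V2.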
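
Review bot: The hunk at 2306 deletes the only mention of how the root CA is marked as trusted, leaving "then its root CA can be trusted for OCSP signing." with no mechanism, while the alternative that follows still names its option (-VAfile). Keep a one-line pointer to the x509 -addtrust OCSPSigning option that the deleted example used, even if the full command line is dropped.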
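
Review bot: The hunk at 2655 removes "in PEM format" from the -in description, so the text no longer says what encoding the private key and certificates must be supplied in, whereas the -issuer text in the hunk at 2064 keeps "in PEM format". If the input format is unchanged, keep it in the sentence, for example "The input file to read from, in PEM format, or standard input if not specified."; if it was removed because it is wrong, the commit message should say so.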
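
Review bot: With both MSIE 4.0 sentences removed in the hunks at 2692 and 2706, the remaining text still says "you should not use these options unless you really have to" but gives no case in which a reader would have to. Since these options reduce file security, state the remaining reason in general terms (interoperability with software that lacks iteration count support, as "Most software supports both MAC and key iteration counts." implies) or drop the "unless you really have to" clause. Note also that ".Op Fl msie_hack" is still present in the context lines of the hunk at 318, so the MSIE-specific material is not removed consistently.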
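
Review bot: The rewritten lines in the hunk at 3974 carry over two grammar errors: "any SSL/TLS code that wish to deal with multiple servers" should use "wishes", and "when each of which might be generating" does not parse. Since the lines are being touched anyway, suggest "that wishes to deal with multiple servers, each of which might be generating a unique range of session IDs." Dropping "(e.g. with a certain prefix)" is fine because the first line already says the IDs are prefixed by arg.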