1 |
diff -Naurp libressl-2.3.1/apps/openssl/Makefile.am libressl-2.3.1.oden/apps/openssl/Makefile.am |
2 |
--- libressl-2.3.1/apps/openssl/Makefile.am 2015-11-24 12:08:52.422002611 +0100 |
3 |
+++ libressl-2.3.1.oden/apps/openssl/Makefile.am 2015-11-24 12:09:15.822646127 +0100 |
4 |
@@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.am.common |
5 |
|
6 |
bin_PROGRAMS = openssl |
7 |
|
8 |
-dist_man_MANS = openssl.1 |
9 |
+dist_man_MANS = libressl.1 |
10 |
|
11 |
openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) |
12 |
openssl_LDADD += $(top_builddir)/ssl/libssl.la |
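Review bot: `dist_man_MANS = libressl.1` names a file that nothing in the visible patch creates, since the third file section still edits `apps/openssl/openssl.1` in place. Unless a packaging step outside this patch renames it, the dist and install targets would presumably stop on the missing man source; the generated `Makefile.in` hunk carries the same assignment. `bin_PROGRAMS = openssl` is unchanged here, so as far as this patch shows the installed program is still `openssl`, while the page now documents `libressl` commands and `/etc/pki/tls/libressl.cnf` as the master configuration file. If the compiled-in default configuration path is not changed to match, administrators following the page would review and lock down a file the tool does not read. I would add a comment above the assignment, for example `# libressl.1 is openssl.1 renamed by <packaging step>; program name and default config path are set by <configure options>`, and confirm both against the actual build.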
13 |
diff -Naurp libressl-2.3.1/apps/openssl/Makefile.in libressl-2.3.1.oden/apps/openssl/Makefile.in |
14 |
--- libressl-2.3.1/apps/openssl/Makefile.in 2015-11-24 12:08:52.422002611 +0100 |
15 |
+++ libressl-2.3.1.oden/apps/openssl/Makefile.in 2015-11-24 12:09:39.398294495 +0100 |
16 |
@@ -376,7 +376,7 @@ top_builddir = @top_builddir@ |
17 |
top_srcdir = @top_srcdir@ |
18 |
AM_CFLAGS = |
19 |
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL |
20 |
-dist_man_MANS = openssl.1 |
21 |
+dist_man_MANS = libressl.1 |
22 |
openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) \ |
23 |
$(top_builddir)/ssl/libssl.la \ |
24 |
$(top_builddir)/crypto/libcrypto.la |
25 |
diff -Naurp libressl-2.3.1/apps/openssl/openssl.1 libressl-2.3.1.oden/apps/openssl/openssl.1 |
26 |
--- libressl-2.3.1/apps/openssl/openssl.1 2015-10-15 23:12:24.000000000 +0200 |
27 |
+++ libressl-2.3.1.oden/apps/openssl/openssl.1 2015-11-24 12:09:15.824646097 +0100 |
28 |
@@ -113,11 +113,11 @@ |
29 |
.\" OPENSSL |
30 |
.\" |
31 |
.Dd $Mdocdate: September 14 2015 $ |
32 |
-.Dt OPENSSL 1 |
33 |
+.Dt LibreSSL 1 |
34 |
.Os |
35 |
.Sh NAME |
36 |
-.Nm openssl |
37 |
-.Nd OpenSSL command line tool |
38 |
+.Nm libressl |
39 |
+.Nd LibreSSL command line tool |
40 |
.Sh SYNOPSIS |
41 |
.Nm |
42 |
.Cm command |
43 |
@@ -136,7 +136,7 @@ |
44 |
.Cm no- Ns Ar XXX |
45 |
.Op Ar arbitrary options |
46 |
.Sh DESCRIPTION |
47 |
-.Nm OpenSSL |
48 |
+.Nm LibreSSL |
49 |
is a cryptography toolkit implementing the Secure Sockets Layer |
50 |
.Pq SSL v3 |
51 |
and Transport Layer Security |
52 |
@@ -147,7 +147,7 @@ The |
53 |
.Nm |
54 |
program is a command line tool for using the various |
55 |
cryptography functions of |
56 |
-.Nm OpenSSL Ns Li 's |
57 |
+.Nm LibreSSL Ns Li 's |
58 |
.Em crypto |
59 |
library from the shell. |
60 |
It can be used for |
61 |
@@ -339,7 +339,7 @@ This implements a generic SSL/TLS client |
62 |
connection to a remote server speaking SSL/TLS. |
63 |
It's intended for testing purposes only and provides only rudimentary |
64 |
interface functionality but internally uses mostly all functionality of the |
65 |
-.Nm OpenSSL |
66 |
+.Nm LibreSSL |
67 |
.Em ssl |
68 |
library. |
69 |
.It Cm s_server |
70 |
@@ -347,7 +347,7 @@ This implements a generic SSL/TLS server |
71 |
clients speaking SSL/TLS. |
72 |
It's intended for testing purposes only and provides only rudimentary |
73 |
interface functionality but internally uses mostly all functionality of the |
74 |
-.Nm OpenSSL |
75 |
+.Nm LibreSSL |
76 |
.Em ssl |
77 |
library. |
78 |
It provides both an own command line oriented protocol for testing |
79 |
@@ -368,7 +368,7 @@ Time stamping authority tool (client/ser |
80 |
.It Cm verify |
81 |
X.509 certificate verification. |
82 |
.It Cm version |
83 |
-.Nm OpenSSL |
84 |
+.Nm LibreSSL |
85 |
version information. |
86 |
.It Cm x509 |
87 |
X.509 certificate data management. |
88 |
@@ -504,7 +504,7 @@ Read the password from standard input. |
89 |
.\" |
90 |
.Sh ASN1PARSE |
91 |
.nr nS 1 |
92 |
-.Nm "openssl asn1parse" |
93 |
+.Nm "libressl asn1parse" |
94 |
.Bk -words |
95 |
.Op Fl i |
96 |
.Op Fl dlimit Ar number |
97 |
@@ -650,7 +650,7 @@ BF0EDF2B4068058C7A947F52548DDF7E15E96B38 |
98 |
If an OID |
99 |
.Pq object identifier |
100 |
is not part of |
101 |
-.Nm OpenSSL Ns Li 's |
102 |
+.Nm LibreSSL Ns Li 's |
103 |
internal table it will be represented in |
104 |
numerical form |
105 |
.Pq for example 1.2.3.4 . |
106 |
@@ -673,11 +673,11 @@ Example: |
107 |
.Sh ASN1 EXAMPLES |
108 |
Parse a file: |
109 |
.Pp |
110 |
-.Dl $ openssl asn1parse -in file.pem |
111 |
+.Dl $ libressl asn1parse -in file.pem |
112 |
.Pp |
113 |
Parse a DER file: |
114 |
.Pp |
115 |
-.Dl $ openssl asn1parse -inform DER -in file.der |
116 |
+.Dl $ libressl asn1parse -inform DER -in file.der |
117 |
.Sh ASN1PARSE BUGS |
118 |
There should be options to change the format of output lines. |
119 |
The output of some ASN.1 types is not well handled |
120 |
@@ -687,7 +687,7 @@ The output of some ASN.1 types is not we |
121 |
.\" |
122 |
.Sh CA |
123 |
.nr nS 1 |
124 |
-.Nm "openssl ca" |
125 |
+.Nm "libressl ca" |
126 |
.Bk -words |
127 |
.Op Fl batch |
128 |
.Op Fl cert Ar file |
129 |
@@ -1217,23 +1217,23 @@ and the empty index file |
130 |
.Pp |
131 |
Sign a certificate request: |
132 |
.Pp |
133 |
-.Dl $ openssl ca -in req.pem -out newcert.pem |
134 |
+.Dl $ libressl ca -in req.pem -out newcert.pem |
135 |
.Pp |
136 |
Sign a certificate request, using CA extensions: |
137 |
.Pp |
138 |
-.Dl $ openssl ca -in req.pem -extensions v3_ca -out newcert.pem |
139 |
+.Dl $ libressl ca -in req.pem -extensions v3_ca -out newcert.pem |
140 |
.Pp |
141 |
Generate a CRL: |
142 |
.Pp |
143 |
-.Dl $ openssl ca -gencrl -out crl.pem |
144 |
+.Dl $ libressl ca -gencrl -out crl.pem |
145 |
.Pp |
146 |
Sign several requests: |
147 |
.Pp |
148 |
-.Dl $ openssl ca -infiles req1.pem req2.pem req3.pem |
149 |
+.Dl $ libressl ca -infiles req1.pem req2.pem req3.pem |
150 |
.Pp |
151 |
Certify a Netscape SPKAC: |
152 |
.Pp |
153 |
-.Dl $ openssl ca -spkac spkac.txt |
154 |
+.Dl $ libressl ca -spkac spkac.txt |
155 |
.Pp |
156 |
A sample SPKAC file |
157 |
.Pq the SPKAC line has been truncated for clarity : |
158 |
@@ -1286,7 +1286,7 @@ the location of all files can change eit |
159 |
configuration file entries, environment variables, or command line options. |
160 |
The values below reflect the default values. |
161 |
.Bd -literal -offset indent |
162 |
-/etc/ssl/openssl.cnf - master configuration file |
163 |
+/etc/pki/tls/libressl.cnf - master configuration file |
164 |
\&./demoCA - main CA directory |
165 |
\&./demoCA/cacert.pem - CA certificate |
166 |
\&./demoCA/private/cakey.pem - CA private key |
167 |
@@ -1401,7 +1401,7 @@ then even if a certificate is issued wit |
168 |
.\" CIPHERS |
169 |
.\" |
170 |
.Sh CIPHERS |
171 |
-.Nm openssl ciphers |
172 |
+.Nm libressl ciphers |
173 |
.Op Fl hVv |
174 |
.Op Fl tls1 |
175 |
.Op Ar cipherlist |
176 |
@@ -1409,7 +1409,7 @@ then even if a certificate is issued wit |
177 |
The |
178 |
.Nm ciphers |
179 |
command converts |
180 |
-.Nm OpenSSL |
181 |
+.Nm LibreSSL |
182 |
cipher lists into ordered SSL cipher preference lists. |
183 |
It can be used as a test tool to determine the appropriate cipherlist. |
184 |
.Pp |
185 |
@@ -1589,34 +1589,34 @@ Cipher suites using SHA1. |
186 |
.El |
187 |
.Sh CIPHERS EXAMPLES |
188 |
Verbose listing of all |
189 |
-.Nm OpenSSL |
190 |
+.Nm LibreSSL |
191 |
ciphers including NULL ciphers: |
192 |
.Pp |
193 |
-.Dl $ openssl ciphers -v 'ALL:eNULL' |
194 |
+.Dl $ libressl ciphers -v 'ALL:eNULL' |
195 |
.Pp |
196 |
Include all ciphers except NULL and anonymous DH then sort by |
197 |
strength: |
198 |
.Pp |
199 |
-.Dl $ openssl ciphers -v 'ALL:!ADH:@STRENGTH' |
200 |
+.Dl $ libressl ciphers -v 'ALL:!ADH:@STRENGTH' |
201 |
.Pp |
202 |
Include only 3DES ciphers and then place RSA ciphers last: |
203 |
.Pp |
204 |
-.Dl $ openssl ciphers -v '3DES:+RSA' |
205 |
+.Dl $ libressl ciphers -v '3DES:+RSA' |
206 |
.Pp |
207 |
Include all RC4 ciphers but leave out those without authentication: |
208 |
.Pp |
209 |
-.Dl $ openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' |
210 |
+.Dl $ libressl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' |
211 |
.Pp |
212 |
Include all ciphers with RSA authentication but leave out ciphers without |
213 |
encryption: |
214 |
.Pp |
215 |
-.Dl $ openssl ciphers -v 'RSA:!COMPLEMENTOFALL' |
216 |
+.Dl $ libressl ciphers -v 'RSA:!COMPLEMENTOFALL' |
217 |
.\" |
218 |
.\" CRL |
219 |
.\" |
220 |
.Sh CRL |
221 |
.nr nS 1 |
222 |
-.Nm "openssl crl" |
223 |
+.Nm "libressl crl" |
224 |
.Bk -words |
225 |
.Op Fl CAfile Ar file |
226 |
.Op Fl CApath Ar dir |
227 |
@@ -1696,11 +1696,11 @@ The PEM CRL format uses the header and f |
228 |
.Sh CRL EXAMPLES |
229 |
Convert a CRL file from PEM to DER: |
230 |
.Pp |
231 |
-.Dl $ openssl crl -in crl.pem -outform DER -out crl.der |
232 |
+.Dl $ libressl crl -in crl.pem -outform DER -out crl.der |
233 |
.Pp |
234 |
Output the text form of a DER-encoded certificate: |
235 |
.Pp |
236 |
-.Dl $ openssl crl -in crl.der -inform DER -text -noout |
237 |
+.Dl $ libressl crl -in crl.der -inform DER -text -noout |
238 |
.Sh CRL BUGS |
239 |
Ideally, it should be possible to create a CRL using appropriate options |
240 |
and files too. |
241 |
@@ -1709,7 +1709,7 @@ and files too. |
242 |
.\" |
243 |
.Sh CRL2PKCS7 |
244 |
.nr nS 1 |
245 |
-.Nm "openssl crl2pkcs7" |
246 |
+.Nm "libressl crl2pkcs7" |
247 |
.Bk -words |
248 |
.Op Fl certfile Ar file |
249 |
.Op Fl in Ar file |
250 |
@@ -1766,12 +1766,12 @@ is a base64-encoded version of the DER f |
251 |
.Sh CRL2PKCS7 EXAMPLES |
252 |
Create a PKCS#7 structure from a certificate and CRL: |
253 |
.Pp |
254 |
-.Dl $ openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem |
255 |
+.Dl $ libressl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem |
256 |
.Pp |
257 |
Create a PKCS#7 structure in DER format with no CRL from several |
258 |
different certificates: |
259 |
.Bd -literal -offset indent |
260 |
-$ openssl crl2pkcs7 -nocrl -certfile newcert.pem \e |
261 |
+$ libressl crl2pkcs7 -nocrl -certfile newcert.pem \e |
262 |
-certfile demoCA/cacert.pem -outform DER -out p7.der |
263 |
.Ed |
264 |
.Sh CRL2PKCS7 NOTES |
265 |
@@ -1791,7 +1791,7 @@ install user certificates and CAs in MSI |
266 |
.\" |
267 |
.Sh DGST |
268 |
.nr nS 1 |
269 |
-.Nm "openssl dgst" |
270 |
+.Nm "libressl dgst" |
271 |
.Bk -words |
272 |
.Oo |
273 |
.Fl gost-mac | streebog256 | streebog512 | md_gost94 | |
274 |
@@ -1816,7 +1816,7 @@ install user certificates and CAs in MSI |
275 |
.Ek |
276 |
.nr nS 0 |
277 |
.Pp |
278 |
-.Nm openssl |
279 |
+.Nm libressl |
280 |
.Cm gost-mac | streebog256 | streebog512 | md_gost94 | |
281 |
.Cm md4 | md5 | ripemd160 | sha1 | |
282 |
.Cm sha224 | sha256 | sha384 | sha512 | whirlpool |
283 |
@@ -1935,7 +1935,7 @@ below. |
284 |
.\" |
285 |
.Sh DHPARAM |
286 |
.nr nS 1 |
287 |
-.Nm "openssl dhparam" |
288 |
+.Nm "libressl dhparam" |
289 |
.Bk -words |
290 |
.Op Fl 2 | 5 |
291 |
.Op Fl C |
292 |
@@ -2041,7 +2041,7 @@ and |
293 |
.Nm gendh |
294 |
programs are retained for now, but may have different purposes in future |
295 |
versions of |
296 |
-.Nm OpenSSL . |
297 |
+.Nm LibreSSL . |
298 |
.Sh DHPARAM NOTES |
299 |
PEM format DH parameters use the header and footer lines: |
300 |
.Bd -unfilled -offset indent |
301 |
@@ -2049,7 +2049,7 @@ PEM format DH parameters use the header |
302 |
-----END DH PARAMETERS----- |
303 |
.Ed |
304 |
.Pp |
305 |
-.Nm OpenSSL |
306 |
+.Nm LibreSSL |
307 |
currently only supports the older PKCS#3 DH, |
308 |
not the newer X9.42 DH. |
309 |
.Pp |
310 |
@@ -2072,7 +2072,7 @@ option was added in |
311 |
.\" |
312 |
.Sh DSA |
313 |
.nr nS 1 |
314 |
-.Nm "openssl dsa" |
315 |
+.Nm "libressl dsa" |
316 |
.Bk -words |
317 |
.Oo |
318 |
.Fl aes128 | aes192 | aes256 | |
319 |
@@ -2202,29 +2202,29 @@ The PEM public key format uses the heade |
320 |
.Sh DSA EXAMPLES |
321 |
To remove the pass phrase on a DSA private key: |
322 |
.Pp |
323 |
-.Dl $ openssl dsa -in key.pem -out keyout.pem |
324 |
+.Dl $ libressl dsa -in key.pem -out keyout.pem |
325 |
.Pp |
326 |
To encrypt a private key using triple DES: |
327 |
.Pp |
328 |
-.Dl $ openssl dsa -in key.pem -des3 -out keyout.pem |
329 |
+.Dl $ libressl dsa -in key.pem -des3 -out keyout.pem |
330 |
.Pp |
331 |
To convert a private key from PEM to DER format: |
332 |
.Pp |
333 |
-.Dl $ openssl dsa -in key.pem -outform DER -out keyout.der |
334 |
+.Dl $ libressl dsa -in key.pem -outform DER -out keyout.der |
335 |
.Pp |
336 |
To print out the components of a private key to standard output: |
337 |
.Pp |
338 |
-.Dl $ openssl dsa -in key.pem -text -noout |
339 |
+.Dl $ libressl dsa -in key.pem -text -noout |
340 |
.Pp |
341 |
To just output the public part of a private key: |
342 |
.Pp |
343 |
-.Dl $ openssl dsa -in key.pem -pubout -out pubkey.pem |
344 |
+.Dl $ libressl dsa -in key.pem -pubout -out pubkey.pem |
345 |
.\" |
346 |
.\" DSAPARAM |
347 |
.\" |
348 |
.Sh DSAPARAM |
349 |
.nr nS 1 |
350 |
-.Nm "openssl dsaparam" |
351 |
+.Nm "libressl dsaparam" |
352 |
.Bk -words |
353 |
.Op Fl C |
354 |
.Op Fl genkey |
355 |
@@ -2308,7 +2308,7 @@ DSA parameters is often used to generate |
356 |
.\" |
357 |
.Sh EC |
358 |
.nr nS 1 |
359 |
-.Nm "openssl ec" |
360 |
+.Nm "libressl ec" |
361 |
.Bk -words |
362 |
.Op Fl conv_form Ar arg |
363 |
.Op Fl des |
364 |
@@ -2334,12 +2334,12 @@ command processes EC keys. |
365 |
They can be converted between various |
366 |
forms and their components printed out. |
367 |
Note: |
368 |
-.Nm OpenSSL |
369 |
+.Nm LibreSSL |
370 |
uses the private key format specified in |
371 |
.Dq SEC 1: Elliptic Curve Cryptography |
372 |
.Pq Lk http://www.secg.org/ . |
373 |
To convert an |
374 |
-.Nm OpenSSL |
375 |
+.Nm LibreSSL |
376 |
EC private key into the PKCS#8 private key format use the |
377 |
.Nm pkcs8 |
378 |
command. |
379 |
@@ -2367,7 +2367,7 @@ at compile time. |
380 |
.It Fl des | des3 |
381 |
These options encrypt the private key with the DES, triple DES, or |
382 |
any other cipher supported by |
383 |
-.Nm OpenSSL |
384 |
+.Nm LibreSSL |
385 |
before outputting it. |
386 |
A pass phrase is prompted for. |
387 |
If none of these options is specified the key is written in plain text. |
388 |
@@ -2422,7 +2422,7 @@ Note: the |
389 |
alternative, |
390 |
as specified in RFC 3279, |
391 |
is currently not implemented in |
392 |
-.Nm OpenSSL . |
393 |
+.Nm LibreSSL . |
394 |
.It Fl passin Ar arg |
395 |
The key password source. |
396 |
For more information about the format of |
397 |
@@ -2462,34 +2462,34 @@ The PEM public key format uses the heade |
398 |
.Sh EC EXAMPLES |
399 |
To encrypt a private key using triple DES: |
400 |
.Bd -literal -offset indent |
401 |
-$ openssl ec -in key.pem -des3 -out keyout.pem |
402 |
+$ libressl ec -in key.pem -des3 -out keyout.pem |
403 |
.Ed |
404 |
.Pp |
405 |
To convert a private key from PEM to DER format: |
406 |
.Bd -literal -offset indent |
407 |
-$ openssl ec -in key.pem -outform DER -out keyout.der |
408 |
+$ libressl ec -in key.pem -outform DER -out keyout.der |
409 |
.Ed |
410 |
.Pp |
411 |
To print out the components of a private key to standard output: |
412 |
.Bd -literal -offset indent |
413 |
-$ openssl ec -in key.pem -text -noout |
414 |
+$ libressl ec -in key.pem -text -noout |
415 |
.Ed |
416 |
.Pp |
417 |
To just output the public part of a private key: |
418 |
.Bd -literal -offset indent |
419 |
-$ openssl ec -in key.pem -pubout -out pubkey.pem |
420 |
+$ libressl ec -in key.pem -pubout -out pubkey.pem |
421 |
.Ed |
422 |
.Pp |
423 |
To change the parameter encoding to |
424 |
.Cm explicit : |
425 |
.Bd -literal -offset indent |
426 |
-$ openssl ec -in key.pem -param_enc explicit -out keyout.pem |
427 |
+$ libressl ec -in key.pem -param_enc explicit -out keyout.pem |
428 |
.Ed |
429 |
.Pp |
430 |
To change the point conversion form to |
431 |
.Cm compressed : |
432 |
.Bd -literal -offset indent |
433 |
-$ openssl ec -in key.pem -conv_form compressed -out keyout.pem |
434 |
+$ libressl ec -in key.pem -conv_form compressed -out keyout.pem |
435 |
.Ed |
436 |
.Sh EC HISTORY |
437 |
The |
438 |
@@ -2504,7 +2504,7 @@ command was first introduced in |
439 |
.\" |
440 |
.Sh ECPARAM |
441 |
.nr nS 1 |
442 |
-.Nm "openssl ecparam" |
443 |
+.Nm "libressl ecparam" |
444 |
.Bk -words |
445 |
.Op Fl C |
446 |
.Op Fl check |
447 |
@@ -2602,7 +2602,7 @@ Note: the |
448 |
.Cm implicitlyCA |
449 |
alternative, as specified in RFC 3279, |
450 |
is currently not implemented in |
451 |
-.Nm OpenSSL . |
452 |
+.Nm LibreSSL . |
453 |
.It Fl text |
454 |
Print out the EC parameters in human readable form. |
455 |
.El |
456 |
@@ -2613,41 +2613,41 @@ PEM format EC parameters use the header |
457 |
-----END EC PARAMETERS----- |
458 |
.Ed |
459 |
.Pp |
460 |
-.Nm OpenSSL |
461 |
+.Nm LibreSSL |
462 |
is currently not able to generate new groups and therefore |
463 |
.Nm ecparam |
464 |
can only create EC parameters from known (named) curves. |
465 |
.Sh ECPARAM EXAMPLES |
466 |
To create EC parameters with the group 'prime192v1': |
467 |
.Bd -literal -offset indent |
468 |
-$ openssl ecparam -out ec_param.pem -name prime192v1 |
469 |
+$ libressl ecparam -out ec_param.pem -name prime192v1 |
470 |
.Ed |
471 |
.Pp |
472 |
To create EC parameters with explicit parameters: |
473 |
.Bd -literal -offset indent |
474 |
-$ openssl ecparam -out ec_param.pem -name prime192v1 \e |
475 |
+$ libressl ecparam -out ec_param.pem -name prime192v1 \e |
476 |
-param_enc explicit |
477 |
.Ed |
478 |
.Pp |
479 |
To validate given EC parameters: |
480 |
.Bd -literal -offset indent |
481 |
-$ openssl ecparam -in ec_param.pem -check |
482 |
+$ libressl ecparam -in ec_param.pem -check |
483 |
.Ed |
484 |
.Pp |
485 |
To create EC parameters and a private key: |
486 |
.Bd -literal -offset indent |
487 |
-$ openssl ecparam -out ec_key.pem -name prime192v1 -genkey |
488 |
+$ libressl ecparam -out ec_key.pem -name prime192v1 -genkey |
489 |
.Ed |
490 |
.Pp |
491 |
To change the point encoding to 'compressed': |
492 |
.Bd -literal -offset indent |
493 |
-$ openssl ecparam -in ec_in.pem -out ec_out.pem \e |
494 |
+$ libressl ecparam -in ec_in.pem -out ec_out.pem \e |
495 |
-conv_form compressed |
496 |
.Ed |
497 |
.Pp |
498 |
To print out the EC parameters to standard output: |
499 |
.Bd -literal -offset indent |
500 |
-$ openssl ecparam -in ec_param.pem -noout -text |
501 |
+$ libressl ecparam -in ec_param.pem -noout -text |
502 |
.Ed |
503 |
.Sh ECPARAM HISTORY |
504 |
The |
505 |
@@ -2662,7 +2662,7 @@ command was first introduced in |
506 |
.\" |
507 |
.Sh ENC |
508 |
.nr nS 1 |
509 |
-.Nm "openssl enc" |
510 |
+.Nm "libressl enc" |
511 |
.Bk -words |
512 |
.Fl ciphername |
513 |
.Op Fl AadePp |
514 |
@@ -2837,9 +2837,9 @@ This is the default. |
515 |
.El |
516 |
.Sh ENC NOTES |
517 |
The program can be called either as |
518 |
-.Nm openssl ciphername |
519 |
+.Nm libressl ciphername |
520 |
or |
521 |
-.Nm openssl enc -ciphername . |
522 |
+.Nm libressl enc -ciphername . |
523 |
.Pp |
524 |
A password will be prompted for to derive the |
525 |
.Ar key |
526 |
@@ -2944,29 +2944,29 @@ rc4-40 40-bit RC4 |
527 |
.Sh ENC EXAMPLES |
528 |
Just base64 encode a binary file: |
529 |
.Pp |
530 |
-.Dl $ openssl base64 -in file.bin -out file.b64 |
531 |
+.Dl $ libressl base64 -in file.bin -out file.b64 |
532 |
.Pp |
533 |
Decode the same file: |
534 |
.Pp |
535 |
-.Dl $ openssl base64 -d -in file.b64 -out file.bin |
536 |
+.Dl $ libressl base64 -d -in file.b64 -out file.bin |
537 |
.Pp |
538 |
Encrypt a file using triple DES in CBC mode using a prompted password: |
539 |
.Pp |
540 |
-.Dl $ openssl des3 -salt -in file.txt -out file.des3 |
541 |
+.Dl $ libressl des3 -salt -in file.txt -out file.des3 |
542 |
.Pp |
543 |
Decrypt a file using a supplied password: |
544 |
.Pp |
545 |
-.Dl "$ openssl des3 -d -in file.des3 -out file.txt -k mypassword" |
546 |
+.Dl "$ libressl des3 -d -in file.des3 -out file.txt -k mypassword" |
547 |
.Pp |
548 |
Encrypt a file then base64 encode it |
549 |
(so it can be sent via mail for example) |
550 |
using Blowfish in CBC mode: |
551 |
.Pp |
552 |
-.Dl $ openssl bf -a -salt -in file.txt -out file.bf |
553 |
+.Dl $ libressl bf -a -salt -in file.txt -out file.bf |
554 |
.Pp |
555 |
Base64 decode a file then decrypt it: |
556 |
.Pp |
557 |
-.Dl "$ openssl bf -d -a -in file.bf -out file.txt" |
558 |
+.Dl "$ libressl bf -d -a -in file.bf -out file.txt" |
559 |
.Sh ENC BUGS |
560 |
The |
561 |
.Fl A |
562 |
@@ -2983,7 +2983,7 @@ or RC4 with an 84-bit key with this prog |
563 |
.\" ERRSTR |
564 |
.\" |
565 |
.Sh ERRSTR |
566 |
-.Nm openssl errstr |
567 |
+.Nm libressl errstr |
568 |
.Op Fl stats |
569 |
.Ar errno ... |
570 |
.Pp |
571 |
@@ -3019,7 +3019,7 @@ The following error code: |
572 |
.Pp |
573 |
\&...can be displayed with: |
574 |
.Pp |
575 |
-.Dl $ openssl errstr 2006D080 |
576 |
+.Dl $ libressl errstr 2006D080 |
577 |
.Pp |
578 |
\&...to produce the error message: |
579 |
.Pp |
580 |
@@ -3039,7 +3039,7 @@ above. |
581 |
.\" |
582 |
.Sh GENDSA |
583 |
.nr nS 1 |
584 |
-.Nm "openssl gendsa" |
585 |
+.Nm "libressl gendsa" |
586 |
.Bk -words |
587 |
.Oo |
588 |
.Fl aes128 | aes192 | aes256 | |
589 |
@@ -3054,7 +3054,7 @@ The |
590 |
.Nm gendsa |
591 |
command generates a DSA private key from a DSA parameter file |
592 |
(which will typically be generated by the |
593 |
-.Nm openssl dsaparam |
594 |
+.Nm libressl dsaparam |
595 |
command). |
596 |
.Pp |
597 |
The options are as follows: |
598 |
@@ -3075,7 +3075,7 @@ If this argument is not specified, stand |
599 |
This option specifies the DSA parameter file to use. |
600 |
The parameters in this file determine the size of the private key. |
601 |
DSA parameters can be generated and examined using the |
602 |
-.Nm openssl dsaparam |
603 |
+.Nm libressl dsaparam |
604 |
command. |
605 |
.El |
606 |
.Sh GENDSA NOTES |
607 |
@@ -3086,7 +3086,7 @@ much quicker than RSA key generation, fo |
608 |
.\" |
609 |
.Sh GENPKEY |
610 |
.nr nS 1 |
611 |
-.Nm "openssl genpkey" |
612 |
+.Nm "libressl genpkey" |
613 |
.Bk -words |
614 |
.Op Fl algorithm Ar alg |
615 |
.Op Ar cipher |
616 |
@@ -3177,7 +3177,7 @@ parameters along with the DER or PEM str |
617 |
The options supported by each algorithm |
618 |
and indeed each implementation of an algorithm can vary. |
619 |
The options for the |
620 |
-.Nm OpenSSL |
621 |
+.Nm LibreSSL |
622 |
implementations are detailed below. |
623 |
.Bl -tag -width Ds -offset indent |
624 |
.It rsa_keygen_bits : Ns Ar numbits |
625 |
@@ -3208,48 +3208,48 @@ The EC curve to use. |
626 |
.Sh GENPKEY EXAMPLES |
627 |
Generate an RSA private key using default parameters: |
628 |
.Bd -literal -offset indent |
629 |
-$ openssl genpkey -algorithm RSA -out key.pem |
630 |
+$ libressl genpkey -algorithm RSA -out key.pem |
631 |
.Ed |
632 |
.Pp |
633 |
Encrypt and output a private key using 128-bit AES and the passphrase "hello": |
634 |
.Bd -literal -offset indent |
635 |
-$ openssl genpkey -algorithm RSA -out key.pem \e |
636 |
+$ libressl genpkey -algorithm RSA -out key.pem \e |
637 |
-aes-128-cbc -pass pass:hello |
638 |
.Ed |
639 |
.Pp |
640 |
Generate a 2048-bit RSA key using 3 as the public exponent: |
641 |
.Bd -literal -offset indent |
642 |
-$ openssl genpkey -algorithm RSA -out key.pem \e |
643 |
+$ libressl genpkey -algorithm RSA -out key.pem \e |
644 |
-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3 |
645 |
.Ed |
646 |
.Pp |
647 |
Generate 1024-bit DSA parameters: |
648 |
.Bd -literal -offset indent |
649 |
-$ openssl genpkey -genparam -algorithm DSA \e |
650 |
+$ libressl genpkey -genparam -algorithm DSA \e |
651 |
-out dsap.pem -pkeyopt dsa_paramgen_bits:1024 |
652 |
.Ed |
653 |
.Pp |
654 |
Generate a DSA key from parameters: |
655 |
.Bd -literal -offset indent |
656 |
-$ openssl genpkey -paramfile dsap.pem -out dsakey.pem |
657 |
+$ libressl genpkey -paramfile dsap.pem -out dsakey.pem |
658 |
.Ed |
659 |
.Pp |
660 |
Generate 1024-bit DH parameters: |
661 |
.Bd -literal -offset indent |
662 |
-$ openssl genpkey -genparam -algorithm DH \e |
663 |
+$ libressl genpkey -genparam -algorithm DH \e |
664 |
-out dhp.pem -pkeyopt dh_paramgen_prime_len:1024 |
665 |
.Ed |
666 |
.Pp |
667 |
Generate a DH key from parameters: |
668 |
.Bd -literal -offset indent |
669 |
-$ openssl genpkey -paramfile dhp.pem -out dhkey.pem |
670 |
+$ libressl genpkey -paramfile dhp.pem -out dhkey.pem |
671 |
.Ed |
672 |
.\" |
673 |
.\" GENRSA |
674 |
.\" |
675 |
.Sh GENRSA |
676 |
.nr nS 1 |
677 |
-.Nm "openssl genrsa" |
678 |
+.Nm "libressl genrsa" |
679 |
.Bk -words |
680 |
.Op Fl 3 | f4 |
681 |
.Oo |
682 |
@@ -3324,7 +3324,7 @@ they will be much larger |
683 |
.\" NSEQ |
684 |
.\" |
685 |
.Sh NSEQ |
686 |
-.Nm openssl nseq |
687 |
+.Nm libressl nseq |
688 |
.Op Fl in Ar file |
689 |
.Op Fl out Ar file |
690 |
.Op Fl toseq |
691 |
@@ -3357,12 +3357,12 @@ a Netscape certificate sequence is creat |
692 |
.Sh NSEQ EXAMPLES |
693 |
Output the certificates in a Netscape certificate sequence: |
694 |
.Bd -literal -offset indent |
695 |
-$ openssl nseq -in nseq.pem -out certs.pem |
696 |
+$ libressl nseq -in nseq.pem -out certs.pem |
697 |
.Ed |
698 |
.Pp |
699 |
Create a Netscape certificate sequence: |
700 |
.Bd -literal -offset indent |
701 |
-$ openssl nseq -in certs.pem -toseq -out nseq.pem |
702 |
+$ libressl nseq -in certs.pem -toseq -out nseq.pem |
703 |
.Ed |
704 |
.Sh NSEQ NOTES |
705 |
The PEM-encoded form uses the same headers and footers as a certificate: |
706 |
@@ -3385,7 +3385,7 @@ and allowing multiple certificate files |
707 |
.\" |
708 |
.Sh OCSP |
709 |
.nr nS 1 |
710 |
-.Nm "openssl ocsp" |
711 |
+.Nm "libressl ocsp" |
712 |
.Bk -words |
713 |
.Op Fl CA Ar file |
714 |
.Op Fl CAfile Ar file |
715 |
@@ -3739,7 +3739,7 @@ specified by the |
716 |
and |
717 |
.Fl CApath |
718 |
options or they will be looked for in the standard |
719 |
-.Nm OpenSSL |
720 |
+.Nm LibreSSL |
721 |
certificates |
722 |
directory. |
723 |
.Pp |
724 |
@@ -3771,7 +3771,7 @@ which can give details about multiple CA |
725 |
certificate chain, then its root CA can be trusted for OCSP signing. |
726 |
For example: |
727 |
.Bd -literal -offset indent |
728 |
-$ openssl x509 -in ocspCA.pem -addtrust OCSPSigning \e |
729 |
+$ libressl x509 -in ocspCA.pem -addtrust OCSPSigning \e |
730 |
-out trustedCA.pem |
731 |
.Ed |
732 |
.Pp |
733 |
@@ -3809,7 +3809,7 @@ options. |
734 |
.Sh OCSP EXAMPLES |
735 |
Create an OCSP request and write it to a file: |
736 |
.Bd -literal -offset indent |
737 |
-$ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e |
738 |
+$ libressl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e |
739 |
-reqout req.der |
740 |
.Ed |
741 |
.Pp |
742 |
@@ -3817,39 +3817,39 @@ Send a query to an OCSP responder with U |
743 |
.Pa http://ocsp.myhost.com/ , |
744 |
save the response to a file and print it out in text form: |
745 |
.Bd -literal -offset indent |
746 |
-$ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e |
747 |
+$ libressl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e |
748 |
-url http://ocsp.myhost.com/ -resp_text -respout resp.der |
749 |
.Ed |
750 |
.Pp |
751 |
Read in an OCSP response and print out in text form: |
752 |
.Pp |
753 |
-.Dl $ openssl ocsp -respin resp.der -text |
754 |
+.Dl $ libressl ocsp -respin resp.der -text |
755 |
.Pp |
756 |
OCSP server on port 8888 using a standard |
757 |
.Nm ca |
758 |
configuration, and a separate responder certificate. |
759 |
All requests and responses are printed to a file: |
760 |
.Bd -literal -offset indent |
761 |
-$ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner \e |
762 |
+$ libressl ocsp -index demoCA/index.txt -port 8888 -rsigner \e |
763 |
rcert.pem -CA demoCA/cacert.pem -text -out log.txt |
764 |
.Ed |
765 |
.Pp |
766 |
As above, but exit after processing one request: |
767 |
.Bd -literal -offset indent |
768 |
-$ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner \e |
769 |
+$ libressl ocsp -index demoCA/index.txt -port 8888 -rsigner \e |
770 |
rcert.pem -CA demoCA/cacert.pem -nrequest 1 |
771 |
.Ed |
772 |
.Pp |
773 |
Query status information using internally generated request: |
774 |
.Bd -literal -offset indent |
775 |
-$ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e |
776 |
+$ libressl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e |
777 |
demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 |
778 |
.Ed |
779 |
.Pp |
780 |
Query status information using request read from a file and write |
781 |
the response to a second file: |
782 |
.Bd -literal -offset indent |
783 |
-$ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e |
784 |
+$ libressl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e |
785 |
demoCA/cacert.pem -reqin req.der -respout resp.der |
786 |
.Ed |
787 |
.\" |
788 |
@@ -3857,7 +3857,7 @@ $ openssl ocsp -index demoCA/index.txt - |
789 |
.\" |
790 |
.Sh PASSWD |
791 |
.nr nS 1 |
792 |
-.Nm "openssl passwd" |
793 |
+.Nm "libressl passwd" |
794 |
.Op Fl 1 | apr1 | crypt |
795 |
.Op Fl in Ar file |
796 |
.Op Fl noverify |
797 |
@@ -3936,15 +3936,15 @@ In the output list, prepend the cleartex |
798 |
to each password hash. |
799 |
.El |
800 |
.Sh PASSWD EXAMPLES |
801 |
-.Dl $ openssl passwd -crypt -salt xx password |
802 |
+.Dl $ libressl passwd -crypt -salt xx password |
803 |
prints |
804 |
.Qq xxj31ZMTZzkVA . |
805 |
.Pp |
806 |
-.Dl $ openssl passwd -1 -salt xxxxxxxx password |
807 |
+.Dl $ libressl passwd -1 -salt xxxxxxxx password |
808 |
prints |
809 |
.Qq $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a. . |
810 |
.Pp |
811 |
-.Dl $ openssl passwd -apr1 -salt xxxxxxxx password |
812 |
+.Dl $ libressl passwd -apr1 -salt xxxxxxxx password |
813 |
prints |
814 |
.Qq $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 . |
815 |
.\" |
816 |
@@ -3952,7 +3952,7 @@ prints |
817 |
.\" |
818 |
.Sh PKCS7 |
819 |
.nr nS 1 |
820 |
-.Nm "openssl pkcs7" |
821 |
+.Nm "libressl pkcs7" |
822 |
.Bk -words |
823 |
.Op Fl in Ar file |
824 |
.Op Fl inform Ar DER | PEM |
825 |
@@ -4004,11 +4004,11 @@ issuer names. |
826 |
.Sh PKCS7 EXAMPLES |
827 |
Convert a PKCS#7 file from PEM to DER: |
828 |
.Pp |
829 |
-.Dl $ openssl pkcs7 -in file.pem -outform DER -out file.der |
830 |
+.Dl $ libressl pkcs7 -in file.pem -outform DER -out file.der |
831 |
.Pp |
832 |
Output all certificates in a file: |
833 |
.Pp |
834 |
-.Dl $ openssl pkcs7 -in file.pem -print_certs -out certs.pem |
835 |
+.Dl $ libressl pkcs7 -in file.pem -print_certs -out certs.pem |
836 |
.Sh PKCS7 NOTES |
837 |
The PEM PKCS#7 format uses the header and footer lines: |
838 |
.Bd -unfilled -offset indent |
839 |
@@ -4031,7 +4031,7 @@ They cannot currently parse, for example |
840 |
.\" |
841 |
.Sh PKCS8 |
842 |
.nr nS 1 |
843 |
-.Nm "openssl pkcs8" |
844 |
+.Nm "libressl pkcs8" |
845 |
.Bk -words |
846 |
.Op Fl embed |
847 |
.Op Fl in Ar file |
848 |
@@ -4157,7 +4157,7 @@ option PKCS#5 v2.0 algorithms are used w |
849 |
encryption algorithm such as 168-bit triple DES or 128-bit RC2, however |
850 |
not many implementations support PKCS#5 v2.0 yet. |
851 |
If using private keys with |
852 |
-.Nm OpenSSL |
853 |
+.Nm LibreSSL |
854 |
then this doesn't matter. |
855 |
.Pp |
856 |
The |
857 |
@@ -4227,27 +4227,27 @@ allow strong encryption algorithms like |
858 |
.Sh PKCS8 EXAMPLES |
859 |
Convert a private key from traditional to PKCS#5 v2.0 format using triple DES: |
860 |
.Pp |
861 |
-.Dl "$ openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem" |
862 |
+.Dl "$ libressl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem" |
863 |
.Pp |
864 |
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm |
865 |
.Pq DES : |
866 |
.Pp |
867 |
-.Dl $ openssl pkcs8 -in key.pem -topk8 -out enckey.pem |
868 |
+.Dl $ libressl pkcs8 -in key.pem -topk8 -out enckey.pem |
869 |
.Pp |
870 |
Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm |
871 |
.Pq 3DES : |
872 |
.Bd -literal -offset indent |
873 |
-$ openssl pkcs8 -in key.pem -topk8 -out enckey.pem \e |
874 |
+$ libressl pkcs8 -in key.pem -topk8 -out enckey.pem \e |
875 |
-v1 PBE-SHA1-3DES |
876 |
.Ed |
877 |
.Pp |
878 |
Read a DER-unencrypted PKCS#8 format private key: |
879 |
.Pp |
880 |
-.Dl "$ openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem" |
881 |
+.Dl "$ libressl pkcs8 -inform DER -nocrypt -in key.der -out key.pem" |
882 |
.Pp |
883 |
Convert a private key from any PKCS#8 format to traditional format: |
884 |
.Pp |
885 |
-.Dl $ openssl pkcs8 -in pk8.pem -out key.pem |
886 |
+.Dl $ libressl pkcs8 -in pk8.pem -out key.pem |
887 |
.Sh PKCS8 STANDARDS |
888 |
Test vectors from this PKCS#5 v2.0 implementation were posted to the |
889 |
pkcs-tng mailing list using triple DES, DES and RC2 with high iteration counts; |
890 |
@@ -4260,7 +4260,7 @@ The format of PKCS#8 DSA |
891 |
.Pq and other |
892 |
private keys is not well documented: |
893 |
it is hidden away in PKCS#11 v2.01, section 11.9; |
894 |
-.Nm OpenSSL Ns Li 's |
895 |
+.Nm LibreSSL Ns Li 's |
896 |
default DSA PKCS#8 private key format complies with this standard. |
897 |
.Sh PKCS8 BUGS |
898 |
There should be an option that prints out the encryption algorithm |
899 |
@@ -4275,7 +4275,7 @@ compatibility, several of the utilities |
900 |
.\" |
901 |
.Sh PKCS12 |
902 |
.nr nS 1 |
903 |
-.Nm "openssl pkcs12" |
904 |
+.Nm "libressl pkcs12" |
905 |
.Bk -words |
906 |
.Oo |
907 |
.Fl aes128 | aes192 | aes256 | |
908 |
@@ -4571,29 +4571,29 @@ section above. |
909 |
.Sh PKCS12 EXAMPLES |
910 |
Parse a PKCS#12 file and output it to a file: |
911 |
.Pp |
912 |
-.Dl $ openssl pkcs12 -in file.p12 -out file.pem |
913 |
+.Dl $ libressl pkcs12 -in file.p12 -out file.pem |
914 |
.Pp |
915 |
Output only client certificates to a file: |
916 |
.Pp |
917 |
-.Dl $ openssl pkcs12 -in file.p12 -clcerts -out file.pem |
918 |
+.Dl $ libressl pkcs12 -in file.p12 -clcerts -out file.pem |
919 |
.Pp |
920 |
Don't encrypt the private key: |
921 |
.Pp |
922 |
-.Dl $ openssl pkcs12 -in file.p12 -out file.pem -nodes |
923 |
+.Dl $ libressl pkcs12 -in file.p12 -out file.pem -nodes |
924 |
.Pp |
925 |
Print some info about a PKCS#12 file: |
926 |
.Pp |
927 |
-.Dl $ openssl pkcs12 -in file.p12 -info -noout |
928 |
+.Dl $ libressl pkcs12 -in file.p12 -info -noout |
929 |
.Pp |
930 |
Create a PKCS#12 file: |
931 |
.Bd -literal -offset indent |
932 |
-$ openssl pkcs12 -export -in file.pem -out file.p12 \e |
933 |
+$ libressl pkcs12 -export -in file.pem -out file.p12 \e |
934 |
-name "My Certificate" |
935 |
.Ed |
936 |
.Pp |
937 |
Include some extra certificates: |
938 |
.Bd -literal -offset indent |
939 |
-$ openssl pkcs12 -export -in file.pem -out file.p12 \e |
940 |
+$ libressl pkcs12 -export -in file.pem -out file.p12 \e |
941 |
-name "My Certificate" -certfile othercerts.pem |
942 |
.Ed |
943 |
.Sh PKCS12 BUGS |
944 |
@@ -4631,7 +4631,7 @@ the PKCS#12 file from the keys and certi |
945 |
For example: |
946 |
.Bd -literal -offset indent |
947 |
$ old-openssl -in bad.p12 -out keycerts.pem |
948 |
-$ openssl -in keycerts.pem -export -name "My PKCS#12 file" \e |
949 |
+$ libressl -in keycerts.pem -export -name "My PKCS#12 file" \e |
950 |
-out fixed.p12 |
951 |
.Ed |
952 |
.\" |
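Review bot: The rewritten second command in this PKCS12 BUGS example still has no subcommand, so it cannot run as documented whichever name the binary has. `-export` and `-name` are `pkcs12` options, as the PKCS12 EXAMPLES section shows. Since this line is being touched anyway, it should read `$ libressl pkcs12 -in keycerts.pem -export -name "My PKCS#12 file" \e`. The unchanged `old-openssl` line above it has the same omission.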
953 |
@@ -4639,7 +4639,7 @@ $ openssl -in keycerts.pem -export -name |
954 |
.\" |
955 |
.Sh PKEY |
956 |
.nr nS 1 |
957 |
-.Nm "openssl pkey" |
958 |
+.Nm "libressl pkey" |
959 |
.Bk -words |
960 |
.Op Ar cipher |
961 |
.Op Fl in Ar file |
962 |
@@ -4723,38 +4723,38 @@ even if a private key is being processed |
963 |
.Sh PKEY EXAMPLES |
964 |
To remove the pass phrase on an RSA private key: |
965 |
.Bd -literal -offset indent |
966 |
-$ openssl pkey -in key.pem -out keyout.pem |
967 |
+$ libressl pkey -in key.pem -out keyout.pem |
968 |
.Ed |
969 |
.Pp |
970 |
To encrypt a private key using triple DES: |
971 |
.Bd -literal -offset indent |
972 |
-$ openssl pkey -in key.pem -des3 -out keyout.pem |
973 |
+$ libressl pkey -in key.pem -des3 -out keyout.pem |
974 |
.Ed |
975 |
.Pp |
976 |
To convert a private key from PEM to DER format: |
977 |
.Bd -literal -offset indent |
978 |
-$ openssl pkey -in key.pem -outform DER -out keyout.der |
979 |
+$ libressl pkey -in key.pem -outform DER -out keyout.der |
980 |
.Ed |
981 |
.Pp |
982 |
To print the components of a private key to standard output: |
983 |
.Bd -literal -offset indent |
984 |
-$ openssl pkey -in key.pem -text -noout |
985 |
+$ libressl pkey -in key.pem -text -noout |
986 |
.Ed |
987 |
.Pp |
988 |
To print the public components of a private key to standard output: |
989 |
.Bd -literal -offset indent |
990 |
-$ openssl pkey -in key.pem -text_pub -noout |
991 |
+$ libressl pkey -in key.pem -text_pub -noout |
992 |
.Ed |
993 |
.Pp |
994 |
To just output the public part of a private key: |
995 |
.Bd -literal -offset indent |
996 |
-$ openssl pkey -in key.pem -pubout -out pubkey.pem |
997 |
+$ libressl pkey -in key.pem -pubout -out pubkey.pem |
998 |
.Ed |
999 |
.\" |
1000 |
.\" PKEYPARAM |
1001 |
.\" |
1002 |
.Sh PKEYPARAM |
1003 |
-.Cm openssl pkeyparam |
1004 |
+.Cm libressl pkeyparam |
1005 |
.Op Fl in Ar file |
1006 |
.Op Fl noout |
1007 |
.Op Fl out Ar file |
1008 |
@@ -4781,7 +4781,7 @@ Prints out the parameters in plain text |
1009 |
.Sh PKEYPARAM EXAMPLES |
1010 |
Print out text version of parameters: |
1011 |
.Bd -literal -offset indent |
1012 |
-$ openssl pkeyparam -in param.pem -text |
1013 |
+$ libressl pkeyparam -in param.pem -text |
1014 |
.Ed |
1015 |
.Sh PKEYPARAM NOTES |
1016 |
There are no |
1017 |
@@ -4795,7 +4795,7 @@ because the key type is determined by th |
1018 |
.\" |
1019 |
.Sh PKEYUTL |
1020 |
.nr nS 1 |
1021 |
-.Nm "openssl pkeyutl" |
1022 |
+.Nm "libressl pkeyutl" |
1023 |
.Bk -words |
1024 |
.Op Fl asn1parse |
1025 |
.Op Fl certin |
1026 |
@@ -4887,7 +4887,7 @@ Verify the input data and output the rec |
1027 |
The operations and options supported vary according to the key algorithm |
1028 |
and its implementation. |
1029 |
The |
1030 |
-.Nm OpenSSL |
1031 |
+.Nm LibreSSL |
1032 |
operations and options are indicated below. |
1033 |
.Pp |
1034 |
Unless otherwise mentioned all algorithms support the |
1035 |
@@ -4963,36 +4963,36 @@ Only the SHA1 digest can be used and thi |
1036 |
.Sh PKEYUTL EXAMPLES |
1037 |
Sign some data using a private key: |
1038 |
.Bd -literal -offset indent |
1039 |
-$ openssl pkeyutl -sign -in file -inkey key.pem -out sig |
1040 |
+$ libressl pkeyutl -sign -in file -inkey key.pem -out sig |
1041 |
.Ed |
1042 |
.Pp |
1043 |
Recover the signed data (e.g. if an RSA key is used): |
1044 |
.Bd -literal -offset indent |
1045 |
-$ openssl pkeyutl -verifyrecover -in sig -inkey key.pem |
1046 |
+$ libressl pkeyutl -verifyrecover -in sig -inkey key.pem |
1047 |
.Ed |
1048 |
.Pp |
1049 |
Verify the signature (e.g. a DSA key): |
1050 |
.Bd -literal -offset indent |
1051 |
-$ openssl pkeyutl -verify -in file -sigfile sig \e |
1052 |
+$ libressl pkeyutl -verify -in file -sigfile sig \e |
1053 |
-inkey key.pem |
1054 |
.Ed |
1055 |
.Pp |
1056 |
Sign data using a message digest value (this is currently only valid for RSA): |
1057 |
.Bd -literal -offset indent |
1058 |
-$ openssl pkeyutl -sign -in file -inkey key.pem \e |
1059 |
+$ libressl pkeyutl -sign -in file -inkey key.pem \e |
1060 |
-out sig -pkeyopt digest:sha256 |
1061 |
.Ed |
1062 |
.Pp |
1063 |
Derive a shared secret value: |
1064 |
.Bd -literal -offset indent |
1065 |
-$ openssl pkeyutl -derive -inkey key.pem \e |
1066 |
+$ libressl pkeyutl -derive -inkey key.pem \e |
1067 |
-peerkey pubkey.pem -out secret |
1068 |
.Ed |
1069 |
.\" |
1070 |
.\" PRIME |
1071 |
.\" |
1072 |
.Sh PRIME |
1073 |
-.Cm openssl prime |
1074 |
+.Cm libressl prime |
1075 |
.Op Fl bits Ar n |
1076 |
.Op Fl checks Ar n |
1077 |
.Op Fl generate |
1078 |
@@ -5040,7 +5040,7 @@ is prime. |
1079 |
.\" |
1080 |
.Sh RAND |
1081 |
.nr nS 1 |
1082 |
-.Nm "openssl rand" |
1083 |
+.Nm "libressl rand" |
1084 |
.Op Fl base64 |
1085 |
.Op Fl hex |
1086 |
.Op Fl out Ar file |
1087 |
@@ -5071,7 +5071,7 @@ instead of standard output. |
1088 |
.\" |
1089 |
.Sh REQ |
1090 |
.nr nS 1 |
1091 |
-.Nm "openssl req" |
1092 |
+.Nm "libressl req" |
1093 |
.Bk -words |
1094 |
.Op Fl asn1-kludge |
1095 |
.Op Fl batch |
1096 |
@@ -5383,7 +5383,7 @@ or |
1097 |
.Em unstructuredName |
1098 |
types. |
1099 |
They are currently ignored by |
1100 |
-.Nm OpenSSL Ns Li 's |
1101 |
+.Nm LibreSSL Ns Li 's |
1102 |
request signing utilities, but some CAs might want them. |
1103 |
.It Ar default_bits |
1104 |
This specifies the default key size in bits. |
1105 |
@@ -5588,7 +5588,7 @@ can be input by calling it |
1106 |
The actual permitted field names are any object identifier short or |
1107 |
long names. |
1108 |
These are compiled into |
1109 |
-.Nm OpenSSL |
1110 |
+.Nm LibreSSL |
1111 |
and include the usual values such as |
1112 |
.Em commonName , countryName , localityName , organizationName , |
1113 |
.Em organizationUnitName , stateOrProvinceName . |
1114 |
@@ -5609,21 +5609,21 @@ Any additional fields will be treated as |
1115 |
.Sh REQ EXAMPLES |
1116 |
Examine and verify a certificate request: |
1117 |
.Pp |
1118 |
-.Dl $ openssl req -in req.pem -text -verify -noout |
1119 |
+.Dl $ libressl req -in req.pem -text -verify -noout |
1120 |
.Pp |
1121 |
Create a private key and then generate a certificate request from it: |
1122 |
.Bd -literal -offset indent |
1123 |
-$ openssl genrsa -out key.pem 2048 |
1124 |
-$ openssl req -new -key key.pem -out req.pem |
1125 |
+$ libressl genrsa -out key.pem 2048 |
1126 |
+$ libressl req -new -key key.pem -out req.pem |
1127 |
.Ed |
1128 |
.Pp |
1129 |
The same but just using req: |
1130 |
.Pp |
1131 |
-.Dl $ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem |
1132 |
+.Dl $ libressl req -newkey rsa:2048 -keyout key.pem -out req.pem |
1133 |
.Pp |
1134 |
Generate a self-signed root certificate: |
1135 |
.Pp |
1136 |
-.Dl "$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem" |
1137 |
+.Dl "$ libressl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem" |
1138 |
.Pp |
1139 |
Example of a file pointed to by the |
1140 |
.Ar oid_file |
1141 |
@@ -5734,7 +5734,7 @@ extension. |
1142 |
.Sh REQ DIAGNOSTICS |
1143 |
The following messages are frequently asked about: |
1144 |
.Bd -unfilled -offset indent |
1145 |
-Using configuration from /some/path/openssl.cnf |
1146 |
+Using configuration from /some/path/libressl.cnf |
1147 |
Unable to load config info |
1148 |
.Ed |
1149 |
.Pp |
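Review bot: The `.Bd -unfilled` block under REQ DIAGNOSTICS quotes a message that the program itself prints, so changing it to `/some/path/libressl.cnf` is correct only if the binary's default configuration file is renamed as well. Nothing in this hunk shows that rename. If the tool still reads and reports `openssl.cnf`, someone troubleshooting "Unable to load config info" will look for a file that does not exist. Unless the config file is renamed elsewhere in the patch set, keep the line as `Using configuration from /some/path/openssl.cnf`.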
1150 |
@@ -5778,7 +5778,7 @@ file location to be specified; it will b |
1151 |
.Fl config |
1152 |
command line switch if it is present. |
1153 |
.Sh REQ BUGS |
1154 |
-.Nm OpenSSL Ns Li 's |
1155 |
+.Nm LibreSSL Ns Li 's |
1156 |
handling of T61Strings |
1157 |
.Pq aka TeletexStrings |
1158 |
is broken: it effectively treats them as ISO 8859-1 |
1159 |
@@ -5791,7 +5791,7 @@ and you don't want to or can't use |
1160 |
.Pp |
1161 |
As a consequence of the T61String handling, the only correct way to represent |
1162 |
accented characters in |
1163 |
-.Nm OpenSSL |
1164 |
+.Nm LibreSSL |
1165 |
is to use a |
1166 |
.Em BMPString : |
1167 |
unfortunately Netscape currently chokes on these. |
1168 |
@@ -5810,7 +5810,7 @@ should be input by the user. |
1169 |
.\" |
1170 |
.Sh RSA |
1171 |
.nr nS 1 |
1172 |
-.Nm "openssl rsa" |
1173 |
+.Nm "libressl rsa" |
1174 |
.Bk -words |
1175 |
.Oo |
1176 |
.Fl aes128 | aes192 | aes256 | |
1177 |
@@ -5970,23 +5970,23 @@ option. |
1178 |
.Sh RSA EXAMPLES |
1179 |
To remove the pass phrase on an RSA private key: |
1180 |
.Pp |
1181 |
-.Dl $ openssl rsa -in key.pem -out keyout.pem |
1182 |
+.Dl $ libressl rsa -in key.pem -out keyout.pem |
1183 |
.Pp |
1184 |
To encrypt a private key using triple DES: |
1185 |
.Pp |
1186 |
-.Dl $ openssl rsa -in key.pem -des3 -out keyout.pem |
1187 |
+.Dl $ libressl rsa -in key.pem -des3 -out keyout.pem |
1188 |
.Pp |
1189 |
To convert a private key from PEM to DER format: |
1190 |
.Pp |
1191 |
-.Dl $ openssl rsa -in key.pem -outform DER -out keyout.der |
1192 |
+.Dl $ libressl rsa -in key.pem -outform DER -out keyout.der |
1193 |
.Pp |
1194 |
To print out the components of a private key to standard output: |
1195 |
.Pp |
1196 |
-.Dl $ openssl rsa -in key.pem -text -noout |
1197 |
+.Dl $ libressl rsa -in key.pem -text -noout |
1198 |
.Pp |
1199 |
To just output the public part of a private key: |
1200 |
.Pp |
1201 |
-.Dl $ openssl rsa -in key.pem -pubout -out pubkey.pem |
1202 |
+.Dl $ libressl rsa -in key.pem -pubout -out pubkey.pem |
1203 |
.Sh RSA BUGS |
1204 |
The command line password arguments don't currently work with |
1205 |
.Em NET |
1206 |
@@ -5999,7 +5999,7 @@ without having to manually edit them. |
1207 |
.\" |
1208 |
.Sh RSAUTL |
1209 |
.nr nS 1 |
1210 |
-.Nm "openssl rsautl" |
1211 |
+.Nm "libressl rsautl" |
1212 |
.Bk -words |
1213 |
.Op Fl asn1parse |
1214 |
.Op Fl certin |
1215 |
@@ -6077,15 +6077,15 @@ used to sign or verify small pieces of d |
1216 |
.Sh RSAUTL EXAMPLES |
1217 |
Sign some data using a private key: |
1218 |
.Pp |
1219 |
-.Dl "$ openssl rsautl -sign -in file -inkey key.pem -out sig" |
1220 |
+.Dl "$ libressl rsautl -sign -in file -inkey key.pem -out sig" |
1221 |
.Pp |
1222 |
Recover the signed data: |
1223 |
.Pp |
1224 |
-.Dl $ openssl rsautl -verify -in sig -inkey key.pem |
1225 |
+.Dl $ libressl rsautl -verify -in sig -inkey key.pem |
1226 |
.Pp |
1227 |
Examine the raw signed data: |
1228 |
.Pp |
1229 |
-.Li "\ \&$ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump" |
1230 |
+.Li "\ \&$ libressl rsautl -verify -in file -inkey key.pem -raw -hexdump" |
1231 |
.Bd -unfilled |
1232 |
\& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ |
1233 |
\& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ |
1234 |
@@ -6111,7 +6111,7 @@ running |
1235 |
.Nm asn1parse |
1236 |
as follows yields: |
1237 |
.Pp |
1238 |
-.Li "\ \&$ openssl asn1parse -in pca-cert.pem" |
1239 |
+.Li "\ \&$ libressl asn1parse -in pca-cert.pem" |
1240 |
.Bd -unfilled |
1241 |
\& 0:d=0 hl=4 l= 742 cons: SEQUENCE |
1242 |
\& 4:d=1 hl=4 l= 591 cons: SEQUENCE |
1243 |
@@ -6136,15 +6136,15 @@ as follows yields: |
1244 |
The final BIT STRING contains the actual signature. |
1245 |
It can be extracted with: |
1246 |
.Pp |
1247 |
-.Dl "$ openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614" |
1248 |
+.Dl "$ libressl asn1parse -in pca-cert.pem -out sig -noout -strparse 614" |
1249 |
.Pp |
1250 |
The certificate public key can be extracted with: |
1251 |
.Pp |
1252 |
-.Dl $ openssl x509 -in test/testx509.pem -pubkey -noout \*(Gtpubkey.pem |
1253 |
+.Dl $ libressl x509 -in test/testx509.pem -pubkey -noout \*(Gtpubkey.pem |
1254 |
.Pp |
1255 |
The signature can be analysed with: |
1256 |
.Pp |
1257 |
-.Li "\ \&$ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin" |
1258 |
+.Li "\ \&$ libressl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin" |
1259 |
.Bd -unfilled |
1260 |
\& 0:d=0 hl=2 l= 32 cons: SEQUENCE |
1261 |
\& 2:d=1 hl=2 l= 12 cons: SEQUENCE |
1262 |
@@ -6160,11 +6160,11 @@ structure. |
1263 |
It can be seen that the digest used was MD5. |
1264 |
The actual part of the certificate that was signed can be extracted with: |
1265 |
.Pp |
1266 |
-.Dl "$ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4" |
1267 |
+.Dl "$ libressl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4" |
1268 |
.Pp |
1269 |
and its digest computed with: |
1270 |
.Pp |
1271 |
-.Dl $ openssl md5 -c tbs |
1272 |
+.Dl $ libressl md5 -c tbs |
1273 |
.D1 MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 |
1274 |
.Pp |
1275 |
which it can be seen agrees with the recovered value above. |
1276 |
@@ -6173,7 +6173,7 @@ which it can be seen agrees with the rec |
1277 |
.\" |
1278 |
.Sh S_CLIENT |
1279 |
.nr nS 1 |
1280 |
-.Nm "openssl s_client" |
1281 |
+.Nm "libressl s_client" |
1282 |
.Bk -words |
1283 |
.Op Fl 4 | 6 |
1284 |
.Op Fl bugs |
1285 |
@@ -6425,7 +6425,7 @@ or if end of file is reached, the connec |
1286 |
can be used to debug SSL servers. |
1287 |
To connect to an SSL HTTP server the command: |
1288 |
.Pp |
1289 |
-.Dl $ openssl s_client -connect servername:443 |
1290 |
+.Dl $ libressl s_client -connect servername:443 |
1291 |
.Pp |
1292 |
would typically be used |
1293 |
.Pq HTTPS uses port 443 . |
1294 |
@@ -6489,7 +6489,7 @@ We should really report information when |
1295 |
.\" |
1296 |
.Sh S_SERVER |
1297 |
.nr nS 1 |
1298 |
-.Nm "openssl s_server" |
1299 |
+.Nm "libressl s_server" |
1300 |
.Bk -words |
1301 |
.Op Fl accept Ar port |
1302 |
.Op Fl bugs |
1303 |
@@ -6738,7 +6738,7 @@ Print out some session cache status info |
1304 |
can be used to debug SSL clients. |
1305 |
To accept connections from a web browser the command: |
1306 |
.Pp |
1307 |
-.Dl $ openssl s_server -accept 443 -www |
1308 |
+.Dl $ libressl s_server -accept 443 -www |
1309 |
.Pp |
1310 |
can be used, for example. |
1311 |
.Pp |
1312 |
@@ -6765,7 +6765,7 @@ is rather hard to read and not a model o |
1313 |
A typical SSL server program would be much simpler. |
1314 |
.Pp |
1315 |
The output of common ciphers is wrong: it just gives the list of ciphers that |
1316 |
-.Nm OpenSSL |
1317 |
+.Nm LibreSSL |
1318 |
recognizes and the client supports. |
1319 |
.Pp |
1320 |
There should be a way for the |
1321 |
@@ -6777,7 +6777,7 @@ unknown cipher suites a client says it s |
1322 |
.\" |
1323 |
.Sh S_TIME |
1324 |
.nr nS 1 |
1325 |
-.Nm "openssl s_time" |
1326 |
+.Nm "libressl s_time" |
1327 |
.Bk -words |
1328 |
.Op Fl bugs |
1329 |
.Op Fl CAfile Ar file |
1330 |
@@ -6897,7 +6897,7 @@ but not transfer any payload data. |
1331 |
can be used to measure the performance of an SSL connection. |
1332 |
To connect to an SSL HTTP server and get the default page the command |
1333 |
.Bd -literal -offset indent |
1334 |
-$ openssl s_time -connect servername:443 -www / -CApath yourdir \e |
1335 |
+$ libressl s_time -connect servername:443 -www / -CApath yourdir \e |
1336 |
-CAfile yourfile.pem -cipher commoncipher |
1337 |
.Ed |
1338 |
.Pp |
1339 |
@@ -6954,7 +6954,7 @@ option should really exit if the server |
1340 |
.\" |
1341 |
.Sh SESS_ID |
1342 |
.nr nS 1 |
1343 |
-.Nm "openssl sess_id" |
1344 |
+.Nm "libressl sess_id" |
1345 |
.Bk -words |
1346 |
.Op Fl cert |
1347 |
.Op Fl context Ar ID |
1348 |
@@ -7084,7 +7084,7 @@ The cipher and start time should be prin |
1349 |
.\" |
1350 |
.Sh SMIME |
1351 |
.nr nS 1 |
1352 |
-.Nm "openssl smime" |
1353 |
+.Nm "libressl smime" |
1354 |
.Bk -words |
1355 |
.Oo |
1356 |
.Fl aes128 | aes192 | aes256 | des | |
1357 |
@@ -7498,26 +7498,26 @@ the signer's certificates. |
1358 |
.Sh SMIME EXAMPLES |
1359 |
Create a cleartext signed message: |
1360 |
.Bd -literal -offset indent |
1361 |
-$ openssl smime -sign -in message.txt -text -out mail.msg \e |
1362 |
+$ libressl smime -sign -in message.txt -text -out mail.msg \e |
1363 |
-signer mycert.pem |
1364 |
.Ed |
1365 |
.Pp |
1366 |
Create an opaque signed message: |
1367 |
.Bd -literal -offset indent |
1368 |
-$ openssl smime -sign -in message.txt -text -out mail.msg \e |
1369 |
+$ libressl smime -sign -in message.txt -text -out mail.msg \e |
1370 |
-nodetach -signer mycert.pem |
1371 |
.Ed |
1372 |
.Pp |
1373 |
Create a signed message, include some additional certificates and |
1374 |
read the private key from another file: |
1375 |
.Bd -literal -offset indent |
1376 |
-$ openssl smime -sign -in in.txt -text -out mail.msg \e |
1377 |
+$ libressl smime -sign -in in.txt -text -out mail.msg \e |
1378 |
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem |
1379 |
.Ed |
1380 |
.Pp |
1381 |
Create a signed message with two signers: |
1382 |
.Bd -literal -offset indent |
1383 |
-openssl smime -sign -in message.txt -text -out mail.msg \e |
1384 |
+libressl smime -sign -in message.txt -text -out mail.msg \e |
1385 |
-signer mycert.pem -signer othercert.pem |
1386 |
.Ed |
1387 |
.Pp |
1388 |
@@ -7527,28 +7527,28 @@ directly to |
1389 |
.Xr sendmail 8 , |
1390 |
including headers: |
1391 |
.Bd -literal -offset indent |
1392 |
-$ openssl smime -sign -in in.txt -text -signer mycert.pem \e |
1393 |
+$ libressl smime -sign -in in.txt -text -signer mycert.pem \e |
1394 |
-from steve@openssl.org -to someone@somewhere \e |
1395 |
-subject "Signed message" | sendmail someone@somewhere |
1396 |
.Ed |
1397 |
.Pp |
1398 |
Verify a message and extract the signer's certificate if successful: |
1399 |
.Bd -literal -offset indent |
1400 |
-$ openssl smime -verify -in mail.msg -signer user.pem \e |
1401 |
+$ libressl smime -verify -in mail.msg -signer user.pem \e |
1402 |
-out signedtext.txt |
1403 |
.Ed |
1404 |
.Pp |
1405 |
Send encrypted mail using triple DES: |
1406 |
.Bd -literal -offset indent |
1407 |
-$ openssl smime -encrypt -in in.txt -from steve@openssl.org \e |
1408 |
+$ libressl smime -encrypt -in in.txt -from steve@openssl.org \e |
1409 |
-to someone@somewhere -subject "Encrypted message" \e |
1410 |
-des3 -out mail.msg user.pem |
1411 |
.Ed |
1412 |
.Pp |
1413 |
Sign and encrypt mail: |
1414 |
.Bd -literal -offset indent |
1415 |
-$ openssl smime -sign -in ml.txt -signer my.pem -text | \e |
1416 |
- openssl smime -encrypt -out mail.msg \e |
1417 |
+$ libressl smime -sign -in ml.txt -signer my.pem -text | \e |
1418 |
+ libressl smime -encrypt -out mail.msg \e |
1419 |
-from steve@openssl.org -to someone@somewhere \e |
1420 |
-subject "Signed and Encrypted message" -des3 user.pem |
1421 |
.Ed |
1422 |
@@ -7562,7 +7562,7 @@ headers. |
1423 |
.Pp |
1424 |
Decrypt mail: |
1425 |
.Bd -literal -offset indent |
1426 |
-$ openssl smime -decrypt -in mail.msg -recip mycert.pem \e |
1427 |
+$ libressl smime -decrypt -in mail.msg -recip mycert.pem \e |
1428 |
-inkey key.pem" |
1429 |
.Ed |
1430 |
.Pp |
1431 |
@@ -7577,25 +7577,25 @@ base64-encoded structure and surrounding |
1432 |
.Pp |
1433 |
and using the command: |
1434 |
.Bd -literal -offset indent |
1435 |
-$ openssl smime -verify -inform PEM -in signature.pem \e |
1436 |
+$ libressl smime -verify -inform PEM -in signature.pem \e |
1437 |
-content content.txt |
1438 |
.Ed |
1439 |
.Pp |
1440 |
Alternatively, you can base64 decode the signature and use: |
1441 |
.Bd -literal -offset indent |
1442 |
-$ openssl smime -verify -inform DER -in signature.der \e |
1443 |
+$ libressl smime -verify -inform DER -in signature.der \e |
1444 |
-content content.txt |
1445 |
.Ed |
1446 |
.Pp |
1447 |
Create an encrypted message using 128-bit AES: |
1448 |
.Bd -literal -offset indent |
1449 |
-openssl smime -encrypt -in plain.txt -aes128 \e |
1450 |
+libressl smime -encrypt -in plain.txt -aes128 \e |
1451 |
-out mail.msg cert.pem |
1452 |
.Ed |
1453 |
.Pp |
1454 |
Add a signer to an existing message: |
1455 |
.Bd -literal -offset indent |
1456 |
-openssl smime -resign -in mail.msg -signer newsign.pem \e |
1457 |
+libressl smime -resign -in mail.msg -signer newsign.pem \e |
1458 |
-out mail2.msg |
1459 |
.Ed |
1460 |
.Sh SMIME BUGS |
1461 |
@@ -7640,7 +7640,7 @@ command were first added in |
1462 |
.\" |
1463 |
.Sh SPEED |
1464 |
.nr nS 1 |
1465 |
-.Nm "openssl speed" |
1466 |
+.Nm "libressl speed" |
1467 |
.Bk -words |
1468 |
.Op Cm aes |
1469 |
.Op Cm aes-128-cbc |
1470 |
@@ -7709,7 +7709,7 @@ benchmarks in parallel. |
1471 |
.\" |
1472 |
.Sh TS |
1473 |
.nr nS 1 |
1474 |
-.Nm "openssl ts" |
1475 |
+.Nm "libressl ts" |
1476 |
.Bk -words |
1477 |
.Fl query |
1478 |
.Op Fl md4 | md5 | ripemd160 | sha1 |
1479 |
@@ -7726,7 +7726,7 @@ benchmarks in parallel. |
1480 |
.nr nS 0 |
1481 |
.Pp |
1482 |
.nr nS 1 |
1483 |
-.Nm "openssl ts" |
1484 |
+.Nm "libressl ts" |
1485 |
.Bk -words |
1486 |
.Fl reply |
1487 |
.Op Fl chain Ar certs_file.pem |
1488 |
@@ -7746,7 +7746,7 @@ benchmarks in parallel. |
1489 |
.nr nS 0 |
1490 |
.Pp |
1491 |
.nr nS 1 |
1492 |
-.Nm "openssl ts" |
1493 |
+.Nm "libressl ts" |
1494 |
.Bk -words |
1495 |
.Fl verify |
1496 |
.Op Fl CAfile Ar trusted_certs.pem |
1497 |
@@ -8145,27 +8145,27 @@ All the examples below presume that |
1498 |
.Ev OPENSSL_CONF |
1499 |
is set to a proper configuration file, |
1500 |
e.g. the example configuration file |
1501 |
-.Pa openssl/apps/openssl.cnf |
1502 |
+.Pa openssl/apps/libressl.cnf |
1503 |
will do. |
1504 |
.Pp |
1505 |
To create a time stamp request for design1.txt with SHA-1 |
1506 |
without nonce and policy and no certificate is required in the response: |
1507 |
.Bd -literal -offset indent |
1508 |
-$ openssl ts -query -data design1.txt -no_nonce \e |
1509 |
+$ libressl ts -query -data design1.txt -no_nonce \e |
1510 |
-out design1.tsq |
1511 |
.Ed |
1512 |
.Pp |
1513 |
To create a similar time stamp request but specifying the message imprint |
1514 |
explicitly: |
1515 |
.Bd -literal -offset indent |
1516 |
-$ openssl ts -query \e |
1517 |
+$ libressl ts -query \e |
1518 |
-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e |
1519 |
-no_nonce -out design1.tsq |
1520 |
.Ed |
1521 |
.Pp |
1522 |
To print the content of the previous request in human readable format: |
1523 |
.Bd -literal -offset indent |
1524 |
-$ openssl ts -query -in design1.tsq -text |
1525 |
+$ libressl ts -query -in design1.tsq -text |
1526 |
.Ed |
1527 |
.Pp |
1528 |
To create a time stamp request which includes the MD5 digest |
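Review bot: The `.Pa` line is only half renamed. `openssl/apps/libressl.cnf` keeps the old source directory but changes the file name, while `.Ev OPENSSL_CONF` just above it is left untouched, so the path probably names a file that is not shipped. Every TS example in this hunk assumes that configuration file can be found, so the reference should match the file actually distributed. If the example config is still `openssl.cnf`, keep `.Pa openssl/apps/openssl.cnf`.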
1529 |
@@ -8174,7 +8174,7 @@ specifies a policy ID |
1530 |
(assuming the tsa_policy1 name is defined in the |
1531 |
OID section of the config file): |
1532 |
.Bd -literal -offset indent |
1533 |
-$ openssl ts -query -data design2.txt -md5 \e |
1534 |
+$ libressl ts -query -data design2.txt -md5 \e |
1535 |
-policy tsa_policy1 -cert -out design2.tsq |
1536 |
.Ed |
1537 |
.Pp |
1538 |
@@ -8199,35 +8199,35 @@ tsakey.pem is the private key of the TSA |
1539 |
.Pp |
1540 |
To create a time stamp response for a request: |
1541 |
.Bd -literal -offset indent |
1542 |
-$ openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \e |
1543 |
+$ libressl ts -reply -queryfile design1.tsq -inkey tsakey.pem \e |
1544 |
-signer tsacert.pem -out design1.tsr |
1545 |
.Ed |
1546 |
.Pp |
1547 |
If you want to use the settings in the config file you could just write: |
1548 |
.Bd -literal -offset indent |
1549 |
-$ openssl ts -reply -queryfile design1.tsq -out design1.tsr |
1550 |
+$ libressl ts -reply -queryfile design1.tsq -out design1.tsr |
1551 |
.Ed |
1552 |
.Pp |
1553 |
To print a time stamp reply to stdout in human readable format: |
1554 |
.Bd -literal -offset indent |
1555 |
-$ openssl ts -reply -in design1.tsr -text |
1556 |
+$ libressl ts -reply -in design1.tsr -text |
1557 |
.Ed |
1558 |
.Pp |
1559 |
To create a time stamp token instead of time stamp response: |
1560 |
.Bd -literal -offset indent |
1561 |
-$ openssl ts -reply -queryfile design1.tsq \e |
1562 |
+$ libressl ts -reply -queryfile design1.tsq \e |
1563 |
-out design1_token.der -token_out |
1564 |
.Ed |
1565 |
.Pp |
1566 |
To print a time stamp token to stdout in human readable format: |
1567 |
.Bd -literal -offset indent |
1568 |
-$ openssl ts -reply -in design1_token.der -token_in \e |
1569 |
+$ libressl ts -reply -in design1_token.der -token_in \e |
1570 |
-text -token_out |
1571 |
.Ed |
1572 |
.Pp |
1573 |
To extract the time stamp token from a response: |
1574 |
.Bd -literal -offset indent |
1575 |
-$ openssl ts -reply -in design1.tsr -out design1_token.der \e |
1576 |
+$ libressl ts -reply -in design1.tsr -out design1_token.der \e |
1577 |
-token_out |
1578 |
.Ed |
1579 |
.Pp |
1580 |
@@ -8235,31 +8235,31 @@ To add |
1581 |
.Dq granted |
1582 |
status info to a time stamp token thereby creating a valid response: |
1583 |
.Bd -literal -offset indent |
1584 |
-$ openssl ts -reply -in design1_token.der \e |
1585 |
+$ libressl ts -reply -in design1_token.der \e |
1586 |
-token_in -out design1.tsr |
1587 |
.Ed |
1588 |
.Pp |
1589 |
To verify a time stamp reply against a request: |
1590 |
.Bd -literal -offset indent |
1591 |
-$ openssl ts -verify -queryfile design1.tsq -in design1.tsr \e |
1592 |
+$ libressl ts -verify -queryfile design1.tsq -in design1.tsr \e |
1593 |
-CAfile cacert.pem -untrusted tsacert.pem |
1594 |
.Ed |
1595 |
.Pp |
1596 |
To verify a time stamp reply that includes the certificate chain: |
1597 |
.Bd -literal -offset indent |
1598 |
-$ openssl ts -verify -queryfile design2.tsq -in design2.tsr \e |
1599 |
+$ libressl ts -verify -queryfile design2.tsq -in design2.tsr \e |
1600 |
-CAfile cacert.pem |
1601 |
.Ed |
1602 |
.Pp |
1603 |
To verify a time stamp token against the original data file: |
1604 |
.Bd -literal -offset indent |
1605 |
-$ openssl ts -verify -data design2.txt -in design2.tsr \e |
1606 |
+$ libressl ts -verify -data design2.txt -in design2.tsr \e |
1607 |
-CAfile cacert.pem |
1608 |
.Ed |
1609 |
.Pp |
1610 |
To verify a time stamp token against a message imprint: |
1611 |
.Bd -literal -offset indent |
1612 |
-$ openssl ts -verify \e |
1613 |
+$ libressl ts -verify \e |
1614 |
-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e |
1615 |
-in design2.tsr -CAfile cacert.pem |
1616 |
.Ed |
1617 |
@@ -8274,7 +8274,7 @@ Pure TCP/IP is not supported. |
1618 |
The file containing the last serial number of the TSA is not |
1619 |
locked when being read or written. |
1620 |
This is a problem if more than one instance of |
1621 |
-.Nm OpenSSL |
1622 |
+.Nm LibreSSL |
1623 |
is trying to create a time stamp |
1624 |
response at the same time. |
1625 |
.Pp |
1626 |
@@ -8292,7 +8292,7 @@ OpenTSA project |
1627 |
.\" |
1628 |
.Sh SPKAC |
1629 |
.nr nS 1 |
1630 |
-.Nm "openssl spkac" |
1631 |
+.Nm "libressl spkac" |
1632 |
.Bk -words |
1633 |
.Op Fl challenge Ar string |
1634 |
.Op Fl in Ar file |
1635 |
@@ -8366,16 +8366,16 @@ Verifies the digital signature on the su |
1636 |
.Sh SPKAC EXAMPLES |
1637 |
Print out the contents of an SPKAC: |
1638 |
.Pp |
1639 |
-.Dl $ openssl spkac -in spkac.cnf |
1640 |
+.Dl $ libressl spkac -in spkac.cnf |
1641 |
.Pp |
1642 |
Verify the signature of an SPKAC: |
1643 |
.Pp |
1644 |
-.Dl $ openssl spkac -in spkac.cnf -noout -verify |
1645 |
+.Dl $ libressl spkac -in spkac.cnf -noout -verify |
1646 |
.Pp |
1647 |
Create an SPKAC using the challenge string |
1648 |
.Qq hello : |
1649 |
.Pp |
1650 |
-.Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf |
1651 |
+.Dl $ libressl spkac -key key.pem -challenge hello -out spkac.cnf |
1652 |
.Pp |
1653 |
Example of an SPKAC, |
1654 |
.Pq long lines split up for clarity : |
1655 |
@@ -8411,7 +8411,7 @@ to be used in a |
1656 |
.\" |
1657 |
.Sh VERIFY |
1658 |
.nr nS 1 |
1659 |
-.Nm "openssl verify" |
1660 |
+.Nm "libressl verify" |
1661 |
.Bk -words |
1662 |
.Op Fl CAfile Ar file |
1663 |
.Op Fl CApath Ar directory |
1664 |
@@ -8466,7 +8466,7 @@ option of the |
1665 |
utility). |
1666 |
The |
1667 |
.Nm c_rehash |
1668 |
-script distributed with OpenSSL |
1669 |
+script distributed with LibreSSL |
1670 |
will automatically create symbolic links to a directory of certificates. |
1671 |
.It Fl crl_check |
1672 |
Checks end entity certificate validity by attempting to look up a valid CRL. |
1673 |
@@ -8484,7 +8484,7 @@ Prints out a usage message. |
1674 |
.It Fl ignore_critical |
1675 |
Normally if an unhandled critical extension is present which is not |
1676 |
supported by |
1677 |
-.Nm OpenSSL , |
1678 |
+.Nm LibreSSL , |
1679 |
the certificate is rejected (as required by RFC 3280 et al). |
1680 |
If this option is set, critical extensions are ignored. |
1681 |
.It Fl inhibit_any |
1682 |
@@ -8781,13 +8781,13 @@ mishandled them. |
1683 |
.\" VERSION |
1684 |
.\" |
1685 |
.Sh VERSION |
1686 |
-.Nm openssl version |
1687 |
+.Nm libressl version |
1688 |
.Op Fl abdfopv |
1689 |
.Pp |
1690 |
The |
1691 |
.Nm version |
1692 |
command is used to print out version information about |
1693 |
-.Nm OpenSSL . |
1694 |
+.Nm LibreSSL . |
1695 |
.Pp |
1696 |
The options are as follows: |
1697 |
.Bl -tag -width Ds |
1698 |
@@ -8795,7 +8795,7 @@ The options are as follows: |
1699 |
All information: this is the same as setting all the other flags. |
1700 |
.It Fl b |
1701 |
The date the current version of |
1702 |
-.Nm OpenSSL |
1703 |
+.Nm LibreSSL |
1704 |
was built. |
1705 |
.It Fl d |
1706 |
.Ev OPENSSLDIR |
1707 |
@@ -8808,12 +8808,12 @@ Option information: various options set |
1708 |
Platform setting. |
1709 |
.It Fl v |
1710 |
The current |
1711 |
-.Nm OpenSSL |
1712 |
+.Nm LibreSSL |
1713 |
version. |
1714 |
.El |
1715 |
.Sh VERSION NOTES |
1716 |
The output of |
1717 |
-.Nm openssl version -a |
1718 |
+.Nm libressl version -a |
1719 |
would typically be used when sending in a bug report. |
1720 |
.Sh VERSION HISTORY |
1721 |
The |
1722 |
@@ -8826,7 +8826,7 @@ option was added in |
1723 |
.\" |
1724 |
.Sh X509 |
1725 |
.nr nS 1 |
1726 |
-.Nm "openssl x509" |
1727 |
+.Nm "libressl x509" |
1728 |
.Bk -words |
1729 |
.Op Fl C |
1730 |
.Op Fl addreject Ar arg |
1731 |
@@ -9029,7 +9029,7 @@ Outputs the |
1732 |
.Qq hash |
1733 |
of the certificate subject name. |
1734 |
This is used in |
1735 |
-.Nm OpenSSL |
1736 |
+.Nm LibreSSL |
1737 |
to form an index to allow certificates in a directory to be looked up |
1738 |
by subject name. |
1739 |
.It Fl subject_hash_old |
1740 |
@@ -9072,7 +9072,7 @@ See the description of the |
1741 |
utility for more information on the meaning of trust settings. |
1742 |
.Pp |
1743 |
Future versions of |
1744 |
-.Nm OpenSSL |
1745 |
+.Nm LibreSSL |
1746 |
will recognize trust settings on any certificate: not just root CAs. |
1747 |
.Bl -tag -width "XXXX" |
1748 |
.It Fl addreject Ar arg |
1749 |
@@ -9092,7 +9092,7 @@ and |
1750 |
.Pq S/MIME email |
1751 |
are used. |
1752 |
Other |
1753 |
-.Nm OpenSSL |
1754 |
+.Nm LibreSSL |
1755 |
applications may define additional uses. |
1756 |
.It Fl alias |
1757 |
Outputs the certificate alias, if any. |
1758 |
@@ -9321,7 +9321,7 @@ if this option is not set, non-character |
1759 |
as though each content octet represents a single character. |
1760 |
.It Ar dump_unknown |
1761 |
Dump any field whose OID is not recognised by |
1762 |
-.Nm OpenSSL . |
1763 |
+.Nm LibreSSL . |
1764 |
.It Ar esc_2253 |
1765 |
Escape the |
1766 |
.Qq special |
1767 |
@@ -9496,56 +9496,56 @@ Don't print out the version number. |
1768 |
.Sh X509 EXAMPLES |
1769 |
Display the contents of a certificate: |
1770 |
.Pp |
1771 |
-.Dl $ openssl x509 -in cert.pem -noout -text |
1772 |
+.Dl $ libressl x509 -in cert.pem -noout -text |
1773 |
.Pp |
1774 |
Display the certificate serial number: |
1775 |
.Pp |
1776 |
-.Dl $ openssl x509 -in cert.pem -noout -serial |
1777 |
+.Dl $ libressl x509 -in cert.pem -noout -serial |
1778 |
.Pp |
1779 |
Display the certificate subject name: |
1780 |
.Pp |
1781 |
-.Dl $ openssl x509 -in cert.pem -noout -subject |
1782 |
+.Dl $ libressl x509 -in cert.pem -noout -subject |
1783 |
.Pp |
1784 |
Display the certificate subject name in RFC 2253 form: |
1785 |
.Pp |
1786 |
-.Dl $ openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 |
1787 |
+.Dl $ libressl x509 -in cert.pem -noout -subject -nameopt RFC2253 |
1788 |
.Pp |
1789 |
Display the certificate subject name in oneline form on a terminal |
1790 |
supporting UTF8: |
1791 |
.Bd -literal -offset indent |
1792 |
-$ openssl x509 -in cert.pem -noout -subject \e |
1793 |
+$ libressl x509 -in cert.pem -noout -subject \e |
1794 |
-nameopt oneline,-esc_msb |
1795 |
.Ed |
1796 |
.Pp |
1797 |
Display the certificate MD5 fingerprint: |
1798 |
.Pp |
1799 |
-.Dl $ openssl x509 -in cert.pem -noout -fingerprint |
1800 |
+.Dl $ libressl x509 -in cert.pem -noout -fingerprint |
1801 |
.Pp |
1802 |
Display the certificate SHA1 fingerprint: |
1803 |
.Pp |
1804 |
-.Dl $ openssl x509 -sha1 -in cert.pem -noout -fingerprint |
1805 |
+.Dl $ libressl x509 -sha1 -in cert.pem -noout -fingerprint |
1806 |
.Pp |
1807 |
Convert a certificate from PEM to DER format: |
1808 |
.Pp |
1809 |
-.Dl "$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER" |
1810 |
+.Dl "$ libressl x509 -in cert.pem -inform PEM -out cert.der -outform DER" |
1811 |
.Pp |
1812 |
Convert a certificate to a certificate request: |
1813 |
.Bd -literal -offset indent |
1814 |
-$ openssl x509 -x509toreq -in cert.pem -out req.pem \e |
1815 |
+$ libressl x509 -x509toreq -in cert.pem -out req.pem \e |
1816 |
-signkey key.pem |
1817 |
.Ed |
1818 |
.Pp |
1819 |
Convert a certificate request into a self-signed certificate using |
1820 |
extensions for a CA: |
1821 |
.Bd -literal -offset indent |
1822 |
-$ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions \e |
1823 |
+$ libressl x509 -req -in careq.pem -extfile libressl.cnf -extensions \e |
1824 |
v3_ca -signkey key.pem -out cacert.pem |
1825 |
.Ed |
1826 |
.Pp |
1827 |
Sign a certificate request using the CA certificate above and add user |
1828 |
certificate extensions: |
1829 |
.Bd -literal -offset indent |
1830 |
-$ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions \e |
1831 |
+$ libressl x509 -req -in req.pem -extfile libressl.cnf -extensions \e |
1832 |
v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial |
1833 |
.Ed |
1834 |
.Pp |
1835 |
@@ -9553,7 +9553,7 @@ Set a certificate to be trusted for SSL |
1836 |
client use and set its alias to |
1837 |
.Qq Steve's Class 1 CA : |
1838 |
.Bd -literal -offset indent |
1839 |
-$ openssl x509 -in cert.pem -addtrust clientAuth \e |
1840 |
+$ libressl x509 -in cert.pem -addtrust clientAuth \e |
1841 |
-setalias "Steve's Class 1 CA" -out trust.pem |
1842 |
.Ed |
1843 |
.Sh X509 NOTES |
1844 |
@@ -9802,18 +9802,18 @@ or similar. |
1845 |
.\" FILES |
1846 |
.\" |
1847 |
.Sh FILES |
1848 |
-.Bl -tag -width "/etc/ssl/openssl.cnf" -compact |
1849 |
-.It Pa /etc/ssl/ |
1850 |
+.Bl -tag -width "/etc/pki/tls/libressl.cnf" -compact |
1851 |
+.It Pa /etc/pki/tls/ |
1852 |
Default config directory for |
1853 |
-.Nm openssl . |
1854 |
-.It Pa /etc/ssl/lib/ |
1855 |
+.Nm libressl . |
1856 |
+.It Pa /etc/pki/tls/lib/ |
1857 |
Unused. |
1858 |
-.It Pa /etc/ssl/private/ |
1859 |
+.It Pa /etc/pki/tls/private/ |
1860 |
Default private key directory. |
1861 |
-.It Pa /etc/ssl/openssl.cnf |
1862 |
+.It Pa /etc/pki/tls/libressl.cnf |
1863 |
Default configuration file for |
1864 |
-.Nm openssl . |
1865 |
-.It Pa /etc/ssl/x509v3.cnf |
1866 |
+.Nm libressl . |
1867 |
+.It Pa /etc/pki/tls/x509v3.cnf |
1868 |
Default configuration file for |
1869 |
.Nm x509 |
1870 |
certificates. |
1871 |
diff -Naurp libressl-2.3.1/man/OPENSSL_config.3 libressl-2.3.1.oden/man/OPENSSL_config.3 |
1872 |
--- libressl-2.3.1/man/OPENSSL_config.3 2015-10-26 11:59:22.000000000 +0100 |
1873 |
+++ libressl-2.3.1.oden/man/OPENSSL_config.3 2015-11-24 12:09:15.824646097 +0100 |
1874 |
@@ -150,7 +150,7 @@ OPENSSL_config, OPENSSL_no_config \- sim |
1875 |
.Ve |
1876 |
.SH "DESCRIPTION" |
1877 |
.IX Header "DESCRIPTION" |
1878 |
-\&\fIOPENSSL_config()\fR configures OpenSSL using the standard \fBopenssl.cnf\fR |
1879 |
+\&\fIOPENSSL_config()\fR configures OpenSSL using the standard \fBlibressl.cnf\fR |
1880 |
configuration file name using \fBconfig_name\fR. If \fBconfig_name\fR is \s-1NULL\s0 then |
1881 |
the default name \fBopenssl_conf\fR will be used. Any errors are ignored. Further |
1882 |
calls to \fIOPENSSL_config()\fR will have no effect. The configuration file format |