Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/openssl/openssl.1 | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/usr.sbin/openssl/openssl.1 b/usr.sbin/openssl/openssl.1 index d7adc32f08c..5abc0738ab9 100644 --- a/usr.sbin/openssl/openssl.1 +++ b/usr.sbin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.46 2004/07/23 10:35:44 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.47 2004/08/26 21:29:18 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -6943,17 +6943,19 @@ to be used in a .\" .Sh VERIFY .Nm openssl verify -.Op Fl CApath Ar directory -.Op Fl CAfile Ar file -.Op Fl purpose Ar purpose -.Op Fl untrusted Ar file +.Bk -words +.Op Fl crl_check .Op Fl help .Op Fl issuer_checks .Op Fl verbose -.Op Fl crl_check +.Op Fl CAfile Ar file +.Op Fl CApath Ar directory .Op Fl engine Ar id +.Op Fl purpose Ar purpose +.Op Fl untrusted Ar file .Op Fl .Op Ar certificates +.Ek .Pp The .Nm verify @@ -6961,7 +6963,7 @@ command verifies certificate chains. .Pp The options are as follows: .Bl -tag -width "XXXX" -.It Fl CApath directory +.It Fl CApath Ar directory A .Ar directory of trusted certificates. @@ -6998,8 +7000,10 @@ Without this option no chain verification will be done. Currently accepted uses are .Ar sslclient , sslserver , .Ar nssslserver , smimesign , +.Ar smimeencrypt , crlsign , +.Ar any , and -.Ar smimeencrypt . +.Ar ocsphelper . See the .Sx VERIFY OPERATION section for more information. 
@@ -7051,23 +7055,23 @@ after an error, whereas normally the verify operation would halt on the first error. This allows all the problems with a certificate chain to be determined. .Pp -The verify operation consists of a number of separate steps. +The verify operation consists of a number of separate steps: .Pp Firstly a certificate chain is built up starting from the supplied certificate and ending in the root CA. It is an error if the whole chain cannot be built up. -The chain is built up by looking up the issuers certificate of the current +The chain is built up by looking up the issuer's certificate of the current certificate. If a certificate is found which is its own issuer, it is assumed to be the root CA. .Pp The process of -.Qq looking up the issuers certificate +.Qq looking up the issuer's certificate itself involves a number of steps. In versions of .Nm OpenSSL before 0.9.5a the first certificate whose subject name matched the issuer -of the current certificate was assumed to be the issuers certificate. +of the current certificate was assumed to be the issuer's certificate. In .Nm OpenSSL 0.9.6 and later all certificates whose subject name matches the issuer name @@ -7140,7 +7144,7 @@ Finally a text version of the error number is presented. .Pp An exhaustive list of the error codes and messages is shown below; this also includes the name of the error code as defined in the header file -.Aq Pa x509_vfy.h . +.Aq Pa openssl/x509_vfy.h . Some of the error codes are defined but never returned: these are described as .Qq unused . @@ -7281,7 +7285,7 @@ be recognised. .Pp Previous versions of .Nm OpenSSL -assume certificates with matching subject name are identical and +assumed certificates with matching subject name were identical and mishandled them. .\" .\" VERSION |
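Review bot: In the VERIFY synopsis hunk (@@ -6943), the options are re-sorted so that argument-less flags come first and `-CAfile` precedes `-CApath`, yet the option list in the following hunk still opens with `.It Fl CApath Ar directory`. Please confirm the `.Bl -tag` list follows the same order as the new synopsis, or reorder it in the same commit, so that readers scanning from synopsis to description find the entries in the same sequence.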
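Review bot: In the `-purpose` hunk (@@ -6998), `crlsign`, `any` and `ocsphelper` are added to the accepted uses with no description, and the sentence still sends the reader to VERIFY OPERATION, which no hunk in this patch touches. Since the context line states "Without this option no chain verification will be done", someone picking a value needs to know what each one actually checks, `any` in particular. Suggest a one-line description of each new value here, or a check that VERIFY OPERATION already documents all three.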
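Review bot: In the @@ -7051 hunk, "The verify operation consists of a number of separate steps:" now ends in a colon but is followed by `.Pp` and ordinary paragraphs ("Firstly a certificate chain is built up ...") rather than a list, so the colon introduces nothing. Either keep the full stop or turn the steps into a `.Bl` list. While this paragraph is being edited, note that the context describes behaviour "before 0.9.5a" and in "0.9.6 and later" and says nothing about the releases in between; worth stating which issuer-lookup behaviour applies there.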