Import OpenSSL 1.1.0f
This commit is contained in:
Steve Dower
Steve Dower
@@ -7,6 +7,7 @@ ocsp - Online Certificate Status Protocol utility
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<openssl> B<ocsp>
|
||||
[B<-help>]
|
||||
[B<-out file>]
|
||||
[B<-issuer file>]
|
||||
[B<-cert file>]
|
||||
@@ -25,12 +26,41 @@ B<openssl> B<ocsp>
|
||||
[B<-nonce>]
|
||||
[B<-no_nonce>]
|
||||
[B<-url URL>]
|
||||
[B<-host host:n>]
|
||||
[B<-header name value>]
|
||||
[B<-host host:port>]
|
||||
[B<-header>]
|
||||
[B<-path>]
|
||||
[B<-CApath dir>]
|
||||
[B<-CAfile file>]
|
||||
[B<-no-CAfile>]
|
||||
[B<-no-CApath>]
|
||||
[B<-attime timestamp>]
|
||||
[B<-check_ss_sig>]
|
||||
[B<-crl_check>]
|
||||
[B<-crl_check_all>]
|
||||
[B<-explicit_policy>]
|
||||
[B<-extended_crl>]
|
||||
[B<-ignore_critical>]
|
||||
[B<-inhibit_any>]
|
||||
[B<-inhibit_map>]
|
||||
[B<-no_check_time>]
|
||||
[B<-partial_chain>]
|
||||
[B<-policy arg>]
|
||||
[B<-policy_check>]
|
||||
[B<-policy_print>]
|
||||
[B<-purpose purpose>]
|
||||
[B<-suiteB_128>]
|
||||
[B<-suiteB_128_only>]
|
||||
[B<-suiteB_192>]
|
||||
[B<-trusted_first>]
|
||||
[B<-no_alt_chains>]
|
||||
[B<-use_deltas>]
|
||||
[B<-auth_level num>]
|
||||
[B<-verify_depth num>]
|
||||
[B<-verify_email email>]
|
||||
[B<-verify_hostname hostname>]
|
||||
[B<-verify_ip ip>]
|
||||
[B<-verify_name name>]
|
||||
[B<-x509_strict>]
|
||||
[B<-VAfile file>]
|
||||
[B<-validity_period n>]
|
||||
[B<-status_age n>]
|
||||
@@ -65,10 +95,19 @@ The B<ocsp> command performs many common OCSP tasks. It can be used
|
||||
to print out requests and responses, create requests and send queries
|
||||
to an OCSP responder and behave like a mini OCSP server itself.
|
||||
|
||||
=head1 OCSP CLIENT OPTIONS
|
||||
=head1 OPTIONS
|
||||
|
||||
This command operates as either a client or a server.
|
||||
The options are described below, divided into those two modes.
|
||||
|
||||
=head2 OCSP Client Options
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<-help>
|
||||
|
||||
Print out a usage message.
|
||||
|
||||
=item B<-out filename>
|
||||
|
||||
specify output filename, default is standard output.
|
||||
@@ -107,7 +146,7 @@ Additional certificates to include in the signed request.
|
||||
=item B<-nonce>, B<-no_nonce>
|
||||
|
||||
Add an OCSP nonce extension to a request or disable OCSP nonce addition.
|
||||
Normally if an OCSP request is input using the B<respin> option no
|
||||
Normally if an OCSP request is input using the B<reqin> option no
|
||||
nonce is added: using the B<nonce> option will force addition of a nonce.
|
||||
If an OCSP request is being created (using B<cert> and B<serial> options)
|
||||
a nonce is automatically added specifying B<no_nonce> overrides this.
|
||||
@@ -134,15 +173,14 @@ specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
|
||||
|
||||
if the B<host> option is present then the OCSP request is sent to the host
|
||||
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
|
||||
or "/" by default.
|
||||
or "/" by default. This is equivalent to specifying B<-url> with scheme
|
||||
http:// and the given hostname, port, and pathname.
|
||||
|
||||
=item B<-header name value>
|
||||
=item B<-header name=value>
|
||||
|
||||
If sending a request to an OCSP server, then the specified header name and
|
||||
value are added to the HTTP request. Note that the B<name> and B<value> must
|
||||
be specified as two separate parameters, not as a single quoted string, and
|
||||
that the header name does not have the trailing colon.
|
||||
Some OCSP responders require a Host header; use this flag to provide it.
|
||||
Adds the header B<name> with the specified B<value> to the OCSP request
|
||||
that is sent to the responder.
|
||||
This may be repeated.
|
||||
|
||||
=item B<-timeout seconds>
|
||||
|
||||
@@ -153,9 +191,24 @@ connection timeout to the OCSP responder in seconds
|
||||
file or pathname containing trusted CA certificates. These are used to verify
|
||||
the signature on the OCSP response.
|
||||
|
||||
=item B<-no_alt_chains>
|
||||
=item B<-no-CAfile>
|
||||
|
||||
See L<B<verify>|verify(1)> manual page for details.
|
||||
Do not load the trusted CA certificates from the default file location
|
||||
|
||||
=item B<-no-CApath>
|
||||
|
||||
Do not load the trusted CA certificates from the default directory location
|
||||
|
||||
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
|
||||
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
|
||||
B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
|
||||
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
|
||||
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
|
||||
B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
|
||||
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
|
||||
|
||||
Set different certificate verification options.
|
||||
See L<verify(1)> manual page for details.
|
||||
|
||||
=item B<-verify_other file>
|
||||
|
||||
@@ -218,26 +271,29 @@ only be used for testing purposes.
|
||||
=item B<-validity_period nsec>, B<-status_age age>
|
||||
|
||||
these options specify the range of times, in seconds, which will be tolerated
|
||||
in an OCSP response. Each certificate status response includes a B<notBefore> time and
|
||||
an optional B<notAfter> time. The current time should fall between these two values, but
|
||||
the interval between the two times may be only a few seconds. In practice the OCSP
|
||||
responder and clients clocks may not be precisely synchronised and so such a check
|
||||
may fail. To avoid this the B<-validity_period> option can be used to specify an
|
||||
acceptable error range in seconds, the default value is 5 minutes.
|
||||
in an OCSP response. Each certificate status response includes a B<notBefore>
|
||||
time and an optional B<notAfter> time. The current time should fall between
|
||||
these two values, but the interval between the two times may be only a few
|
||||
seconds. In practice the OCSP responder and clients clocks may not be precisely
|
||||
synchronised and so such a check may fail. To avoid this the
|
||||
B<-validity_period> option can be used to specify an acceptable error range in
|
||||
seconds, the default value is 5 minutes.
|
||||
|
||||
If the B<notAfter> time is omitted from a response then this means that new status
|
||||
information is immediately available. In this case the age of the B<notBefore> field
|
||||
is checked to see it is not older than B<age> seconds old. By default this additional
|
||||
check is not performed.
|
||||
If the B<notAfter> time is omitted from a response then this means that new
|
||||
status information is immediately available. In this case the age of the
|
||||
B<notBefore> field is checked to see it is not older than B<age> seconds old.
|
||||
By default this additional check is not performed.
|
||||
|
||||
=item B<-md5|-sha1|-sha256|-ripemod160|...>
|
||||
=item B<-[digest]>
|
||||
|
||||
this option sets digest algorithm to use for certificate identification
|
||||
in the OCSP request. By default SHA-1 is used.
|
||||
this option sets digest algorithm to use for certificate identification in the
|
||||
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
|
||||
The default is SHA-1. This option may be used multiple times to specify the
|
||||
digest used by subsequent certificate identifiers.
|
||||
|
||||
=back
|
||||
|
||||
=head1 OCSP SERVER OPTIONS
|
||||
=head2 OCSP Server Options
|
||||
|
||||
=over 4
|
||||
|
||||
@@ -249,7 +305,7 @@ information.
|
||||
If the B<index> option is specified the B<ocsp> utility is in responder mode, otherwise
|
||||
it is in client mode. The request(s) the responder processes can be either specified on
|
||||
the command line (using B<issuer> and B<serial> options), supplied in a file (using the
|
||||
B<respin> option) or via external OCSP clients (if B<port> or B<url> is specified).
|
||||
B<reqin> option) or via external OCSP clients (if B<port> or B<url> is specified).
|
||||
|
||||
If the B<index> option is present then the B<CA> and B<rsigner> options must also be
|
||||
present.
|
||||
@@ -286,13 +342,13 @@ option.
|
||||
|
||||
=item B<-nrequest number>
|
||||
|
||||
The OCSP server will exit after receiving B<number> requests, default unlimited.
|
||||
The OCSP server will exit after receiving B<number> requests, default unlimited.
|
||||
|
||||
=item B<-nmin minutes>, B<-ndays days>
|
||||
|
||||
Number of minutes or days when fresh revocation information is available: used in the
|
||||
B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is
|
||||
omitted meaning fresh revocation information is immediately available.
|
||||
B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
|
||||
is omitted meaning fresh revocation information is immediately available.
|
||||
|
||||
=back
|
||||
|
||||
@@ -354,7 +410,7 @@ format of revocation is also inefficient for large quantities of revocation
|
||||
data.
|
||||
|
||||
It is possible to run the B<ocsp> application in responder mode via a CGI
|
||||
script using the B<respin> and B<respout> options.
|
||||
script using the B<reqin> and B<respout> options.
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
@@ -362,40 +418,49 @@ Create an OCSP request and write it to a file:
|
||||
|
||||
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
|
||||
|
||||
Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
|
||||
response to a file and print it out in text form
|
||||
Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
|
||||
response to a file, print it out in text form, and verify the response:
|
||||
|
||||
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
|
||||
-url http://ocsp.myhost.com/ -resp_text -respout resp.der
|
||||
|
||||
Read in an OCSP response and print out text form:
|
||||
|
||||
openssl ocsp -respin resp.der -text
|
||||
openssl ocsp -respin resp.der -text -noverify
|
||||
|
||||
OCSP server on port 8888 using a standard B<ca> configuration, and a separate
|
||||
responder certificate. All requests and responses are printed to a file.
|
||||
|
||||
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
|
||||
-text -out log.txt
|
||||
-text -out log.txt
|
||||
|
||||
As above but exit after processing one request:
|
||||
|
||||
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
|
||||
-nrequest 1
|
||||
|
||||
Query status information using internally generated request:
|
||||
Query status information using an internally generated request:
|
||||
|
||||
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
|
||||
-issuer demoCA/cacert.pem -serial 1
|
||||
|
||||
Query status information using request read from a file, write response to a
|
||||
second file.
|
||||
Query status information using request read from a file, and write the response
|
||||
to a second file.
|
||||
|
||||
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
|
||||
-reqin req.der -respout resp.der
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
The -no_alt_chains options was first added to OpenSSL 1.1.0.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
L<https://www.openssl.org/source/license.html>.
|
||||
|
||||
=cut
|
||||
|
||||
Reference in New Issue
Block a user