csu3_am335x/EVSE/GPL/openssl-1.0.2g/release/openssl/man/man5/config.5

.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONFIG 5"
.TH CONFIG 5 "2019-09-12" "1.0.2g" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
config \- OpenSSL CONF library configuration files
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
files for the \fBx509\fR utility. OpenSSL applications can also use the
\&\s-1CONF\s0 library for their own purposes.
.PP
A configuration file is divided into a number of sections. Each section
starts with a line \fB[ section_name ]\fR and ends when a new section is
started or end of file is reached. A section name can consist of
alphanumeric characters and underscores.
.PP
The first section of a configuration file is special and is referred
to as the \fBdefault\fR section this is usually unnamed and is from the
start of file until the first named section. When a name is being looked up
it is first looked up in a named section (if any) and then the
default section.
.PP
The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
.PP
Comments can be included by preceding them with the \fB#\fR character
.PP
Each section in a configuration file consists of a number of name and
value pairs of the form \fBname=value\fR
.PP
The \fBname\fR string can contain any alphanumeric characters as well as
a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
.PP
The \fBvalue\fR string consists of the string following the \fB=\fR character
until end of line with any leading and trailing white space removed.
.PP
The value string undergoes variable expansion. This can be done by
including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value
of the named variable in the current section. It is also possible to
substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR
or \fB${section::name}\fR. By using the form \fB\f(CB$ENV::name\fB\fR environment
variables can be substituted. It is also possible to assign values to
environment variables by using the name \fBENV::name\fR, this will work
if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
instead of calling \fB\f(BIgetenv()\fB\fR directly.
.PP
It is possible to escape certain characters by using any kind of quote
or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
a \fBvalue\fR string can be spread across multiple lines. In addition
the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
.SH "OPENSSL LIBRARY CONFIGURATION"
.IX Header "OPENSSL LIBRARY CONFIGURATION"
In OpenSSL 0.9.7 and later applications can automatically configure certain
aspects of OpenSSL using the master OpenSSL configuration file, or optionally
an alternative configuration file. The \fBopenssl\fR utility includes this
functionality: any sub command uses the master OpenSSL configuration file
unless an option is used in the sub command to use an alternative configuration
file.
.PP
To enable library configuration the default section needs to contain an 
appropriate line which points to the main configuration section. The default
name is \fBopenssl_conf\fR which is used by the \fBopenssl\fR utility. Other
applications may use an alternative name such as \fBmyapplicaton_conf\fR.
.PP
The configuration section should consist of a set of name value pairs which
contain specific module configuration information. The \fBname\fR represents
the name of the \fIconfiguration module\fR the meaning of the \fBvalue\fR is 
module specific: it may, for example, represent a further configuration
section containing configuration module specific information. E.g.
.PP
.Vb 1
\& openssl_conf = openssl_init
\&
\& [openssl_init]
\&
\& oid_section = new_oids
\& engines = engine_section
\&
\& [new_oids]
\&
\& ... new oids here ...
\&
\& [engine_section]
\&
\& ... engine stuff here ...
.Ve
.PP
The features of each configuration module are described below.
.SS "\s-1ASN1 OBJECT CONFIGURATION MODULE\s0"
.IX Subsection "ASN1 OBJECT CONFIGURATION MODULE"
This module has the name \fBoid_section\fR. The value of this variable points
to a section containing name value pairs of OIDs: the name is the \s-1OID\s0 short
and long name, the value is the numerical form of the \s-1OID.\s0 Although some of
the \fBopenssl\fR utility sub commands already have their own \s-1ASN1 OBJECT\s0 section
functionality not all do. By using the \s-1ASN1 OBJECT\s0 configuration module
\&\fBall\fR the \fBopenssl\fR utility sub commands can see the new objects as well
as any compliant applications. For example:
.PP
.Vb 1
\& [new_oids]
\& 
\& some_new_oid = 1.2.3.4
\& some_other_oid = 1.2.3.5
.Ve
.PP
In OpenSSL 0.9.8 it is also possible to set the value to the long name followed
by a comma and the numerical \s-1OID\s0 form. For example:
.PP
.Vb 1
\& shortName = some object long name, 1.2.3.4
.Ve
.SS "\s-1ENGINE CONFIGURATION MODULE\s0"
.IX Subsection "ENGINE CONFIGURATION MODULE"
This \s-1ENGINE\s0 configuration module has the name \fBengines\fR. The value of this
variable points to a section containing further \s-1ENGINE\s0 configuration
information.
.PP
The section pointed to by \fBengines\fR is a table of engine names (though see
\&\fBengine_id\fR below) and further sections containing configuration information
specific to each \s-1ENGINE.\s0
.PP
Each \s-1ENGINE\s0 specific section is used to set default algorithms, load
dynamic, perform initialization and send ctrls. The actual operation performed
depends on the \fIcommand\fR name which is the name of the name value pair. The
currently supported commands are listed below.
.PP
For example:
.PP
.Vb 1
\& [engine_section]
\&
\& # Configure ENGINE named "foo"
\& foo = foo_section
\& # Configure ENGINE named "bar"
\& bar = bar_section
\&
\& [foo_section]
\& ... foo ENGINE specific commands ...
\&
\& [bar_section]
\& ... "bar" ENGINE specific commands ...
.Ve
.PP
The command \fBengine_id\fR is used to give the \s-1ENGINE\s0 name. If used this 
command must be first. For example:
.PP
.Vb 3
\& [engine_section]
\& # This would normally handle an ENGINE named "foo"
\& foo = foo_section
\&
\& [foo_section]
\& # Override default name and use "myfoo" instead.
\& engine_id = myfoo
.Ve
.PP
The command \fBdynamic_path\fR loads and adds an \s-1ENGINE\s0 from the given path. It
is equivalent to sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed
by \fB\s-1LIST_ADD\s0\fR with value 2 and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is
not the required behaviour then alternative ctrls can be sent directly
to the dynamic \s-1ENGINE\s0 using ctrl commands.
.PP
The command \fBinit\fR determines whether to initialize the \s-1ENGINE.\s0 If the value
is \fB0\fR the \s-1ENGINE\s0 will not be initialized, if \fB1\fR and attempt it made to
initialized the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present
then an attempt will be made to initialize the \s-1ENGINE\s0 after all commands in
its section have been processed.
.PP
The command \fBdefault_algorithms\fR sets the default algorithms an \s-1ENGINE\s0 will
supply using the functions \fB\f(BIENGINE_set_default_string()\fB\fR
.PP
If the name matches none of the above command names it is assumed to be a
ctrl command which is sent to the \s-1ENGINE.\s0 The value of the command is the 
argument to the ctrl command. If the value is the string \fB\s-1EMPTY\s0\fR then no
value is sent to the command.
.PP
For example:
.PP
.Vb 1
\& [engine_section]
\&
\& # Configure ENGINE named "foo"
\& foo = foo_section
\&
\& [foo_section]
\& # Load engine from DSO
\& dynamic_path = /some/path/fooengine.so
\& # A foo specific ctrl.
\& some_ctrl = some_value
\& # Another ctrl that doesn\*(Aqt take a value.
\& other_ctrl = EMPTY
\& # Supply all default algorithms
\& default_algorithms = ALL
.Ve
.SS "\s-1EVP CONFIGURATION MODULE\s0"
.IX Subsection "EVP CONFIGURATION MODULE"
This modules has the name \fBalg_section\fR which points to a section containing
algorithm commands.
.PP
Currently the only algorithm command supported is \fBfips_mode\fR whose
value should be a boolean string such as \fBon\fR or \fBoff\fR. If the value is
\&\fBon\fR this attempt to enter \s-1FIPS\s0 mode. If the call fails or the library is
not \s-1FIPS\s0 capable then an error occurs.
.PP
For example:
.PP
.Vb 1
\& alg_section = evp_settings
\&
\& [evp_settings]
\&
\& fips_mode = on
.Ve
.SH "NOTES"
.IX Header "NOTES"
If a configuration file attempts to expand a variable that doesn't exist
then an error is flagged and the file will not load. This can happen
if an attempt is made to expand an environment variable that doesn't
exist. For example in a previous version of OpenSSL the default OpenSSL
master configuration file used the value of \fB\s-1HOME\s0\fR which may not be
defined on non Unix systems and would cause an error.
.PP
This can be worked around by including a \fBdefault\fR section to provide
a default value: then if the environment lookup fails the default value
will be used instead. For this to work properly the default value must
be defined earlier in the configuration file than the expansion. See
the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
.PP
If the same variable exists in the same section then all but the last
value will be silently ignored. In certain circumstances such as with
DNs the same field may occur multiple times. This is usually worked
around by ignoring any characters before an initial \fB.\fR e.g.
.PP
.Vb 2
\& 1.OU="My first OU"
\& 2.OU="My Second OU"
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Here is a sample configuration file using some of the features
mentioned above.
.PP
.Vb 1
\& # This is the default section.
\& 
\& HOME=/temp
\& RANDFILE= ${ENV::HOME}/.rnd
\& configdir=$ENV::HOME/config
\&
\& [ section_one ]
\&
\& # We are now in section one.
\&
\& # Quotes permit leading and trailing whitespace
\& any = " any variable name "
\&
\& other = A string that can \e
\& cover several lines \e
\& by including \e\e characters
\&
\& message = Hello World\en
\&
\& [ section_two ]
\&
\& greeting = $section_one::message
.Ve
.PP
This next example shows how to expand environment variables safely.
.PP
Suppose you want a variable called \fBtmpfile\fR to refer to a
temporary filename. The directory it is placed in can determined by
the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be
set to any value at all. If you just include the environment variable
names and the variable doesn't exist then this will cause an error when
an attempt is made to load the configuration file. By making use of the
default section both values can be looked up with \fB\s-1TEMP\s0\fR taking 
priority and \fB/tmp\fR used if neither is defined:
.PP
.Vb 5
\& TMP=/tmp
\& # The above value is used if TMP isn\*(Aqt in the environment
\& TEMP=$ENV::TMP
\& # The above value is used if TEMP isn\*(Aqt in the environment
\& tmpfile=${ENV::TEMP}/tmp.filename
.Ve
.PP
Simple OpenSSL library configuration example to enter \s-1FIPS\s0 mode:
.PP
.Vb 3
\& # Default appname: should match "appname" parameter (if any)
\& # supplied to CONF_modules_load_file et al.
\& openssl_conf = openssl_conf_section
\&
\& [openssl_conf_section]
\& # Configuration module list
\& alg_section = evp_sect
\&
\& [evp_sect]
\& # Set to "yes" to enter FIPS mode if supported
\& fips_mode = yes
.Ve
.PP
Note: in the above example you will get an error in non \s-1FIPS\s0 capable versions
of OpenSSL.
.PP
More complex OpenSSL library configuration. Add \s-1OID\s0 and don't enter \s-1FIPS\s0 mode:
.PP
.Vb 3
\& # Default appname: should match "appname" parameter (if any)
\& # supplied to CONF_modules_load_file et al.
\& openssl_conf = openssl_conf_section
\&
\& [openssl_conf_section]
\& # Configuration module list
\& alg_section = evp_sect
\& oid_section = new_oids
\&
\& [evp_sect]
\& # This will have no effect as FIPS mode is off by default.
\& # Set to "yes" to enter FIPS mode, if supported
\& fips_mode = no
\&
\& [new_oids]
\& # New OID, just short name
\& newoid1 = 1.2.3.4.1
\& # New OID shortname and long name
\& newoid2 = New OID 2 long name, 1.2.3.4.2
.Ve
.PP
The above examples can be used with with any application supporting library
configuration if \*(L"openssl_conf\*(R" is modified to match the appropriate \*(L"appname\*(R".
.PP
For example if the second sample file above is saved to \*(L"example.cnf\*(R" then
the command line:
.PP
.Vb 1
\& OPENSSL_CONF=example.cnf openssl asn1parse \-genstr OID:1.2.3.4.1
.Ve
.PP
will output:
.PP
.Vb 1
\&    0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
.Ve
.PP
showing that the \s-1OID\s0 \*(L"newoid1\*(R" has been added as \*(L"1.2.3.4.1\*(R".
.SH "BUGS"
.IX Header "BUGS"
Currently there is no way to include characters using the octal \fB\ennn\fR
form. Strings are all null terminated so nulls cannot form part of
the value.
.PP
The escaping isn't quite right: if you want to use sequences like \fB\en\fR
you can't use any quote escaping on the same line.
.PP
Files are loaded in a single pass. This means that an variable expansion
will only work if the variables referenced are defined earlier in the
file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIx509\fR\|(1), \fIreq\fR\|(1), \fIca\fR\|(1)