csu3_am335x/EVSE/GPL/openssl-1.1.1n/release/share/man/man5/config.5

.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONFIG 5"
.TH CONFIG 5 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
config \- OpenSSL CONF library configuration files
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
files for the \fBx509\fR utility. OpenSSL applications can also use the
\&\s-1CONF\s0 library for their own purposes.
.PP
A configuration file is divided into a number of sections. Each section
starts with a line \fB[ section_name ]\fR and ends when a new section is
started or end of file is reached. A section name can consist of
alphanumeric characters and underscores.
.PP
The first section of a configuration file is special and is referred
to as the \fBdefault\fR section. This section is usually unnamed and spans from the
start of file until the first named section. When a name is being looked up
it is first looked up in a named section (if any) and then the
default section.
.PP
The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
.PP
Comments can be included by preceding them with the \fB#\fR character
.PP
Other files can be included using the \fB.include\fR directive followed
by a path. If the path points to a directory all files with
names ending with \fB.cnf\fR or \fB.conf\fR are included from the directory.
Recursive inclusion of directories from files in such directory is not
supported. That means the files in the included directory can also contain
\&\fB.include\fR directives but only inclusion of regular files is supported
there. The inclusion of directories is not supported on systems without
\&\s-1POSIX IO\s0 support.
.PP
It is strongly recommended to use absolute paths with the \fB.include\fR
directive. Relative paths are evaluated based on the application current
working directory so unless the configuration file containing the
\&\fB.include\fR directive is application specific the inclusion will not
work as expected.
.PP
There can be optional \fB=\fR character and whitespace characters between
\&\fB.include\fR directive and the path which can be useful in cases the
configuration file needs to be loaded by old OpenSSL versions which do
not support the \fB.include\fR syntax. They would bail out with error
if the \fB=\fR character is not present but with it they just ignore
the include.
.PP
Each section in a configuration file consists of a number of name and
value pairs of the form \fBname=value\fR
.PP
The \fBname\fR string can contain any alphanumeric characters as well as
a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
.PP
The \fBvalue\fR string consists of the string following the \fB=\fR character
until end of line with any leading and trailing white space removed.
.PP
The value string undergoes variable expansion. This can be done by
including the form \fB\f(CB$var\fB\fR or \fB${var}\fR: this will substitute the value
of the named variable in the current section. It is also possible to
substitute a value from another section using the syntax \fB\f(CB$section::name\fB\fR
or \fB${section::name}\fR. By using the form \fB\f(CB$ENV::name\fB\fR environment
variables can be substituted. It is also possible to assign values to
environment variables by using the name \fBENV::name\fR, this will work
if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
instead of calling \fBgetenv()\fR directly. The value string must not exceed 64k in
length after variable expansion. Otherwise an error will occur.
.PP
It is possible to escape certain characters by using any kind of quote
or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
a \fBvalue\fR string can be spread across multiple lines. In addition
the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
.PP
All expansion and escape rules as described above that apply to \fBvalue\fR
also apply to the path of the \fB.include\fR directive.
.SH "OPENSSL LIBRARY CONFIGURATION"
.IX Header "OPENSSL LIBRARY CONFIGURATION"
Applications can automatically configure certain
aspects of OpenSSL using the master OpenSSL configuration file, or optionally
an alternative configuration file. The \fBopenssl\fR utility includes this
functionality: any sub command uses the master OpenSSL configuration file
unless an option is used in the sub command to use an alternative configuration
file.
.PP
To enable library configuration the default section needs to contain an
appropriate line which points to the main configuration section. The default
name is \fBopenssl_conf\fR which is used by the \fBopenssl\fR utility. Other
applications may use an alternative name such as \fBmyapplication_conf\fR.
All library configuration lines appear in the default section at the start
of the configuration file.
.PP
The configuration section should consist of a set of name value pairs which
contain specific module configuration information. The \fBname\fR represents
the name of the \fIconfiguration module\fR. The meaning of the \fBvalue\fR is
module specific: it may, for example, represent a further configuration
section containing configuration module specific information. E.g.:
.PP
.Vb 2
\& # This must be in the default section
\& openssl_conf = openssl_init
\&
\& [openssl_init]
\&
\& oid_section = new_oids
\& engines = engine_section
\&
\& [new_oids]
\&
\& ... new oids here ...
\&
\& [engine_section]
\&
\& ... engine stuff here ...
.Ve
.PP
The features of each configuration module are described below.
.SS "\s-1ASN1\s0 Object Configuration Module"
.IX Subsection "ASN1 Object Configuration Module"
This module has the name \fBoid_section\fR. The value of this variable points
to a section containing name value pairs of OIDs: the name is the \s-1OID\s0 short
and long name, the value is the numerical form of the \s-1OID.\s0 Although some of
the \fBopenssl\fR utility sub commands already have their own \s-1ASN1 OBJECT\s0 section
functionality not all do. By using the \s-1ASN1 OBJECT\s0 configuration module
\&\fBall\fR the \fBopenssl\fR utility sub commands can see the new objects as well
as any compliant applications. For example:
.PP
.Vb 1
\& [new_oids]
\&
\& some_new_oid = 1.2.3.4
\& some_other_oid = 1.2.3.5
.Ve
.PP
It is also possible to set the value to the long name followed
by a comma and the numerical \s-1OID\s0 form. For example:
.PP
.Vb 1
\& shortName = some object long name, 1.2.3.4
.Ve
.SS "Engine Configuration Module"
.IX Subsection "Engine Configuration Module"
This \s-1ENGINE\s0 configuration module has the name \fBengines\fR. The value of this
variable points to a section containing further \s-1ENGINE\s0 configuration
information.
.PP
The section pointed to by \fBengines\fR is a table of engine names (though see
\&\fBengine_id\fR below) and further sections containing configuration information
specific to each \s-1ENGINE.\s0
.PP
Each \s-1ENGINE\s0 specific section is used to set default algorithms, load
dynamic, perform initialization and send ctrls. The actual operation performed
depends on the \fIcommand\fR name which is the name of the name value pair. The
currently supported commands are listed below.
.PP
For example:
.PP
.Vb 1
\& [engine_section]
\&
\& # Configure ENGINE named "foo"
\& foo = foo_section
\& # Configure ENGINE named "bar"
\& bar = bar_section
\&
\& [foo_section]
\& ... foo ENGINE specific commands ...
\&
\& [bar_section]
\& ... "bar" ENGINE specific commands ...
.Ve
.PP
The command \fBengine_id\fR is used to give the \s-1ENGINE\s0 name. If used this
command must be first. For example:
.PP
.Vb 3
\& [engine_section]
\& # This would normally handle an ENGINE named "foo"
\& foo = foo_section
\&
\& [foo_section]
\& # Override default name and use "myfoo" instead.
\& engine_id = myfoo
.Ve
.PP
The command \fBdynamic_path\fR loads and adds an \s-1ENGINE\s0 from the given path. It
is equivalent to sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed
by \fB\s-1LIST_ADD\s0\fR with value 2 and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is
not the required behaviour then alternative ctrls can be sent directly
to the dynamic \s-1ENGINE\s0 using ctrl commands.
.PP
The command \fBinit\fR determines whether to initialize the \s-1ENGINE.\s0 If the value
is \fB0\fR the \s-1ENGINE\s0 will not be initialized, if \fB1\fR and attempt it made to
initialized the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present
then an attempt will be made to initialize the \s-1ENGINE\s0 after all commands in
its section have been processed.
.PP
The command \fBdefault_algorithms\fR sets the default algorithms an \s-1ENGINE\s0 will
supply using the functions \fBENGINE_set_default_string()\fR.
.PP
If the name matches none of the above command names it is assumed to be a
ctrl command which is sent to the \s-1ENGINE.\s0 The value of the command is the
argument to the ctrl command. If the value is the string \fB\s-1EMPTY\s0\fR then no
value is sent to the command.
.PP
For example:
.PP
.Vb 1
\& [engine_section]
\&
\& # Configure ENGINE named "foo"
\& foo = foo_section
\&
\& [foo_section]
\& # Load engine from DSO
\& dynamic_path = /some/path/fooengine.so
\& # A foo specific ctrl.
\& some_ctrl = some_value
\& # Another ctrl that doesn\*(Aqt take a value.
\& other_ctrl = EMPTY
\& # Supply all default algorithms
\& default_algorithms = ALL
.Ve
.SS "\s-1EVP\s0 Configuration Module"
.IX Subsection "EVP Configuration Module"
This modules has the name \fBalg_section\fR which points to a section containing
algorithm commands.
.PP
Currently the only algorithm command supported is \fBfips_mode\fR whose
value can only be the boolean string \fBoff\fR. If \fBfips_mode\fR is set to \fBon\fR,
an error occurs as this library version is not \s-1FIPS\s0 capable.
.SS "\s-1SSL\s0 Configuration Module"
.IX Subsection "SSL Configuration Module"
This module has the name \fBssl_conf\fR which points to a section containing
\&\s-1SSL\s0 configurations.
.PP
Each line in the \s-1SSL\s0 configuration section contains the name of the
configuration and the section containing it.
.PP
Each configuration section consists of command value pairs for \fB\s-1SSL_CONF\s0\fR.
Each pair will be passed to a \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structure if it calls
\&\fBSSL_CTX_config()\fR or \fBSSL_config()\fR with the appropriate configuration name.
.PP
Note: any characters before an initial dot in the configuration section are
ignored so the same command can be used multiple times.
.PP
For example:
.PP
.Vb 1
\& ssl_conf = ssl_sect
\&
\& [ssl_sect]
\&
\& server = server_section
\&
\& [server_section]
\&
\& RSA.Certificate = server\-rsa.pem
\& ECDSA.Certificate = server\-ecdsa.pem
\& Ciphers = ALL:!RC4
.Ve
.PP
The system default configuration with name \fBsystem_default\fR if present will
be applied during any creation of the \fB\s-1SSL_CTX\s0\fR structure.
.PP
Example of a configuration with the system default:
.PP
.Vb 1
\& ssl_conf = ssl_sect
\&
\& [ssl_sect]
\& system_default = system_default_sect
\&
\& [system_default_sect]
\& MinProtocol = TLSv1.2
\& MinProtocol = DTLSv1.2
.Ve
.SH "NOTES"
.IX Header "NOTES"
If a configuration file attempts to expand a variable that doesn't exist
then an error is flagged and the file will not load. This can happen
if an attempt is made to expand an environment variable that doesn't
exist. For example in a previous version of OpenSSL the default OpenSSL
master configuration file used the value of \fB\s-1HOME\s0\fR which may not be
defined on non Unix systems and would cause an error.
.PP
This can be worked around by including a \fBdefault\fR section to provide
a default value: then if the environment lookup fails the default value
will be used instead. For this to work properly the default value must
be defined earlier in the configuration file than the expansion. See
the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
.PP
If the same variable exists in the same section then all but the last
value will be silently ignored. In certain circumstances such as with
DNs the same field may occur multiple times. This is usually worked
around by ignoring any characters before an initial \fB.\fR e.g.
.PP
.Vb 2
\& 1.OU="My first OU"
\& 2.OU="My Second OU"
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Here is a sample configuration file using some of the features
mentioned above.
.PP
.Vb 1
\& # This is the default section.
\&
\& HOME=/temp
\& RANDFILE= ${ENV::HOME}/.rnd
\& configdir=$ENV::HOME/config
\&
\& [ section_one ]
\&
\& # We are now in section one.
\&
\& # Quotes permit leading and trailing whitespace
\& any = " any variable name "
\&
\& other = A string that can \e
\& cover several lines \e
\& by including \e\e characters
\&
\& message = Hello World\en
\&
\& [ section_two ]
\&
\& greeting = $section_one::message
.Ve
.PP
This next example shows how to expand environment variables safely.
.PP
Suppose you want a variable called \fBtmpfile\fR to refer to a
temporary filename. The directory it is placed in can determined by
the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be
set to any value at all. If you just include the environment variable
names and the variable doesn't exist then this will cause an error when
an attempt is made to load the configuration file. By making use of the
default section both values can be looked up with \fB\s-1TEMP\s0\fR taking
priority and \fB/tmp\fR used if neither is defined:
.PP
.Vb 5
\& TMP=/tmp
\& # The above value is used if TMP isn\*(Aqt in the environment
\& TEMP=$ENV::TMP
\& # The above value is used if TEMP isn\*(Aqt in the environment
\& tmpfile=${ENV::TEMP}/tmp.filename
.Ve
.PP
Simple OpenSSL library configuration example to enter \s-1FIPS\s0 mode:
.PP
.Vb 3
\& # Default appname: should match "appname" parameter (if any)
\& # supplied to CONF_modules_load_file et al.
\& openssl_conf = openssl_conf_section
\&
\& [openssl_conf_section]
\& # Configuration module list
\& alg_section = evp_sect
\&
\& [evp_sect]
\& # Set to "yes" to enter FIPS mode if supported
\& fips_mode = yes
.Ve
.PP
Note: in the above example you will get an error in non \s-1FIPS\s0 capable versions
of OpenSSL.
.PP
Simple OpenSSL library configuration to make \s-1TLS 1.2\s0 and \s-1DTLS 1.2\s0 the
system-default minimum \s-1TLS\s0 and \s-1DTLS\s0 versions, respectively:
.PP
.Vb 2
\& # Toplevel section for openssl (including libssl)
\& openssl_conf = default_conf_section
\&
\& [default_conf_section]
\& # We only specify configuration for the "ssl module"
\& ssl_conf = ssl_section
\&
\& [ssl_section]
\& system_default = system_default_section
\&
\& [system_default_section]
\& MinProtocol = TLSv1.2
\& MinProtocol = DTLSv1.2
.Ve
.PP
The minimum \s-1TLS\s0 protocol is applied to \fB\s-1SSL_CTX\s0\fR objects that are TLS-based,
and the minimum \s-1DTLS\s0 protocol to those are DTLS-based.
The same applies also to maximum versions set with \fBMaxProtocol\fR.
.PP
More complex OpenSSL library configuration. Add \s-1OID\s0 and don't enter \s-1FIPS\s0 mode:
.PP
.Vb 3
\& # Default appname: should match "appname" parameter (if any)
\& # supplied to CONF_modules_load_file et al.
\& openssl_conf = openssl_conf_section
\&
\& [openssl_conf_section]
\& # Configuration module list
\& alg_section = evp_sect
\& oid_section = new_oids
\&
\& [evp_sect]
\& # This will have no effect as FIPS mode is off by default.
\& # Set to "yes" to enter FIPS mode, if supported
\& fips_mode = no
\&
\& [new_oids]
\& # New OID, just short name
\& newoid1 = 1.2.3.4.1
\& # New OID shortname and long name
\& newoid2 = New OID 2 long name, 1.2.3.4.2
.Ve
.PP
The above examples can be used with any application supporting library
configuration if \*(L"openssl_conf\*(R" is modified to match the appropriate \*(L"appname\*(R".
.PP
For example if the second sample file above is saved to \*(L"example.cnf\*(R" then
the command line:
.PP
.Vb 1
\& OPENSSL_CONF=example.cnf openssl asn1parse \-genstr OID:1.2.3.4.1
.Ve
.PP
will output:
.PP
.Vb 1
\&    0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
.Ve
.PP
showing that the \s-1OID\s0 \*(L"newoid1\*(R" has been added as \*(L"1.2.3.4.1\*(R".
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL_CONF\s0\fR" 4
.IX Item "OPENSSL_CONF"
The path to the config file.
Ignored in set-user-ID and set-group-ID programs.
.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory.
Ignored in set-user-ID and set-group-ID programs.
.SH "BUGS"
.IX Header "BUGS"
Currently there is no way to include characters using the octal \fB\ennn\fR
form. Strings are all null terminated so nulls cannot form part of
the value.
.PP
The escaping isn't quite right: if you want to use sequences like \fB\en\fR
you can't use any quote escaping on the same line.
.PP
Files are loaded in a single pass. This means that a variable expansion
will only work if the variables referenced are defined earlier in the
file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBx509\fR\|(1), \fBreq\fR\|(1), \fBca\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.