[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
-[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
-[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
-[B<-suiteB_128>]
-[B<-suiteB_128_only>]
-[B<-suiteB_192>]
[B<-trusted_first>]
[B<-use_deltas>]
[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
[B<-x509_strict>]
[B<-reconnect>]
[B<-pause>]
[B<-sess_out filename>]
[B<-sess_in filename>]
[B<-rand file(s)>]
-[B<-serverinfo types>]
-[B<-auth>]
-[B<-auth_require_reneg>]
=head1 DESCRIPTION
and to use when attempting to build the client certificate chain.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
-B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
-B<-verify_name>, B<-x509_strict>
+B<explicit_policy>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-issuer_checks>, B<-policy>,
+B<-policy_check>, B<-policy_print>, B<-purpose>,
+B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>,
+B<-x509_strict>
Set various certificate chain valiadition options. See the
L<B<verify>|verify(1)> manual page for details.
show all protocol messages with hex dump.
-=item B<-trace>
-
-show verbose trace output of protocol messages. OpenSSL needs to be compiled
-with B<enable-ssl-trace> for this option to work.
-
-=item B<-msgfile>
-
-file to send output of B<-msg> or B<-trace> to, default standard output.
-
=item B<-nbio_test>
tests non-blocking I/O
inhibit printing of session and certificate information. This implicitly
turns on B<-ign_eof> as well.
-=item B<-psk_identity identity>
-
-Use the PSK identity B<identity> when using a PSK cipher suite.
-
-=item B<-psk key>
-
-Use the PSK key B<key> when using a PSK cipher suite. The key is
-given as a hexadecimal number without leading 0x, for example -psk
-1a2b3c4d.
-
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
these options disable the use of certain SSL or TLS protocols. By default
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
-=item B<-brief>
-
-only provide a brief summary of connection parameters instead of the
-normal verbose output.
-
=item B<-cipher cipherlist>
this allows the cipher list sent by the client to be modified. Although
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item B<-serverinfo types>
-
-a list of comma-separated TLS Extension Types (numbers between 0 and
-65535). Each type will be sent as an empty ClientHello TLS Extension.
-The server's response (if any) will be encoded and displayed as a PEM
-file.
-
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
=back
=head1 CONNECTED COMMANDS
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
-[B<-extended_crl>]
[B<-help>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
-[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
-[B<-suiteB_128>]
-[B<-suiteB_128_only>]
-[B<-suiteB_192>]
[B<-trusted_first>]
[B<-untrusted file>]
[B<-use_deltas>]
[B<-verbose>]
[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
[B<-x509_strict>]
[B<->]
[certificates]
Set policy variable require-explicit-policy (see RFC5280).
-=item B<-extended_crl>
-
-Enable extended CRL features such as indirect CRLs and alternate CRL
-signing keys.
-
=item B<-help>
Print out a usage message.
anything is wrong; during the normal verification process, several
rejections may take place.
-=item B<-partial_chain>
-
-Allow partial certificate chain if at least one certificate is in trusted store.
-
=item B<-policy arg>
Enable policy processing and add B<arg> to the user-initial-policy-set (see
B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more
information.
-=item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
-
-enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
-192 bit, or only 192 bit Level of Security respectively.
-See RFC6460 for details. In particular the supported signature algorithms are
-reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
-P-256 and P-384.
-
=item B<-trusted_first>
Use certificates in CA file or CA directory before certificates in untrusted
Limit the maximum depth of the certificate chain to B<num> certificates.
-=item B<-verify_email email>
-
-Verify if the B<email> matches the email address in Subject Alternative Name or
-the email in the subject Distinguished Name.
-
-=item B<-verify_hostname hostname>
-
-Verify if the B<hostname> matches DNS name in Subject Alternative Name or
-Common Name in the subject certificate.
-
-=item B<-verify_ip ip>
-
-Verify if the B<ip> matches the IP address in Subject Alternative Name of
-the subject certificate.
-
-=item B<-verify_name name>
-
-Use default verification options like trust model and required certificate
-policies identified by B<name>.
-Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server.
-
=item B<-x509_strict>
For strict X.509 compliance, disable non-compliant workarounds for broken
projects / oweals / openssl.git / commitdiff