Browse Source

DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency

Reviewed-by: Paul Dale <>
(Merged from
Dr. David von Oheimb 1 year ago
committed by Dr. David von Oheimb
14 changed files with 170 additions and 35 deletions
  1. +3
  2. +6
  3. +2
  4. +4
  5. +4
  6. +4
  7. +5
  8. +4
  9. +78
  10. +8
  11. +25
  12. +13
  13. +7
  14. +7

+ 3
- 3
apps/ View File

@ -122,9 +122,9 @@ if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
print STDERR <<EOF;
Usage: -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter] -pkcs12 [-extra-pkcs12 parameter] [certname] -verify [-extra-verify parameter] certfile ... -revoke [-extra-ca parameter] certfile [reason] -pkcs12 [certname] -verify certfile ... -revoke certfile [reason]
exit 0;

+ 6
- 6
apps/s_server.c View File

@ -718,7 +718,7 @@ const OPTIONS s_server_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"ssl_config", OPT_SSL_CONFIG, 's',
"Configure SSL_CTX using the configuration 'val'"},
"Configure SSL_CTX using the given configuration value"},
{"trace", OPT_TRACE, '-', "trace protocol messages"},
@ -786,7 +786,7 @@ const OPTIONS s_server_options[] = {
{"servername", OPT_SERVERNAME, 's',
"Servername for HostName TLS extension"},
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
"mismatch send fatal alert (default warning alert)"},
"On servername mismatch send fatal alert (default warning alert)"},
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
{"quiet", OPT_QUIET, '-', "No server output"},
@ -823,13 +823,13 @@ const OPTIONS s_server_options[] = {
"use URI as certificate store to verify CA certificate"},
{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
{"ext_cache", OPT_EXT_CACHE, '-',
"Disable internal cache, setup and use external cache"},
"Disable internal cache, set up and use external cache"},
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-',
"No verify output except verify errors"},
{"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
{"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
@ -872,7 +872,7 @@ const OPTIONS s_server_options[] = {
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
{"mtu", OPT_MTU, 'p', "Set link layer MTU"},
{"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
{"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',

+ 2
- 2
apps/srp.c View File

@ -209,8 +209,8 @@ const OPTIONS srp_options[] = {
{"add", OPT_ADD, '-', "Add a user and srp verifier"},
{"modify", OPT_MODIFY, '-', "Modify the srp verifier of an existing user"},
{"add", OPT_ADD, '-', "Add a user and SRP verifier"},
{"modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user"},
{"delete", OPT_DELETE, '-', "Delete user from verifier file"},
{"list", OPT_LIST, '-', "List users"},

+ 4
- 4
doc/man1/ View File

@ -23,11 +23,11 @@ B<-crl> |
[B<-extra-I<cmd>> I<parameter>]
B<> B<-pkcs12> [B<-extra-pkcs12> I<parameter>] [I<certname>]
B<> B<-pkcs12> [I<certname>]
B<> B<-verify> [B<-extra-verify> I<parameter>] I<certfile> ...
B<> B<-verify> I<certfile> ...
B<> B<-revoke> [B<-extra-ca> I<parameter>] I<certfile> [I<reason>]
B<> B<-revoke> I<certfile> [I<reason>]
@ -57,7 +57,7 @@ the correct path of the configuration file.
=over 4
=item B<?>, B<-h>, B<-help>
=item B<-?>, B<-h>, B<-help>
Prints a usage message.

+ 4
- 0
doc/man1/ View File

@ -100,6 +100,10 @@ Prints out the public, private key components and parameters.
This option prevents output of the encoded version of the key.
=item B<-param_out>
Print the elliptic curve parameters.
=item B<-pubin>
By default, a private key is read from the input file. With this option a

+ 4
- 0
doc/man1/ View File

@ -54,6 +54,10 @@ either by itself or in addition to the encryption or decryption.
=over 4
=item B<-I<cipher>>
The cipher to use.
=item B<-help>
Print out a usage message.

+ 5
- 2
doc/man1/ View File

@ -14,6 +14,7 @@ B<openssl> B<ocsp>
[B<-out> I<file>]
[B<-issuer> I<file>]
[B<-cert> I<file>]
[B<-serial> I<n>]
[B<-signer> I<file>]
[B<-signkey> I<file>]
@ -23,7 +24,6 @@ B<openssl> B<ocsp>
[B<-reqout> I<file>]
[B<-respout> I<file>]
[B<-reqin> I<file>]
@ -112,6 +112,10 @@ Add the certificate I<filename> to the request. The issuer certificate
is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.
=item B<-no_certs>
Don't include any certificates in signed request.
=item B<-serial> I<num>
Same as the B<-cert> option except the certificate with serial number
@ -389,7 +393,6 @@ each child is willing to wait for the client's OCSP response.
This option is available on POSIX systems (that support the fork() and other
required unix system-calls).
=item B<-nmin> I<minutes>, B<-ndays> I<days>
Number of minutes or days when fresh revocation information is available:

+ 4
- 0
doc/man1/ View File

@ -101,6 +101,10 @@ When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
High values increase the time required to brute-force a PKCS#8 container.
=item B<-noiter>
When creating new PKCS#8 containers, use 1 as iteration count.
=item B<-nocrypt>
PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo

+ 78
- 3
doc/man1/ View File

@ -77,13 +77,13 @@ B<openssl> B<s_server>
[B<-no_proxy> I<addresses>]
[B<-status_url> I<val>]
[B<-status_file> I<infile>]
[B<-ssl_config> I<val>]
[B<-ssl_config> I<val>]
[B<-max_send_frag> I<+int>]
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
@ -123,9 +123,9 @@ B<openssl> B<s_server>
[B<-use_srtp> I<val>]
[B<-nextprotoneg> I<val>]
[B<-use_srtp> I<val>]
[B<-alpn> I<val>]
[B<-keylogfile> I<outfile>]
@ -303,6 +303,14 @@ This option translated a line feed from the terminal into CR+LF.
Print extensive debugging information including a hex dump of all traffic.
=item B<-security_debug>
Print output from SSL/TLS security framework.
=item B<-security_debug_verbose>
Print more output from SSL/TLS security framework
=item B<-msg>
Show all protocol messages with hex dump.
@ -377,6 +385,10 @@ DH).
Inhibit printing of session and certificate information.
=item B<-no_resume_ephemeral>
Disable caching and tickets if ephemeral (EC)DH is used.
=item B<-tlsextdebug>
Print a hex dump of any TLS extensions received from the server.
@ -426,6 +438,14 @@ option is enabled the peer does not need to send the close_notify alert and a
closed connection will be treated as if the close_notify alert was received.
For more information on shutting down a connection, see L<SSL_shutdown(3)>.
=item B<-servername>
Servername for HostName TLS extension.
=item B<-servername_fatal>
On servername mismatch send fatal alert (default: warning alert).
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
@ -433,12 +453,40 @@ for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (e.g. with a certain prefix).
=item B<-keymatexport>
Export keying material using label.
=item B<-keymatexportlen>
Export the given number of bytes of keying material; default 20.
=item B<-no_cache>
Disable session cache.
=item B<-ext_cache>.
Disable internal cache, set up and use external cache.
=item B<-verify_return_error>
Verification errors normally just print a message but allow the
connection to continue, for debugging purposes.
If this option is used, then verification errors close the connection.
=item B<-verify_quiet>
No verify output except verify errors.
=item B<-ign_eof>
Ignore input EOF (default: when B<-quiet>).
=item B<-no_ign_eof>
Do not ignore input EOF.
=item B<-status>
Enables certificate status request support (aka OCSP stapling).
@ -482,6 +530,10 @@ Any given query component is handled as part of the path component.
Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.
=item B<-ssl_config> I<val>
Configure SSL_CTX using the given configuration value.
=item B<-trace>
Show verbose trace output of protocol messages. OpenSSL needs to be compiled
@ -622,6 +674,14 @@ will be used.
Turns on non blocking I/O.
=item B<-timeout>
Enable timeouts.
=item B<-mtu>
Set link-layer MTU.
=item B<-psk_identity> I<val>
Expect the client to send PSK identity I<val> when using a PSK
@ -644,6 +704,16 @@ This option must be provided in order to use a PSK cipher.
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-srpvfile>
The verifier file for SRP.
This option is deprecated.
=item B<-srpuserseed>
A seed string for a default user salt.
This option is deprecated.
=item B<-listen>
This option can only be used in conjunction with one of the DTLS options above.
@ -669,6 +739,10 @@ older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.
=item B<-use_srtp>
Offer SRTP key management with a colon-separated profile list.
=item B<-no_dhe>
If this option is set then no DH parameters will be loaded effectively
@ -849,7 +923,8 @@ The -no_alt_chains option was added in OpenSSL 1.1.0.
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
The B<-engine> option was deprecated in OpenSSL 3.0.
The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
option were deprecated in OpenSSL 3.0.

+ 8
- 0
doc/man1/ View File

@ -81,6 +81,14 @@ C<openssl speed -cmac aes128>.
Time the decryption instead of encryption. Affects only the EVP testing.
=item B<-mb>
Enable multi-block mode on EVP-named cipher.
=item B<-aead>
Benchmark EVP-named AEAD cipher in TLS-like sequence.
=item B<-primes> I<num>
Generate a I<num>-prime RSA key and use it to run the benchmarks. This option

+ 25
- 1
doc/man1/ View File

@ -15,7 +15,6 @@ B<openssl srp>
[B<-name> I<section>]
[B<-config> I<file>]
[B<-srpvfile> I<file>]
[B<-gn> I<identifier>]
[B<-userinfo> I<text>]
@ -23,6 +22,7 @@ B<openssl srp>
[B<-passout> I<arg>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_config_synopsis -}
[I<user> ...]
@ -49,6 +49,26 @@ Display an option summary.
Generate verbose output while processing.
=item B<-add>
Add a user and SRP verifier.
=item B<-modify>
Modify the SRP verifier of an existing user.
=item B<-delete>
Delete user from verifier file.
=item B<-list>
List users.
=item B<-name>
The particular SRP definition to use.
=item B<-srpvfile> I<file>
If the config file is not specified,
@ -72,8 +92,12 @@ see L<openssl-passphrase-options(1)>.
{- $OpenSSL::safe::opt_engine_item -}
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
{- $OpenSSL::safe::opt_config_item -}
{- $OpenSSL::safe::opt_r_synopsis -}

+ 13
- 1
doc/man1/ View File

@ -106,11 +106,23 @@ requests either by ftp or e-mail.
Print out a usage message.
=item B<-query>
Generate a TS query. For details see L</Timestamp Request generation>.
=item B<-reply>
Generate a TS reply. For details see L</Timestamp Response generation>.
=item B<-verify>
Verify a TS response. For details see L</Timestamp Response verification>.
=head2 Timestamp Request generation
The B<-query> switch can be used for creating and printing a timestamp
The B<-query> command can be used for creating and printing a timestamp
request with the following options:
=over 4

+ 7
- 7
doc/man1/openssl.pod View File

@ -13,13 +13,13 @@ I<command>
B<-standard-commands> |
B<-digest-commands> |
B<-cipher-commands> |
B<-cipher-algorithms> |
B<-digest-algorithms> |
B<-mac-algorithms> |
B<standard-commands> |
B<digest-commands> |
B<cipher-commands> |
B<cipher-algorithms> |
B<digest-algorithms> |
B<mac-algorithms> |
B<openssl> B<no->I<XXX> [ I<options> ]

+ 7
- 6
doc/ View File

@ -58,14 +58,14 @@ $OpenSSL::safe::opt_v_item = ""
# Extended validation options.
$OpenSSL::safe::opt_x_synopsis = ""
. "[B<-xkey>] I<infile>\n"
. "[B<-xkey> I<infile>]\n"
. "[B<-xcert> I<file>]\n"
. "[B<-xchain>] I<file>\n"
. "[B<-xchain_build>] I<file>\n"
. "[B<-xchain> I<file>]\n"
. "[B<-xchain_build> I<file>]\n"
. "[B<-xcertform> B<DER>|B<PEM>]>\n"
. "[B<-xkeyform> B<DER>|B<PEM>]>";
$OpenSSL::safe::opt_x_item = ""
. "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
. "=item B<-xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
. "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n"
. "B<-xkeyform> B<DER>|B<PEM>\n"
. "\n"
@ -203,8 +203,9 @@ $OpenSSL::safe::opt_s_synopsis = ""
. "[B<-no_middlebox>]";
$OpenSSL::safe::opt_s_item = ""
. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
. "B<-client_renegotiation>, B<_immediate_renegotiation>\n"
. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
. "B<-client_renegotiation>, B<_immediate_renegotiation>,\n"
. "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
. "B<-immediate_renegotiation>, B<-no_resumption_on_reneg>,\n"
. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
. "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"