2 files changed, 28 insertions, 29 deletions
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.8 b/src/usr.sbin/ocspcheck/ocspcheck.8
index 6b131416aa..a2ca8d6694 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.8
+++ b/src/usr.sbin/ocspcheck/ocspcheck.8
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ocspcheck.8,v 1.2 2017/01/24 08:54:23 beck Exp $
+.\"     $OpenBSD: ocspcheck.8,v 1.3 2017/01/24 09:39:43 jmc Exp $
 .\"
 .\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 .\"
@@ -19,18 +19,18 @@
 .Os
 .Sh NAME
 .Nm ocspcheck
-.Nd Check a certificate for validity against its OSCP responder
+.Nd check a certificate for validity against its OSCP responder
 .Sh SYNOPSIS
 .Nm
-.Op Fl vN
+.Op Fl Nv
-.Op Fl o Ar staplefile
 .Op Fl C Ar CAfile
+.Op Fl o Ar staplefile
 .Ar file
 .Sh DESCRIPTION
 The
 .Nm
 utility validates a PEM format certificate against the OCSP responder
-encoded in the certificate that is specified by the
+encoded in the certificate specified by the
 .Ar file
 argument.
 Normally it should be used for checking server certificates
@@ -39,20 +39,12 @@ and maintaining saved OCSP responses to be used for OCSP stapling.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl C Ar CAfile
-Specify a PEM formatted root certificate bundle to use for the validation of
+Specify a PEM format root certificate bundle to use for the validation of
 requests.
 By default no certificates are used beyond those in the
 certificate chain provided by the
 .Ar file
 argument.
-.It Fl o Ar staplefile
-Specify an output filename where the DER encoded response from the
-OCSP server will be written, if the OCSP response validates.
-A filename
-of
-.Ar -
-will write the response to standard output. By default the response
-is not saved.
 .It Fl N
 Do not use a nonce value in the OCSP request, or validate that the
 nonce was returned in the OCSP response.
@@ -61,28 +53,35 @@ The use of this flag is a security risk as it will allow OCSP
 responses to be replayed.
 It should not be used unless the OCSP server does not support the
 use of OCSP nonces.
+.It Fl o Ar staplefile
+Specify an output filename where the DER encoded response from the
+OCSP server will be written, if the OCSP response validates.
+A filename
+of
+.Sq -
+will write the response to standard output.
+By default the response is not saved.
 .It Fl v
 Increase verbosity.
 This flag may be specified multiple times to get more verbose output.
 The default behaviour is to be silent unless something goes wrong.
+.El
 .Sh EXIT STATUS
+The
 .Nm
-exits 0 if the OCSP response validates for the
+utility exits 0 if the OCSP response validates for the certificate in
-certificate in
 .Ar file
-and all output is successfully written out.
+and all output is successfully written out,
-Otherwise
+and >0 if an error occurs.
-.Nm
-will exit >0.
 .Sh SEE ALSO
-.Xr httpd 8 ,
 .Xr nc 1 ,
-.Xr tls_config_set_ocsp_staple_mem 3 ,
 .Xr tls_config_set_ocsp_staple_file 3 ,
-.Sh BUGS
+.Xr tls_config_set_ocsp_staple_mem 3 ,
+.Xr httpd 8
+.Sh AUTHORS
 .Nm
-will create the output file if it does not exist.
+was written by
-On failure a newly created output file will not be removed.
+.An Bob Beck .
 .Sh CAVEATS
 While
 .Nm
@@ -91,7 +90,7 @@ certificates seen on client connections, this is almost always a bad
 idea.
 God kills a kitten every time you make an OCSP query from the
 client side of a TLS connection.
-.Sh AUTHORS
+.Sh BUGS
 .Nm
-was written by
+will create the output file if it does not exist.
-.An Bob Beck
+On failure a newly created output file will not be removed.
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index 77fc4e5939..c19ecf4f05 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -499,7 +499,7 @@ validate_response(char *buf, size_t size, ocsp_request *request,
 static void
 usage(void)
 {
-        errx(1, "Usage: %s [-N] [-v] [-o staplefile] certfile", getprogname());
+        errx(1, "usage: %s [-Nv] [-C CAfile] [-o staplefile] file", getprogname());
 }
 int

diff --git a/src/usr.sbin/ocspcheck/ocspcheck.8 b/src/usr.sbin/ocspcheck/ocspcheck.8 index 6b131416aa..a2ca8d6694 100644 --- a/src/usr.sbin/ocspcheck/ocspcheck.8 +++ b/src/usr.sbin/ocspcheck/ocspcheck.8
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ocspcheck.8,v 1.2 2017/01/24 08:54:23 beck Exp $	1	.\" $OpenBSD: ocspcheck.8,v 1.3 2017/01/24 09:39:43 jmc Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>	3	.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
4	.\"	4	.\"
@@ -19,18 +19,18 @@
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm ocspcheck	21	.Nm ocspcheck
22	.Nd Check a certificate for validity against its OSCP responder	22	.Nd check a certificate for validity against its OSCP responder
23	.Sh SYNOPSIS	23	.Sh SYNOPSIS
24	.Nm	24	.Nm
25	.Op Fl vN	25	.Op Fl Nv
26	.Op Fl o Ar staplefile
27	.Op Fl C Ar CAfile	26	.Op Fl C Ar CAfile
		27	.Op Fl o Ar staplefile
28	.Ar file	28	.Ar file
29	.Sh DESCRIPTION	29	.Sh DESCRIPTION
30	The	30	The
31	.Nm	31	.Nm
32	utility validates a PEM format certificate against the OCSP responder	32	utility validates a PEM format certificate against the OCSP responder
33	encoded in the certificate that is specified by the	33	encoded in the certificate specified by the
34	.Ar file	34	.Ar file
35	argument.	35	argument.
36	Normally it should be used for checking server certificates	36	Normally it should be used for checking server certificates
@@ -39,20 +39,12 @@ and maintaining saved OCSP responses to be used for OCSP stapling.
39	The options are as follows:	39	The options are as follows:
40	.Bl -tag -width Ds	40	.Bl -tag -width Ds
41	.It Fl C Ar CAfile	41	.It Fl C Ar CAfile
42	Specify a PEM formatted root certificate bundle to use for the validation of	42	Specify a PEM format root certificate bundle to use for the validation of
43	requests.	43	requests.
44	By default no certificates are used beyond those in the	44	By default no certificates are used beyond those in the
45	certificate chain provided by the	45	certificate chain provided by the
46	.Ar file	46	.Ar file
47	argument.	47	argument.
48	.It Fl o Ar staplefile
49	Specify an output filename where the DER encoded response from the
50	OCSP server will be written, if the OCSP response validates.
51	A filename
52	of
53	.Ar -
54	will write the response to standard output. By default the response
55	is not saved.
56	.It Fl N	48	.It Fl N
57	Do not use a nonce value in the OCSP request, or validate that the	49	Do not use a nonce value in the OCSP request, or validate that the
58	nonce was returned in the OCSP response.	50	nonce was returned in the OCSP response.
@@ -61,28 +53,35 @@ The use of this flag is a security risk as it will allow OCSP
61	responses to be replayed.	53	responses to be replayed.
62	It should not be used unless the OCSP server does not support the	54	It should not be used unless the OCSP server does not support the
63	use of OCSP nonces.	55	use of OCSP nonces.
		56	.It Fl o Ar staplefile
		57	Specify an output filename where the DER encoded response from the
		58	OCSP server will be written, if the OCSP response validates.
		59	A filename
		60	of
		61	.Sq -
		62	will write the response to standard output.
		63	By default the response is not saved.
64	.It Fl v	64	.It Fl v
65	Increase verbosity.	65	Increase verbosity.
66	This flag may be specified multiple times to get more verbose output.	66	This flag may be specified multiple times to get more verbose output.
67	The default behaviour is to be silent unless something goes wrong.	67	The default behaviour is to be silent unless something goes wrong.
		68	.El
68	.Sh EXIT STATUS	69	.Sh EXIT STATUS
		70	The
69	.Nm	71	.Nm
70	exits 0 if the OCSP response validates for the	72	utility exits 0 if the OCSP response validates for the certificate in
71	certificate in
72	.Ar file	73	.Ar file
73	and all output is successfully written out.	74	and all output is successfully written out,
74	Otherwise	75	and >0 if an error occurs.
75	.Nm
76	will exit >0.
77	.Sh SEE ALSO	76	.Sh SEE ALSO
78	.Xr httpd 8 ,
79	.Xr nc 1 ,	77	.Xr nc 1 ,
80	.Xr tls_config_set_ocsp_staple_mem 3 ,
81	.Xr tls_config_set_ocsp_staple_file 3 ,	78	.Xr tls_config_set_ocsp_staple_file 3 ,
82	.Sh BUGS	79	.Xr tls_config_set_ocsp_staple_mem 3 ,
		80	.Xr httpd 8
		81	.Sh AUTHORS
83	.Nm	82	.Nm
84	will create the output file if it does not exist.	83	was written by
85	On failure a newly created output file will not be removed.	84	.An Bob Beck .
86	.Sh CAVEATS	85	.Sh CAVEATS
87	While	86	While
88	.Nm	87	.Nm
@@ -91,7 +90,7 @@ certificates seen on client connections, this is almost always a bad
91	idea.	90	idea.
92	God kills a kitten every time you make an OCSP query from the	91	God kills a kitten every time you make an OCSP query from the
93	client side of a TLS connection.	92	client side of a TLS connection.
94	.Sh AUTHORS	93	.Sh BUGS
95	.Nm	94	.Nm
96	was written by	95	will create the output file if it does not exist.
97	.An Bob Beck	96	On failure a newly created output file will not be removed.


diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c index 77fc4e5939..c19ecf4f05 100644 --- a/src/usr.sbin/ocspcheck/ocspcheck.c +++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -499,7 +499,7 @@ validate_response(char buf, size_t size, ocsp_request request,
499	static void	499	static void
500	usage(void)	500	usage(void)
501	{	501	{
502	errx(1, "Usage: %s [-N] [-v] [-o staplefile] certfile", getprogname());	502	errx(1, "usage: %s [-Nv] [-C CAfile] [-o staplefile] file", getprogname());
503	}	503	}
504		504
505	int	505	int