1 files changed, 22 insertions, 18 deletions
diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
index 8d674df686..a6929eacbd 100644
--- a/src/usr.sbin/openssl/openssl.1
+++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.61 2008/05/30 19:06:50 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.62 2008/11/03 14:49:23 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: May 30 2008 $
+.Dd $Mdocdate: November 3 2008 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -1878,6 +1878,7 @@ install user certificates and CAs in MSIE using the Xenroll control.
 .Op Fl c
 .Op Fl d
 .Op Fl hex
+.Op Fl hmac Ar key
 .Op Fl engine Ar id
 .Op Fl keyform Ar ENGINE | PEM
 .Op Fl out Ar file
@@ -1929,6 +1930,9 @@ Digest is to be output as a hex dump.
 This is the default case for a
 .Qq normal
 digest as opposed to a digital signature.
+.It Fl hmac Ar key
+Create a hashed MAC using
+.Ar key .
 .It Fl keyform Ar ENGINE | PEM
 Key file format.
 .It Fl out Ar file
@@ -3088,6 +3092,11 @@ This option can be used multiple times.
 The certificate specified in
 .Ar file
 must be in PEM format.
+This option
+.Em must
+come before any
+.Fl cert
+options.
 .It Fl no_cert_checks
 Don't perform any additional checks on the OCSP response signer's certificate.
 That is, do not make any checks to see if the signer's certificate is
@@ -3106,7 +3115,7 @@ certificates.
 Ignore certificates contained in the OCSP response
 when searching for the signer's certificate.
 With this option, the signer's certificate must be specified with either the
-.Fl verify_certs
+.Fl verify_other
 or
 .Fl VAfile
 options.
@@ -3190,7 +3199,7 @@ as the certificate.
 If neither option is specified, the OCSP request is not signed.
 .It Fl trust_other
 The certificates specified by the
-.Fl verify_certs
+.Fl verify_other
 option should be explicitly trusted and no additional checks will be
 performed on them.
 This is useful when the complete responder certificate chain is not available
@@ -3204,7 +3213,7 @@ URLs can be specified.
 .Ar file
 containing explicitly trusted responder certificates.
 Equivalent to the
-.Fl verify_certs
+.Fl verify_other
 and
 .Fl trust_other
 options.
@@ -5685,6 +5694,8 @@ We should really report information whenever a session is renegotiated.
 .Nm openssl s_server
 .Bk -words
 .Op Fl bugs
+.Op Fl crl_check
+.Op Fl crl_check_all
 .Op Fl crlf
 .Op Fl debug
 .Op Fl hack
@@ -5775,6 +5786,12 @@ section for more information.
 Sets the SSL context ID.
 It can be given any string value.
 If this option is not present, a default value will be used.
+.It Fl crl_check , crl_check_all
+Check the peer certificate has not been revoked by its CA.
+The CRLs are appended to the certificate file.
+With the
+.Fl crl_check_all
+option, all CRLs of all CAs in the chain are checked.
 .It Fl crlf
 This option translates a line feed from the terminal into CR+LF.
 .It Fl dcert Ar file , Fl dkey Ar file
@@ -8316,19 +8333,6 @@ certificates.
 .\" SEE ALSO
 .\"
 .Sh SEE ALSO
-.Xr blowfish 3 ,
-.Xr crypto 3 ,
-.Xr des_crypt 3 ,
-.Xr dsa 3 ,
-.Xr ERR_error_string_n 3 ,
-.Xr HMAC 3 ,
-.Xr md4 3 ,
-.Xr md5 3 ,
-.Xr RAND_egd 3 ,
-.Xr rsa 3 ,
-.Xr sha1 3 ,
-.Xr ssl 3 ,
-.Xr des_modes 7 ,
 .Xr httpd 8 ,
 .Xr sendmail 8 ,
 .Xr ssl 8 ,

diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index 8d674df686..a6929eacbd 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.61 2008/05/30 19:06:50 jmc Exp $	1	.\" $OpenBSD: openssl.1,v 1.62 2008/11/03 14:49:23 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: May 30 2008 $	115	.Dd $Mdocdate: November 3 2008 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -1878,6 +1878,7 @@ install user certificates and CAs in MSIE using the Xenroll control.
1878	.Op Fl c	1878	.Op Fl c
1879	.Op Fl d	1879	.Op Fl d
1880	.Op Fl hex	1880	.Op Fl hex
		1881	.Op Fl hmac Ar key
1881	.Op Fl engine Ar id	1882	.Op Fl engine Ar id
1882	.Op Fl keyform Ar ENGINE \| PEM	1883	.Op Fl keyform Ar ENGINE \| PEM
1883	.Op Fl out Ar file	1884	.Op Fl out Ar file
@@ -1929,6 +1930,9 @@ Digest is to be output as a hex dump.
1929	This is the default case for a	1930	This is the default case for a
1930	.Qq normal	1931	.Qq normal
1931	digest as opposed to a digital signature.	1932	digest as opposed to a digital signature.
		1933	.It Fl hmac Ar key
		1934	Create a hashed MAC using
		1935	.Ar key .
1932	.It Fl keyform Ar ENGINE \| PEM	1936	.It Fl keyform Ar ENGINE \| PEM
1933	Key file format.	1937	Key file format.
1934	.It Fl out Ar file	1938	.It Fl out Ar file
@@ -3088,6 +3092,11 @@ This option can be used multiple times.
3088	The certificate specified in	3092	The certificate specified in
3089	.Ar file	3093	.Ar file
3090	must be in PEM format.	3094	must be in PEM format.
		3095	This option
		3096	.Em must
		3097	come before any
		3098	.Fl cert
		3099	options.
3091	.It Fl no_cert_checks	3100	.It Fl no_cert_checks
3092	Don't perform any additional checks on the OCSP response signer's certificate.	3101	Don't perform any additional checks on the OCSP response signer's certificate.
3093	That is, do not make any checks to see if the signer's certificate is	3102	That is, do not make any checks to see if the signer's certificate is
@@ -3106,7 +3115,7 @@ certificates.
3106	Ignore certificates contained in the OCSP response	3115	Ignore certificates contained in the OCSP response
3107	when searching for the signer's certificate.	3116	when searching for the signer's certificate.
3108	With this option, the signer's certificate must be specified with either the	3117	With this option, the signer's certificate must be specified with either the
3109	.Fl verify_certs	3118	.Fl verify_other
3110	or	3119	or
3111	.Fl VAfile	3120	.Fl VAfile
3112	options.	3121	options.
@@ -3190,7 +3199,7 @@ as the certificate.
3190	If neither option is specified, the OCSP request is not signed.	3199	If neither option is specified, the OCSP request is not signed.
3191	.It Fl trust_other	3200	.It Fl trust_other
3192	The certificates specified by the	3201	The certificates specified by the
3193	.Fl verify_certs	3202	.Fl verify_other
3194	option should be explicitly trusted and no additional checks will be	3203	option should be explicitly trusted and no additional checks will be
3195	performed on them.	3204	performed on them.
3196	This is useful when the complete responder certificate chain is not available	3205	This is useful when the complete responder certificate chain is not available
@@ -3204,7 +3213,7 @@ URLs can be specified.
3204	.Ar file	3213	.Ar file
3205	containing explicitly trusted responder certificates.	3214	containing explicitly trusted responder certificates.
3206	Equivalent to the	3215	Equivalent to the
3207	.Fl verify_certs	3216	.Fl verify_other
3208	and	3217	and
3209	.Fl trust_other	3218	.Fl trust_other
3210	options.	3219	options.
@@ -5685,6 +5694,8 @@ We should really report information whenever a session is renegotiated.
5685	.Nm openssl s_server	5694	.Nm openssl s_server
5686	.Bk -words	5695	.Bk -words
5687	.Op Fl bugs	5696	.Op Fl bugs
		5697	.Op Fl crl_check
		5698	.Op Fl crl_check_all
5688	.Op Fl crlf	5699	.Op Fl crlf
5689	.Op Fl debug	5700	.Op Fl debug
5690	.Op Fl hack	5701	.Op Fl hack
@@ -5775,6 +5786,12 @@ section for more information.
5775	Sets the SSL context ID.	5786	Sets the SSL context ID.
5776	It can be given any string value.	5787	It can be given any string value.
5777	If this option is not present, a default value will be used.	5788	If this option is not present, a default value will be used.
		5789	.It Fl crl_check , crl_check_all
		5790	Check the peer certificate has not been revoked by its CA.
		5791	The CRLs are appended to the certificate file.
		5792	With the
		5793	.Fl crl_check_all
		5794	option, all CRLs of all CAs in the chain are checked.
5778	.It Fl crlf	5795	.It Fl crlf
5779	This option translates a line feed from the terminal into CR+LF.	5796	This option translates a line feed from the terminal into CR+LF.
5780	.It Fl dcert Ar file , Fl dkey Ar file	5797	.It Fl dcert Ar file , Fl dkey Ar file
@@ -8316,19 +8333,6 @@ certificates.
8316	.\" SEE ALSO	8333	.\" SEE ALSO
8317	.\"	8334	.\"
8318	.Sh SEE ALSO	8335	.Sh SEE ALSO
8319	.Xr blowfish 3 ,
8320	.Xr crypto 3 ,
8321	.Xr des_crypt 3 ,
8322	.Xr dsa 3 ,
8323	.Xr ERR_error_string_n 3 ,
8324	.Xr HMAC 3 ,
8325	.Xr md4 3 ,
8326	.Xr md5 3 ,
8327	.Xr RAND_egd 3 ,
8328	.Xr rsa 3 ,
8329	.Xr sha1 3 ,
8330	.Xr ssl 3 ,
8331	.Xr des_modes 7 ,
8332	.Xr httpd 8 ,	8336	.Xr httpd 8 ,
8333	.Xr sendmail 8 ,	8337	.Xr sendmail 8 ,
8334	.Xr ssl 8 ,	8338	.Xr ssl 8 ,