Commit 8d419330 authored by Rich Salz's avatar Rich Salz
Browse files

RT3102: Document -verify_error_return flag 



Also moved some options around so all the "verify" options.
are clumped together.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent f47e2039

doc/apps/s_server.pod

+18 −11
Original line number Diff line number Diff line
@@ -53,6 +53,7 @@ B<openssl> B<s_server> 
[B<-trusted_first>]

[B<-use_deltas>]

[B<-verify_depth num>]

[B<-verify_return_error>]

[B<-verify_email email>]

[B<-verify_hostname hostname>]

[B<-verify_ip ip>]
@@ -185,17 +186,6 @@ disabling the ephemeral ECDH cipher suites. 
certain export cipher suites sometimes use a temporary RSA key, this option

disables temporary RSA key generation.



=item B<-verify depth>, B<-Verify depth>



The verify depth to use. This specifies the maximum length of the

client certificate chain and makes the server request a certificate from

the client. With the B<-verify> option a certificate is requested but the

client does not have to send one, with the B<-Verify> option the client

must supply a certificate or an error occurs.



If the ciphersuite cannot request a client certificate (for example an

anonymous ciphersuite or PSK) this option has no effect.



=item B<-crl_check>, B<-crl_check_all>



Check the peer certificate has not been revoked by its CA.
@@ -215,6 +205,17 @@ and to use when attempting to build the server certificate chain. The list 
is also used in the list of acceptable client CAs passed to the client when

a certificate is requested.



=item B<-verify depth>, B<-Verify depth>



The verify depth to use. This specifies the maximum length of the

client certificate chain and makes the server request a certificate from

the client. With the B<-verify> option a certificate is requested but the

client does not have to send one, with the B<-Verify> option the client

must supply a certificate or an error occurs.



If the ciphersuite cannot request a client certificate (for example an

anonymous ciphersuite or PSK) this option has no effect.



=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,

B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,

B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
@@ -225,6 +226,12 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict> 
Set different peer certificate verification options.

See the L<B<verify>|verify(1)> manual page for details.



=item B<-verify_return_error>



Verification errors normally just print a message but allow the

connection to continue, for debugging purposes.

If this option is used, then verification errors close the connection.



=item B<-state>



prints out the SSL session states.