1 | =pod
|
---|
2 |
|
---|
3 | =head1 NAME
|
---|
4 |
|
---|
5 | config - OpenSSL CONF library configuration files
|
---|
6 |
|
---|
7 | =head1 DESCRIPTION
|
---|
8 |
|
---|
9 | The OpenSSL CONF library can be used to read configuration files.
|
---|
10 | It is used for the OpenSSL master configuration file B<openssl.cnf>
|
---|
11 | and in a few other places like B<SPKAC> files and certificate extension
|
---|
12 | files for the B<x509> utility. OpenSSL applications can also use the
|
---|
13 | CONF library for their own purposes.
|
---|
14 |
|
---|
15 | A configuration file is divided into a number of sections. Each section
|
---|
16 | starts with a line B<[ section_name ]> and ends when a new section is
|
---|
17 | started or end of file is reached. A section name can consist of
|
---|
18 | alphanumeric characters and underscores.
|
---|
19 |
|
---|
20 | The first section of a configuration file is special and is referred
|
---|
21 | to as the B<default> section. This section is usually unnamed and spans from the
|
---|
22 | start of file until the first named section. When a name is being looked up
|
---|
23 | it is first looked up in a named section (if any) and then the
|
---|
24 | default section.
|
---|
25 |
|
---|
26 | The environment is mapped onto a section called B<ENV>.
|
---|
27 |
|
---|
28 | Comments can be included by preceding them with the B<#> character
|
---|
29 |
|
---|
30 | Other files can be included using the B<.include> directive followed
|
---|
31 | by a path. If the path points to a directory all files with
|
---|
32 | names ending with B<.cnf> or B<.conf> are included from the directory.
|
---|
33 | Recursive inclusion of directories from files in such directory is not
|
---|
34 | supported. That means the files in the included directory can also contain
|
---|
35 | B<.include> directives but only inclusion of regular files is supported
|
---|
36 | there. The inclusion of directories is not supported on systems without
|
---|
37 | POSIX IO support.
|
---|
38 |
|
---|
39 | It is strongly recommended to use absolute paths with the B<.include>
|
---|
40 | directive. Relative paths are evaluated based on the application current
|
---|
41 | working directory so unless the configuration file containing the
|
---|
42 | B<.include> directive is application specific the inclusion will not
|
---|
43 | work as expected.
|
---|
44 |
|
---|
45 | There can be optional B<=> character and whitespace characters between
|
---|
46 | B<.include> directive and the path which can be useful in cases the
|
---|
47 | configuration file needs to be loaded by old OpenSSL versions which do
|
---|
48 | not support the B<.include> syntax. They would bail out with error
|
---|
49 | if the B<=> character is not present but with it they just ignore
|
---|
50 | the include.
|
---|
51 |
|
---|
52 | Each section in a configuration file consists of a number of name and
|
---|
53 | value pairs of the form B<name=value>
|
---|
54 |
|
---|
55 | The B<name> string can contain any alphanumeric characters as well as
|
---|
56 | a few punctuation symbols such as B<.> B<,> B<;> and B<_>.
|
---|
57 |
|
---|
58 | The B<value> string consists of the string following the B<=> character
|
---|
59 | until end of line with any leading and trailing white space removed.
|
---|
60 |
|
---|
61 | The value string undergoes variable expansion. This can be done by
|
---|
62 | including the form B<$var> or B<${var}>: this will substitute the value
|
---|
63 | of the named variable in the current section. It is also possible to
|
---|
64 | substitute a value from another section using the syntax B<$section::name>
|
---|
65 | or B<${section::name}>. By using the form B<$ENV::name> environment
|
---|
66 | variables can be substituted. It is also possible to assign values to
|
---|
67 | environment variables by using the name B<ENV::name>, this will work
|
---|
68 | if the program looks up environment variables using the B<CONF> library
|
---|
69 | instead of calling getenv() directly. The value string must not exceed 64k in
|
---|
70 | length after variable expansion. Otherwise an error will occur.
|
---|
71 |
|
---|
72 | It is possible to escape certain characters by using any kind of quote
|
---|
73 | or the B<\> character. By making the last character of a line a B<\>
|
---|
74 | a B<value> string can be spread across multiple lines. In addition
|
---|
75 | the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
|
---|
76 |
|
---|
77 | All expansion and escape rules as described above that apply to B<value>
|
---|
78 | also apply to the path of the B<.include> directive.
|
---|
79 |
|
---|
80 | =head1 OPENSSL LIBRARY CONFIGURATION
|
---|
81 |
|
---|
82 | Applications can automatically configure certain
|
---|
83 | aspects of OpenSSL using the master OpenSSL configuration file, or optionally
|
---|
84 | an alternative configuration file. The B<openssl> utility includes this
|
---|
85 | functionality: any sub command uses the master OpenSSL configuration file
|
---|
86 | unless an option is used in the sub command to use an alternative configuration
|
---|
87 | file.
|
---|
88 |
|
---|
89 | To enable library configuration the default section needs to contain an
|
---|
90 | appropriate line which points to the main configuration section. The default
|
---|
91 | name is B<openssl_conf> which is used by the B<openssl> utility. Other
|
---|
92 | applications may use an alternative name such as B<myapplication_conf>.
|
---|
93 | All library configuration lines appear in the default section at the start
|
---|
94 | of the configuration file.
|
---|
95 |
|
---|
96 | The configuration section should consist of a set of name value pairs which
|
---|
97 | contain specific module configuration information. The B<name> represents
|
---|
98 | the name of the I<configuration module>. The meaning of the B<value> is
|
---|
99 | module specific: it may, for example, represent a further configuration
|
---|
100 | section containing configuration module specific information. E.g.:
|
---|
101 |
|
---|
102 | # This must be in the default section
|
---|
103 | openssl_conf = openssl_init
|
---|
104 |
|
---|
105 | [openssl_init]
|
---|
106 |
|
---|
107 | oid_section = new_oids
|
---|
108 | engines = engine_section
|
---|
109 |
|
---|
110 | [new_oids]
|
---|
111 |
|
---|
112 | ... new oids here ...
|
---|
113 |
|
---|
114 | [engine_section]
|
---|
115 |
|
---|
116 | ... engine stuff here ...
|
---|
117 |
|
---|
118 | The features of each configuration module are described below.
|
---|
119 |
|
---|
120 | =head2 ASN1 Object Configuration Module
|
---|
121 |
|
---|
122 | This module has the name B<oid_section>. The value of this variable points
|
---|
123 | to a section containing name value pairs of OIDs: the name is the OID short
|
---|
124 | and long name, the value is the numerical form of the OID. Although some of
|
---|
125 | the B<openssl> utility sub commands already have their own ASN1 OBJECT section
|
---|
126 | functionality not all do. By using the ASN1 OBJECT configuration module
|
---|
127 | B<all> the B<openssl> utility sub commands can see the new objects as well
|
---|
128 | as any compliant applications. For example:
|
---|
129 |
|
---|
130 | [new_oids]
|
---|
131 |
|
---|
132 | some_new_oid = 1.2.3.4
|
---|
133 | some_other_oid = 1.2.3.5
|
---|
134 |
|
---|
135 | It is also possible to set the value to the long name followed
|
---|
136 | by a comma and the numerical OID form. For example:
|
---|
137 |
|
---|
138 | shortName = some object long name, 1.2.3.4
|
---|
139 |
|
---|
140 | =head2 Engine Configuration Module
|
---|
141 |
|
---|
142 | This ENGINE configuration module has the name B<engines>. The value of this
|
---|
143 | variable points to a section containing further ENGINE configuration
|
---|
144 | information.
|
---|
145 |
|
---|
146 | The section pointed to by B<engines> is a table of engine names (though see
|
---|
147 | B<engine_id> below) and further sections containing configuration information
|
---|
148 | specific to each ENGINE.
|
---|
149 |
|
---|
150 | Each ENGINE specific section is used to set default algorithms, load
|
---|
151 | dynamic, perform initialization and send ctrls. The actual operation performed
|
---|
152 | depends on the I<command> name which is the name of the name value pair. The
|
---|
153 | currently supported commands are listed below.
|
---|
154 |
|
---|
155 | For example:
|
---|
156 |
|
---|
157 | [engine_section]
|
---|
158 |
|
---|
159 | # Configure ENGINE named "foo"
|
---|
160 | foo = foo_section
|
---|
161 | # Configure ENGINE named "bar"
|
---|
162 | bar = bar_section
|
---|
163 |
|
---|
164 | [foo_section]
|
---|
165 | ... foo ENGINE specific commands ...
|
---|
166 |
|
---|
167 | [bar_section]
|
---|
168 | ... "bar" ENGINE specific commands ...
|
---|
169 |
|
---|
170 | The command B<engine_id> is used to give the ENGINE name. If used this
|
---|
171 | command must be first. For example:
|
---|
172 |
|
---|
173 | [engine_section]
|
---|
174 | # This would normally handle an ENGINE named "foo"
|
---|
175 | foo = foo_section
|
---|
176 |
|
---|
177 | [foo_section]
|
---|
178 | # Override default name and use "myfoo" instead.
|
---|
179 | engine_id = myfoo
|
---|
180 |
|
---|
181 | The command B<dynamic_path> loads and adds an ENGINE from the given path. It
|
---|
182 | is equivalent to sending the ctrls B<SO_PATH> with the path argument followed
|
---|
183 | by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is
|
---|
184 | not the required behaviour then alternative ctrls can be sent directly
|
---|
185 | to the dynamic ENGINE using ctrl commands.
|
---|
186 |
|
---|
187 | The command B<init> determines whether to initialize the ENGINE. If the value
|
---|
188 | is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to
|
---|
189 | initialized the ENGINE immediately. If the B<init> command is not present
|
---|
190 | then an attempt will be made to initialize the ENGINE after all commands in
|
---|
191 | its section have been processed.
|
---|
192 |
|
---|
193 | The command B<default_algorithms> sets the default algorithms an ENGINE will
|
---|
194 | supply using the functions ENGINE_set_default_string().
|
---|
195 |
|
---|
196 | If the name matches none of the above command names it is assumed to be a
|
---|
197 | ctrl command which is sent to the ENGINE. The value of the command is the
|
---|
198 | argument to the ctrl command. If the value is the string B<EMPTY> then no
|
---|
199 | value is sent to the command.
|
---|
200 |
|
---|
201 | For example:
|
---|
202 |
|
---|
203 |
|
---|
204 | [engine_section]
|
---|
205 |
|
---|
206 | # Configure ENGINE named "foo"
|
---|
207 | foo = foo_section
|
---|
208 |
|
---|
209 | [foo_section]
|
---|
210 | # Load engine from DSO
|
---|
211 | dynamic_path = /some/path/fooengine.so
|
---|
212 | # A foo specific ctrl.
|
---|
213 | some_ctrl = some_value
|
---|
214 | # Another ctrl that doesn't take a value.
|
---|
215 | other_ctrl = EMPTY
|
---|
216 | # Supply all default algorithms
|
---|
217 | default_algorithms = ALL
|
---|
218 |
|
---|
219 | =head2 EVP Configuration Module
|
---|
220 |
|
---|
221 | This modules has the name B<alg_section> which points to a section containing
|
---|
222 | algorithm commands.
|
---|
223 |
|
---|
224 | Currently the only algorithm command supported is B<fips_mode> whose
|
---|
225 | value can only be the boolean string B<off>. If B<fips_mode> is set to B<on>,
|
---|
226 | an error occurs as this library version is not FIPS capable.
|
---|
227 |
|
---|
228 | =head2 SSL Configuration Module
|
---|
229 |
|
---|
230 | This module has the name B<ssl_conf> which points to a section containing
|
---|
231 | SSL configurations.
|
---|
232 |
|
---|
233 | Each line in the SSL configuration section contains the name of the
|
---|
234 | configuration and the section containing it.
|
---|
235 |
|
---|
236 | Each configuration section consists of command value pairs for B<SSL_CONF>.
|
---|
237 | Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls
|
---|
238 | SSL_CTX_config() or SSL_config() with the appropriate configuration name.
|
---|
239 |
|
---|
240 | Note: any characters before an initial dot in the configuration section are
|
---|
241 | ignored so the same command can be used multiple times.
|
---|
242 |
|
---|
243 | For example:
|
---|
244 |
|
---|
245 | ssl_conf = ssl_sect
|
---|
246 |
|
---|
247 | [ssl_sect]
|
---|
248 |
|
---|
249 | server = server_section
|
---|
250 |
|
---|
251 | [server_section]
|
---|
252 |
|
---|
253 | RSA.Certificate = server-rsa.pem
|
---|
254 | ECDSA.Certificate = server-ecdsa.pem
|
---|
255 | Ciphers = ALL:!RC4
|
---|
256 |
|
---|
257 | The system default configuration with name B<system_default> if present will
|
---|
258 | be applied during any creation of the B<SSL_CTX> structure.
|
---|
259 |
|
---|
260 | Example of a configuration with the system default:
|
---|
261 |
|
---|
262 | ssl_conf = ssl_sect
|
---|
263 |
|
---|
264 | [ssl_sect]
|
---|
265 | system_default = system_default_sect
|
---|
266 |
|
---|
267 | [system_default_sect]
|
---|
268 | MinProtocol = TLSv1.2
|
---|
269 | MinProtocol = DTLSv1.2
|
---|
270 |
|
---|
271 | =head1 NOTES
|
---|
272 |
|
---|
273 | If a configuration file attempts to expand a variable that doesn't exist
|
---|
274 | then an error is flagged and the file will not load. This can happen
|
---|
275 | if an attempt is made to expand an environment variable that doesn't
|
---|
276 | exist. For example in a previous version of OpenSSL the default OpenSSL
|
---|
277 | master configuration file used the value of B<HOME> which may not be
|
---|
278 | defined on non Unix systems and would cause an error.
|
---|
279 |
|
---|
280 | This can be worked around by including a B<default> section to provide
|
---|
281 | a default value: then if the environment lookup fails the default value
|
---|
282 | will be used instead. For this to work properly the default value must
|
---|
283 | be defined earlier in the configuration file than the expansion. See
|
---|
284 | the B<EXAMPLES> section for an example of how to do this.
|
---|
285 |
|
---|
286 | If the same variable exists in the same section then all but the last
|
---|
287 | value will be silently ignored. In certain circumstances such as with
|
---|
288 | DNs the same field may occur multiple times. This is usually worked
|
---|
289 | around by ignoring any characters before an initial B<.> e.g.
|
---|
290 |
|
---|
291 | 1.OU="My first OU"
|
---|
292 | 2.OU="My Second OU"
|
---|
293 |
|
---|
294 | =head1 EXAMPLES
|
---|
295 |
|
---|
296 | Here is a sample configuration file using some of the features
|
---|
297 | mentioned above.
|
---|
298 |
|
---|
299 | # This is the default section.
|
---|
300 |
|
---|
301 | HOME=/temp
|
---|
302 | RANDFILE= ${ENV::HOME}/.rnd
|
---|
303 | configdir=$ENV::HOME/config
|
---|
304 |
|
---|
305 | [ section_one ]
|
---|
306 |
|
---|
307 | # We are now in section one.
|
---|
308 |
|
---|
309 | # Quotes permit leading and trailing whitespace
|
---|
310 | any = " any variable name "
|
---|
311 |
|
---|
312 | other = A string that can \
|
---|
313 | cover several lines \
|
---|
314 | by including \\ characters
|
---|
315 |
|
---|
316 | message = Hello World\n
|
---|
317 |
|
---|
318 | [ section_two ]
|
---|
319 |
|
---|
320 | greeting = $section_one::message
|
---|
321 |
|
---|
322 | This next example shows how to expand environment variables safely.
|
---|
323 |
|
---|
324 | Suppose you want a variable called B<tmpfile> to refer to a
|
---|
325 | temporary filename. The directory it is placed in can determined by
|
---|
326 | the B<TEMP> or B<TMP> environment variables but they may not be
|
---|
327 | set to any value at all. If you just include the environment variable
|
---|
328 | names and the variable doesn't exist then this will cause an error when
|
---|
329 | an attempt is made to load the configuration file. By making use of the
|
---|
330 | default section both values can be looked up with B<TEMP> taking
|
---|
331 | priority and B</tmp> used if neither is defined:
|
---|
332 |
|
---|
333 | TMP=/tmp
|
---|
334 | # The above value is used if TMP isn't in the environment
|
---|
335 | TEMP=$ENV::TMP
|
---|
336 | # The above value is used if TEMP isn't in the environment
|
---|
337 | tmpfile=${ENV::TEMP}/tmp.filename
|
---|
338 |
|
---|
339 | Simple OpenSSL library configuration example to enter FIPS mode:
|
---|
340 |
|
---|
341 | # Default appname: should match "appname" parameter (if any)
|
---|
342 | # supplied to CONF_modules_load_file et al.
|
---|
343 | openssl_conf = openssl_conf_section
|
---|
344 |
|
---|
345 | [openssl_conf_section]
|
---|
346 | # Configuration module list
|
---|
347 | alg_section = evp_sect
|
---|
348 |
|
---|
349 | [evp_sect]
|
---|
350 | # Set to "yes" to enter FIPS mode if supported
|
---|
351 | fips_mode = yes
|
---|
352 |
|
---|
353 | Note: in the above example you will get an error in non FIPS capable versions
|
---|
354 | of OpenSSL.
|
---|
355 |
|
---|
356 | Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the
|
---|
357 | system-default minimum TLS and DTLS versions, respectively:
|
---|
358 |
|
---|
359 | # Toplevel section for openssl (including libssl)
|
---|
360 | openssl_conf = default_conf_section
|
---|
361 |
|
---|
362 | [default_conf_section]
|
---|
363 | # We only specify configuration for the "ssl module"
|
---|
364 | ssl_conf = ssl_section
|
---|
365 |
|
---|
366 | [ssl_section]
|
---|
367 | system_default = system_default_section
|
---|
368 |
|
---|
369 | [system_default_section]
|
---|
370 | MinProtocol = TLSv1.2
|
---|
371 | MinProtocol = DTLSv1.2
|
---|
372 |
|
---|
373 | The minimum TLS protocol is applied to B<SSL_CTX> objects that are TLS-based,
|
---|
374 | and the minimum DTLS protocol to those are DTLS-based.
|
---|
375 | The same applies also to maximum versions set with B<MaxProtocol>.
|
---|
376 |
|
---|
377 | More complex OpenSSL library configuration. Add OID and don't enter FIPS mode:
|
---|
378 |
|
---|
379 | # Default appname: should match "appname" parameter (if any)
|
---|
380 | # supplied to CONF_modules_load_file et al.
|
---|
381 | openssl_conf = openssl_conf_section
|
---|
382 |
|
---|
383 | [openssl_conf_section]
|
---|
384 | # Configuration module list
|
---|
385 | alg_section = evp_sect
|
---|
386 | oid_section = new_oids
|
---|
387 |
|
---|
388 | [evp_sect]
|
---|
389 | # This will have no effect as FIPS mode is off by default.
|
---|
390 | # Set to "yes" to enter FIPS mode, if supported
|
---|
391 | fips_mode = no
|
---|
392 |
|
---|
393 | [new_oids]
|
---|
394 | # New OID, just short name
|
---|
395 | newoid1 = 1.2.3.4.1
|
---|
396 | # New OID shortname and long name
|
---|
397 | newoid2 = New OID 2 long name, 1.2.3.4.2
|
---|
398 |
|
---|
399 | The above examples can be used with any application supporting library
|
---|
400 | configuration if "openssl_conf" is modified to match the appropriate "appname".
|
---|
401 |
|
---|
402 | For example if the second sample file above is saved to "example.cnf" then
|
---|
403 | the command line:
|
---|
404 |
|
---|
405 | OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
|
---|
406 |
|
---|
407 | will output:
|
---|
408 |
|
---|
409 | 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
|
---|
410 |
|
---|
411 | showing that the OID "newoid1" has been added as "1.2.3.4.1".
|
---|
412 |
|
---|
413 | =head1 ENVIRONMENT
|
---|
414 |
|
---|
415 | =over 4
|
---|
416 |
|
---|
417 | =item B<OPENSSL_CONF>
|
---|
418 |
|
---|
419 | The path to the config file.
|
---|
420 | Ignored in set-user-ID and set-group-ID programs.
|
---|
421 |
|
---|
422 | =item B<OPENSSL_ENGINES>
|
---|
423 |
|
---|
424 | The path to the engines directory.
|
---|
425 | Ignored in set-user-ID and set-group-ID programs.
|
---|
426 |
|
---|
427 | =back
|
---|
428 |
|
---|
429 | =head1 BUGS
|
---|
430 |
|
---|
431 | Currently there is no way to include characters using the octal B<\nnn>
|
---|
432 | form. Strings are all null terminated so nulls cannot form part of
|
---|
433 | the value.
|
---|
434 |
|
---|
435 | The escaping isn't quite right: if you want to use sequences like B<\n>
|
---|
436 | you can't use any quote escaping on the same line.
|
---|
437 |
|
---|
438 | Files are loaded in a single pass. This means that a variable expansion
|
---|
439 | will only work if the variables referenced are defined earlier in the
|
---|
440 | file.
|
---|
441 |
|
---|
442 | =head1 SEE ALSO
|
---|
443 |
|
---|
444 | L<x509(1)>, L<req(1)>, L<ca(1)>
|
---|
445 |
|
---|
446 | =head1 COPYRIGHT
|
---|
447 |
|
---|
448 | Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
---|
449 |
|
---|
450 | Licensed under the OpenSSL license (the "License"). You may not use
|
---|
451 | this file except in compliance with the License. You can obtain a copy
|
---|
452 | in the file LICENSE in the source distribution or at
|
---|
453 | L<https://www.openssl.org/source/license.html>.
|
---|
454 |
|
---|
455 | =cut
|
---|