author: Pauli <paul.dale@oracle.com> 2020-08-26 05:41:30 +0200
committer: Pauli <paul.dale@oracle.com> 2020-08-28 11:21:29 +0200
commit: 33855c0af6046c2b36d1c541b0962e534fa6f8d9 (patch)
tree: 32c2db416b5c06d8709eb5fb69b77e04ba81edb4 /doc
parent: provider_conf: report missing section on error (diff)
conf: add diagnostic option
Add an option to configuration files "config_diagnostics" that when set to a non-zero value, overrides the error ignoring flags. The outcome is that diagnostic option is produced when e.g. sections are missing.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man3/CONF_modules_load_file.pod | 3
-rw-r--r-- doc/man5/config.pod | 7
2 files changed, 9 insertions, 1 deletions
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod
index ba2c8b68b5..7e99bb9d5a 100644
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@@ -24,7 +24,8 @@ library context B<libctx> file B<filename> and application name B<appname>.
If B<filename> is NULL the standard OpenSSL configuration file is used.
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
used.
-The behaviour can be customized using B<flags>.
+The behaviour can be customized using B<flags>. Note that, the error suppressing
+can be overriden by B<config_diagnostics> as described in L<config(5)>.
CONF_modules_load_file() is the same as CONF_modules_load_file_with_libctx() but
has a NULL library context.
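Review bot: The added sentence misspells "overridden" as "overriden", and "Note that, the error suppressing" would read better as "Note that error suppression", without the comma. The sentence follows "customized using B<flags>" but does not say which of the flags count as error suppressing, so a reader cannot tell from here what B<config_diagnostics> will override; naming them or pointing to where they are listed on this page would close that gap.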
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 2618cef588..46d60f6ced 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -160,6 +160,12 @@ how to configure any modules in the library. It is not an error to leave
any module in its default configuration. An application can specify a
different name by calling CONF_modules_load_file(), for example, directly.
+OpenSSL also looks up the value of B<config_diagnostics>.
+If this exists and has a nonzero numeric value, any error suppressing flags
+passed to CONF_modules_load() will be ignored.
+This is useful for diagnosing misconfigurations and should not be used in
+production.
+
# This must be in the default section
openssl_conf = openssl_init
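Review bot: The new paragraph is inserted between the text about the application name and its example ("# This must be in the default section" / "openssl_conf = openssl_init"), so the example now reads as if it illustrates B<config_diagnostics>. Move the paragraph below the example, or extend the example with a config_diagnostics line. The paragraph also does not say which section the value is looked up in, and it names CONF_modules_load() while the man3 change in this commit documents the override on the CONF_modules_load_file() page; stating the section and keeping the function references consistent would help. Since the text says the option "should not be used in production", one sentence giving the reason would make that warning actionable for operators.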
@@ -482,6 +488,7 @@ L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
L<openssl-fipsinstall(1)>,
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
+L<CONF_modules_load(3)>,
L<CONF_modules_load_file(3)>,
L<fips_config(5)>, and
L<x509v3_config(5)>.