diff options
author | Pauli <paul.dale@oracle.com> | 2020-08-26 05:41:30 +0200 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-08-28 11:21:29 +0200 |
commit | 33855c0af6046c2b36d1c541b0962e534fa6f8d9 (patch) | |
tree | 32c2db416b5c06d8709eb5fb69b77e04ba81edb4 /doc | |
parent | provider_conf: report missing section on error (diff) | |
download | openssl-33855c0af6046c2b36d1c541b0962e534fa6f8d9.tar.xz openssl-33855c0af6046c2b36d1c541b0962e534fa6f8d9.zip |
conf: add diagnostic option
Add an option to configuration files "config_diagnostics" that when set to a
non-zero value, overrides the error ignoring flags. The outcome is that
diagnostic option is produced when e.g. sections are missing.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/CONF_modules_load_file.pod | 3 | ||||
-rw-r--r-- | doc/man5/config.pod | 7 |
2 files changed, 9 insertions, 1 deletions
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod index ba2c8b68b5..7e99bb9d5a 100644 --- a/doc/man3/CONF_modules_load_file.pod +++ b/doc/man3/CONF_modules_load_file.pod @@ -24,7 +24,8 @@ library context B<libctx> file B<filename> and application name B<appname>. If B<filename> is NULL the standard OpenSSL configuration file is used. If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is used. -The behaviour can be customized using B<flags>. +The behaviour can be customized using B<flags>. Note that, the error suppressing +can be overriden by B<config_diagnostics> as described in L<config(5)>. CONF_modules_load_file() is the same as CONF_modules_load_file_with_libctx() but has a NULL library context. diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 2618cef588..46d60f6ced 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -160,6 +160,12 @@ how to configure any modules in the library. It is not an error to leave any module in its default configuration. An application can specify a different name by calling CONF_modules_load_file(), for example, directly. +OpenSSL also looks up the value of B<config_diagnostics>. +If this exists and has a nonzero numeric value, any error suppressing flags +passed to CONF_modules_load() will be ignored. +This is useful for diagnosing misconfigurations and should not be used in +production. + # This must be in the default section openssl_conf = openssl_init @@ -482,6 +488,7 @@ L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>, L<openssl-fipsinstall(1)>, L<ASN1_generate_nconf(3)>, L<EVP_set_default_properties(3)>, +L<CONF_modules_load(3)>, L<CONF_modules_load_file(3)>, L<fips_config(5)>, and L<x509v3_config(5)>. |