From 51e00db226cab1d69d464e03996a554afbce800a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Mon, 19 May 2008 07:52:15 +0000 Subject: [PATCH] Document "openssl s_server" -crl_check* options Submitted by: Daniel Black --- apps/s_server.c | 5 +++++ doc/apps/s_server.pod | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/apps/s_server.c b/apps/s_server.c index 5cc7d15af7..a7a728c268 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -408,6 +408,11 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); + BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ + " The CRL(s) are appended to the certificate file\n"); + BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ + " or any other CRL in the CA chain. CRL(s) are appened to the\n" \ + " the certificate file.\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n"); BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index b586874645..7f159a39ed 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -12,6 +12,8 @@ B B [B<-context id>] [B<-verify depth>] [B<-Verify depth>] +[B<-crl_check>] +[B<-crl_check_all>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key keyfile>] @@ -142,6 +144,12 @@ the client. With the B<-verify> option a certificate is requested but the client does not have to send one, with the B<-Verify> option the client must supply a certificate or an error occurs. +=item B<-crl_check>, B<-crl_check_all> + +Check the peer certificate has not been revoked by its CA. +The CRL(s) are appended to the certificate file. With the B<-crl_check_all> +option all CRLs of all CAs in the chain are checked. + =item B<-CApath directory> The directory to use for client certificate verification. This directory