mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
6bd4e3f231
Add a -provider option to allow providers to be loaded. This option can be specified multiple times. Add a -provider_path option to allow the path to providers to be specified. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11167)
151 lines
3.8 KiB
Plaintext
151 lines
3.8 KiB
Plaintext
=pod
|
|
{- OpenSSL::safe::output_do_not_edit_headers(); -}
|
|
|
|
=head1 NAME
|
|
|
|
openssl-dhparam - DH parameter manipulation and generation
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<openssl dhparam>
|
|
[B<-help>]
|
|
[B<-inform> B<DER>|B<PEM>]
|
|
[B<-outform> B<DER>|B<PEM>]
|
|
[B<-in> I<filename>]
|
|
[B<-out> I<filename>]
|
|
[B<-dsaparam>]
|
|
[B<-check>]
|
|
[B<-noout>]
|
|
[B<-text>]
|
|
[B<-C>]
|
|
[B<-2>]
|
|
[B<-3>]
|
|
[B<-5>]
|
|
{- $OpenSSL::safe::opt_engine_synopsis -}
|
|
{- $OpenSSL::safe::opt_r_synopsis -}
|
|
{- $OpenSSL::safe::opt_provider_synopsis -}
|
|
[I<numbits>]
|
|
|
|
=for openssl ifdef dsaparam engine
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
This command has been deprecated.
|
|
The L<openssl-pkeyparam(1)> command should be used instead.
|
|
|
|
This command is used to manipulate DH parameter files.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item B<-help>
|
|
|
|
Print out a usage message.
|
|
|
|
=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
|
|
|
|
The input format and output format; the default is B<PEM>.
|
|
The object is compatible with the PKCS#3 B<DHparameter> structure.
|
|
See L<openssl(1)/Format Options> for details.
|
|
|
|
=item B<-in> I<filename>
|
|
|
|
This specifies the input filename to read parameters from or standard input if
|
|
this option is not specified.
|
|
|
|
=item B<-out> I<filename>
|
|
|
|
This specifies the output filename parameters to. Standard output is used
|
|
if this option is not present. The output filename should B<not> be the same
|
|
as the input filename.
|
|
|
|
=item B<-dsaparam>
|
|
|
|
If this option is used, DSA rather than DH parameters are read or created;
|
|
they are converted to DH format. Otherwise, "strong" primes (such
|
|
that (p-1)/2 is also prime) will be used for DH parameter generation.
|
|
|
|
DH parameter generation with the B<-dsaparam> option is much faster,
|
|
and the recommended exponent length is shorter, which makes DH key
|
|
exchange more efficient. Beware that with such DSA-style DH
|
|
parameters, a fresh DH key should be created for each use to
|
|
avoid small-subgroup attacks that may be possible otherwise.
|
|
|
|
=item B<-check>
|
|
|
|
Performs numerous checks to see if the supplied parameters are valid and
|
|
displays a warning if not.
|
|
|
|
=item B<-2>, B<-3>, B<-5>
|
|
|
|
The generator to use, either 2, 3 or 5. If present then the
|
|
input file is ignored and parameters are generated instead. If not
|
|
present but I<numbits> is present, parameters are generated with the
|
|
default generator 2.
|
|
|
|
=item I<numbits>
|
|
|
|
This option specifies that a parameter set should be generated of size
|
|
I<numbits>. It must be the last option. If this option is present then
|
|
the input file is ignored and parameters are generated instead. If
|
|
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
|
|
present, parameters are generated with a default length of 2048 bits.
|
|
The minimim length is 512 bits. The maximum length is 10000 bits.
|
|
|
|
=item B<-noout>
|
|
|
|
This option inhibits the output of the encoded version of the parameters.
|
|
|
|
=item B<-text>
|
|
|
|
This option prints out the DH parameters in human readable form.
|
|
|
|
=item B<-C>
|
|
|
|
This option converts the parameters into C code. The parameters can then
|
|
be loaded by calling the get_dhNNNN() function.
|
|
|
|
{- $OpenSSL::safe::opt_engine_item -}
|
|
|
|
{- $OpenSSL::safe::opt_r_item -}
|
|
|
|
{- $OpenSSL::safe::opt_provider_item -}
|
|
|
|
=back
|
|
|
|
=head1 NOTES
|
|
|
|
This command replaces the B<dh> and B<gendh> commands of previous
|
|
releases.
|
|
|
|
OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42
|
|
DH.
|
|
|
|
This command manipulates DH parameters not keys.
|
|
|
|
=head1 BUGS
|
|
|
|
There should be a way to generate and manipulate DH keys.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<openssl(1)>,
|
|
L<openssl-pkeyparam(1)>,
|
|
L<openssl-dsaparam(1)>
|
|
|
|
=head1 HISTORY
|
|
|
|
This command was deprecated in OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|