1CONFIG(5) OpenSSL CONFIG(5)
2
6 config - OpenSSL CONF library configuration files
7
9 The OpenSSL CONF library can be used to read configuration files. It
10 is used for the OpenSSL master configuration file openssl.cnf and in a
11 few other places like SPKAC files and certificate extension files for
12 the x509 utility. OpenSSL applications can also use the CONF library
13 for their own purposes.
14 A configuration file is divided into a number of sections. Each section
16 starts with a line [ section_name ] and ends when a new section is
17 started or end of file is reached. A section name can consist of
18 alphanumeric characters and underscores.
19 The first section of a configuration file is special and is referred to
21 as the default section this is usually unnamed and is from the start of
22 file until the first named section. When a name is being looked up it
23 is first looked up in a named section (if any) and then the default
24 section.
25 The environment is mapped onto a section called ENV.
27 Comments can be included by preceding them with the # character
29 Each section in a configuration file consists of a number of name and
31 value pairs of the form name=value
32 The name string can contain any alphanumeric characters as well as a
34 few punctuation symbols such as . , ; and _.
35 The value string consists of the string following the = character until
37 end of line with any leading and trailing white space removed.
38 The value string undergoes variable expansion. This can be done by
40 including the form $var or ${var}: this will substitute the value of
41 the named variable in the current section. It is also possible to
42 substitute a value from another section using the syntax $section::name
43 or ${section::name}. By using the form $ENV::name environment variables
44 can be substituted. It is also possible to assign values to environment
45 variables by using the name ENV::name, this will work if the program
46 looks up environment variables using the CONF library instead of
47 calling getenv() directly.
48 It is possible to escape certain characters by using any kind of quote
50 or the \ character. By making the last character of a line a \ a value
51 string can be spread across multiple lines. In addition the sequences
52 \n, \r, \b and \t are recognized.
53
55 In OpenSSL 0.9.7 and later applications can automatically configure
56 certain aspects of OpenSSL using the master OpenSSL configuration file,
57 or optionally an alternative configuration file. The openssl utility
58 includes this functionality: any sub command uses the master OpenSSL
59 configuration file unless an option is used in the sub command to use
60 an alternative configuration file.
61 To enable library configuration the default section needs to contain an
63 appropriate line which points to the main configuration section. The
64 default name is openssl_conf which is used by the openssl utility.
65 Other applications may use an alternative name such as
66 myapplicaton_conf.
67 The configuration section should consist of a set of name value pairs
69 which contain specific module configuration information. The name
70 represents the name of the configuration module the meaning of the
71 value is module specific: it may, for example, represent a further
72 configuration section containing configuration module specific
73 information. E.g.
74 openssl_conf = openssl_init
76 [openssl_init]
78 oid_section = new_oids
80 engines = engine_section
81 [new_oids]
83 ... new oids here ...
85 [engine_section]
87 ... engine stuff here ...
89 Currently there are two configuration modules. One for ASN1 objects
91 another for ENGINE configuration.
92 ASN1 OBJECT CONFIGURATION MODULE
94 This module has the name oid_section. The value of this variable points
95 to a section containing name value pairs of OIDs: the name is the OID
96 short and long name, the value is the numerical form of the OID.
97 Although some of the openssl utility sub commands already have their
98 own ASN1 OBJECT section functionality not all do. By using the ASN1
99 OBJECT configuration module all the openssl utility sub commands can
100 see the new objects as well as any compliant applications. For example:
101 [new_oids]
103 some_new_oid = 1.2.3.4
105 some_other_oid = 1.2.3.5
106 In OpenSSL 0.9.8 it is also possible to set the value to the long name
108 followed by a comma and the numerical OID form. For example:
109 shortName = some object long name, 1.2.3.4
111 ENGINE CONFIGURATION MODULE
113 This ENGINE configuration module has the name engines. The value of
114 this variable points to a section containing further ENGINE
115 configuration information.
116 The section pointed to by engines is a table of engine names (though
118 see engine_id below) and further sections containing configuration
119 informations specific to each ENGINE.
120 Each ENGINE specific section is used to set default algorithms, load
122 dynamic, perform initialization and send ctrls. The actual operation
123 performed depends on the command name which is the name of the name
124 value pair. The currently supported commands are listed below.
125 For example:
127 [engine_section]
129 # Configure ENGINE named "foo"
131 foo = foo_section
132 # Configure ENGINE named "bar"
133 bar = bar_section
134 [foo_section]
136 ... foo ENGINE specific commands ...
137 [bar_section]
139 ... "bar" ENGINE specific commands ...
140 The command engine_id is used to give the ENGINE name. If used this
142 command must be first. For example:
143 [engine_section]
145 # This would normally handle an ENGINE named "foo"
146 foo = foo_section
147 [foo_section]
149 # Override default name and use "myfoo" instead.
150 engine_id = myfoo
151 The command dynamic_path loads and adds an ENGINE from the given path.
153 It is equivalent to sending the ctrls SO_PATH with the path argument
154 followed by LIST_ADD with value 2 and LOAD to the dynamic ENGINE. If
155 this is not the required behaviour then alternative ctrls can be sent
156 directly to the dynamic ENGINE using ctrl commands.
157 The command init determines whether to initialize the ENGINE. If the
159 value is 0 the ENGINE will not be initialized, if 1 and attempt it made
160 to initialized the ENGINE immediately. If the init command is not
161 present then an attempt will be made to initialize the ENGINE after all
162 commands in its section have been processed.
163 The command default_algorithms sets the default algorithms an ENGINE
165 will supply using the functions ENGINE_set_default_string()
166 If the name matches none of the above command names it is assumed to be
168 a ctrl command which is sent to the ENGINE. The value of the command is
169 the argument to the ctrl command. If the value is the string EMPTY then
170 no value is sent to the command.
171 For example:
173 [engine_section]
175 # Configure ENGINE named "foo"
177 foo = foo_section
178 [foo_section]
180 # Load engine from DSO
181 dynamic_path = /some/path/fooengine.so
182 # A foo specific ctrl.
183 some_ctrl = some_value
184 # Another ctrl that doesn't take a value.
185 other_ctrl = EMPTY
186 # Supply all default algorithms
187 default_algorithms = ALL
188
190 If a configuration file attempts to expand a variable that doesn't
191 exist then an error is flagged and the file will not load. This can
192 happen if an attempt is made to expand an environment variable that
193 doesn't exist. For example in a previous version of OpenSSL the default
194 OpenSSL master configuration file used the value of HOME which may not
195 be defined on non Unix systems and would cause an error.
196 This can be worked around by including a default section to provide a
198 default value: then if the environment lookup fails the default value
199 will be used instead. For this to work properly the default value must
200 be defined earlier in the configuration file than the expansion. See
201 the EXAMPLES section for an example of how to do this.
202 If the same variable exists in the same section then all but the last
204 value will be silently ignored. In certain circumstances such as with
205 DNs the same field may occur multiple times. This is usually worked
206 around by ignoring any characters before an initial . e.g.
207 1.OU="My first OU"
209 2.OU="My Second OU"
210
212 Here is a sample configuration file using some of the features
213 mentioned above.
214 # This is the default section.
216 HOME=/temp
218 RANDFILE= ${ENV::HOME}/.rnd
219 configdir=$ENV::HOME/config
220 [ section_one ]
222 # We are now in section one.
224 # Quotes permit leading and trailing whitespace
226 any = " any variable name "
227 other = A string that can \
229 cover several lines \
230 by including \\ characters
231 message = Hello World\n
233 [ section_two ]
235 greeting = $section_one::message
237 This next example shows how to expand environment variables safely.
239 Suppose you want a variable called tmpfile to refer to a temporary
241 filename. The directory it is placed in can determined by the the TEMP
242 or TMP environment variables but they may not be set to any value at
243 all. If you just include the environment variable names and the
244 variable doesn't exist then this will cause an error when an attempt is
245 made to load the configuration file. By making use of the default
246 section both values can be looked up with TEMP taking priority and /tmp
247 used if neither is defined:
248 TMP=/tmp
250 # The above value is used if TMP isn't in the environment
251 TEMP=$ENV::TMP
252 # The above value is used if TEMP isn't in the environment
253 tmpfile=${ENV::TEMP}/tmp.filename
254
256 Currently there is no way to include characters using the octal \nnn
257 form. Strings are all null terminated so nulls cannot form part of the
258 value.
259 The escaping isn't quite right: if you want to use sequences like \n
261 you can't use any quote escaping on the same line.
262 Files are loaded in a single pass. This means that an variable
264 expansion will only work if the variables referenced are defined
265 earlier in the file.
266
268 x509(1), req(1), ca(1)
2691.0.1e 2013-02-11 CONFIG(5)