1CONFIG(5) OpenSSL CONFIG(5)
2
3
4
6 config - OpenSSL CONF library configuration files
7
9 The OpenSSL CONF library can be used to read configuration files. It
10 is used for the OpenSSL master configuration file openssl.cnf and in a
11 few other places like SPKAC files and certificate extension files for
12 the x509 utility. OpenSSL applications can also use the CONF library
13 for their own purposes.
14
15 A configuration file is divided into a number of sections. Each section
16 starts with a line [ section_name ] and ends when a new section is
17 started or end of file is reached. A section name can consist of
18 alphanumeric characters and underscores.
19
20 The first section of a configuration file is special and is referred to
21 as the default section this is usually unnamed and is from the start of
22 file until the first named section. When a name is being looked up it
23 is first looked up in a named section (if any) and then the default
24 section.
25
26 The environment is mapped onto a section called ENV.
27
28 Comments can be included by preceding them with the # character
29
30 Each section in a configuration file consists of a number of name and
31 value pairs of the form name=value
32
33 The name string can contain any alphanumeric characters as well as a
34 few punctuation symbols such as . , ; and _.
35
36 The value string consists of the string following the = character until
37 end of line with any leading and trailing white space removed.
38
39 The value string undergoes variable expansion. This can be done by
40 including the form $var or ${var}: this will substitute the value of
41 the named variable in the current section. It is also possible to
42 substitute a value from another section using the syntax $section::name
43 or ${section::name}. By using the form $ENV::name environment variables
44 can be substituted. It is also possible to assign values to environment
45 variables by using the name ENV::name, this will work if the program
46 looks up environment variables using the CONF library instead of
47 calling getenv() directly.
48
49 It is possible to escape certain characters by using any kind of quote
50 or the \ character. By making the last character of a line a \ a value
51 string can be spread across multiple lines. In addition the sequences
52 \n, \r, \b and \t are recognized.
53
55 In OpenSSL 0.9.7 and later applications can automatically configure
56 certain aspects of OpenSSL using the master OpenSSL configuration file,
57 or optionally an alternative configuration file. The openssl utility
58 includes this functionality: any sub command uses the master OpenSSL
59 configuration file unless an option is used in the sub command to use
60 an alternative configuration file.
61
62 To enable library configuration the default section needs to contain an
63 appropriate line which points to the main configuration section. The
64 default name is openssl_conf which is used by the openssl utility.
65 Other applications may use an alternative name such as
66 myapplicaton_conf.
67
68 The configuration section should consist of a set of name value pairs
69 which contain specific module configuration information. The name
70 represents the name of the configuration module the meaning of the
71 value is module specific: it may, for example, represent a further
72 configuration section containing configuration module specific
73 information. E.g.
74
75 openssl_conf = openssl_init
76
77 [openssl_init]
78
79 oid_section = new_oids
80 engines = engine_section
81
82 [new_oids]
83
84 ... new oids here ...
85
86 [engine_section]
87
88 ... engine stuff here ...
89
90 The features of each configuration module are described below.
91
92 ASN1 OBJECT CONFIGURATION MODULE
93 This module has the name oid_section. The value of this variable points
94 to a section containing name value pairs of OIDs: the name is the OID
95 short and long name, the value is the numerical form of the OID.
96 Although some of the openssl utility sub commands already have their
97 own ASN1 OBJECT section functionality not all do. By using the ASN1
98 OBJECT configuration module all the openssl utility sub commands can
99 see the new objects as well as any compliant applications. For example:
100
101 [new_oids]
102
103 some_new_oid = 1.2.3.4
104 some_other_oid = 1.2.3.5
105
106 In OpenSSL 0.9.8 it is also possible to set the value to the long name
107 followed by a comma and the numerical OID form. For example:
108
109 shortName = some object long name, 1.2.3.4
110
111 ENGINE CONFIGURATION MODULE
112 This ENGINE configuration module has the name engines. The value of
113 this variable points to a section containing further ENGINE
114 configuration information.
115
116 The section pointed to by engines is a table of engine names (though
117 see engine_id below) and further sections containing configuration
118 information specific to each ENGINE.
119
120 Each ENGINE specific section is used to set default algorithms, load
121 dynamic, perform initialization and send ctrls. The actual operation
122 performed depends on the command name which is the name of the name
123 value pair. The currently supported commands are listed below.
124
125 For example:
126
127 [engine_section]
128
129 # Configure ENGINE named "foo"
130 foo = foo_section
131 # Configure ENGINE named "bar"
132 bar = bar_section
133
134 [foo_section]
135 ... foo ENGINE specific commands ...
136
137 [bar_section]
138 ... "bar" ENGINE specific commands ...
139
140 The command engine_id is used to give the ENGINE name. If used this
141 command must be first. For example:
142
143 [engine_section]
144 # This would normally handle an ENGINE named "foo"
145 foo = foo_section
146
147 [foo_section]
148 # Override default name and use "myfoo" instead.
149 engine_id = myfoo
150
151 The command dynamic_path loads and adds an ENGINE from the given path.
152 It is equivalent to sending the ctrls SO_PATH with the path argument
153 followed by LIST_ADD with value 2 and LOAD to the dynamic ENGINE. If
154 this is not the required behaviour then alternative ctrls can be sent
155 directly to the dynamic ENGINE using ctrl commands.
156
157 The command init determines whether to initialize the ENGINE. If the
158 value is 0 the ENGINE will not be initialized, if 1 and attempt it made
159 to initialized the ENGINE immediately. If the init command is not
160 present then an attempt will be made to initialize the ENGINE after all
161 commands in its section have been processed.
162
163 The command default_algorithms sets the default algorithms an ENGINE
164 will supply using the functions ENGINE_set_default_string()
165
166 If the name matches none of the above command names it is assumed to be
167 a ctrl command which is sent to the ENGINE. The value of the command is
168 the argument to the ctrl command. If the value is the string EMPTY then
169 no value is sent to the command.
170
171 For example:
172
173 [engine_section]
174
175 # Configure ENGINE named "foo"
176 foo = foo_section
177
178 [foo_section]
179 # Load engine from DSO
180 dynamic_path = /some/path/fooengine.so
181 # A foo specific ctrl.
182 some_ctrl = some_value
183 # Another ctrl that doesn't take a value.
184 other_ctrl = EMPTY
185 # Supply all default algorithms
186 default_algorithms = ALL
187
188 EVP CONFIGURATION MODULE
189 This modules has the name alg_section which points to a section
190 containing algorithm commands.
191
192 Currently the only algorithm command supported is fips_mode whose value
193 should be a boolean string such as on or off. If the value is on this
194 attempt to enter FIPS mode. If the call fails or the library is not
195 FIPS capable then an error occurs.
196
197 For example:
198
199 alg_section = evp_settings
200
201 [evp_settings]
202
203 fips_mode = on
204
206 If a configuration file attempts to expand a variable that doesn't
207 exist then an error is flagged and the file will not load. This can
208 happen if an attempt is made to expand an environment variable that
209 doesn't exist. For example in a previous version of OpenSSL the default
210 OpenSSL master configuration file used the value of HOME which may not
211 be defined on non Unix systems and would cause an error.
212
213 This can be worked around by including a default section to provide a
214 default value: then if the environment lookup fails the default value
215 will be used instead. For this to work properly the default value must
216 be defined earlier in the configuration file than the expansion. See
217 the EXAMPLES section for an example of how to do this.
218
219 If the same variable exists in the same section then all but the last
220 value will be silently ignored. In certain circumstances such as with
221 DNs the same field may occur multiple times. This is usually worked
222 around by ignoring any characters before an initial . e.g.
223
224 1.OU="My first OU"
225 2.OU="My Second OU"
226
228 Here is a sample configuration file using some of the features
229 mentioned above.
230
231 # This is the default section.
232
233 HOME=/temp
234 RANDFILE= ${ENV::HOME}/.rnd
235 configdir=$ENV::HOME/config
236
237 [ section_one ]
238
239 # We are now in section one.
240
241 # Quotes permit leading and trailing whitespace
242 any = " any variable name "
243
244 other = A string that can \
245 cover several lines \
246 by including \\ characters
247
248 message = Hello World\n
249
250 [ section_two ]
251
252 greeting = $section_one::message
253
254 This next example shows how to expand environment variables safely.
255
256 Suppose you want a variable called tmpfile to refer to a temporary
257 filename. The directory it is placed in can determined by the the TEMP
258 or TMP environment variables but they may not be set to any value at
259 all. If you just include the environment variable names and the
260 variable doesn't exist then this will cause an error when an attempt is
261 made to load the configuration file. By making use of the default
262 section both values can be looked up with TEMP taking priority and /tmp
263 used if neither is defined:
264
265 TMP=/tmp
266 # The above value is used if TMP isn't in the environment
267 TEMP=$ENV::TMP
268 # The above value is used if TEMP isn't in the environment
269 tmpfile=${ENV::TEMP}/tmp.filename
270
271 Simple OpenSSL library configuration example to enter FIPS mode:
272
273 # Default appname: should match "appname" parameter (if any)
274 # supplied to CONF_modules_load_file et al.
275 openssl_conf = openssl_conf_section
276
277 [openssl_conf_section]
278 # Configuration module list
279 alg_section = evp_sect
280
281 [evp_sect]
282 # Set to "yes" to enter FIPS mode if supported
283 fips_mode = yes
284
285 Note: in the above example you will get an error in non FIPS capable
286 versions of OpenSSL.
287
288 More complex OpenSSL library configuration. Add OID and don't enter
289 FIPS mode:
290
291 # Default appname: should match "appname" parameter (if any)
292 # supplied to CONF_modules_load_file et al.
293 openssl_conf = openssl_conf_section
294
295 [openssl_conf_section]
296 # Configuration module list
297 alg_section = evp_sect
298 oid_section = new_oids
299
300 [evp_sect]
301 # This will have no effect as FIPS mode is off by default.
302 # Set to "yes" to enter FIPS mode, if supported
303 fips_mode = no
304
305 [new_oids]
306 # New OID, just short name
307 newoid1 = 1.2.3.4.1
308 # New OID shortname and long name
309 newoid2 = New OID 2 long name, 1.2.3.4.2
310
311 The above examples can be used with with any application supporting
312 library configuration if "openssl_conf" is modified to match the
313 appropriate "appname".
314
315 For example if the second sample file above is saved to "example.cnf"
316 then the command line:
317
318 OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
319
320 will output:
321
322 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
323
324 showing that the OID "newoid1" has been added as "1.2.3.4.1".
325
327 Currently there is no way to include characters using the octal \nnn
328 form. Strings are all null terminated so nulls cannot form part of the
329 value.
330
331 The escaping isn't quite right: if you want to use sequences like \n
332 you can't use any quote escaping on the same line.
333
334 Files are loaded in a single pass. This means that an variable
335 expansion will only work if the variables referenced are defined
336 earlier in the file.
337
339 x509(1), req(1), ca(1)
340
341
342
3431.0.2k 2017-01-26 CONFIG(5)