1CONFIG(5)                           OpenSSL                          CONFIG(5)
2
3
4

NAME

6       config - OpenSSL CONF library configuration files
7

DESCRIPTION

9       The OpenSSL CONF library can be used to read configuration files.  It
10       is used for the OpenSSL master configuration file openssl.cnf and in a
11       few other places like SPKAC files and certificate extension files for
12       the x509 utility. OpenSSL applications can also use the CONF library
13       for their own purposes.
14
15       A configuration file is divided into a number of sections. Each section
16       starts with a line [ section_name ] and ends when a new section is
17       started or end of file is reached. A section name can consist of
18       alphanumeric characters and underscores.
19
20       The first section of a configuration file is special and is referred to
21       as the default section this is usually unnamed and is from the start of
22       file until the first named section. When a name is being looked up it
23       is first looked up in a named section (if any) and then the default
24       section.
25
26       The environment is mapped onto a section called ENV.
27
28       Comments can be included by preceding them with the # character
29
30       Each section in a configuration file consists of a number of name and
31       value pairs of the form name=value
32
33       The name string can contain any alphanumeric characters as well as a
34       few punctuation symbols such as . , ; and _.
35
36       The value string consists of the string following the = character until
37       end of line with any leading and trailing white space removed.
38
39       The value string undergoes variable expansion. This can be done by
40       including the form $var or ${var}: this will substitute the value of
41       the named variable in the current section. It is also possible to sub‐
42       stitute a value from another section using the syntax $section::name or
43       ${section::name}. By using the form $ENV::name environment variables
44       can be substituted. It is also possible to assign values to environment
45       variables by using the name ENV::name, this will work if the program
46       looks up environment variables using the CONF library instead of call‐
47       ing getenv() directly.
48
49       It is possible to escape certain characters by using any kind of quote
50       or the \ character. By making the last character of a line a \ a value
51       string can be spread across multiple lines. In addition the sequences
52       \n, \r, \b and \t are recognized.
53

OPENSSL LIBRARY CONFIGURATION

55       In OpenSSL 0.9.7 and later applications can automatically configure
56       certain aspects of OpenSSL using the master OpenSSL configuration file,
57       or optionally an alternative configuration file. The openssl utility
58       includes this functionality: any sub command uses the master OpenSSL
59       configuration file unless an option is used in the sub command to use
60       an alternative configuration file.
61
62       To enable library configuration the default section needs to contain an
63       appropriate line which points to the main configuration section. The
64       default name is openssl_conf which is used by the openssl utility.
65       Other applications may use an alternative name such as myapplica‐
66       ton_conf.
67
68       The configuration section should consist of a set of name value pairs
69       which contain specific module configuration information. The name rep‐
70       resents the name of the configuration module the meaning of the value
71       is module specific: it may, for example, represent a further configura‐
72       tion section containing configuration module specific information. E.g.
73
74        openssl_conf = openssl_init
75
76        [openssl_init]
77
78        oid_section = new_oids
79        engines = engine_section
80
81        [new_oids]
82
83        ... new oids here ...
84
85        [engine_section]
86
87        ... engine stuff here ...
88
89       Currently there are two configuration modules. One for ASN1 objects
90       another for ENGINE configuration.
91
92       ASN1 OBJECT CONFIGURATION MODULE
93
94       This module has the name oid_section. The value of this variable points
95       to a section containing name value pairs of OIDs: the name is the OID
96       short and long name, the value is the numerical form of the OID.
97       Although some of the openssl utility sub commands already have their
98       own ASN1 OBJECT section functionality not all do. By using the ASN1
99       OBJECT configuration module all the openssl utility sub commands can
100       see the new objects as well as any compliant applications. For example:
101
102        [new_oids]
103
104        some_new_oid = 1.2.3.4
105        some_other_oid = 1.2.3.5
106
107       In OpenSSL 0.9.8 it is also possible to set the value to the long name
108       followed by a comma and the numerical OID form. For example:
109
110        shortName = some object long name, 1.2.3.4
111
112       ENGINE CONFIGURATION MODULE
113
114       This ENGINE configuration module has the name engines. The value of
115       this variable points to a section containing further ENGINE configura‐
116       tion information.
117
118       The section pointed to by engines is a table of engine names (though
119       see engine_id below) and further sections containing configuration
120       informations specific to each ENGINE.
121
122       Each ENGINE specific section is used to set default algorithms, load
123       dynamic, perform initialization and send ctrls. The actual operation
124       performed depends on the command name which is the name of the name
125       value pair. The currently supported commands are listed below.
126
127       For example:
128
129        [engine_section]
130
131        # Configure ENGINE named "foo"
132        foo = foo_section
133        # Configure ENGINE named "bar"
134        bar = bar_section
135
136        [foo_section]
137        ... foo ENGINE specific commands ...
138
139        [bar_section]
140        ... "bar" ENGINE specific commands ...
141
142       The command engine_id is used to give the ENGINE name. If used this
143       command must be first. For example:
144
145        [engine_section]
146        # This would normally handle an ENGINE named "foo"
147        foo = foo_section
148
149        [foo_section]
150        # Override default name and use "myfoo" instead.
151        engine_id = myfoo
152
153       The command dynamic_path loads and adds an ENGINE from the given path.
154       It is equivalent to sending the ctrls SO_PATH with the path argument
155       followed by LIST_ADD with value 2 and LOAD to the dynamic ENGINE. If
156       this is not the required behaviour then alternative ctrls can be sent
157       directly to the dynamic ENGINE using ctrl commands.
158
159       The command init determines whether to initialize the ENGINE. If the
160       value is 0 the ENGINE will not be initialized, if 1 and attempt it made
161       to initialized the ENGINE immediately. If the init command is not
162       present then an attempt will be made to initialize the ENGINE after all
163       commands in its section have been processed.
164
165       The command default_algorithms sets the default algorithms an ENGINE
166       will supply using the functions ENGINE_set_default_string()
167
168       If the name matches none of the above command names it is assumed to be
169       a ctrl command which is sent to the ENGINE. The value of the command is
170       the argument to the ctrl command. If the value is the string EMPTY then
171       no value is sent to the command.
172
173       For example:
174
175        [engine_section]
176
177        # Configure ENGINE named "foo"
178        foo = foo_section
179
180        [foo_section]
181        # Load engine from DSO
182        dynamic_path = /some/path/fooengine.so
183        # A foo specific ctrl.
184        some_ctrl = some_value
185        # Another ctrl that doesn't take a value.
186        other_ctrl = EMPTY
187        # Supply all default algorithms
188        default_algorithms = ALL
189

NOTES

191       If a configuration file attempts to expand a variable that doesn't
192       exist then an error is flagged and the file will not load. This can
193       happen if an attempt is made to expand an environment variable that
194       doesn't exist. For example in a previous version of OpenSSL the default
195       OpenSSL master configuration file used the value of HOME which may not
196       be defined on non Unix systems and would cause an error.
197
198       This can be worked around by including a default section to provide a
199       default value: then if the environment lookup fails the default value
200       will be used instead. For this to work properly the default value must
201       be defined earlier in the configuration file than the expansion. See
202       the EXAMPLES section for an example of how to do this.
203
204       If the same variable exists in the same section then all but the last
205       value will be silently ignored. In certain circumstances such as with
206       DNs the same field may occur multiple times. This is usually worked
207       around by ignoring any characters before an initial . e.g.
208
209        1.OU="My first OU"
210        2.OU="My Second OU"
211

EXAMPLES

213       Here is a sample configuration file using some of the features men‐
214       tioned above.
215
216        # This is the default section.
217
218        HOME=/temp
219        RANDFILE= ${ENV::HOME}/.rnd
220        configdir=$ENV::HOME/config
221
222        [ section_one ]
223
224        # We are now in section one.
225
226        # Quotes permit leading and trailing whitespace
227        any = " any variable name "
228
229        other = A string that can \
230        cover several lines \
231        by including \\ characters
232
233        message = Hello World\n
234
235        [ section_two ]
236
237        greeting = $section_one::message
238
239       This next example shows how to expand environment variables safely.
240
241       Suppose you want a variable called tmpfile to refer to a temporary
242       filename. The directory it is placed in can determined by the the TEMP
243       or TMP environment variables but they may not be set to any value at
244       all. If you just include the environment variable names and the vari‐
245       able doesn't exist then this will cause an error when an attempt is
246       made to load the configuration file. By making use of the default sec‐
247       tion both values can be looked up with TEMP taking priority and /tmp
248       used if neither is defined:
249
250        TMP=/tmp
251        # The above value is used if TMP isn't in the environment
252        TEMP=$ENV::TMP
253        # The above value is used if TEMP isn't in the environment
254        tmpfile=${ENV::TEMP}/tmp.filename
255

BUGS

257       Currently there is no way to include characters using the octal \nnn
258       form. Strings are all null terminated so nulls cannot form part of the
259       value.
260
261       The escaping isn't quite right: if you want to use sequences like \n
262       you can't use any quote escaping on the same line.
263
264       Files are loaded in a single pass. This means that an variable expan‐
265       sion will only work if the variables referenced are defined earlier in
266       the file.
267

SEE ALSO

269       x509(1), req(1), ca(1)
270
271
272
2730.9.8b                            2004-11-25                         CONFIG(5)
Impressum