1CONFIG(5) OpenSSL CONFIG(5)
2
6 config - OpenSSL CONF library configuration files
7
9 The OpenSSL CONF library can be used to read configuration files. It
10 is used for the OpenSSL master configuration file openssl.cnf and in a
11 few other places like SPKAC files and certificate extension files for
12 the x509 utility. OpenSSL applications can also use the CONF library
13 for their own purposes.
14 A configuration file is divided into a number of sections. Each section
16 starts with a line [ section_name ] and ends when a new section is
17 started or end of file is reached. A section name can consist of
18 alphanumeric characters and underscores.
19 The first section of a configuration file is special and is referred to
21 as the default section this is usually unnamed and is from the start of
22 file until the first named section. When a name is being looked up it
23 is first looked up in a named section (if any) and then the default
24 section.
25 The environment is mapped onto a section called ENV.
27 Comments can be included by preceding them with the # character
29 Each section in a configuration file consists of a number of name and
31 value pairs of the form name=value
32 The name string can contain any alphanumeric characters as well as a
34 few punctuation symbols such as . , ; and _.
35 The value string consists of the string following the = character until
37 end of line with any leading and trailing white space removed.
38 The value string undergoes variable expansion. This can be done by
40 including the form $var or ${var}: this will substitute the value of
41 the named variable in the current section. It is also possible to sub‐
42 stitute a value from another section using the syntax $section::name or
43 ${section::name}. By using the form $ENV::name environment variables
44 can be substituted. It is also possible to assign values to environment
45 variables by using the name ENV::name, this will work if the program
46 looks up environment variables using the CONF library instead of call‐
47 ing getenv() directly.
48 It is possible to escape certain characters by using any kind of quote
50 or the \ character. By making the last character of a line a \ a value
51 string can be spread across multiple lines. In addition the sequences
52 \n, \r, \b and \t are recognized.
53
55 In OpenSSL 0.9.7 and later applications can automatically configure
56 certain aspects of OpenSSL using the master OpenSSL configuration file,
57 or optionally an alternative configuration file. The openssl utility
58 includes this functionality: any sub command uses the master OpenSSL
59 configuration file unless an option is used in the sub command to use
60 an alternative configuration file.
61 To enable library configuration the default section needs to contain an
63 appropriate line which points to the main configuration section. The
64 default name is openssl_conf which is used by the openssl utility.
65 Other applications may use an alternative name such as myapplica‐
66 ton_conf.
67 The configuration section should consist of a set of name value pairs
69 which contain specific module configuration information. The name rep‐
70 resents the name of the configuration module the meaning of the value
71 is module specific: it may, for example, represent a further configura‐
72 tion section containing configuration module specific information. E.g.
73 openssl_conf = openssl_init
75 [openssl_init]
77 oid_section = new_oids
79 engines = engine_section
80 [new_oids]
82 ... new oids here ...
84 [engine_section]
86 ... engine stuff here ...
88 Currently there are two configuration modules. One for ASN1 objects
90 another for ENGINE configuration.
91 ASN1 OBJECT CONFIGURATION MODULE
93 This module has the name oid_section. The value of this variable points
95 to a section containing name value pairs of OIDs: the name is the OID
96 short and long name, the value is the numerical form of the OID.
97 Although some of the openssl utility sub commands already have their
98 own ASN1 OBJECT section functionality not all do. By using the ASN1
99 OBJECT configuration module all the openssl utility sub commands can
100 see the new objects as well as any compliant applications. For example:
101 [new_oids]
103 some_new_oid = 1.2.3.4
105 some_other_oid = 1.2.3.5
106 In OpenSSL 0.9.8 it is also possible to set the value to the long name
108 followed by a comma and the numerical OID form. For example:
109 shortName = some object long name, 1.2.3.4
111 ENGINE CONFIGURATION MODULE
113 This ENGINE configuration module has the name engines. The value of
115 this variable points to a section containing further ENGINE configura‐
116 tion information.
117 The section pointed to by engines is a table of engine names (though
119 see engine_id below) and further sections containing configuration
120 informations specific to each ENGINE.
121 Each ENGINE specific section is used to set default algorithms, load
123 dynamic, perform initialization and send ctrls. The actual operation
124 performed depends on the command name which is the name of the name
125 value pair. The currently supported commands are listed below.
126 For example:
128 [engine_section]
130 # Configure ENGINE named "foo"
132 foo = foo_section
133 # Configure ENGINE named "bar"
134 bar = bar_section
135 [foo_section]
137 ... foo ENGINE specific commands ...
138 [bar_section]
140 ... "bar" ENGINE specific commands ...
141 The command engine_id is used to give the ENGINE name. If used this
143 command must be first. For example:
144 [engine_section]
146 # This would normally handle an ENGINE named "foo"
147 foo = foo_section
148 [foo_section]
150 # Override default name and use "myfoo" instead.
151 engine_id = myfoo
152 The command dynamic_path loads and adds an ENGINE from the given path.
154 It is equivalent to sending the ctrls SO_PATH with the path argument
155 followed by LIST_ADD with value 2 and LOAD to the dynamic ENGINE. If
156 this is not the required behaviour then alternative ctrls can be sent
157 directly to the dynamic ENGINE using ctrl commands.
158 The command init determines whether to initialize the ENGINE. If the
160 value is 0 the ENGINE will not be initialized, if 1 and attempt it made
161 to initialized the ENGINE immediately. If the init command is not
162 present then an attempt will be made to initialize the ENGINE after all
163 commands in its section have been processed.
164 The command default_algorithms sets the default algorithms an ENGINE
166 will supply using the functions ENGINE_set_default_string()
167 If the name matches none of the above command names it is assumed to be
169 a ctrl command which is sent to the ENGINE. The value of the command is
170 the argument to the ctrl command. If the value is the string EMPTY then
171 no value is sent to the command.
172 For example:
174 [engine_section]
176 # Configure ENGINE named "foo"
178 foo = foo_section
179 [foo_section]
181 # Load engine from DSO
182 dynamic_path = /some/path/fooengine.so
183 # A foo specific ctrl.
184 some_ctrl = some_value
185 # Another ctrl that doesn't take a value.
186 other_ctrl = EMPTY
187 # Supply all default algorithms
188 default_algorithms = ALL
189
191 If a configuration file attempts to expand a variable that doesn't
192 exist then an error is flagged and the file will not load. This can
193 happen if an attempt is made to expand an environment variable that
194 doesn't exist. For example in a previous version of OpenSSL the default
195 OpenSSL master configuration file used the value of HOME which may not
196 be defined on non Unix systems and would cause an error.
197 This can be worked around by including a default section to provide a
199 default value: then if the environment lookup fails the default value
200 will be used instead. For this to work properly the default value must
201 be defined earlier in the configuration file than the expansion. See
202 the EXAMPLES section for an example of how to do this.
203 If the same variable exists in the same section then all but the last
205 value will be silently ignored. In certain circumstances such as with
206 DNs the same field may occur multiple times. This is usually worked
207 around by ignoring any characters before an initial . e.g.
208 1.OU="My first OU"
210 2.OU="My Second OU"
211
213 Here is a sample configuration file using some of the features men‐
214 tioned above.
215 # This is the default section.
217 HOME=/temp
219 RANDFILE= ${ENV::HOME}/.rnd
220 configdir=$ENV::HOME/config
221 [ section_one ]
223 # We are now in section one.
225 # Quotes permit leading and trailing whitespace
227 any = " any variable name "
228 other = A string that can \
230 cover several lines \
231 by including \\ characters
232 message = Hello World\n
234 [ section_two ]
236 greeting = $section_one::message
238 This next example shows how to expand environment variables safely.
240 Suppose you want a variable called tmpfile to refer to a temporary
242 filename. The directory it is placed in can determined by the the TEMP
243 or TMP environment variables but they may not be set to any value at
244 all. If you just include the environment variable names and the vari‐
245 able doesn't exist then this will cause an error when an attempt is
246 made to load the configuration file. By making use of the default sec‐
247 tion both values can be looked up with TEMP taking priority and /tmp
248 used if neither is defined:
249 TMP=/tmp
251 # The above value is used if TMP isn't in the environment
252 TEMP=$ENV::TMP
253 # The above value is used if TEMP isn't in the environment
254 tmpfile=${ENV::TEMP}/tmp.filename
255
257 Currently there is no way to include characters using the octal \nnn
258 form. Strings are all null terminated so nulls cannot form part of the
259 value.
260 The escaping isn't quite right: if you want to use sequences like \n
262 you can't use any quote escaping on the same line.
263 Files are loaded in a single pass. This means that an variable expan‐
265 sion will only work if the variables referenced are defined earlier in
266 the file.
267
269 x509(1), req(1), ca(1)
2700.9.8b 2004-11-25 CONFIG(5)