| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | openssl-env - OpenSSL environment variables
|
|---|
| 6 |
|
|---|
| 7 | =head1 DESCRIPTION
|
|---|
| 8 |
|
|---|
| 9 | The OpenSSL libraries use environment variables to override the
|
|---|
| 10 | compiled-in default paths for various data.
|
|---|
| 11 | To avoid security risks, the environment is usually not consulted when
|
|---|
| 12 | the executable is set-user-ID or set-group-ID.
|
|---|
| 13 |
|
|---|
| 14 | =over 4
|
|---|
| 15 |
|
|---|
| 16 | =item B<CTLOG_FILE>
|
|---|
| 17 |
|
|---|
| 18 | Specifies the path to a certificate transparency log list.
|
|---|
| 19 | See L<CTLOG_STORE_new(3)>.
|
|---|
| 20 |
|
|---|
| 21 | =item B<OPENSSL>
|
|---|
| 22 |
|
|---|
| 23 | Specifies the path to the B<openssl> executable. Used by
|
|---|
| 24 | the B<rehash> script (see L<openssl-rehash(1)/Script Configuration>)
|
|---|
| 25 | and by the B<CA.pl> script (see L<CA.pl(1)/NOTES>
|
|---|
| 26 |
|
|---|
| 27 | =item B<OPENSSL_CONF>, B<OPENSSL_CONF_INCLUDE>
|
|---|
| 28 |
|
|---|
| 29 | Specifies the path to a configuration file and the directory for
|
|---|
| 30 | included files.
|
|---|
| 31 | See L<config(5)>.
|
|---|
| 32 |
|
|---|
| 33 | =item B<OPENSSL_CONFIG>
|
|---|
| 34 |
|
|---|
| 35 | Specifies a configuration option and filename for the B<req> and B<ca>
|
|---|
| 36 | commands invoked by the B<CA.pl> script.
|
|---|
| 37 | See L<CA.pl(1)>.
|
|---|
| 38 |
|
|---|
| 39 | =item B<OPENSSL_ENGINES>
|
|---|
| 40 |
|
|---|
| 41 | Specifies the directory from which dynamic engines are loaded.
|
|---|
| 42 | See L<openssl-engine(1)>.
|
|---|
| 43 |
|
|---|
| 44 | =item B<OPENSSL_MALLOC_FD>, B<OPENSSL_MALLOC_FAILURES>
|
|---|
| 45 |
|
|---|
| 46 | If built with debugging, this allows memory allocation to fail.
|
|---|
| 47 | See L<OPENSSL_malloc(3)>.
|
|---|
| 48 |
|
|---|
| 49 | =item B<OPENSSL_MODULES>
|
|---|
| 50 |
|
|---|
| 51 | Specifies the directory from which cryptographic providers are loaded.
|
|---|
| 52 | Equivalently, the generic B<-provider-path> command-line option may be used.
|
|---|
| 53 |
|
|---|
| 54 | =item B<OPENSSL_TRACE>
|
|---|
| 55 |
|
|---|
| 56 | By default the OpenSSL trace feature is disabled statically.
|
|---|
| 57 | To enable it, OpenSSL must be built with tracing support,
|
|---|
| 58 | which may be configured like this: C<./config enable-trace>
|
|---|
| 59 |
|
|---|
| 60 | Unless OpenSSL tracing support is generally disabled,
|
|---|
| 61 | enable trace output of specific parts of OpenSSL libraries, by name.
|
|---|
| 62 | This output usually makes sense only if you know OpenSSL internals well.
|
|---|
| 63 |
|
|---|
| 64 | The value of this environment varialble is a comma-separated list of names,
|
|---|
| 65 | with the following available:
|
|---|
| 66 |
|
|---|
| 67 | =over 4
|
|---|
| 68 |
|
|---|
| 69 | =item B<TRACE>
|
|---|
| 70 |
|
|---|
| 71 | Traces the OpenSSL trace API itself.
|
|---|
| 72 |
|
|---|
| 73 | =item B<INIT>
|
|---|
| 74 |
|
|---|
| 75 | Traces OpenSSL library initialization and cleanup.
|
|---|
| 76 |
|
|---|
| 77 | =item B<TLS>
|
|---|
| 78 |
|
|---|
| 79 | Traces the TLS/SSL protocol.
|
|---|
| 80 |
|
|---|
| 81 | =item B<TLS_CIPHER>
|
|---|
| 82 |
|
|---|
| 83 | Traces the ciphers used by the TLS/SSL protocol.
|
|---|
| 84 |
|
|---|
| 85 | =item B<CONF>
|
|---|
| 86 |
|
|---|
| 87 | Show details about provider and engine configuration.
|
|---|
| 88 |
|
|---|
| 89 | =item B<ENGINE_TABLE>
|
|---|
| 90 |
|
|---|
| 91 | The function that is used by RSA, DSA (etc) code to select registered
|
|---|
| 92 | ENGINEs, cache defaults and functional references (etc), will generate
|
|---|
| 93 | debugging summaries.
|
|---|
| 94 |
|
|---|
| 95 | =item B<ENGINE_REF_COUNT>
|
|---|
| 96 |
|
|---|
| 97 | Reference counts in the ENGINE structure will be monitored with a line
|
|---|
| 98 | of generated for each change.
|
|---|
| 99 |
|
|---|
| 100 | =item B<PKCS5V2>
|
|---|
| 101 |
|
|---|
| 102 | Traces PKCS#5 v2 key generation.
|
|---|
| 103 |
|
|---|
| 104 | =item B<PKCS12_KEYGEN>
|
|---|
| 105 |
|
|---|
| 106 | Traces PKCS#12 key generation.
|
|---|
| 107 |
|
|---|
| 108 | =item B<PKCS12_DECRYPT>
|
|---|
| 109 |
|
|---|
| 110 | Traces PKCS#12 decryption.
|
|---|
| 111 |
|
|---|
| 112 | =item B<X509V3_POLICY>
|
|---|
| 113 |
|
|---|
| 114 | Generates the complete policy tree at various points during X.509 v3
|
|---|
| 115 | policy evaluation.
|
|---|
| 116 |
|
|---|
| 117 | =item B<BN_CTX>
|
|---|
| 118 |
|
|---|
| 119 | Traces BIGNUM context operations.
|
|---|
| 120 |
|
|---|
| 121 | =item B<CMP>
|
|---|
| 122 |
|
|---|
| 123 | Traces CMP client and server activity.
|
|---|
| 124 |
|
|---|
| 125 | =item B<STORE>
|
|---|
| 126 |
|
|---|
| 127 | Traces STORE operations.
|
|---|
| 128 |
|
|---|
| 129 | =item B<DECODER>
|
|---|
| 130 |
|
|---|
| 131 | Traces decoder operations.
|
|---|
| 132 |
|
|---|
| 133 | =item B<ENCODER>
|
|---|
| 134 |
|
|---|
| 135 | Traces encoder operations.
|
|---|
| 136 |
|
|---|
| 137 | =item B<REF_COUNT>
|
|---|
| 138 |
|
|---|
| 139 | Traces decrementing certain ASN.1 structure references.
|
|---|
| 140 |
|
|---|
| 141 | =item B<HTTP>
|
|---|
| 142 |
|
|---|
| 143 | Traces the HTTP client and server, such as messages being sent and received.
|
|---|
| 144 |
|
|---|
| 145 | =back
|
|---|
| 146 |
|
|---|
| 147 | =item B<OPENSSL_WIN32_UTF8>
|
|---|
| 148 |
|
|---|
| 149 | If set, then L<UI_OpenSSL(3)> returns UTF-8 encoded strings, rather than
|
|---|
| 150 | ones encoded in the current code page, and
|
|---|
| 151 | the L<openssl(1)> program also transcodes the command-line parameters
|
|---|
| 152 | from the current code page to UTF-8.
|
|---|
| 153 | This environment variable is only checked on Microsoft Windows platforms.
|
|---|
| 154 |
|
|---|
| 155 | =item B<RANDFILE>
|
|---|
| 156 |
|
|---|
| 157 | The state file for the random number generator.
|
|---|
| 158 | This should not be needed in normal use.
|
|---|
| 159 | See L<RAND_load_file(3)>.
|
|---|
| 160 |
|
|---|
| 161 | =item B<SSL_CERT_DIR>, B<SSL_CERT_FILE>
|
|---|
| 162 |
|
|---|
| 163 | Specify the default directory or file containing CA certificates.
|
|---|
| 164 | See L<SSL_CTX_load_verify_locations(3)>.
|
|---|
| 165 |
|
|---|
| 166 | =item B<TSGET>
|
|---|
| 167 |
|
|---|
| 168 | Additional arguments for the L<tsget(1)> command.
|
|---|
| 169 |
|
|---|
| 170 | =item B<OPENSSL_ia32cap>, B<OPENSSL_sparcv9cap>, B<OPENSSL_ppccap>, B<OPENSSL_armcap>, B<OPENSSL_s390xcap>, B<OPENSSL_riscvcap>
|
|---|
| 171 |
|
|---|
| 172 | OpenSSL supports a number of different algorithm implementations for
|
|---|
| 173 | various machines and, by default, it determines which to use based on the
|
|---|
| 174 | processor capabilities and run time feature enquiry. These environment
|
|---|
| 175 | variables can be used to exert more control over this selection process.
|
|---|
| 176 | See L<OPENSSL_ia32cap(3)>, L<OPENSSL_s390xcap(3)> and L<OPENSSL_riscvcap(3)>.
|
|---|
| 177 |
|
|---|
| 178 | =item B<NO_PROXY>, B<HTTPS_PROXY>, B<HTTP_PROXY>
|
|---|
| 179 |
|
|---|
| 180 | Specify a proxy hostname.
|
|---|
| 181 | See L<OSSL_HTTP_parse_url(3)>.
|
|---|
| 182 |
|
|---|
| 183 | =item B<QLOGDIR>
|
|---|
| 184 |
|
|---|
| 185 | Specifies a QUIC qlog output directory. See L<openssl-qlog(7)>.
|
|---|
| 186 |
|
|---|
| 187 | =item B<OSSL_QFILTER>
|
|---|
| 188 |
|
|---|
| 189 | Used to set a QUIC qlog filter specification. See L<openssl-qlog(7)>.
|
|---|
| 190 |
|
|---|
| 191 | =back
|
|---|
| 192 |
|
|---|
| 193 | =head1 COPYRIGHT
|
|---|
| 194 |
|
|---|
| 195 | Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 196 |
|
|---|
| 197 | Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 198 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 199 | in the file LICENSE in the source distribution or at
|
|---|
| 200 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 201 |
|
|---|
| 202 | =cut
|
|---|
