The OpenSSL libraries use environment variables to override the
compiled-in default paths for various data.
-To avoid security risks, the environment is usually not consulted when
-the executable is set-user-ID or set-group-ID.
+To avoid security risks, the environment is not consulted
+for security-sensitive environment variables when the executable
+is set-user-ID or set-group-ID.
=over 4
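Review bot: The rewritten sentence relies on the term "security-sensitive environment variables" without defining it or saying where the classification is recorded, and by dropping "usually" it now reads as an absolute rule even though the B<SSL_CERT_DIR> entry later in this patch carves out an exception for L<openssl-rehash(1)>. Suggest defining the term once here (for example, that each item below states whether it is security-sensitive) and noting that per-command exceptions are listed in the items. The wording "the environment is not consulted for security-sensitive environment variables" is also circular; "security-sensitive environment variables are ignored when the executable is set-user-ID or set-group-ID" says the same thing more directly.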
Specifies the path to a certificate transparency log list.
See L<CTLOG_STORE_new(3)>.
+This variable is considered a security-sensitive environment variable.
+
=item B<HTTPS_PROXY>, B<HTTP_PROXY>, B<NO_PROXY>, B<https_proxy>, B<http_proxy>, B<no_proxy>
Specify a proxy hostname.
See L<OSSL_HTTP_parse_url(3)>.
+These variables are considered security-sensitive environment variables.
+
=item B<LEGACY_GOST_PKCS12>
Affects the way MAC is generated in PKCS#12 containers for GOST algorithms.
See L<PKCS12_gen_mac(3)>.
+This variable is considered a security-sensitive environment variable.
+
=item B<OPENSSL>
Specifies the path to the B<openssl> executable. Used by
the B<rehash> script (see L<openssl-rehash(1)/Script Configuration>)
and by the B<CA.pl> script (see L<CA.pl(1)/NOTES>
+This variable is not considered security-sensitive.
+
=item B<OPENSSL_CONF>, B<OPENSSL_CONF_INCLUDE>
Specifies the path to a configuration file and the directory for
included files.
See L<config(5)>.
+These variables are considered security-sensitive environment variables.
+
=item B<OPENSSL_CONFIG>
Specifies a configuration option and filename for the B<req> and B<ca>
commands invoked by the B<CA.pl> script.
See L<CA.pl(1)>.
+This variable is not considered security-sensitive.
+
=item B<OPENSSL_DEBUG_DECC_INIT>
On VMS only: if this variable is set, enables verbose output of parsing
initialisation (C<LIB$INITIALIZE>). If the value of the variable is more
than 1, outputs information about every processed feature.
+This variable is not considered security-sensitive.
+
=item B<OPENSSL_ENGINES>
Specifies the directory from which dynamic engines are loaded.
See L<openssl-engine(1)>.
+This variable is considered a security-sensitive environment variable.
+
=item B<OPENSSL_MALLOC_FAILURES>, B<OPENSSL_MALLOC_FD>, B<OPENSSL_MALLOC_SEED>
If built with debugging, this allows memory allocation to fail.
See L<OPENSSL_malloc(3)>.
+These variables are not considered security-sensitive.
+
=item B<OPENSSL_MODULES>
Specifies the directory from which cryptographic providers are loaded.
Equivalently, the generic B<-provider-path> command-line option may be used.
+This variable is considered a security-sensitive environment variable.
+
=item B<OPENSSL_SEC_MEM>
Initializes the secure memory at the beginning of the application which makes
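Review bot: In the B<OPENSSL> item, the added "This variable is not considered security-sensitive." sits directly under text saying the variable selects the B<openssl> executable run by the B<rehash> and B<CA.pl> scripts, and no reason is given for why a variable that chooses what gets executed is exempt. The same applies to B<OPENSSL_CONFIG>, which passes a configuration option and filename to B<req> and B<ca>. Suggest adding a short rationale clause to each of these two items so the classification can be checked against the intent. While touching this item, the context line "(see L<CA.pl(1)/NOTES>" is missing its closing parenthesis and full stop. As a style point, the repeated "is considered a security-sensitive environment variable" could be shortened to "is security-sensitive" now that the introduction carries the term.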
binary, octal, decimal and hexadecimal. For formatting see B<strtol(3)>.
For further restrictions see L<CRYPTO_secure_malloc_init(3)>.
+This variable is not considered security-sensitive.
+
=item B<OPENSSL_SEC_MEM_MINSIZE>
An optional variable used with B<OPENSSL_SEC_MEM>. The value indicates
B<minsize> parameter in bytes. The same formatting applies as above.
Default is 0. For more info see L<CRYPTO_secure_malloc_init(3)>.
+This variable is not considered security-sensitive.
+
=item B<OPENSSL_TRACE>
By default the OpenSSL trace feature is disabled statically.
=back
+This variable is not considered security-sensitive.
+
=item B<OPENSSL_WIN32_UTF8>
If set, then L<UI_OpenSSL(3)> returns UTF-8 encoded strings, rather than
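Review bot: The added "This variable is not considered security-sensitive." lands after the =back that closes the nested list inside the B<OPENSSL_TRACE> item, so "This variable" is separated from its =item line and can be read as describing the last nested entry. Suggest naming it explicitly, "B<OPENSSL_TRACE> is not considered security-sensitive.", or moving the sentence above the nested =over so it sits with the item's opening description.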
variables can be used to exert more control over this selection process.
See L<OPENSSL_ia32cap(3)>, L<OPENSSL_riscvcap(3)>, and L<OPENSSL_s390xcap(3)>.
+These variables are not considered security-sensitive.
+
=item B<OSSL_QFILTER>
Used to set a QUIC qlog filter specification. See L<openssl-qlog(7)>.
+This variable is considered a security-sensitive environment variable.
+
=item B<QLOGDIR>
Specifies a QUIC qlog output directory. See L<openssl-qlog(7)>.
+This variable is considered a security-sensitive environment variable.
+
=item B<RANDFILE>
The state file for the random number generator.
This should not be needed in normal use.
See L<RAND_load_file(3)>.
+This variable is considered a security-sensitive environment variable.
+
=item B<SSLKEYLOGFILE>
Used to produce the standard format output file for SSL key logging. Optionally
read access to the file to decrypt application traffic sent over that session.
Use of this feature should be restricted to test and debug environments only.
+This variable is considered a security-sensitive environment variable.
+
=item B<SSL_CERT_DIR>, B<SSL_CERT_FILE>
Specify the default directory or file containing CA certificates.
See L<SSL_CTX_load_verify_locations(3)>.
+These variables are considered security-sensitive environment variables,
+except in L<openssl-rehash(1)>, where B<SSL_CERT_DIR> is not considered
+security-sensitive.
+
=item B<SSL_CIPHER>
Used by L<openssl-s_time(1)> in case B<-cipher> option (that allows modifying
TLSv1.2 and below cipher list sent by the client) is not provided,
for specification of the aforementioned ciphers.
+This variable is not considered security-sensitive.
+
=item B<TSGET>
Additional arguments for the L<tsget(1)> command.
+This variable is not considered security-sensitive.
+
=back
=head1 HISTORY
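Review bot: In the B<SSL_CERT_DIR>, B<SSL_CERT_FILE> item, the exception "except in L<openssl-rehash(1)>, where B<SSL_CERT_DIR> is not considered security-sensitive" is stated without a reason, and it is the only per-command exception in the list, so readers cannot tell whether other commands treat these variables differently too. Suggest adding one clause explaining why rehash differs and making sure L<openssl-rehash(1)> carries the matching statement. The patch also changes the documented behaviour from "usually not consulted" to a per-variable rule, yet no line is added under =head1 HISTORY in the visible hunks; an entry stating from which release the classification applies would help anyone auditing set-user-ID deployments.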