From: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date: Mon, 27 May 2024 06:12:31 +0000 (+0200)
Subject: Update configurable sigalgs documentation for providers
X-Git-Tag: openssl-3.3.1~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52bd95e7122f396caaba1df3c324b73cf8838c20;p=thirdparty%2Fopenssl.git

Update configurable sigalgs documentation for providers

also adding to SignatureAlgorithms section

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24499)

(cherry picked from commit 90e7c12f1b238ed714786fafc26d05b59a63752b)
---

diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 5dc468dc2e8..d9596b82317 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -118,15 +118,18 @@ algorithms to support.
 
 The B<algs> argument should be a colon separated list of signature
 algorithms in order of decreasing preference of the form B<algorithm+hash>
-or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and
+or B<signature_scheme>. For the default providers shipped with OpenSSL,
+B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and
 B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>,
-B<SHA256>, B<SHA384> of B<SHA512>.  Note: algorithm and hash names are case
+B<SHA256>, B<SHA384> or B<SHA512>.  Note: algorithm and hash names are case
 sensitive.  B<signature_scheme> is one of the signature schemes defined in
 TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>,
-B<ed25519>, or B<rsa_pss_pss_sha256>.
+B<ed25519>, or B<rsa_pss_pss_sha256>. Additional providers may make available
+further algorithms via the TLS_SIGALG capability.
+See L<provider-base(7)/CAPABILITIES>.
 
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
+If this option is not set then all signature algorithms supported by all
+activated providers are permissible.
 
 Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
 using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
@@ -369,16 +372,19 @@ servers it is used to determine which signature algorithms to support.
 
 The B<value> argument should be a colon separated list of signature algorithms
 in order of decreasing preference of the form B<algorithm+hash> or
-B<signature_scheme>. B<algorithm>
-is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
-OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
+B<signature_scheme>. For the default providers shipped with OpenSSL,
+B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported
+algorithm OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384>
+or B<SHA512>.
 Note: algorithm and hash names are case sensitive.
 B<signature_scheme> is one of the signature schemes defined in TLSv1.3,
 specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>,
 or B<rsa_pss_pss_sha256>.
+Additional providers may make available further algorithms via the TLS_SIGALG
+capability. See L<provider-base(7)/CAPABILITIES>.
 
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
+If this option is not set then all signature algorithms supported by all
+activated providers are permissible.
 
 Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
 using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>