From: Norbert Pocs Date: Fri, 12 Sep 2025 13:38:01 +0000 (+0200) Subject: apps/: Update docs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2c1bfa59272b8c29c4566560dbde55185b4e7e6;p=thirdparty%2Fopenssl.git apps/: Update docs Signed-off-by: Norbert Pocs Reviewed-by: Matt Caswell Reviewed-by: Saša Nedvědický Reviewed-by: Neil Horman Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/28384) --- diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 04075004bcb..33bc11a4319 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -37,7 +37,7 @@ B B [B<-md> I] [B<-policy> I] [B<-keyfile> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-key> I] [B<-passin> I] [B<-cert> I] @@ -66,7 +66,7 @@ B B [B<-rand_serial>] [B<-multivalue-rdn>] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I...] =head1 DESCRIPTION @@ -171,7 +171,7 @@ See L for details. The CA private key to sign certificate requests with. This must match with B<-cert>. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The format of the private key input file; unspecified by default. See L for details. @@ -355,8 +355,6 @@ This option has been deprecated and has no effect. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -800,7 +798,7 @@ nevertheless some people are using it for this purpose at least internally. When doing so, specific care should be taken to properly secure the private key(s) used for signing certificates. It is advisable to keep them in a secure HW storage such as a smart card or HSM -and access them via a suitable engine or crypto provider. +and access them via a suitable crypto provider. This command is effectively a single user command: no locking is done on the various files and attempts to run more than one B @@ -847,11 +845,11 @@ The B<-section> option was added in OpenSSL 3.0.0. The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and has no effect. -The B<-engine> option was deprecated in OpenSSL 3.0. - Since OpenSSL 3.2, generated certificates bear X.509 version 3, and key identifier extensions are included by default. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 SEE ALSO L, diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index d4c7a3bb3f4..696df2febda 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -101,7 +101,7 @@ Credentials format options: [B<-crlform> I] [B<-keyform> I] [B<-otherpass> I] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} Random state options: @@ -945,8 +945,6 @@ If not given here, the password will be prompted for if needed. For more information about the format of I see L. -{- $OpenSSL::safe::opt_engine_item -} - =back =head2 Provider options @@ -1501,8 +1499,6 @@ L, L, L The B application was added in OpenSSL 3.0. -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-oldwithold>, B<-newwithnew>, B<-newwithold>, B<-oldwithnew>, The B<-srvcertout>, and B<-serial> option were added in OpenSSL 3.2, as well as an extension of B<-cacertsout> to use when getting CA certificates. @@ -1517,6 +1513,8 @@ and B<-rsp_crl> options were added in OpenSSL 3.4. B<-centralkeygen>, B<-newkeyout>, B<-rsp_key> and B<-rsp_keypass> were added in OpenSSL 3.5. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 7e4272877f2..4d79fe9add0 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -58,8 +58,8 @@ Keys and password options: [B<-inkey> I|I] [B<-passin> I] [B<-keyopt> I:I] -[B<-keyform> B|B|B|B] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +[B<-keyform> B|B|B] +{- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} Encryption options: @@ -375,13 +375,11 @@ set customised parameters for the preceding key or certificate. It can currently be used to set RSA-PSS for signing, RSA-OAEP for encryption or to modify default parameters for ECDH. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The format of the private key file; unspecified by default. See L for details. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} {- $OpenSSL::safe::opt_r_item -} @@ -948,12 +946,12 @@ The -no_alt_chains option was added in OpenSSL 1.0.2b. The B<-nameopt> option was added in OpenSSL 3.0.0. -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-digest> option was added in OpenSSL 3.2. The B<-recip_kdf> and B<-recip_ukm> options were added in OpenSSL 3.6. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 579a8aed0b4..eaf332367db 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -20,7 +20,7 @@ B B|I [B<-r>] [B<-out> I] [B<-sign> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-passin> I] [B<-verify> I] [B<-prverify> I] @@ -32,9 +32,6 @@ B B|I [B<-mac> I] [B<-macopt> I:I] [B<-fips-fingerprint>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- output_off() if $disabled{"deprecated-3.0"}; "" --}[B<-engine_impl> I]{- - output_on() if $disabled{"deprecated-3.0"}; "" -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} [I ...] @@ -126,7 +123,7 @@ be set. For these algorithms the input is buffered (and not digested) before signing. For these algorithms, if the input is larger than 16MB an error will occur. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The format of the key to sign with; unspecified by default. See L for details. @@ -193,8 +190,7 @@ option. Create MAC (keyed Message Authentication Code). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms -which are not based on hash, for instance B algorithm, -supported by the B engine. MAC keys and other options should be set +which are not based on hash. MAC keys and other options should be set via B<-macopt> parameter. Cannot be used together with -hmac, -hmac-env and -hmac-stdin. @@ -261,17 +257,6 @@ Compute HMAC using a specific key for certain OpenSSL-FIPS operations. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} -{- output_off() if $disabled{"deprecated-3.0"}; "" -} -The engine is not used for digests unless the B<-engine_impl> option is -used or it is configured to do so, see L. - -=item B<-engine_impl> I - -When used with the B<-engine> option, it specifies to also use -engine I for digest operations. - -{- output_on() if $disabled{"deprecated-3.0"}; "" -} {- $OpenSSL::safe::opt_provider_item -} =item I ... @@ -341,7 +326,7 @@ L The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. The FIPS-related options were removed in OpenSSL 1.1.0. -The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0. +The B<-engine> and B<-engine_impl> options were removed in OpenSSL 4.0. The B<-hmac-env> and B<-hmac-stdin> options were added in OpenSSL 4.0. diff --git a/doc/man1/openssl-dhparam.pod.in b/doc/man1/openssl-dhparam.pod.in index 62ea9d2a43d..cc23c2575a1 100644 --- a/doc/man1/openssl-dhparam.pod.in +++ b/doc/man1/openssl-dhparam.pod.in @@ -22,7 +22,7 @@ B [B<-2>] [B<-3>] [B<-5>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} [I] @@ -101,8 +101,6 @@ This option inhibits the output of the encoded version of the parameters. This option prints out the DH parameters in human readable form. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -133,10 +131,10 @@ L. =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-C> option was removed in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in index 116cafd71e7..01a82a94094 100644 --- a/doc/man1/openssl-dsa.pod.in +++ b/doc/man1/openssl-dsa.pod.in @@ -39,7 +39,7 @@ B B [B<-pvk-strong>] [B<-pvk-weak>] [B<-pvk-none>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -137,8 +137,6 @@ Enable 'Weak' PVK encoding level. Don't enforce PVK encoding. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -182,7 +180,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in index 68cc83aa637..322c719a6a5 100644 --- a/doc/man1/openssl-dsaparam.pod.in +++ b/doc/man1/openssl-dsaparam.pod.in @@ -19,7 +19,7 @@ B [B<-verbose>] [B<-quiet>] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I] [I] @@ -90,8 +90,6 @@ be handy during batch scripts and pipelines. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - =item I This optional argument specifies that a parameter set should be generated of @@ -119,10 +117,10 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-C> option was removed in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index 51200076a89..a60b796c00d 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -13,7 +13,7 @@ openssl-ec - EC key processing B B [B<-help>] -[B<-inform> B|B|B|B] +[B<-inform> B|B|B] [B<-outform> B|B] [B<-in> I|I] [B<-passin> I] @@ -31,7 +31,7 @@ B B [B<-param_enc> I] [B<-no_public>] [B<-check>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -49,7 +49,7 @@ PKCS#8 private key format use the L command. Print out a usage message. -=item B<-inform> B|B|B|B +=item B<-inform> B|B|B The key input format; unspecified by default. See L for details. @@ -144,8 +144,6 @@ This option omits the public key components from the private key output. This option checks the consistency of an EC private or public key. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -192,11 +190,11 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-conv_form> and B<-no_public> options are no longer supported with keys loaded from an engine in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in index 27ce10490fe..ca4e002762e 100644 --- a/doc/man1/openssl-ecparam.pod.in +++ b/doc/man1/openssl-ecparam.pod.in @@ -23,7 +23,7 @@ B [B<-param_enc> I] [B<-no_seed>] [B<-genkey>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -121,8 +121,6 @@ is included in the ECParameters structure (see RFC 3279). This option will generate an EC private key using the specified parameters. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -172,10 +170,10 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-C> option was removed in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index fb4f72ed8a1..429ef9abcff 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -41,7 +41,7 @@ B B|I [B<-none>] [B<-skeymgmt> I] [B<-skeyopt> I:I] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} B I [B<...>] @@ -241,26 +241,15 @@ any options implying raw key directly or indirectly. {- $OpenSSL::safe::opt_provider_item -} -{- $OpenSSL::safe::opt_engine_item -} - =back =head1 NOTES The program can be called either as C> or -C>. The first form doesn't work with -engine-provided ciphers, because this form is processed before the -configuration file is read and any ENGINEs loaded. +C>. Use the L command to get a list of supported ciphers. -Engines which provide entirely new encryption algorithms (such as the ccgost -engine which provides gost89 algorithm) should be configured in the -configuration file. Engines specified on the command line using B<-engine> -option can only be used for hardware-assisted implementations of -ciphers which are supported by the OpenSSL core or another engine specified -in the configuration file. - -When the enc command lists supported ciphers, ciphers provided by engines, +When the enc command lists supported ciphers, ciphers provided by providers, specified in the configuration files are listed too. A password will be prompted for to derive the key and IV if necessary. @@ -310,11 +299,11 @@ to the output. =head1 SUPPORTED CIPHERS Note that some of these ciphers can be disabled at compile time -and some are available only if an appropriate engine is configured +and some are available only if an appropriate provider is configured in the configuration file. The output when invoking this command with the B<-list> option (that is C) is a list of ciphers, supported by your version of OpenSSL, including -ones provided by configured engines. +ones provided by configured providers. This command does not support authenticated encryption modes like CCM and GCM, and will not support such modes in the future. @@ -380,9 +369,6 @@ In both cases, no IV is needed. See example below. desx DESX algorithm. - gost89 GOST 28147-89 in CFB mode (provided by ccgost engine) - gost89-cnt GOST 28147-89 in CNT mode (provided by ccgost engine) - idea-cbc IDEA algorithm in CBC mode idea same as idea-cbc idea-cfb IDEA in CFB mode @@ -507,12 +493,14 @@ The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0. The B<-list> option was added in OpenSSL 1.1.1e. -The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0. +The B<-ciphers> option was deprecated in OpenSSL 3.0. The B<-saltlen> option was added in OpenSSL 3.2. The B<-skeymgmt> and B<-skeyopt> options were added in OpenSSL 3.5. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-format-options.pod b/doc/man1/openssl-format-options.pod index a9bd1d6971e..b85b34a682f 100644 --- a/doc/man1/openssl-format-options.pod +++ b/doc/man1/openssl-format-options.pod @@ -22,11 +22,6 @@ format is no more needed and the openssl commands will automatically try all the possible formats. However if the B or B input format is specified it will be enforced. -In order to access a key via an engine the input format B may be used; -alternatively the key identifier in the argument of the respective key -option may be preceded by C. -See L for an example usage of the latter. - =head1 OPTIONS =head2 Format Options @@ -65,12 +60,6 @@ is described in each command documentation. A binary format, encoded or parsed according to Distinguished Encoding Rules (DER) of the ASN.1 data language. -=item B - -Used to specify that the cryptographic material is in an OpenSSL B. -An engine must be configured or specified using the B<-engine> option. -A password or PIN may be supplied to the engine using the B<-passin> option. - =item B A DER-encoded file containing a PKCS#12 object. diff --git a/doc/man1/openssl-gendsa.pod.in b/doc/man1/openssl-gendsa.pod.in index cfbb305eb3e..a546b8b7253 100644 --- a/doc/man1/openssl-gendsa.pod.in +++ b/doc/man1/openssl-gendsa.pod.in @@ -26,7 +26,7 @@ B B [B<-verbose>] [B<-quiet>] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I] =head1 DESCRIPTION @@ -71,8 +71,6 @@ be handy during batch scripts and pipelines. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - =item I The DSA parameter file to use. The parameters in this file determine @@ -99,7 +97,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-genpkey.pod.in b/doc/man1/openssl-genpkey.pod.in index 9824aa7a847..6eb185ac6d1 100644 --- a/doc/man1/openssl-genpkey.pod.in +++ b/doc/man1/openssl-genpkey.pod.in @@ -26,7 +26,6 @@ B B [B<-genparam>] [B<-text>] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_config_synopsis -} @@ -125,8 +124,6 @@ parameters along with the PEM or DER structure. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} {- $OpenSSL::safe::opt_config_item -} @@ -441,7 +438,7 @@ L above. =head1 NOTES The use of the genpkey program is encouraged over the algorithm specific -utilities because additional algorithm options and ENGINE provided algorithms +utilities because additional algorithm options and provider provided algorithms can be used. =head1 EXAMPLES @@ -552,10 +549,10 @@ were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in OpenSSL 1.1.0. The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1. -The B<-engine> option was deprecated in OpenSSL 3.0. - Support for B and B was added in OpenSSL 3.5. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in index c75d52ceae7..374301e181a 100644 --- a/doc/man1/openssl-genrsa.pod.in +++ b/doc/man1/openssl-genrsa.pod.in @@ -31,7 +31,7 @@ B B [B<-quiet>] [B<-traditional>] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [B] =head1 DESCRIPTION @@ -90,8 +90,6 @@ Write the key using the traditional PKCS#1 format instead of the PKCS#8 format. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =item B @@ -121,6 +119,10 @@ L, L, L +=head1 HISTORY + +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-info.pod.in b/doc/man1/openssl-info.pod.in index ac3a36d54c7..33618874dd7 100644 --- a/doc/man1/openssl-info.pod.in +++ b/doc/man1/openssl-info.pod.in @@ -10,7 +10,6 @@ openssl-info - print OpenSSL built-in information B [B<-help>] [B<-configdir>] -[B<-enginesdir>] [B<-modulesdir> ] [B<-dsoext>] [B<-dirnamesep>] @@ -40,14 +39,9 @@ Print out a usage message. Outputs the default directory for OpenSSL configuration files. -=item B<-enginesdir> - -Outputs the default directory for OpenSSL engine modules. - =item B<-modulesdir> -Outputs the default directory for OpenSSL dynamically loadable modules -other than engine modules. +Outputs the default directory for OpenSSL dynamically loadable modules. =item B<-dsoext> @@ -86,6 +80,8 @@ This command was added in OpenSSL 3.0. The B<-windowscontext> option was added in OpenSSL 3.4. +The B<-enginesdir> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-list.pod.in b/doc/man1/openssl-list.pod.in index dce292a3f54..9159eebd80d 100644 --- a/doc/man1/openssl-list.pod.in +++ b/doc/man1/openssl-list.pod.in @@ -44,8 +44,6 @@ B [B<-public-key-methods>] [B<-store-loaders>] [B<-providers>] -{- output_off() if $disabled{"deprecated-3.0"}; "" --}[B<-engines>] {- output_on() if $disabled{"deprecated-3.0"}; "" -}[B<-disabled>] [B<-objects>] @@ -251,13 +249,6 @@ Display a list of all loaded providers with their names, version and status. In verbose mode, the full version and all provider parameters will additionally be displayed. - -=item B<-engines> - -This option is deprecated. - -Display a list of loaded engines. - =item B<-disabled> Display a list of disabled features, those that were compiled out @@ -309,11 +300,13 @@ In both cases, C is the name of the provider. =head1 HISTORY -The B<-engines>, B<-digest-commands>, and B<-cipher-commands> options +The B<-digest-commands>, and B<-cipher-commands> options were deprecated in OpenSSL 3.0. The B<-skey-managers> option was added in OpenSSL 3.5. +The B<-engines> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index de2672537d4..48a9d4d06fe 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -21,7 +21,7 @@ B B [B<-nocerts>] [B<-noout>] [B<-legacy>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} PKCS#12 input (parsing) options: @@ -153,8 +153,6 @@ If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} {- $OpenSSL::safe::opt_r_item -} @@ -485,10 +483,11 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. The B<-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead. The B<-macsaltlen> option default changed from 8 to 16 bytes in OpenSSL 3.6. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-pkcs7.pod.in b/doc/man1/openssl-pkcs7.pod.in index 412c7592d9b..d86b6a34009 100644 --- a/doc/man1/openssl-pkcs7.pod.in +++ b/doc/man1/openssl-pkcs7.pod.in @@ -22,7 +22,7 @@ B B [B<-quiet>] [B<-text>] [B<-noout>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -79,8 +79,6 @@ issuer names. Don't output the encoded version of the PKCS#7 structure (or certificates if B<-print_certs> is set). -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -102,7 +100,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index 72ab63a0584..e2356b4aea7 100644 --- a/doc/man1/openssl-pkcs8.pod.in +++ b/doc/man1/openssl-pkcs8.pod.in @@ -29,7 +29,7 @@ B B [B<-scrypt_p> I

] [B<-saltlen> I] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -161,8 +161,6 @@ and 8 (64 bits) for PBES1. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -285,7 +283,7 @@ L The B<-iter> option was added in OpenSSL 1.1.0. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index 64e28bcadab..238d0c812ad 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -13,11 +13,11 @@ openssl-pkey - public or private key processing command B B [B<-help>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [B<-check>] [B<-pubcheck>] [B<-in> I|I] -[B<-inform> B|B|B|B] +[B<-inform> B|B|B] [B<-passin> I] [B<-pubin>] [B<-out> I] @@ -47,8 +47,6 @@ converted between various forms and their components printed. Print out a usage message. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =item B<-check> @@ -75,7 +73,7 @@ or standard input if this option is not specified. If the key input is encrypted and B<-passin> is not given a pass phrase will be prompted for. -=item B<-inform> B|B|B|B +=item B<-inform> B|B|B The key input format; unspecified by default. See L for details. @@ -230,7 +228,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-pkeyparam.pod.in b/doc/man1/openssl-pkeyparam.pod.in index b8b1792f289..13d97f5dc0a 100644 --- a/doc/man1/openssl-pkeyparam.pod.in +++ b/doc/man1/openssl-pkeyparam.pod.in @@ -18,7 +18,7 @@ B B [B<-text>] [B<-noout>] [B<-check>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -58,8 +58,6 @@ Do not output the encoded version of the parameters. This option checks the correctness of parameters. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -87,7 +85,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index c5fb8378e8b..750455c9956 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -16,7 +16,7 @@ B B [B<-secret> I] [B<-sigfile> I] [B<-inkey> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-passin> I] [B<-pubin>] [B<-certin>] @@ -28,7 +28,7 @@ B B [B<-decrypt>] [B<-derive>] [B<-peerkey> I] -[B<-peerform> B|B|B|B] +[B<-peerform> B|B|B] [B<-encap>] [B<-decap>] [B<-kdf> I] @@ -38,7 +38,6 @@ B B [B<-pkeyopt_passin> I[:I]] [B<-hexdump>] [B<-asn1parse>] -{- $OpenSSL::safe::opt_engine_synopsis -}[B<-engine_impl>] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_config_synopsis -} @@ -113,7 +112,7 @@ Signature file, required and allowed for B<-verify> operations only. The input key, by default it should be a private key. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key format; unspecified by default. See L for details. @@ -191,7 +190,7 @@ File containing the peer public or private (EC)DH key to use with the key derivation (agreement) operation. Its type must match the type of the own private key given with B<-inkey>. -=item B<-peerform> B|B|B|B +=item B<-peerform> B|B|B The peer key format; unspecified by default. See L for details. @@ -284,15 +283,6 @@ When combined with the B<-verifyrecover> option, this may be useful in case an ASN.1 DER-encoded structure had been signed directly (without hashing it) and when checking a signature in PKCS#1 v1.5 format, which has a DER encoding. -{- $OpenSSL::safe::opt_engine_item -} - -{- output_off() if $disabled{"deprecated-3.0"}; "" -} -=item B<-engine_impl> - -When used with the B<-engine> option, it specifies to also use -engine I for crypto operations. -{- output_on() if $disabled{"deprecated-3.0"}; "" -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -689,7 +679,7 @@ no longer required when signing or verifying with an Ed25519 or Ed448 key. Also since OpenSSL 3.5, the B<-kemop> option is no longer required for any of the supported algorithms, the only supported B is now the default. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-rand.pod.in b/doc/man1/openssl-rand.pod.in index 7c07df3f147..d38961acc30 100644 --- a/doc/man1/openssl-rand.pod.in +++ b/doc/man1/openssl-rand.pod.in @@ -12,7 +12,7 @@ B [B<-out> I] [B<-base64>] [B<-hex>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} I[K|M|G|T] @@ -55,8 +55,6 @@ Perform base64 encoding on the output. Show the output as a hex string. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -72,7 +70,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 97a4a5b01c5..8e3dea6a2c5 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -27,9 +27,8 @@ B B [B<-noenc>] [B<-nodes>] [B<-key> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-keyout> I] -[B<-keygen_engine> I] [B<-I>] [B<-config> I] [B<-section> I] @@ -59,7 +58,7 @@ B B [B<-quiet>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -203,10 +202,7 @@ any necessary parameters should be specified via the B<-pkeyopt> option. BI generates a DSA key using the parameters in the file I. BI generates EC key (usable both with -ECDSA or ECDH algorithms), BI generates GOST R -34.10-2001 key (requires B engine configured in the configuration -file). If just B is specified a parameter set should be -specified by B<-pkeyopt> I +ECDSA or ECDH algorithms). =item B<-pkeyopt> I:I @@ -226,7 +222,7 @@ For certificate signing this option is overridden by the B<-CA> option. This option also accepts PKCS#8 format private keys for PEM format files. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The format of the private key; unspecified by default. See L for details. @@ -449,17 +445,10 @@ Print fewer details about the operations being performed, which may be handy during batch scripts or pipelines (specifically "progress dots" during key generation are suppressed). -=item B<-keygen_engine> I - -Specifies an engine (by its unique I string) which would be used -for key generation operations. - {- $OpenSSL::safe::opt_name_item -} {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -842,8 +831,7 @@ The B<-section> option was added in OpenSSL 3.0.0. The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and has no effect. -The B<-engine> option was deprecated in OpenSSL 3.0. -The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead. +The <-nodes> option was deprecated in OpenSSL 3.0; use B<-noenc> instead. The B<-reqexts> option has been made an alias of B<-extensions> in OpenSSL 3.2. @@ -853,6 +841,8 @@ and key identifier extensions are included by default. Since OpenSSL 3.3, the B<-verify> option will exit with 1 on failure. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index faa4872e19e..b06a05b602a 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -13,7 +13,7 @@ openssl-rsa - RSA key processing command B B [B<-help>] -[B<-inform> B|B|B|B] +[B<-inform> B|B|B] [B<-outform> B|B] [B<-in> I|I] [B<-passin> I] @@ -43,7 +43,7 @@ B B [B<-pvk-strong>] [B<-pvk-weak>] [B<-pvk-none>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -58,7 +58,7 @@ various forms and their components printed out. Print out a usage message. -=item B<-inform> B|B|B|B +=item B<-inform> B|B|B The key input format; unspecified by default. See L for details. @@ -147,8 +147,6 @@ Enable 'Weak' PVK encoding level. Don't enforce PVK encoding. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -203,7 +201,7 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in index 41d0d309dd2..677daf0f097 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -14,7 +14,7 @@ B B [B<-rev>] [B<-out> I] [B<-inkey> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-pubin>] [B<-certin>] [B<-sign>] @@ -27,7 +27,7 @@ B B [B<-raw>] [B<-hexdump>] [B<-asn1parse>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -69,7 +69,7 @@ default. The input key, by default it should be an RSA private key. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key format; unspecified by default. See L for details. @@ -121,8 +121,6 @@ Hex dump the output data. Parse the ASN.1 output data, this is useful when combined with the B<-verify> option. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -235,7 +233,7 @@ L This command was deprecated in OpenSSL 3.0. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 4c0759ab0f5..83b05812097 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -37,7 +37,7 @@ B B [B<-CRLform> B|B] [B<-crl_download>] [B<-key> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-pass> I] [B<-chainCAfile> I] [B<-chainCApath> I] @@ -119,7 +119,6 @@ B B {- $OpenSSL::safe::opt_s_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}[B<-ssl_client_engine> I] {- $OpenSSL::safe::opt_v_synopsis -} [B<-enable_server_rpk>] [B<-enable_client_rpk>] @@ -274,7 +273,7 @@ of CRL is limited by L function. The client private key to use. If not specified then the certificate file will be used to read also the key. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key format; unspecified by default. See L for details. @@ -785,14 +784,6 @@ Enable creation of connections via TCP fast open (RFC7413). {- $OpenSSL::safe::opt_provider_item -} -{- $OpenSSL::safe::opt_engine_item -} - -{- output_off() if $disabled{"deprecated-3.0"}; "" -} -=item B<-ssl_client_engine> I - -Specify engine to be used for client certificate operations. -{- output_on() if $disabled{"deprecated-3.0"}; "" -} - {- $OpenSSL::safe::opt_v_item -} Verification errors are displayed, for debugging, but the command will @@ -1033,7 +1024,7 @@ The B<-name> option was added in OpenSSL 1.1.1. The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. The B<-enable_client_rpk>, diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 4c30c9c6283..f16ed8d326f 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -28,13 +28,13 @@ B B [B<-serverinfo> I] [B<-key> I|I] [B<-key2> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-pass> I] [B<-dcert> I] [B<-dcertform> B|B|B] [B<-dcert_chain> I] [B<-dkey> I|I] -[B<-dkeyform> B|B|B|B] +[B<-dkeyform> B|B|B] [B<-dpass> I] [B<-nbio_test>] [B<-crlf>] @@ -132,7 +132,7 @@ B B {- $OpenSSL::safe::opt_x_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [B<-enable_server_rpk>] [B<-enable_client_rpk>] @@ -243,7 +243,7 @@ be used. The private Key file to use for servername if not given via B<-cert2>. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key format; unspecified by default. See L for details. @@ -277,7 +277,7 @@ The input can be in PEM, DER, or PKCS#12 format. The format of the additional certificate file; unspecified by default. See L for details. -=item B<-dkeyform> B|B|B|B +=item B<-dkeyform> B|B|B The format of the additional private key; unspecified by default. See L for details. @@ -794,8 +794,6 @@ Pre-compresses certificates (RFC8879) that will be sent during the handshake. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} {- $OpenSSL::safe::opt_v_item -} @@ -925,7 +923,7 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. The -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. -The B<-srpvfile>, B<-srpuserseed>, and B<-engine> +The B<-srpvfile> and B<-srpuserseed> option were deprecated in OpenSSL 3.0. The @@ -938,6 +936,8 @@ options were added in OpenSSL 3.2. The B<-status_all> option was added in OpenSSL 3.6. +The B option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 0a8fe013665..061f1f23fba 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -32,7 +32,7 @@ B B [B<-recip> I< file>] [B<-inform> B|B|B] [B<-outform> B|B|B] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-passin> I] [B<-inkey> I|I] [B<-out> I] @@ -46,7 +46,7 @@ B B [B<-stream>] [B<-md> I] {- $OpenSSL::safe::opt_trust_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_config_synopsis -} @@ -125,7 +125,7 @@ The output format of the PKCS#7 (S/MIME) structure (if one is being written); the default is B. See L for details. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key format; unspecified by default. See L for details. @@ -277,8 +277,6 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_trust_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -475,7 +473,7 @@ added in OpenSSL 1.0.0 The -no_alt_chains option was added in OpenSSL 1.1.0. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in index 83a35bb52b1..88628277775 100644 --- a/doc/man1/openssl-speed.pod.in +++ b/doc/man1/openssl-speed.pod.in @@ -29,7 +29,7 @@ B [B<-mlock>] [B<-testmode>] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I ...] =head1 DESCRIPTION @@ -53,8 +53,7 @@ see L. =item B<-elapsed> When calculating operations- or bytes-per-second, use wall-clock time -instead of CPU user time as divisor. It can be useful when testing speed -of hardware engines. +instead of CPU user time as divisor. =item B<-evp> I @@ -139,8 +138,6 @@ the speed command will return with a failure result. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =item I ... @@ -167,6 +164,8 @@ DSA512 was removed in OpenSSL 3.2. The B<-testmode> option was added in OpenSSL 3.4. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in index 5e55a7498b6..53f12400dc7 100644 --- a/doc/man1/openssl-spkac.pod.in +++ b/doc/man1/openssl-spkac.pod.in @@ -17,7 +17,7 @@ B B [B<-out> I] [B<-digest> I] [B<-key> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-passin> I] [B<-challenge> I] [B<-pubkey>] @@ -25,7 +25,7 @@ B B [B<-spksect> I

] [B<-noout>] [B<-verify>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -62,7 +62,7 @@ Create an SPKAC file using the private key specified by I or I. The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if present. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key format; unspecified by default. See L for details. @@ -101,8 +101,6 @@ being created). Verifies the digital signature on the supplied SPKAC. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -153,10 +151,10 @@ L =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-digest> option was added in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in index 26f7ebcef9c..87f54cf381d 100644 --- a/doc/man1/openssl-srp.pod.in +++ b/doc/man1/openssl-srp.pod.in @@ -20,7 +20,7 @@ B [B<-userinfo> I] [B<-passin> I] [B<-passout> I] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_config_synopsis -} [I ...] @@ -90,8 +90,6 @@ The password source for the input and output file. For more information about the format of B see L. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_r_item -} {- $OpenSSL::safe::opt_provider_item -} @@ -104,7 +102,7 @@ see L. =head1 HISTORY -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-storeutl.pod.in b/doc/man1/openssl-storeutl.pod.in index 75acb077430..38dd1df645f 100644 --- a/doc/man1/openssl-storeutl.pod.in +++ b/doc/man1/openssl-storeutl.pod.in @@ -27,7 +27,7 @@ B B [B<-alias> I] [B<-fingerprint> I] [B<-I>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} I =head1 DESCRIPTION @@ -124,8 +124,6 @@ Search for an object having the given fingerprint. The digest that was used to compute the fingerprint given with B<-fingerprint>. -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -138,7 +136,7 @@ L This command was added in OpenSSL 1.1.1. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index 202f218f316..da8e9b6f837 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -43,7 +43,7 @@ B<-reply> [B<-out> I] [B<-token_out>] [B<-text>] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} B B B<-verify> @@ -295,8 +295,6 @@ response (TimeStampResp). (Optional) If this option is specified the output is human-readable text format instead of DER. (Optional) -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -641,7 +639,7 @@ seeding mechanism. The new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring randomness. This option is retained mainly for compatibility reasons. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 SEE ALSO diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index 7e51af6eac1..0f6a1ba4631 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -18,7 +18,7 @@ B B [B<-vfyopt> I:I] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_v_synopsis -} +{- $OpenSSL::safe::opt_v_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} [B<-->] [I ...] @@ -77,13 +77,6 @@ Names and values of these options are algorithm-specific. {- $OpenSSL::safe::opt_name_item -} -{- $OpenSSL::safe::opt_engine_item -} -{- output_off() if $disabled{"deprecated-3.0"}; "" -} -To load certificates or CRLs that require engine support, specify the -B<-engine> option before any of the -B<-trusted>, B<-untrusted> or B<-CRLfile> options. -{- output_on() if $disabled{"deprecated-3.0"}; "" -} - {- $OpenSSL::safe::opt_trust_item -} {- $OpenSSL::safe::opt_v_item -} @@ -136,7 +129,7 @@ L The B<-show_chain> option was added in OpenSSL 1.1.0. -The B<-engine option> was deprecated in OpenSSL 3.0. +The B<-engine> option was removed in OpenSSL 4.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-version.pod.in b/doc/man1/openssl-version.pod.in index 5dad0e5032a..ba666244f3c 100644 --- a/doc/man1/openssl-version.pod.in +++ b/doc/man1/openssl-version.pod.in @@ -16,7 +16,6 @@ B [B<-f>] [B<-p>] [B<-d>] -[B<-e>] [B<-m>] [B<-r>] [B<-c>] @@ -62,10 +61,6 @@ Platform setting. OPENSSLDIR setting. -=item B<-e> - -ENGINESDIR settings. - =item B<-m> MODULESDIR settings. @@ -89,7 +84,7 @@ non-Windows platforms. =head1 HISTORY In OpenSSL versions prior to 3.4, OpenSSL had a limitation regarding the -B, B and B build time macros. These macros +B and B build time macros. These macros were defined at build time, and represented filesystem paths. This is common practice on unix like systems, as there was an expectation that a given build would be installed to a pre-determined location. On Windows however, there is @@ -98,7 +93,7 @@ B was introduced as a new build time variable to define a set of registry keys identified by the name openssl--, in which the value is derived from the version string in the openssl source, and the extension is derived from the B variable. The values of -B, B and B can be set to various paths +B and B can be set to various paths underneath this key to break the requirement to predict the installation path at build time. diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 835a55eddf2..43a5747d805 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -18,7 +18,7 @@ B B [B<-inform> B|B] [B<-vfyopt> I:I] [B<-key> I|I] -[B<-keyform> B|B|B|B] +[B<-keyform> B|B|B] [B<-signkey> I|I] [B<-out> I] [B<-outform> B|B] @@ -72,7 +72,7 @@ B B [B<-CA> I|I] [B<-CAform> B|B|B] [B<-CAkey> I|I] -[B<-CAkeyform> B|B|B|B] +[B<-CAkeyform> B|B|B] [B<-CAserial> I] [B<-CAcreateserial>] [B<-trustout>] @@ -82,7 +82,7 @@ B B [B<-clrreject>] [B<-addreject> I] {- $OpenSSL::safe::opt_r_synopsis -} -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -193,7 +193,7 @@ B<-not_before> and B<-not_after>. This option is an alias of B<-key>. -=item B<-keyform> B|B|B|B +=item B<-keyform> B|B|B The key input format; unspecified by default. See L for details. @@ -546,7 +546,7 @@ Sets the CA private key to sign a certificate with. The private key must match the public key of the certificate given with B<-CA>. If this option is not provided then the key must be present in the B<-CA> input. -=item B<-CAkeyform> B|B|B|B +=item B<-CAkeyform> B|B|B The format for the CA key; unspecified by default. See L for details. @@ -645,8 +645,6 @@ It accepts the same values as the B<-addtrust> option. {- $OpenSSL::safe::opt_r_item -} -{- $OpenSSL::safe::opt_engine_item -} - {- $OpenSSL::safe::opt_provider_item -} =back @@ -843,13 +841,13 @@ form must have their links rebuilt using L or similar. The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0, keeping the old name as an alias. -The B<-engine> option was deprecated in OpenSSL 3.0. - The B<-C> option was removed in OpenSSL 3.0. Since OpenSSL 3.2, generated certificates bear X.509 version 3, and key identifier extensions are included by default. +The B<-engine> option was removed in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.