xref: /freebsd/crypto/openssl/doc/man7/openssl-env.pod (revision 0d0c8621fd181e507f0fb50ffcca606faf66a8c2)

=pod

=head1 NAME

openssl-env - OpenSSL environment variables

=head1 DESCRIPTION

The OpenSSL libraries use environment variables to override the
compiled-in default paths for various data.
To avoid security risks, the environment is usually not consulted when
the executable is set-user-ID or set-group-ID.

=over 4

=item B<CTLOG_FILE>

Specifies the path to a certificate transparency log list.
See L<CTLOG_STORE_new(3)>.

=item B<OPENSSL>

Specifies the path to the B<openssl> executable. Used by
the B<rehash> script (see L<openssl-rehash(1)/Script Configuration>)
and by the B<CA.pl> script (see L<CA.pl(1)/NOTES>

=item B<OPENSSL_CONF>, B<OPENSSL_CONF_INCLUDE>

Specifies the path to a configuration file and the directory for
included files.
See L<config(5)>.

=item B<OPENSSL_CONFIG>

Specifies a configuration option and filename for the B<req> and B<ca>
commands invoked by the B<CA.pl> script.
See L<CA.pl(1)>.

=item B<OPENSSL_ENGINES>

Specifies the directory from which dynamic engines are loaded.
See L<openssl-engine(1)>.

=item B<OPENSSL_MALLOC_FD>, B<OPENSSL_MALLOC_FAILURES>

If built with debugging, this allows memory allocation to fail.
See L<OPENSSL_malloc(3)>.

=item B<OPENSSL_MODULES>

Specifies the directory from which cryptographic providers are loaded.
Equivalently, the generic B<-provider-path> command-line option may be used.

=item B<OPENSSL_TRACE>

By default the OpenSSL trace feature is disabled statically.
To enable it, OpenSSL must be built with tracing support,
which may be configured like this: C<./config enable-trace>

Unless OpenSSL tracing support is generally disabled,
enable trace output of specific parts of OpenSSL libraries, by name.
This output usually makes sense only if you know OpenSSL internals well.

The value of this environment varialble is a comma-separated list of names,
with the following available:

=over 4

=item B<TRACE>

Traces the OpenSSL trace API itself.

=item B<INIT>

Traces OpenSSL library initialization and cleanup.

=item B<TLS>

Traces the TLS/SSL protocol.

=item B<TLS_CIPHER>

Traces the ciphers used by the TLS/SSL protocol.

=item B<CONF>

Show details about provider and engine configuration.

=item B<ENGINE_TABLE>

The function that is used by RSA, DSA (etc) code to select registered
ENGINEs, cache defaults and functional references (etc), will generate
debugging summaries.

=item B<ENGINE_REF_COUNT>

Reference counts in the ENGINE structure will be monitored with a line
of generated for each change.

=item B<PKCS5V2>

Traces PKCS#5 v2 key generation.

=item B<PKCS12_KEYGEN>

Traces PKCS#12 key generation.

=item B<PKCS12_DECRYPT>

Traces PKCS#12 decryption.

=item B<X509V3_POLICY>

Generates the complete policy tree at various points during X.509 v3
policy evaluation.

=item B<BN_CTX>

Traces BIGNUM context operations.

=item B<CMP>

Traces CMP client and server activity.

=item B<STORE>

Traces STORE operations.

=item B<DECODER>

Traces decoder operations.

=item B<ENCODER>

Traces encoder operations.

=item B<REF_COUNT>

Traces decrementing certain ASN.1 structure references.

=item B<HTTP>

Traces the HTTP client and server, such as messages being sent and received.

=back

=item B<OPENSSL_WIN32_UTF8>

If set, then L<UI_OpenSSL(3)> returns UTF-8 encoded strings, rather than
ones encoded in the current code page, and
the L<openssl(1)> program also transcodes the command-line parameters
from the current code page to UTF-8.
This environment variable is only checked on Microsoft Windows platforms.

=item B<RANDFILE>

The state file for the random number generator.
This should not be needed in normal use.
See L<RAND_load_file(3)>.

=item B<SSL_CERT_DIR>, B<SSL_CERT_FILE>

Specify the default directory or file containing CA certificates.
See L<SSL_CTX_load_verify_locations(3)>.

=item B<TSGET>

Additional arguments for the L<tsget(1)> command.

=item B<OPENSSL_ia32cap>, B<OPENSSL_sparcv9cap>, B<OPENSSL_ppccap>, B<OPENSSL_armcap>, B<OPENSSL_s390xcap>

OpenSSL supports a number of different algorithm implementations for
various machines and, by default, it determines which to use based on the
processor capabilities and run time feature enquiry.  These environment
variables can be used to exert more control over this selection process.
See L<OPENSSL_ia32cap(3)>, L<OPENSSL_s390xcap(3)>.

=item B<NO_PROXY>, B<HTTPS_PROXY>, B<HTTP_PROXY>

Specify a proxy hostname.
See L<OSSL_HTTP_parse_url(3)>.

=back

=head1 COPYRIGHT

Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut