Skip to content

openssl-env

NAME

openssl-env - OpenSSL environment variables

DESCRIPTION

The OpenSSL libraries use environment variables to override the compiled-in default paths for various data. To avoid security risks, the environment is usually not consulted when the executable is set-user-ID or set-group-ID.

  • CTLOG_FILE

    Specifies the path to a certificate transparency log list. See CTLOG_STORE_new(3).

  • OPENSSL

    Specifies the path to the openssl executable. Used by the rehash script (see "Script Configuration" in openssl-rehash(1)) and by the CA.pl script (see "NOTES" in CA.pl(1)

  • OPENSSL_CONF, OPENSSL_CONF_INCLUDE

    Specifies the path to a configuration file and the directory for included files. See config(5).

  • OPENSSL_CONFIG

    Specifies a configuration option and filename for the req and ca commands invoked by the CA.pl script. See CA.pl(1).

  • OPENSSL_ENGINES

    Specifies the directory from which dynamic engines are loaded. See openssl-engine(1).

  • OPENSSL_MALLOC_FD, OPENSSL_MALLOC_FAILURES

    If built with debugging, this allows memory allocation to fail. See OPENSSL_malloc(3).

  • OPENSSL_MODULES

    Specifies the directory from which cryptographic providers are loaded. Equivalently, the generic -provider-path command-line option may be used.

  • OPENSSL_TRACE

    By default the OpenSSL trace feature is disabled statically. To enable it, OpenSSL must be built with tracing support, which may be configured like this: ./config enable-trace

    Unless OpenSSL tracing support is generally disabled, enable trace output of specific parts of OpenSSL libraries, by name. This output usually makes sense only if you know OpenSSL internals well.

    The value of this environment varialble is a comma-separated list of names, with the following available:

    • TRACE

      Traces the OpenSSL trace API itself.

    • INIT

      Traces OpenSSL library initialization and cleanup.

    • TLS

      Traces the TLS/SSL protocol.

    • TLS_CIPHER

      Traces the ciphers used by the TLS/SSL protocol.

    • CONF

      Show details about provider and engine configuration.

    • ENGINE_TABLE

      The function that is used by RSA, DSA (etc) code to select registered ENGINEs, cache defaults and functional references (etc), will generate debugging summaries.

    • ENGINE_REF_COUNT

      Reference counts in the ENGINE structure will be monitored with a line of generated for each change.

    • PKCS5V2

      Traces PKCS#5 v2 key generation.

    • PKCS12_KEYGEN

      Traces PKCS#12 key generation.

    • PKCS12_DECRYPT

      Traces PKCS#12 decryption.

    • X509V3_POLICY

      Generates the complete policy tree at various points during X.509 v3 policy evaluation.

    • BN_CTX

      Traces BIGNUM context operations.

    • CMP

      Traces CMP client and server activity.

    • STORE

      Traces STORE operations.

    • DECODER

      Traces decoder operations.

    • ENCODER

      Traces encoder operations.

    • REF_COUNT

      Traces decrementing certain ASN.1 structure references.

    • HTTP

      Traces the HTTP client and server, such as messages being sent and received.

  • OPENSSL_WIN32_UTF8

    If set, then UI_OpenSSL(3) returns UTF-8 encoded strings, rather than ones encoded in the current code page, and the openssl(1) program also transcodes the command-line parameters from the current code page to UTF-8. This environment variable is only checked on Microsoft Windows platforms.

  • RANDFILE

    The state file for the random number generator. This should not be needed in normal use. See RAND_load_file(3).

  • SSL_CERT_DIR, SSL_CERT_FILE

    Specify the default directory or file containing CA certificates. See SSL_CTX_load_verify_locations(3).

  • TSGET

    Additional arguments for the tsget(1) command.

  • OPENSSL_ia32cap, OPENSSL_sparcv9cap, OPENSSL_ppccap, OPENSSL_armcap, OPENSSL_s390xcap, OPENSSL_riscvcap

    OpenSSL supports a number of different algorithm implementations for various machines and, by default, it determines which to use based on the processor capabilities and run time feature enquiry. These environment variables can be used to exert more control over this selection process. See OPENSSL_ia32cap(3), OPENSSL_s390xcap(3) and OPENSSL_riscvcap(3).

  • NO_PROXY, HTTPS_PROXY, HTTP_PROXY

    Specify a proxy hostname. See OSSL_HTTP_parse_url(3).

  • QLOGDIR

    Specifies a QUIC qlog output directory. See openssl-qlog(7).

  • OSSL_QFILTER

    Used to set a QUIC qlog filter specification. See openssl-qlog(7).

  • SSLKEYLOGFILE

    Used to produce the standard format output file for SSL key logging. Optionally set this variable to a filename to log all secrets produced by SSL connections. Note, use of the environment variable is predicated on configuring OpenSSL at build time with the enable-sslkeylog feature. The file format standard can be found at https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/. Note: the use of SSLKEYLOGFILE poses an explicit security risk. By recording the exchanged keys during an SSL session, it allows any available party with read access to the file to decrypt application traffic sent over that session. Use of this feature should be restricted to test and debug environments only.

Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.