Skip to content

openssl-env

NAME

openssl-env - OpenSSL environment variables

DESCRIPTION

The OpenSSL libraries and commands use environment variables to override compiled-in defaults for various aspects of their behaviour. To avoid security risks, the environment is not consulted for security-sensitive environment variables when the executable is set-user-ID or set-group-ID.

  • CTLOG_FILE

    Specifies the path to a certificate transparency log list. See CTLOG_STORE_new(3).

    This variable is considered a security-sensitive environment variable.

  • HOME, SYSTEMROOT, USERPROFILE

    Path which RAND_file_name(3) uses as a directory for the random seed file name when the RANDFILE environment variable is not set. HOME is the only variable that is considered on Unix-like systems; USERPROFILE and SYSTEMROOT are used as fallbacks on Windows platforms.

    HOME variable is considered a security-sensitive environment variable.

  • HTTPS_PROXY, HTTP_PROXY, NO_PROXY, https_proxy, http_proxy, no_proxy

    Specify a proxy hostname. See OSSL_HTTP_parse_url(3).

    These variables are considered security-sensitive environment variables.

  • LEGACY_GOST_PKCS12

    Affects the way MAC is generated in PKCS#12 containers for GOST algorithms. See PKCS12_gen_mac(3).

    This variable is considered a security-sensitive environment variable.

  • OPENSSL

    Specifies the path to the openssl executable. Used by the rehash script (see "Script Configuration" in openssl-rehash(1)) and by the CA.pl script (see "NOTES" in CA.pl(1)

    This variable is not considered security-sensitive.

  • OPENSSL_CONF, OPENSSL_CONF_INCLUDE

    Specifies the path to a configuration file and the directory for included files. See config(5).

    These variables are considered security-sensitive environment variables.

  • OPENSSL_CONFIG

    Specifies a configuration option and filename for the req and ca commands invoked by the CA.pl script. See CA.pl(1).

    This variable is not considered security-sensitive.

  • OPENSSL_DEBUG_DECC_INIT

    On VMS only: if this variable is set, enables verbose output of parsing of DECC$* logical names, that contain C RTL features, during library initialisation (LIB$INITIALIZE). If the value of the variable is more than 1, outputs information about every processed feature.

    This variable is not considered security-sensitive.

  • OPENSSL_MALLOC_FAILURES, OPENSSL_MALLOC_FD, OPENSSL_MALLOC_SEED

    If built with debugging, this allows memory allocation to fail. See OPENSSL_malloc(3).

    These variables are not considered security-sensitive.

  • OPENSSL_MODULES

    Specifies the directory from which cryptographic providers are loaded. Equivalently, the generic -provider-path command-line option may be used.

    This variable is considered a security-sensitive environment variable.

  • OPENSSL_SEC_MEM

    Initializes the secure memory at the beginning of the application which makes the secure memory calls not to fall back to regular memory calls. The value indicates the size parameter in bytes. The value can be expressed in binary, octal, decimal and hexadecimal. For formatting see strtol(3). For further restrictions see CRYPTO_secure_malloc_init(3).

    This variable is not considered security-sensitive.

  • OPENSSL_SEC_MEM_MINSIZE

    An optional variable used with OPENSSL_SEC_MEM. The value indicates minsize parameter in bytes. The same formatting applies as above. Default is 0. For more info see CRYPTO_secure_malloc_init(3).

    This variable is not considered security-sensitive.

  • OPENSSL_TEST_LIBCTX

    This test-only environment variable, that is recognised by the openssl(1) command, when is set to "1", leads to creation of a nondefault library context by the command, for which the -config option then takes effect.

    This variable is not considered security-sensitive.

  • OPENSSL_TRACE

    By default the OpenSSL trace feature is disabled statically. To enable it, OpenSSL must be built with tracing support, which may be configured like this: ./config enable-trace

    Unless OpenSSL tracing support is generally disabled, enable trace output of specific parts of OpenSSL libraries, by name. This output usually makes sense only if you know OpenSSL internals well.

    The value of this environment variable is a comma-separated list of names, with the following available:

    • ALL

      Traces everything.

    • BN_CTX

      Traces BIGNUM context operations.

    • CMP

      Traces CMP client and server activity.

    • CONF

      Show details about provider configuration.

    • DECODER

      Traces decoder operations.

    • ENCODER

      Traces encoder operations.

    • HTTP

      Traces the HTTP client and server, such as messages being sent and received.

    • INIT

      Traces OpenSSL library initialization and cleanup.

    • PKCS12_DECRYPT

      Traces PKCS#12 decryption.

    • PKCS12_KEYGEN

      Traces PKCS#12 key generation.

    • PKCS5V2

      Traces PKCS#5 v2 key generation.

    • PROVIDER

      Traces various operations that are performed on OpenSSL providers during their handling by the library (see provider(7)), such as initialisation, tear down, parameter and capability retrieval, self-test, and so on.

    • QUERY

      Traces operation related to addition, removal, and fetching of methods in the so-called method store, that holds pointers to functions provided by various providers.

    • REF_COUNT

      Traces reference count changes in various structures, including BIO, DH, DSA, EC_KEY, ECX_KEY, EVP_PKEY, EVP_SKEY, RSA, SSL, SSL_CTX, SSL_SESSION, X509_CRL, X509_STORE, X509, and some others.

    • STORE

      Traces STORE operations.

    • TLS

      Traces the TLS/SSL protocol.

    • TLS_CIPHER

      Traces the ciphers used by the TLS/SSL protocol.

    • TRACE

      Traces the OpenSSL trace API itself.

    • X509V3_POLICY

      Generates the complete policy tree at various points during X.509 v3 policy evaluation.

    This variable is not considered security-sensitive.

  • OPENSSL_WIN32_UTF8

    If set, then UI_OpenSSL(3) returns UTF-8 encoded strings, rather than ones encoded in the current code page, and the openssl(1) program also transcodes the command-line parameters from the current code page to UTF-8. This environment variable is only checked on Microsoft Windows platforms.

  • OPENSSL_armcap, OPENSSL_ia32cap, OPENSSL_ppccap, OPENSSL_riscvcap, OPENSSL_s390xcap, OPENSSL_sparcv9cap

    OpenSSL supports a number of different algorithm implementations for various machines and, by default, it determines which to use based on the processor capabilities and run time feature enquiry. These environment variables can be used to exert more control over this selection process. See OPENSSL_ia32cap(3), OPENSSL_riscvcap(3), and OPENSSL_s390xcap(3).

    These variables are not considered security-sensitive.

  • OSSL_QFILTER

    Used to set a QUIC qlog filter specification. See openssl-qlog(7).

    This variable is considered a security-sensitive environment variable.

  • QLOGDIR

    Specifies a QUIC qlog output directory. See openssl-qlog(7).

    This variable is considered a security-sensitive environment variable.

  • RANDFILE

    The state file for the random number generator. This should not be needed in normal use. See RAND_load_file(3).

    This variable is considered a security-sensitive environment variable.

  • SSLKEYLOGFILE

    Used to produce the standard format output file for SSL key logging. Optionally set this variable to a filename to log all secrets produced by SSL connections. Note, use of the environment variable is predicated on configuring OpenSSL at build time with the enable-sslkeylog feature. The file format standard can be found at https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/. Note: the use of SSLKEYLOGFILE poses an explicit security risk. By recording the exchanged keys during an SSL session, it allows any available party with read access to the file to decrypt application traffic sent over that session. Use of this feature should be restricted to test and debug environments only.

    This variable is considered a security-sensitive environment variable.

  • SSL_CERT_DIR, SSL_CERT_FILE

    Specify the default directory or file containing CA certificates. See SSL_CTX_load_verify_locations(3).

    These variables are considered security-sensitive environment variables, except in openssl-rehash(1), where SSL_CERT_DIR is not considered security-sensitive.

  • SSL_CIPHER

    Used by openssl-s_time(1) in case -cipher option (that allows modifying TLSv1.2 and below cipher list sent by the client) is not provided, for specification of the aforementioned ciphers.

    This variable is not considered security-sensitive.

  • TSGET

    Additional arguments for the tsget(1) command.

    This variable is not considered security-sensitive.

HISTORY

This section contains environment variables that are no longer considered by the OpenSSL libraries and commands.

  • HARNESS_OSSL_PREFIX

    This environment variable, existed in OpenSSL versions from 1.1.1 up to 3.5, allowed specification of a prefix prepended to each line sent to the stdout by openssl(1), used by the test harness to avoid commingling the command under test output with the output for the TAP consumer.

    This variable was not considered security-sensitive.

  • OPENSSL_ENGINES

    This variable, support for which was removed in OpenSSL 4.0, specified the directory from which dynamic engines were loaded.

Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.