OPENSSL-ENV(7SSL) OpenSSL OPENSSL-ENV(7SSL)
NAME
openssl-env - OpenSSL environment variables
DESCRIPTION
The OpenSSL libraries use environment variables to override the
compiled-in default paths for various data. To avoid security risks,
the environment is usually not consulted when the executable is set-
user-ID or set-group-ID.
CTLOG_FILE
Specifies the path to a certificate transparency log list. See
CTLOG_STORE_new(3).
OPENSSL
Specifies the path to the openssl executable. Used by the rehash
script (see "Script Configuration" in openssl-rehash(1)) and by the
CA.pl script (see "NOTES" in CA.pl(1)
OPENSSL_CONF, OPENSSL_CONF_INCLUDE
Specifies the path to a configuration file and the directory for
included files. See config(5).
OPENSSL_CONFIG
Specifies a configuration option and filename for the req and ca
commands invoked by the CA.pl script. See CA.pl(1).
OPENSSL_ENGINES
Specifies the directory from which dynamic engines are loaded. See
openssl-engine(1).
OPENSSL_MALLOC_FD, OPENSSL_MALLOC_FAILURES
If built with debugging, this allows memory allocation to fail. See
OPENSSL_malloc(3).
OPENSSL_MODULES
Specifies the directory from which cryptographic providers are
loaded. Equivalently, the generic -provider-path command-line
option may be used.
OPENSSL_TRACE
By default the OpenSSL trace feature is disabled statically. To
enable it, OpenSSL must be built with tracing support, which may be
configured like this: "./config enable-trace"
Unless OpenSSL tracing support is generally disabled, enable trace
output of specific parts of OpenSSL libraries, by name. This output
usually makes sense only if you know OpenSSL internals well.
The value of this environment variable is a comma-separated list of
names, with the following available:
TRACE
Traces the OpenSSL trace API itself.
INIT
Traces OpenSSL library initialization and cleanup.
TLS Traces the TLS/SSL protocol.
TLS_CIPHER
Traces the ciphers used by the TLS/SSL protocol.
CONF
Show details about provider and engine configuration.
ENGINE_TABLE
The function that is used by RSA, DSA (etc) code to select
registered ENGINEs, cache defaults and functional references
(etc), will generate debugging summaries.
ENGINE_REF_COUNT
Reference counts in the ENGINE structure will be monitored with
a line of generated for each change.
PKCS5V2
Traces PKCS#5 v2 key generation.
PKCS12_KEYGEN
Traces PKCS#12 key generation.
PKCS12_DECRYPT
Traces PKCS#12 decryption.
X509V3_POLICY
Generates the complete policy tree at various points during
X.509 v3 policy evaluation.
BN_CTX
Traces BIGNUM context operations.
CMP Traces CMP client and server activity.
STORE
Traces STORE operations.
DECODER
Traces decoder operations.
ENCODER
Traces encoder operations.
REF_COUNT
Traces decrementing certain ASN.1 structure references.
HTTP
Traces the HTTP client and server, such as messages being sent
and received.
OPENSSL_WIN32_UTF8
If set, then UI_OpenSSL(3) returns UTF-8 encoded strings, rather
than ones encoded in the current code page, and the openssl(1)
program also transcodes the command-line parameters from the current
code page to UTF-8. This environment variable is only checked on
Microsoft Windows platforms.
RANDFILE
The state file for the random number generator. This should not be
needed in normal use. See RAND_load_file(3).
SSL_CERT_DIR, SSL_CERT_FILE
Specify the default directory or file containing CA certificates.
See SSL_CTX_load_verify_locations(3).
TSGET
Additional arguments for the tsget(1) command.
OPENSSL_ia32cap, OPENSSL_sparcv9cap, OPENSSL_ppccap, OPENSSL_armcap,
OPENSSL_s390xcap, OPENSSL_riscvcap
OpenSSL supports a number of different algorithm implementations for
various machines and, by default, it determines which to use based
on the processor capabilities and run time feature enquiry. These
environment variables can be used to exert more control over this
selection process. See OPENSSL_ia32cap(3), OPENSSL_ppccap(3),
OPENSSL_riscvcap(3), and OPENSSL_s390xcap(3).
NO_PROXY, HTTPS_PROXY, HTTP_PROXY
Specify a proxy hostname. See OSSL_HTTP_parse_url(3).
QLOGDIR
Specifies a QUIC qlog output directory. See openssl-qlog(7).
OSSL_QFILTER
Used to set a QUIC qlog filter specification. See openssl-qlog(7).
SSLKEYLOGFILE
Used to produce the standard format output file for SSL key logging.
Optionally set this variable to a filename to log all secrets
produced by SSL connections. Note, use of the environment variable
is predicated on configuring OpenSSL at build time with the enable-
sslkeylog feature. The file format standard can be found at
<https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/>.
Note: the use of SSLKEYLOGFILE poses an explicit security risk. By
recording the exchanged keys during an SSL session, it allows any
available party with read access to the file to decrypt application
traffic sent over that session. Use of this feature should be
restricted to test and debug environments only.
COPYRIGHT
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
3.5.5 2026-01-27 OPENSSL-ENV(7SSL)
Generated by dwww version 1.16 on Fri Mar 20 17:16:07 CET 2026.