OPENSSL-ENV(7ossl) OpenSSL OPENSSL-ENV(7ossl)
NAME
openssl-env - OpenSSL environment variables
DESCRIPTION
The OpenSSL libraries and commands use environment variables to
override compiled-in defaults for various aspects of their behaviour.
To avoid security risks, the environment is not consulted for
security-sensitive environment variables when the executable is
set-user-ID or set-group-ID.
CTLOG_FILE
Specifies the path to a certificate transparency log list. See
CTLOG_STORE_new(3).
This variable is considered a security-sensitive environment
variable.
HOME, SYSTEMROOT, USERPROFILE
Path which RAND_file_name(3) uses as a directory for the random
seed file name when the RANDFILE environment variable is not set.
HOME is the only variable that is considered on Unix-like systems;
USERPROFILE and SYSTEMROOT are used as fallbacks on Windows
platforms.
HOME variable is considered a security-sensitive environment
variable.
HTTPS_PROXY, HTTP_PROXY, NO_PROXY, https_proxy, http_proxy, no_proxy
Specify a proxy hostname. See OSSL_HTTP_parse_url(3).
These variables are considered security-sensitive environment
variables.
LEGACY_GOST_PKCS12
Affects the way MAC is generated in PKCS#12 containers for GOST
algorithms. See PKCS12_gen_mac(3).
This variable is considered a security-sensitive environment
variable.
OPENSSL
Specifies the path to the openssl executable. Used by the rehash
script (see "Script Configuration" in openssl-rehash(1)) and by the
CA.pl script (see "NOTES" in CA.pl(1)
This variable is not considered security-sensitive.
OPENSSL_CONF, OPENSSL_CONF_INCLUDE
Specifies the path to a configuration file and the directory for
included files. See config(5).
These variables are considered security-sensitive environment
variables.
OPENSSL_CONFIG
Specifies a configuration option and filename for the req and ca
commands invoked by the CA.pl script. See CA.pl(1).
This variable is not considered security-sensitive.
OPENSSL_DEBUG_DECC_INIT
On VMS only: if this variable is set, enables verbose output of
parsing of "DECC$*" logical names, that contain C RTL features,
during library initialisation ("LIB$INITIALIZE"). If the value of
the variable is more than 1, outputs information about every
processed feature.
This variable is not considered security-sensitive.
OPENSSL_ENGINES
Specifies the directory from which dynamic engines are loaded. See
openssl-engine(1).
This variable is considered a security-sensitive environment
variable.
OPENSSL_MALLOC_FAILURES, OPENSSL_MALLOC_FD, OPENSSL_MALLOC_SEED
If built with debugging, this allows memory allocation to fail.
See OPENSSL_malloc(3).
These variables are not considered security-sensitive.
OPENSSL_MODULES
Specifies the directory from which cryptographic providers are
loaded. Equivalently, the generic -provider-path command-line
option may be used.
This variable is considered a security-sensitive environment
variable.
OPENSSL_SEC_MEM
Initializes the secure memory at the beginning of the application
which makes the secure memory calls not to fall back to regular
memory calls. The value indicates the size parameter in bytes. The
value can be expressed in binary, octal, decimal and hexadecimal.
For formatting see strtol(3). For further restrictions see
CRYPTO_secure_malloc_init(3).
This variable is not considered security-sensitive.
OPENSSL_SEC_MEM_MINSIZE
An optional variable used with OPENSSL_SEC_MEM. The value indicates
minsize parameter in bytes. The same formatting applies as above.
Default is 0. For more info see CRYPTO_secure_malloc_init(3).
This variable is not considered security-sensitive.
OPENSSL_TEST_LIBCTX
This test-only environment variable, that is recognised by the
openssl(1) command, when is set to "1", leads to creation of a
nondefault library context by the command, for which the -config
option then takes effect.
This variable is not considered security-sensitive.
OPENSSL_TRACE
By default the OpenSSL trace feature is disabled statically. To
enable it, OpenSSL must be built with tracing support, which may be
configured like this: "./config enable-trace"
Unless OpenSSL tracing support is generally disabled, enable trace
output of specific parts of OpenSSL libraries, by name. This
output usually makes sense only if you know OpenSSL internals well.
The value of this environment variable is a comma-separated list of
names, with the following available:
ALL Traces everything.
BN_CTX
Traces BIGNUM context operations.
CMP Traces CMP client and server activity.
CONF
Show details about provider and engine configuration.
DECODER
Traces decoder operations.
ENCODER
Traces encoder operations.
ENGINE_REF_COUNT
Reference counts in the ENGINE structure will be monitored with
a line of generated for each change.
ENGINE_TABLE
The function that is used by RSA, DSA (etc) code to select
registered ENGINEs, cache defaults and functional references
(etc), will generate debugging summaries.
HTTP
Traces the HTTP client and server, such as messages being sent
and received.
INIT
Traces OpenSSL library initialization and cleanup.
PKCS12_DECRYPT
Traces PKCS#12 decryption.
PKCS12_KEYGEN
Traces PKCS#12 key generation.
PKCS5V2
Traces PKCS#5 v2 key generation.
PROVIDER
Traces various operations that are performed on OpenSSL
providers during their handling by the library (see
provider(7)), such as initialisation, tear down, parameter and
capability retrieval, self-test, and so on.
QUERY
Traces operation related to addition, removal, and fetching of
methods in the so-called method store, that holds pointers to
functions provided by various providers.
REF_COUNT
Traces reference count changes in various structures, including
"BIO", "DH", "DSA", "EC_KEY", "ECX_KEY", "EVP_PKEY",
"EVP_SKEY", "RSA", "SSL", "SSL_CTX", "SSL_SESSION", "X509_CRL",
"X509_STORE", "X509", and some others.
STORE
Traces STORE operations.
TLS Traces the TLS/SSL protocol.
TLS_CIPHER
Traces the ciphers used by the TLS/SSL protocol.
TRACE
Traces the OpenSSL trace API itself.
X509V3_POLICY
Generates the complete policy tree at various points during
X.509 v3 policy evaluation.
This variable is not considered security-sensitive.
OPENSSL_WIN32_UTF8
If set, then UI_OpenSSL(3) returns UTF-8 encoded strings, rather
than ones encoded in the current code page, and the openssl(1)
program also transcodes the command-line parameters from the
current code page to UTF-8. This environment variable is only
checked on Microsoft Windows platforms.
OPENSSL_armcap, OPENSSL_ia32cap, OPENSSL_ppccap, OPENSSL_riscvcap,
OPENSSL_s390xcap, OPENSSL_sparcv9cap
OpenSSL supports a number of different algorithm implementations
for various machines and, by default, it determines which to use
based on the processor capabilities and run time feature enquiry.
These environment variables can be used to exert more control over
this selection process. See OPENSSL_ia32cap(3),
OPENSSL_riscvcap(3), and OPENSSL_s390xcap(3).
These variables are not considered security-sensitive.
OSSL_QFILTER
Used to set a QUIC qlog filter specification. See openssl-qlog(7).
This variable is considered a security-sensitive environment
variable.
QLOGDIR
Specifies a QUIC qlog output directory. See openssl-qlog(7).
This variable is considered a security-sensitive environment
variable.
RANDFILE
The state file for the random number generator. This should not be
needed in normal use. See RAND_load_file(3).
This variable is considered a security-sensitive environment
variable.
SSLKEYLOGFILE
Used to produce the standard format output file for SSL key
logging. Optionally set this variable to a filename to log all
secrets produced by SSL connections. Note, use of the environment
variable is predicated on configuring OpenSSL at build time with
the enable-sslkeylog feature. The file format standard can be
found at
<https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/>.
Note: the use of SSLKEYLOGFILE poses an explicit security risk. By
recording the exchanged keys during an SSL session, it allows any
available party with read access to the file to decrypt application
traffic sent over that session. Use of this feature should be
restricted to test and debug environments only.
This variable is considered a security-sensitive environment
variable.
SSL_CERT_DIR, SSL_CERT_FILE
Specify the default directory or file containing CA certificates.
See SSL_CTX_load_verify_locations(3).
These variables are considered security-sensitive environment
variables, except in openssl-rehash(1), where SSL_CERT_DIR is not
considered security-sensitive.
SSL_CIPHER
Used by openssl-s_time(1) in case -cipher option (that allows
modifying TLSv1.2 and below cipher list sent by the client) is not
provided, for specification of the aforementioned ciphers.
This variable is not considered security-sensitive.
TSGET
Additional arguments for the tsget(1) command.
This variable is not considered security-sensitive.
HISTORY
This section contains environment variables that are no longer
considered by the OpenSSL libraries and commands.
HARNESS_OSSL_PREFIX
This environment variable, existed in OpenSSL versions from 1.1.1
up to 3.5, allowed specification of a prefix prepended to each line
sent to the stdout by openssl(1), used by the test harness to avoid
commingling the command under test output with the output for the
TAP consumer.
This variable was not considered security-sensitive.
COPYRIGHT
Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
3.6.0 2025-10-01 OPENSSL-ENV(7ossl)
openssl 3.6.0 - Generated Wed Jan 28 07:56:13 CST 2026