Align 'openssl req' string_mask docs to how the software really works

Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23699) (cherry picked from commit 2410cb4)
openssl · Apr 4, 2024 · 442d861 · 442d861
1 parent 2fe6c0f
commit 442d861
Showing 1 changed file with 23 additions and 10 deletions.
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
@@ -472,16 +472,29 @@ any digest that has been set.
 =item B<string_mask>
 
 This option masks out the use of certain string types in certain
-fields. Most users will not need to change this option.
-
-It can be set to several values B<default> which is also the default
-option uses PrintableStrings, T61Strings and BMPStrings if the
-B<pkix> value is used then only PrintableStrings and BMPStrings will
-be used. This follows the PKIX recommendation in RFC2459. If the
-B<utf8only> option is used then only UTF8Strings will be used: this
-is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr>
-option just uses PrintableStrings and T61Strings: certain software has
-problems with BMPStrings and UTF8Strings: in particular Netscape.
+fields. Most users will not need to change this option. It can be set to
+several values:
+
+=over 4
+
+=item B<utf8only>
+- only UTF8Strings are used (this is the default value)
+
+=item B<pkix>
+- any string type except T61Strings
+
+=item B<nombstr>
+- any string type except BMPStrings and UTF8Strings
+
+=item B<default>
+- any kind of string type
+
+=back
+
+Note that B<utf8only> is the PKIX recommendation in RFC2459 after 2003, and the
+default B<string_mask>; B<default> is not the default option. The B<nombstr>
+value is a workaround for some software that has problems with variable-sized
+BMPStrings and UTF8Strings.
 
 =item B<req_extensions>