<?xml version="1.0" ?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
||
|
<head>
|
||
|
<title>openssl-s_server</title>
|
||
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
||
|
<link rev="made" href="mailto:root@localhost" />
|
||
|
</head>
|
||
|
|
||
|
<body style="background-color: white">
|
||
|
|
||
|
|
||
|
<!-- INDEX BEGIN -->
|
||
|
<div name="index">
|
||
|
<p><a name="__index__"></a></p>
|
||
|
|
||
|
<ul>
|
||
|
|
||
|
<li><a href="#name">NAME</a></li>
|
||
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||
|
<li><a href="#description">DESCRIPTION</a></li>
|
||
|
<li><a href="#options">OPTIONS</a></li>
|
||
|
<li><a href="#connected_commands">CONNECTED COMMANDS</a></li>
|
||
|
<li><a href="#notes">NOTES</a></li>
|
||
|
<li><a href="#bugs">BUGS</a></li>
|
||
|
<li><a href="#see_also">SEE ALSO</a></li>
|
||
|
<li><a href="#history">HISTORY</a></li>
|
||
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
||
|
</ul>
|
||
|
|
||
|
<hr name="index" />
|
||
|
</div>
|
||
|
<!-- INDEX END -->
|
||
|
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="name">NAME</a></h1>
|
||
|
<p>openssl-s_server - SSL/TLS server program</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||
|
<p><strong>openssl</strong> <strong>s_server</strong>
|
||
|
[<strong>-help</strong>]
|
||
|
[<strong>-port</strong> <em>+int</em>]
|
||
|
[<strong>-accept</strong> <em>val</em>]
|
||
|
[<strong>-unix</strong> <em>val</em>]
|
||
|
[<strong>-4</strong>]
|
||
|
[<strong>-6</strong>]
|
||
|
[<strong>-unlink</strong>]
|
||
|
[<strong>-context</strong> <em>val</em>]
|
||
|
[<strong>-verify</strong> <em>int</em>]
|
||
|
[<strong>-Verify</strong> <em>int</em>]
|
||
|
[<strong>-cert</strong> <em>infile</em>]
|
||
|
[<strong>-naccept</strong> <em>+int</em>]
|
||
|
[<strong>-serverinfo</strong> <em>val</em>]
|
||
|
[<strong>-certform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-key</strong> <em>infile</em>]
|
||
|
[<strong>-keyform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-pass</strong> <em>val</em>]
|
||
|
[<strong>-dcert</strong> <em>infile</em>]
|
||
|
[<strong>-dcertform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-dkey</strong> <em>infile</em>]
|
||
|
[<strong>-dkeyform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-dpass</strong> <em>val</em>]
|
||
|
[<strong>-nbio_test</strong>]
|
||
|
[<strong>-crlf</strong>]
|
||
|
[<strong>-debug</strong>]
|
||
|
[<strong>-msg</strong>]
|
||
|
[<strong>-msgfile</strong> <em>outfile</em>]
|
||
|
[<strong>-state</strong>]
|
||
|
[<strong>-nocert</strong>]
|
||
|
[<strong>-quiet</strong>]
|
||
|
[<strong>-no_resume_ephemeral</strong>]
|
||
|
[<strong>-www</strong>]
|
||
|
[<strong>-WWW</strong>]
|
||
|
[<strong>-http_server_binmode</strong>]
|
||
|
[<strong>-servername</strong>]
|
||
|
[<strong>-servername_fatal</strong>]
|
||
|
[<strong>-cert2</strong> <em>infile</em>]
|
||
|
[<strong>-key2</strong> <em>infile</em>]
|
||
|
[<strong>-tlsextdebug</strong>]
|
||
|
[<strong>-HTTP</strong>]
|
||
|
[<strong>-id_prefix</strong> <em>val</em>]
|
||
|
[<strong>-keymatexport</strong> <em>val</em>]
|
||
|
[<strong>-keymatexportlen</strong> <em>+int</em>]
|
||
|
[<strong>-CRLform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-CRL</strong> <em>infile</em>]
|
||
|
[<strong>-crl_download</strong>]
|
||
|
[<strong>-cert_chain</strong> <em>infile</em>]
|
||
|
[<strong>-dcert_chain</strong> <em>infile</em>]
|
||
|
[<strong>-chainCApath</strong> <em>dir</em>]
|
||
|
[<strong>-verifyCApath</strong> <em>dir</em>]
|
||
|
[<strong>-chainCAstore</strong> <em>uri</em>]
|
||
|
[<strong>-verifyCAstore</strong> <em>uri</em>]
|
||
|
[<strong>-no_cache</strong>]
|
||
|
[<strong>-ext_cache</strong>]
|
||
|
[<strong>-verify_return_error</strong>]
|
||
|
[<strong>-verify_quiet</strong>]
|
||
|
[<strong>-build_chain</strong>]
|
||
|
[<strong>-chainCAfile</strong> <em>infile</em>]
|
||
|
[<strong>-verifyCAfile</strong> <em>infile</em>]
|
||
|
[<strong>-ign_eof</strong>]
|
||
|
[<strong>-no_ign_eof</strong>]
|
||
|
[<strong>-status</strong>]
|
||
|
[<strong>-status_verbose</strong>]
|
||
|
[<strong>-status_timeout</strong> <em>int</em>]
|
||
|
[<strong>-status_url</strong> <em>val</em>]
|
||
|
[<strong>-status_file</strong> <em>infile</em>]
|
||
|
[<strong>-trace</strong>]
|
||
|
[<strong>-security_debug</strong>]
|
||
|
[<strong>-security_debug_verbose</strong>]
|
||
|
[<strong>-brief</strong>]
|
||
|
[<strong>-rev</strong>]
|
||
|
[<strong>-async</strong>]
|
||
|
[<strong>-ssl_config</strong> <em>val</em>]
|
||
|
[<strong>-max_send_frag</strong> <em>+int</em>]
|
||
|
[<strong>-split_send_frag</strong> <em>+int</em>]
|
||
|
[<strong>-max_pipelines</strong> <em>+int</em>]
|
||
|
[<strong>-read_buf</strong> <em>+int</em>]
|
||
|
[<strong>-bugs</strong>]
|
||
|
[<strong>-no_comp</strong>]
|
||
|
[<strong>-comp</strong>]
|
||
|
[<strong>-no_ticket</strong>]
|
||
|
[<strong>-serverpref</strong>]
|
||
|
[<strong>-legacy_renegotiation</strong>]
|
||
|
[<strong>-no_renegotiation</strong>]
|
||
|
[<strong>-legacy_server_connect</strong>]
|
||
|
[<strong>-no_resumption_on_reneg</strong>]
|
||
|
[<strong>-no_legacy_server_connect</strong>]
|
||
|
[<strong>-allow_no_dhe_kex</strong>]
|
||
|
[<strong>-prioritize_chacha</strong>]
|
||
|
[<strong>-strict</strong>]
|
||
|
[<strong>-sigalgs</strong> <em>val</em>]
|
||
|
[<strong>-client_sigalgs</strong> <em>val</em>]
|
||
|
[<strong>-groups</strong> <em>val</em>]
|
||
|
[<strong>-curves</strong> <em>val</em>]
|
||
|
[<strong>-named_curve</strong> <em>val</em>]
|
||
|
[<strong>-cipher</strong> <em>val</em>]
|
||
|
[<strong>-ciphersuites</strong> <em>val</em>]
|
||
|
[<strong>-dhparam</strong> <em>infile</em>]
|
||
|
[<strong>-record_padding</strong> <em>val</em>]
|
||
|
[<strong>-debug_broken_protocol</strong>]
|
||
|
[<strong>-nbio</strong>]
|
||
|
[<strong>-psk_identity</strong> <em>val</em>]
|
||
|
[<strong>-psk_hint</strong> <em>val</em>]
|
||
|
[<strong>-psk</strong> <em>val</em>]
|
||
|
[<strong>-psk_session</strong> <em>file</em>]
|
||
|
[<strong>-srpvfile</strong> <em>infile</em>]
|
||
|
[<strong>-srpuserseed</strong> <em>val</em>]
|
||
|
[<strong>-timeout</strong>]
|
||
|
[<strong>-mtu</strong> <em>+int</em>]
|
||
|
[<strong>-listen</strong>]
|
||
|
[<strong>-sctp</strong>]
|
||
|
[<strong>-sctp_label_bug</strong>]
|
||
|
[<strong>-no_dhe</strong>]
|
||
|
[<strong>-nextprotoneg</strong> <em>val</em>]
|
||
|
[<strong>-use_srtp</strong> <em>val</em>]
|
||
|
[<strong>-alpn</strong> <em>val</em>]
|
||
|
[<strong>-keylogfile</strong> <em>outfile</em>]
|
||
|
[<strong>-recv_max_early_data</strong> <em>int</em>]
|
||
|
[<strong>-max_early_data</strong> <em>int</em>]
|
||
|
[<strong>-early_data</strong>]
|
||
|
[<strong>-stateless</strong>]
|
||
|
[<strong>-anti_replay</strong>]
|
||
|
[<strong>-no_anti_replay</strong>]
|
||
|
[<strong>-num_tickets</strong>]
|
||
|
[<strong>-nameopt</strong> <em>option</em>]
|
||
|
[<strong>-no_ssl3</strong>]
|
||
|
[<strong>-no_tls1</strong>]
|
||
|
[<strong>-no_tls1_1</strong>]
|
||
|
[<strong>-no_tls1_2</strong>]
|
||
|
[<strong>-no_tls1_3</strong>]
|
||
|
[<strong>-ssl3</strong>]
|
||
|
[<strong>-tls1</strong>]
|
||
|
[<strong>-tls1_1</strong>]
|
||
|
[<strong>-tls1_2</strong>]
|
||
|
[<strong>-tls1_3</strong>]
|
||
|
[<strong>-dtls</strong>]
|
||
|
[<strong>-dtls1</strong>]
|
||
|
[<strong>-dtls1_2</strong>]
|
||
|
[<strong>-allow_proxy_certs</strong>]
|
||
|
[<strong>-attime</strong> <em>timestamp</em>]
|
||
|
[<strong>-no_check_time</strong>]
|
||
|
[<strong>-check_ss_sig</strong>]
|
||
|
[<strong>-crl_check</strong>]
|
||
|
[<strong>-crl_check_all</strong>]
|
||
|
[<strong>-explicit_policy</strong>]
|
||
|
[<strong>-extended_crl</strong>]
|
||
|
[<strong>-ignore_critical</strong>]
|
||
|
[<strong>-inhibit_any</strong>]
|
||
|
[<strong>-inhibit_map</strong>]
|
||
|
[<strong>-partial_chain</strong>]
|
||
|
[<strong>-policy</strong> <em>arg</em>]
|
||
|
[<strong>-policy_check</strong>]
|
||
|
[<strong>-policy_print</strong>]
|
||
|
[<strong>-purpose</strong> <em>purpose</em>]
|
||
|
[<strong>-suiteB_128</strong>]
|
||
|
[<strong>-suiteB_128_only</strong>]
|
||
|
[<strong>-suiteB_192</strong>]
|
||
|
[<strong>-trusted_first</strong>]
|
||
|
[<strong>-no_alt_chains</strong>]
|
||
|
[<strong>-use_deltas</strong>]
|
||
|
[<strong>-auth_level</strong> <em>num</em>]
|
||
|
[<strong>-verify_depth</strong> <em>num</em>]
|
||
|
[<strong>-verify_email</strong> <em>email</em>]
|
||
|
[<strong>-verify_hostname</strong> <em>hostname</em>]
|
||
|
[<strong>-verify_ip</strong> <em>ip</em>]
|
||
|
[<strong>-verify_name</strong> <em>name</em>]
|
||
|
[<strong>-x509_strict</strong>]
|
||
|
[<strong>-issuer_checks</strong>]</p>
|
||
|
<p>[<strong>-bugs</strong>]
|
||
|
[<strong>-no_comp</strong>]
|
||
|
[<strong>-comp</strong>]
|
||
|
[<strong>-no_ticket</strong>]
|
||
|
[<strong>-serverpref</strong>]
|
||
|
[<strong>-legacy_renegotiation</strong>]
|
||
|
[<strong>-no_renegotiation</strong>]
|
||
|
[<strong>-no_resumption_on_reneg</strong>]
|
||
|
[<strong>-legacy_server_connect</strong>]
|
||
|
[<strong>-no_legacy_server_connect</strong>]
|
||
|
[<strong>-allow_no_dhe_kex</strong>]
|
||
|
[<strong>-prioritize_chacha</strong>]
|
||
|
[<strong>-strict</strong>]
|
||
|
[<strong>-sigalgs</strong> <em>algs</em>]
|
||
|
[<strong>-client_sigalgs</strong> <em>algs</em>]
|
||
|
[<strong>-groups</strong> <em>groups</em>]
|
||
|
[<strong>-curves</strong> <em>curves</em>]
|
||
|
[<strong>-named_curve</strong> <em>curve</em>]
|
||
|
[<strong>-cipher</strong> <em>ciphers</em>]
|
||
|
[<strong>-ciphersuites</strong> <em>1.3ciphers</em>]
|
||
|
[<strong>-min_protocol</strong> <em>minprot</em>]
|
||
|
[<strong>-max_protocol</strong> <em>maxprot</em>]
|
||
|
[<strong>-record_padding</strong> <em>padding</em>]
|
||
|
[<strong>-debug_broken_protocol</strong>]
|
||
|
[<strong>-no_middlebox</strong>]
|
||
|
[<strong>-xkey</strong> <em>infile</em>]
|
||
|
[<strong>-xcert</strong> <em>file</em>]
|
||
|
[<strong>-xchain</strong> <em>file</em>]
|
||
|
[<strong>-xchain_build</strong>] <em>file</em>
|
||
|
[<strong>-xcertform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-xkeyform</strong> <strong>DER</strong>|<strong>PEM</strong>]
|
||
|
[<strong>-CAfile</strong> <em>file</em>]
|
||
|
[<strong>-no-CAfile</strong>]
|
||
|
[<strong>-CApath</strong> <em>dir</em>]
|
||
|
[<strong>-no-CApath</strong>]
|
||
|
[<strong>-CAstore</strong> <em>uri</em>]
|
||
|
[<strong>-no-CAstore</strong>]
|
||
|
[<strong>-rand</strong> <em>files</em>]
|
||
|
[<strong>-writerand</strong> <em>file</em>]
|
||
|
[<strong>-engine</strong> <em>id</em>]</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="description">DESCRIPTION</a></h1>
|
||
|
<p>This command implements a generic SSL/TLS server which
|
||
|
listens for connections on a given port.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="options">OPTIONS</a></h1>
|
||
|
<p>In addition to the options below, this command also supports
|
||
|
the common and server-only options documented in
|
||
|
<em>SSL_CONF_cmd(3)/Supported Command Line Commands</em>.</p>
|
||
|
<dl>
|
||
|
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Print out a usage message.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="port_int" class="item"><strong>-port</strong> <em>+int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The TCP port to listen on for connections. If not specified 4433 is used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="accept_val" class="item"><strong>-accept</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="unix_val" class="item"><strong>-unix</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Unix domain socket to accept on.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="4" class="item"><strong>-4</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use IPv4 only.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="6" class="item"><strong>-6</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use IPv6 only.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="unlink" class="item"><strong>-unlink</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>For -unix, unlink any existing socket first.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="context_val" class="item"><strong>-context</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Sets the SSL context id. It can be given any string value. If this option
|
||
|
is not present a default value will be used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="verify_int_verify_int" class="item"><strong>-verify</strong> <em>int</em>, <strong>-Verify</strong> <em>int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The verify depth to use. This specifies the maximum length of the
|
||
|
client certificate chain and makes the server request a certificate from
|
||
|
the client. With the <strong>-verify</strong> option a certificate is requested but the
|
||
|
client does not have to send one, with the <strong>-Verify</strong> option the client
|
||
|
must supply a certificate or an error occurs.</p>
|
||
|
<p>If the cipher suite cannot request a client certificate (for example an
|
||
|
anonymous cipher suite or PSK) this option has no effect.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="cert_infile" class="item"><strong>-cert</strong> <em>infile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate to use; most server cipher suites require the use of a
|
||
|
certificate and some require a certificate with a certain public key type:
|
||
|
for example the DSS cipher suites require a certificate containing a DSS
|
||
|
(DSA) key. If not specified then the filename <em class="file">server.pem</em> will be used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="cert_chain" class="item"><strong>-cert_chain</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A file containing trusted certificates to use when attempting to build the
|
||
|
client/server certificate chain related to the certificate specified via the
|
||
|
<strong>-cert</strong> option.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="build_chain" class="item"><strong>-build_chain</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Specify whether the application should build the certificate chain to be
|
||
|
provided to the client.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="naccept_int" class="item"><strong>-naccept</strong> <em>+int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The server will exit after receiving the specified number of connections,
|
||
|
default unlimited.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="serverinfo_val" class="item"><strong>-serverinfo</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A file containing one or more blocks of PEM data. Each PEM block
|
||
|
must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
|
||
|
followed by "length" bytes of extension data). If the client sends
|
||
|
an empty TLS ClientHello extension matching the type, the corresponding
|
||
|
ServerHello extension will be returned.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="certform_der_pem_crlform_der_pem" class="item"><strong>-certform</strong> <strong>DER</strong>|<strong>PEM</strong>, <strong>-CRLform</strong> <strong>DER</strong>|<strong>PEM</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The certificate and CRL format; the default is PEM.
|
||
|
See <em>openssl(1)/Format Options</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="key_infile" class="item"><strong>-key</strong> <em>infile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The private key to use. If not specified then the certificate file will
|
||
|
be used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="keyform_der_pem" class="item"><strong>-keyform</strong> <strong>DER</strong>|<strong>PEM</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The key format; the default is <strong>PEM</strong>.
|
||
|
See <em>openssl(1)/Format Options</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="pass_val" class="item"><strong>-pass</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The private key password source.
|
||
|
For more information about the format of <em>val</em>,
|
||
|
see <em>openssl(1)/Pass Phrase Options</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="dcert_infile_dkey_infile" class="item"><strong>-dcert</strong> <em>infile</em>, <strong>-dkey</strong> <em>infile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Specify an additional certificate and private key, these behave in the
|
||
|
same manner as the <strong>-cert</strong> and <strong>-key</strong> options except there is no default
|
||
|
if they are not specified (no additional certificate and key is used). As
|
||
|
noted above some cipher suites require a certificate containing a key of
|
||
|
a certain type. Some cipher suites need a certificate carrying an RSA key
|
||
|
and some a DSS (DSA) key. By using RSA and DSS certificates and keys
|
||
|
a server can support clients which only support RSA or DSS cipher suites
|
||
|
by using an appropriate certificate.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="dcert_chain" class="item"><strong>-dcert_chain</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A file containing trusted certificates to use when attempting to build the
|
||
|
server certificate chain when a certificate specified via the <strong>-dcert</strong> option
|
||
|
is in use.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="dcertform_der_pem_dkeyform_der_pem" class="item"><strong>-dcertform</strong> <strong>DER</strong>|<strong>PEM</strong>, <strong>-dkeyform</strong> <strong>DER</strong>|<strong>PEM</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The format of the certificate and private key; the default is <strong>PEM</strong>;
|
||
|
see <em>openssl(1)/Format Options</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="dpass_val" class="item"><strong>-dpass</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The passphrase for the additional private key.
|
||
|
For more information about the format of <em>val</em>,
|
||
|
see <em>openssl(1)/Pass Phrase Options</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="nbio_test" class="item"><strong>-nbio_test</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Tests non blocking I/O.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="crlf" class="item"><strong>-crlf</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This option translates a line feed from the terminal into CR+LF.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="debug" class="item"><strong>-debug</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Print extensive debugging information including a hex dump of all traffic.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="msg" class="item"><strong>-msg</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Show all protocol messages with hex dump.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="msgfile_outfile" class="item"><strong>-msgfile</strong> <em>outfile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>File to send output of <strong>-msg</strong> or <strong>-trace</strong> to, default standard output.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="state" class="item"><strong>-state</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Prints the SSL session states.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="chaincapath_dir" class="item"><strong>-chainCApath</strong> <em>dir</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The directory to use for building the chain provided to the client. This
|
||
|
directory must be in "hash format", see <em>openssl-verify(1)</em> for more
|
||
|
information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="chaincafile_file" class="item"><strong>-chainCAfile</strong> <em>file</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>A file containing trusted certificates to use when attempting to build the
|
||
|
server certificate chain.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="chaincastore_uri" class="item"><strong>-chainCAstore</strong> <em>uri</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The URI to a store to use for building the chain provided to the client.
|
||
|
The URI may indicate a single certificate, as well as a collection of
|
||
|
them.
|
||
|
With URIs in the <code>file:</code> scheme, this acts as <strong>-chainCAfile</strong> or
|
||
|
<strong>-chainCApath</strong>, depending on if the URI indicates a directory or a
|
||
|
single file.
|
||
|
See <em>ossl_store-file(7)</em> for more information on the <code>file:</code> scheme.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="nocert" class="item"><strong>-nocert</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>If this option is set then no certificate is used. This restricts the
|
||
|
cipher suites available to the anonymous ones (currently just anonymous
|
||
|
DH).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="quiet" class="item"><strong>-quiet</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Inhibit printing of session and certificate information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="tlsextdebug" class="item"><strong>-tlsextdebug</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Print a hex dump of any TLS extensions received from the client.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="www" class="item"><strong>-www</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Sends a status message back to the client when it connects. This includes
|
||
|
information about the ciphers used and various session parameters.
|
||
|
The output is in HTML format so this option can be used with a web browser.
|
||
|
The special URL <code>/renegcert</code> turns on client cert validation, and <code>/reneg</code>
|
||
|
tells the server to request renegotiation.
|
||
|
The <strong>-early_data</strong> option cannot be used with this option.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="www_http" class="item"><strong>-WWW</strong>, <strong>-HTTP</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Emulates a simple web server. Pages will be resolved relative to the
|
||
|
current directory, for example if the URL <code>https://myhost/page.html</code> is
|
||
|
requested the file <em class="file">./page.html</em> will be sent.
|
||
|
If the <strong>-HTTP</strong> flag is used, the files are sent directly, and should contain
|
||
|
any HTTP response headers (including status response line).
|
||
|
If the <strong>-WWW</strong> option is used,
|
||
|
the response headers are generated by the server, and the file extension is
|
||
|
examined to determine the <strong>Content-Type</strong> header.
|
||
|
Extensions of <code>html</code>, <code>htm</code>, and <code>php</code> are <code>text/html</code> and all others are
|
||
|
<code>text/plain</code>.
|
||
|
In addition, the special URL <code>/stats</code> will return status
|
||
|
information like the <strong>-www</strong> option.
|
||
|
Neither of these options can be used in conjunction with <strong>-early_data</strong>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="http_server_binmode" class="item"><strong>-http_server_binmode</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>When acting as a web server (using option <strong>-WWW</strong> or <strong>-HTTP</strong>) open files requested
|
||
|
by the client in binary mode.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="id_prefix_val" class="item"><strong>-id_prefix</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Generate SSL/TLS session IDs prefixed by <em>val</em>. This is mostly useful
|
||
|
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
|
||
|
servers, each of which might be generating a unique range of session
|
||
|
IDs (eg. with a certain prefix).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="verify_return_error" class="item"><strong>-verify_return_error</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Verification errors normally just print a message but allow the
|
||
|
connection to continue, for debugging purposes.
|
||
|
If this option is used, then verification errors close the connection.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="status" class="item"><strong>-status</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Enables certificate status request support (aka OCSP stapling).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="status_verbose" class="item"><strong>-status_verbose</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Enables certificate status request support (aka OCSP stapling) and gives
|
||
|
a verbose printout of the OCSP response.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="status_timeout_int" class="item"><strong>-status_timeout</strong> <em>int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Sets the timeout for OCSP response to <em>int</em> seconds.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="status_url_val" class="item"><strong>-status_url</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Sets a fallback responder URL to use if no responder URL is present in the
|
||
|
server certificate. Without this option an error is returned if the server
|
||
|
certificate does not contain a responder address.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="status_file_infile" class="item"><strong>-status_file</strong> <em>infile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Overrides any OCSP responder URLs from the certificate and always provides the
|
||
|
OCSP Response stored in the file. The file must be in DER format.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="trace" class="item"><strong>-trace</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Show verbose trace output of protocol messages. OpenSSL needs to be compiled
|
||
|
with <strong>enable-ssl-trace</strong> for this option to work.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="brief" class="item"><strong>-brief</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Provide a brief summary of connection parameters instead of the normal verbose
|
||
|
output.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="rev" class="item"><strong>-rev</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Simple test server which just reverses the text received from the client
|
||
|
and sends it back to the client. Also sets <strong>-brief</strong>. Cannot be used in
|
||
|
conjunction with <strong>-early_data</strong>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="async" class="item"><strong>-async</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Switch on asynchronous mode. Cryptographic operations will be performed
|
||
|
asynchronously. This will only have an effect if an asynchronous capable engine
|
||
|
is also used via the <strong>-engine</strong> option. For test purposes the dummy async engine
|
||
|
(dasync) can be used (if available).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="max_send_frag_int" class="item"><strong>-max_send_frag</strong> <em>+int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The maximum size of data fragment to send.
|
||
|
See <em>SSL_CTX_set_max_send_fragment(3)</em> for further information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="split_send_frag_int" class="item"><strong>-split_send_frag</strong> <em>+int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The size used to split data for encrypt pipelines. If more data is written in
|
||
|
one go than this value then it will be split into multiple pipelines, up to the
|
||
|
maximum number of pipelines defined by max_pipelines. This only has an effect if
|
||
|
a suitable cipher suite has been negotiated, an engine that supports pipelining
|
||
|
has been loaded, and max_pipelines is greater than 1. See
|
||
|
<em>SSL_CTX_set_split_send_fragment(3)</em> for further information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="max_pipelines_int" class="item"><strong>-max_pipelines</strong> <em>+int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The maximum number of encrypt/decrypt pipelines to be used. This will only have
|
||
|
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
|
||
|
engine) and a suitable cipher suite has been negotiated. The default value is 1.
|
||
|
See <em>SSL_CTX_set_max_pipelines(3)</em> for further information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="read_buf_int" class="item"><strong>-read_buf</strong> <em>+int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The default read buffer size to be used for connections. This will only have an
|
||
|
effect if the buffer size is larger than the size that would otherwise be used
|
||
|
and pipelining is in use (see <em>SSL_CTX_set_default_read_buffer_len(3)</em> for
|
||
|
further information).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="bugs" class="item"><strong>-bugs</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>There are several known bugs in SSL and TLS implementations. Adding this
|
||
|
option enables various workarounds.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="no_comp" class="item"><strong>-no_comp</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Disable negotiation of TLS compression.
|
||
|
TLS compression is not recommended and is off by default as of
|
||
|
OpenSSL 1.1.0.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="comp" class="item"><strong>-comp</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Enable negotiation of TLS compression.
|
||
|
This option was introduced in OpenSSL 1.1.0.
|
||
|
TLS compression is not recommended and is off by default as of
|
||
|
OpenSSL 1.1.0.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="no_ticket" class="item"><strong>-no_ticket</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Disable <a href="http://www.ietf.org/rfc/rfc4507.txt" class="rfc">RFC4507</a>bis session ticket support. This option has no effect if TLSv1.3
|
||
|
is negotiated. See <strong>-num_tickets</strong>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="num_tickets" class="item"><strong>-num_tickets</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Control the number of tickets that will be sent to the client after a full
|
||
|
handshake in TLSv1.3. The default number of tickets is 2. This option does not
|
||
|
affect the number of tickets sent after a resumption handshake.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="serverpref" class="item"><strong>-serverpref</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use the server's cipher preferences, rather than the client's preferences.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="prioritize_chacha" class="item"><strong>-prioritize_chacha</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Prioritize ChaCha ciphers when preferred by clients. Requires <strong>-serverpref</strong>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="no_resumption_on_reneg" class="item"><strong>-no_resumption_on_reneg</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Set the <strong>SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION</strong> option.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="client_sigalgs_val" class="item"><strong>-client_sigalgs</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Signature algorithms to support for client certificate authentication
|
||
|
(colon-separated list).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="named_curve_val" class="item"><strong>-named_curve</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Specifies the elliptic curve to use. NOTE: this is a single curve, not a list.
|
||
|
For a list of all possible curves, use:</p>
|
||
|
<pre>
|
||
|
$ openssl ecparam -list_curves</pre>
|
||
|
</dd>
|
||
|
<dt><strong><a name="cipher_val" class="item"><strong>-cipher</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This allows the list of TLSv1.2 and below ciphersuites used by the server to be
|
||
|
modified. This list is combined with any TLSv1.3 ciphersuites that have been
|
||
|
configured. When the client sends a list of supported ciphers the first client
|
||
|
cipher also included in the server list is used. Because the client specifies
|
||
|
the preference order, the order of the server cipherlist is irrelevant unless <strong>-serverpref</strong> is given. See
|
||
|
<em>openssl-ciphers(1)</em> for more information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="ciphersuites_val" class="item"><strong>-ciphersuites</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
|
||
|
This list is combined with any TLSv1.2 and below ciphersuites that have been
|
||
|
configured. When the client sends a list of supported ciphers the first client
|
||
|
cipher also included in the server list is used. Because the client specifies
|
||
|
the preference order, the order of the server cipherlist is irrelevant unless <strong>-serverpref</strong> is given. See
|
||
|
<em>openssl-ciphers(1)</em> command for more information. The format for this list is
|
||
|
a simple colon (":") separated list of TLSv1.3 ciphersuite names.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="dhparam_infile" class="item"><strong>-dhparam</strong> <em>infile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>The DH parameter file to use. The ephemeral DH cipher suites generate keys
|
||
|
using a set of DH parameters. If not specified then an attempt is made to
|
||
|
load the parameters from the server certificate file.
|
||
|
If this fails then a static set of parameters hard coded into this command
|
||
|
will be used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="nbio" class="item"><strong>-nbio</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Turns on non-blocking I/O.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="psk_identity_val" class="item"><strong>-psk_identity</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Expect the client to send PSK identity <em>val</em> when using a PSK
|
||
|
cipher suite, and warn if they do not. By default, the expected PSK
|
||
|
identity is the string "Client_identity".</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="psk_hint_val" class="item"><strong>-psk_hint</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use the PSK identity hint <em>val</em> when using a PSK cipher suite.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="psk_val" class="item"><strong>-psk</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use the PSK key <em>val</em> when using a PSK cipher suite. The key is
given as a hexadecimal number without a leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="psk_session_file" class="item"><strong>-psk_session</strong> <em>file</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use the PEM-encoded SSL_SESSION data stored in <em>file</em> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="listen" class="item"><strong>-listen</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This option can only be used in conjunction with one of the DTLS options above.
|
||
|
With this option, this command will listen on a UDP port for incoming
|
||
|
connections.
|
||
|
Any ClientHellos that arrive will be checked to see if they have a cookie in
|
||
|
them or not.
|
||
|
Any without a cookie will be responded to with a HelloVerifyRequest.
|
||
|
If a ClientHello with a cookie is received then this command will
|
||
|
connect to that peer and complete the handshake.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="sctp" class="item"><strong>-sctp</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
|
||
|
conjunction with <strong>-dtls</strong>, <strong>-dtls1</strong> or <strong>-dtls1_2</strong>. This option is only
|
||
|
available where OpenSSL has support for SCTP enabled.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="sctp_label_bug" class="item"><strong>-sctp_label_bug</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Use the incorrect behaviour of older OpenSSL implementations when computing
|
||
|
endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
|
||
|
older broken implementations but breaks interoperability with correct
|
||
|
implementations. Must be used in conjunction with <strong>-sctp</strong>. This option is only
|
||
|
available where OpenSSL has support for SCTP enabled.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="no_dhe" class="item"><strong>-no_dhe</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>If this option is set then no DH parameters will be loaded, effectively
disabling the ephemeral DH cipher suites.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="alpn_val_nextprotoneg_val" class="item"><strong>-alpn</strong> <em>val</em>, <strong>-nextprotoneg</strong> <em>val</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>These flags enable the Application-Layer Protocol Negotiation (ALPN)
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The <em>val</em> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag <strong>-nextprotoneg</strong> cannot be specified if <strong>-tls1_3</strong> is used.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="keylogfile_outfile" class="item"><strong>-keylogfile</strong> <em>outfile</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Appends TLS secrets to the specified keylog file so that external programs
(like Wireshark) can decrypt TLS connections. Anyone able to read this file can
decrypt the recorded connections, so access to it should be restricted
accordingly.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="max_early_data_int" class="item"><strong>-max_early_data</strong> <em>int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Change the default maximum early data bytes that are specified for new sessions
|
||
|
and any incoming early data (when used in conjunction with the <strong>-early_data</strong>
|
||
|
flag). The default value is approximately 16k. The argument must be an integer
|
||
|
greater than or equal to 0.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="recv_max_early_data_int" class="item"><strong>-recv_max_early_data</strong> <em>int</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Specify the hard limit on the maximum number of early data bytes that will
|
||
|
be accepted.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="early_data" class="item"><strong>-early_data</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Accept early data where possible. Cannot be used in conjunction with <strong>-www</strong>,
<strong>-WWW</strong>, <strong>-HTTP</strong> or <strong>-rev</strong>. See <strong>-anti_replay</strong> for how early data
sent with a reused session ticket is handled.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="stateless" class="item"><strong>-stateless</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Require TLSv1.3 cookies.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="anti_replay_no_anti_replay" class="item"><strong>-anti_replay</strong>, <strong>-no_anti_replay</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Switches replay protection on or off, respectively. Replay protection is on by
default unless overridden by a configuration file. When it is on, TLSv1.3 has
been negotiated and early data is enabled on the server, OpenSSL will
automatically detect whether a session ticket has been used more than once. A
full handshake is forced if a session ticket is used a second or subsequent
time, and any early data sent with that ticket will be rejected.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="nameopt_option" class="item"><strong>-nameopt</strong> <em>option</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This specifies how the subject or issuer names are displayed.
|
||
|
See <em>openssl(1)/Name Format Options</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="no_ssl3_no_tls1_no_tls1_1_no_tls1_2_no_tls1_3_ssl3_tls1_tls1_1_tls1_2_tls1_3" class="item"><strong>-no_ssl3</strong>, <strong>-no_tls1</strong>, <strong>-no_tls1_1</strong>, <strong>-no_tls1_2</strong>, <strong>-no_tls1_3</strong>,
|
||
|
<strong>-ssl3</strong>, <strong>-tls1</strong>, <strong>-tls1_1</strong>, <strong>-tls1_2</strong>, <strong>-tls1_3</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>See <em>openssl(1)/TLS Version Options</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="dtls_dtls1_dtls1_2" class="item"><strong>-dtls</strong>, <strong>-dtls1</strong>, <strong>-dtls1_2</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>These specify the use of DTLS instead of TLS.
|
||
|
See <em>openssl(1)/TLS Version Options</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="bugs_comp_no_comp_no_ticket_serverpref_legacy_renegotiation_no_renegotiation_no_resumption_on_reneg_legacy_server_connect_no_legacy_server_connect_allow_no_dhe_kex_prioritize_chacha_strict_sigalgs_algs_client_sigalgs_algs_groups_groups_curves_curves_named_curve_curve_cipher_ciphers_ciphersuites_1_3ciphers_min_protocol_minprot_max_protocol_maxprot_record_padding_padding_debug_broken_protocol_no_middlebox" class="item"><strong>-bugs</strong>, <strong>-comp</strong>, <strong>-no_comp</strong>, <strong>-no_ticket</strong>, <strong>-serverpref</strong>,
|
||
|
<strong>-legacy_renegotiation</strong>, <strong>-no_renegotiation</strong>, <strong>-no_resumption_on_reneg</strong>,
|
||
|
<strong>-legacy_server_connect</strong>, <strong>-no_legacy_server_connect</strong>,
|
||
|
<strong>-allow_no_dhe_kex</strong>, <strong>-prioritize_chacha</strong>, <strong>-strict</strong>, <strong>-sigalgs</strong>
|
||
|
<em>algs</em>, <strong>-client_sigalgs</strong> <em>algs</em>, <strong>-groups</strong> <em>groups</em>, <strong>-curves</strong>
|
||
|
<em>curves</em>, <strong>-named_curve</strong> <em>curve</em>, <strong>-cipher</strong> <em>ciphers</em>, <strong>-ciphersuites</strong>
|
||
|
<em>1.3ciphers</em>, <strong>-min_protocol</strong> <em>minprot</em>, <strong>-max_protocol</strong> <em>maxprot</em>,
|
||
|
<strong>-record_padding</strong> <em>padding</em>, <strong>-debug_broken_protocol</strong>, <strong>-no_middlebox</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>See <em>SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="xkey_infile_xcert_file_xchain_file_xchain_build_file_xcertform_der_pem_xkeyform_der_pem" class="item"><strong>-xkey</strong> <em>infile</em>, <strong>-xcert</strong> <em>file</em>, <strong>-xchain</strong> <em>file</em>,
|
||
|
<strong>-xchain_build</strong> <em>file</em>, <strong>-xcertform</strong> <strong>DER</strong>|<strong>PEM</strong>,
|
||
|
<strong>-xkeyform</strong> <strong>DER</strong>|<strong>PEM</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Set extended certificate verification options.
|
||
|
See <em>openssl(1)/Extended Verification Options</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="cafile_file_no_cafile_capath_dir_no_capath_castore_uri_no_castore" class="item"><strong>-CAfile</strong> <em>file</em>, <strong>-no-CAfile</strong>, <strong>-CApath</strong> <em>dir</em>, <strong>-no-CApath</strong>,
|
||
|
<strong>-CAstore</strong> <em>uri</em>, <strong>-no-CAstore</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>See <em>openssl(1)/Trusted Certificate Options</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="rand_files_writerand_file" class="item"><strong>-rand</strong> <em>files</em>, <strong>-writerand</strong> <em>file</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>See <em>openssl(1)/Random State Options</em> for details.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="engine_id" class="item"><strong>-engine</strong> <em>id</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>See <em>openssl(1)/Engine Options</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="allow_proxy_certs_attime_no_check_time_check_ss_sig_crl_check_crl_check_all_explicit_policy_extended_crl_ignore_critical_inhibit_any_inhibit_map_no_alt_chains_partial_chain_policy_policy_check_policy_print_purpose_suiteb_128_suiteb_128_only_suiteb_192_trusted_first_use_deltas_auth_level_verify_depth_verify_email_verify_hostname_verify_ip_verify_name_x509_strict_issuer_checks" class="item"><strong>-allow_proxy_certs</strong>, <strong>-attime</strong>, <strong>-no_check_time</strong>,
|
||
|
<strong>-check_ss_sig</strong>, <strong>-crl_check</strong>, <strong>-crl_check_all</strong>,
|
||
|
<strong>-explicit_policy</strong>, <strong>-extended_crl</strong>, <strong>-ignore_critical</strong>, <strong>-inhibit_any</strong>,
|
||
|
<strong>-inhibit_map</strong>, <strong>-no_alt_chains</strong>, <strong>-partial_chain</strong>, <strong>-policy</strong>,
|
||
|
<strong>-policy_check</strong>, <strong>-policy_print</strong>, <strong>-purpose</strong>, <strong>-suiteB_128</strong>,
|
||
|
<strong>-suiteB_128_only</strong>, <strong>-suiteB_192</strong>, <strong>-trusted_first</strong>, <strong>-use_deltas</strong>,
|
||
|
<strong>-auth_level</strong>, <strong>-verify_depth</strong>, <strong>-verify_email</strong>, <strong>-verify_hostname</strong>,
|
||
|
<strong>-verify_ip</strong>, <strong>-verify_name</strong>, <strong>-x509_strict</strong>, <strong>-issuer_checks</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Set various options of certificate chain verification.
|
||
|
See <em>openssl(1)/Verification Options</em> for details.</p>
|
||
|
<p>If the server requests a client certificate, verification errors are
displayed for debugging purposes, but the command still proceeds with the
connection unless the <strong>-verify_return_error</strong> option is used.</p>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="connected_commands">CONNECTED COMMANDS</a></h1>
|
||
|
<p>If a connection request is established with an SSL client and neither the
<strong>-www</strong> nor the <strong>-WWW</strong> option has been used, then normally any data received
from the client is displayed and any key presses will be sent to the client.</p>
|
||
|
<p>Certain commands are also recognized which perform special operations. Each
command is a single letter that must appear at the start of a line. They are
listed below.</p>
|
||
|
<dl>
|
||
|
<dt><strong><a name="q" class="item"><strong>q</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>End the current SSL connection but still accept new connections.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="q" class="item"><strong>Q</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>End the current SSL connection and exit.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="r" class="item"><strong>r</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Renegotiate the SSL session (TLSv1.2 and below only).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="r" class="item"><strong>R</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
|
||
|
only).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="p" class="item"><strong>P</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Send some plain text down the underlying TCP connection: this should
|
||
|
cause the client to disconnect due to a protocol violation.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="s" class="item"><strong>S</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Print out some session cache status information.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="k" class="item"><strong>k</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Send a key update message to the client (TLSv1.3 only).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="k" class="item"><strong>K</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Send a key update message to the client and request one back (TLSv1.3 only).</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="c" class="item"><strong>c</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Send a certificate request to the client (TLSv1.3 only).</p>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="notes">NOTES</a></h1>
|
||
|
<p>This command can be used to debug SSL clients. To accept connections
|
||
|
from a web browser the command:</p>
|
||
|
<pre>
|
||
|
openssl s_server -accept 443 -www</pre>
|
||
|
<p>can be used for example.</p>
|
||
|
<p>Although specifying an empty list of CAs when requesting a client certificate
|
||
|
is strictly speaking a protocol violation, some SSL clients interpret this to
|
||
|
mean any CA is acceptable. This is useful for debugging purposes.</p>
|
||
|
<p>The session parameters can be printed out using the <em>openssl-sess_id(1)</em> command.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="bugs">BUGS</a></h1>
|
||
|
<p>Because this program has a lot of options and also because some of the
|
||
|
techniques used are rather old, the C source for this command is rather
|
||
|
hard to read and not a model of how things should be done.
|
||
|
A typical SSL server program would be much simpler.</p>
|
||
|
<p>The output of common ciphers is wrong: it just gives the list of ciphers that
|
||
|
OpenSSL recognizes and the client supports.</p>
|
||
|
<p>There should be a way for this command to print out details
|
||
|
of any unknown cipher suites a client says it supports.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
||
|
<p><em>openssl(1)</em>,
|
||
|
<em>openssl-sess_id(1)</em>,
|
||
|
<em>openssl-s_client(1)</em>,
|
||
|
<em>openssl-ciphers(1)</em>,
|
||
|
<em>SSL_CONF_cmd(3)</em>,
|
||
|
<em>SSL_CTX_set_max_send_fragment(3)</em>,
|
||
|
<em>SSL_CTX_set_split_send_fragment(3)</em>,
|
||
|
<em>SSL_CTX_set_max_pipelines(3)</em>,
|
||
|
<em>ossl_store-file(7)</em></p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="history">HISTORY</a></h1>
|
||
|
<p>The -no_alt_chains option was added in OpenSSL 1.1.0.</p>
|
||
|
<p>The -allow_no_dhe_kex and -prioritize_chacha options were added in OpenSSL 1.1.1.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
||
|
<p>Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.</p>
|
||
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
||
|
this file except in compliance with the License. You can obtain a copy
|
||
|
in the file LICENSE in the source distribution or at
|
||
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
</body>
</html>