263 lines
11 KiB
HTML
263 lines
11 KiB
HTML
<?xml version="1.0" ?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<title>s_time</title>
|
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
|
<link rev="made" href="mailto:root@localhost" />
|
|
</head>
|
|
|
|
<body style="background-color: white">
|
|
|
|
|
|
<!-- INDEX BEGIN -->
|
|
<div name="index">
|
|
<p><a name="__index__"></a></p>
|
|
|
|
<ul>
|
|
|
|
<li><a href="#name">NAME</a></li>
|
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
|
<li><a href="#description">DESCRIPTION</a></li>
|
|
<li><a href="#options">OPTIONS</a></li>
|
|
<li><a href="#notes">NOTES</a></li>
|
|
<li><a href="#bugs">BUGS</a></li>
|
|
<li><a href="#see_also">SEE ALSO</a></li>
|
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
|
</ul>
|
|
|
|
<hr name="index" />
|
|
</div>
|
|
<!-- INDEX END -->
|
|
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="name">NAME</a></h1>
|
|
<p>openssl-s_time,
|
|
s_time - SSL/TLS performance timing program</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
|
<p><strong>openssl</strong> <strong>s_time</strong>
|
|
[<strong>-help</strong>]
|
|
[<strong>-connect host:port</strong>]
|
|
[<strong>-www page</strong>]
|
|
[<strong>-cert filename</strong>]
|
|
[<strong>-key filename</strong>]
|
|
[<strong>-CApath directory</strong>]
|
|
[<strong>-cafile filename</strong>]
|
|
[<strong>-no-CAfile</strong>]
|
|
[<strong>-no-CApath</strong>]
|
|
[<strong>-reuse</strong>]
|
|
[<strong>-new</strong>]
|
|
[<strong>-verify depth</strong>]
|
|
[<strong>-nameopt option</strong>]
|
|
[<strong>-time seconds</strong>]
|
|
[<strong>-ssl3</strong>]
|
|
[<strong>-bugs</strong>]
|
|
[<strong>-cipher cipherlist</strong>]
|
|
[<strong>-ciphersuites val</strong>]</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="description">DESCRIPTION</a></h1>
|
|
<p>The <strong>s_time</strong> command implements a generic SSL/TLS client which connects to a
|
|
remote host using SSL/TLS. It can request a page from the server and includes
|
|
the time to transfer the payload data in its timing measurements. It measures
|
|
the number of connections within a given timeframe, the amount of data
|
|
transferred (if any), and calculates the average time spent for one connection.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="options">OPTIONS</a></h1>
|
|
<dl>
|
|
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Print out a usage message.</p>
|
|
</dd>
|
|
<dt><strong><a name="connect_host_port" class="item"><strong>-connect host:port</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This specifies the host and optional port to connect to.</p>
|
|
</dd>
|
|
<dt><strong><a name="www_page" class="item"><strong>-www page</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This specifies the page to GET from the server. A value of '/' gets the
|
|
index.htm[l] page. If this parameter is not specified, then <strong>s_time</strong> will only
|
|
perform the handshake to establish SSL connections but not transfer any
|
|
payload data.</p>
|
|
</dd>
|
|
<dt><strong><a name="cert_certname" class="item"><strong>-cert certname</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The certificate to use, if one is requested by the server. The default is
|
|
not to use a certificate. The file is in PEM format.</p>
|
|
</dd>
|
|
<dt><strong><a name="key_keyfile" class="item"><strong>-key keyfile</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The private key to use. If not specified then the certificate file will
|
|
be used. The file is in PEM format.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify_depth" class="item"><strong>-verify depth</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The verify depth to use. This specifies the maximum length of the
|
|
server certificate chain and turns on server certificate verification.
|
|
Currently the verify operation continues after errors so all the problems
|
|
with a certificate chain can be seen. As a side effect the connection
|
|
will never fail due to a server certificate verify failure.</p>
|
|
</dd>
|
|
<dt><strong><a name="nameopt_option" class="item"><strong>-nameopt option</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Option which determines how the subject or issuer names are displayed. The
|
|
<strong>option</strong> argument can be a single option or multiple options separated by
|
|
commas. Alternatively the <strong>-nameopt</strong> switch may be used more than once to
|
|
set multiple options. See the <em>x509(1)</em> manual page for details.</p>
|
|
</dd>
|
|
<dt><strong><a name="capath_directory" class="item"><strong>-CApath directory</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The directory to use for server certificate verification. This directory
|
|
must be in "hash format", see <strong>verify</strong> for more information. These are
|
|
also used when building the client certificate chain.</p>
|
|
</dd>
|
|
<dt><strong><a name="cafile_file" class="item"><strong>-CAfile file</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>A file containing trusted certificates to use during server authentication
|
|
and to use when attempting to build the client certificate chain.</p>
|
|
</dd>
|
|
<dt><strong><a name="no_cafile" class="item"><strong>-no-CAfile</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not load the trusted CA certificates from the default file location</p>
|
|
</dd>
|
|
<dt><strong><a name="no_capath" class="item"><strong>-no-CApath</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not load the trusted CA certificates from the default directory location</p>
|
|
</dd>
|
|
<dt><strong><a name="new" class="item"><strong>-new</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Performs the timing test using a new session ID for each connection.
|
|
If neither <strong>-new</strong> nor <strong>-reuse</strong> are specified, they are both on by default
|
|
and executed in sequence.</p>
|
|
</dd>
|
|
<dt><strong><a name="reuse" class="item"><strong>-reuse</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Performs the timing test using the same session ID; this can be used as a test
|
|
that session caching is working. If neither <strong>-new</strong> nor <strong>-reuse</strong> are
|
|
specified, they are both on by default and executed in sequence.</p>
|
|
</dd>
|
|
<dt><strong><a name="ssl3" class="item"><strong>-ssl3</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This option disables the use of SSL version 3. By default
|
|
the initial handshake uses a method which should be compatible with all
|
|
servers and permit them to use SSL v3 or TLS as appropriate.</p>
|
|
<p>The timing program is not as rich in options to turn protocols on and off as
|
|
the <em>s_client(1)</em> program and may not connect to all servers.
|
|
Unfortunately there are a lot of ancient and broken servers in use which
|
|
cannot handle this technique and will fail to connect. Some servers only
|
|
work if TLS is turned off with the <strong>-ssl3</strong> option.</p>
|
|
<p>Note that this option may not be available, depending on how
|
|
OpenSSL was built.</p>
|
|
</dd>
|
|
<dt><strong><a name="bugs" class="item"><strong>-bugs</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>There are several known bugs in SSL and TLS implementations. Adding this
|
|
option enables various workarounds.</p>
|
|
</dd>
|
|
<dt><strong><a name="cipher_cipherlist" class="item"><strong>-cipher cipherlist</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This allows the TLSv1.2 and below cipher list sent by the client to be modified.
|
|
This list will be combined with any TLSv1.3 ciphersuites that have been
|
|
configured. Although the server determines which cipher suite is used it should
|
|
take the first supported cipher in the list sent by the client. See
|
|
<em>ciphers(1)</em> for more information.</p>
|
|
</dd>
|
|
<dt><strong><a name="ciphersuites_val" class="item"><strong>-ciphersuites val</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
|
|
list will be combined with any TLSv1.2 and below ciphersuites that have been
|
|
configured. Although the server determines which cipher suite is used it should
|
|
take the first supported cipher in the list sent by the client. See
|
|
<em>ciphers(1)</em> for more information. The format for this list is a simple
|
|
colon (":") separated list of TLSv1.3 ciphersuite names.</p>
|
|
</dd>
|
|
<dt><strong><a name="time_length" class="item"><strong>-time length</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Specifies how long (in seconds) <strong>s_time</strong> should establish connections and
|
|
optionally transfer payload data from a server. Server and client performance
|
|
and the link speed determine how many connections <strong>s_time</strong> can establish.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="notes">NOTES</a></h1>
|
|
<p><strong>s_time</strong> can be used to measure the performance of an SSL connection.
|
|
To connect to an SSL HTTP server and get the default page the command</p>
|
|
<pre>
|
|
openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]</pre>
|
|
<p>would typically be used (https uses port 443). 'commoncipher' is a cipher to
|
|
which both client and server can agree, see the <em>ciphers(1)</em> command
|
|
for details.</p>
|
|
<p>If the handshake fails then there are several possible causes, if it is
|
|
nothing obvious like no client certificate then the <strong>-bugs</strong> and
|
|
<strong>-ssl3</strong> options can be tried
|
|
in case it is a buggy server. In particular you should play with these
|
|
options <strong>before</strong> submitting a bug report to an OpenSSL mailing list.</p>
|
|
<p>A frequent problem when attempting to get client certificates working
|
|
is that a web client complains it has no certificates or gives an empty
|
|
list to choose from. This is normally because the server is not sending
|
|
the clients certificate authority in its "acceptable CA list" when it
|
|
requests a certificate. By using <em>s_client(1)</em> the CA list can be
|
|
viewed and checked. However some servers only request client authentication
|
|
after a specific URL is requested. To obtain the list in this case it
|
|
is necessary to use the <strong>-prexit</strong> option of <em>s_client(1)</em> and
|
|
send an HTTP request for an appropriate page.</p>
|
|
<p>If a certificate is specified on the command line using the <strong>-cert</strong>
|
|
option it will not be used unless the server specifically requests
|
|
a client certificate. Therefor merely including a client certificate
|
|
on the command line is no guarantee that the certificate works.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="bugs">BUGS</a></h1>
|
|
<p>Because this program does not have all the options of the
|
|
<em>s_client(1)</em> program to turn protocols on and off, you may not be
|
|
able to measure the performance of all protocols with all servers.</p>
|
|
<p>The <strong>-verify</strong> option should really exit if the server verification
|
|
fails.</p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
|
<p><em>s_client(1)</em>, <em>s_server(1)</em>, <em>ciphers(1)</em></p>
|
|
<p>
|
|
</p>
|
|
<hr />
|
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
|
<p>Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.</p>
|
|
<p>Licensed under the OpenSSL license (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
|
|
|
</body>
|
|
|
|
</html>
|