=pod

=head1 NAME

openssl-s_server,
s_server - SSL/TLS server program

=head1 SYNOPSIS

B<openssl> B<s_server>
[B<-help>]
[B<-port +int>]
[B<-accept val>]
[B<-unix val>]
[B<-4>]
[B<-6>]
[B<-unlink>]
[B<-context val>]
[B<-verify int>]
[B<-Verify int>]
[B<-cert infile>]
[B<-nameopt val>]
[B<-naccept +int>]
[B<-serverinfo val>]
[B<-certform PEM|DER>]
[B<-key infile>]
[B<-keyform format>]
[B<-pass val>]
[B<-dcert infile>]
[B<-dcertform PEM|DER>]
[B<-dkey infile>]
[B<-dkeyform PEM|DER>]
[B<-dpass val>]
[B<-nbio_test>]
[B<-crlf>]
[B<-debug>]
[B<-msg>]
[B<-msgfile outfile>]
[B<-state>]
[B<-CAfile infile>]
[B<-CApath dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-nocert>]
[B<-quiet>]
[B<-no_resume_ephemeral>]
[B<-www>]
[B<-WWW>]
[B<-servername val>]
[B<-servername_fatal>]
[B<-cert2 infile>]
[B<-key2 infile>]
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix val>]
[B<-rand file...>]
[B<-writerand file>]
[B<-keymatexport val>]
[B<-keymatexportlen +int>]
[B<-CRL infile>]
[B<-crl_download>]
[B<-cert_chain infile>]
[B<-dcert_chain infile>]
[B<-chainCApath dir>]
[B<-verifyCApath dir>]
[B<-no_cache>]
[B<-ext_cache>]
[B<-CRLform PEM|DER>]
[B<-verify_return_error>]
[B<-verify_quiet>]
[B<-build_chain>]
[B<-chainCAfile infile>]
[B<-verifyCAfile infile>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-status>]
[B<-status_verbose>]
[B<-status_timeout int>]
[B<-status_url val>]
[B<-status_file infile>]
[B<-trace>]
[B<-security_debug>]
[B<-security_debug_verbose>]
[B<-brief>]
[B<-rev>]
[B<-async>]
[B<-ssl_config val>]
[B<-max_send_frag +int>]
[B<-split_send_frag +int>]
[B<-max_pipelines +int>]
[B<-read_buf +int>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
[B<-no_tls1_3>]
[B<-bugs>]
[B<-no_comp>]
[B<-comp>]
[B<-no_ticket>]
[B<-num_tickets +int>]
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
[B<-legacy_server_connect>]
[B<-no_resumption_on_reneg>]
[B<-no_legacy_server_connect>]
[B<-allow_no_dhe_kex>]
[B<-prioritize_chacha>]
[B<-strict>]
[B<-sigalgs val>]
[B<-client_sigalgs val>]
[B<-groups val>]
[B<-curves val>]
[B<-named_curve val>]
[B<-cipher val>]
[B<-ciphersuites val>]
[B<-dhparam infile>]
[B<-record_padding val>]
[B<-debug_broken_protocol>]
[B<-policy val>]
[B<-purpose val>]
[B<-verify_name val>]
[B<-verify_depth int>]
[B<-auth_level int>]
[B<-attime intmax>]
[B<-verify_hostname val>]
[B<-verify_email val>]
[B<-verify_ip val>]
[B<-ignore_critical>]
[B<-issuer_checks>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-policy_check>]
[B<-explicit_policy>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-x509_strict>]
[B<-extended_crl>]
[B<-use_deltas>]
[B<-policy_print>]
[B<-check_ss_sig>]
[B<-trusted_first>]
[B<-suiteB_128_only>]
[B<-suiteB_128>]
[B<-suiteB_192>]
[B<-partial_chain>]
[B<-no_alt_chains>]
[B<-no_check_time>]
[B<-allow_proxy_certs>]
[B<-xkey infile>]
[B<-xcert infile>]
[B<-xchain infile>]
[B<-xchain_build>]
[B<-xcertform PEM|DER>]
[B<-xkeyform PEM|DER>]
[B<-nbio>]
[B<-psk_identity val>]
[B<-psk_hint val>]
[B<-psk val>]
[B<-psk_session file>]
[B<-srpvfile infile>]
[B<-srpuserseed val>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
[B<-dtls>]
[B<-timeout>]
[B<-mtu +int>]
[B<-listen>]
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
[B<-nextprotoneg val>]
[B<-use_srtp val>]
[B<-alpn val>]
[B<-engine val>]
[B<-keylogfile outfile>]
[B<-max_early_data int>]
[B<-early_data>]
[B<-anti_replay>]
[B<-no_anti_replay>]

=head1 DESCRIPTION

The B<s_server> command implements a generic SSL/TLS server which listens
for connections on a given port using SSL/TLS. It is a testing and
diagnostic tool rather than a production server: for example, by default it
only prints client certificate verification errors and lets the connection
continue (see B<-verify_return_error>).

=head1 OPTIONS

In addition to the options below the B<s_server> utility also supports the
common and server only options documented
in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)>
manual page.

=over 4

=item B<-help>

Print out a usage message.

=item B<-port +int>

The TCP port to listen on for connections. If not specified 4433 is used.

=item B<-accept val>

The optional TCP host and port to listen on for connections. If not specified,
*:4433 is used, i.e. the server listens on all interfaces. Use a form such as
B<-accept 127.0.0.1:4433> to restrict it to the loopback interface.

=item B<-unix val>

Unix domain socket to accept on.

=item B<-4>

Use IPv4 only.

=item B<-6>

Use IPv6 only.

=item B<-unlink>

For B<-unix>, unlink any existing socket first.

=item B<-context val>

Sets the SSL context id. It can be given any string value. If this option
is not present a default value will be used.

=item B<-verify int>, B<-Verify int>

The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
the client. With the B<-verify> option a certificate is requested but the
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.

Note that a certificate which is sent but fails verification is still
accepted by default; the error is only printed. Use B<-verify_return_error>
to close the connection on a verification failure.

If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or PSK) this option has no effect.

=item B<-cert infile>

The certificate to use, most server cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename "server.pem" will be used.

=item B<-cert_chain infile>

A file containing trusted certificates to use when attempting to build the
client/server certificate chain related to the certificate specified via the
B<-cert> option.

=item B<-build_chain>

Specify whether the application should build the certificate chain to be
provided to the client.

=item B<-nameopt val>

Option which determines how the subject or issuer names are displayed. The
B<val> argument can be a single option or multiple options separated by
commas.  Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.

=item B<-naccept +int>

The server will exit after accepting the specified number of connections;
the default is unlimited.

=item B<-serverinfo val>

A file containing one or more blocks of PEM data.  Each PEM block
must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
followed by "length" bytes of extension data).  If the client sends
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.

=item B<-certform PEM|DER>

The certificate format to use: DER or PEM. PEM is the default.

=item B<-key infile>

The private key to use. If not specified then the certificate file will
be used.

=item B<-keyform format>

The private key format to use: DER or PEM. PEM is the default.

=item B<-pass val>

The private key password source. For more information about the format of B<val>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.

=item B<-dcert infile>, B<-dkey infile>

Specify an additional certificate and private key, these behave in the
same manner as the B<-cert> and B<-key> options except there is no default
if they are not specified (no additional certificate and key is used). As
noted above some cipher suites require a certificate containing a key of
a certain type. Some cipher suites need a certificate carrying an RSA key
and some a DSS (DSA) key. By using RSA and DSS certificates and keys
a server can support clients which only support RSA or DSS cipher suites
by using an appropriate certificate.

=item B<-dcert_chain infile>

A file containing trusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.

=item B<-dcertform PEM|DER>, B<-dkeyform PEM|DER>, B<-dpass val>

Additional certificate and private key format and passphrase respectively.

=item B<-xkey infile>, B<-xcert infile>, B<-xchain infile>

Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options.  When
specified, the callback returning the first valid chain will be in use by
the server.

=item B<-xchain_build>

Specify whether the application should build the certificate chain to be
provided to the client for the extra certificates provided via the B<-xkey infile>,
B<-xcert infile> and B<-xchain infile> options.

=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>

Extra certificate and private key format respectively.

=item B<-nbio_test>

Tests non blocking I/O.

=item B<-crlf>

This option translates a line feed from the terminal into CR+LF.

=item B<-debug>

Print extensive debugging information including a hex dump of all traffic.

=item B<-msg>

Show all protocol messages with hex dump.

=item B<-msgfile outfile>

File to send output of B<-msg> or B<-trace> to, default standard output.

=item B<-state>

Prints the SSL session states.

=item B<-CAfile infile>

A file containing trusted certificates to use during client authentication
and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. Unless B<-no-CAfile> and B<-no-CApath> are also
given, the default trust store is loaded in addition, so a client certificate
issued by any CA in that store will also verify.

=item B<-CApath dir>

The directory to use for client certificate verification. This directory
must be in "hash format", see L<verify(1)> for more information. These are
also used when building the server certificate chain.

=item B<-chainCApath dir>

The directory to use for building the chain provided to the client. This
directory must be in "hash format", see L<verify(1)> for more information.

=item B<-chainCAfile infile>

A file containing trusted certificates to use when attempting to build the
server certificate chain.

=item B<-no-CAfile>

Do not load the trusted CA certificates from the default file location.

=item B<-no-CApath>

Do not load the trusted CA certificates from the default directory location.

=item B<-nocert>

If this option is set then no certificate is used. This restricts the
cipher suites available to those that need no server certificate: the
anonymous (unauthenticated) suites such as anonymous DH, and the PSK suites
when a key is supplied with B<-psk>.

=item B<-quiet>

Inhibit printing of session and certificate information.

=item B<-www>

Sends a status message back to the client when it connects. This includes
information about the ciphers used and various session parameters.
The output is in HTML format so this option will normally be used with a
web browser. Cannot be used in conjunction with B<-early_data>.

=item B<-WWW>

Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded, so run B<s_server> from a
directory that contains nothing you do not intend to expose. Cannot be used
in conjunction with B<-early_data>.

=item B<-tlsextdebug>

Print a hex dump of any TLS extensions received from the client.

=item B<-HTTP>

Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded. The files loaded are
assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.

=item B<-id_prefix val>

Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
servers, each of which might be generating a unique range of session
IDs (eg. with a certain prefix).

=item B<-rand file...>

A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item B<-writerand file>

Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.

=item B<-verify_return_error>

Verification errors normally just print a message but allow the
connection to continue, for debugging purposes. Without this option a client
whose certificate fails verification (unknown issuer, expired, and so on) is
therefore still granted the connection.
If this option is used, then verification errors close the connection.
Use it whenever B<s_server> is meant to enforce client authentication rather
than merely report on it.

=item B<-status>

Enables certificate status request support (aka OCSP stapling).

=item B<-status_verbose>

Enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.

=item B<-status_timeout int>

Sets the timeout for OCSP response to B<int> seconds.

=item B<-status_url val>

Sets a fallback responder URL to use if no responder URL is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.

=item B<-status_file infile>

Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.

=item B<-trace>

Show verbose trace output of protocol messages. OpenSSL needs to be compiled
with B<enable-ssl-trace> for this option to work.

=item B<-brief>

Provide a brief summary of connection parameters instead of the normal verbose
output.

=item B<-rev>

Simple test server which just reverses the text received from the client
and sends it back to the client. Also sets B<-brief>. Cannot be used in
conjunction with B<-early_data>.

=item B<-async>

Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).

=item B<-max_send_frag +int>

The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.

=item B<-split_send_frag +int>

The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.

=item B<-max_pipelines +int>

The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.

=item B<-read_buf +int>

The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).

=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>

These options require or disable the use of the specified SSL or TLS protocols.
By default B<s_server> will negotiate the highest mutually supported protocol
version.
When a specific TLS version is required, only that version will be accepted
from the client.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built; SSLv2 is not supported at all. SSLv3, TLSv1.0 and TLSv1.1
are deprecated and should only be enabled when testing legacy peers.

=item B<-bugs>

There are several known bugs in SSL and TLS implementations. Adding this
option enables various workarounds.

=item B<-no_comp>

Disable negotiation of TLS compression.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.

=item B<-comp>

Enable negotiation of TLS compression.
This option was introduced in OpenSSL 1.1.0.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0: compressing attacker-influenced plaintext together with
secrets leaks those secrets through the ciphertext length (the CRIME attack).

=item B<-no_ticket>

Disable RFC 5077 (RFC4507bis) session ticket support. This option has no effect
if TLSv1.3 is negotiated. See B<-num_tickets>.

=item B<-num_tickets +int>

Control the number of tickets that will be sent to the client after a full
handshake in TLSv1.3. The default number of tickets is 2. This option does not
affect the number of tickets sent after a resumption handshake.

=item B<-serverpref>

Use the server's cipher preferences, rather than the client's preferences.

=item B<-prioritize_chacha>

Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.

=item B<-no_resumption_on_reneg>

Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.

=item B<-client_sigalgs val>

Signature algorithms to support for client certificate authentication
(colon-separated list).

=item B<-named_curve val>

Specifies the elliptic curve to use. NOTE: this is a single curve, not a list.
For a list of all possible curves, use:

    $ openssl ecparam -list_curves

=item B<-cipher val>

This allows the list of TLSv1.2 and below ciphersuites used by the server to be
modified. This list is combined with any TLSv1.3 ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant unless
B<-serverpref> is given, in which case the server's order is used instead. See
the B<ciphers> command for more information.

=item B<-ciphersuites val>

This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
This list is combined with any TLSv1.2 and below ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant unless
B<-serverpref> is given. See
the B<ciphers> command for more information. The format for this list is a
simple colon (":") separated list of TLSv1.3 ciphersuite names.

=item B<-dhparam infile>

The DH parameter file to use. The ephemeral DH cipher suites generate keys
using a set of DH parameters. If not specified then an attempt is made to
load the parameters from the server certificate file.
If this fails then a static set of parameters hard coded into the B<s_server>
program will be used.

=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set different peer certificate verification options.
See the L<verify(1)> manual page for details.

=item B<-crl_check>, B<-crl_check_all>

Check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
option all CRLs of all CAs in the chain are checked.

=item B<-nbio>

Turns on non-blocking I/O.

=item B<-psk_identity val>

Expect the client to send PSK identity B<val> when using a PSK
cipher suite, and warn if they do not.  By default, the expected PSK
identity is the string "Client_identity".

=item B<-psk_hint val>

Use the PSK identity hint B<val> when using a PSK cipher suite.

=item B<-psk val>

Use the PSK key B<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.

=item B<-psk_session file>

Use the PEM encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.

=item B<-listen>

This option can only be used in conjunction with one of the DTLS options above.
With this option B<s_server> will listen on a UDP port for incoming connections.
Any ClientHellos that arrive will be checked to see if they have a cookie in
them or not.
Any without a cookie will be responded to with a HelloVerifyRequest.
If a ClientHello with a cookie is received then B<s_server> will connect to
that peer and complete the handshake.

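An added Python model of the cookie exchange described above (not OpenSSL's own code): a ClientHello without a valid cookie is answered with a HelloVerifyRequest carrying one, and only a ClientHello that returns it from the same source address proceeds to the handshake, so the listener keeps no state for unverified senders. The HMAC-over-address cookie construction and the peer addresses are assumptions of this model.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

Addr = Tuple[str, int]  # peer (ip, port) as seen on the UDP socket


class DtlsListener:
    """Stateless cookie check for ClientHellos, modelled on the -listen flow."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        # Assumption: one random secret per server process (a real server
        # would rotate it); the cookie binds a ClientHello to its source address.
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def make_cookie(self, peer: Addr) -> bytes:
        msg = ("%s:%d" % peer).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle_client_hello(self, peer: Addr, cookie: bytes) -> Tuple[str, bytes]:
        """Return (action, cookie) for one ClientHello datagram.

        ("HelloVerifyRequest", c): no valid cookie; reply with cookie c and keep
                                   no state, so spoofed sources cost nothing.
        ("connect", b""):          valid cookie; connect to the peer and
                                   complete the handshake.
        """
        expected = self.make_cookie(peer)
        if cookie and hmac.compare_digest(cookie, expected):
            return ("connect", b"")
        return ("HelloVerifyRequest", expected)


if __name__ == "__main__":
    server = DtlsListener()
    peer = ("192.0.2.10", 5000)  # constructed client address
    action, cookie = server.handle_client_hello(peer, b"")  # no cookie yet
    print(action)  # HelloVerifyRequest
    print(server.handle_client_hello(peer, cookie)[0])  # connect
    # The same cookie presented from another source address is not accepted.
    print(server.handle_client_hello(("192.0.2.11", 5000), cookie)[0])
```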
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>

These options make B<s_server> use DTLS protocols instead of TLS.
With B<-dtls>, B<s_server> will negotiate any supported DTLS protocol version,
whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and DTLSv1.2
respectively.

=item B<-sctp>

Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.

=item B<-sctp_label_bug>

Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.

=item B<-no_dhe>

If this option is set then no DH parameters will be loaded, effectively
disabling the ephemeral DH cipher suites.

=item B<-alpn val>, B<-nextprotoneg val>

These flags enable the Application-Layer Protocol Negotiation (ALPN)
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The B<val> list is a comma-separated list of supported protocol
names.  The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

=item B<-engine val>

Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=item B<-keylogfile outfile>

Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.

=item B<-max_early_data int>

Change the default maximum early data bytes that are specified for new sessions
and any incoming early data (when used in conjunction with the B<-early_data>
flag). The default value is approximately 16k. The argument must be an integer
greater than or equal to 0.

=item B<-early_data>

Accept early data where possible. Cannot be used in conjunction with B<-www>,
B<-WWW>, B<-HTTP> or B<-rev>.

=item B<-anti_replay>, B<-no_anti_replay>

Switches replay protection on or off, respectively. Replay protection is on by
default unless overridden by a configuration file. When it is on, OpenSSL will
automatically detect if a session ticket has been used more than once, TLSv1.3
has been negotiated, and early data is enabled on the server. A full handshake
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.

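An added Python model (not OpenSSL's own code) of the server-side early data decisions that B<-max_early_data>, B<-early_data> and B<-anti_replay> describe: a ticket seen a second time forces a full handshake and its early data is rejected, while B<-no_anti_replay> lets the replayed 0-RTT data through. The in-memory ticket cache, the ticket identifiers and the treatment of over-limit early data as simply rejected are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

DEFAULT_MAX_EARLY_DATA = 16384  # "approximately 16k", the documented default


@dataclass
class EarlyDataPolicy:
    """Server-side decisions for a TLSv1.3 resumption that may carry 0-RTT data."""
    early_data: bool = False                      # -early_data
    anti_replay: bool = True                      # default; -no_anti_replay clears it
    max_early_data: int = DEFAULT_MAX_EARLY_DATA  # -max_early_data
    # Constructed in-memory replay cache of ticket identifiers already used.
    seen_tickets: Set[bytes] = field(default_factory=set)

    def resume(self, ticket_id: bytes, early_data_len: int) -> Dict[str, bool]:
        if self.max_early_data < 0:
            raise ValueError("-max_early_data must be >= 0")
        # Replay detection only runs when early data is enabled on the server
        # (and, in the real protocol, TLSv1.3 was negotiated: assumed here).
        replay = False
        if self.anti_replay and self.early_data:
            replay = ticket_id in self.seen_tickets
            self.seen_tickets.add(ticket_id)
        # Modelling assumption: early data beyond the limit is simply rejected.
        accept = (self.early_data and not replay
                  and early_data_len <= self.max_early_data)
        return {"full_handshake": replay, "accept_early_data": accept}


if __name__ == "__main__":
    policy = EarlyDataPolicy(early_data=True)
    print(policy.resume(b"ticket-1", 512))  # first use: early data accepted
    print(policy.resume(b"ticket-1", 512))  # replayed: full handshake, 0-RTT rejected
    unsafe = EarlyDataPolicy(early_data=True, anti_replay=False)
    unsafe.resume(b"ticket-1", 512)
    print(unsafe.resume(b"ticket-1", 512))  # replayed 0-RTT accepted: the -no_anti_replay risk
```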
=back

=head1 CONNECTED COMMANDS

If a connection request is established with an SSL client and neither the
B<-www> nor the B<-WWW> option has been used then normally any data received
from the client is displayed and any key presses will be sent to the client.

Certain commands are also recognized which perform special operations. These
commands are a letter which must appear at the start of a line. They are listed
below.

=over 4

=item B<q>

End the current SSL connection but still accept new connections.

=item B<Q>

End the current SSL connection and exit.

=item B<r>

Renegotiate the SSL session (TLSv1.2 and below only).

=item B<R>

Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
only).

=item B<P>

Send some plain text down the underlying TCP connection: this should
cause the client to disconnect due to a protocol violation.

=item B<S>

Print out some session cache status information.

=item B<B>

Send a heartbeat message to the client (DTLS only)

=item B<k>

Send a key update message to the client (TLSv1.3 only)

=item B<K>

Send a key update message to the client and request one back (TLSv1.3 only)

=item B<c>

Send a certificate request to the client (TLSv1.3 only)

=back

=head1 NOTES

B<s_server> can be used to debug SSL clients. To accept connections from
a web browser the command:

 openssl s_server -accept 443 -www

can be used for example.

Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
mean any CA is acceptable. This is useful for debugging purposes.

The session parameters can be printed out using the B<sess_id> program.

=head1 BUGS

Because this program has a lot of options and also because some of the
techniques used are rather old, the C source of B<s_server> is rather hard to
read and not a model of how things should be done.
A typical SSL server program would be much simpler.

The output of common ciphers is wrong: it just gives the list of ciphers that
OpenSSL recognizes and the client supports.

There should be a way for the B<s_server> program to print out details of any
unknown cipher suites a client says it supports.

=head1 SEE ALSO

L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>,
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
L<SSL_CTX_set_max_pipelines(3)>

=head1 HISTORY

The -no_alt_chains option was added in OpenSSL 1.1.0.

The -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.

=head1 COPYRIGHT

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut