Adding upstream version 4.23.0.upstream/4.23.0

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 122 insertions, 11 deletions

diff --git a/upstream/debian-unstable/man1/openssl-s_client.1ssl b/upstream/debian-unstable/man1/openssl-s_client.1ssl
index 11bdaa9f..678ff9a9 100644
--- a/upstream/debian-unstable/man1/openssl-s_client.1ssl
+++ b/upstream/debian-unstable/man1/openssl-s_client.1ssl
@@ -55,7 +55,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL-S_CLIENT 1SSL"
-.TH OPENSSL-S_CLIENT 1SSL 2024-02-03 3.1.5 OpenSSL
+.TH OPENSSL-S_CLIENT 1SSL 2024-04-04 3.2.2-dev OpenSSL
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -77,6 +77,7 @@ openssl\-s_client \- SSL/TLS client program
 [\fB\-unix\fR \fIpath\fR]
 [\fB\-4\fR]
 [\fB\-6\fR]
+[\fB\-quic\fR]
 [\fB\-servername\fR \fIname\fR]
 [\fB\-noservername\fR]
 [\fB\-verify\fR \fIdepth\fR]
@@ -105,15 +106,18 @@ openssl\-s_client \- SSL/TLS client program
 [\fB\-reconnect\fR]
 [\fB\-showcerts\fR]
 [\fB\-prexit\fR]
+[\fB\-no\-interactive\fR]
 [\fB\-debug\fR]
 [\fB\-trace\fR]
 [\fB\-nocommands\fR]
+[\fB\-adv\fR]
 [\fB\-security_debug\fR]
 [\fB\-security_debug_verbose\fR]
 [\fB\-msg\fR]
 [\fB\-timeout\fR]
 [\fB\-mtu\fR \fIsize\fR]
 [\fB\-no_etm\fR]
+[\fB\-no_ems\fR]
 [\fB\-keymatexport\fR \fIlabel\fR]
 [\fB\-keymatexportlen\fR \fIlen\fR]
 [\fB\-msgfile\fR \fIfilename\fR]
@@ -138,6 +142,8 @@ openssl\-s_client \- SSL/TLS client program
 [\fB\-read_buf\fR]
 [\fB\-ignore_unexpected_eof\fR]
 [\fB\-bugs\fR]
+[\fB\-no_tx_cert_comp\fR]
+[\fB\-no_rx_cert_comp\fR]
 [\fB\-comp\fR]
 [\fB\-no_comp\fR]
 [\fB\-brief\fR]
@@ -174,6 +180,8 @@ openssl\-s_client \- SSL/TLS client program
 [\fB\-srp_lateuser\fR]
 [\fB\-srp_moregroups\fR]
 [\fB\-srp_strength\fR \fInumber\fR]
+[\fB\-ktls\fR]
+[\fB\-tfo\fR]
 [\fB\-nameopt\fR \fIoption\fR]
 [\fB\-no_ssl3\fR]
 [\fB\-no_tls1\fR]
@@ -264,6 +272,8 @@ openssl\-s_client \- SSL/TLS client program
 [\fB\-verify_name\fR \fIname\fR]
 [\fB\-x509_strict\fR]
 [\fB\-issuer_checks\fR]
+[\fB\-enable_server_rpk\fR]
+[\fB\-enable_client_rpk\fR]
 [\fIhost\fR:\fIport\fR]
 .SH DESCRIPTION
 .IX Header "DESCRIPTION"
@@ -326,6 +336,10 @@ Use IPv4 only.
 .IP \fB\-6\fR 4
 .IX Item "-6"
 Use IPv6 only.
+.IP \fB\-quic\fR 4
+.IX Item "-quic"
+Connect using the QUIC protocol. If specified then the \fB\-alpn\fR option must also
+be provided.
 .IP "\fB\-servername\fR \fIname\fR" 4
 .IX Item "-servername name"
 Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
@@ -513,6 +527,9 @@ because a client certificate is required or is requested only after an
 attempt is made to access a certain URL. Note: the output produced by this
 option is not always accurate because a connection might never have been
 established.
+.IP \fB\-no\-interactive\fR 4
+.IX Item "-no-interactive"
+This flag can be used to run the client in a non-interactive mode.
 .IP \fB\-state\fR 4
 .IX Item "-state"
 Prints out the SSL session states.
@@ -522,6 +539,9 @@ Print extensive debugging information including a hex dump of all traffic.
 .IP \fB\-nocommands\fR 4
 .IX Item "-nocommands"
 Do not use interactive command letters.
+.IP \fB\-adv\fR 4
+.IX Item "-adv"
+Use advanced command mode.
 .IP \fB\-security_debug\fR 4
 .IX Item "-security_debug"
 Enable security debug messages.
@@ -540,6 +560,9 @@ Set MTU of the link layer to the specified size.
 .IP \fB\-no_etm\fR 4
 .IX Item "-no_etm"
 Disable Encrypt-then-MAC negotiation.
+.IP \fB\-no_ems\fR 4
+.IX Item "-no_ems"
+Disable Extended master secret negotiation.
 .IP "\fB\-keymatexport\fR \fIlabel\fR" 4
 .IX Item "-keymatexport label"
 Export keying material using the specified label.
@@ -651,12 +674,22 @@ For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3).
 .IX Item "-bugs"
 There are several known bugs in SSL and TLS implementations. Adding this
 option enables various workarounds.
+.IP \fB\-no_tx_cert_comp\fR 4
+.IX Item "-no_tx_cert_comp"
+Disables support for sending TLSv1.3 compressed certificates.
+.IP \fB\-no_rx_cert_comp\fR 4
+.IX Item "-no_rx_cert_comp"
+Disables support for receiving TLSv1.3 compressed certificate.
 .IP \fB\-comp\fR 4
 .IX Item "-comp"
 Enables support for SSL/TLS compression.
 This option was introduced in OpenSSL 1.1.0.
 TLS compression is not recommended and is off by default as of
-OpenSSL 1.1.0.
+OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
+lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
+option will have no effect without also changing the security level. Use the
+\&\fB\-cipher\fR option to change the security level. See \fBopenssl\-ciphers\fR\|(1) for
+more information.
 .IP \fB\-no_comp\fR 4
 .IX Item "-no_comp"
 Disables support for SSL/TLS compression.
@@ -802,6 +835,14 @@ Tolerate other than the known \fBg\fR and \fBN\fR values.
 .IX Item "-srp_strength number"
 Set the minimal acceptable length, in bits, for \fBN\fR.  This option is
 deprecated.
+.IP \fB\-ktls\fR 4
+.IX Item "-ktls"
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.2.0.
+Kernel TLS is off by default as of OpenSSL 3.2.0.
+.IP \fB\-tfo\fR 4
+.IX Item "-tfo"
+Enable creation of connections via TCP fast open (RFC7413).
 .IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3"
 See "TLS Version Options" in \fBopenssl\fR\|(1).
@@ -849,33 +890,95 @@ See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for deta
 .Sp
 Verification errors are displayed, for debugging, but the command will
 proceed unless the \fB\-verify_return_error\fR option is used.
+.IP \fB\-enable_server_rpk\fR 4
+.IX Item "-enable_server_rpk"
+Enable support for receiving raw public keys (RFC7250) from the server.
+Use of X.509 certificates by the server becomes optional, and servers that
+support raw public keys may elect to use them.
+Servers that don't support raw public keys or prefer to use X.509
+certificates can still elect to send X.509 certificates as usual.
+.IP \fB\-enable_client_rpk\fR 4
+.IX Item "-enable_client_rpk"
+Enable support for sending raw public keys (RFC7250) to the server.
+A raw public key will be sent by the client, if solicited by the server,
+provided a suitable key and public certificate pair is configured.
+Some servers may nevertheless not request any client credentials,
+or may request a certificate.
 .IP \fIhost\fR:\fIport\fR 4
 .IX Item "host:port"
 Rather than providing \fB\-connect\fR, the target hostname and optional port may
 be provided as a single positional argument after all options. If neither this
 nor \fB\-connect\fR are provided, falls back to attempting to connect to
 \&\fIlocalhost\fR on port \fI4433\fR.
-.SH "CONNECTED COMMANDS"
-.IX Header "CONNECTED COMMANDS"
-If a connection is established with an SSL server then any data received
+.SH "CONNECTED COMMANDS (BASIC)"
+.IX Header "CONNECTED COMMANDS (BASIC)"
+If a connection is established with an SSL/TLS server then any data received
 from the server is displayed and any key presses will be sent to the
-server. If end of file is reached then the connection will be closed down. When
-used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been
-given), then certain commands are also recognized which perform special
-operations. These commands are a letter which must appear at the start of a
-line. They are listed below.
+server. If end of file is reached then the connection will be closed down.
+.PP
+When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been
+given), and neither of \fB\-adv\fR or \fB\-nocommands\fR are given then "Basic" command
+mode is entered. In this mode certain commands are recognized which perform
+special operations. These commands are a letter which must appear at the start
+of a line. All further data after the initial letter on the line is ignored.
+The commands are listed below.
 .IP \fBQ\fR 4
 .IX Item "Q"
 End the current SSL connection and exit.
 .IP \fBR\fR 4
 .IX Item "R"
 Renegotiate the SSL session (TLSv1.2 and below only).
+.IP \fBC\fR 4
+.IX Item "C"
+Attempt to reconnect to the server using a resumption handshake.
 .IP \fBk\fR 4
 .IX Item "k"
 Send a key update message to the server (TLSv1.3 only)
 .IP \fBK\fR 4
 .IX Item "K"
 Send a key update message to the server and request one back (TLSv1.3 only)
+.SH "CONNECTED COMMANDS (ADVANCED)"
+.IX Header "CONNECTED COMMANDS (ADVANCED)"
+If \fB\-adv\fR has been given then "advanced" command mode is entered. As with basic
+mode, if a connection is established with an SSL/TLS server then any data
+received from the server is displayed and any key presses will be sent to the
+server. If end of file is reached then the connection will be closed down.
+.PP
+Special commands can be supplied by enclosing them in braces, e.g. "{help}" or
+"{quit}". These commands can appear anywhere in the text entered into s_client,
+but they are not sent to the server. Some commands can take an argument by
+ending the command name with ":" and then providing the argument, e.g.
+"{keyup:req}". Some commands are only available when certain protocol versions
+have been negotiated.
+.PP
+If a newline appears at the end of a line entered into s_client then this is
+also sent to the server. If a command appears on a line on its own with no other
+text on the same line, then the newline is suppressed and not sent to the
+server.
+.PP
+The following commands are recognised.
+.IP \fBhelp\fR 4
+.IX Item "help"
+Prints out summary help text about the available commands.
+.IP \fBquit\fR 4
+.IX Item "quit"
+Close the connection to the peer
+.IP \fBreconnect\fR 4
+.IX Item "reconnect"
+Reconnect to the peer and attempt a resumption handshake
+.IP \fBkeyup\fR 4
+.IX Item "keyup"
+Send a Key Update message. TLSv1.3 only. This command takes an optional
+argument. If the argument "req" is supplied then the peer is also requested to
+update its keys. Otherwise if "noreq" is supplied the the peer is not requested
+to update its keys. The default is "req".
+.IP \fBreneg\fR 4
+.IX Item "reneg"
+Initiate a renegotiation with the server. (D)TLSv1.2 or below only.
+.IP \fBfin\fR 4
+.IX Item "fin"
+Indicate FIN on the current stream. QUIC only. Once FIN has been sent any
+further text entered for this stream is ignored.
 .SH NOTES
 .IX Header "NOTES"
 This command can be used to debug SSL servers. To connect to an SSL HTTP
@@ -950,9 +1053,17 @@ The \fB\-name\fR option was added in OpenSSL 1.1.1.
 The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect.
 .PP
 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.PP
+The
+\&\fB\-enable_client_rpk\fR,
+\&\fB\-enable_server_rpk\fR,
+\&\fB\-no_rx_cert_comp\fR,
+\&\fB\-no_tx_cert_comp\fR,
+and \fB\-tfo\fR
+options were added in OpenSSL 3.2.
 .SH COPYRIGHT
 .IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
 .PP
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy