Diffstat (limited to 'upstream/archlinux/man1/openssl-s_client.1ssl')
-rw-r--r-- | upstream/archlinux/man1/openssl-s_client.1ssl | 1071 |
1 files changed, 1071 insertions, 0 deletions
diff --git a/upstream/archlinux/man1/openssl-s_client.1ssl b/upstream/archlinux/man1/openssl-s_client.1ssl
new file mode 100644
index 00000000..e42d6c11
--- /dev/null
+++ b/upstream/archlinux/man1/openssl-s_client.1ssl
@@ -0,0 +1,1071 @@ +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. +.ie n \{\ +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" ======================================================================== +.\" +.IX Title "OPENSSL-S_CLIENT 1ssl" +.TH OPENSSL-S_CLIENT 1ssl 2024-01-30 3.2.1 OpenSSL +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. 
+.if n .ad l +.nh +.SH NAME +openssl\-s_client \- SSL/TLS client program +.SH SYNOPSIS +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_client\fR +[\fB\-help\fR] +[\fB\-ssl_config\fR \fIsection\fR] +[\fB\-connect\fR \fIhost:port\fR] +[\fB\-host\fR \fIhostname\fR] +[\fB\-port\fR \fIport\fR] +[\fB\-bind\fR \fIhost:port\fR] +[\fB\-proxy\fR \fIhost:port\fR] +[\fB\-proxy_user\fR \fIuserid\fR] +[\fB\-proxy_pass\fR \fIarg\fR] +[\fB\-unix\fR \fIpath\fR] +[\fB\-4\fR] +[\fB\-6\fR] +[\fB\-quic\fR] +[\fB\-servername\fR \fIname\fR] +[\fB\-noservername\fR] +[\fB\-verify\fR \fIdepth\fR] +[\fB\-verify_return_error\fR] +[\fB\-verify_quiet\fR] +[\fB\-verifyCAfile\fR \fIfilename\fR] +[\fB\-verifyCApath\fR \fIdir\fR] +[\fB\-verifyCAstore\fR \fIuri\fR] +[\fB\-cert\fR \fIfilename\fR] +[\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR] +[\fB\-cert_chain\fR \fIfilename\fR] +[\fB\-build_chain\fR] +[\fB\-CRL\fR \fIfilename\fR] +[\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR] +[\fB\-crl_download\fR] +[\fB\-key\fR \fIfilename\fR|\fIuri\fR] +[\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR] +[\fB\-pass\fR \fIarg\fR] +[\fB\-chainCAfile\fR \fIfilename\fR] +[\fB\-chainCApath\fR \fIdirectory\fR] +[\fB\-chainCAstore\fR \fIuri\fR] +[\fB\-requestCAfile\fR \fIfilename\fR] +[\fB\-dane_tlsa_domain\fR \fIdomain\fR] +[\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR] +[\fB\-dane_ee_no_namechecks\fR] +[\fB\-reconnect\fR] +[\fB\-showcerts\fR] +[\fB\-prexit\fR] +[\fB\-no\-interactive\fR] +[\fB\-debug\fR] +[\fB\-trace\fR] +[\fB\-nocommands\fR] +[\fB\-adv\fR] +[\fB\-security_debug\fR] +[\fB\-security_debug_verbose\fR] +[\fB\-msg\fR] +[\fB\-timeout\fR] +[\fB\-mtu\fR \fIsize\fR] +[\fB\-no_etm\fR] +[\fB\-no_ems\fR] +[\fB\-keymatexport\fR \fIlabel\fR] +[\fB\-keymatexportlen\fR \fIlen\fR] +[\fB\-msgfile\fR \fIfilename\fR] +[\fB\-nbio_test\fR] +[\fB\-state\fR] +[\fB\-nbio\fR] +[\fB\-crlf\fR] +[\fB\-ign_eof\fR] +[\fB\-no_ign_eof\fR] +[\fB\-psk_identity\fR \fIidentity\fR] +[\fB\-psk\fR \fIkey\fR] +[\fB\-psk_session\fR \fIfile\fR] 
+[\fB\-quiet\fR] +[\fB\-sctp\fR] +[\fB\-sctp_label_bug\fR] +[\fB\-fallback_scsv\fR] +[\fB\-async\fR] +[\fB\-maxfraglen\fR \fIlen\fR] +[\fB\-max_send_frag\fR] +[\fB\-split_send_frag\fR] +[\fB\-max_pipelines\fR] +[\fB\-read_buf\fR] +[\fB\-ignore_unexpected_eof\fR] +[\fB\-bugs\fR] +[\fB\-no_tx_cert_comp\fR] +[\fB\-no_rx_cert_comp\fR] +[\fB\-comp\fR] +[\fB\-no_comp\fR] +[\fB\-brief\fR] +[\fB\-legacy_server_connect\fR] +[\fB\-no_legacy_server_connect\fR] +[\fB\-allow_no_dhe_kex\fR] +[\fB\-sigalgs\fR \fIsigalglist\fR] +[\fB\-curves\fR \fIcurvelist\fR] +[\fB\-cipher\fR \fIcipherlist\fR] +[\fB\-ciphersuites\fR \fIval\fR] +[\fB\-serverpref\fR] +[\fB\-starttls\fR \fIprotocol\fR] +[\fB\-name\fR \fIhostname\fR] +[\fB\-xmpphost\fR \fIhostname\fR] +[\fB\-name\fR \fIhostname\fR] +[\fB\-tlsextdebug\fR] +[\fB\-no_ticket\fR] +[\fB\-sess_out\fR \fIfilename\fR] +[\fB\-serverinfo\fR \fItypes\fR] +[\fB\-sess_in\fR \fIfilename\fR] +[\fB\-serverinfo\fR \fItypes\fR] +[\fB\-status\fR] +[\fB\-alpn\fR \fIprotocols\fR] +[\fB\-nextprotoneg\fR \fIprotocols\fR] +[\fB\-ct\fR] +[\fB\-noct\fR] +[\fB\-ctlogfile\fR] +[\fB\-keylogfile\fR \fIfile\fR] +[\fB\-early_data\fR \fIfile\fR] +[\fB\-enable_pha\fR] +[\fB\-use_srtp\fR \fIvalue\fR] +[\fB\-srpuser\fR \fIvalue\fR] +[\fB\-srppass\fR \fIvalue\fR] +[\fB\-srp_lateuser\fR] +[\fB\-srp_moregroups\fR] +[\fB\-srp_strength\fR \fInumber\fR] +[\fB\-ktls\fR] +[\fB\-tfo\fR] +[\fB\-nameopt\fR \fIoption\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-no_tls1_1\fR] +[\fB\-no_tls1_2\fR] +[\fB\-no_tls1_3\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] +[\fB\-dtls\fR] +[\fB\-dtls1\fR] +[\fB\-dtls1_2\fR] +[\fB\-xkey\fR \fIinfile\fR] +[\fB\-xcert\fR \fIfile\fR] +[\fB\-xchain\fR \fIfile\fR] +[\fB\-xchain_build\fR \fIfile\fR] +[\fB\-xcertform\fR \fBDER\fR|\fBPEM\fR]> +[\fB\-xkeyform\fR \fBDER\fR|\fBPEM\fR]> +[\fB\-CAfile\fR \fIfile\fR] +[\fB\-no\-CAfile\fR] +[\fB\-CApath\fR \fIdir\fR] +[\fB\-no\-CApath\fR] +[\fB\-CAstore\fR 
\fIuri\fR] +[\fB\-no\-CAstore\fR] +[\fB\-bugs\fR] +[\fB\-no_comp\fR] +[\fB\-comp\fR] +[\fB\-no_ticket\fR] +[\fB\-serverpref\fR] +[\fB\-client_renegotiation\fR] +[\fB\-legacy_renegotiation\fR] +[\fB\-no_renegotiation\fR] +[\fB\-no_resumption_on_reneg\fR] +[\fB\-legacy_server_connect\fR] +[\fB\-no_legacy_server_connect\fR] +[\fB\-no_etm\fR] +[\fB\-allow_no_dhe_kex\fR] +[\fB\-prioritize_chacha\fR] +[\fB\-strict\fR] +[\fB\-sigalgs\fR \fIalgs\fR] +[\fB\-client_sigalgs\fR \fIalgs\fR] +[\fB\-groups\fR \fIgroups\fR] +[\fB\-curves\fR \fIcurves\fR] +[\fB\-named_curve\fR \fIcurve\fR] +[\fB\-cipher\fR \fIciphers\fR] +[\fB\-ciphersuites\fR \fI1.3ciphers\fR] +[\fB\-min_protocol\fR \fIminprot\fR] +[\fB\-max_protocol\fR \fImaxprot\fR] +[\fB\-record_padding\fR \fIpadding\fR] +[\fB\-debug_broken_protocol\fR] +[\fB\-no_middlebox\fR] +[\fB\-rand\fR \fIfiles\fR] +[\fB\-writerand\fR \fIfile\fR] +[\fB\-provider\fR \fIname\fR] +[\fB\-provider\-path\fR \fIpath\fR] +[\fB\-propquery\fR \fIpropq\fR] +[\fB\-engine\fR \fIid\fR] +[\fB\-ssl_client_engine\fR \fIid\fR] +[\fB\-allow_proxy_certs\fR] +[\fB\-attime\fR \fItimestamp\fR] +[\fB\-no_check_time\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-partial_chain\fR] +[\fB\-policy\fR \fIarg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose\fR \fIpurpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] +[\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level\fR \fInum\fR] +[\fB\-verify_depth\fR \fInum\fR] +[\fB\-verify_email\fR \fIemail\fR] +[\fB\-verify_hostname\fR \fIhostname\fR] +[\fB\-verify_ip\fR \fIip\fR] +[\fB\-verify_name\fR \fIname\fR] +[\fB\-x509_strict\fR] +[\fB\-issuer_checks\fR] +[\fB\-enable_server_rpk\fR] +[\fB\-enable_client_rpk\fR] +[\fIhost\fR:\fIport\fR] +.SH DESCRIPTION +.IX Header "DESCRIPTION" +This 
command implements a generic SSL/TLS client which +connects to a remote host using SSL/TLS. It is a \fIvery\fR useful diagnostic +tool for SSL servers. +.SH OPTIONS +.IX Header "OPTIONS" +In addition to the options below, this command also supports the +common and client only options documented +in the "Supported Command Line Commands" section of the \fBSSL_CONF_cmd\fR\|(3) +manual page. +.IP \fB\-help\fR 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-ssl_config\fR \fIsection\fR" 4 +.IX Item "-ssl_config section" +Use the specified section of the configuration file to configure the \fBSSL_CTX\fR object. +.IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4 +.IX Item "-connect host:port" +This specifies the host and optional port to connect to. It is possible to +select the host and port using the optional target positional argument instead. +If neither this nor the target positional argument are specified then an attempt +is made to connect to the local host on port 4433. +.IP "\fB\-host\fR \fIhostname\fR" 4 +.IX Item "-host hostname" +Host to connect to; use \fB\-connect\fR instead. +.IP "\fB\-port\fR \fIport\fR" 4 +.IX Item "-port port" +Connect to the specified port; use \fB\-connect\fR instead. +.IP "\fB\-bind\fR \fIhost:port\fR" 4 +.IX Item "-bind host:port" +This specifies the host address and or port to bind as the source for the +connection. For Unix-domain sockets the port is ignored and the host is +used as the source socket address. +.IP "\fB\-proxy\fR \fIhost:port\fR" 4 +.IX Item "-proxy host:port" +When used with the \fB\-connect\fR flag, the program uses the host and port +specified with this flag and issues an HTTP CONNECT command to connect +to the desired server. +.IP "\fB\-proxy_user\fR \fIuserid\fR" 4 +.IX Item "-proxy_user userid" +When used with the \fB\-proxy\fR flag, the program will attempt to authenticate +with the specified proxy using basic (base64) authentication. 
+NB: Basic authentication is insecure; the credentials are sent to the proxy +in easily reversible base64 encoding before any TLS/SSL session is established. +Therefore, these credentials are easily recovered by anyone able to sniff/trace +the network. Use with caution. +.IP "\fB\-proxy_pass\fR \fIarg\fR" 4 +.IX Item "-proxy_pass arg" +The proxy password source, used with the \fB\-proxy_user\fR flag. +For more information about the format of \fBarg\fR +see \fBopenssl\-passphrase\-options\fR\|(1). +.IP "\fB\-unix\fR \fIpath\fR" 4 +.IX Item "-unix path" +Connect over the specified Unix-domain socket. +.IP \fB\-4\fR 4 +.IX Item "-4" +Use IPv4 only. +.IP \fB\-6\fR 4 +.IX Item "-6" +Use IPv6 only. +.IP \fB\-quic\fR 4 +.IX Item "-quic" +Connect using the QUIC protocol. If specified then the \fB\-alpn\fR option must also +be provided. +.IP "\fB\-servername\fR \fIname\fR" 4 +.IX Item "-servername name" +Set the TLS SNI (Server Name Indication) extension in the ClientHello message to +the given value. +If \fB\-servername\fR is not provided, the TLS SNI extension will be populated with +the name given to \fB\-connect\fR if it follows a DNS name format. If \fB\-connect\fR is +not provided either, the SNI is set to "localhost". +This is the default since OpenSSL 1.1.1. +.Sp +Even though SNI should normally be a DNS name and not an IP address, if +\&\fB\-servername\fR is provided then that name will be sent, regardless of whether +it is a DNS name or not. +.Sp +This option cannot be used in conjunction with \fB\-noservername\fR. +.IP \fB\-noservername\fR 4 +.IX Item "-noservername" +Suppresses sending of the SNI (Server Name Indication) extension in the +ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or +\&\fB\-dane_tlsa_domain\fR options. +.IP "\fB\-cert\fR \fIfilename\fR" 4 +.IX Item "-cert filename" +The client certificate to use, if one is requested by the server. +The default is not to use a certificate. 
+.Sp +The chain for the client certificate may be specified using \fB\-cert_chain\fR. +.IP "\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4 +.IX Item "-certform DER|PEM|P12" +The client certificate file format to use; unspecified by default. +See \fBopenssl\-format\-options\fR\|(1) for details. +.IP \fB\-cert_chain\fR 4 +.IX Item "-cert_chain" +A file or URI of untrusted certificates to use when attempting to build the +certificate chain related to the certificate specified via the \fB\-cert\fR option. +The input can be in PEM, DER, or PKCS#12 format. +.IP \fB\-build_chain\fR 4 +.IX Item "-build_chain" +Specify whether the application should build the client certificate chain to be +provided to the server. +.IP "\fB\-CRL\fR \fIfilename\fR" 4 +.IX Item "-CRL filename" +CRL file to use to check the server's certificate. +.IP "\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR" 4 +.IX Item "-CRLform DER|PEM" +The CRL file format; unspecified by default. +See \fBopenssl\-format\-options\fR\|(1) for details. +.IP \fB\-crl_download\fR 4 +.IX Item "-crl_download" +Download CRL from distribution points in the certificate. +.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4 +.IX Item "-key filename|uri" +The client private key to use. +If not specified then the certificate file will be used to read also the key. +.IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4 +.IX Item "-keyform DER|PEM|P12|ENGINE" +The key format; unspecified by default. +See \fBopenssl\-format\-options\fR\|(1) for details. +.IP "\fB\-pass\fR \fIarg\fR" 4 +.IX Item "-pass arg" +the private key and certificate file password source. +For more information about the format of \fIarg\fR +see \fBopenssl\-passphrase\-options\fR\|(1). +.IP "\fB\-verify\fR \fIdepth\fR" 4 +.IX Item "-verify depth" +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. 
+Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. +.IP \fB\-verify_return_error\fR 4 +.IX Item "-verify_return_error" +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. +.IP \fB\-verify_quiet\fR 4 +.IX Item "-verify_quiet" +Limit verify output to only errors. +.IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4 +.IX Item "-verifyCAfile filename" +A file in PEM format containing trusted certificates to use +for verifying the server's certificate. +.IP "\fB\-verifyCApath\fR \fIdir\fR" 4 +.IX Item "-verifyCApath dir" +A directory containing trusted certificates to use +for verifying the server's certificate. +This directory must be in "hash format", +see \fBopenssl\-verify\fR\|(1) for more information. +.IP "\fB\-verifyCAstore\fR \fIuri\fR" 4 +.IX Item "-verifyCAstore uri" +The URI of a store containing trusted certificates to use +for verifying the server's certificate. +.IP "\fB\-chainCAfile\fR \fIfile\fR" 4 +.IX Item "-chainCAfile file" +A file in PEM format containing trusted certificates to use +when attempting to build the client certificate chain. +.IP "\fB\-chainCApath\fR \fIdirectory\fR" 4 +.IX Item "-chainCApath directory" +A directory containing trusted certificates to use +for building the client certificate chain provided to the server. +This directory must be in "hash format", +see \fBopenssl\-verify\fR\|(1) for more information. +.IP "\fB\-chainCAstore\fR \fIuri\fR" 4 +.IX Item "-chainCAstore uri" +The URI of a store containing trusted certificates to use +when attempting to build the client certificate chain. +The URI may indicate a single certificate, as well as a collection of them. 
+With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or +\&\fB\-chainCApath\fR, depending on if the URI indicates a directory or a +single file. +See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme. +.IP "\fB\-requestCAfile\fR \fIfile\fR" 4 +.IX Item "-requestCAfile file" +A file containing a list of certificates whose subject names will be sent +to the server in the \fBcertificate_authorities\fR extension. Only supported +for TLS 1.3 +.IP "\fB\-dane_tlsa_domain\fR \fIdomain\fR" 4 +.IX Item "-dane_tlsa_domain domain" +Enable RFC6698/RFC7671 DANE TLSA authentication and specify the +TLSA base domain which becomes the default SNI hint and the primary +reference identifier for hostname checks. This must be used in +combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR +option below. +.Sp +When DANE authentication succeeds, the diagnostic output will include +the lowest (closest to 0) depth at which a TLSA record authenticated +a chain certificate. When that TLSA record is a "2 1 0" trust +anchor public key that signed (rather than matched) the top-most +certificate of the chain, the result is reported as "TA public key +verified". Otherwise, either the TLSA record "matched TA certificate" +at a positive depth or else "matched EE certificate" at depth 0. +.IP "\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR" 4 +.IX Item "-dane_tlsa_rrdata rrdata" +Use one or more times to specify the RRDATA fields of the DANE TLSA +RRset associated with the target service. The \fIrrdata\fR value is +specified in "presentation form", that is four whitespace separated +fields that specify the usage, selector, matching type and associated +data, with the last of these encoded in hexadecimal. Optional +whitespace is ignored in the associated data field. 
For example: +.Sp +.Vb 12 +\& $ openssl s_client \-brief \-starttls smtp \e +\& \-connect smtp.example.com:25 \e +\& \-dane_tlsa_domain smtp.example.com \e +\& \-dane_tlsa_rrdata "2 1 1 +\& B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \e +\& \-dane_tlsa_rrdata "2 1 1 +\& 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18" +\& ... +\& Verification: OK +\& Verified peername: smtp.example.com +\& DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1 +\& ... +.Ve +.IP \fB\-dane_ee_no_namechecks\fR 4 +.IX Item "-dane_ee_no_namechecks" +This disables server name checks when authenticating via \fBDANE\-EE\fR\|(3) TLSA +records. +For some applications, primarily web browsers, it is not safe to disable name +checks due to "unknown key share" attacks, in which a malicious server can +convince a client that a connection to a victim server is instead a secure +connection to the malicious server. +The malicious server may then be able to violate cross-origin scripting +restrictions. +Thus, despite the text of RFC7671, name checks are by default enabled for +\&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe +to do so. +In particular, SMTP and XMPP clients should set this option as SRV and MX +records already make it possible for a remote domain to redirect client +connections to any server of its choice, and in any case SMTP and XMPP clients +do not execute scripts downloaded from remote servers. +.IP \fB\-reconnect\fR 4 +.IX Item "-reconnect" +Reconnects to the same server 5 times using the same session ID, this can +be used as a test that session caching is working. +.IP \fB\-showcerts\fR 4 +.IX Item "-showcerts" +Displays the server certificate list as sent by the server: it only consists of +certificates the server has sent (in the order the server has sent them). It is +\&\fBnot\fR a verified chain. 
+.IP \fB\-prexit\fR 4 +.IX Item "-prexit" +Print session information when the program exits. This will always attempt +to print out information even if the connection fails. Normally information +will only be printed out once if the connection succeeds. This option is useful +because the cipher in use may be renegotiated or the connection may fail +because a client certificate is required or is requested only after an +attempt is made to access a certain URL. Note: the output produced by this +option is not always accurate because a connection might never have been +established. +.IP \fB\-no\-interactive\fR 4 +.IX Item "-no-interactive" +This flag can be used to run the client in a non-interactive mode. +.IP \fB\-state\fR 4 +.IX Item "-state" +Prints out the SSL session states. +.IP \fB\-debug\fR 4 +.IX Item "-debug" +Print extensive debugging information including a hex dump of all traffic. +.IP \fB\-nocommands\fR 4 +.IX Item "-nocommands" +Do not use interactive command letters. +.IP \fB\-adv\fR 4 +.IX Item "-adv" +Use advanced command mode. +.IP \fB\-security_debug\fR 4 +.IX Item "-security_debug" +Enable security debug messages. +.IP \fB\-security_debug_verbose\fR 4 +.IX Item "-security_debug_verbose" +Output more security debug output. +.IP \fB\-msg\fR 4 +.IX Item "-msg" +Show protocol messages. +.IP \fB\-timeout\fR 4 +.IX Item "-timeout" +Enable send/receive timeout on DTLS connections. +.IP "\fB\-mtu\fR \fIsize\fR" 4 +.IX Item "-mtu size" +Set MTU of the link layer to the specified size. +.IP \fB\-no_etm\fR 4 +.IX Item "-no_etm" +Disable Encrypt-then-MAC negotiation. +.IP \fB\-no_ems\fR 4 +.IX Item "-no_ems" +Disable Extended master secret negotiation. +.IP "\fB\-keymatexport\fR \fIlabel\fR" 4 +.IX Item "-keymatexport label" +Export keying material using the specified label. +.IP "\fB\-keymatexportlen\fR \fIlen\fR" 4 +.IX Item "-keymatexportlen len" +Export the specified number of bytes of keying material; default is 20. 
+.Sp +Show all protocol messages with hex dump. +.IP \fB\-trace\fR 4 +.IX Item "-trace" +Show verbose trace output of protocol messages. +.IP "\fB\-msgfile\fR \fIfilename\fR" 4 +.IX Item "-msgfile filename" +File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output. +.IP \fB\-nbio_test\fR 4 +.IX Item "-nbio_test" +Tests nonblocking I/O +.IP \fB\-nbio\fR 4 +.IX Item "-nbio" +Turns on nonblocking I/O +.IP \fB\-crlf\fR 4 +.IX Item "-crlf" +This option translated a line feed from the terminal into CR+LF as required +by some servers. +.IP \fB\-ign_eof\fR 4 +.IX Item "-ign_eof" +Inhibit shutting down the connection when end of file is reached in the +input. +.IP \fB\-quiet\fR 4 +.IX Item "-quiet" +Inhibit printing of session and certificate information. This implicitly +turns on \fB\-ign_eof\fR as well. +.IP \fB\-no_ign_eof\fR 4 +.IX Item "-no_ign_eof" +Shut down the connection when end of file is reached in the input. +Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR. +.IP "\fB\-psk_identity\fR \fIidentity\fR" 4 +.IX Item "-psk_identity identity" +Use the PSK identity \fIidentity\fR when using a PSK cipher suite. +The default value is "Client_identity" (without the quotes). +.IP "\fB\-psk\fR \fIkey\fR" 4 +.IX Item "-psk key" +Use the PSK key \fIkey\fR when using a PSK cipher suite. The key is +given as a hexadecimal number without leading 0x, for example \-psk +1a2b3c4d. +This option must be provided in order to use a PSK cipher. +.IP "\fB\-psk_session\fR \fIfile\fR" 4 +.IX Item "-psk_session file" +Use the pem encoded SSL_SESSION data stored in \fIfile\fR as the basis of a PSK. +Note that this will only work if TLSv1.3 is negotiated. +.IP \fB\-sctp\fR 4 +.IX Item "-sctp" +Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in +conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only +available where OpenSSL has support for SCTP enabled. 
+.IP \fB\-sctp_label_bug\fR 4 +.IX Item "-sctp_label_bug" +Use the incorrect behaviour of older OpenSSL implementations when computing +endpoint-pair shared secrets for DTLS/SCTP. This allows communication with +older broken implementations but breaks interoperability with correct +implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only +available where OpenSSL has support for SCTP enabled. +.IP \fB\-fallback_scsv\fR 4 +.IX Item "-fallback_scsv" +Send TLS_FALLBACK_SCSV in the ClientHello. +.IP \fB\-async\fR 4 +.IX Item "-async" +Switch on asynchronous mode. Cryptographic operations will be performed +asynchronously. This will only have an effect if an asynchronous capable engine +is also used via the \fB\-engine\fR option. For test purposes the dummy async engine +(dasync) can be used (if available). +.IP "\fB\-maxfraglen\fR \fIlen\fR" 4 +.IX Item "-maxfraglen len" +Enable Maximum Fragment Length Negotiation; allowed values are +\&\f(CW512\fR, \f(CW1024\fR, \f(CW2048\fR, and \f(CW4096\fR. +.IP "\fB\-max_send_frag\fR \fIint\fR" 4 +.IX Item "-max_send_frag int" +The maximum size of data fragment to send. +See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information. +.IP "\fB\-split_send_frag\fR \fIint\fR" 4 +.IX Item "-split_send_frag int" +The size used to split data for encrypt pipelines. If more data is written in +one go than this value then it will be split into multiple pipelines, up to the +maximum number of pipelines defined by max_pipelines. This only has an effect if +a suitable cipher suite has been negotiated, an engine that supports pipelining +has been loaded, and max_pipelines is greater than 1. See +\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information. +.IP "\fB\-max_pipelines\fR \fIint\fR" 4 +.IX Item "-max_pipelines int" +The maximum number of encrypt/decrypt pipelines to be used. This will only have +an effect if an engine has been loaded that supports pipelining (e.g. 
the dasync +engine) and a suitable cipher suite has been negotiated. The default value is 1. +See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information. +.IP "\fB\-read_buf\fR \fIint\fR" 4 +.IX Item "-read_buf int" +The default read buffer size to be used for connections. This will only have an +effect if the buffer size is larger than the size that would otherwise be used +and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for +further information). +.IP \fB\-ignore_unexpected_eof\fR 4 +.IX Item "-ignore_unexpected_eof" +Some TLS implementations do not send the mandatory close_notify alert on +shutdown. If the application tries to wait for the close_notify alert but the +peer closes the connection without sending it, an error is generated. When this +option is enabled the peer does not need to send the close_notify alert and a +closed connection will be treated as if the close_notify alert was received. +For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3). +.IP \fB\-bugs\fR 4 +.IX Item "-bugs" +There are several known bugs in SSL and TLS implementations. Adding this +option enables various workarounds. +.IP \fB\-no_tx_cert_comp\fR 4 +.IX Item "-no_tx_cert_comp" +Disables support for sending TLSv1.3 compressed certificates. +.IP \fB\-no_rx_cert_comp\fR 4 +.IX Item "-no_rx_cert_comp" +Disables support for receiving TLSv1.3 compressed certificate. +.IP \fB\-comp\fR 4 +.IX Item "-comp" +Enables support for SSL/TLS compression. +This option was introduced in OpenSSL 1.1.0. +TLS compression is not recommended and is off by default as of +OpenSSL 1.1.0. TLS compression can only be used in security level 1 or +lower. From OpenSSL 3.2.0 and above the default security level is 2, so this +option will have no effect without also changing the security level. Use the +\&\fB\-cipher\fR option to change the security level. See \fBopenssl\-ciphers\fR\|(1) for +more information. 
+.IP \fB\-no_comp\fR 4 +.IX Item "-no_comp" +Disables support for SSL/TLS compression. +TLS compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP \fB\-brief\fR 4 +.IX Item "-brief" +Only provide a brief summary of connection parameters instead of the +normal verbose output. +.IP "\fB\-sigalgs\fR \fIsigalglist\fR" 4 +.IX Item "-sigalgs sigalglist" +Specifies the list of signature algorithms that are sent by the client. +The server selects one entry in the list based on its preferences. +For example strings, see \fBSSL_CTX_set1_sigalgs\fR\|(3) +.IP "\fB\-curves\fR \fIcurvelist\fR" 4 +.IX Item "-curves curvelist" +Specifies the list of supported curves to be sent by the client. The curve is +ultimately selected by the server. For a list of all curves, use: +.Sp +.Vb 1 +\& $ openssl ecparam \-list_curves +.Ve +.IP "\fB\-cipher\fR \fIcipherlist\fR" 4 +.IX Item "-cipher cipherlist" +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which ciphersuite is used it should +take the first supported cipher in the list sent by the client. See +\&\fBopenssl\-ciphers\fR\|(1) for more information. +.IP "\fB\-ciphersuites\fR \fIval\fR" 4 +.IX Item "-ciphersuites val" +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See +\&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a simple +colon (":") separated list of TLSv1.3 ciphersuite names. +.IP "\fB\-starttls\fR \fIprotocol\fR" 4 +.IX Item "-starttls protocol" +Send the protocol-specific message(s) to switch to TLS for communication. 
+\&\fIprotocol\fR is a keyword for the intended protocol. Currently, the only +supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", +"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap". +.IP "\fB\-xmpphost\fR \fIhostname\fR" 4 +.IX Item "-xmpphost hostname" +This option, when used with "\-starttls xmpp" or "\-starttls xmpp-server", +specifies the host for the "to" attribute of the stream element. +If this option is not specified, then the host specified with "\-connect" +will be used. +.Sp +This option is an alias of the \fB\-name\fR option for "xmpp" and "xmpp-server". +.IP "\fB\-name\fR \fIhostname\fR" 4 +.IX Item "-name hostname" +This option is used to specify hostname information for various protocols +used with \fB\-starttls\fR option. Currently only "xmpp", "xmpp-server", +"smtp" and "lmtp" can utilize this \fB\-name\fR option. +.Sp +If this option is used with "\-starttls xmpp" or "\-starttls xmpp-server", +if specifies the host for the "to" attribute of the stream element. If this +option is not specified, then the host specified with "\-connect" will be used. +.Sp +If this option is used with "\-starttls lmtp" or "\-starttls smtp", it specifies +the name to use in the "LMTP LHLO" or "SMTP EHLO" message, respectively. If +this option is not specified, then "mail.example.com" will be used. +.IP \fB\-tlsextdebug\fR 4 +.IX Item "-tlsextdebug" +Print out a hex dump of any TLS extensions received from the server. +.IP \fB\-no_ticket\fR 4 +.IX Item "-no_ticket" +Disable RFC4507bis session ticket support. +.IP "\fB\-sess_out\fR \fIfilename\fR" 4 +.IX Item "-sess_out filename" +Output SSL session to \fIfilename\fR. +.IP "\fB\-sess_in\fR \fIfilename\fR" 4 +.IX Item "-sess_in filename" +Load SSL session from \fIfilename\fR. The client will attempt to resume a +connection from this session. 
+.IP "\fB\-serverinfo\fR \fItypes\fR" 4 +.IX Item "-serverinfo types" +A list of comma-separated TLS Extension Types (numbers between 0 and +65535). Each type will be sent as an empty ClientHello TLS Extension. +The server's response (if any) will be encoded and displayed as a PEM +file. +.IP \fB\-status\fR 4 +.IX Item "-status" +Sends a certificate status request to the server (OCSP stapling). The server +response (if any) is printed out. +.IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4 +.IX Item "-alpn protocols, -nextprotoneg protocols" +These flags enable the Enable the Application-Layer Protocol Negotiation +or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the +IETF standard and replaces NPN. +The \fIprotocols\fR list is a comma-separated list of protocol names that +the client should advertise support for. The list should contain the most +desirable protocols first. Protocol names are printable ASCII strings, +for example "http/1.1" or "spdy/3". +An empty list of protocols is treated specially and will cause the +client to advertise support for the TLS extension but disconnect just +after receiving ServerHello with a list of server supported protocols. +The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used. +.IP "\fB\-ct\fR, \fB\-noct\fR" 4 +.IX Item "-ct, -noct" +Use one of these two options to control whether Certificate Transparency (CT) +is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR). +If CT is enabled, signed certificate timestamps (SCTs) will be requested from +the server and reported at handshake completion. +.Sp +Enabling CT also enables OCSP stapling, as this is one possible delivery method +for SCTs. +.IP \fB\-ctlogfile\fR 4 +.IX Item "-ctlogfile" +A file containing a list of known Certificate Transparency logs. See +\&\fBSSL_CTX_set_ctlog_list_file\fR\|(3) for the expected file format. 
+.IP "\fB\-keylogfile\fR \fIfile\fR" 4 +.IX Item "-keylogfile file" +Appends TLS secrets to the specified keylog file such that external programs +(like Wireshark) can decrypt TLS connections. +.IP "\fB\-early_data\fR \fIfile\fR" 4 +.IX Item "-early_data file" +Reads the contents of the specified file and attempts to send it as early data +to the server. This will only work with resumed sessions that support early +data and when the server accepts the early data. +.IP \fB\-enable_pha\fR 4 +.IX Item "-enable_pha" +For TLSv1.3 only, send the Post-Handshake Authentication extension. This will +happen whether or not a certificate has been provided via \fB\-cert\fR. +.IP "\fB\-use_srtp\fR \fIvalue\fR" 4 +.IX Item "-use_srtp value" +Offer SRTP key management, where \fBvalue\fR is a colon-separated profile list. +.IP "\fB\-srpuser\fR \fIvalue\fR" 4 +.IX Item "-srpuser value" +Set the SRP username to the specified value. This option is deprecated. +.IP "\fB\-srppass\fR \fIvalue\fR" 4 +.IX Item "-srppass value" +Set the SRP password to the specified value. This option is deprecated. +.IP \fB\-srp_lateuser\fR 4 +.IX Item "-srp_lateuser" +SRP username for the second ClientHello message. This option is deprecated. +.IP "\fB\-srp_moregroups\fR This option is deprecated." 4 +.IX Item "-srp_moregroups This option is deprecated." +Tolerate other than the known \fBg\fR and \fBN\fR values. +.IP "\fB\-srp_strength\fR \fInumber\fR" 4 +.IX Item "-srp_strength number" +Set the minimal acceptable length, in bits, for \fBN\fR. This option is +deprecated. +.IP \fB\-ktls\fR 4 +.IX Item "-ktls" +Enable Kernel TLS for sending and receiving. +This option was introduced in OpenSSL 3.2.0. +Kernel TLS is off by default as of OpenSSL 3.2.0. +.IP \fB\-tfo\fR 4 +.IX Item "-tfo" +Enable creation of connections via TCP fast open (RFC7413). 
+.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4 +.IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3" +See "TLS Version Options" in \fBopenssl\fR\|(1). +.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4 +.IX Item "-dtls, -dtls1, -dtls1_2" +These specify the use of DTLS instead of TLS. +See "TLS Version Options" in \fBopenssl\fR\|(1). +.IP "\fB\-nameopt\fR \fIoption\fR" 4 +.IX Item "-nameopt option" +This specifies how the subject or issuer names are displayed. +See \fBopenssl\-namedisplay\-options\fR\|(1) for details. +.IP "\fB\-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \fIfile\fR, \fB\-xcertform\fR \fBDER\fR|\fBPEM\fR, \fB\-xkeyform\fR \fBDER\fR|\fBPEM\fR" 4 +.IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyform DER|PEM" +Set extended certificate verification options. +See "Extended Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details. +.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4 +.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore" +See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details. 
+.IP "\fB\-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renegotiation\fR, \fB\-legacy_renegotiation\fR, \fB\-no_renegotiation\fR, \fB\-no_resumption_on_reneg\fR, \fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR, \fB\-no_etm\fR \fB\-allow_no_dhe_kex\fR, \fB\-prioritize_chacha\fR, \fB\-strict\fR, \fB\-sigalgs\fR \fIalgs\fR, \fB\-client_sigalgs\fR \fIalgs\fR, \fB\-groups\fR \fIgroups\fR, \fB\-curves\fR \fIcurves\fR, \fB\-named_curve\fR \fIcurve\fR, \fB\-cipher\fR \fIciphers\fR, \fB\-ciphersuites\fR \fI1.3ciphers\fR, \fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR, \fB\-record_padding\fR \fIpadding\fR, \fB\-debug_broken_protocol\fR, \fB\-no_middlebox\fR" 4 +.IX Item "-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no_renegotiation, -no_resumption_on_reneg, -legacy_server_connect, -no_legacy_server_connect, -no_etm -allow_no_dhe_kex, -prioritize_chacha, -strict, -sigalgs algs, -client_sigalgs algs, -groups groups, -curves curves, -named_curve curve, -cipher ciphers, -ciphersuites 1.3ciphers, -min_protocol minprot, -max_protocol maxprot, -record_padding padding, -debug_broken_protocol, -no_middlebox" +See "SUPPORTED COMMAND LINE COMMANDS" in \fBSSL_CONF_cmd\fR\|(3) for details. +.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4 +.IX Item "-rand files, -writerand file" +See "Random State Options" in \fBopenssl\fR\|(1) for details. +.IP "\fB\-provider\fR \fIname\fR" 4 +.IX Item "-provider name" +.PD 0 +.IP "\fB\-provider\-path\fR \fIpath\fR" 4 +.IX Item "-provider-path path" +.IP "\fB\-propquery\fR \fIpropq\fR" 4 +.IX Item "-propquery propq" +.PD +See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7). +.IP "\fB\-engine\fR \fIid\fR" 4 +.IX Item "-engine id" +See "Engine Options" in \fBopenssl\fR\|(1). +This option is deprecated. 
+.IP "\fB\-ssl_client_engine\fR \fIid\fR" 4 +.IX Item "-ssl_client_engine id" +Specify engine to be used for client certificate operations. +.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4 +.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks" +Set various options of certificate chain verification. +See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details. +.Sp +Verification errors are displayed, for debugging, but the command will +proceed unless the \fB\-verify_return_error\fR option is used. +.IP \fB\-enable_server_rpk\fR 4 +.IX Item "-enable_server_rpk" +Enable support for receiving raw public keys (RFC7250) from the server. +Use of X.509 certificates by the server becomes optional, and servers that +support raw public keys may elect to use them. +Servers that don't support raw public keys or prefer to use X.509 +certificates can still elect to send X.509 certificates as usual. 
+.IP \fB\-enable_client_rpk\fR 4 +.IX Item "-enable_client_rpk" +Enable support for sending raw public keys (RFC7250) to the server. +A raw public key will be sent by the client, if solicited by the server, +provided a suitable key and public certificate pair is configured. +Some servers may nevertheless not request any client credentials, +or may request a certificate. +.IP \fIhost\fR:\fIport\fR 4 +.IX Item "host:port" +Rather than providing \fB\-connect\fR, the target hostname and optional port may +be provided as a single positional argument after all options. If neither this +nor \fB\-connect\fR are provided, falls back to attempting to connect to +\&\fIlocalhost\fR on port \fI4433\fR. +.SH "CONNECTED COMMANDS (BASIC)" +.IX Header "CONNECTED COMMANDS (BASIC)" +If a connection is established with an SSL/TLS server then any data received +from the server is displayed and any key presses will be sent to the +server. If end of file is reached then the connection will be closed down. +.PP +When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been +given), and neither of \fB\-adv\fR or \fB\-nocommands\fR are given then "Basic" command +mode is entered. In this mode certain commands are recognized which perform +special operations. These commands are a letter which must appear at the start +of a line. All further data after the initial letter on the line is ignored. +The commands are listed below. +.IP \fBQ\fR 4 +.IX Item "Q" +End the current SSL connection and exit. +.IP \fBR\fR 4 +.IX Item "R" +Renegotiate the SSL session (TLSv1.2 and below only). +.IP \fBC\fR 4 +.IX Item "C" +Attempt to reconnect to the server using a resumption handshake. 
+.IP \fBk\fR 4 +.IX Item "k" +Send a key update message to the server (TLSv1.3 only) +.IP \fBK\fR 4 +.IX Item "K" +Send a key update message to the server and request one back (TLSv1.3 only) +.SH "CONNECTED COMMANDS (ADVANCED)" +.IX Header "CONNECTED COMMANDS (ADVANCED)" +If \fB\-adv\fR has been given then "advanced" command mode is entered. As with basic +mode, if a connection is established with an SSL/TLS server then any data +received from the server is displayed and any key presses will be sent to the +server. If end of file is reached then the connection will be closed down. +.PP +Special commands can be supplied by enclosing them in braces, e.g. "{help}" or +"{quit}". These commands can appear anywhere in the text entered into s_client, +but they are not sent to the server. Some commands can take an argument by +ending the command name with ":" and then providing the argument, e.g. +"{keyup:req}". Some commands are only available when certain protocol versions +have been negotiated. +.PP +If a newline appears at the end of a line entered into s_client then this is +also sent to the server. If a command appears on a line on its own with no other +text on the same line, then the newline is suppressed and not sent to the +server. +.PP +The following commands are recognised. +.IP \fBhelp\fR 4 +.IX Item "help" +Prints out summary help text about the available commands. +.IP \fBquit\fR 4 +.IX Item "quit" +Close the connection to the peer +.IP \fBreconnect\fR 4 +.IX Item "reconnect" +Reconnect to the peer and attempt a resumption handshake +.IP \fBkeyup\fR 4 +.IX Item "keyup" +Send a Key Update message. TLSv1.3 only. This command takes an optional +argument. If the argument "req" is supplied then the peer is also requested to +update its keys. Otherwise if "noreq" is supplied the the peer is not requested +to update its keys. The default is "req". +.IP \fBreneg\fR 4 +.IX Item "reneg" +Initiate a renegotiation with the server. (D)TLSv1.2 or below only. 
+.IP \fBfin\fR 4 +.IX Item "fin" +Indicate FIN on the current stream. QUIC only. Once FIN has been sent any +further text entered for this stream is ignored. +.SH NOTES +.IX Header "NOTES" +This command can be used to debug SSL servers. To connect to an SSL HTTP +server the command: +.PP +.Vb 1 +\& openssl s_client \-connect servername:443 +.Ve +.PP +would typically be used (https uses port 443). If the connection succeeds +then an HTTP command can be given such as "GET /" to retrieve a web page. +.PP +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the \fB\-bugs\fR, +\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried +in case it is a buggy server. In particular you should play with these +options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. +.PP +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its "acceptable CA list" when it +requests a certificate. By using this command, the CA list can be viewed +and checked. However, some servers only request client authentication +after a specific URL is requested. To obtain the list in this case it +is necessary to use the \fB\-prexit\fR option and send an HTTP request +for an appropriate page. +.PP +If a certificate is specified on the command line using the \fB\-cert\fR +option it will not be used unless the server specifically requests +a client certificate. Therefore, merely including a client certificate +on the command line is no guarantee that the certificate works. +.PP +If there are problems verifying a server certificate then the +\&\fB\-showcerts\fR option can be used to show all the certificates sent by the +server. 
+.PP +This command is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. Non-test +applications should \fBnot\fR do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the \fB\-verify_return_error\fR +option: any verify errors are then returned aborting the handshake. +.PP +The \fB\-bind\fR option may be useful if the server or a firewall requires +connections to come from some particular address and or port. +.SH BUGS +.IX Header "BUGS" +Because this program has a lot of options and also because some of the +techniques used are rather old, the C source for this command is rather +hard to read and not a model of how things should be done. +A typical SSL client program would be much simpler. +.PP +The \fB\-prexit\fR option is a bit of a hack. We should really report +information whenever a session is renegotiated. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fBopenssl\fR\|(1), +\&\fBopenssl\-sess_id\fR\|(1), +\&\fBopenssl\-s_server\fR\|(1), +\&\fBopenssl\-ciphers\fR\|(1), +\&\fBSSL_CONF_cmd\fR\|(3), +\&\fBSSL_CTX_set_max_send_fragment\fR\|(3), +\&\fBSSL_CTX_set_split_send_fragment\fR\|(3), +\&\fBSSL_CTX_set_max_pipelines\fR\|(3), +\&\fBossl_store\-file\fR\|(7) +.SH HISTORY +.IX Header "HISTORY" +The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0. +The \fB\-name\fR option was added in OpenSSL 1.1.1. +.PP +The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect. +.PP +The \fB\-engine\fR option was deprecated in OpenSSL 3.0. +.PP +The +\&\fB\-enable_client_rpk\fR, +\&\fB\-enable_server_rpk\fR, +\&\fB\-no_rx_cert_comp\fR, +\&\fB\-no_tx_cert_comp\fR, +and \fB\-tfo\fR +options were added in OpenSSL 3.2. +.SH COPYRIGHT +.IX Header "COPYRIGHT" +Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the Apache License 2.0 (the "License"). 
You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +<https://www.openssl.org/source/license.html>. |