Diffstat (limited to 'upstream/debian-unstable/man1/openssl-s_client.1ssl')
-rw-r--r--upstream/debian-unstable/man1/openssl-s_client.1ssl960
1 files changed, 960 insertions, 0 deletions
diff --git a/upstream/debian-unstable/man1/openssl-s_client.1ssl b/upstream/debian-unstable/man1/openssl-s_client.1ssl
new file mode 100644
index 00000000..11bdaa9f
--- /dev/null
+++ b/upstream/debian-unstable/man1/openssl-s_client.1ssl
@@ -0,0 +1,960 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-S_CLIENT 1SSL"
+.TH OPENSSL-S_CLIENT 1SSL 2024-02-03 3.1.5 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+openssl\-s_client \- SSL/TLS client program
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBs_client\fR
+[\fB\-help\fR]
+[\fB\-ssl_config\fR \fIsection\fR]
+[\fB\-connect\fR \fIhost:port\fR]
+[\fB\-host\fR \fIhostname\fR]
+[\fB\-port\fR \fIport\fR]
+[\fB\-bind\fR \fIhost:port\fR]
+[\fB\-proxy\fR \fIhost:port\fR]
+[\fB\-proxy_user\fR \fIuserid\fR]
+[\fB\-proxy_pass\fR \fIarg\fR]
+[\fB\-unix\fR \fIpath\fR]
+[\fB\-4\fR]
+[\fB\-6\fR]
+[\fB\-servername\fR \fIname\fR]
+[\fB\-noservername\fR]
+[\fB\-verify\fR \fIdepth\fR]
+[\fB\-verify_return_error\fR]
+[\fB\-verify_quiet\fR]
+[\fB\-verifyCAfile\fR \fIfilename\fR]
+[\fB\-verifyCApath\fR \fIdir\fR]
+[\fB\-verifyCAstore\fR \fIuri\fR]
+[\fB\-cert\fR \fIfilename\fR]
+[\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR]
+[\fB\-cert_chain\fR \fIfilename\fR]
+[\fB\-build_chain\fR]
+[\fB\-CRL\fR \fIfilename\fR]
+[\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR]
+[\fB\-crl_download\fR]
+[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
+[\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
+[\fB\-pass\fR \fIarg\fR]
+[\fB\-chainCAfile\fR \fIfilename\fR]
+[\fB\-chainCApath\fR \fIdirectory\fR]
+[\fB\-chainCAstore\fR \fIuri\fR]
+[\fB\-requestCAfile\fR \fIfilename\fR]
+[\fB\-dane_tlsa_domain\fR \fIdomain\fR]
+[\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR]
+[\fB\-dane_ee_no_namechecks\fR]
+[\fB\-reconnect\fR]
+[\fB\-showcerts\fR]
+[\fB\-prexit\fR]
+[\fB\-debug\fR]
+[\fB\-trace\fR]
+[\fB\-nocommands\fR]
+[\fB\-security_debug\fR]
+[\fB\-security_debug_verbose\fR]
+[\fB\-msg\fR]
+[\fB\-timeout\fR]
+[\fB\-mtu\fR \fIsize\fR]
+[\fB\-no_etm\fR]
+[\fB\-keymatexport\fR \fIlabel\fR]
+[\fB\-keymatexportlen\fR \fIlen\fR]
+[\fB\-msgfile\fR \fIfilename\fR]
+[\fB\-nbio_test\fR]
+[\fB\-state\fR]
+[\fB\-nbio\fR]
+[\fB\-crlf\fR]
+[\fB\-ign_eof\fR]
+[\fB\-no_ign_eof\fR]
+[\fB\-psk_identity\fR \fIidentity\fR]
+[\fB\-psk\fR \fIkey\fR]
+[\fB\-psk_session\fR \fIfile\fR]
+[\fB\-quiet\fR]
+[\fB\-sctp\fR]
+[\fB\-sctp_label_bug\fR]
+[\fB\-fallback_scsv\fR]
+[\fB\-async\fR]
+[\fB\-maxfraglen\fR \fIlen\fR]
+[\fB\-max_send_frag\fR]
+[\fB\-split_send_frag\fR]
+[\fB\-max_pipelines\fR]
+[\fB\-read_buf\fR]
+[\fB\-ignore_unexpected_eof\fR]
+[\fB\-bugs\fR]
+[\fB\-comp\fR]
+[\fB\-no_comp\fR]
+[\fB\-brief\fR]
+[\fB\-legacy_server_connect\fR]
+[\fB\-no_legacy_server_connect\fR]
+[\fB\-allow_no_dhe_kex\fR]
+[\fB\-sigalgs\fR \fIsigalglist\fR]
+[\fB\-curves\fR \fIcurvelist\fR]
+[\fB\-cipher\fR \fIcipherlist\fR]
+[\fB\-ciphersuites\fR \fIval\fR]
+[\fB\-serverpref\fR]
+[\fB\-starttls\fR \fIprotocol\fR]
+[\fB\-name\fR \fIhostname\fR]
+[\fB\-xmpphost\fR \fIhostname\fR]
+[\fB\-name\fR \fIhostname\fR]
+[\fB\-tlsextdebug\fR]
+[\fB\-no_ticket\fR]
+[\fB\-sess_out\fR \fIfilename\fR]
+[\fB\-serverinfo\fR \fItypes\fR]
+[\fB\-sess_in\fR \fIfilename\fR]
+[\fB\-serverinfo\fR \fItypes\fR]
+[\fB\-status\fR]
+[\fB\-alpn\fR \fIprotocols\fR]
+[\fB\-nextprotoneg\fR \fIprotocols\fR]
+[\fB\-ct\fR]
+[\fB\-noct\fR]
+[\fB\-ctlogfile\fR]
+[\fB\-keylogfile\fR \fIfile\fR]
+[\fB\-early_data\fR \fIfile\fR]
+[\fB\-enable_pha\fR]
+[\fB\-use_srtp\fR \fIvalue\fR]
+[\fB\-srpuser\fR \fIvalue\fR]
+[\fB\-srppass\fR \fIvalue\fR]
+[\fB\-srp_lateuser\fR]
+[\fB\-srp_moregroups\fR]
+[\fB\-srp_strength\fR \fInumber\fR]
+[\fB\-nameopt\fR \fIoption\fR]
+[\fB\-no_ssl3\fR]
+[\fB\-no_tls1\fR]
+[\fB\-no_tls1_1\fR]
+[\fB\-no_tls1_2\fR]
+[\fB\-no_tls1_3\fR]
+[\fB\-ssl3\fR]
+[\fB\-tls1\fR]
+[\fB\-tls1_1\fR]
+[\fB\-tls1_2\fR]
+[\fB\-tls1_3\fR]
+[\fB\-dtls\fR]
+[\fB\-dtls1\fR]
+[\fB\-dtls1_2\fR]
+[\fB\-xkey\fR \fIinfile\fR]
+[\fB\-xcert\fR \fIfile\fR]
+[\fB\-xchain\fR \fIfile\fR]
+[\fB\-xchain_build\fR \fIfile\fR]
+[\fB\-xcertform\fR \fBDER\fR|\fBPEM\fR]>
+[\fB\-xkeyform\fR \fBDER\fR|\fBPEM\fR]>
+[\fB\-CAfile\fR \fIfile\fR]
+[\fB\-no\-CAfile\fR]
+[\fB\-CApath\fR \fIdir\fR]
+[\fB\-no\-CApath\fR]
+[\fB\-CAstore\fR \fIuri\fR]
+[\fB\-no\-CAstore\fR]
+[\fB\-bugs\fR]
+[\fB\-no_comp\fR]
+[\fB\-comp\fR]
+[\fB\-no_ticket\fR]
+[\fB\-serverpref\fR]
+[\fB\-client_renegotiation\fR]
+[\fB\-legacy_renegotiation\fR]
+[\fB\-no_renegotiation\fR]
+[\fB\-no_resumption_on_reneg\fR]
+[\fB\-legacy_server_connect\fR]
+[\fB\-no_legacy_server_connect\fR]
+[\fB\-no_etm\fR]
+[\fB\-allow_no_dhe_kex\fR]
+[\fB\-prioritize_chacha\fR]
+[\fB\-strict\fR]
+[\fB\-sigalgs\fR \fIalgs\fR]
+[\fB\-client_sigalgs\fR \fIalgs\fR]
+[\fB\-groups\fR \fIgroups\fR]
+[\fB\-curves\fR \fIcurves\fR]
+[\fB\-named_curve\fR \fIcurve\fR]
+[\fB\-cipher\fR \fIciphers\fR]
+[\fB\-ciphersuites\fR \fI1.3ciphers\fR]
+[\fB\-min_protocol\fR \fIminprot\fR]
+[\fB\-max_protocol\fR \fImaxprot\fR]
+[\fB\-record_padding\fR \fIpadding\fR]
+[\fB\-debug_broken_protocol\fR]
+[\fB\-no_middlebox\fR]
+[\fB\-rand\fR \fIfiles\fR]
+[\fB\-writerand\fR \fIfile\fR]
+[\fB\-provider\fR \fIname\fR]
+[\fB\-provider\-path\fR \fIpath\fR]
+[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-engine\fR \fIid\fR]
+[\fB\-ssl_client_engine\fR \fIid\fR]
+[\fB\-allow_proxy_certs\fR]
+[\fB\-attime\fR \fItimestamp\fR]
+[\fB\-no_check_time\fR]
+[\fB\-check_ss_sig\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-extended_crl\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-partial_chain\fR]
+[\fB\-policy\fR \fIarg\fR]
+[\fB\-policy_check\fR]
+[\fB\-policy_print\fR]
+[\fB\-purpose\fR \fIpurpose\fR]
+[\fB\-suiteB_128\fR]
+[\fB\-suiteB_128_only\fR]
+[\fB\-suiteB_192\fR]
+[\fB\-trusted_first\fR]
+[\fB\-no_alt_chains\fR]
+[\fB\-use_deltas\fR]
+[\fB\-auth_level\fR \fInum\fR]
+[\fB\-verify_depth\fR \fInum\fR]
+[\fB\-verify_email\fR \fIemail\fR]
+[\fB\-verify_hostname\fR \fIhostname\fR]
+[\fB\-verify_ip\fR \fIip\fR]
+[\fB\-verify_name\fR \fIname\fR]
+[\fB\-x509_strict\fR]
+[\fB\-issuer_checks\fR]
+[\fIhost\fR:\fIport\fR]
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+This command implements a generic SSL/TLS client which
+connects to a remote host using SSL/TLS. It is a \fIvery\fR useful diagnostic
+tool for SSL servers.
+.SH OPTIONS
+.IX Header "OPTIONS"
+In addition to the options below, this command also supports the
+common and client only options documented
+in the "Supported Command Line Commands" section of the \fBSSL_CONF_cmd\fR\|(3)
+manual page.
+.IP \fB\-help\fR 4
+.IX Item "-help"
+Print out a usage message.
+.IP "\fB\-ssl_config\fR \fIsection\fR" 4
+.IX Item "-ssl_config section"
+Use the specified section of the configuration file to configure the \fBSSL_CTX\fR object.
+.IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
+.IX Item "-connect host:port"
+This specifies the host and optional port to connect to. It is possible to
+select the host and port using the optional target positional argument instead.
+If neither this nor the target positional argument are specified then an attempt
+is made to connect to the local host on port 4433.
+.IP "\fB\-host\fR \fIhostname\fR" 4
+.IX Item "-host hostname"
+Host to connect to; use \fB\-connect\fR instead.
+.IP "\fB\-port\fR \fIport\fR" 4
+.IX Item "-port port"
+Connect to the specified port; use \fB\-connect\fR instead.
+.IP "\fB\-bind\fR \fIhost:port\fR" 4
+.IX Item "-bind host:port"
+This specifies the host address and or port to bind as the source for the
+connection. For Unix-domain sockets the port is ignored and the host is
+used as the source socket address.
+.IP "\fB\-proxy\fR \fIhost:port\fR" 4
+.IX Item "-proxy host:port"
+When used with the \fB\-connect\fR flag, the program uses the host and port
+specified with this flag and issues an HTTP CONNECT command to connect
+to the desired server.
+.IP "\fB\-proxy_user\fR \fIuserid\fR" 4
+.IX Item "-proxy_user userid"
+When used with the \fB\-proxy\fR flag, the program will attempt to authenticate
+with the specified proxy using basic (base64) authentication.
+NB: Basic authentication is insecure; the credentials are sent to the proxy
+in easily reversible base64 encoding before any TLS/SSL session is established.
+Therefore, these credentials are easily recovered by anyone able to sniff/trace
+the network. Use with caution.
+.IP "\fB\-proxy_pass\fR \fIarg\fR" 4
+.IX Item "-proxy_pass arg"
+The proxy password source, used with the \fB\-proxy_user\fR flag.
+For more information about the format of \fBarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-unix\fR \fIpath\fR" 4
+.IX Item "-unix path"
+Connect over the specified Unix-domain socket.
+.IP \fB\-4\fR 4
+.IX Item "-4"
+Use IPv4 only.
+.IP \fB\-6\fR 4
+.IX Item "-6"
+Use IPv6 only.
+.IP "\fB\-servername\fR \fIname\fR" 4
+.IX Item "-servername name"
+Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
+the given value.
+If \fB\-servername\fR is not provided, the TLS SNI extension will be populated with
+the name given to \fB\-connect\fR if it follows a DNS name format. If \fB\-connect\fR is
+not provided either, the SNI is set to "localhost".
+This is the default since OpenSSL 1.1.1.
+.Sp
+Even though SNI should normally be a DNS name and not an IP address, if
+\&\fB\-servername\fR is provided then that name will be sent, regardless of whether
+it is a DNS name or not.
+.Sp
+This option cannot be used in conjunction with \fB\-noservername\fR.
+.IP \fB\-noservername\fR 4
+.IX Item "-noservername"
+Suppresses sending of the SNI (Server Name Indication) extension in the
+ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or
+\&\fB\-dane_tlsa_domain\fR options.
+.IP "\fB\-cert\fR \fIfilename\fR" 4
+.IX Item "-cert filename"
+The client certificate to use, if one is requested by the server.
+The default is not to use a certificate.
+.Sp
+The chain for the client certificate may be specified using \fB\-cert_chain\fR.
+.IP "\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
+.IX Item "-certform DER|PEM|P12"
+The client certificate file format to use; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP \fB\-cert_chain\fR 4
+.IX Item "-cert_chain"
+A file or URI of untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the \fB\-cert\fR option.
+The input can be in PEM, DER, or PKCS#12 format.
+.IP \fB\-build_chain\fR 4
+.IX Item "-build_chain"
+Specify whether the application should build the client certificate chain to be
+provided to the server.
+.IP "\fB\-CRL\fR \fIfilename\fR" 4
+.IX Item "-CRL filename"
+CRL file to use to check the server's certificate.
+.IP "\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR" 4
+.IX Item "-CRLform DER|PEM"
+The CRL file format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP \fB\-crl_download\fR 4
+.IX Item "-crl_download"
+Download CRL from distribution points in the certificate.
+.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
+.IX Item "-key filename|uri"
+The client private key to use.
+If not specified then the certificate file will be used to read also the key.
+.IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
+.IX Item "-keyform DER|PEM|P12|ENGINE"
+The key format; unspecified by default.
+See \fBopenssl\-format\-options\fR\|(1) for details.
+.IP "\fB\-pass\fR \fIarg\fR" 4
+.IX Item "-pass arg"
+the private key and certificate file password source.
+For more information about the format of \fIarg\fR
+see \fBopenssl\-passphrase\-options\fR\|(1).
+.IP "\fB\-verify\fR \fIdepth\fR" 4
+.IX Item "-verify depth"
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+.IP \fB\-verify_return_error\fR 4
+.IX Item "-verify_return_error"
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+.IP \fB\-verify_quiet\fR 4
+.IX Item "-verify_quiet"
+Limit verify output to only errors.
+.IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
+.IX Item "-verifyCAfile filename"
+A file in PEM format containing trusted certificates to use
+for verifying the server's certificate.
+.IP "\fB\-verifyCApath\fR \fIdir\fR" 4
+.IX Item "-verifyCApath dir"
+A directory containing trusted certificates to use
+for verifying the server's certificate.
+This directory must be in "hash format",
+see \fBopenssl\-verify\fR\|(1) for more information.
+.IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
+.IX Item "-verifyCAstore uri"
+The URI of a store containing trusted certificates to use
+for verifying the server's certificate.
+.IP "\fB\-chainCAfile\fR \fIfile\fR" 4
+.IX Item "-chainCAfile file"
+A file in PEM format containing trusted certificates to use
+when attempting to build the client certificate chain.
+.IP "\fB\-chainCApath\fR \fIdirectory\fR" 4
+.IX Item "-chainCApath directory"
+A directory containing trusted certificates to use
+for building the client certificate chain provided to the server.
+This directory must be in "hash format",
+see \fBopenssl\-verify\fR\|(1) for more information.
+.IP "\fB\-chainCAstore\fR \fIuri\fR" 4
+.IX Item "-chainCAstore uri"
+The URI of a store containing trusted certificates to use
+when attempting to build the client certificate chain.
+The URI may indicate a single certificate, as well as a collection of them.
+With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
+\&\fB\-chainCApath\fR, depending on if the URI indicates a directory or a
+single file.
+See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
+.IP "\fB\-requestCAfile\fR \fIfile\fR" 4
+.IX Item "-requestCAfile file"
+A file containing a list of certificates whose subject names will be sent
+to the server in the \fBcertificate_authorities\fR extension. Only supported
+for TLS 1.3
+.IP "\fB\-dane_tlsa_domain\fR \fIdomain\fR" 4
+.IX Item "-dane_tlsa_domain domain"
+Enable RFC6698/RFC7671 DANE TLSA authentication and specify the
+TLSA base domain which becomes the default SNI hint and the primary
+reference identifier for hostname checks. This must be used in
+combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR
+option below.
+.Sp
+When DANE authentication succeeds, the diagnostic output will include
+the lowest (closest to 0) depth at which a TLSA record authenticated
+a chain certificate. When that TLSA record is a "2 1 0" trust
+anchor public key that signed (rather than matched) the top-most
+certificate of the chain, the result is reported as "TA public key
+verified". Otherwise, either the TLSA record "matched TA certificate"
+at a positive depth or else "matched EE certificate" at depth 0.
+.IP "\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR" 4
+.IX Item "-dane_tlsa_rrdata rrdata"
+Use one or more times to specify the RRDATA fields of the DANE TLSA
+RRset associated with the target service. The \fIrrdata\fR value is
+specified in "presentation form", that is four whitespace separated
+fields that specify the usage, selector, matching type and associated
+data, with the last of these encoded in hexadecimal. Optional
+whitespace is ignored in the associated data field. For example:
+.Sp
+.Vb 12
+\& $ openssl s_client \-brief \-starttls smtp \e
+\& \-connect smtp.example.com:25 \e
+\& \-dane_tlsa_domain smtp.example.com \e
+\& \-dane_tlsa_rrdata "2 1 1
+\& B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \e
+\& \-dane_tlsa_rrdata "2 1 1
+\& 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18"
+\& ...
+\& Verification: OK
+\& Verified peername: smtp.example.com
+\& DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1
+\& ...
+.Ve
+.IP \fB\-dane_ee_no_namechecks\fR 4
+.IX Item "-dane_ee_no_namechecks"
+This disables server name checks when authenticating via \fBDANE\-EE\fR\|(3) TLSA
+records.
+For some applications, primarily web browsers, it is not safe to disable name
+checks due to "unknown key share" attacks, in which a malicious server can
+convince a client that a connection to a victim server is instead a secure
+connection to the malicious server.
+The malicious server may then be able to violate cross-origin scripting
+restrictions.
+Thus, despite the text of RFC7671, name checks are by default enabled for
+\&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe
+to do so.
+In particular, SMTP and XMPP clients should set this option as SRV and MX
+records already make it possible for a remote domain to redirect client
+connections to any server of its choice, and in any case SMTP and XMPP clients
+do not execute scripts downloaded from remote servers.
+.IP \fB\-reconnect\fR 4
+.IX Item "-reconnect"
+Reconnects to the same server 5 times using the same session ID, this can
+be used as a test that session caching is working.
+.IP \fB\-showcerts\fR 4
+.IX Item "-showcerts"
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+\&\fBnot\fR a verified chain.
+.IP \fB\-prexit\fR 4
+.IX Item "-prexit"
+Print session information when the program exits. This will always attempt
+to print out information even if the connection fails. Normally information
+will only be printed out once if the connection succeeds. This option is useful
+because the cipher in use may be renegotiated or the connection may fail
+because a client certificate is required or is requested only after an
+attempt is made to access a certain URL. Note: the output produced by this
+option is not always accurate because a connection might never have been
+established.
+.IP \fB\-state\fR 4
+.IX Item "-state"
+Prints out the SSL session states.
+.IP \fB\-debug\fR 4
+.IX Item "-debug"
+Print extensive debugging information including a hex dump of all traffic.
+.IP \fB\-nocommands\fR 4
+.IX Item "-nocommands"
+Do not use interactive command letters.
+.IP \fB\-security_debug\fR 4
+.IX Item "-security_debug"
+Enable security debug messages.
+.IP \fB\-security_debug_verbose\fR 4
+.IX Item "-security_debug_verbose"
+Output more security debug output.
+.IP \fB\-msg\fR 4
+.IX Item "-msg"
+Show protocol messages.
+.IP \fB\-timeout\fR 4
+.IX Item "-timeout"
+Enable send/receive timeout on DTLS connections.
+.IP "\fB\-mtu\fR \fIsize\fR" 4
+.IX Item "-mtu size"
+Set MTU of the link layer to the specified size.
+.IP \fB\-no_etm\fR 4
+.IX Item "-no_etm"
+Disable Encrypt-then-MAC negotiation.
+.IP "\fB\-keymatexport\fR \fIlabel\fR" 4
+.IX Item "-keymatexport label"
+Export keying material using the specified label.
+.IP "\fB\-keymatexportlen\fR \fIlen\fR" 4
+.IX Item "-keymatexportlen len"
+Export the specified number of bytes of keying material; default is 20.
+.Sp
+Show all protocol messages with hex dump.
+.IP \fB\-trace\fR 4
+.IX Item "-trace"
+Show verbose trace output of protocol messages.
+.IP "\fB\-msgfile\fR \fIfilename\fR" 4
+.IX Item "-msgfile filename"
+File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
+.IP \fB\-nbio_test\fR 4
+.IX Item "-nbio_test"
+Tests nonblocking I/O
+.IP \fB\-nbio\fR 4
+.IX Item "-nbio"
+Turns on nonblocking I/O
+.IP \fB\-crlf\fR 4
+.IX Item "-crlf"
+This option translated a line feed from the terminal into CR+LF as required
+by some servers.
+.IP \fB\-ign_eof\fR 4
+.IX Item "-ign_eof"
+Inhibit shutting down the connection when end of file is reached in the
+input.
+.IP \fB\-quiet\fR 4
+.IX Item "-quiet"
+Inhibit printing of session and certificate information. This implicitly
+turns on \fB\-ign_eof\fR as well.
+.IP \fB\-no_ign_eof\fR 4
+.IX Item "-no_ign_eof"
+Shut down the connection when end of file is reached in the input.
+Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
+.IP "\fB\-psk_identity\fR \fIidentity\fR" 4
+.IX Item "-psk_identity identity"
+Use the PSK identity \fIidentity\fR when using a PSK cipher suite.
+The default value is "Client_identity" (without the quotes).
+.IP "\fB\-psk\fR \fIkey\fR" 4
+.IX Item "-psk key"
+Use the PSK key \fIkey\fR when using a PSK cipher suite. The key is
+given as a hexadecimal number without leading 0x, for example \-psk
+1a2b3c4d.
+This option must be provided in order to use a PSK cipher.
+.IP "\fB\-psk_session\fR \fIfile\fR" 4
+.IX Item "-psk_session file"
+Use the pem encoded SSL_SESSION data stored in \fIfile\fR as the basis of a PSK.
+Note that this will only work if TLSv1.3 is negotiated.
+.IP \fB\-sctp\fR 4
+.IX Item "-sctp"
+Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
+conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
+available where OpenSSL has support for SCTP enabled.
+.IP \fB\-sctp_label_bug\fR 4
+.IX Item "-sctp_label_bug"
+Use the incorrect behaviour of older OpenSSL implementations when computing
+endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
+older broken implementations but breaks interoperability with correct
+implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
+available where OpenSSL has support for SCTP enabled.
+.IP \fB\-fallback_scsv\fR 4
+.IX Item "-fallback_scsv"
+Send TLS_FALLBACK_SCSV in the ClientHello.
+.IP \fB\-async\fR 4
+.IX Item "-async"
+Switch on asynchronous mode. Cryptographic operations will be performed
+asynchronously. This will only have an effect if an asynchronous capable engine
+is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
+(dasync) can be used (if available).
+.IP "\fB\-maxfraglen\fR \fIlen\fR" 4
+.IX Item "-maxfraglen len"
+Enable Maximum Fragment Length Negotiation; allowed values are
+\&\f(CW512\fR, \f(CW1024\fR, \f(CW2048\fR, and \f(CW4096\fR.
+.IP "\fB\-max_send_frag\fR \fIint\fR" 4
+.IX Item "-max_send_frag int"
+The maximum size of data fragment to send.
+See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information.
+.IP "\fB\-split_send_frag\fR \fIint\fR" 4
+.IX Item "-split_send_frag int"
+The size used to split data for encrypt pipelines. If more data is written in
+one go than this value then it will be split into multiple pipelines, up to the
+maximum number of pipelines defined by max_pipelines. This only has an effect if
+a suitable cipher suite has been negotiated, an engine that supports pipelining
+has been loaded, and max_pipelines is greater than 1. See
+\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information.
+.IP "\fB\-max_pipelines\fR \fIint\fR" 4
+.IX Item "-max_pipelines int"
+The maximum number of encrypt/decrypt pipelines to be used. This will only have
+an effect if an engine has been loaded that supports pipelining (e.g. the dasync
+engine) and a suitable cipher suite has been negotiated. The default value is 1.
+See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information.
+.IP "\fB\-read_buf\fR \fIint\fR" 4
+.IX Item "-read_buf int"
+The default read buffer size to be used for connections. This will only have an
+effect if the buffer size is larger than the size that would otherwise be used
+and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for
+further information).
+.IP \fB\-ignore_unexpected_eof\fR 4
+.IX Item "-ignore_unexpected_eof"
+Some TLS implementations do not send the mandatory close_notify alert on
+shutdown. If the application tries to wait for the close_notify alert but the
+peer closes the connection without sending it, an error is generated. When this
+option is enabled the peer does not need to send the close_notify alert and a
+closed connection will be treated as if the close_notify alert was received.
+For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3).
+.IP \fB\-bugs\fR 4
+.IX Item "-bugs"
+There are several known bugs in SSL and TLS implementations. Adding this
+option enables various workarounds.
+.IP \fB\-comp\fR 4
+.IX Item "-comp"
+Enables support for SSL/TLS compression.
+This option was introduced in OpenSSL 1.1.0.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+.IP \fB\-no_comp\fR 4
+.IX Item "-no_comp"
+Disables support for SSL/TLS compression.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+.IP \fB\-brief\fR 4
+.IX Item "-brief"
+Only provide a brief summary of connection parameters instead of the
+normal verbose output.
+.IP "\fB\-sigalgs\fR \fIsigalglist\fR" 4
+.IX Item "-sigalgs sigalglist"
+Specifies the list of signature algorithms that are sent by the client.
+The server selects one entry in the list based on its preferences.
+For example strings, see \fBSSL_CTX_set1_sigalgs\fR\|(3)
+.IP "\fB\-curves\fR \fIcurvelist\fR" 4
+.IX Item "-curves curvelist"
+Specifies the list of supported curves to be sent by the client. The curve is
+ultimately selected by the server. For a list of all curves, use:
+.Sp
+.Vb 1
+\& $ openssl ecparam \-list_curves
+.Ve
+.IP "\fB\-cipher\fR \fIcipherlist\fR" 4
+.IX Item "-cipher cipherlist"
+This allows the TLSv1.2 and below cipher list sent by the client to be modified.
+This list will be combined with any TLSv1.3 ciphersuites that have been
+configured. Although the server determines which ciphersuite is used it should
+take the first supported cipher in the list sent by the client. See
+\&\fBopenssl\-ciphers\fR\|(1) for more information.
+.IP "\fB\-ciphersuites\fR \fIval\fR" 4
+.IX Item "-ciphersuites val"
+This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
+list will be combined with any TLSv1.2 and below ciphersuites that have been
+configured. Although the server determines which cipher suite is used it should
+take the first supported cipher in the list sent by the client. See
+\&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a simple
+colon (":") separated list of TLSv1.3 ciphersuite names.
+.IP "\fB\-starttls\fR \fIprotocol\fR" 4
+.IX Item "-starttls protocol"
+Send the protocol-specific message(s) to switch to TLS for communication.
+\&\fIprotocol\fR is a keyword for the intended protocol. Currently, the only
+supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
+"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
+.IP "\fB\-xmpphost\fR \fIhostname\fR" 4
+.IX Item "-xmpphost hostname"
+This option, when used with "\-starttls xmpp" or "\-starttls xmpp-server",
+specifies the host for the "to" attribute of the stream element.
+If this option is not specified, then the host specified with "\-connect"
+will be used.
+.Sp
+This option is an alias of the \fB\-name\fR option for "xmpp" and "xmpp-server".
+.IP "\fB\-name\fR \fIhostname\fR" 4
+.IX Item "-name hostname"
+This option is used to specify hostname information for various protocols
+used with \fB\-starttls\fR option. Currently only "xmpp", "xmpp-server",
+"smtp" and "lmtp" can utilize this \fB\-name\fR option.
+.Sp
+If this option is used with "\-starttls xmpp" or "\-starttls xmpp-server",
+if specifies the host for the "to" attribute of the stream element. If this
+option is not specified, then the host specified with "\-connect" will be used.
+.Sp
+If this option is used with "\-starttls lmtp" or "\-starttls smtp", it specifies
+the name to use in the "LMTP LHLO" or "SMTP EHLO" message, respectively. If
+this option is not specified, then "mail.example.com" will be used.
+.IP \fB\-tlsextdebug\fR 4
+.IX Item "-tlsextdebug"
+Print out a hex dump of any TLS extensions received from the server.
+.IP \fB\-no_ticket\fR 4
+.IX Item "-no_ticket"
+Disable RFC4507bis session ticket support.
+.IP "\fB\-sess_out\fR \fIfilename\fR" 4
+.IX Item "-sess_out filename"
+Output SSL session to \fIfilename\fR.
+.IP "\fB\-sess_in\fR \fIfilename\fR" 4
+.IX Item "-sess_in filename"
+Load SSL session from \fIfilename\fR. The client will attempt to resume a
+connection from this session.
+.IP "\fB\-serverinfo\fR \fItypes\fR" 4
+.IX Item "-serverinfo types"
+A list of comma-separated TLS Extension Types (numbers between 0 and
+65535). Each type will be sent as an empty ClientHello TLS Extension.
+The server's response (if any) will be encoded and displayed as a PEM
+file.
+.IP \fB\-status\fR 4
+.IX Item "-status"
+Sends a certificate status request to the server (OCSP stapling). The server
+response (if any) is printed out.
+.IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4
+.IX Item "-alpn protocols, -nextprotoneg protocols"
+These flags enable the Enable the Application-Layer Protocol Negotiation
+or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
+IETF standard and replaces NPN.
+The \fIprotocols\fR list is a comma-separated list of protocol names that
+the client should advertise support for. The list should contain the most
+desirable protocols first. Protocol names are printable ASCII strings,
+for example "http/1.1" or "spdy/3".
+An empty list of protocols is treated specially and will cause the
+client to advertise support for the TLS extension but disconnect just
+after receiving ServerHello with a list of server supported protocols.
+The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
+.IP "\fB\-ct\fR, \fB\-noct\fR" 4
+.IX Item "-ct, -noct"
+Use one of these two options to control whether Certificate Transparency (CT)
+is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR).
+If CT is enabled, signed certificate timestamps (SCTs) will be requested from
+the server and reported at handshake completion.
+.Sp
+Enabling CT also enables OCSP stapling, as this is one possible delivery method
+for SCTs.
+.IP \fB\-ctlogfile\fR 4
+.IX Item "-ctlogfile"
+A file containing a list of known Certificate Transparency logs. See
+\&\fBSSL_CTX_set_ctlog_list_file\fR\|(3) for the expected file format.
+.IP "\fB\-keylogfile\fR \fIfile\fR" 4
+.IX Item "-keylogfile file"
+Appends TLS secrets to the specified keylog file such that external programs
+(like Wireshark) can decrypt TLS connections.
+.IP "\fB\-early_data\fR \fIfile\fR" 4
+.IX Item "-early_data file"
+Reads the contents of the specified file and attempts to send it as early data
+to the server. This will only work with resumed sessions that support early
+data and when the server accepts the early data.
+.IP \fB\-enable_pha\fR 4
+.IX Item "-enable_pha"
+For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
+happen whether or not a certificate has been provided via \fB\-cert\fR.
+.IP "\fB\-use_srtp\fR \fIvalue\fR" 4
+.IX Item "-use_srtp value"
+Offer SRTP key management, where \fBvalue\fR is a colon-separated profile list.
+.IP "\fB\-srpuser\fR \fIvalue\fR" 4
+.IX Item "-srpuser value"
+Set the SRP username to the specified value. This option is deprecated.
+.IP "\fB\-srppass\fR \fIvalue\fR" 4
+.IX Item "-srppass value"
+Set the SRP password to the specified value. This option is deprecated.
+.IP \fB\-srp_lateuser\fR 4
+.IX Item "-srp_lateuser"
+SRP username for the second ClientHello message. This option is deprecated.
+.IP "\fB\-srp_moregroups\fR This option is deprecated." 4
+.IX Item "-srp_moregroups This option is deprecated."
+Tolerate other than the known \fBg\fR and \fBN\fR values.
+.IP "\fB\-srp_strength\fR \fInumber\fR" 4
+.IX Item "-srp_strength number"
+Set the minimal acceptable length, in bits, for \fBN\fR. This option is
+deprecated.
+.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
+.IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3"
+See "TLS Version Options" in \fBopenssl\fR\|(1).
+.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
+.IX Item "-dtls, -dtls1, -dtls1_2"
+These specify the use of DTLS instead of TLS.
+See "TLS Version Options" in \fBopenssl\fR\|(1).
+.IP "\fB\-nameopt\fR \fIoption\fR" 4
+.IX Item "-nameopt option"
+This specifies how the subject or issuer names are displayed.
+See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
+.IP "\fB\-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \fIfile\fR, \fB\-xcertform\fR \fBDER\fR|\fBPEM\fR, \fB\-xkeyform\fR \fBDER\fR|\fBPEM\fR" 4
+.IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyform DER|PEM"
+Set extended certificate verification options.
+See "Extended Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
+.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
+See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.IP "\fB\-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renegotiation\fR, \fB\-legacy_renegotiation\fR, \fB\-no_renegotiation\fR, \fB\-no_resumption_on_reneg\fR, \fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR, \fB\-no_etm\fR \fB\-allow_no_dhe_kex\fR, \fB\-prioritize_chacha\fR, \fB\-strict\fR, \fB\-sigalgs\fR \fIalgs\fR, \fB\-client_sigalgs\fR \fIalgs\fR, \fB\-groups\fR \fIgroups\fR, \fB\-curves\fR \fIcurves\fR, \fB\-named_curve\fR \fIcurve\fR, \fB\-cipher\fR \fIciphers\fR, \fB\-ciphersuites\fR \fI1.3ciphers\fR, \fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR, \fB\-record_padding\fR \fIpadding\fR, \fB\-debug_broken_protocol\fR, \fB\-no_middlebox\fR" 4
+.IX Item "-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no_renegotiation, -no_resumption_on_reneg, -legacy_server_connect, -no_legacy_server_connect, -no_etm -allow_no_dhe_kex, -prioritize_chacha, -strict, -sigalgs algs, -client_sigalgs algs, -groups groups, -curves curves, -named_curve curve, -cipher ciphers, -ciphersuites 1.3ciphers, -min_protocol minprot, -max_protocol maxprot, -record_padding padding, -debug_broken_protocol, -no_middlebox"
+See "SUPPORTED COMMAND LINE COMMANDS" in \fBSSL_CONF_cmd\fR\|(3) for details.
+.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
+.IX Item "-rand files, -writerand file"
+See "Random State Options" in \fBopenssl\fR\|(1) for details.
+.IP "\fB\-provider\fR \fIname\fR" 4
+.IX Item "-provider name"
+.PD 0
+.IP "\fB\-provider\-path\fR \fIpath\fR" 4
+.IX Item "-provider-path path"
+.IP "\fB\-propquery\fR \fIpropq\fR" 4
+.IX Item "-propquery propq"
+.PD
+See "Provider Options" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
+.IP "\fB\-engine\fR \fIid\fR" 4
+.IX Item "-engine id"
+See "Engine Options" in \fBopenssl\fR\|(1).
+This option is deprecated.
+.IP "\fB\-ssl_client_engine\fR \fIid\fR" 4
+.IX Item "-ssl_client_engine id"
+Specify engine to be used for client certificate operations.
+.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
+.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
+Set various options of certificate chain verification.
+See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
+.Sp
+Verification errors are displayed, for debugging, but the command will
+proceed unless the \fB\-verify_return_error\fR option is used.
+.IP \fIhost\fR:\fIport\fR 4
+.IX Item "host:port"
+Rather than providing \fB\-connect\fR, the target hostname and optional port may
+be provided as a single positional argument after all options. If neither this
+nor \fB\-connect\fR are provided, falls back to attempting to connect to
+\&\fIlocalhost\fR on port \fI4433\fR.
+.SH "CONNECTED COMMANDS"
+.IX Header "CONNECTED COMMANDS"
+If a connection is established with an SSL server then any data received
+from the server is displayed and any key presses will be sent to the
+server. If end of file is reached then the connection will be closed down. When
+used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been
+given), then certain commands are also recognized which perform special
+operations. These commands are a letter which must appear at the start of a
+line. They are listed below.
+.IP \fBQ\fR 4
+.IX Item "Q"
+End the current SSL connection and exit.
+.IP \fBR\fR 4
+.IX Item "R"
+Renegotiate the SSL session (TLSv1.2 and below only).
+.IP \fBk\fR 4
+.IX Item "k"
+Send a key update message to the server (TLSv1.3 only)
+.IP \fBK\fR 4
+.IX Item "K"
+Send a key update message to the server and request one back (TLSv1.3 only)
+.SH NOTES
+.IX Header "NOTES"
+This command can be used to debug SSL servers. To connect to an SSL HTTP
+server the command:
+.PP
+.Vb 1
+\& openssl s_client \-connect servername:443
+.Ve
+.PP
+would typically be used (https uses port 443). If the connection succeeds
+then an HTTP command can be given such as "GET /" to retrieve a web page.
+.PP
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the \fB\-bugs\fR,
+\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
+in case it is a buggy server. In particular you should play with these
+options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
+.PP
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its "acceptable CA list" when it
+requests a certificate. By using this command, the CA list can be viewed
+and checked. However, some servers only request client authentication
+after a specific URL is requested. To obtain the list in this case it
+is necessary to use the \fB\-prexit\fR option and send an HTTP request
+for an appropriate page.
+.PP
+If a certificate is specified on the command line using the \fB\-cert\fR
+option it will not be used unless the server specifically requests
+a client certificate. Therefore, merely including a client certificate
+on the command line is no guarantee that the certificate works.
+.PP
+If there are problems verifying a server certificate then the
+\&\fB\-showcerts\fR option can be used to show all the certificates sent by the
+server.
+.PP
+This command is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. Non-test
+applications should \fBnot\fR do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the \fB\-verify_return_error\fR
+option: any verify errors are then returned aborting the handshake.
+.PP
+The \fB\-bind\fR option may be useful if the server or a firewall requires
+connections to come from some particular address and or port.
+.SH BUGS
+.IX Header "BUGS"
+Because this program has a lot of options and also because some of the
+techniques used are rather old, the C source for this command is rather
+hard to read and not a model of how things should be done.
+A typical SSL client program would be much simpler.
+.PP
+The \fB\-prexit\fR option is a bit of a hack. We should really report
+information whenever a session is renegotiated.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-sess_id\fR\|(1),
+\&\fBopenssl\-s_server\fR\|(1),
+\&\fBopenssl\-ciphers\fR\|(1),
+\&\fBSSL_CONF_cmd\fR\|(3),
+\&\fBSSL_CTX_set_max_send_fragment\fR\|(3),
+\&\fBSSL_CTX_set_split_send_fragment\fR\|(3),
+\&\fBSSL_CTX_set_max_pipelines\fR\|(3),
+\&\fBossl_store\-file\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0.
+The \fB\-name\fR option was added in OpenSSL 1.1.1.
+.PP
+The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect.
+.PP
+The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.