Diffstat (limited to 'upstream/debian-unstable/man1/openssl-s_server.1ssl')
-rw-r--r--upstream/debian-unstable/man1/openssl-s_server.1ssl78
1 files changed, 73 insertions, 5 deletions
diff --git a/upstream/debian-unstable/man1/openssl-s_server.1ssl b/upstream/debian-unstable/man1/openssl-s_server.1ssl
index 46056cb7..1c5cfe80 100644
--- a/upstream/debian-unstable/man1/openssl-s_server.1ssl
+++ b/upstream/debian-unstable/man1/openssl-s_server.1ssl
@@ -55,7 +55,7 @@
.\" ========================================================================
.\"
.IX Title "OPENSSL-S_SERVER 1SSL"
-.TH OPENSSL-S_SERVER 1SSL 2024-02-03 3.1.5 OpenSSL
+.TH OPENSSL-S_SERVER 1SSL 2024-04-04 3.2.2-dev OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -128,6 +128,7 @@ openssl\-s_server \- SSL/TLS server program
[\fB\-ign_eof\fR]
[\fB\-no_ign_eof\fR]
[\fB\-no_etm\fR]
+[\fB\-no_ems\fR]
[\fB\-status\fR]
[\fB\-status_verbose\fR]
[\fB\-status_timeout\fR \fIint\fR]
@@ -148,6 +149,8 @@ openssl\-s_server \- SSL/TLS server program
[\fB\-naccept\fR \fI+int\fR]
[\fB\-read_buf\fR \fI+int\fR]
[\fB\-bugs\fR]
+[\fB\-no_tx_cert_comp\fR]
+[\fB\-no_rx_cert_comp\fR]
[\fB\-no_comp\fR]
[\fB\-comp\fR]
[\fB\-no_ticket\fR]
@@ -184,7 +187,9 @@ openssl\-s_server \- SSL/TLS server program
[\fB\-no_dhe\fR]
[\fB\-nextprotoneg\fR \fIval\fR]
[\fB\-alpn\fR \fIval\fR]
+[\fB\-ktls\fR]
[\fB\-sendfile\fR]
+[\fB\-zerocopy_sendfile\fR]
[\fB\-keylogfile\fR \fIoutfile\fR]
[\fB\-recv_max_early_data\fR \fIint\fR]
[\fB\-max_early_data\fR \fIint\fR]
@@ -193,6 +198,8 @@ openssl\-s_server \- SSL/TLS server program
[\fB\-anti_replay\fR]
[\fB\-no_anti_replay\fR]
[\fB\-num_tickets\fR]
+[\fB\-tfo\fR]
+[\fB\-cert_comp\fR]
[\fB\-nameopt\fR \fIoption\fR]
[\fB\-no_ssl3\fR]
[\fB\-no_tls1\fR]
@@ -282,6 +289,8 @@ openssl\-s_server \- SSL/TLS server program
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
+[\fB\-enable_server_rpk\fR]
+[\fB\-enable_client_rpk\fR]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
This command implements a generic SSL/TLS server which
@@ -562,6 +571,9 @@ Do not ignore input EOF.
.IP \fB\-no_etm\fR 4
.IX Item "-no_etm"
Disable Encrypt-then-MAC negotiation.
+.IP \fB\-no_ems\fR 4
+.IX Item "-no_ems"
+Disable Extended master secret negotiation.
.IP \fB\-status\fR 4
.IX Item "-status"
Enables certificate status request support (aka OCSP stapling).
@@ -650,6 +662,12 @@ further information).
.IX Item "-bugs"
There are several known bugs in SSL and TLS implementations. Adding this
option enables various workarounds.
+.IP \fB\-no_tx_cert_comp\fR 4
+.IX Item "-no_tx_cert_comp"
+Disables support for sending TLSv1.3 compressed certificates.
+.IP \fB\-no_rx_cert_comp\fR 4
+.IX Item "-no_rx_cert_comp"
+Disables support for receiving TLSv1.3 compressed certificates.
.IP \fB\-no_comp\fR 4
.IX Item "-no_comp"
Disable negotiation of TLS compression.
@@ -657,10 +675,14 @@ TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
.IP \fB\-comp\fR 4
.IX Item "-comp"
-Enable negotiation of TLS compression.
+Enables support for SSL/TLS compression.
This option was introduced in OpenSSL 1.1.0.
TLS compression is not recommended and is off by default as of
-OpenSSL 1.1.0.
+OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
+lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
+option will have no effect without also changing the security level. Use the
+\&\fB\-cipher\fR option to change the security level. See \fBopenssl\-ciphers\fR\|(1) for
+more information.
.IP \fB\-no_ticket\fR 4
.IX Item "-no_ticket"
Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
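Review bot: the replacement line "Enables support for SSL/TLS compression." changes voice relative to the sibling -no_comp entry ("Disable negotiation of TLS compression.") and the deleted "Enable negotiation of TLS compression."; keep the imperative form for consistency. The added security-level paragraph is the important part, and gating the option behind level 1 or lower is right, but it repeats "not recommended" without saying why; one clause (compressing attacker-influenced data together with secrets leaks those secrets through ciphertext length) would justify the gate. It would also help to show the exact -cipher syntax for lowering the security level rather than only pointing to openssl-ciphers(1).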
@@ -789,11 +811,25 @@ names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
+.IP \fB\-ktls\fR 4
+.IX Item "-ktls"
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.2.0.
+Kernel TLS is off by default as of OpenSSL 3.2.0.
.IP \fB\-sendfile\fR 4
.IX Item "-sendfile"
If this option is set and KTLS is enabled, \fBSSL_sendfile()\fR will be used
instead of \fBBIO_write()\fR to send the HTTP response requested by a client.
-This option is only valid if \fB\-WWW\fR or \fB\-HTTP\fR is specified.
+This option is only valid when \fB\-ktls\fR along with \fB\-WWW\fR or \fB\-HTTP\fR
+are specified.
+.IP \fB\-zerocopy_sendfile\fR 4
+.IX Item "-zerocopy_sendfile"
+If this option is set, \fBSSL_sendfile()\fR will use the zerocopy TX mode, which gives
+a performance boost when used with KTLS hardware offload. Note that invalid
+TLS records might be transmitted if the file is changed while being sent.
+This option depends on \fB\-sendfile\fR; when used alone, \fB\-sendfile\fR is implied,
+and a warning is shown. Note that KTLS sendfile on FreeBSD always runs in the
+zerocopy mode.
.IP "\fB\-keylogfile\fR \fIoutfile\fR" 4
.IX Item "-keylogfile outfile"
Appends TLS secrets to the specified keylog file such that external programs
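Review bot: grammar in the rewritten -sendfile sentence: "when -ktls along with -WWW or -HTTP are specified" should read "is specified" (the subject is -ktls; "along with" does not make it plural), or better "only valid when -ktls is specified together with -WWW or -HTTP". In the -zerocopy_sendfile entry, "when used alone, -sendfile is implied" leaves open what happens when -ktls is absent, given that -sendfile itself is documented as valid only with -ktls; say whether the option is then rejected or silently ignored. The caveat that changing the file mid-send can emit invalid TLS records is the right thing to document; it could add that zerocopy mode should only be used for files that are immutable while being served.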
@@ -823,6 +859,12 @@ automatically detect if a session ticket has been used more than once, TLSv1.3
has been negotiated, and early data is enabled on the server. A full handshake
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.
+.IP \fB\-tfo\fR 4
+.IX Item "-tfo"
+Enable acceptance of TCP Fast Open (RFC7413) connections.
+.IP \fB\-cert_comp\fR 4
+.IX Item "-cert_comp"
+Pre-compresses certificates (RFC8879) that will be sent during the handshake.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
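Review bot: the -cert_comp entry does not describe its interaction with the -no_tx_cert_comp option added earlier in this patch (which one wins when both are given, and whether -cert_comp has any effect when the peer does not advertise support for RFC8879 compression); one sentence cross-referencing -no_tx_cert_comp would close that. The -tfo entry should note that TCP Fast Open needs operating-system support and what happens when it is unavailable, since the synopsis lists the option unconditionally.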
@@ -868,6 +910,24 @@ See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for deta
If the server requests a client certificate, then
verification errors are displayed, for debugging, but the command will
proceed unless the \fB\-verify_return_error\fR option is used.
+.IP \fB\-enable_server_rpk\fR 4
+.IX Item "-enable_server_rpk"
+Enable support for sending raw public keys (RFC7250) to the client.
+A raw public key will be sent by the server, if solicited by the client,
+provided a suitable key and public certificate pair is configured.
+Clients that don't support raw public keys or prefer to use X.509
+certificates can still elect to receive X.509 certificates as usual.
+.Sp
+Raw public keys are extracted from the configured certificate/private key.
+.IP \fB\-enable_client_rpk\fR 4
+.IX Item "-enable_client_rpk"
+Enable support for receiving raw public keys (RFC7250) from the client.
+Use of X.509 certificates by the client becomes optional, and clients that
+support raw public keys may elect to use them.
+Clients that don't support raw public keys or prefer to use X.509
+certificates can still elect to send X.509 certificates as usual.
+.Sp
+Raw public keys are extracted from the configured certificate/private key.
.SH "CONNECTED COMMANDS"
.IX Header "CONNECTED COMMANDS"
If a connection request is established with an SSL client and neither the
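Review bot: the closing sentence "Raw public keys are extracted from the configured certificate/private key." is copied verbatim into both entries, but for -enable_client_rpk the raw key in question is the client's, which the server receives rather than extracts from its own configuration; drop or reword it there. Both entries should also say how a received raw public key is authenticated, since there is no X.509 chain for the -verify options to check; the context lines just above say verification errors are displayed for client certificates, and readers will want to know whether that applies to raw keys too.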
@@ -954,9 +1014,17 @@ The
.PP
The \fB\-srpvfile\fR, \fB\-srpuserseed\fR, and \fB\-engine\fR
option were deprecated in OpenSSL 3.0.
+.PP
+The
+\&\fB\-enable_client_rpk\fR,
+\&\fB\-enable_server_rpk\fR,
+\&\fB\-no_rx_cert_comp\fR,
+\&\fB\-no_tx_cert_comp\fR,
+and \fB\-tfo\fR
+options were added in OpenSSL 3.2.
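Review bot: the new HISTORY paragraph lists five options but omits others introduced by this same patch: the -ktls entry itself says "This option was introduced in OpenSSL 3.2.0", and -zerocopy_sendfile, -cert_comp and -no_ems are documented here for the first time with no history entry. Either list them all or state which ones predate 3.2. Also use one version format: the option entries say "3.2.0" while this paragraph says "3.2".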
.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy