OLD | NEW |
1 | 1 |
2 =pod | 2 =pod |
3 | 3 |
4 =head1 NAME | 4 =head1 NAME |
5 | 5 |
6 s_client - SSL/TLS client program | 6 s_client - SSL/TLS client program |
7 | 7 |
8 =head1 SYNOPSIS | 8 =head1 SYNOPSIS |
9 | 9 |
10 B<openssl> B<s_client> | 10 B<openssl> B<s_client> |
(...skipping 83 matching lines...)
94 | 94 |
95 The directory to use for server certificate verification. This directory | 95 The directory to use for server certificate verification. This directory |
96 must be in "hash format", see B<verify> for more information. These are | 96 must be in "hash format", see B<verify> for more information. These are |
97 also used when building the client certificate chain. | 97 also used when building the client certificate chain. |
98 | 98 |
99 =item B<-CAfile file> | 99 =item B<-CAfile file> |
100 | 100 |
101 A file containing trusted certificates to use during server authentication | 101 A file containing trusted certificates to use during server authentication |
102 and to use when attempting to build the client certificate chain. | 102 and to use when attempting to build the client certificate chain. |
103 | 103 |
| 104 =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all,
-policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> |
| 105 |
| 106 Set various certificate chain valiadition option. See the |
| 107 L<B<verify>|verify(1)> manual page for details. |
| 108 |
104 =item B<-reconnect> | 109 =item B<-reconnect> |
105 | 110 |
106 reconnects to the same server 5 times using the same session ID, this can | 111 reconnects to the same server 5 times using the same session ID, this can |
107 be used as a test that session caching is working. | 112 be used as a test that session caching is working. |
108 | 113 |
109 =item B<-pause> | 114 =item B<-pause> |
110 | 115 |
111 pauses 1 second between each read and write call. | 116 pauses 1 second between each read and write call. |
112 | 117 |
113 =item B<-showcerts> | 118 =item B<-showcerts> |
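Review bot: the new B<-purpose, ...> item has a typo and a missing separator: "valiadition option" should read "validation options", and "-policy -check_ss_sig" at the end of the list reads as a single option while every other entry is comma-separated, so either write "-policy, -check_ss_sig" or, since -policy_check already appears earlier in the same list, confirm that -policy (which, unlike the rest, takes an argument) is meant to be listed here at all. Two smaller points: the rest of this page links manual pages as L<verify(1)|verify(1)> (see SEE ALSO) rather than L<B<verify>|verify(1)>, and the very long =item line would be easier to maintain if it were wrapped like the other long items in the file.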
(...skipping 40 matching lines...)
154 =item B<-ign_eof> | 159 =item B<-ign_eof> |
155 | 160 |
156 inhibit shutting down the connection when end of file is reached in the | 161 inhibit shutting down the connection when end of file is reached in the |
157 input. | 162 input. |
158 | 163 |
159 =item B<-quiet> | 164 =item B<-quiet> |
160 | 165 |
161 inhibit printing of session and certificate information. This implicitly | 166 inhibit printing of session and certificate information. This implicitly |
162 turns on B<-ign_eof> as well. | 167 turns on B<-ign_eof> as well. |
163 | 168 |
| 169 =item B<-psk_identity identity> |
| 170 |
| 171 Use the PSK identity B<identity> when using a PSK cipher suite. |
| 172 |
| 173 =item B<-psk key> |
| 174 |
| 175 Use the PSK key B<key> when using a PSK cipher suite. The key is |
| 176 given as a hexadecimal number without leading 0x, for example -psk |
| 177 1a2b3c4d. |
| 178 |
164 =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> | 179 =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> |
165 | 180 |
166 these options disable the use of certain SSL or TLS protocols. By default | 181 these options disable the use of certain SSL or TLS protocols. By default |
167 the initial handshake uses a method which should be compatible with all | 182 the initial handshake uses a method which should be compatible with all |
168 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. | 183 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. |
169 | 184 |
170 Unfortunately there are a lot of ancient and broken servers in use which | 185 Unfortunately there are a lot of ancient and broken servers in use which |
171 cannot handle this technique and will fail to connect. Some servers only | 186 cannot handle this technique and will fail to connect. Some servers only |
172 work if TLS is turned off with the B<-no_tls> option others will only | 187 work if TLS is turned off with the B<-no_tls> option others will only |
173 support SSL v2 and may need the B<-ssl2> option. | 188 support SSL v2 and may need the B<-ssl2> option. |
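Review bot: the new B<-psk key> text documents a secret supplied as a plain command-line argument without saying so; one sentence noting that the key is visible to other users of the machine through the process list and is likely to be kept in shell history would let readers judge where this option is safe to use (a test rig versus a shared host). Smaller points: the example "-psk 1a2b3c4d" is split across a line break and would be clearer as a code span such as C<-psk 1a2b3c4d>, and both new items should say whether anything else is required to select a PSK cipher suite (for example via B<-cipher>), since "when using a PSK cipher suite" leaves that to the reader. Also visible in this hunk's trailing context, though not touched by the change: the paragraph below the B<-ssl2> item refers to B<-no_tls>, while the item heading lists the option as B<-no_tls1>.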
(...skipping 11 matching lines...)
185 command for more information. | 200 command for more information. |
186 | 201 |
187 =item B<-starttls protocol> | 202 =item B<-starttls protocol> |
188 | 203 |
189 send the protocol-specific message(s) to switch to TLS for communication. | 204 send the protocol-specific message(s) to switch to TLS for communication. |
190 B<protocol> is a keyword for the intended protocol. Currently, the only | 205 B<protocol> is a keyword for the intended protocol. Currently, the only |
191 supported keywords are "smtp", "pop3", "imap", and "ftp". | 206 supported keywords are "smtp", "pop3", "imap", and "ftp". |
192 | 207 |
193 =item B<-tlsextdebug> | 208 =item B<-tlsextdebug> |
194 | 209 |
195 print out a hex dump of any TLS extensions received from the server. Note: this | 210 print out a hex dump of any TLS extensions received from the server. |
196 option is only available if extension support is explicitly enabled at compile | |
197 time | |
198 | 211 |
199 =item B<-no_ticket> | 212 =item B<-no_ticket> |
200 | 213 |
201 disable RFC4507bis session ticket support. Note: this option is only available | 214 disable RFC4507bis session ticket support. |
202 if extension support is explicitly enabled at compile time | |
203 | 215 |
204 =item B<-sess_out filename> | 216 =item B<-sess_out filename> |
205 | 217 |
206 output SSL session to B<filename> | 218 output SSL session to B<filename> |
207 | 219 |
208 =item B<-sess_in sess.pem> | 220 =item B<-sess_in sess.pem> |
209 | 221 |
210 load SSL session from B<filename>. The client will attempt to resume a | 222 load SSL session from B<filename>. The client will attempt to resume a |
211 connection from this session. | 223 connection from this session. |
212 | 224 |
213 =item B<-engine id> | 225 =item B<-engine id> |
214 | 226 |
215 specifying an engine (by it's unique B<id> string) will cause B<s_client> | 227 specifying an engine (by its unique B<id> string) will cause B<s_client> |
216 to attempt to obtain a functional reference to the specified engine, | 228 to attempt to obtain a functional reference to the specified engine, |
217 thus initialising it if needed. The engine will then be set as the default | 229 thus initialising it if needed. The engine will then be set as the default |
218 for all available algorithms. | 230 for all available algorithms. |
219 | 231 |
220 =item B<-rand file(s)> | 232 =item B<-rand file(s)> |
221 | 233 |
222 a file or files containing random data used to seed the random number | 234 a file or files containing random data used to seed the random number |
223 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). | 235 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). |
224 Multiple files can be specified separated by a OS-dependent character. | 236 Multiple files can be specified separated by a OS-dependent character. |
225 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | 237 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
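Review bot: removing the "only available if extension support is explicitly enabled at compile time" sentences from B<-tlsextdebug> and B<-no_ticket> is fine only if extension support is now built unconditionally; the page should still say from which release that holds, because readers on older builds will otherwise be told these options exist when their binary lacks them. The B<-no_ticket> text also still cites the draft name "RFC4507bis"; if the session ticket specification has a published RFC number at the time of this change, cite that instead. Two pre-existing inconsistencies in this region's context are worth fixing in the same commit: the heading B<-sess_in sess.pem> is described as loading from B<filename>, so it should read B<-sess_in filename> to match B<-sess_out filename>, and "a OS-dependent character" should be "an OS-dependent character".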
(...skipping 41 matching lines...)
267 a client certificate. Therefor merely including a client certificate | 279 a client certificate. Therefor merely including a client certificate |
268 on the command line is no guarantee that the certificate works. | 280 on the command line is no guarantee that the certificate works. |
269 | 281 |
270 If there are problems verifying a server certificate then the | 282 If there are problems verifying a server certificate then the |
271 B<-showcerts> option can be used to show the whole chain. | 283 B<-showcerts> option can be used to show the whole chain. |
272 | 284 |
273 Since the SSLv23 client hello cannot include compression methods or extensions | 285 Since the SSLv23 client hello cannot include compression methods or extensions |
274 these will only be supported if its use is disabled, for example by using the | 286 these will only be supported if its use is disabled, for example by using the |
275 B<-no_sslv2> option. | 287 B<-no_sslv2> option. |
276 | 288 |
277 TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly | |
278 enabled at compile time using for example the B<enable-tlsext> switch. | |
279 | |
280 =head1 BUGS | 289 =head1 BUGS |
281 | 290 |
282 Because this program has a lot of options and also because some of | 291 Because this program has a lot of options and also because some of |
283 the techniques used are rather old, the C source of s_client is rather | 292 the techniques used are rather old, the C source of s_client is rather |
284 hard to read and not a model of how things should be done. A typical | 293 hard to read and not a model of how things should be done. A typical |
285 SSL client program would be much simpler. | 294 SSL client program would be much simpler. |
286 | 295 |
287 The B<-verify> option should really exit if the server verification | 296 The B<-verify> option should really exit if the server verification |
288 fails. | 297 fails. |
289 | 298 |
290 The B<-prexit> option is a bit of a hack. We should really report | 299 The B<-prexit> option is a bit of a hack. We should really report |
291 information whenever a session is renegotiated. | 300 information whenever a session is renegotiated. |
292 | 301 |
293 =head1 SEE ALSO | 302 =head1 SEE ALSO |
294 | 303 |
295 L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> | 304 L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> |
296 | 305 |
297 =cut | 306 =cut |
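Review bot: deleting the NOTES paragraph about B<enable-tlsext> removes the only statement on this page of which OpenSSL version needs extensions enabled at compile time; if the motivation is that extensions are now compiled in by default, a one-line replacement in NOTES saying so, and naming the first release where it applies, keeps the page correct for anyone still on a 0.9.8 build without them. The surrounding NOTES text, unchanged by this diff, also refers to B<-no_sslv2>, whereas the option documented earlier on this page is B<-no_ssl2>, and "Therefor merely including" should read "Therefore merely including".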