| version 1.65, 2016/08/30 07:53:59 |
version 1.66, 2016/09/01 08:26:44 |
|
|
| .Fl keysig |
.Fl keysig |
| option marks the key for signing only. |
option marks the key for signing only. |
| Signing only keys can be used for S/MIME signing, authenticode |
Signing only keys can be used for S/MIME signing, authenticode |
| .Pq ActiveX control signing |
(ActiveX control signing) |
| and SSL client authentication. |
and SSL client authentication. |
| .It Fl macalg Ar alg |
.It Fl macalg Ar alg |
| Specify the MAC digest algorithm. |
Specify the MAC digest algorithm. |
| The default is SHA1. |
The default is SHA1. |
| .It Fl maciter |
.It Fl maciter |
| Included for compatability only: |
Included for compatibility only: |
| it used to be needed to use MAC iterations counts |
it used to be needed to use MAC iterations counts |
| but they are now used by default. |
but they are now used by default. |
| .It Fl name Ar name |
.It Fl name Ar name |
|
|
| .It Fl verify |
.It Fl verify |
| Verify the input data and output the recovered data. |
Verify the input data and output the recovered data. |
| .El |
.El |
| .\" |
|
| .\" S_CLIENT |
|
| .\" |
|
| .Sh S_CLIENT |
.Sh S_CLIENT |
| .nr nS 1 |
.nr nS 1 |
| .Nm "openssl s_client" |
.Nm "openssl s_client" |
| .Bk -words |
|
| .Op Fl 4 | 6 |
.Op Fl 4 | 6 |
| .Op Fl bugs |
.Op Fl bugs |
| .Op Fl CAfile Ar file |
.Op Fl CAfile Ar file |
|
|
| .Op Fl cert Ar file |
.Op Fl cert Ar file |
| .Op Fl check_ss_sig |
.Op Fl check_ss_sig |
| .Op Fl cipher Ar cipherlist |
.Op Fl cipher Ar cipherlist |
| .Oo |
.Op Fl connect Ar host Ns Op : Ns Ar port |
| .Fl connect Ar host : Ns Ar port | |
|
| .Ar host Ns / Ns Ar port |
|
| .Oc |
|
| .Op Fl crl_check |
.Op Fl crl_check |
| .Op Fl crl_check_all |
.Op Fl crl_check_all |
| .Op Fl crlf |
.Op Fl crlf |
|
|
| .Op Fl verify Ar depth |
.Op Fl verify Ar depth |
| .Op Fl x509_strict |
.Op Fl x509_strict |
| .Op Fl xmpphost Ar host |
.Op Fl xmpphost Ar host |
| .Ek |
|
| .nr nS 0 |
.nr nS 0 |
| .Pp |
.Pp |
| The |
The |
| .Nm s_client |
.Nm s_client |
| command implements a generic SSL/TLS client which connects |
command implements a generic SSL/TLS client which connects |
| to a remote host using SSL/TLS. |
to a remote host using SSL/TLS. |
| It is a |
|
| .Em very |
|
| useful diagnostic tool for SSL servers. |
|
| .Pp |
.Pp |
| |
If a connection is established with an SSL server, any data received |
| |
from the server is displayed and any key presses will be sent to the |
| |
server. |
| |
When used interactively (which means neither |
| |
.Fl quiet |
| |
nor |
| |
.Fl ign_eof |
| |
have been given), the session will be renegotiated if the line begins with an |
| |
.Cm R ; |
| |
if the line begins with a |
| |
.Cm Q |
| |
or if end of file is reached, the connection will be closed down. |
| |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl 4 |
.It Fl 4 |
| Specify that |
Attempt connections using IPv4 only. |
| .Nm s_client |
|
| should attempt connections using IPv4 only. |
|
| .It Fl 6 |
.It Fl 6 |
| Specify that |
Attempt connections using IPv6 only. |
| .Nm s_client |
|
| should attempt connections using IPv6 only. |
|
| .It Fl bugs |
.It Fl bugs |
| There are several known bugs in SSL and TLS implementations. |
Enable various workarounds for buggy implementations. |
| Adding this option enables various workarounds. |
|
| .It Fl CAfile Ar file |
.It Fl CAfile Ar file |
| A |
A |
| .Ar file |
.Ar file |
|
|
| .Xc |
.Xc |
| Set various certificate chain validation options. |
Set various certificate chain validation options. |
| See the |
See the |
| .Nm VERIFY |
.Nm verify |
| command for details. |
command for details. |
| .It Fl cipher Ar cipherlist |
.It Fl cipher Ar cipherlist |
| This allows the cipher list sent by the client to be modified. |
Modify the cipher list sent by the client. |
| Although the server determines which cipher suite is used, it should take |
Although the server determines which cipher suite is used, it should take |
| the first supported cipher in the list sent by the client. |
the first supported cipher in the list sent by the client. |
| See the |
See the |
| .Sx CIPHERS |
.Nm ciphers |
| section above for more information. |
command for more information. |
| .It Xo |
.It Fl connect Ar host Ns Op : Ns Ar port |
| .Fl connect Ar host : Ns Ar port | |
The |
| .Ar host Ns / Ns Ar port |
|
| .Xc |
|
| This specifies the |
|
| .Ar host |
.Ar host |
| and optional |
and |
| .Ar port |
.Ar port |
| to connect to. |
to connect to. |
| If not specified, an attempt is made to connect to the local host |
If not specified, an attempt is made to connect to the local host |
| on port 4433. |
on port 4433. |
| Alternatively, the host and port pair may be separated using a forward-slash |
Alternatively, the host and port pair may be separated using a forward-slash |
| character. |
character, |
| This form is useful for numeric IPv6 addresses. |
which is useful for numeric IPv6 addresses. |
| .It Fl crlf |
.It Fl crlf |
| This option translates a line feed from the terminal into CR+LF as required |
Translate a line feed from the terminal into CR+LF, |
| by some servers. |
as required by some servers. |
| .It Fl debug |
.It Fl debug |
| Print extensive debugging information including a hex dump of all traffic. |
Print extensive debugging information, including a hex dump of all traffic. |
| .It Fl ign_eof |
.It Fl ign_eof |
| Inhibit shutting down the connection when end of file is reached in the |
Inhibit shutting down the connection when end of file is reached in the input. |
| input. |
|
| .It Fl key Ar keyfile |
.It Fl key Ar keyfile |
| The private key to use. |
The private key to use. |
| If not specified, the certificate file will be used. |
If not specified, the certificate file will be used. |
| .It Fl msg |
.It Fl msg |
| Show all protocol messages with hex dump. |
Show all protocol messages with hex dump. |
| .It Fl nbio |
.It Fl nbio |
| Turns on non-blocking I/O. |
Turn on non-blocking I/O. |
| .It Fl nbio_test |
.It Fl nbio_test |
| Tests non-blocking I/O. |
Test non-blocking I/O. |
| .It Fl no_tls1 | no_tls1_1 | no_tls1_2 |
.It Fl no_tls1 | no_tls1_1 | no_tls1_2 |
| By default, the initial handshake uses a method which should be compatible |
Disable the use of TLS1.0, 1.1, and 1.2, respectively. |
| with servers supporting any version of TLS. |
|
| These options disable the use of TLS1.0, 1.1, and 1.2, respectively. |
|
| .Pp |
|
| Unfortunately there are a lot of ancient and broken servers in use which |
|
| cannot handle this technique and will fail to connect. |
|
| .It Fl no_ticket |
.It Fl no_ticket |
| Disable RFC 4507 session ticket support. |
Disable RFC 4507 session ticket support. |
| .It Fl pause |
.It Fl pause |
| Pauses 1 second between each read and write call. |
Pause 1 second between each read and write call. |
| .It Fl prexit |
.It Fl prexit |
| Print session information when the program exits. |
Print session information when the program exits. |
| This will always attempt |
This will always attempt |
|
|
| This option is useful because the cipher in use may be renegotiated |
This option is useful because the cipher in use may be renegotiated |
| or the connection may fail because a client certificate is required or is |
or the connection may fail because a client certificate is required or is |
| requested only after an attempt is made to access a certain URL. |
requested only after an attempt is made to access a certain URL. |
| .Sy Note : |
Note that the output produced by this option is not always accurate |
| the output produced by this option is not always accurate because a |
because a connection might never have been established. |
| connection might never have been established. |
|
| .It Fl proxy Ar host : Ns Ar port |
.It Fl proxy Ar host : Ns Ar port |
| Use the HTTP proxy at |
Use the HTTP proxy at |
| .Ar host |
.Ar host |
|
|
| The key is given as a hexadecimal number without the leading 0x, |
The key is given as a hexadecimal number without the leading 0x, |
| for example -psk 1a2b3c4d. |
for example -psk 1a2b3c4d. |
| .It Fl psk_identity Ar identity |
.It Fl psk_identity Ar identity |
| Use the PSK identity |
Use the PSK |
| .Ar identity |
.Ar identity |
| when using a PSK cipher suite. |
when using a PSK cipher suite. |
| .It Fl quiet |
.It Fl quiet |
|
|
| .Fl ign_eof |
.Fl ign_eof |
| as well. |
as well. |
| .It Fl reconnect |
.It Fl reconnect |
| Reconnects to the same server 5 times using the same session ID; this can |
Reconnect to the same server 5 times using the same session ID; this can |
| be used as a test that session caching is working. |
be used as a test that session caching is working. |
| .It Fl servername Ar name |
.It Fl servername Ar name |
| Include the TLS Server Name Indication (SNI) extension in the ClientHello |
Include the TLS Server Name Indication (SNI) extension in the ClientHello |
|
|
| Display the whole server certificate chain: normally only the server |
Display the whole server certificate chain: normally only the server |
| certificate itself is displayed. |
certificate itself is displayed. |
| .It Fl starttls Ar protocol |
.It Fl starttls Ar protocol |
| Send the protocol-specific message(s) to switch to TLS for communication. |
Send the protocol-specific messages to switch to TLS for communication. |
| .Ar protocol |
.Ar protocol |
| is a keyword for the intended protocol. |
is a keyword for the intended protocol. |
| Currently, the supported keywords are |
Currently, the supported keywords are |
|
|
| and |
and |
| .Qq xmpp . |
.Qq xmpp . |
| .It Fl state |
.It Fl state |
| Prints out the SSL session states. |
Print the SSL session states. |
| .It Fl tls1 | tls1_1 | tls1_2 |
.It Fl tls1 | tls1_1 | tls1_2 |
| Permit only TLS1.0, 1.1, or 1.2, respectively. |
Permit only TLS1.0, 1.1, or 1.2, respectively. |
| .It Fl tlsextdebug |
.It Fl tlsextdebug |
| Print out a hex dump of any TLS extensions received from the server. |
Print a hex dump of any TLS extensions received from the server. |
| .It Fl verify Ar depth |
.It Fl verify Ar depth |
| The verify |
Turn on server certificate verification, |
| .Ar depth |
with a maximum length of |
| to use. |
.Ar depth . |
| This specifies the maximum length of the |
|
| server certificate chain and turns on server certificate verification. |
|
| Currently the verify operation continues after errors so all the problems |
Currently the verify operation continues after errors so all the problems |
| with a certificate chain can be seen. |
with a certificate chain can be seen. |
| As a side effect the connection will never fail due to a server |
As a side effect the connection will never fail due to a server |
| certificate verify failure. |
certificate verify failure. |
| .It Fl xmpphost Ar hostname |
.It Fl xmpphost Ar hostname |
| This option, when used with |
When used with |
| .Fl starttls Ar xmpp , |
.Fl starttls Ar xmpp , |
| specifies the host for the "to" attribute of the stream element. |
specify the host for the "to" attribute of the stream element. |
| If this option is not specified then the host specified with |
If this option is not specified then the host specified with |
| .Fl connect |
.Fl connect |
| will be used. |
will be used. |
| .El |
.El |
| .Sh S_CLIENT CONNECTED COMMANDS |
|
| If a connection is established with an SSL server, any data received |
|
| from the server is displayed and any key presses will be sent to the |
|
| server. |
|
| When used interactively (which means neither |
|
| .Fl quiet |
|
| nor |
|
| .Fl ign_eof |
|
| have been given), the session will be renegotiated if the line begins with an |
|
| .Em R ; |
|
| if the line begins with a |
|
| .Em Q |
|
| or if end of file is reached, the connection will be closed down. |
|
| .Sh S_CLIENT NOTES |
|
| .Nm s_client |
|
| can be used to debug SSL servers. |
|
| To connect to an SSL HTTP server the command: |
|
| .Pp |
|
| .Dl $ openssl s_client -connect servername:443 |
|
| .Pp |
|
| would typically be used |
|
| .Pq HTTPS uses port 443 . |
|
| If the connection succeeds, an HTTP command can be given such as |
|
| .Qq GET |
|
| to retrieve a web page. |
|
| .Pp |
|
| If the handshake fails, there are several possible causes; if it is |
|
| nothing obvious like no client certificate, then the |
|
| .Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 , |
|
| and |
|
| .Fl no_tls1_2 |
|
| options can be tried in case it is a buggy server. |
|
| .Pp |
|
| A frequent problem when attempting to get client certificates working |
|
| is that a web client complains it has no certificates or gives an empty |
|
| list to choose from. |
|
| This is normally because the server is not sending the client's certificate |
|
| authority in its |
|
| .Qq acceptable CA list |
|
| when it requests a certificate. |
|
| By using |
|
| .Nm s_client |
|
| the CA list can be viewed and checked. |
|
| However some servers only request client authentication |
|
| after a specific URL is requested. |
|
| To obtain the list in this case it is necessary to use the |
|
| .Fl prexit |
|
| option and send an HTTP request for an appropriate page. |
|
| .Pp |
|
| If a certificate is specified on the command line using the |
|
| .Fl cert |
|
| option, it will not be used unless the server specifically requests |
|
| a client certificate. |
|
| Therefore merely including a client certificate |
|
| on the command line is no guarantee that the certificate works. |
|
| .Pp |
|
| If there are problems verifying a server certificate, the |
|
| .Fl showcerts |
|
| option can be used to show the whole chain. |
|
| .Pp |
|
| Compression methods are only supported for |
|
| .Fl tls1 . |
|
| .Sh S_CLIENT BUGS |
|
| Because this program has a lot of options and also because some of |
|
| the techniques used are rather old, the C source of |
|
| .Nm s_client |
|
| is rather hard to read and not a model of how things should be done. |
|
| A typical SSL client program would be much simpler. |
|
| .Pp |
|
| The |
|
| .Fl verify |
|
| option should really exit if the server verification fails. |
|
| .Pp |
|
| The |
|
| .Fl prexit |
|
| option is a bit of a hack. |
|
| We should really report information whenever a session is renegotiated. |
|
| .\" |
.\" |
| .\" S_SERVER |
.\" S_SERVER |
| .\" |
.\" |
![[BACK]](/icons/back.gif){kind=icon}
Return to openssl.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / openssl