| version 1.66, 2016/09/01 08:26:44 |
version 1.67, 2016/09/02 18:43:52 |
|
|
| .Fl connect |
.Fl connect |
| will be used. |
will be used. |
| .El |
.El |
| .\" |
|
| .\" S_SERVER |
|
| .\" |
|
| .Sh S_SERVER |
.Sh S_SERVER |
| .nr nS 1 |
.nr nS 1 |
| .Nm "openssl s_server" |
.Nm "openssl s_server" |
| .Bk -words |
|
| .Op Fl accept Ar port |
.Op Fl accept Ar port |
| .Op Fl bugs |
.Op Fl bugs |
| .Op Fl CAfile Ar file |
.Op Fl CAfile Ar file |
|
|
| .Op Fl verify Ar depth |
.Op Fl verify Ar depth |
| .Op Fl WWW |
.Op Fl WWW |
| .Op Fl www |
.Op Fl www |
| .Ek |
|
| .nr nS 0 |
.nr nS 0 |
| .Pp |
.Pp |
| The |
The |
|
|
| command implements a generic SSL/TLS server which listens |
command implements a generic SSL/TLS server which listens |
| for connections on a given port using SSL/TLS. |
for connections on a given port using SSL/TLS. |
| .Pp |
.Pp |
| |
If a connection request is established with a client and neither the |
| |
.Fl www |
| |
nor the |
| |
.Fl WWW |
| |
option has been used, then any data received |
| |
from the client is displayed and any key presses are sent to the client. |
| |
Certain single letter commands perform special operations: |
| |
.Pp |
| |
.Bl -tag -width "XXXX" -compact |
| |
.It Ic P |
| |
Send plain text, which should cause the client to disconnect. |
| |
.It Ic Q |
| |
End the current SSL connection and exit. |
| |
.It Ic q |
| |
End the current SSL connection, but still accept new connections. |
| |
.It Ic R |
| |
Renegotiate the SSL session and request a client certificate. |
| |
.It Ic r |
| |
Renegotiate the SSL session. |
| |
.It Ic S |
| |
Print out some session cache status information. |
| |
.El |
| |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl accept Ar port |
.It Fl accept Ar port |
| The TCP |
Listen on TCP |
| .Ar port |
.Ar port |
| to listen on for connections. |
for connections. |
| If not specified, 4433 is used. |
The default is port 4433. |
| .It Fl bugs |
.It Fl bugs |
| There are several known bugs in SSL and TLS implementations. |
Enable various workarounds for buggy implementations. |
| Adding this option enables various workarounds. |
|
| .It Fl CAfile Ar file |
.It Fl CAfile Ar file |
| A file containing trusted certificates to use during client authentication |
A |
| |
.Ar file |
| |
containing trusted certificates to use during client authentication |
| and to use when attempting to build the server certificate chain. |
and to use when attempting to build the server certificate chain. |
| The list is also used in the list of acceptable client CAs passed to the |
The list is also used in the list of acceptable client CAs passed to the |
| client when a certificate is requested. |
client when a certificate is requested. |
|
|
| for more information. |
for more information. |
| These are also used when building the server certificate chain. |
These are also used when building the server certificate chain. |
| .It Fl cert Ar file |
.It Fl cert Ar file |
| The certificate to use; most server's cipher suites require the use of a |
The certificate to use: most server's cipher suites require the use of a |
| certificate and some require a certificate with a certain public key type: |
certificate and some require a certificate with a certain public key type. |
| for example the DSS cipher suites require a certificate containing a DSS |
For example, the DSS cipher suites require a certificate containing a DSS |
| .Pq DSA |
(DSA) key. |
| key. |
|
| If not specified, the file |
If not specified, the file |
| .Pa server.pem |
.Pa server.pem |
| will be used. |
will be used. |
| .It Fl cipher Ar cipherlist |
.It Fl cipher Ar cipherlist |
| |
Modify the cipher list used by the server. |
| This allows the cipher list used by the server to be modified. |
This allows the cipher list used by the server to be modified. |
| When the client sends a list of supported ciphers, the first client cipher |
When the client sends a list of supported ciphers, the first client cipher |
| also included in the server list is used. |
also included in the server list is used. |
| Because the client specifies the preference order, the order of the server |
Because the client specifies the preference order, the order of the server |
| cipherlist is irrelevant. |
cipherlist is irrelevant. |
| See the |
See the |
| .Sx CIPHERS |
.Nm ciphers |
| section for more information. |
command for more information. |
| .It Fl context Ar id |
.It Fl context Ar id |
| Sets the SSL context ID. |
Set the SSL context ID. |
| It can be given any string value. |
It can be given any string value. |
| If this option is not present, a default value will be used. |
|
| .It Fl crl_check , crl_check_all |
.It Fl crl_check , crl_check_all |
| Check the peer certificate has not been revoked by its CA. |
Check the peer certificate has not been revoked by its CA. |
| The CRLs are appended to the certificate file. |
The CRLs are appended to the certificate file. |
| With the |
|
| .Fl crl_check_all |
.Fl crl_check_all |
| option, all CRLs of all CAs in the chain are checked. |
checks all CRLs of all CAs in the chain. |
| .It Fl crlf |
.It Fl crlf |
| This option translates a line feed from the terminal into CR+LF. |
Translate a line feed from the terminal into CR+LF. |
| .It Fl dcert Ar file , Fl dkey Ar file |
.It Fl dcert Ar file , Fl dkey Ar file |
| Specify an additional certificate and private key; these behave in the |
Specify an additional certificate and private key; these behave in the |
| same manner as the |
same manner as the |
|
|
| and |
and |
| .Fl key |
.Fl key |
| options except there is no default if they are not specified |
options except there is no default if they are not specified |
| .Pq no additional certificate or key is used . |
(no additional certificate or key is used). |
| As noted above some cipher suites require a certificate containing a key of |
|
| a certain type. |
|
| Some cipher suites need a certificate carrying an RSA key |
|
| and some a DSS |
|
| .Pq DSA |
|
| key. |
|
| By using RSA and DSS certificates and keys, |
By using RSA and DSS certificates and keys, |
| a server can support clients which only support RSA or DSS cipher suites |
a server can support clients which only support RSA or DSS cipher suites |
| by using an appropriate certificate. |
by using an appropriate certificate. |
| .It Fl debug |
.It Fl debug |
| Print extensive debugging information including a hex dump of all traffic. |
Print extensive debugging information, including a hex dump of all traffic. |
| .It Fl dhparam Ar file |
.It Fl dhparam Ar file |
| The DH parameter file to use. |
The DH parameter file to use. |
| The ephemeral DH cipher suites generate keys |
The ephemeral DH cipher suites generate keys |
|
|
| .Nm s_server |
.Nm s_server |
| program will be used. |
program will be used. |
| .It Fl hack |
.It Fl hack |
| This option enables a further workaround for some early Netscape |
Enables a further workaround for some early Netscape SSL code. |
| SSL code |
|
| .Pq \&? . |
|
| .It Fl HTTP |
.It Fl HTTP |
| Emulates a simple web server. |
Emulate a simple web server. |
| Pages will be resolved relative to the current directory; |
Pages are resolved relative to the current directory. |
| for example if the URL |
For example if the URL |
| .Pa https://myhost/page.html |
.Pa https://myhost/page.html |
| is requested, the file |
is requested, the file |
| .Pa ./page.html |
.Pa ./page.html |
|
|
| Generate SSL/TLS session IDs prefixed by |
Generate SSL/TLS session IDs prefixed by |
| .Ar arg . |
.Ar arg . |
| This is mostly useful for testing any SSL/TLS code |
This is mostly useful for testing any SSL/TLS code |
| .Pq e.g. proxies |
(e.g. proxies) |
| that wish to deal with multiple servers, when each of which might be |
that wish to deal with multiple servers, when each of which might be |
| generating a unique range of session IDs |
generating a unique range of session IDs |
| .Pq e.g. with a certain prefix . |
(e.g. with a certain prefix). |
| .It Fl key Ar keyfile |
.It Fl key Ar keyfile |
| The private key to use. |
The private key to use. |
| If not specified, the certificate file will be used. |
If not specified, the certificate file will be used. |
| .It Fl msg |
.It Fl msg |
| Show all protocol messages with hex dump. |
Show all protocol messages with hex dump. |
| .It Fl nbio |
.It Fl nbio |
| Turns on non-blocking I/O. |
Turn on non-blocking I/O. |
| .It Fl nbio_test |
.It Fl nbio_test |
| Tests non-blocking I/O. |
Test non-blocking I/O. |
| .It Fl no_dhe |
.It Fl no_dhe |
| If this option is set, no DH parameters will be loaded, effectively |
Disable ephemeral DH cipher suites. |
| disabling the ephemeral DH cipher suites. |
|
| .It Fl no_tls1 | no_tls1_1 | no_tls1_2 |
.It Fl no_tls1 | no_tls1_1 | no_tls1_2 |
| By default, the initial handshake uses a method which should be compatible |
Disable the use of TLS1.0, 1.1, and 1.2, respectively. |
| with clients supporting any version of TLS. |
|
| These options disable the use of TLS1.0, 1.1, and 1.2, respectively. |
|
| .It Fl no_tmp_rsa |
.It Fl no_tmp_rsa |
| Certain export cipher suites sometimes use a temporary RSA key; this option |
Disable temporary RSA key generation. |
| disables temporary RSA key generation. |
|
| .It Fl nocert |
.It Fl nocert |
| If this option is set, no certificate is used. |
Do not use a certificate. |
| This restricts the cipher suites available to the anonymous ones |
This restricts the cipher suites available to the anonymous ones |
| .Pq currently just anonymous DH . |
(currently just anonymous DH). |
| .It Fl psk Ar key |
.It Fl psk Ar key |
| Use the PSK key |
Use the PSK key |
| .Ar key |
.Ar key |
|
|
| .It Fl serverpref |
.It Fl serverpref |
| Use server's cipher preferences. |
Use server's cipher preferences. |
| .It Fl state |
.It Fl state |
| Prints out the SSL session states. |
Print the SSL session states. |
| .It Fl tls1 | tls1_1 | tls1_2 |
.It Fl tls1 | tls1_1 | tls1_2 |
| Permit only TLS1.0, 1.1, or 1.2, respectively. |
Permit only TLS1.0, 1.1, or 1.2, respectively. |
| .It Fl WWW |
.It Fl WWW |
| Emulates a simple web server. |
Emulate a simple web server. |
| Pages will be resolved relative to the current directory; |
Pages are resolved relative to the current directory. |
| for example if the URL |
For example if the URL |
| .Pa https://myhost/page.html |
.Pa https://myhost/page.html |
| is requested, the file |
is requested, the file |
| .Pa ./page.html |
.Pa ./page.html |
| will be loaded. |
will be loaded. |
| .It Fl www |
.It Fl www |
| Sends a status message back to the client when it connects. |
Send a status message to the client when it connects, |
| This includes lots of information about the ciphers used and various |
including information about the ciphers used and various session parameters. |
| session parameters. |
|
| The output is in HTML format so this option will normally be used with a |
The output is in HTML format so this option will normally be used with a |
| web browser. |
web browser. |
| .It Fl Verify Ar depth , Fl verify Ar depth |
.It Fl Verify Ar depth , Fl verify Ar depth |
| The verify |
Request a certificate chain from the client, |
| .Ar depth |
with a maximum length of |
| to use. |
.Ar depth . |
| This specifies the maximum length of the client certificate chain |
With |
| and makes the server request a certificate from the client. |
.Fl Verify , |
| With the |
the client must supply a certificate or an error occurs; |
| .Fl Verify |
with |
| option, the client must supply a certificate or an error occurs. |
.Fl verify , |
| With the |
a certificate is requested but the client does not have to send one. |
| .Fl verify |
|
| option, a certificate is requested but the client does not have to send one. |
|
| .El |
.El |
| .Sh S_SERVER CONNECTED COMMANDS |
|
| If a connection request is established with an SSL client and neither the |
|
| .Fl www |
|
| nor the |
|
| .Fl WWW |
|
| option has been used, then normally any data received |
|
| from the client is displayed and any key presses will be sent to the client. |
|
| .Pp |
|
| Certain single letter commands are also recognized which perform special |
|
| operations: these are listed below. |
|
| .Bl -tag -width "XXXX" |
|
| .It Ar P |
|
| Send some plain text down the underlying TCP connection: this should |
|
| cause the client to disconnect due to a protocol violation. |
|
| .It Ar Q |
|
| End the current SSL connection and exit. |
|
| .It Ar q |
|
| End the current SSL connection, but still accept new connections. |
|
| .It Ar R |
|
| Renegotiate the SSL session and request a client certificate. |
|
| .It Ar r |
|
| Renegotiate the SSL session. |
|
| .It Ar S |
|
| Print out some session cache status information. |
|
| .El |
|
| .Sh S_SERVER NOTES |
|
| .Nm s_server |
|
| can be used to debug SSL clients. |
|
| To accept connections from a web browser the command: |
|
| .Pp |
|
| .Dl $ openssl s_server -accept 443 -www |
|
| .Pp |
|
| can be used, for example. |
|
| .Pp |
|
| Most web browsers |
|
| .Pq in particular Netscape and MSIE |
|
| only support RSA cipher suites, so they cannot connect to servers |
|
| which don't use a certificate carrying an RSA key or a version of |
|
| .Nm OpenSSL |
|
| with RSA disabled. |
|
| .Pp |
|
| Although specifying an empty list of CAs when requesting a client certificate |
|
| is strictly speaking a protocol violation, some SSL |
|
| clients interpret this to mean any CA is acceptable. |
|
| This is useful for debugging purposes. |
|
| .Pp |
|
| The session parameters can printed out using the |
|
| .Nm sess_id |
|
| program. |
|
| .Sh S_SERVER BUGS |
|
| Because this program has a lot of options and also because some of |
|
| the techniques used are rather old, the C source of |
|
| .Nm s_server |
|
| is rather hard to read and not a model of how things should be done. |
|
| A typical SSL server program would be much simpler. |
|
| .Pp |
|
| The output of common ciphers is wrong: it just gives the list of ciphers that |
|
| .Nm OpenSSL |
|
| recognizes and the client supports. |
|
| .Pp |
|
| There should be a way for the |
|
| .Nm s_server |
|
| program to print out details of any |
|
| unknown cipher suites a client says it supports. |
|
| .\" |
.\" |
| .\" S_TIME |
.\" S_TIME |
| .\" |
.\" |
![[BACK]](/icons/back.gif){kind=icon}
Return to openssl.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / openssl