version 1.65, 2016/08/30 07:53:59 |
version 1.66, 2016/09/01 08:26:44 |
|
|
.Fl keysig |
.Fl keysig |
option marks the key for signing only. |
option marks the key for signing only. |
Signing only keys can be used for S/MIME signing, authenticode |
Signing only keys can be used for S/MIME signing, authenticode |
.Pq ActiveX control signing |
(ActiveX control signing) |
and SSL client authentication. |
and SSL client authentication. |
.It Fl macalg Ar alg |
.It Fl macalg Ar alg |
Specify the MAC digest algorithm. |
Specify the MAC digest algorithm. |
The default is SHA1. |
The default is SHA1. |
.It Fl maciter |
.It Fl maciter |
Included for compatability only: |
Included for compatibility only: |
it used to be needed to use MAC iterations counts |
it used to be needed to use MAC iterations counts |
but they are now used by default. |
but they are now used by default. |
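Review bot: the -maciter entry still reads "it used to be needed to use MAC iterations counts" on both sides of the "compatability" fix, which is ungrammatical ("iterations counts") and awkward; since the line is being touched anyway, rewrite it as "it was formerly needed to enable MAC iteration counts, which are now used by default".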
.It Fl name Ar name |
.It Fl name Ar name |
|
|
.It Fl verify |
.It Fl verify |
Verify the input data and output the recovered data. |
Verify the input data and output the recovered data. |
.El |
.El |
.\" |
|
.\" S_CLIENT |
|
.\" |
|
.Sh S_CLIENT |
.Sh S_CLIENT |
.nr nS 1 |
.nr nS 1 |
.Nm "openssl s_client" |
.Nm "openssl s_client" |
.Bk -words |
|
.Op Fl 4 | 6 |
.Op Fl 4 | 6 |
.Op Fl bugs |
.Op Fl bugs |
.Op Fl CAfile Ar file |
.Op Fl CAfile Ar file |
|
|
.Op Fl cert Ar file |
.Op Fl cert Ar file |
.Op Fl check_ss_sig |
.Op Fl check_ss_sig |
.Op Fl cipher Ar cipherlist |
.Op Fl cipher Ar cipherlist |
.Oo |
.Op Fl connect Ar host Ns Op : Ns Ar port |
.Fl connect Ar host : Ns Ar port | |
|
.Ar host Ns / Ns Ar port |
|
.Oc |
|
.Op Fl crl_check |
.Op Fl crl_check |
.Op Fl crl_check_all |
.Op Fl crl_check_all |
.Op Fl crlf |
.Op Fl crlf |
|
|
.Op Fl verify Ar depth |
.Op Fl verify Ar depth |
.Op Fl x509_strict |
.Op Fl x509_strict |
.Op Fl xmpphost Ar host |
.Op Fl xmpphost Ar host |
.Ek |
|
.nr nS 0 |
.nr nS 0 |
.Pp |
.Pp |
The |
The |
.Nm s_client |
.Nm s_client |
command implements a generic SSL/TLS client which connects |
command implements a generic SSL/TLS client which connects |
to a remote host using SSL/TLS. |
to a remote host using SSL/TLS. |
It is a |
|
.Em very |
|
useful diagnostic tool for SSL servers. |
|
.Pp |
.Pp |
|
If a connection is established with an SSL server, any data received |
|
from the server is displayed and any key presses will be sent to the |
|
server. |
|
When used interactively (which means neither |
|
.Fl quiet |
|
nor |
|
.Fl ign_eof |
|
have been given), the session will be renegotiated if the line begins with an |
|
.Cm R ; |
|
if the line begins with a |
|
.Cm Q |
|
or if end of file is reached, the connection will be closed down. |
|
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl 4 |
.It Fl 4 |
Specify that |
Attempt connections using IPv4 only. |
.Nm s_client |
|
should attempt connections using IPv4 only. |
|
.It Fl 6 |
.It Fl 6 |
Specify that |
Attempt connections using IPv6 only. |
.Nm s_client |
|
should attempt connections using IPv6 only. |
|
.It Fl bugs |
.It Fl bugs |
There are several known bugs in SSL and TLS implementations. |
Enable various workarounds for buggy implementations. |
Adding this option enables various workarounds. |
|
.It Fl CAfile Ar file |
.It Fl CAfile Ar file |
A |
A |
.Ar file |
.Ar file |
|
|
.Xc |
.Xc |
Set various certificate chain validation options. |
Set various certificate chain validation options. |
See the |
See the |
.Nm VERIFY |
.Nm verify |
command for details. |
command for details. |
.It Fl cipher Ar cipherlist |
.It Fl cipher Ar cipherlist |
This allows the cipher list sent by the client to be modified. |
Modify the cipher list sent by the client. |
Although the server determines which cipher suite is used, it should take |
Although the server determines which cipher suite is used, it should take |
the first supported cipher in the list sent by the client. |
the first supported cipher in the list sent by the client. |
See the |
See the |
.Sx CIPHERS |
.Nm ciphers |
section above for more information. |
command for more information. |
.It Xo |
.It Fl connect Ar host Ns Op : Ns Ar port |
.Fl connect Ar host : Ns Ar port | |
The |
.Ar host Ns / Ns Ar port |
|
.Xc |
|
This specifies the |
|
.Ar host |
.Ar host |
and optional |
and |
.Ar port |
.Ar port |
to connect to. |
to connect to. |
If not specified, an attempt is made to connect to the local host |
If not specified, an attempt is made to connect to the local host |
on port 4433. |
on port 4433. |
Alternatively, the host and port pair may be separated using a forward-slash |
Alternatively, the host and port pair may be separated using a forward-slash |
character. |
character, |
This form is useful for numeric IPv6 addresses. |
which is useful for numeric IPv6 addresses. |
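Review bot: the new synopsis and item tag, `.Op Fl connect Ar host Ns Op : Ns Ar port`, mark the port as optional and drop the host/port alternation, while the description beneath simultaneously removes the word "optional" ("The host and port to connect to") and still documents the forward-slash separator for numeric IPv6 addresses. The three now disagree. Either keep the old `host:port | host/port` form in both the synopsis and the `.It` line, or, if a bare host is really accepted, state which port is used when only a host is given and drop the slash form from the prose, since it is no longer shown anywhere a reader would look for it. As written the page cannot tell a reader whether the slash form is still accepted.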
.It Fl crlf |
.It Fl crlf |
This option translates a line feed from the terminal into CR+LF as required |
Translate a line feed from the terminal into CR+LF, |
by some servers. |
as required by some servers. |
.It Fl debug |
.It Fl debug |
Print extensive debugging information including a hex dump of all traffic. |
Print extensive debugging information, including a hex dump of all traffic. |
.It Fl ign_eof |
.It Fl ign_eof |
Inhibit shutting down the connection when end of file is reached in the |
Inhibit shutting down the connection when end of file is reached in the input. |
input. |
|
.It Fl key Ar keyfile |
.It Fl key Ar keyfile |
The private key to use. |
The private key to use. |
If not specified, the certificate file will be used. |
If not specified, the certificate file will be used. |
.It Fl msg |
.It Fl msg |
Show all protocol messages with hex dump. |
Show all protocol messages with hex dump. |
.It Fl nbio |
.It Fl nbio |
Turns on non-blocking I/O. |
Turn on non-blocking I/O. |
.It Fl nbio_test |
.It Fl nbio_test |
Tests non-blocking I/O. |
Test non-blocking I/O. |
.It Fl no_tls1 | no_tls1_1 | no_tls1_2 |
.It Fl no_tls1 | no_tls1_1 | no_tls1_2 |
By default, the initial handshake uses a method which should be compatible |
Disable the use of TLS1.0, 1.1, and 1.2, respectively. |
with servers supporting any version of TLS. |
|
These options disable the use of TLS1.0, 1.1, and 1.2, respectively. |
|
.Pp |
|
Unfortunately there are a lot of ancient and broken servers in use which |
|
cannot handle this technique and will fail to connect. |
|
.It Fl no_ticket |
.It Fl no_ticket |
Disable RFC 4507 session ticket support. |
Disable RFC 4507 session ticket support. |
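Review bot: the -no_ticket line cites RFC 4507, which has been obsoleted by RFC 5077 (the current TLS session ticket specification); since the surrounding option text is being cleaned up in this commit, update the reference to RFC 5077.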
.It Fl pause |
.It Fl pause |
Pauses 1 second between each read and write call. |
Pause 1 second between each read and write call. |
.It Fl prexit |
.It Fl prexit |
Print session information when the program exits. |
Print session information when the program exits. |
This will always attempt |
This will always attempt |
|
|
This option is useful because the cipher in use may be renegotiated |
This option is useful because the cipher in use may be renegotiated |
or the connection may fail because a client certificate is required or is |
or the connection may fail because a client certificate is required or is |
requested only after an attempt is made to access a certain URL. |
requested only after an attempt is made to access a certain URL. |
.Sy Note : |
Note that the output produced by this option is not always accurate |
the output produced by this option is not always accurate because a |
because a connection might never have been established. |
connection might never have been established. |
|
.It Fl proxy Ar host : Ns Ar port |
.It Fl proxy Ar host : Ns Ar port |
Use the HTTP proxy at |
Use the HTTP proxy at |
.Ar host |
.Ar host |
|
|
The key is given as a hexadecimal number without the leading 0x, |
The key is given as a hexadecimal number without the leading 0x, |
for example -psk 1a2b3c4d. |
for example -psk 1a2b3c4d. |
.It Fl psk_identity Ar identity |
.It Fl psk_identity Ar identity |
Use the PSK identity |
Use the PSK |
.Ar identity |
.Ar identity |
when using a PSK cipher suite. |
when using a PSK cipher suite. |
.It Fl quiet |
.It Fl quiet |
|
|
.Fl ign_eof |
.Fl ign_eof |
as well. |
as well. |
.It Fl reconnect |
.It Fl reconnect |
Reconnects to the same server 5 times using the same session ID; this can |
Reconnect to the same server 5 times using the same session ID; this can |
be used as a test that session caching is working. |
be used as a test that session caching is working. |
.It Fl servername Ar name |
.It Fl servername Ar name |
Include the TLS Server Name Indication (SNI) extension in the ClientHello |
Include the TLS Server Name Indication (SNI) extension in the ClientHello |
|
|
Display the whole server certificate chain: normally only the server |
Display the whole server certificate chain: normally only the server |
certificate itself is displayed. |
certificate itself is displayed. |
.It Fl starttls Ar protocol |
.It Fl starttls Ar protocol |
Send the protocol-specific message(s) to switch to TLS for communication. |
Send the protocol-specific messages to switch to TLS for communication. |
.Ar protocol |
.Ar protocol |
is a keyword for the intended protocol. |
is a keyword for the intended protocol. |
Currently, the supported keywords are |
Currently, the supported keywords are |
|
|
and |
and |
.Qq xmpp . |
.Qq xmpp . |
.It Fl state |
.It Fl state |
Prints out the SSL session states. |
Print the SSL session states. |
.It Fl tls1 | tls1_1 | tls1_2 |
.It Fl tls1 | tls1_1 | tls1_2 |
Permit only TLS1.0, 1.1, or 1.2, respectively. |
Permit only TLS1.0, 1.1, or 1.2, respectively. |
.It Fl tlsextdebug |
.It Fl tlsextdebug |
Print out a hex dump of any TLS extensions received from the server. |
Print a hex dump of any TLS extensions received from the server. |
.It Fl verify Ar depth |
.It Fl verify Ar depth |
The verify |
Turn on server certificate verification, |
.Ar depth |
with a maximum length of |
to use. |
.Ar depth . |
This specifies the maximum length of the |
|
server certificate chain and turns on server certificate verification. |
|
Currently the verify operation continues after errors so all the problems |
Currently the verify operation continues after errors so all the problems |
with a certificate chain can be seen. |
with a certificate chain can be seen. |
As a side effect the connection will never fail due to a server |
As a side effect the connection will never fail due to a server |
certificate verify failure. |
certificate verify failure. |
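Review bot: the rewritten -verify wording, "with a maximum length of .Ar depth", lost the noun the old text carried: depth bounds the server certificate chain, not the verification. Suggest "with a maximum certificate chain length of .Ar depth ." The unchanged sentences that follow, that verification continues after errors and the connection never fails on a verify failure, are the security-relevant part of this entry and must stay; with the S_CLIENT BUGS section being removed further down in this diff they become the only place the page says so, so consider stating outright that a successful connection under -verify is not evidence of a valid chain.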
.It Fl xmpphost Ar hostname |
.It Fl xmpphost Ar hostname |
This option, when used with |
When used with |
.Fl starttls Ar xmpp , |
.Fl starttls Ar xmpp , |
specifies the host for the "to" attribute of the stream element. |
specify the host for the "to" attribute of the stream element. |
If this option is not specified then the host specified with |
If this option is not specified then the host specified with |
.Fl connect |
.Fl connect |
will be used. |
will be used. |
.El |
.El |
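Review bot: -xmpphost is declared as `.Op Fl xmpphost Ar host` in the synopsis but `.It Fl xmpphost Ar hostname` in the option list; the argument name should match in both places, and since the description says it defaults to the host given with -connect, `host` is the better choice.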
.Sh S_CLIENT CONNECTED COMMANDS |
|
If a connection is established with an SSL server, any data received |
|
from the server is displayed and any key presses will be sent to the |
|
server. |
|
When used interactively (which means neither |
|
.Fl quiet |
|
nor |
|
.Fl ign_eof |
|
have been given), the session will be renegotiated if the line begins with an |
|
.Em R ; |
|
if the line begins with a |
|
.Em Q |
|
or if end of file is reached, the connection will be closed down. |
|
.Sh S_CLIENT NOTES |
|
.Nm s_client |
|
can be used to debug SSL servers. |
|
To connect to an SSL HTTP server the command: |
|
.Pp |
|
.Dl $ openssl s_client -connect servername:443 |
|
.Pp |
|
would typically be used |
|
.Pq HTTPS uses port 443 . |
|
If the connection succeeds, an HTTP command can be given such as |
|
.Qq GET |
|
to retrieve a web page. |
|
.Pp |
|
If the handshake fails, there are several possible causes; if it is |
|
nothing obvious like no client certificate, then the |
|
.Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 , |
|
and |
|
.Fl no_tls1_2 |
|
options can be tried in case it is a buggy server. |
|
.Pp |
|
A frequent problem when attempting to get client certificates working |
|
is that a web client complains it has no certificates or gives an empty |
|
list to choose from. |
|
This is normally because the server is not sending the client's certificate |
|
authority in its |
|
.Qq acceptable CA list |
|
when it requests a certificate. |
|
By using |
|
.Nm s_client |
|
the CA list can be viewed and checked. |
|
However some servers only request client authentication |
|
after a specific URL is requested. |
|
To obtain the list in this case it is necessary to use the |
|
.Fl prexit |
|
option and send an HTTP request for an appropriate page. |
|
.Pp |
|
If a certificate is specified on the command line using the |
|
.Fl cert |
|
option, it will not be used unless the server specifically requests |
|
a client certificate. |
|
Therefore merely including a client certificate |
|
on the command line is no guarantee that the certificate works. |
|
.Pp |
|
If there are problems verifying a server certificate, the |
|
.Fl showcerts |
|
option can be used to show the whole chain. |
|
.Pp |
|
Compression methods are only supported for |
|
.Fl tls1 . |
|
.Sh S_CLIENT BUGS |
|
Because this program has a lot of options and also because some of |
|
the techniques used are rather old, the C source of |
|
.Nm s_client |
|
is rather hard to read and not a model of how things should be done. |
|
A typical SSL client program would be much simpler. |
|
.Pp |
|
The |
|
.Fl verify |
|
option should really exit if the server verification fails. |
|
.Pp |
|
The |
|
.Fl prexit |
|
option is a bit of a hack. |
|
We should really report information whenever a session is renegotiated. |
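Review bot: this drops the whole S_CLIENT NOTES and S_CLIENT BUGS sections without relocating their content, and some of it is stated nowhere else on the page: that a certificate passed with -cert is only sent when the server actually requests one, so a successful handshake proves nothing about the certificate; that the acceptable CA list a server sends can be inspected with s_client, using -prexit when client authentication is requested only after a specific URL; that -showcerts is the way to see the whole chain when verification fails; that compression is only supported with -tls1; and the one worked invocation, `openssl s_client -connect servername:443`. Moving the CONNECTED COMMANDS paragraph into the command introduction is fine, but the -cert caveat should be folded into the -cert option description (not visible in this diff) before this text goes, and the port 443 invocation is worth keeping under the command.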
|
.\" |
.\" |
.\" S_SERVER |
.\" S_SERVER |
.\" |
.\" |