
Diff for /src/usr.bin/openssl/openssl.1 between version 1.67 and 1.68

version 1.67, 2016/09/02 18:43:52 version 1.68, 2016/09/03 13:26:55
Line 4067 
Line 4067 
 .Fl verify ,  .Fl verify ,
 a certificate is requested but the client does not have to send one.  a certificate is requested but the client does not have to send one.
 .El  .El
 .\"  
 .\" S_TIME  
 .\"  
 .Sh S_TIME  .Sh S_TIME
 .nr nS 1  .nr nS 1
 .Nm "openssl s_time"  .Nm "openssl s_time"
 .Bk -words  
 .Op Fl bugs  .Op Fl bugs
 .Op Fl CAfile Ar file  .Op Fl CAfile Ar file
 .Op Fl CApath Ar directory  .Op Fl CApath Ar directory
 .Op Fl cert Ar file  .Op Fl cert Ar file
 .Op Fl cipher Ar cipherlist  .Op Fl cipher Ar cipherlist
 .Op Fl connect Ar host : Ns Ar port  .Op Fl connect Ar host Ns Op : Ns Ar port
 .Op Fl key Ar keyfile  .Op Fl key Ar keyfile
 .Op Fl nbio  .Op Fl nbio
 .Op Fl new  .Op Fl new
Line 4088 
Line 4084 
 .Op Fl time Ar seconds  .Op Fl time Ar seconds
 .Op Fl verify Ar depth  .Op Fl verify Ar depth
 .Op Fl www Ar page  .Op Fl www Ar page
 .Ek  
 .nr nS 0  .nr nS 0
 .Pp  .Pp
 The  The
 .Nm s_client  .Nm s_time
 command implements a generic SSL/TLS client which connects to a  command implements a generic SSL/TLS client which connects to a
 remote host using SSL/TLS.  remote host using SSL/TLS.
 It can request a page from the server and includes  It can request a page from the server and includes
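Review bot: The sentence after the corrected `.Nm s_time` still carries the s_client description in its unchanged lines: "command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS". Only the name was swapped. Since the options documented below (-new, -reuse, -time) are all about timing connections, consider rewording this opening so it says s_time is a benchmarking client rather than a generic one.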
Line 4105 
Line 4100 
 The options are as follows:  The options are as follows:
 .Bl -tag -width Ds  .Bl -tag -width Ds
 .It Fl bugs  .It Fl bugs
 There are several known bugs in SSL and TLS implementations.  Enable various workarounds for buggy implementations.
 Adding this option enables various workarounds.  
 .It Fl CAfile Ar file  .It Fl CAfile Ar file
 A file containing trusted certificates to use during server authentication  A
   .Ar file
   containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.  and to use when attempting to build the client certificate chain.
 .It Fl CApath Ar directory  .It Fl CApath Ar directory
 The directory to use for server certificate verification.  The directory to use for server certificate verification.
Line 4121 
Line 4117 
 .It Fl cert Ar file  .It Fl cert Ar file
 The certificate to use, if one is requested by the server.  The certificate to use, if one is requested by the server.
 The default is not to use a certificate.  The default is not to use a certificate.
 The file is in PEM format.  
 .It Fl cipher Ar cipherlist  .It Fl cipher Ar cipherlist
 This allows the cipher list sent by the client to be modified.  Modify the cipher list sent by the client.
 Although the server determines which cipher suite is used,  Although the server determines which cipher suite is used,
 it should take the first supported cipher in the list sent by the client.  it should take the first supported cipher in the list sent by the client.
 See the  See the
 .Nm ciphers  .Nm ciphers
 command for more information.  command for more information.
 .It Fl connect Ar host : Ns Ar port  .It Fl connect Ar host Ns Op : Ns Ar port
 This specifies the host and optional port to connect to.  The host and port to connect to.
 .It Fl key Ar keyfile  .It Fl key Ar keyfile
 The private key to use.  The private key to use.
 If not specified, the certificate file will be used.  If not specified, the certificate file will be used.
 The file is in PEM format.  
 .It Fl nbio  .It Fl nbio
 Turns on non-blocking I/O.  Turn on non-blocking I/O.
 .It Fl new  .It Fl new
 Performs the timing test using a new session ID for each connection.  Perform the timing test using a new session ID for each connection.
 If neither  If neither
 .Fl new  .Fl new
 nor  nor
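Review bot: The -connect entry now marks the port as optional in both the synopsis and the `.It` line (`.Ar host Ns Op : Ns Ar port`), yet its description went from "the host and optional port" to "The host and port to connect to." and does not say which port is used when it is omitted. Suggest keeping "optional" and stating the default. This hunk also drops "The file is in PEM format." from both -cert and -key; unless the accepted format is documented elsewhere in the page, that sentence is worth keeping for each option.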
Line 4147 
Line 4141 
 they are both on by default and executed in sequence.  they are both on by default and executed in sequence.
 .It Fl no_shutdown  .It Fl no_shutdown
 Shut down the connection without sending a  Shut down the connection without sending a
 .Dq close notify  .Qq close notify
 shutdown alert to the server.  shutdown alert to the server.
 .It Fl reuse  .It Fl reuse
 Performs the timing test using the same session ID;  Perform the timing test using the same session ID for each connection.
 this can be used as a test that session caching is working.  
 If neither  If neither
 .Fl new  .Fl new
 nor  nor
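Review bot: In the -reuse entry, the removed sentence "this can be used as a test that session caching is working." was the only statement of why a reader would pick this mode over -new. The new wording is nicely parallel with -new, but consider keeping a short clause about session caching so the purpose of the option is not lost.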
Line 4159 
Line 4152 
 are specified,  are specified,
 they are both on by default and executed in sequence.  they are both on by default and executed in sequence.
 .It Fl time Ar seconds  .It Fl time Ar seconds
 Specifies how long  Limit
 .Pq in seconds  
 .Nm s_time  .Nm s_time
 should establish connections and  benchmarks to the number of
 optionally transfer payload data from a server.  .Ar seconds .
 The default is 30 seconds.  The default is 30 seconds.
 Server and client performance and the link speed  
 determine how many connections  
 .Nm s_time  
 can establish.  
 .It Fl verify Ar depth  .It Fl verify Ar depth
 The verify depth to use.  Turn on server certificate verification,
 This specifies the maximum length of the server certificate chain  with a maximum length of
 and turns on server certificate verification.  .Ar depth .
 Currently the verify operation continues after errors, so all the problems  Currently the verify operation continues after errors, so all the problems
 with a certificate chain can be seen.  with a certificate chain can be seen.
 As a side effect,  As a side effect,
 the connection will never fail due to a server certificate verify failure.  the connection will never fail due to a server certificate verify failure.
 .It Fl www Ar page  .It Fl www Ar page
 This specifies the page to GET from the server.  The page to GET from the server.
 A value of  A value of
 .Sq /  .Sq /
 gets the index.htm[l] page.  gets the index.htm[l] page.
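Review bot: In the -verify entry, "Turn on server certificate verification, with a maximum length of .Ar depth ." no longer says what the length applies to; the old text named "the server certificate chain". Suggest "with a maximum certificate chain length of .Ar depth". Because the unchanged lines below still say the connection will never fail due to a verify failure, it would also help to state in the first sentence that verification problems are shown but do not abort the connection, so the entry does not open by implying enforcement.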
Line 4187 
Line 4175 
 will only perform the handshake to establish SSL connections  will only perform the handshake to establish SSL connections
 but not transfer any payload data.  but not transfer any payload data.
 .El  .El
 .Sh S_TIME NOTES  
 .Nm s_client  
 can be used to measure the performance of an SSL connection.  
 To connect to an SSL HTTP server and get the default page the command  
 .Bd -literal -offset indent  
 $ openssl s_time -connect servername:443 -www / -CApath yourdir \e  
         -CAfile yourfile.pem -cipher commoncipher  
 .Ed  
 .Pp  
 would typically be used  
 .Pq HTTPS uses port 443 .  
 .Dq commoncipher  
 is a cipher to which both client and server can agree;  
 see the  
 .Nm ciphers  
 command for details.  
 .Pp  
 If the handshake fails, there are several possible causes:  
 if it is nothing obvious like no client certificate, the  
 .Fl bugs  
 option can be tried in case it is a buggy server.  
 .Pp  
 A frequent problem when attempting to get client certificates working  
 is that a web client complains it has no certificates or gives an empty  
 list to choose from.  
 This is normally because the server is not sending  
 the clients certificate authority in its  
 .Qq acceptable CA list  
 when it requests a certificate.  
 By using  
 .Nm s_client ,  
 the CA list can be viewed and checked.  
 However some servers only request client authentication  
 after a specific URL is requested.  
 To obtain the list in this case, it is necessary to use the  
 .Fl prexit  
 option of  
 .Nm s_client  
 and send an HTTP request for an appropriate page.  
 .Pp  
 If a certificate is specified on the command line using the  
 .Fl cert  
 option,  
 it will not be used unless the server specifically requests  
 a client certificate.  
 Therefore merely including a client certificate  
 on the command line is no guarantee that the certificate works.  
 .Sh S_TIME BUGS  
 Because this program does not have all the options of the  
 .Nm s_client  
 program to turn protocols on and off,  
 you may not be able to measure the performance  
 of all protocols with all servers.  
 .Pp  
 The  
 .Fl verify  
 option should really exit if the server verification fails.  
 .\"  .\"
 .\" SESS_ID  .\" SESS_ID
 .\"  .\"
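Review bot: Deleting S_TIME BUGS removes "The -verify option should really exit if the server verification fails.", while the -verify entry kept in the previous hunk still documents that the connection never fails on a verify failure. The behaviour is therefore still described, but no longer flagged as a shortcoming; consider keeping that one sentence, either here or in the -verify entry. The paragraphs in S_TIME NOTES that refer to `.Nm s_client` and -prexit are reasonable to drop from this section, but the example invocation (`openssl s_time -connect servername:443 -www / ...`) and the note that a certificate given with -cert is used only when the server requests one are specific to running s_time and could be retained in shortened form.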
