=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.65 retrieving revision 1.66 diff -u -r1.65 -r1.66 --- src/usr.bin/openssl/openssl.1 2016/08/30 07:53:59 1.65 +++ src/usr.bin/openssl/openssl.1 2016/09/01 08:26:44 1.66 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.65 2016/08/30 07:53:59 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.66 2016/09/01 08:26:44 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -112,7 +112,7 @@ .\" .\" OPENSSL .\" -.Dd $Mdocdate: August 30 2016 $ +.Dd $Mdocdate: September 1 2016 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -2694,13 +2694,13 @@ .Fl keysig option marks the key for signing only. Signing only keys can be used for S/MIME signing, authenticode -.Pq ActiveX control signing +(ActiveX control signing) and SSL client authentication. .It Fl macalg Ar alg Specify the MAC digest algorithm. The default is SHA1. .It Fl maciter -Included for compatability only: +Included for compatibility only: it used to be needed to use MAC iterations counts but they are now used by default. .It Fl name Ar name @@ -3612,13 +3612,9 @@ .It Fl verify Verify the input data and output the recovered data. .El -.\" -.\" S_CLIENT -.\" .Sh S_CLIENT .nr nS 1 .Nm "openssl s_client" -.Bk -words .Op Fl 4 | 6 .Op Fl bugs .Op Fl CAfile Ar file @@ -3626,10 +3622,7 @@ .Op Fl cert Ar file .Op Fl check_ss_sig .Op Fl cipher Ar cipherlist -.Oo -.Fl connect Ar host : Ns Ar port | -.Ar host Ns / Ns Ar port -.Oc +.Op Fl connect Ar host Ns Op : Ns Ar port .Op Fl crl_check .Op Fl crl_check_all .Op Fl crlf 
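Review bot: in the @@ -3612 hunk, removing only the ".\" S_CLIENT" banner comment leaves this section inconsistent with its neighbours, since the matching ".\" S_SERVER" banner that follows it (still visible as context at the end of the @@ -3829 hunk) is kept; either drop the banners for every subcommand in one sweep or keep this one. Dropping ".Bk -words" here is balanced only because the matching ".Ek" is removed in the next hunk, so the synopsis should be rendered once to confirm it still breaks acceptably without the keep block.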
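Review bot: the new synopsis line ".Op Fl connect Ar host Ns Op : Ns Ar port" in the @@ -3626 hunk drops the host/port form, but the -connect description rewritten later in this same patch still says the pair "may be separated using a forward-slash character, which is useful for numeric IPv6 addresses"; either keep both forms in the synopsis or drop that sentence from the description, so the synopsis and the text agree on what -connect accepts.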
@@ -3665,30 +3658,34 @@ .Op Fl verify Ar depth .Op Fl x509_strict .Op Fl xmpphost Ar host -.Ek .nr nS 0 .Pp The .Nm s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. -It is a -.Em very -useful diagnostic tool for SSL servers. .Pp +If a connection is established with an SSL server, any data received +from the server is displayed and any key presses will be sent to the +server. +When used interactively (which means neither +.Fl quiet +nor +.Fl ign_eof +have been given), the session will be renegotiated if the line begins with an +.Cm R ; +if the line begins with a +.Cm Q +or if end of file is reached, the connection will be closed down. +.Pp The options are as follows: .Bl -tag -width Ds .It Fl 4 -Specify that -.Nm s_client -should attempt connections using IPv4 only. +Attempt connections using IPv4 only. .It Fl 6 -Specify that -.Nm s_client -should attempt connections using IPv6 only. +Attempt connections using IPv6 only. .It Fl bugs -There are several known bugs in SSL and TLS implementations. -Adding this option enables various workarounds. +Enable various workarounds for buggy implementations. .It Fl CAfile Ar file A .Ar file 
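Review bot: the context line "command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS." says SSL/TLS twice; since the paragraph is being reworked in this hunk anyway, "implements a generic SSL/TLS client which connects to a remote host." reads better. Switching the R and Q keystrokes in the relocated paragraph from ".Em" to ".Cm" is the right markup for literal input.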
@@ -3719,57 +3716,48 @@ .Xc Set various certificate chain validation options. See the -.Nm VERIFY +.Nm verify command for details. .It Fl cipher Ar cipherlist -This allows the cipher list sent by the client to be modified. +Modify the cipher list sent by the client. Although the server determines which cipher suite is used, it should take the first supported cipher in the list sent by the client. See the -.Sx CIPHERS -section above for more information. -.It Xo -.Fl connect Ar host : Ns Ar port | -.Ar host Ns / Ns Ar port -.Xc -This specifies the +.Nm ciphers +command for more information. +.It Fl connect Ar host Ns Op : Ns Ar port +The .Ar host -and optional +and .Ar port to connect to. If not specified, an attempt is made to connect to the local host on port 4433. Alternatively, the host and port pair may be separated using a forward-slash -character. -This form is useful for numeric IPv6 addresses. +character, +which is useful for numeric IPv6 addresses. .It Fl crlf -This option translates a line feed from the terminal into CR+LF as required -by some servers. +Translate a line feed from the terminal into CR+LF, +as required by some servers. .It Fl debug -Print extensive debugging information including a hex dump of all traffic. +Print extensive debugging information, including a hex dump of all traffic. .It Fl ign_eof -Inhibit shutting down the connection when end of file is reached in the -input. +Inhibit shutting down the connection when end of file is reached in the input. .It Fl key Ar keyfile The private key to use. If not specified, the certificate file will be used. .It Fl msg Show all protocol messages with hex dump. .It Fl nbio -Turns on non-blocking I/O. +Turn on non-blocking I/O. .It Fl nbio_test -Tests non-blocking I/O. +Test non-blocking I/O. .It Fl no_tls1 | no_tls1_1 | no_tls1_2 -By default, the initial handshake uses a method which should be compatible -with servers supporting any version of TLS. 
-These options disable the use of TLS1.0, 1.1, and 1.2, respectively. -.Pp -Unfortunately there are a lot of ancient and broken servers in use which -cannot handle this technique and will fail to connect. +Disable the use of TLS1.0, 1.1, and 1.2, respectively. .It Fl no_ticket Disable RFC 4507 session ticket support. .It Fl pause -Pauses 1 second between each read and write call. +Pause 1 second between each read and write call. .It Fl prexit Print session information when the program exits. This will always attempt @@ -3778,9 +3766,8 @@ This option is useful because the cipher in use may be renegotiated or the connection may fail because a client certificate is required or is requested only after an attempt is made to access a certain URL. -.Sy Note : -the output produced by this option is not always accurate because a -connection might never have been established. +Note that the output produced by this option is not always accurate +because a connection might never have been established. .It Fl proxy Ar host : Ns Ar port Use the HTTP proxy at .Ar host @@ -3799,7 +3786,7 @@ The key is given as a hexadecimal number without the leading 0x, for example -psk 1a2b3c4d. .It Fl psk_identity Ar identity -Use the PSK identity +Use the PSK .Ar identity when using a PSK cipher suite. .It Fl quiet @@ -3808,7 +3795,7 @@ .Fl ign_eof as well. .It Fl reconnect -Reconnects to the same server 5 times using the same session ID; this can +Reconnect to the same server 5 times using the same session ID; this can be used as a test that session caching is working. .It Fl servername Ar name Include the TLS Server Name Indication (SNI) extension in the ClientHello 
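Review bot: in the -connect description of the @@ -3719 hunk, "and optional" becomes "and" even though the new synopsis marks the port as optional and the next sentence still describes the default when it is omitted; keep "optional" so the text matches the synopsis. The -no_tls1 rewrite also drops the context that the default handshake negotiates any TLS version, which is what these options restrict; a clause such as "Disable the use of TLS1.0, 1.1, and 1.2, respectively, during version negotiation." would preserve it. Replacing ".Sx CIPHERS" with ".Nm ciphers" is consistent with the VERIFY change above it, but note that ".Sx" gave an in-page cross-reference to the CIPHERS section of this manual and ".Nm" does not; if that section remains, the ".Sx" form is the more useful reference.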
@@ -3818,7 +3805,7 @@ Display the whole server certificate chain: normally only the server certificate itself is displayed. .It Fl starttls Ar protocol -Send the protocol-specific message(s) to switch to TLS for communication. +Send the protocol-specific messages to switch to TLS for communication. .Ar protocol is a keyword for the intended protocol. Currently, the supported keywords are 
@@ -3829,106 +3816,27 @@ and .Qq xmpp . .It Fl state -Prints out the SSL session states. +Print the SSL session states. .It Fl tls1 | tls1_1 | tls1_2 Permit only TLS1.0, 1.1, or 1.2, respectively. .It Fl tlsextdebug -Print out a hex dump of any TLS extensions received from the server. +Print a hex dump of any TLS extensions received from the server. .It Fl verify Ar depth -The verify -.Ar depth -to use. -This specifies the maximum length of the -server certificate chain and turns on server certificate verification. +Turn on server certificate verification, +with a maximum length of +.Ar depth . Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. .It Fl xmpphost Ar hostname -This option, when used with +When used with .Fl starttls Ar xmpp , -specifies the host for the "to" attribute of the stream element. +specify the host for the "to" attribute of the stream element. If this option is not specified then the host specified with .Fl connect will be used. .El -.Sh S_CLIENT CONNECTED COMMANDS -If a connection is established with an SSL server, any data received -from the server is displayed and any key presses will be sent to the -server. -When used interactively (which means neither -.Fl quiet -nor -.Fl ign_eof -have been given), the session will be renegotiated if the line begins with an -.Em R ; -if the line begins with a -.Em Q -or if end of file is reached, the connection will be closed down. -.Sh S_CLIENT NOTES -.Nm s_client -can be used to debug SSL servers. -To connect to an SSL HTTP server the command: -.Pp -.Dl $ openssl s_client -connect servername:443 -.Pp -would typically be used -.Pq HTTPS uses port 443 . -If the connection succeeds, an HTTP command can be given such as -.Qq GET -to retrieve a web page. 
-.Pp -If the handshake fails, there are several possible causes; if it is -nothing obvious like no client certificate, then the -.Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 , -and -.Fl no_tls1_2 -options can be tried in case it is a buggy server. -.Pp -A frequent problem when attempting to get client certificates working -is that a web client complains it has no certificates or gives an empty -list to choose from. -This is normally because the server is not sending the client's certificate -authority in its -.Qq acceptable CA list -when it requests a certificate. -By using -.Nm s_client -the CA list can be viewed and checked. -However some servers only request client authentication -after a specific URL is requested. -To obtain the list in this case it is necessary to use the -.Fl prexit -option and send an HTTP request for an appropriate page. -.Pp -If a certificate is specified on the command line using the -.Fl cert -option, it will not be used unless the server specifically requests -a client certificate. -Therefore merely including a client certificate -on the command line is no guarantee that the certificate works. -.Pp -If there are problems verifying a server certificate, the -.Fl showcerts -option can be used to show the whole chain. -.Pp -Compression methods are only supported for -.Fl tls1 . -.Sh S_CLIENT BUGS -Because this program has a lot of options and also because some of -the techniques used are rather old, the C source of -.Nm s_client -is rather hard to read and not a model of how things should be done. -A typical SSL client program would be much simpler. -.Pp -The -.Fl verify -option should really exit if the server verification fails. -.Pp -The -.Fl prexit -option is a bit of a hack. -We should really report information whenever a session is renegotiated. .\" .\" S_SERVER .\"
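Review bot: the rewritten -verify entry in the @@ -3829 hunk, "Turn on server certificate verification, with a maximum length of .Ar depth .", no longer says what has a maximum length, because the old "server certificate chain" wording is gone; "with a maximum certificate chain length of" would restore it. Removing S_CLIENT NOTES also drops three facts that no option entry carries: a certificate given with -cert is only sent when the server requests one, compression methods are only supported with -tls1, and the typical invocation "openssl s_client -connect servername:443" followed by an HTTP GET; the first belongs in the .Fl cert entry, the second in the .Fl tls1 entry, and the example in an EXAMPLES section. Dropping S_CLIENT BUGS is fine, since the -prexit entry already warns that its output may be inaccurate and the -verify entry keeps the note that a verify failure never closes the connection.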