[B<-reconnect>]
[B<-showcerts>]
[B<-prexit>]
+[B<-no-interactive>]
[B<-debug>]
[B<-trace>]
[B<-nocommands>]
[B<-msg>]
[B<-timeout>]
[B<-mtu> I<size>]
+[B<-no_etm>]
+[B<-no_ems>]
[B<-keymatexport> I<label>]
[B<-keymatexportlen> I<len>]
[B<-msgfile> I<filename>]
[B<-comp>]
[B<-no_comp>]
[B<-brief>]
+[B<-legacy_server_connect>]
[B<-allow_no_dhe_kex>]
[B<-sigalgs> I<sigalglist>]
[B<-curves> I<curvelist>]
[B<-srp_lateuser>]
[B<-srp_moregroups>]
[B<-srp_strength> I<number>]
+[B<-ktls>]
+[B<-tfo>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
[I<host>:I<port>]
-=for openssl ifdef engine ssl_client_engine ct noct ctlogfile
-
-=for openssl ifdef ssl3 unix 4 6 use_srtp status trace wdebug nextprotoneg
-
-=for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls mtu dtls1 dtls1_2
-
-=for openssl ifdef sctp_label_bug sctp
-
-=for openssl ifdef srpuser srppass srp_lateuser srp_moregroups srp_strength
-
=head1 DESCRIPTION
This command implements a generic SSL/TLS client which
Suppresses sending of the SNI (Server Name Indication) extension in the
ClientHello message. Cannot be used in conjunction with the B<-servername> or
-<-dane_tlsa_domain> options.
+B<-dane_tlsa_domain> options.
=item B<-cert> I<filename>
=item B<-certform> B<DER>|B<PEM>|B<P12>
-The client certificate file format to use; the default is B<PEM>.
-This option has no effect and is retained for backward compatibility only.
+The client certificate file format to use; unspecified by default.
+See L<openssl-format-options(1)> for details.
=item B<-cert_chain>
=item B<-CRLform> B<DER>|B<PEM>
-The CRL file format; the default is B<PEM>.
+The CRL file format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-crl_download>
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The key format; the default is B<PEM>.
-The only value with effect is B<ENGINE>; all others have become obsolete.
+The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
=item B<-pass> I<arg>
-the private key and certifiate file password source.
+the private key and certificate file password source.
For more information about the format of I<arg>
see L<openssl-passphrase-options(1)>.
option is not always accurate because a connection might never have been
established.
+=item B<-no-interactive>
+
+This flag can be used to run the client in a non-interactive mode.
+
=item B<-state>
Prints out the SSL session states.
Set MTU of the link layer to the specified size.
+=item B<-no_etm>
+
+Disable Encrypt-then-MAC negotiation.
+
+=item B<-no_ems>
+
+Disable Extended master secret negotiation.
+
=item B<-keymatexport> I<label>
Export keying material using the specified label.
=item B<-trace>
-Show verbose trace output of protocol messages. OpenSSL needs to be compiled
-with B<enable-ssl-trace> for this option to work.
+Show verbose trace output of protocol messages.
=item B<-msgfile> I<filename>
Set the minimal acceptable length, in bits, for B<N>. This option is
deprecated.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
+=item B<-tfo>
+
+Enable creation of connections via TCP fast open (RFC7413).
+
{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_name_item -}
The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
-All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
-and have no effect.
-
The B<-engine> option was deprecated in OpenSSL 3.0.
+The -tfo option was added in OpenSSL 3.1.
+
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy