]>
Commit | Line | Data |
---|---|---|
a2151c5b DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
3f2181e6 | 5 | openssl-s_server, |
a2151c5b DSH |
6 | s_server - SSL/TLS server program |
7 | ||
8 | =head1 SYNOPSIS | |
9 | ||
a2bbe594 | 10 | B<openssl> B<s_server> |
169394d4 | 11 | [B<-help>] |
0bae1960 | 12 | [B<-port +int>] |
a22f9c84 | 13 | [B<-accept val>] |
a22f9c84 | 14 | [B<-unix val>] |
a22f9c84 E |
15 | [B<-4>] |
16 | [B<-6>] | |
0bae1960 MC |
17 | [B<-unlink>] |
18 | [B<-context val>] | |
19 | [B<-verify int>] | |
20 | [B<-Verify int>] | |
21 | [B<-cert infile>] | |
22 | [B<-nameopt val>] | |
23 | [B<-naccept +int>] | |
24 | [B<-serverinfo val>] | |
25 | [B<-certform PEM|DER>] | |
26 | [B<-key infile>] | |
27 | [B<-keyform format>] | |
28 | [B<-pass val>] | |
29 | [B<-dcert infile>] | |
30 | [B<-dcertform PEM|DER>] | |
31 | [B<-dkey infile>] | |
32 | [B<-dkeyform PEM|DER>] | |
33 | [B<-dpass val>] | |
a2151c5b DSH |
34 | [B<-nbio_test>] |
35 | [B<-crlf>] | |
36 | [B<-debug>] | |
1d8634b1 | 37 | [B<-msg>] |
0bae1960 | 38 | [B<-msgfile outfile>] |
a2151c5b | 39 | [B<-state>] |
0bae1960 MC |
40 | [B<-CAfile infile>] |
41 | [B<-CApath dir>] | |
40e2d76b MC |
42 | [B<-no-CAfile>] |
43 | [B<-no-CApath>] | |
0bae1960 MC |
44 | [B<-nocert>] |
45 | [B<-quiet>] | |
46 | [B<-no_resume_ephemeral>] | |
47 | [B<-www>] | |
48 | [B<-WWW>] | |
49 | [B<-servername>] | |
50 | [B<-servername_fatal>] | |
51 | [B<-cert2 infile>] | |
52 | [B<-key2 infile>] | |
53 | [B<-tlsextdebug>] | |
54 | [B<-HTTP>] | |
55 | [B<-id_prefix val>] | |
3ee1eac2 RS |
56 | [B<-rand file...>] |
57 | [B<-writerand file>] | |
0bae1960 MC |
58 | [B<-keymatexport val>] |
59 | [B<-keymatexportlen +int>] | |
60 | [B<-CRL infile>] | |
61 | [B<-crl_download>] | |
62 | [B<-cert_chain infile>] | |
63 | [B<-dcert_chain infile>] | |
64 | [B<-chainCApath dir>] | |
65 | [B<-verifyCApath dir>] | |
66 | [B<-no_cache>] | |
67 | [B<-ext_cache>] | |
68 | [B<-CRLform PEM|DER>] | |
69 | [B<-verify_return_error>] | |
70 | [B<-verify_quiet>] | |
71 | [B<-build_chain>] | |
72 | [B<-chainCAfile infile>] | |
73 | [B<-verifyCAfile infile>] | |
74 | [B<-ign_eof>] | |
75 | [B<-no_ign_eof>] | |
76 | [B<-status>] | |
77 | [B<-status_verbose>] | |
78 | [B<-status_timeout int>] | |
79 | [B<-status_url val>] | |
80 | [B<-status_file infile>] | |
81 | [B<-trace>] | |
82 | [B<-security_debug>] | |
83 | [B<-security_debug_verbose>] | |
84 | [B<-brief>] | |
85 | [B<-rev>] | |
86 | [B<-async>] | |
87 | [B<-ssl_config val>] | |
88 | [B<-max_send_frag +int>] | |
89 | [B<-split_send_frag +int>] | |
90 | [B<-max_pipelines +int>] | |
91 | [B<-read_buf +int>] | |
92 | [B<-no_ssl3>] | |
93 | [B<-no_tls1>] | |
94 | [B<-no_tls1_1>] | |
95 | [B<-no_tls1_2>] | |
96 | [B<-no_tls1_3>] | |
97 | [B<-bugs>] | |
98 | [B<-no_comp>] | |
99 | [B<-comp>] | |
100 | [B<-no_ticket>] | |
7ffb7fbe | 101 | [B<-num_tickets>] |
0bae1960 MC |
102 | [B<-serverpref>] |
103 | [B<-legacy_renegotiation>] | |
104 | [B<-no_renegotiation>] | |
105 | [B<-legacy_server_connect>] | |
106 | [B<-no_resumption_on_reneg>] | |
107 | [B<-no_legacy_server_connect>] | |
4e2bd9cb | 108 | [B<-allow_no_dhe_kex>] |
e1c7871d | 109 | [B<-prioritize_chacha>] |
0bae1960 MC |
110 | [B<-strict>] |
111 | [B<-sigalgs val>] | |
112 | [B<-client_sigalgs val>] | |
113 | [B<-groups val>] | |
114 | [B<-curves val>] | |
115 | [B<-named_curve val>] | |
116 | [B<-cipher val>] | |
9d2674cd | 117 | [B<-ciphersuites val>] |
0bae1960 MC |
118 | [B<-dhparam infile>] |
119 | [B<-record_padding val>] | |
120 | [B<-debug_broken_protocol>] | |
121 | [B<-policy val>] | |
122 | [B<-purpose val>] | |
123 | [B<-verify_name val>] | |
124 | [B<-verify_depth int>] | |
125 | [B<-auth_level int>] | |
126 | [B<-attime intmax>] | |
127 | [B<-verify_hostname val>] | |
128 | [B<-verify_email val>] | |
129 | [B<-verify_ip>] | |
e42d84be | 130 | [B<-ignore_critical>] |
0bae1960 MC |
131 | [B<-issuer_checks>] |
132 | [B<-crl_check>] | |
133 | [B<-crl_check_all>] | |
134 | [B<-policy_check>] | |
135 | [B<-explicit_policy>] | |
e42d84be HK |
136 | [B<-inhibit_any>] |
137 | [B<-inhibit_map>] | |
0bae1960 MC |
138 | [B<-x509_strict>] |
139 | [B<-extended_crl>] | |
140 | [B<-use_deltas>] | |
e42d84be | 141 | [B<-policy_print>] |
0bae1960 MC |
142 | [B<-check_ss_sig>] |
143 | [B<-trusted_first>] | |
e42d84be | 144 | [B<-suiteB_128_only>] |
0bae1960 | 145 | [B<-suiteB_128>] |
e42d84be | 146 | [B<-suiteB_192>] |
0bae1960 | 147 | [B<-partial_chain>] |
fa7b0111 | 148 | [B<-no_alt_chains>] |
0bae1960 MC |
149 | [B<-no_check_time>] |
150 | [B<-allow_proxy_certs>] | |
151 | [B<-xkey>] | |
152 | [B<-xcert>] | |
153 | [B<-xchain>] | |
154 | [B<-xchain_build>] | |
155 | [B<-xcertform PEM|DER>] | |
156 | [B<-xkeyform PEM|DER>] | |
157 | [B<-nbio>] | |
158 | [B<-psk_identity val>] | |
159 | [B<-psk_hint val>] | |
160 | [B<-psk val>] | |
9e064bc1 | 161 | [B<-psk_session file>] |
0bae1960 MC |
162 | [B<-srpvfile infile>] |
163 | [B<-srpuserseed val>] | |
a2151c5b DSH |
164 | [B<-ssl3>] |
165 | [B<-tls1>] | |
582a17d6 MC |
166 | [B<-tls1_1>] |
167 | [B<-tls1_2>] | |
168 | [B<-tls1_3>] | |
35d15a39 | 169 | [B<-dtls>] |
0bae1960 MC |
170 | [B<-timeout>] |
171 | [B<-mtu +int>] | |
172 | [B<-listen>] | |
35d15a39 MC |
173 | [B<-dtls1>] |
174 | [B<-dtls1_2>] | |
19044d3c | 175 | [B<-sctp>] |
09d62b33 | 176 | [B<-sctp_label_bug>] |
a2151c5b | 177 | [B<-no_dhe>] |
0bae1960 MC |
178 | [B<-nextprotoneg val>] |
179 | [B<-use_srtp val>] | |
180 | [B<-alpn val>] | |
181 | [B<-engine val>] | |
182 | [B<-keylogfile outfile>] | |
183 | [B<-max_early_data int>] | |
6437b802 | 184 | [B<-early_data>] |
3bb5e5b0 MC |
185 | [B<-anti_replay>] |
186 | [B<-no_anti_replay>] | |
7efd0e77 | 187 | |
a2151c5b DSH |
188 | =head1 DESCRIPTION |
189 | ||
190 | The B<s_server> command implements a generic SSL/TLS server which listens | |
191 | for connections on a given port using SSL/TLS. | |
192 | ||
193 | =head1 OPTIONS | |
194 | ||
765b4137 DSH |
195 | In addition to the options below the B<s_server> utility also supports the |
196 | common and server only options documented in the | |
6f0ac0e2 RS |
197 | in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)> |
198 | manual page. | |
765b4137 | 199 | |
a2151c5b DSH |
200 | =over 4 |
201 | ||
169394d4 MR |
202 | =item B<-help> |
203 | ||
204 | Print out a usage message. | |
205 | ||
0bae1960 | 206 | =item B<-port +int> |
a2151c5b | 207 | |
8c73aeb6 | 208 | The TCP port to listen on for connections. If not specified 4433 is used. |
a2151c5b | 209 | |
a22f9c84 E |
210 | =item B<-accept val> |
211 | ||
212 | The optional TCP host and port to listen on for connections. If not specified, *:4433 is used. | |
213 | ||
a22f9c84 E |
214 | =item B<-unix val> |
215 | ||
216 | Unix domain socket to accept on. | |
217 | ||
a22f9c84 E |
218 | =item B<-4> |
219 | ||
220 | Use IPv4 only. | |
221 | ||
222 | =item B<-6> | |
223 | ||
224 | Use IPv6 only. | |
225 | ||
0bae1960 MC |
226 | =item B<-unlink> |
227 | ||
228 | For -unix, unlink any existing socket first. | |
229 | ||
230 | =item B<-context val> | |
a2151c5b | 231 | |
8c73aeb6 | 232 | Sets the SSL context id. It can be given any string value. If this option |
cc8709a0 | 233 | is not present a default value will be used. |
a2151c5b | 234 | |
0bae1960 MC |
235 | =item B<-verify int>, B<-Verify int> |
236 | ||
237 | The verify depth to use. This specifies the maximum length of the | |
238 | client certificate chain and makes the server request a certificate from | |
239 | the client. With the B<-verify> option a certificate is requested but the | |
240 | client does not have to send one, with the B<-Verify> option the client | |
241 | must supply a certificate or an error occurs. | |
242 | ||
243 | If the cipher suite cannot request a client certificate (for example an | |
244 | anonymous cipher suite or PSK) this option has no effect. | |
245 | ||
246 | =item B<-cert infile> | |
a2151c5b DSH |
247 | |
248 | The certificate to use, most servers cipher suites require the use of a | |
249 | certificate and some require a certificate with a certain public key type: | |
250 | for example the DSS cipher suites require a certificate containing a DSS | |
251 | (DSA) key. If not specified then the filename "server.pem" will be used. | |
252 | ||
7cacbe9d DB |
253 | =item B<-cert_chain> |
254 | ||
255 | A file containing trusted certificates to use when attempting to build the | |
256 | client/server certificate chain related to the certificate specified via the | |
257 | B<-cert> option. | |
258 | ||
259 | =item B<-build_chain> | |
260 | ||
261 | Specify whether the application should build the certificate chain to be | |
262 | provided to the client. | |
263 | ||
0bae1960 MC |
264 | =item B<-nameopt val> |
265 | ||
266 | Option which determines how the subject or issuer names are displayed. The | |
267 | B<val> argument can be a single option or multiple options separated by | |
268 | commas. Alternatively the B<-nameopt> switch may be used more than once to | |
269 | set multiple options. See the L<x509(1)> manual page for details. | |
270 | ||
271 | =item B<-naccept +int> | |
272 | ||
273 | The server will exit after receiving the specified number of connections, | |
274 | default unlimited. | |
275 | ||
276 | =item B<-serverinfo val> | |
277 | ||
278 | A file containing one or more blocks of PEM data. Each PEM block | |
279 | must encode a TLS ServerHello extension (2 bytes type, 2 bytes length, | |
280 | followed by "length" bytes of extension data). If the client sends | |
281 | an empty TLS ClientHello extension matching the type, the corresponding | |
282 | ServerHello extension will be returned. | |
283 | ||
284 | =item B<-certform PEM|DER> | |
826a42a0 DSH |
285 | |
286 | The certificate format to use: DER or PEM. PEM is the default. | |
287 | ||
0bae1960 | 288 | =item B<-key infile> |
a2151c5b DSH |
289 | |
290 | The private key to use. If not specified then the certificate file will | |
291 | be used. | |
292 | ||
826a42a0 DSH |
293 | =item B<-keyform format> |
294 | ||
295 | The private format to use: DER or PEM. PEM is the default. | |
296 | ||
0bae1960 | 297 | =item B<-pass val> |
826a42a0 | 298 | |
0bae1960 | 299 | The private key password source. For more information about the format of B<val> |
9b86974e | 300 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. |
826a42a0 | 301 | |
0bae1960 | 302 | =item B<-dcert infile>, B<-dkey infile> |
a2151c5b | 303 | |
8c73aeb6 | 304 | Specify an additional certificate and private key, these behave in the |
a2151c5b DSH |
305 | same manner as the B<-cert> and B<-key> options except there is no default |
306 | if they are not specified (no additional certificate and key is used). As | |
307 | noted above some cipher suites require a certificate containing a key of | |
308 | a certain type. Some cipher suites need a certificate carrying an RSA key | |
309 | and some a DSS (DSA) key. By using RSA and DSS certificates and keys | |
310 | a server can support clients which only support RSA or DSS cipher suites | |
311 | by using an appropriate certificate. | |
312 | ||
7cacbe9d DB |
313 | =item B<-dcert_chain> |
314 | ||
315 | A file containing trusted certificates to use when attempting to build the | |
316 | server certificate chain when a certificate specified via the B<-dcert> option | |
317 | is in use. | |
318 | ||
0bae1960 | 319 | =item B<-dcertform PEM|DER>, B<-dkeyform PEM|DER>, B<-dpass val> |
826a42a0 | 320 | |
8c73aeb6 | 321 | Additional certificate and private key format and passphrase respectively. |
826a42a0 | 322 | |
7cacbe9d DB |
323 | =item B<-xkey infile>, B<-xcert infile>, B<-xchain> |
324 | ||
325 | Specify an extra certificate, private key and certificate chain. These behave | |
326 | in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When | |
327 | specified, the callback returning the first valid chain will be in use by | |
328 | the server. | |
329 | ||
330 | =item B<-xchain_build> | |
331 | ||
332 | Specify whether the application should build the certificate chain to be | |
333 | provided to the client for the extra certificates provided via B<-xkey infile>, | |
334 | B<-xcert infile>, B<-xchain> options. | |
335 | ||
336 | =item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER> | |
337 | ||
338 | Extra certificate and private key format respectively. | |
339 | ||
0bae1960 | 340 | =item B<-nbio_test> |
a2151c5b | 341 | |
0bae1960 | 342 | Tests non blocking I/O. |
a2151c5b | 343 | |
0bae1960 | 344 | =item B<-crlf> |
a2151c5b | 345 | |
0bae1960 | 346 | This option translated a line feed from the terminal into CR+LF. |
a2151c5b | 347 | |
0bae1960 | 348 | =item B<-debug> |
a2151c5b | 349 | |
0bae1960 | 350 | Print extensive debugging information including a hex dump of all traffic. |
a2151c5b | 351 | |
0bae1960 | 352 | =item B<-msg> |
51e00db2 | 353 | |
0bae1960 | 354 | Show all protocol messages with hex dump. |
51e00db2 | 355 | |
0bae1960 | 356 | =item B<-msgfile outfile> |
a2151c5b | 357 | |
0bae1960 | 358 | File to send output of B<-msg> or B<-trace> to, default standard output. |
a2151c5b | 359 | |
0bae1960 MC |
360 | =item B<-state> |
361 | ||
362 | Prints the SSL session states. | |
363 | ||
364 | =item B<-CAfile infile> | |
a2151c5b DSH |
365 | |
366 | A file containing trusted certificates to use during client authentication | |
367 | and to use when attempting to build the server certificate chain. The list | |
368 | is also used in the list of acceptable client CAs passed to the client when | |
369 | a certificate is requested. | |
370 | ||
0bae1960 MC |
371 | =item B<-CApath dir> |
372 | ||
373 | The directory to use for client certificate verification. This directory | |
7cacbe9d | 374 | must be in "hash format", see L<verify(1)> for more information. These are |
0bae1960 MC |
375 | also used when building the server certificate chain. |
376 | ||
7cacbe9d DB |
377 | =item B<-chainCApath dir> |
378 | ||
379 | The directory to use for building the chain provided to the client. This | |
380 | directory must be in "hash format", see L<verify(1)> for more information. | |
381 | ||
382 | =item B<-chainCAfile file> | |
383 | ||
384 | A file containing trusted certificates to use when attempting to build the | |
385 | server certificate chain. | |
386 | ||
40e2d76b MC |
387 | =item B<-no-CAfile> |
388 | ||
c4de074e | 389 | Do not load the trusted CA certificates from the default file location. |
40e2d76b MC |
390 | |
391 | =item B<-no-CApath> | |
392 | ||
c4de074e | 393 | Do not load the trusted CA certificates from the default directory location. |
40e2d76b | 394 | |
0bae1960 | 395 | =item B<-nocert> |
8d419330 | 396 | |
0bae1960 MC |
397 | If this option is set then no certificate is used. This restricts the |
398 | cipher suites available to the anonymous ones (currently just anonymous | |
399 | DH). | |
8d419330 | 400 | |
0bae1960 | 401 | =item B<-quiet> |
a2151c5b | 402 | |
0bae1960 | 403 | Inhibit printing of session and certificate information. |
a2151c5b | 404 | |
0bae1960 | 405 | =item B<-www> |
a2151c5b | 406 | |
0bae1960 MC |
407 | Sends a status message back to the client when it connects. This includes |
408 | information about the ciphers used and various session parameters. | |
409 | The output is in HTML format so this option will normally be used with a | |
6ef40f1f | 410 | web browser. Cannot be used in conjunction with B<-early_data>. |
a2151c5b | 411 | |
0bae1960 | 412 | =item B<-WWW> |
1d8634b1 | 413 | |
0bae1960 MC |
414 | Emulates a simple web server. Pages will be resolved relative to the |
415 | current directory, for example if the URL https://myhost/page.html is | |
6ef40f1f MC |
416 | requested the file ./page.html will be loaded. Cannot be used in conjunction |
417 | with B<-early_data>. | |
1d8634b1 | 418 | |
0bae1960 | 419 | =item B<-tlsextdebug> |
8dbeb110 | 420 | |
0bae1960 | 421 | Print a hex dump of any TLS extensions received from the server. |
8dbeb110 | 422 | |
0bae1960 | 423 | =item B<-HTTP> |
8dbeb110 | 424 | |
0bae1960 MC |
425 | Emulates a simple web server. Pages will be resolved relative to the |
426 | current directory, for example if the URL https://myhost/page.html is | |
427 | requested the file ./page.html will be loaded. The files loaded are | |
428 | assumed to contain a complete and correct HTTP response (lines that | |
6ef40f1f MC |
429 | are part of the HTTP response line and headers must end with CRLF). Cannot be |
430 | used in conjunction with B<-early_data>. | |
8dbeb110 | 431 | |
0bae1960 | 432 | =item B<-id_prefix val> |
a2151c5b | 433 | |
0bae1960 MC |
434 | Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful |
435 | for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple | |
436 | servers, when each of which might be generating a unique range of session | |
437 | IDs (eg. with a certain prefix). | |
a2151c5b | 438 | |
3ee1eac2 | 439 | =item B<-rand file...> |
a2151c5b | 440 | |
0bae1960 | 441 | A file or files containing random data used to seed the random number |
3ee1eac2 | 442 | generator. |
0bae1960 MC |
443 | Multiple files can be specified separated by an OS-dependent character. |
444 | The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | |
445 | all others. | |
a2151c5b | 446 | |
3ee1eac2 RS |
447 | =item [B<-writerand file>] |
448 | ||
449 | Writes random data to the specified I<file> upon exit. | |
450 | This can be used with a subsequent B<-rand> flag. | |
451 | ||
0bae1960 | 452 | =item B<-verify_return_error> |
a2151c5b | 453 | |
0bae1960 MC |
454 | Verification errors normally just print a message but allow the |
455 | connection to continue, for debugging purposes. | |
456 | If this option is used, then verification errors close the connection. | |
a2151c5b | 457 | |
0bae1960 | 458 | =item B<-status> |
a2151c5b | 459 | |
0bae1960 | 460 | Enables certificate status request support (aka OCSP stapling). |
a2151c5b | 461 | |
0bae1960 | 462 | =item B<-status_verbose> |
ddac1974 | 463 | |
0bae1960 MC |
464 | Enables certificate status request support (aka OCSP stapling) and gives |
465 | a verbose printout of the OCSP response. | |
ddac1974 | 466 | |
0bae1960 | 467 | =item B<-status_timeout int> |
720b6cbe | 468 | |
0bae1960 | 469 | Sets the timeout for OCSP response to B<int> seconds. |
720b6cbe | 470 | |
0bae1960 | 471 | =item B<-status_url val> |
ddac1974 | 472 | |
0bae1960 MC |
473 | Sets a fallback responder URL to use if no responder URL is present in the |
474 | server certificate. Without this option an error is returned if the server | |
475 | certificate does not contain a responder address. | |
ddac1974 | 476 | |
0bae1960 | 477 | =item B<-status_file infile> |
a2151c5b | 478 | |
0bae1960 MC |
479 | Overrides any OCSP responder URLs from the certificate and always provides the |
480 | OCSP Response stored in the file. The file must be in DER format. | |
a2151c5b | 481 | |
0bae1960 | 482 | =item B<-trace> |
35d15a39 | 483 | |
0bae1960 MC |
484 | Show verbose trace output of protocol messages. OpenSSL needs to be compiled |
485 | with B<enable-ssl-trace> for this option to work. | |
35d15a39 | 486 | |
0bae1960 | 487 | =item B<-brief> |
35d15a39 | 488 | |
0bae1960 MC |
489 | Provide a brief summary of connection parameters instead of the normal verbose |
490 | output. | |
35d15a39 | 491 | |
0bae1960 | 492 | =item B<-rev> |
19044d3c | 493 | |
0bae1960 | 494 | Simple test server which just reverses the text received from the client |
6ef40f1f MC |
495 | and sends it back to the server. Also sets B<-brief>. Cannot be used in |
496 | conjunction with B<-early_data>. | |
19044d3c | 497 | |
bc8857bf MC |
498 | =item B<-async> |
499 | ||
8c73aeb6 | 500 | Switch on asynchronous mode. Cryptographic operations will be performed |
bc8857bf MC |
501 | asynchronously. This will only have an effect if an asynchronous capable engine |
502 | is also used via the B<-engine> option. For test purposes the dummy async engine | |
503 | (dasync) can be used (if available). | |
504 | ||
0bae1960 | 505 | =item B<-max_send_frag +int> |
28e5ea88 F |
506 | |
507 | The maximum size of data fragment to send. | |
508 | See L<SSL_CTX_set_max_send_fragment(3)> for further information. | |
509 | ||
0bae1960 | 510 | =item B<-split_send_frag +int> |
0df80881 MC |
511 | |
512 | The size used to split data for encrypt pipelines. If more data is written in | |
513 | one go than this value then it will be split into multiple pipelines, up to the | |
514 | maximum number of pipelines defined by max_pipelines. This only has an effect if | |
c4de074e | 515 | a suitable cipher suite has been negotiated, an engine that supports pipelining |
0df80881 MC |
516 | has been loaded, and max_pipelines is greater than 1. See |
517 | L<SSL_CTX_set_split_send_fragment(3)> for further information. | |
518 | ||
0bae1960 | 519 | =item B<-max_pipelines +int> |
0df80881 MC |
520 | |
521 | The maximum number of encrypt/decrypt pipelines to be used. This will only have | |
522 | an effect if an engine has been loaded that supports pipelining (e.g. the dasync | |
c4de074e | 523 | engine) and a suitable cipher suite has been negotiated. The default value is 1. |
0df80881 MC |
524 | See L<SSL_CTX_set_max_pipelines(3)> for further information. |
525 | ||
0bae1960 | 526 | =item B<-read_buf +int> |
0df80881 MC |
527 | |
528 | The default read buffer size to be used for connections. This will only have an | |
529 | effect if the buffer size is larger than the size that would otherwise be used | |
530 | and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for | |
531 | further information). | |
532 | ||
0bae1960 MC |
533 | =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> |
534 | ||
535 | These options require or disable the use of the specified SSL or TLS protocols. | |
536 | By default B<s_server> will negotiate the highest mutually supported protocol | |
537 | version. | |
538 | When a specific TLS version is required, only that version will be accepted | |
539 | from the client. | |
ed4fc853 RS |
540 | Note that not all protocols and flags may be available, depending on how |
541 | OpenSSL was built. | |
0bae1960 | 542 | |
a2151c5b DSH |
543 | =item B<-bugs> |
544 | ||
8c73aeb6 | 545 | There are several known bug in SSL and TLS implementations. Adding this |
a2151c5b DSH |
546 | option enables various workarounds. |
547 | ||
0bae1960 MC |
548 | =item B<-no_comp> |
549 | ||
550 | Disable negotiation of TLS compression. | |
551 | TLS compression is not recommended and is off by default as of | |
552 | OpenSSL 1.1.0. | |
553 | ||
cc5a9ba4 VD |
554 | =item B<-comp> |
555 | ||
556 | Enable negotiation of TLS compression. | |
557 | This option was introduced in OpenSSL 1.1.0. | |
558 | TLS compression is not recommended and is off by default as of | |
559 | OpenSSL 1.1.0. | |
560 | ||
0bae1960 | 561 | =item B<-no_ticket> |
cc5a9ba4 | 562 | |
7ffb7fbe MC |
563 | Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3 |
564 | is negotiated. See B<-num_tickets>. | |
565 | ||
566 | =item B<-num_tickets> | |
567 | ||
568 | Control the number of tickets that will be sent to the client after a full | |
569 | handshake in TLSv1.3. The default number of tickets is 2. This option does not | |
570 | affect the number of tickets sent after a resumption handshake. | |
cc5a9ba4 | 571 | |
0bae1960 | 572 | =item B<-serverpref> |
765b4137 | 573 | |
0bae1960 MC |
574 | Use the server's cipher preferences, rather than the client's preferences. |
575 | ||
e1c7871d TS |
576 | =item B<-prioritize_chacha> |
577 | ||
578 | Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>. | |
579 | ||
0bae1960 MC |
580 | =item B<-no_resumption_on_reneg> |
581 | ||
582 | Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option. | |
765b4137 | 583 | |
0bae1960 | 584 | =item B<-client_sigalgs val> |
254b58fd SC |
585 | |
586 | Signature algorithms to support for client certificate authentication | |
c4de074e | 587 | (colon-separated list). |
254b58fd | 588 | |
0bae1960 | 589 | =item B<-named_curve val> |
254b58fd SC |
590 | |
591 | Specifies the elliptic curve to use. NOTE: this is single curve, not a list. | |
592 | For a list of all possible curves, use: | |
593 | ||
594 | $ openssl ecparam -list_curves | |
595 | ||
0bae1960 | 596 | =item B<-cipher val> |
a2151c5b | 597 | |
9d2674cd MC |
598 | This allows the list of TLSv1.2 and below ciphersuites used by the server to be |
599 | modified. This list is combined with any TLSv1.3 ciphersuites that have been | |
600 | configured. When the client sends a list of supported ciphers the first client | |
601 | cipher also included in the server list is used. Because the client specifies | |
602 | the preference order, the order of the server cipherlist is irrelevant. See | |
fabce041 | 603 | the B<ciphers> command for more information. |
a2151c5b | 604 | |
9d2674cd MC |
605 | =item B<-ciphersuites val> |
606 | ||
607 | This allows the list of TLSv1.3 ciphersuites used by the server to be modified. | |
608 | This list is combined with any TLSv1.2 and below ciphersuites that have been | |
609 | configured. When the client sends a list of supported ciphers the first client | |
610 | cipher also included in the server list is used. Because the client specifies | |
611 | the preference order, the order of the server cipherlist is irrelevant. See | |
612 | the B<ciphers> command for more information. The format for this list is a | |
613 | simple colon (":") separated list of TLSv1.3 ciphersuite names. | |
614 | ||
0bae1960 | 615 | =item B<-dhparam infile> |
7b825005 | 616 | |
0bae1960 MC |
617 | The DH parameter file to use. The ephemeral DH cipher suites generate keys |
618 | using a set of DH parameters. If not specified then an attempt is made to | |
619 | load the parameters from the server certificate file. | |
620 | If this fails then a static set of parameters hard coded into the B<s_server> | |
621 | program will be used. | |
765b4137 | 622 | |
0bae1960 MC |
623 | =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, |
624 | B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, | |
625 | B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>, | |
626 | B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, | |
627 | B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, | |
628 | B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, | |
629 | B<-verify_ip>, B<-verify_name>, B<-x509_strict> | |
5270e702 | 630 | |
0bae1960 MC |
631 | Set different peer certificate verification options. |
632 | See the L<verify(1)> manual page for details. | |
5270e702 | 633 | |
0bae1960 | 634 | =item B<-crl_check>, B<-crl_check_all> |
e986704d | 635 | |
0bae1960 MC |
636 | Check the peer certificate has not been revoked by its CA. |
637 | The CRL(s) are appended to the certificate file. With the B<-crl_check_all> | |
638 | option all CRLs of all CAs in the chain are checked. | |
e986704d | 639 | |
0bae1960 | 640 | =item B<-nbio> |
52b621db | 641 | |
0bae1960 | 642 | Turns on non blocking I/O. |
52b621db | 643 | |
0bae1960 | 644 | =item B<-psk_identity val> |
9cd50f73 | 645 | |
0bae1960 MC |
646 | Expect the client to send PSK identity B<val> when using a PSK |
647 | cipher suite, and warn if they do not. By default, the expected PSK | |
648 | identity is the string "Client_identity". | |
9cd50f73 | 649 | |
0bae1960 | 650 | =item B<-psk_hint val> |
36086186 | 651 | |
0bae1960 | 652 | Use the PSK identity hint B<val> when using a PSK cipher suite. |
36086186 | 653 | |
0bae1960 | 654 | =item B<-psk val> |
cba3f1c7 | 655 | |
0bae1960 MC |
656 | Use the PSK key B<val> when using a PSK cipher suite. The key is |
657 | given as a hexadecimal number without leading 0x, for example -psk | |
658 | 1a2b3c4d. | |
659 | This option must be provided in order to use a PSK cipher. | |
cba3f1c7 | 660 | |
9e064bc1 MC |
661 | =item B<-psk_session file> |
662 | ||
663 | Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK. | |
664 | Note that this will only work if TLSv1.3 is negotiated. | |
665 | ||
0bae1960 | 666 | =item B<-listen> |
cba3f1c7 | 667 | |
0bae1960 MC |
668 | This option can only be used in conjunction with one of the DTLS options above. |
669 | With this option B<s_server> will listen on a UDP port for incoming connections. | |
670 | Any ClientHellos that arrive will be checked to see if they have a cookie in | |
671 | them or not. | |
672 | Any without a cookie will be responded to with a HelloVerifyRequest. | |
673 | If a ClientHello with a cookie is received then B<s_server> will connect to | |
674 | that peer and complete the handshake. | |
cba3f1c7 | 675 | |
0bae1960 | 676 | =item B<-dtls>, B<-dtls1>, B<-dtls1_2> |
cba3f1c7 | 677 | |
0bae1960 MC |
678 | These options make B<s_server> use DTLS protocols instead of TLS. |
679 | With B<-dtls>, B<s_server> will negotiate any supported DTLS protocol version, | |
680 | whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and DTLSv1.2 | |
681 | respectively. | |
cba3f1c7 | 682 | |
0bae1960 | 683 | =item B<-sctp> |
cba3f1c7 | 684 | |
0bae1960 MC |
685 | Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in |
686 | conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only | |
687 | available where OpenSSL has support for SCTP enabled. | |
cba3f1c7 | 688 | |
09d62b33 MT |
689 | =item B<-sctp_label_bug> |
690 | ||
691 | Use the incorrect behaviour of older OpenSSL implementations when computing | |
692 | endpoint-pair shared secrets for DTLS/SCTP. This allows communication with | |
693 | older broken implementations but breaks interoperability with correct | |
694 | implementations. Must be used in conjunction with B<-sctp>. This option is only | |
695 | available where OpenSSL has support for SCTP enabled. | |
696 | ||
0bae1960 | 697 | =item B<-no_dhe> |
acf65ae5 | 698 | |
0bae1960 MC |
699 | If this option is set then no DH parameters will be loaded effectively |
700 | disabling the ephemeral DH cipher suites. | |
acf65ae5 | 701 | |
0bae1960 | 702 | =item B<-alpn val>, B<-nextprotoneg val> |
7efd0e77 | 703 | |
c4de074e P |
704 | These flags enable the Enable the Application-Layer Protocol Negotiation |
705 | or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the | |
706 | IETF standard and replaces NPN. | |
0bae1960 | 707 | The B<val> list is a comma-separated list of supported protocol |
c4de074e | 708 | names. The list should contain the most desirable protocols first. |
7efd0e77 HK |
709 | Protocol names are printable ASCII strings, for example "http/1.1" or |
710 | "spdy/3". | |
837f87c2 | 711 | The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. |
7efd0e77 | 712 | |
0bae1960 MC |
713 | =item B<-engine val> |
714 | ||
715 | Specifying an engine (by its unique id string in B<val>) will cause B<s_server> | |
716 | to attempt to obtain a functional reference to the specified engine, | |
717 | thus initialising it if needed. The engine will then be set as the default | |
718 | for all available algorithms. | |
719 | ||
720 | =item B<-keylogfile outfile> | |
39176d44 PW |
721 | |
722 | Appends TLS secrets to the specified keylog file such that external programs | |
723 | (like Wireshark) can decrypt TLS connections. | |
724 | ||
0bae1960 | 725 | =item B<-max_early_data int> |
6437b802 MC |
726 | |
727 | Change the default maximum early data bytes that are specified for new sessions | |
728 | and any incoming early data (when used in conjunction with the B<-early_data> | |
83750d9b MC |
729 | flag). The default value is approximately 16k. The argument must be an integer |
730 | greater than or equal to 0. | |
6437b802 MC |
731 | |
732 | =item B<-early_data> | |
733 | ||
6ef40f1f MC |
734 | Accept early data where possible. Cannot be used in conjunction with B<-www>, |
735 | B<-WWW>, B<-HTTP> or B<-rev>. | |
6437b802 | 736 | |
3bb5e5b0 MC |
737 | =item B<-anti_replay>, B<-no_anti_replay> |
738 | ||
739 | Switches replay protection on or off, respectively. Replay protection is on by | |
740 | default unless overridden by a configuration file. When it is on, OpenSSL will | |
741 | automatically detect if a session ticket has been used more than once, TLSv1.3 | |
742 | has been negotiated, and early data is enabled on the server. A full handshake | |
743 | is forced if a session ticket is used a second or subsequent time. Any early | |
744 | data that was sent will be rejected. | |
745 | ||
a2151c5b DSH |
746 | =back |
747 | ||
748 | =head1 CONNECTED COMMANDS | |
749 | ||
750 | If a connection request is established with an SSL client and neither the | |
4b08eaf5 | 751 | B<-www> nor the B<-WWW> option has been used then normally any data received |
8c73aeb6 | 752 | from the client is displayed and any key presses will be sent to the client. |
4b08eaf5 | 753 | |
3d0dde84 MC |
754 | Certain commands are also recognized which perform special operations. These |
755 | commands are a letter which must appear at the start of a line. They are listed | |
756 | below. | |
4b08eaf5 DSH |
757 | |
758 | =over 4 | |
759 | ||
760 | =item B<q> | |
761 | ||
c4de074e | 762 | End the current SSL connection but still accept new connections. |
4b08eaf5 DSH |
763 | |
764 | =item B<Q> | |
765 | ||
c4de074e | 766 | End the current SSL connection and exit. |
4b08eaf5 DSH |
767 | |
768 | =item B<r> | |
769 | ||
3d0dde84 | 770 | Renegotiate the SSL session (TLSv1.2 and below only). |
4b08eaf5 DSH |
771 | |
772 | =item B<R> | |
773 | ||
3d0dde84 MC |
774 | Renegotiate the SSL session and request a client certificate (TLSv1.2 and below |
775 | only). | |
4b08eaf5 DSH |
776 | |
777 | =item B<P> | |
778 | ||
c4de074e | 779 | Send some plain text down the underlying TCP connection: this should |
4b08eaf5 DSH |
780 | cause the client to disconnect due to a protocol violation. |
781 | ||
782 | =item B<S> | |
783 | ||
c4de074e | 784 | Print out some session cache status information. |
4b08eaf5 | 785 | |
3d0dde84 MC |
786 | =item B<B> |
787 | ||
788 | Send a heartbeat message to the client (DTLS only) | |
789 | ||
790 | =item B<k> | |
791 | ||
792 | Send a key update message to the client (TLSv1.3 only) | |
793 | ||
794 | =item B<K> | |
795 | ||
796 | Send a key update message to the client and request one back (TLSv1.3 only) | |
797 | ||
798 | =item B<c> | |
799 | ||
800 | Send a certificate request to the client (TLSv1.3 only) | |
801 | ||
4b08eaf5 | 802 | =back |
a2151c5b DSH |
803 | |
804 | =head1 NOTES | |
805 | ||
806 | B<s_server> can be used to debug SSL clients. To accept connections from | |
807 | a web browser the command: | |
808 | ||
809 | openssl s_server -accept 443 -www | |
810 | ||
811 | can be used for example. | |
812 | ||
a2151c5b | 813 | Although specifying an empty list of CAs when requesting a client certificate |
4b08eaf5 DSH |
814 | is strictly speaking a protocol violation, some SSL clients interpret this to |
815 | mean any CA is acceptable. This is useful for debugging purposes. | |
a2151c5b DSH |
816 | |
817 | The session parameters can printed out using the B<sess_id> program. | |
818 | ||
819 | =head1 BUGS | |
820 | ||
8c73aeb6 VD |
821 | Because this program has a lot of options and also because some of the |
822 | techniques used are rather old, the C source of B<s_server> is rather hard to | |
823 | read and not a model of how things should be done. | |
824 | A typical SSL server program would be much simpler. | |
a2151c5b DSH |
825 | |
826 | The output of common ciphers is wrong: it just gives the list of ciphers that | |
4b08eaf5 | 827 | OpenSSL recognizes and the client supports. |
a2151c5b DSH |
828 | |
829 | There should be a way for the B<s_server> program to print out details of any | |
830 | unknown cipher suites a client says it supports. | |
831 | ||
832 | =head1 SEE ALSO | |
833 | ||
28e5ea88 | 834 | L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)> |
dfee8626 RS |
835 | L<SSL_CTX_set_max_send_fragment(3)>, |
836 | L<SSL_CTX_set_split_send_fragment(3)>, | |
28e5ea88 | 837 | L<SSL_CTX_set_max_pipelines(3)> |
a2151c5b | 838 | |
fa7b0111 MC |
839 | =head1 HISTORY |
840 | ||
fc5ecadd | 841 | The -no_alt_chains option was added in OpenSSL 1.1.0. |
e1c7871d | 842 | |
fc5ecadd DMSP |
843 | The |
844 | -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. | |
fa7b0111 | 845 | |
e2f92610 RS |
846 | =head1 COPYRIGHT |
847 | ||
b0edda11 | 848 | Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 849 | |
449040b4 | 850 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
851 | this file except in compliance with the License. You can obtain a copy |
852 | in the file LICENSE in the source distribution or at | |
853 | L<https://www.openssl.org/source/license.html>. | |
854 | ||
855 | =cut |