2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-s_server - SSL/TLS server program
10 B<openssl> B<s_server>
23 [B<-certform> B<DER>|B<PEM>|B<P12>]
24 [B<-cert_chain> I<infile>]
26 [B<-serverinfo> I<val>]
27 [B<-key> I<filename>|I<uri>]
28 [B<-key2> I<filename>|I<uri>]
29 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
32 [B<-dcertform> B<DER>|B<PEM>|B<P12>]
33 [B<-dcert_chain> I<infile>]
34 [B<-dkey> I<filename>|I<uri>]
35 [B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
41 [B<-msgfile> I<outfile>]
45 [B<-no_resume_ephemeral>]
48 [B<-http_server_binmode>]
50 [B<-ignore_unexpected_eof>]
52 [B<-servername_fatal>]
55 [B<-id_prefix> I<val>]
56 [B<-keymatexport> I<val>]
57 [B<-keymatexportlen> I<+int>]
59 [B<-CRLform> B<DER>|B<PEM>]
61 [B<-chainCAfile> I<infile>]
62 [B<-chainCApath> I<dir>]
63 [B<-chainCAstore> I<uri>]
64 [B<-verifyCAfile> I<infile>]
65 [B<-verifyCApath> I<dir>]
66 [B<-verifyCAstore> I<uri>]
69 [B<-verify_return_error>]
75 [B<-status_timeout> I<int>]
76 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
77 [B<-no_proxy> I<addresses>]
78 [B<-status_url> I<val>]
79 [B<-status_file> I<infile>]
82 [B<-security_debug_verbose>]
86 [B<-ssl_config> I<val>]
87 [B<-max_send_frag> I<+int>]
88 [B<-split_send_frag> I<+int>]
89 [B<-max_pipelines> I<+int>]
91 [B<-read_buf> I<+int>]
97 [B<-legacy_renegotiation>]
98 [B<-no_renegotiation>]
99 [B<-no_resumption_on_reneg>]
100 [B<-no_legacy_server_connect>]
101 [B<-allow_no_dhe_kex>]
102 [B<-prioritize_chacha>]
105 [B<-client_sigalgs> I<val>]
108 [B<-named_curve> I<val>]
110 [B<-ciphersuites> I<val>]
111 [B<-dhparam> I<infile>]
112 [B<-record_padding> I<val>]
113 [B<-debug_broken_protocol>]
115 [B<-psk_identity> I<val>]
116 [B<-psk_hint> I<val>]
118 [B<-psk_session> I<file>]
119 [B<-srpvfile> I<infile>]
120 [B<-srpuserseed> I<val>]
127 [B<-nextprotoneg> I<val>]
128 [B<-use_srtp> I<val>]
131 [B<-keylogfile> I<outfile>]
132 [B<-recv_max_early_data> I<int>]
133 [B<-max_early_data> I<int>]
139 {- $OpenSSL::safe::opt_name_synopsis -}
140 {- $OpenSSL::safe::opt_version_synopsis -}
141 {- $OpenSSL::safe::opt_v_synopsis -}
142 {- $OpenSSL::safe::opt_s_synopsis -}
143 {- $OpenSSL::safe::opt_x_synopsis -}
144 {- $OpenSSL::safe::opt_trust_synopsis -}
145 {- $OpenSSL::safe::opt_r_synopsis -}
146 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
150 This command implements a generic SSL/TLS server which
151 listens for connections on a given port using SSL/TLS.
155 In addition to the options below, this command also supports
156 the common and server only options documented
157 L<SSL_CONF_cmd(3)/Supported Command Line Commands>
163 Print out a usage message.
165 =item B<-port> I<+int>
167 The TCP port to listen on for connections. If not specified 4433 is used.
169 =item B<-accept> I<val>
171 The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
173 =item B<-unix> I<val>
175 Unix domain socket to accept on.
187 For -unix, unlink any existing socket first.
189 =item B<-context> I<val>
191 Sets the SSL context id. It can be given any string value. If this option
192 is not present a default value will be used.
194 =item B<-verify> I<int>, B<-Verify> I<int>
196 The verify depth to use. This specifies the maximum length of the
197 client certificate chain and makes the server request a certificate from
198 the client. With the B<-verify> option a certificate is requested but the
199 client does not have to send one, with the B<-Verify> option the client
200 must supply a certificate or an error occurs.
202 If the cipher suite cannot request a client certificate (for example an
203 anonymous cipher suite or PSK) this option has no effect.
205 =item B<-cert> I<infile>
207 The certificate to use, most servers cipher suites require the use of a
208 certificate and some require a certificate with a certain public key type:
209 for example the DSS cipher suites require a certificate containing a DSS
210 (DSA) key. If not specified then the filename F<server.pem> will be used.
212 =item B<-cert2> I<infile>
214 The certificate file to use for servername; default is C<server2.pem>.
216 =item B<-certform> B<DER>|B<PEM>|B<P12>
218 The server certificate file format; unspecified by default.
219 See L<openssl-format-options(1)> for details.
223 A file or URI of untrusted certificates to use when attempting to build the
224 certificate chain related to the certificate specified via the B<-cert> option.
225 The input can be in PEM, DER, or PKCS#12 format.
227 =item B<-build_chain>
229 Specify whether the application should build the server certificate chain to be
230 provided to the client.
232 =item B<-serverinfo> I<val>
234 A file containing one or more blocks of PEM data. Each PEM block
235 must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
236 followed by "length" bytes of extension data). If the client sends
237 an empty TLS ClientHello extension matching the type, the corresponding
238 ServerHello extension will be returned.
240 =item B<-key> I<filename>|I<uri>
242 The private key to use. If not specified then the certificate file will
245 =item B<-key2> I<filename>|I<uri>
247 The private Key file to use for servername if not given via B<-cert2>.
249 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
251 The key format; unspecified by default.
252 See L<openssl-format-options(1)> for details.
254 =item B<-pass> I<val>
256 The private key and certificate file password source.
257 For more information about the format of I<val>,
258 see L<openssl-passphrase-options(1)>.
260 =item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri>
262 Specify an additional certificate and private key, these behave in the
263 same manner as the B<-cert> and B<-key> options except there is no default
264 if they are not specified (no additional certificate and key is used). As
265 noted above some cipher suites require a certificate containing a key of
266 a certain type. Some cipher suites need a certificate carrying an RSA key
267 and some a DSS (DSA) key. By using RSA and DSS certificates and keys
268 a server can support clients which only support RSA or DSS cipher suites
269 by using an appropriate certificate.
271 =item B<-dcert_chain>
273 A file or URI of untrusted certificates to use when attempting to build the
274 server certificate chain when a certificate specified via the B<-dcert> option
276 The input can be in PEM, DER, or PKCS#12 format.
278 =item B<-dcertform> B<DER>|B<PEM>|B<P12>
280 The format of the additional certificate file; unspecified by default.
281 See L<openssl-format-options(1)> for details.
283 =item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
285 The format of the additional private key; unspecified by default.
286 See L<openssl-format-options(1)> for details.
288 =item B<-dpass> I<val>
290 The passphrase for the additional private key and certificate.
291 For more information about the format of I<val>,
292 see L<openssl-passphrase-options(1)>.
296 Tests non blocking I/O.
300 This option translated a line feed from the terminal into CR+LF.
304 Print extensive debugging information including a hex dump of all traffic.
308 Show all protocol messages with hex dump.
310 =item B<-msgfile> I<outfile>
312 File to send output of B<-msg> or B<-trace> to, default standard output.
316 Prints the SSL session states.
318 =item B<-CRL> I<infile>
322 =item B<-CRLform> B<DER>|B<PEM>
324 The CRL file format; unspecified by default.
325 See L<openssl-format-options(1)> for details.
327 =item B<-crl_download>
329 Download CRLs from distribution points given in CDP extensions of certificates
331 =item B<-verifyCAfile> I<filename>
333 A file in PEM format CA containing trusted certificates to use
334 for verifying client certificates.
336 =item B<-verifyCApath> I<dir>
338 A directory containing trusted certificates to use
339 for verifying client certificates.
340 This directory must be in "hash format",
341 see L<openssl-verify(1)> for more information.
343 =item B<-verifyCAstore> I<uri>
345 The URI of a store containing trusted certificates to use
346 for verifying client certificates.
348 =item B<-chainCAfile> I<file>
350 A file in PEM format containing trusted certificates to use
351 when attempting to build the server certificate chain.
353 =item B<-chainCApath> I<dir>
355 A directory containing trusted certificates to use
356 for building the server certificate chain provided to the client.
357 This directory must be in "hash format",
358 see L<openssl-verify(1)> for more information.
360 =item B<-chainCAstore> I<uri>
362 The URI of a store containing trusted certificates to use
363 for building the server certificate chain provided to the client.
364 The URI may indicate a single certificate, as well as a collection of them.
365 With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
366 B<-chainCApath>, depending on if the URI indicates a directory or a
368 See L<ossl_store-file(7)> for more information on the C<file:> scheme.
372 If this option is set then no certificate is used. This restricts the
373 cipher suites available to the anonymous ones (currently just anonymous
378 Inhibit printing of session and certificate information.
380 =item B<-tlsextdebug>
382 Print a hex dump of any TLS extensions received from the server.
386 Sends a status message back to the client when it connects. This includes
387 information about the ciphers used and various session parameters.
388 The output is in HTML format so this option can be used with a web browser.
389 The special URL C</renegcert> turns on client cert validation, and C</reneg>
390 tells the server to request renegotiation.
391 The B<-early_data> option cannot be used with this option.
393 =item B<-WWW>, B<-HTTP>
395 Emulates a simple web server. Pages will be resolved relative to the
396 current directory, for example if the URL C<https://myhost/page.html> is
397 requested the file F<./page.html> will be sent.
398 If the B<-HTTP> flag is used, the files are sent directly, and should contain
399 any HTTP response headers (including status response line).
400 If the B<-WWW> option is used,
401 the response headers are generated by the server, and the file extension is
402 examined to determine the B<Content-Type> header.
403 Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
405 In addition, the special URL C</stats> will return status
406 information like the B<-www> option.
407 Neither of these options can be used in conjunction with B<-early_data>.
409 =item B<-http_server_binmode>
411 When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
412 by the client in binary mode.
414 =item B<-no_ca_names>
416 Disable TLS Extension CA Names. You may want to disable it for security reasons
417 or for compatibility with some Windows TLS implementations crashing when this
418 extension is larger than 1024 bytes.
420 =item B<-ignore_unexpected_eof>
422 Some TLS implementations do not send the mandatory close_notify alert on
423 shutdown. If the application tries to wait for the close_notify alert but the
424 peer closes the connection without sending it, an error is generated. When this
425 option is enabled the peer does not need to send the close_notify alert and a
426 closed connection will be treated as if the close_notify alert was received.
427 For more information on shutting down a connection, see L<SSL_shutdown(3)>.
429 =item B<-id_prefix> I<val>
431 Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
432 for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
433 servers, when each of which might be generating a unique range of session
434 IDs (e.g. with a certain prefix).
436 =item B<-verify_return_error>
438 Verification errors normally just print a message but allow the
439 connection to continue, for debugging purposes.
440 If this option is used, then verification errors close the connection.
444 Enables certificate status request support (aka OCSP stapling).
446 =item B<-status_verbose>
448 Enables certificate status request support (aka OCSP stapling) and gives
449 a verbose printout of the OCSP response.
451 =item B<-status_timeout> I<int>
453 Sets the timeout for OCSP response to I<int> seconds.
455 =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
457 The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
459 The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
460 the optional C<http://> or C<https://> prefix is ignored,
461 as well as any userinfo and path components.
462 Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
463 in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
465 =item B<-no_proxy> I<addresses>
467 List of IP addresses and/or DNS names of servers
468 not to use an HTTP(S) proxy for, separated by commas and/or whitespace
469 (where in the latter case the whole argument must be enclosed in "...").
470 Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
472 =item B<-status_url> I<val>
474 Sets a fallback responder URL to use if no responder URL is present in the
475 server certificate. Without this option an error is returned if the server
476 certificate does not contain a responder address.
477 The optional userinfo and fragment URL components are ignored.
478 Any given query component is handled as part of the path component.
480 =item B<-status_file> I<infile>
482 Overrides any OCSP responder URLs from the certificate and always provides the
483 OCSP Response stored in the file. The file must be in DER format.
487 Show verbose trace output of protocol messages. OpenSSL needs to be compiled
488 with B<enable-ssl-trace> for this option to work.
492 Provide a brief summary of connection parameters instead of the normal verbose
497 Simple test server which just reverses the text received from the client
498 and sends it back to the server. Also sets B<-brief>. Cannot be used in
499 conjunction with B<-early_data>.
503 Switch on asynchronous mode. Cryptographic operations will be performed
504 asynchronously. This will only have an effect if an asynchronous capable engine
505 is also used via the B<-engine> option. For test purposes the dummy async engine
506 (dasync) can be used (if available).
508 =item B<-max_send_frag> I<+int>
510 The maximum size of data fragment to send.
511 See L<SSL_CTX_set_max_send_fragment(3)> for further information.
513 =item B<-split_send_frag> I<+int>
515 The size used to split data for encrypt pipelines. If more data is written in
516 one go than this value then it will be split into multiple pipelines, up to the
517 maximum number of pipelines defined by max_pipelines. This only has an effect if
518 a suitable cipher suite has been negotiated, an engine that supports pipelining
519 has been loaded, and max_pipelines is greater than 1. See
520 L<SSL_CTX_set_split_send_fragment(3)> for further information.
522 =item B<-max_pipelines> I<+int>
524 The maximum number of encrypt/decrypt pipelines to be used. This will only have
525 an effect if an engine has been loaded that supports pipelining (e.g. the dasync
526 engine) and a suitable cipher suite has been negotiated. The default value is 1.
527 See L<SSL_CTX_set_max_pipelines(3)> for further information.
529 =item B<-naccept> I<+int>
531 The server will exit after receiving the specified number of connections,
534 =item B<-read_buf> I<+int>
536 The default read buffer size to be used for connections. This will only have an
537 effect if the buffer size is larger than the size that would otherwise be used
538 and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
539 further information).
543 There are several known bugs in SSL and TLS implementations. Adding this
544 option enables various workarounds.
548 Disable negotiation of TLS compression.
549 TLS compression is not recommended and is off by default as of
554 Enable negotiation of TLS compression.
555 This option was introduced in OpenSSL 1.1.0.
556 TLS compression is not recommended and is off by default as of
561 Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
562 is negotiated. See B<-num_tickets>.
564 =item B<-num_tickets>
566 Control the number of tickets that will be sent to the client after a full
567 handshake in TLSv1.3. The default number of tickets is 2. This option does not
568 affect the number of tickets sent after a resumption handshake.
572 Use the server's cipher preferences, rather than the client's preferences.
574 =item B<-prioritize_chacha>
576 Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
578 =item B<-no_resumption_on_reneg>
580 Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
582 =item B<-client_sigalgs> I<val>
584 Signature algorithms to support for client certificate authentication
585 (colon-separated list).
587 =item B<-named_curve> I<val>
589 Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
590 For a list of all possible curves, use:
592 $ openssl ecparam -list_curves
594 =item B<-cipher> I<val>
596 This allows the list of TLSv1.2 and below ciphersuites used by the server to be
597 modified. This list is combined with any TLSv1.3 ciphersuites that have been
598 configured. When the client sends a list of supported ciphers the first client
599 cipher also included in the server list is used. Because the client specifies
600 the preference order, the order of the server cipherlist is irrelevant. See
601 L<openssl-ciphers(1)> for more information.
603 =item B<-ciphersuites> I<val>
605 This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
606 This list is combined with any TLSv1.2 and below ciphersuites that have been
607 configured. When the client sends a list of supported ciphers the first client
608 cipher also included in the server list is used. Because the client specifies
609 the preference order, the order of the server cipherlist is irrelevant. See
610 L<openssl-ciphers(1)> command for more information. The format for this list is
611 a simple colon (":") separated list of TLSv1.3 ciphersuite names.
613 =item B<-dhparam> I<infile>
615 The DH parameter file to use. The ephemeral DH cipher suites generate keys
616 using a set of DH parameters. If not specified then an attempt is made to
617 load the parameters from the server certificate file.
618 If this fails then a static set of parameters hard coded into this command
623 Turns on non blocking I/O.
625 =item B<-psk_identity> I<val>
627 Expect the client to send PSK identity I<val> when using a PSK
628 cipher suite, and warn if they do not. By default, the expected PSK
629 identity is the string "Client_identity".
631 =item B<-psk_hint> I<val>
633 Use the PSK identity hint I<val> when using a PSK cipher suite.
637 Use the PSK key I<val> when using a PSK cipher suite. The key is
638 given as a hexadecimal number without leading 0x, for example -psk
640 This option must be provided in order to use a PSK cipher.
642 =item B<-psk_session> I<file>
644 Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
645 Note that this will only work if TLSv1.3 is negotiated.
649 This option can only be used in conjunction with one of the DTLS options above.
650 With this option, this command will listen on a UDP port for incoming
652 Any ClientHellos that arrive will be checked to see if they have a cookie in
654 Any without a cookie will be responded to with a HelloVerifyRequest.
655 If a ClientHello with a cookie is received then this command will
656 connect to that peer and complete the handshake.
660 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
661 conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
662 available where OpenSSL has support for SCTP enabled.
664 =item B<-sctp_label_bug>
666 Use the incorrect behaviour of older OpenSSL implementations when computing
667 endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
668 older broken implementations but breaks interoperability with correct
669 implementations. Must be used in conjunction with B<-sctp>. This option is only
670 available where OpenSSL has support for SCTP enabled.
674 If this option is set then no DH parameters will be loaded effectively
675 disabling the ephemeral DH cipher suites.
677 =item B<-alpn> I<val>, B<-nextprotoneg> I<val>
679 These flags enable the Application-Layer Protocol Negotiation
680 or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
681 IETF standard and replaces NPN.
682 The I<val> list is a comma-separated list of supported protocol
683 names. The list should contain the most desirable protocols first.
684 Protocol names are printable ASCII strings, for example "http/1.1" or
686 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
690 If this option is set and KTLS is enabled, SSL_sendfile() will be used
691 instead of BIO_write() to send the HTTP response requested by a client.
692 This option is only valid if B<-WWW> or B<-HTTP> is specified.
694 =item B<-keylogfile> I<outfile>
696 Appends TLS secrets to the specified keylog file such that external programs
697 (like Wireshark) can decrypt TLS connections.
699 =item B<-max_early_data> I<int>
701 Change the default maximum early data bytes that are specified for new sessions
702 and any incoming early data (when used in conjunction with the B<-early_data>
703 flag). The default value is approximately 16k. The argument must be an integer
704 greater than or equal to 0.
706 =item B<-recv_max_early_data> I<int>
708 Specify the hard limit on the maximum number of early data bytes that will
713 Accept early data where possible. Cannot be used in conjunction with B<-www>,
714 B<-WWW>, B<-HTTP> or B<-rev>.
718 Require TLSv1.3 cookies.
720 =item B<-anti_replay>, B<-no_anti_replay>
722 Switches replay protection on or off, respectively. Replay protection is on by
723 default unless overridden by a configuration file. When it is on, OpenSSL will
724 automatically detect if a session ticket has been used more than once, TLSv1.3
725 has been negotiated, and early data is enabled on the server. A full handshake
726 is forced if a session ticket is used a second or subsequent time. Any early
727 data that was sent will be rejected.
729 {- $OpenSSL::safe::opt_name_item -}
731 {- $OpenSSL::safe::opt_version_item -}
733 {- $OpenSSL::safe::opt_s_item -}
735 {- $OpenSSL::safe::opt_x_item -}
737 {- $OpenSSL::safe::opt_trust_item -}
739 {- $OpenSSL::safe::opt_r_item -}
741 {- $OpenSSL::safe::opt_engine_item -}
743 {- $OpenSSL::safe::opt_provider_item -}
745 {- $OpenSSL::safe::opt_v_item -}
747 If the server requests a client certificate, then
748 verification errors are displayed, for debugging, but the command will
749 proceed unless the B<-verify_return_error> option is used.
753 =head1 CONNECTED COMMANDS
755 If a connection request is established with an SSL client and neither the
756 B<-www> nor the B<-WWW> option has been used then normally any data received
757 from the client is displayed and any key presses will be sent to the client.
759 Certain commands are also recognized which perform special operations. These
760 commands are a letter which must appear at the start of a line. They are listed
767 End the current SSL connection but still accept new connections.
771 End the current SSL connection and exit.
775 Renegotiate the SSL session (TLSv1.2 and below only).
779 Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
784 Send some plain text down the underlying TCP connection: this should
785 cause the client to disconnect due to a protocol violation.
789 Print out some session cache status information.
793 Send a key update message to the client (TLSv1.3 only)
797 Send a key update message to the client and request one back (TLSv1.3 only)
801 Send a certificate request to the client (TLSv1.3 only)
807 This command can be used to debug SSL clients. To accept connections
808 from a web browser the command:
810 openssl s_server -accept 443 -www
812 can be used for example.
814 Although specifying an empty list of CAs when requesting a client certificate
815 is strictly speaking a protocol violation, some SSL clients interpret this to
816 mean any CA is acceptable. This is useful for debugging purposes.
818 The session parameters can printed out using the L<openssl-sess_id(1)> command.
822 Because this program has a lot of options and also because some of the
823 techniques used are rather old, the C source for this command is rather
824 hard to read and not a model of how things should be done.
825 A typical SSL server program would be much simpler.
827 The output of common ciphers is wrong: it just gives the list of ciphers that
828 OpenSSL recognizes and the client supports.
830 There should be a way for this command to print out details
831 of any unknown cipher suites a client says it supports.
836 L<openssl-sess_id(1)>,
837 L<openssl-s_client(1)>,
838 L<openssl-ciphers(1)>,
840 L<SSL_CTX_set_max_send_fragment(3)>,
841 L<SSL_CTX_set_split_send_fragment(3)>,
842 L<SSL_CTX_set_max_pipelines(3)>,
843 L<ossl_store-file(7)>
847 The -no_alt_chains option was added in OpenSSL 1.1.0.
850 -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
852 The B<-engine> option was deprecated in OpenSSL 3.0.
856 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
858 Licensed under the Apache License 2.0 (the "License"). You may not use
859 this file except in compliance with the License. You can obtain a copy
860 in the file LICENSE in the source distribution or at
861 L<https://www.openssl.org/source/license.html>.