2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-s_server - SSL/TLS server program
10 B<openssl> B<s_server>
23 [B<-certform> B<DER>|B<PEM>]
24 [B<-cert_chain> I<infile>]
26 [B<-serverinfo> I<val>]
29 [B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
32 [B<-dcertform> B<DER>|B<PEM>]
33 [B<-dcert_chain> I<infile>]
35 [B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>]
41 [B<-msgfile> I<outfile>]
45 [B<-no_resume_ephemeral>]
48 [B<-http_server_binmode>]
50 [B<-servername_fatal>]
53 [B<-id_prefix> I<val>]
54 [B<-keymatexport> I<val>]
55 [B<-keymatexportlen> I<+int>]
57 [B<-CRLform> B<DER>|B<PEM>]
59 [B<-chainCAfile> I<infile>]
60 [B<-chainCApath> I<dir>]
61 [B<-chainCAstore> I<uri>]
62 [B<-verifyCAfile> I<infile>]
63 [B<-verifyCApath> I<dir>]
64 [B<-verifyCAstore> I<uri>]
67 [B<-verify_return_error>]
73 [B<-status_timeout> I<int>]
74 [B<-status_url> I<val>]
75 [B<-status_file> I<infile>]
78 [B<-security_debug_verbose>]
82 [B<-ssl_config> I<val>]
83 [B<-max_send_frag> I<+int>]
84 [B<-split_send_frag> I<+int>]
85 [B<-max_pipelines> I<+int>]
87 [B<-read_buf> I<+int>]
93 [B<-legacy_renegotiation>]
94 [B<-no_renegotiation>]
95 [B<-legacy_server_connect>]
96 [B<-no_resumption_on_reneg>]
97 [B<-no_legacy_server_connect>]
98 [B<-allow_no_dhe_kex>]
99 [B<-prioritize_chacha>]
102 [B<-client_sigalgs> I<val>]
105 [B<-named_curve> I<val>]
107 [B<-ciphersuites> I<val>]
108 [B<-dhparam> I<infile>]
109 [B<-record_padding> I<val>]
110 [B<-debug_broken_protocol>]
112 [B<-psk_identity> I<val>]
113 [B<-psk_hint> I<val>]
115 [B<-psk_session> I<file>]
116 [B<-srpvfile> I<infile>]
117 [B<-srpuserseed> I<val>]
124 [B<-nextprotoneg> I<val>]
125 [B<-use_srtp> I<val>]
128 [B<-keylogfile> I<outfile>]
129 [B<-recv_max_early_data> I<int>]
130 [B<-max_early_data> I<int>]
136 {- $OpenSSL::safe::opt_name_synopsis -}
137 {- $OpenSSL::safe::opt_version_synopsis -}
138 {- $OpenSSL::safe::opt_v_synopsis -}
139 {- $OpenSSL::safe::opt_s_synopsis -}
140 {- $OpenSSL::safe::opt_x_synopsis -}
141 {- $OpenSSL::safe::opt_trust_synopsis -}
142 {- $OpenSSL::safe::opt_r_synopsis -}
143 {- $OpenSSL::safe::opt_engine_synopsis -}
144 {- $OpenSSL::safe::opt_provider_synopsis -}
146 =for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine
148 =for openssl ifdef status status_verbose status_timeout status_url status_file
150 =for openssl ifdef psk_hint srpvfile srpuserseed sctp sctp_label_bug
152 =for openssl ifdef sctp sctp_label_bug trace mtu timeout listen
154 =for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls mtu dtls1 dtls1_2
156 =for openssl ifdef sendfile
160 This command implements a generic SSL/TLS server which
161 listens for connections on a given port using SSL/TLS.
165 In addition to the options below, this command also supports
166 the common and server only options documented
167 L<SSL_CONF_cmd(3)/Supported Command Line Commands>
173 Print out a usage message.
175 =item B<-port> I<+int>
177 The TCP port to listen on for connections. If not specified 4433 is used.
179 =item B<-accept> I<val>
181 The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
183 =item B<-unix> I<val>
185 Unix domain socket to accept on.
197 For -unix, unlink any existing socket first.
199 =item B<-context> I<val>
201 Sets the SSL context id. It can be given any string value. If this option
202 is not present a default value will be used.
204 =item B<-verify> I<int>, B<-Verify> I<int>
206 The verify depth to use. This specifies the maximum length of the
207 client certificate chain and makes the server request a certificate from
208 the client. With the B<-verify> option a certificate is requested but the
209 client does not have to send one, with the B<-Verify> option the client
210 must supply a certificate or an error occurs.
212 If the cipher suite cannot request a client certificate (for example an
213 anonymous cipher suite or PSK) this option has no effect.
215 =item B<-cert> I<infile>
217 The certificate to use, most servers cipher suites require the use of a
218 certificate and some require a certificate with a certain public key type:
219 for example the DSS cipher suites require a certificate containing a DSS
220 (DSA) key. If not specified then the filename F<server.pem> will be used.
222 =item B<-certform> B<DER>|B<PEM>
224 The server certificate file format; the default is B<PEM>.
225 See L<openssl(1)/Format Options> for details.
229 A file containing untrusted certificates to use when attempting to build the
230 certificate chain related to the certificate specified via the B<-cert> option.
232 =item B<-build_chain>
234 Specify whether the application should build the server certificate chain to be
235 provided to the client.
237 =item B<-serverinfo> I<val>
239 A file containing one or more blocks of PEM data. Each PEM block
240 must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
241 followed by "length" bytes of extension data). If the client sends
242 an empty TLS ClientHello extension matching the type, the corresponding
243 ServerHello extension will be returned.
245 =item B<-key> I<infile>
247 The private key to use. If not specified then the certificate file will
250 =item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
252 The key format; the default is B<PEM>.
253 See L<openssl(1)/Format Options> for details.
255 =item B<-pass> I<val>
257 The private key password source.
258 For more information about the format of I<val>,
259 see L<openssl(1)/Pass Phrase Options>.
261 =item B<-dcert> I<infile>, B<-dkey> I<infile>
263 Specify an additional certificate and private key, these behave in the
264 same manner as the B<-cert> and B<-key> options except there is no default
265 if they are not specified (no additional certificate and key is used). As
266 noted above some cipher suites require a certificate containing a key of
267 a certain type. Some cipher suites need a certificate carrying an RSA key
268 and some a DSS (DSA) key. By using RSA and DSS certificates and keys
269 a server can support clients which only support RSA or DSS cipher suites
270 by using an appropriate certificate.
272 =item B<-dcert_chain>
274 A file containing untrusted certificates to use when attempting to build the
275 server certificate chain when a certificate specified via the B<-dcert> option
278 =item B<-dcertform> B<DER>|B<PEM>
280 The format of the additional certificate file; the default is B<PEM>.
281 See L<openssl(1)/Format Options>.
283 =item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>
285 The format of the additional private key; the default is B<PEM>.
286 See L<openssl(1)/Format Options>.
288 =item B<-dpass> I<val>
290 The passphrase for the additional private key.
291 For more information about the format of I<val>,
292 see L<openssl(1)/Pass Phrase Options>.
296 Tests non blocking I/O.
300 This option translated a line feed from the terminal into CR+LF.
304 Print extensive debugging information including a hex dump of all traffic.
308 Show all protocol messages with hex dump.
310 =item B<-msgfile> I<outfile>
312 File to send output of B<-msg> or B<-trace> to, default standard output.
316 Prints the SSL session states.
318 =item B<-CRL> I<infile>
322 =item B<-CRLform> B<DER>|B<PEM>
324 The CRL file format; the default is B<PEM>.
325 See L<openssl(1)/Format Options> for details.
327 =item B<-crl_download>
329 Download CRLs from distribution points given in CDP extensions of certificates
331 =item B<-verifyCAfile> I<filename>
333 A file in PEM format CA containing trusted certificates to use
334 for verifying client certificates.
336 =item B<-verifyCApath> I<dir>
338 A directory containing trusted certificates to use
339 for verifying client certificates.
340 This directory must be in "hash format",
341 see L<openssl-verify(1)> for more information.
343 =item B<-verifyCAstore> I<uri>
345 The URI of a store containing trusted certificates to use
346 for verifying client certificates.
348 =item B<-chainCAfile> I<file>
350 A file in PEM format containing trusted certificates to use
351 when attempting to build the server certificate chain.
353 =item B<-chainCApath> I<dir>
355 A directory containing trusted certificates to use
356 for building the server certificate chain provided to the client.
357 This directory must be in "hash format",
358 see L<openssl-verify(1)> for more information.
360 =item B<-chainCAstore> I<uri>
362 The URI of a store containing trusted certificates to use
363 for building the server certificate chain provided to the client.
364 The URI may indicate a single certificate, as well as a collection of them.
365 With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
366 B<-chainCApath>, depending on if the URI indicates a directory or a
368 See L<ossl_store-file(7)> for more information on the C<file:> scheme.
372 If this option is set then no certificate is used. This restricts the
373 cipher suites available to the anonymous ones (currently just anonymous
378 Inhibit printing of session and certificate information.
380 =item B<-tlsextdebug>
382 Print a hex dump of any TLS extensions received from the server.
386 Sends a status message back to the client when it connects. This includes
387 information about the ciphers used and various session parameters.
388 The output is in HTML format so this option can be used with a web browser.
389 The special URL C</renegcert> turns on client cert validation, and C</reneg>
390 tells the server to request renegotiation.
391 The B<-early_data> option cannot be used with this option.
393 =item B<-WWW>, B<-HTTP>
395 Emulates a simple web server. Pages will be resolved relative to the
396 current directory, for example if the URL C<https://myhost/page.html> is
397 requested the file F<./page.html> will be sent.
398 If the B<-HTTP> flag is used, the files are sent directly, and should contain
399 any HTTP response headers (including status response line).
400 If the B<-WWW> option is used,
401 the response headers are generated by the server, and the file extension is
402 examined to determine the B<Content-Type> header.
403 Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
405 In addition, the special URL C</stats> will return status
406 information like the B<-www> option.
407 Neither of these options can be used in conjunction with B<-early_data>.
409 =item B<-http_server_binmode>
411 When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
412 by the client in binary mode.
414 =item B<-id_prefix> I<val>
416 Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
417 for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
418 servers, when each of which might be generating a unique range of session
419 IDs (eg. with a certain prefix).
421 =item B<-verify_return_error>
423 Verification errors normally just print a message but allow the
424 connection to continue, for debugging purposes.
425 If this option is used, then verification errors close the connection.
429 Enables certificate status request support (aka OCSP stapling).
431 =item B<-status_verbose>
433 Enables certificate status request support (aka OCSP stapling) and gives
434 a verbose printout of the OCSP response.
436 =item B<-status_timeout> I<int>
438 Sets the timeout for OCSP response to I<int> seconds.
440 =item B<-status_url> I<val>
442 Sets a fallback responder URL to use if no responder URL is present in the
443 server certificate. Without this option an error is returned if the server
444 certificate does not contain a responder address.
446 =item B<-status_file> I<infile>
448 Overrides any OCSP responder URLs from the certificate and always provides the
449 OCSP Response stored in the file. The file must be in DER format.
453 Show verbose trace output of protocol messages. OpenSSL needs to be compiled
454 with B<enable-ssl-trace> for this option to work.
458 Provide a brief summary of connection parameters instead of the normal verbose
463 Simple test server which just reverses the text received from the client
464 and sends it back to the server. Also sets B<-brief>. Cannot be used in
465 conjunction with B<-early_data>.
469 Switch on asynchronous mode. Cryptographic operations will be performed
470 asynchronously. This will only have an effect if an asynchronous capable engine
471 is also used via the B<-engine> option. For test purposes the dummy async engine
472 (dasync) can be used (if available).
474 =item B<-max_send_frag> I<+int>
476 The maximum size of data fragment to send.
477 See L<SSL_CTX_set_max_send_fragment(3)> for further information.
479 =item B<-split_send_frag> I<+int>
481 The size used to split data for encrypt pipelines. If more data is written in
482 one go than this value then it will be split into multiple pipelines, up to the
483 maximum number of pipelines defined by max_pipelines. This only has an effect if
484 a suitable cipher suite has been negotiated, an engine that supports pipelining
485 has been loaded, and max_pipelines is greater than 1. See
486 L<SSL_CTX_set_split_send_fragment(3)> for further information.
488 =item B<-max_pipelines> I<+int>
490 The maximum number of encrypt/decrypt pipelines to be used. This will only have
491 an effect if an engine has been loaded that supports pipelining (e.g. the dasync
492 engine) and a suitable cipher suite has been negotiated. The default value is 1.
493 See L<SSL_CTX_set_max_pipelines(3)> for further information.
495 =item B<-naccept> I<+int>
497 The server will exit after receiving the specified number of connections,
500 =item B<-read_buf> I<+int>
502 The default read buffer size to be used for connections. This will only have an
503 effect if the buffer size is larger than the size that would otherwise be used
504 and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
505 further information).
509 There are several known bugs in SSL and TLS implementations. Adding this
510 option enables various workarounds.
514 Disable negotiation of TLS compression.
515 TLS compression is not recommended and is off by default as of
520 Enable negotiation of TLS compression.
521 This option was introduced in OpenSSL 1.1.0.
522 TLS compression is not recommended and is off by default as of
527 Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
528 is negotiated. See B<-num_tickets>.
530 =item B<-num_tickets>
532 Control the number of tickets that will be sent to the client after a full
533 handshake in TLSv1.3. The default number of tickets is 2. This option does not
534 affect the number of tickets sent after a resumption handshake.
538 Use the server's cipher preferences, rather than the client's preferences.
540 =item B<-prioritize_chacha>
542 Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
544 =item B<-no_resumption_on_reneg>
546 Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
548 =item B<-client_sigalgs> I<val>
550 Signature algorithms to support for client certificate authentication
551 (colon-separated list).
553 =item B<-named_curve> I<val>
555 Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
556 For a list of all possible curves, use:
558 $ openssl ecparam -list_curves
560 =item B<-cipher> I<val>
562 This allows the list of TLSv1.2 and below ciphersuites used by the server to be
563 modified. This list is combined with any TLSv1.3 ciphersuites that have been
564 configured. When the client sends a list of supported ciphers the first client
565 cipher also included in the server list is used. Because the client specifies
566 the preference order, the order of the server cipherlist is irrelevant. See
567 L<openssl-ciphers(1)> for more information.
569 =item B<-ciphersuites> I<val>
571 This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
572 This list is combined with any TLSv1.2 and below ciphersuites that have been
573 configured. When the client sends a list of supported ciphers the first client
574 cipher also included in the server list is used. Because the client specifies
575 the preference order, the order of the server cipherlist is irrelevant. See
576 L<openssl-ciphers(1)> command for more information. The format for this list is
577 a simple colon (":") separated list of TLSv1.3 ciphersuite names.
579 =item B<-dhparam> I<infile>
581 The DH parameter file to use. The ephemeral DH cipher suites generate keys
582 using a set of DH parameters. If not specified then an attempt is made to
583 load the parameters from the server certificate file.
584 If this fails then a static set of parameters hard coded into this command
589 Turns on non blocking I/O.
591 =item B<-psk_identity> I<val>
593 Expect the client to send PSK identity I<val> when using a PSK
594 cipher suite, and warn if they do not. By default, the expected PSK
595 identity is the string "Client_identity".
597 =item B<-psk_hint> I<val>
599 Use the PSK identity hint I<val> when using a PSK cipher suite.
603 Use the PSK key I<val> when using a PSK cipher suite. The key is
604 given as a hexadecimal number without leading 0x, for example -psk
606 This option must be provided in order to use a PSK cipher.
608 =item B<-psk_session> I<file>
610 Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
611 Note that this will only work if TLSv1.3 is negotiated.
615 This option can only be used in conjunction with one of the DTLS options above.
616 With this option, this command will listen on a UDP port for incoming
618 Any ClientHellos that arrive will be checked to see if they have a cookie in
620 Any without a cookie will be responded to with a HelloVerifyRequest.
621 If a ClientHello with a cookie is received then this command will
622 connect to that peer and complete the handshake.
626 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
627 conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
628 available where OpenSSL has support for SCTP enabled.
630 =item B<-sctp_label_bug>
632 Use the incorrect behaviour of older OpenSSL implementations when computing
633 endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
634 older broken implementations but breaks interoperability with correct
635 implementations. Must be used in conjunction with B<-sctp>. This option is only
636 available where OpenSSL has support for SCTP enabled.
640 If this option is set then no DH parameters will be loaded effectively
641 disabling the ephemeral DH cipher suites.
643 =item B<-alpn> I<val>, B<-nextprotoneg> I<val>
645 These flags enable the Enable the Application-Layer Protocol Negotiation
646 or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
647 IETF standard and replaces NPN.
648 The I<val> list is a comma-separated list of supported protocol
649 names. The list should contain the most desirable protocols first.
650 Protocol names are printable ASCII strings, for example "http/1.1" or
652 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
656 If this option is set and KTLS is enabled, SSL_sendfile() will be used
657 instead of BIO_write() to send the HTTP response requested by a client.
658 This option is only valid if B<-WWW> or B<-HTTP> is specified.
660 =item B<-keylogfile> I<outfile>
662 Appends TLS secrets to the specified keylog file such that external programs
663 (like Wireshark) can decrypt TLS connections.
665 =item B<-max_early_data> I<int>
667 Change the default maximum early data bytes that are specified for new sessions
668 and any incoming early data (when used in conjunction with the B<-early_data>
669 flag). The default value is approximately 16k. The argument must be an integer
670 greater than or equal to 0.
672 =item B<-recv_max_early_data> I<int>
674 Specify the hard limit on the maximum number of early data bytes that will
679 Accept early data where possible. Cannot be used in conjunction with B<-www>,
680 B<-WWW>, B<-HTTP> or B<-rev>.
684 Require TLSv1.3 cookies.
686 =item B<-anti_replay>, B<-no_anti_replay>
688 Switches replay protection on or off, respectively. Replay protection is on by
689 default unless overridden by a configuration file. When it is on, OpenSSL will
690 automatically detect if a session ticket has been used more than once, TLSv1.3
691 has been negotiated, and early data is enabled on the server. A full handshake
692 is forced if a session ticket is used a second or subsequent time. Any early
693 data that was sent will be rejected.
695 {- $OpenSSL::safe::opt_name_item -}
697 {- $OpenSSL::safe::opt_version_item -}
699 {- $OpenSSL::safe::opt_s_item -}
701 {- $OpenSSL::safe::opt_x_item -}
703 {- $OpenSSL::safe::opt_trust_item -}
705 {- $OpenSSL::safe::opt_r_item -}
707 {- $OpenSSL::safe::opt_engine_item -}
709 {- $OpenSSL::safe::opt_provider_item -}
711 {- $OpenSSL::safe::opt_v_item -}
713 If the server requests a client certificate, then
714 verification errors are displayed, for debugging, but the command will
715 proceed unless the B<-verify_return_error> option is used.
719 =head1 CONNECTED COMMANDS
721 If a connection request is established with an SSL client and neither the
722 B<-www> nor the B<-WWW> option has been used then normally any data received
723 from the client is displayed and any key presses will be sent to the client.
725 Certain commands are also recognized which perform special operations. These
726 commands are a letter which must appear at the start of a line. They are listed
733 End the current SSL connection but still accept new connections.
737 End the current SSL connection and exit.
741 Renegotiate the SSL session (TLSv1.2 and below only).
745 Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
750 Send some plain text down the underlying TCP connection: this should
751 cause the client to disconnect due to a protocol violation.
755 Print out some session cache status information.
759 Send a key update message to the client (TLSv1.3 only)
763 Send a key update message to the client and request one back (TLSv1.3 only)
767 Send a certificate request to the client (TLSv1.3 only)
773 This command can be used to debug SSL clients. To accept connections
774 from a web browser the command:
776 openssl s_server -accept 443 -www
778 can be used for example.
780 Although specifying an empty list of CAs when requesting a client certificate
781 is strictly speaking a protocol violation, some SSL clients interpret this to
782 mean any CA is acceptable. This is useful for debugging purposes.
784 The session parameters can printed out using the L<openssl-sess_id(1)> command.
788 Because this program has a lot of options and also because some of the
789 techniques used are rather old, the C source for this command is rather
790 hard to read and not a model of how things should be done.
791 A typical SSL server program would be much simpler.
793 The output of common ciphers is wrong: it just gives the list of ciphers that
794 OpenSSL recognizes and the client supports.
796 There should be a way for this command to print out details
797 of any unknown cipher suites a client says it supports.
802 L<openssl-sess_id(1)>,
803 L<openssl-s_client(1)>,
804 L<openssl-ciphers(1)>,
806 L<SSL_CTX_set_max_send_fragment(3)>,
807 L<SSL_CTX_set_split_send_fragment(3)>,
808 L<SSL_CTX_set_max_pipelines(3)>,
809 L<ossl_store-file(7)>
813 The -no_alt_chains option was added in OpenSSL 1.1.0.
816 -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
820 Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
822 Licensed under the Apache License 2.0 (the "License"). You may not use
823 this file except in compliance with the License. You can obtain a copy
824 in the file LICENSE in the source distribution or at
825 L<https://www.openssl.org/source/license.html>.