=head1 SYNOPSIS
-B<openssl> B<s_client>
+B<openssl> B<s_server>
[B<-accept port>]
+[B<-naccept count>]
[B<-context id>]
[B<-verify depth>]
[B<-Verify depth>]
+[B<-crl_check>]
+[B<-crl_check_all>]
[B<-cert filename>]
+[B<-certform DER|PEM>]
[B<-key keyfile>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
[B<-dcert filename>]
+[B<-dcertform DER|PEM>]
[B<-dkey keyfile>]
+[B<-dkeyform DER|PEM>]
+[B<-dpass arg>]
[B<-dhparam filename>]
[B<-nbio>]
[B<-nbio_test>]
[B<-crlf>]
[B<-debug>]
+[B<-msg>]
[B<-state>]
[B<-CApath directory>]
[B<-CAfile filename>]
[B<-no_tls1>]
[B<-no_dhe>]
[B<-bugs>]
+[B<-brief>]
[B<-hack>]
[B<-www>]
[B<-WWW>]
-
+[B<-HTTP>]
+[B<-engine id>]
+[B<-tlsextdebug>]
+[B<-no_ticket>]
+[B<-id_prefix arg>]
+[B<-rand file(s)>]
+[B<-serverinfo file>]
+[B<-auth>]
+[B<-auth_require_reneg>]
+[B<-no_resumption_on_reneg>]
=head1 DESCRIPTION
The B<s_server> command implements a generic SSL/TLS server which listens
=head1 OPTIONS
+In addition to the options below the B<s_server> utility also supports the
+common and server only options documented in the
+L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> manual
+page.
+
=over 4
=item B<-accept port>
the TCP port to listen on for connections. If not specified 4433 is used.
+=item B<-naccept count>
+
+The server will exit after receiving B<number> connections, default unlimited.
+
=item B<-context id>
sets the SSL context id. It can be given any string value. If this option
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename "server.pem" will be used.
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
=item B<-key keyfile>
The private key to use. If not specified then the certificate file will
be used.
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
=item B<-dcert filename>, B<-dkey keyname>
specify an additional certificate and private key, these behave in the
a server can support clients which only support RSA or DSS cipher suites
by using an appropriate certificate.
+=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
+
+additional certificate and private key format and passphrase respectively.
+
=item B<-nocert>
if this option is set then no certificate is used. This restricts the
load the parameters from the server certificate file. If this fails then
a static set of parameters hard coded into the s_server program will be used.
-=item B<-nodhe>
+=item B<-no_dhe>
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
+=item B<-crl_check>, B<-crl_check_all>
+
+Check the peer certificate has not been revoked by its CA.
+The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
+option all CRLs of all CAs in the chain are checked.
+
=item B<-CApath directory>
The directory to use for client certificate verification. This directory
print extensive debugging information including a hex dump of all traffic.
+=item B<-msg>
+
+show all protocol messages with hex dump.
+
+=item B<-trace>
+
+show verbose trace output of protocol messages. OpenSSL needs to be compiled
+with B<enable-ssl-trace> for this option to work.
+
+=item B<-msgfile>
+
+file to send output of B<-msg> or B<-trace> to, default standard output.
+
=item B<-nbio_test>
tests non blocking I/O
inhibit printing of session and certificate information.
+=item B<-psk_hint hint>
+
+Use the PSK identity hint B<hint> when using a PSK cipher suite.
+
+=item B<-psk key>
+
+Use the PSK key B<key> when using a PSK cipher suite. The key is
+given as a hexadecimal number without leading 0x, for example -psk
+1a2b3c4d.
+
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
these options disable the use of certain SSL or TLS protocols. By default
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
+=item B<-brief>
+
+only provide a brief summary of connection parameters instead of the
+normal verbose output.
+
=item B<-hack>
this option enables a further workaround for some some early Netscape
=item B<-cipher cipherlist>
-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list used by the server to be modified. When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B<ciphers> command for more information.
+
+=item B<-tlsextdebug>
+
+print out a hex dump of any TLS extensions received from the server.
+
+=item B<-no_ticket>
+
+disable RFC4507bis session ticket support.
=item B<-www>
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded.
+=item B<-HTTP>
+
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the URL https://myhost/page.html is
+requested the file ./page.html will be loaded. The files loaded are
+assumed to contain a complete and correct HTTP response (lines that
+are part of the HTTP response line and headers must end with CRLF).
+
+=item B<-rev>
+
+simple test server which just reverses the text received from the client
+and sends it back to the server. Also sets B<-brief>.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B<id> string) will cause B<s_server>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=item B<-id_prefix arg>
+
+generate SSL/TLS session IDs prefixed by B<arg>. This is mostly useful
+for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
+servers, when each of which might be generating a unique range of session
+IDs (eg. with a certain prefix).
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item B<-serverinfo file>
+
+a file containing one or more blocks of PEM data. Each PEM block
+must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
+followed by "length" bytes of extension data). If the client sends
+an empty TLS ClientHello extension matching the type, the corresponding
+ServerHello extension will be returned.
+
+=item B<-auth>
+
+send RFC 5878 client and server authorization extensions in the Client Hello as well as
+supplemental data if the server also sent the authorization extensions in the Server Hello.
+
+=item B<-auth_require_reneg>
+
+only send RFC 5878 client and server authorization extensions during renegotiation.
+
+=item B<-no_resumption_on_reneg>
+
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Required in order to receive supplemental data
+during renegotiation if auth and auth_require_reneg are set.
+
=back
=head1 CONNECTED COMMANDS
B<-www> nor the B<-WWW> option has been used then normally any data received
from the client is displayed and any key presses will be sent to the client.
-Certain single letter commands are also recognised which perform special
+Certain single letter commands are also recognized which perform special
operations: these are listed below.
=over 4
=head1 SEE ALSO
-sess_id(1), s_client(1), ciphers(1)
+L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
=cut
projects / openssl.git / blobdiff