B<openssl> B<s_server>
[B<-accept port>]
+[B<-naccept count>]
[B<-context id>]
[B<-verify depth>]
[B<-Verify depth>]
+[B<-crl_check>]
+[B<-crl_check_all>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key keyfile>]
[B<-state>]
[B<-CApath directory>]
[B<-CAfile filename>]
+[B<-attime timestamp>]
+[B<-check_ss_sig>]
+[B<-explicit_policy>]
+[B<-extended_crl>]
+[B<-ignore_critical>]
+[B<-inhibit_any>]
+[B<-inhibit_map>]
+[B<-issuer_checks>]
+[B<-partial_chain>]
+[B<-policy arg>]
+[B<-policy_check>]
+[B<-policy_print>]
+[B<-purpose purpose>]
+[B<-suiteB_128>]
+[B<-suiteB_128_only>]
+[B<-suiteB_192>]
+[B<-trusted_first>]
+[B<-use_deltas>]
+[B<-verify_depth num>]
+[B<-verify_email email>]
+[B<-verify_hostname hostname>]
+[B<-verify_ip ip>]
+[B<-verify_name name>]
+[B<-x509_strict>]
[B<-nocert>]
[B<-cipher cipherlist>]
+[B<-serverpref>]
[B<-quiet>]
[B<-no_tmp_rsa>]
[B<-ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
+[B<-no_ecdhe>]
[B<-bugs>]
+[B<-brief>]
[B<-hack>]
[B<-www>]
[B<-WWW>]
[B<-HTTP>]
[B<-engine id>]
+[B<-tlsextdebug>]
+[B<-no_ticket>]
[B<-id_prefix arg>]
[B<-rand file(s)>]
-
+[B<-serverinfo file>]
+[B<-no_resumption_on_reneg>]
=head1 DESCRIPTION
The B<s_server> command implements a generic SSL/TLS server which listens
=head1 OPTIONS
+In addition to the options below the B<s_server> utility also supports the
+common and server only options documented in the
+L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> manual
+page.
+
=over 4
=item B<-accept port>
the TCP port to listen on for connections. If not specified 4433 is used.
+=item B<-naccept count>
+
+The server will exit after receiving B<number> connections, default unlimited.
+
=item B<-context id>
sets the SSL context id. It can be given any string value. If this option
=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
-addtional certificate and private key format and passphrase respectively.
+additional certificate and private key format and passphrase respectively.
=item B<-nocert>
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
+=item B<-no_ecdhe>
+
+if this option is set then no ECDH parameters will be loaded effectively
+disabling the ephemeral ECDH cipher suites.
+
=item B<-no_tmp_rsa>
certain export cipher suites sometimes use a temporary RSA key, this option
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.
+=item B<-crl_check>, B<-crl_check_all>
+
+Check the peer certificate has not been revoked by its CA.
+The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
+option all CRLs of all CAs in the chain are checked.
+
=item B<-CApath directory>
The directory to use for client certificate verification. This directory
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
+=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
+B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
+B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
+B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
+B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+
+Set different peer certificate verification options.
+See the L<B<verify>|verify(1)> manual page for details.
+
=item B<-state>
prints out the SSL session states.
show all protocol messages with hex dump.
+=item B<-trace>
+
+show verbose trace output of protocol messages. OpenSSL needs to be compiled
+with B<enable-ssl-trace> for this option to work.
+
+=item B<-msgfile>
+
+file to send output of B<-msg> or B<-trace> to, default standard output.
+
=item B<-nbio_test>
tests non blocking I/O
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
+=item B<-brief>
+
+only provide a brief summary of connection parameters instead of the
+normal verbose output.
+
=item B<-hack>
this option enables a further workaround for some some early Netscape
the preference order, the order of the server cipherlist irrelevant. See
the B<ciphers> command for more information.
+=item B<-serverpref>
+
+use the server's cipher preferences, rather than the client's preferences.
+
+=item B<-tlsextdebug>
+
+print out a hex dump of any TLS extensions received from the server.
+
+=item B<-no_ticket>
+
+disable RFC4507bis session ticket support.
+
=item B<-www>
sends a status message back to the client when it connects. This includes
assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF).
+=item B<-rev>
+
+simple test server which just reverses the text received from the client
+and sends it back to the server. Also sets B<-brief>.
+
=item B<-engine id>
-specifying an engine (by it's unique B<id> string) will cause B<s_server>
+specifying an engine (by its unique B<id> string) will cause B<s_server>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
+=item B<-serverinfo file>
+
+a file containing one or more blocks of PEM data. Each PEM block
+must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
+followed by "length" bytes of extension data). If the client sends
+an empty TLS ClientHello extension matching the type, the corresponding
+ServerHello extension will be returned.
+
+=item B<-no_resumption_on_reneg>
+
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
+
=back
=head1 CONNECTED COMMANDS