B<openssl> B<s_client>
[B<-help>]
-[B<-ssl_config> I<file>]
+[B<-ssl_config> I<section>]
[B<-connect> I<host:port>]
[B<-host> I<hostname>]
[B<-port> I<port>]
[B<-verifyCAstore> I<uri>]
[B<-cert> I<filename>]
[B<-certform> B<DER>|B<PEM>]
+[B<-cert_chain> I<filename>]
+[B<-build_chain>]
[B<-CRL> I<filename>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>]
-[B<-cert_chain> I<filename>]
-[B<-build_chain>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pass> I<arg>]
-[B<-chainCApath> I<directory>]
[B<-chainCAfile> I<filename>]
+[B<-chainCApath> I<directory>]
[B<-chainCAstore> I<uri>]
[B<-requestCAfile> I<filename>]
[B<-dane_tlsa_domain> I<domain>]
[B<-dane_tlsa_rrdata> I<rrdata>]
[B<-dane_ee_no_namechecks>]
-[B<-build_chain>]
[B<-reconnect>]
[B<-showcerts>]
[B<-prexit>]
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
[B<-ssl_client_engine> I<id>]
{- $OpenSSL::safe::opt_v_synopsis -}
Print out a usage message.
-=item B<-ssl_config> I<filename>
+=item B<-ssl_config> I<section>
-Use the specified configuration file.
+Use the specified section of the configuration file to configure the B<SSL_CTX> object.
=item B<-connect> I<host>:I<port>
=item B<-cert> I<certname>
-The certificate to use, if one is requested by the server. The default is
-not to use a certificate.
+The client certificate to use, if one is requested by the server.
+The default is not to use a certificate.
-=item B<-certform> I<format>
+The chain for the client certificate may be specified using B<-cert_chain>.
+
+=item B<-certform> B<DER>|B<PEM>
+
+The client certificate file format to use; the default is B<PEM>.
+see L<openssl(1)/Format Options>.
+
+=item B<-cert_chain>
+
+A file containing untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the B<-cert> option.
+
+=item B<-build_chain>
-The certificate format to use: DER or PEM. PEM is the default.
+Specify whether the application should build the client certificate chain to be
+provided to the server.
=item B<-CRL> I<filename>
=item B<-CRLform> B<DER>|B<PEM>
-The CRL format; the default is B<PEM>.
+The CRL file format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-crl_download>
=item B<-key> I<keyfile>
-The private key to use. If not specified then the certificate file will
-be used.
+The client private key file to use.
+If not specified then the certificate file will be used to read also the key.
-=item B<-keyform> I<format>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
-=item B<-cert_chain>
-
-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-B<-cert> option.
-
-=item B<-build_chain>
-
-Specify whether the application should build the certificate chain to be
-provided to the server.
-
=item B<-pass> I<arg>
the private key password source. For more information about the format of I<arg>
=item B<-verifyCAfile> I<filename>
-CA file for verifying the server's certificate, in PEM format.
+A file in PEM format containing trusted certificates to use
+for verifying the server's certificate.
=item B<-verifyCApath> I<dir>
-Use the specified directory as a certificate store path to verify
-the server's CA certificate.
+A directory containing trusted certificates to use
+for verifying the server's certificate.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
=item B<-verifyCAstore> I<uri>
-Use the specified URI as a store URI to verify the server's certificate.
-
+The URI of a store containing trusted certificates to use
+for verifying the server's certificate.
-=item B<-chainCApath> I<directory>
+=item B<-chainCAfile> I<file>
-The directory to use for building the chain provided to the server. This
-directory must be in "hash format", see L<openssl-verify(1)> for more
-information.
+A file in PEM format containing trusted certificates to use
+when attempting to build the client certificate chain.
-=item B<-chainCAfile> I<file>
+=item B<-chainCApath> I<directory>
-A file containing trusted certificates to use when attempting to build the
-client certificate chain.
+A directory containing trusted certificates to use
+for building the client certificate chain provided to the server.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
=item B<-chainCAstore> I<uri>
-The URI to use when attempting to build the client certificate chain.
+The URI of a store containing trusted certificates to use
+when attempting to build the client certificate chain.
+The URI may indicate a single certificate, as well as a collection of them.
+With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
+B<-chainCApath>, depending on if the URI indicates a directory or a
+single file.
+See L<ossl_store-file(7)> for more information on the C<file:> scheme.
=item B<-requestCAfile> I<file>
Use one or more times to specify the RRDATA fields of the DANE TLSA
RRset associated with the target service. The I<rrdata> value is
-specied in "presentation form", that is four whitespace separated
+specified in "presentation form", that is four whitespace separated
fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
whitespace is ignored in the associated data field. For example:
{- $OpenSSL::safe::opt_r_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
{- $OpenSSL::safe::opt_engine_item -}
=item B<-ssl_client_engine> I<id>
If a certificate is specified on the command line using the B<-cert>
option it will not be used unless the server specifically requests
-a client certificate. Therefor merely including a client certificate
+a client certificate. Therefore merely including a client certificate
on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy