ClientHello message. Cannot be used in conjunction with the B<-servername> or
<-dane_tlsa_domain> options.
-=item B<-cert> I<certname>
+=item B<-cert> I<filename>
The client certificate to use, if one is requested by the server.
The default is not to use a certificate.
=item B<-cert_chain>
-A file containing untrusted certificates to use when attempting to build the
+A file or URI of untrusted certificates to use when attempting to build the
certificate chain related to the certificate specified via the B<-cert> option.
+The input can be in PEM, DER, or PKCS#12 format.
=item B<-build_chain>
=item B<-pass> I<arg>
-the private key password source. For more information about the format of I<arg>
+the private key and certifiate file password source.
+For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<depth>
=item B<-nbio_test>
-Tests non-blocking I/O
+Tests nonblocking I/O
=item B<-nbio>
-Turns on non-blocking I/O
+Turns on nonblocking I/O
=item B<-crlf>
This command is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
-accept any certificate chain (trusted or not) sent by the peer. None test
+accept any certificate chain (trusted or not) sent by the peer. Non-test
applications should B<not> do this as it makes them vulnerable to a MITM
attack. This behaviour can be changed by with the B<-verify_return_error>
option: any verify errors are then returned aborting the handshake.
All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
and have no effect.
+The B<-engine> option was deprecated in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.