[B<-verify> I<int>]
[B<-Verify> I<int>]
[B<-cert> I<infile>]
-[B<-naccept> I<+int>]
+[B<-cert2> I<infile>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
+[B<-cert_chain> I<infile>]
+[B<-build_chain>]
[B<-serverinfo> I<val>]
-[B<-certform> B<DER>|B<PEM>]
[B<-key> I<infile>]
-[B<-keyform> B<DER>|B<PEM>]
+[B<-key2> I<infile>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
-[B<-dcertform> B<DER>|B<PEM>]
+[B<-dcertform> B<DER>|B<PEM>|B<P12>]
+[B<-dcert_chain> I<infile>]
[B<-dkey> I<infile>]
-[B<-dkeyform> B<DER>|B<PEM>]
+[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
[B<-no_resume_ephemeral>]
[B<-www>]
[B<-WWW>]
+[B<-http_server_binmode>]
+[B<-no_ca_names>]
[B<-servername>]
[B<-servername_fatal>]
-[B<-cert2> I<infile>]
-[B<-key2> I<infile>]
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix> I<val>]
[B<-keymatexport> I<val>]
[B<-keymatexportlen> I<+int>]
-[B<-CRLform> B<DER>|B<PEM>]
[B<-CRL> I<infile>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
-[B<-cert_chain> I<infile>]
-[B<-dcert_chain> I<infile>]
+[B<-chainCAfile> I<infile>]
[B<-chainCApath> I<dir>]
-[B<-verifyCApath> I<dir>]
[B<-chainCAstore> I<uri>]
+[B<-verifyCAfile> I<infile>]
+[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
[B<-no_cache>]
[B<-ext_cache>]
[B<-verify_return_error>]
[B<-verify_quiet>]
-[B<-build_chain>]
-[B<-chainCAfile> I<infile>]
-[B<-verifyCAfile> I<infile>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-status>]
[B<-max_send_frag> I<+int>]
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
+[B<-naccept> I<+int>]
[B<-read_buf> I<+int>]
[B<-bugs>]
[B<-no_comp>]
[B<-comp>]
[B<-no_ticket>]
-[B<-num_tickets>]
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
[B<-nextprotoneg> I<val>]
[B<-use_srtp> I<val>]
[B<-alpn> I<val>]
+[B<-sendfile>]
[B<-keylogfile> I<outfile>]
-[B<-max_early_data> I<int>]
[B<-recv_max_early_data> I<int>]
+[B<-max_early_data> I<int>]
[B<-early_data>]
[B<-stateless>]
[B<-anti_replay>]
[B<-no_anti_replay>]
-[B<-http_server_binmode>]
+[B<-num_tickets>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine
=for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls mtu dtls1 dtls1_2
+=for openssl ifdef sendfile
+
=head1 DESCRIPTION
This command implements a generic SSL/TLS server which
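Review bot: The synopsis entries for -certform, -dcertform, -keyform and -dkeyform gain new values (P12, and ENGINE for the key forms), while the DESCRIPTION and HISTORY text added by this same patch says -certform and -dcertform have no effect and that only ENGINE matters for the key forms. Advertising P12 for an option that is ignored invites users to believe it selects the input format. Consider leaving the value lists as they were, or flagging these entries as obsolete where they appear in the synopsis.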
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename F<server.pem> will be used.
+=item B<-certform> B<DER>|B<PEM>|B<P12>
+
+The server certificate file format.
+This option has no effect and is retained for backward compatibility only.
+
=item B<-cert_chain>
-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-B<-cert> option.
+A file containing untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the B<-cert> option.
=item B<-build_chain>
-Specify whether the application should build the certificate chain to be
+Specify whether the application should build the server certificate chain to be
provided to the client.
-=item B<-naccept> I<+int>
-
-The server will exit after receiving the specified number of connections,
-default unlimited.
-
=item B<-serverinfo> I<val>
A file containing one or more blocks of PEM data. Each PEM block
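Review bot: In the -cert_chain item the wording changes from "trusted certificates" to "untrusted certificates", which changes the documented trust semantics, but the text does not say where the trust anchors for chain building come from. Add a pointer to -chainCAfile, -chainCApath and -chainCAstore, which this patch describes as holding the trusted certificates for building the server chain. The heading "=item B<-cert_chain>" also still lacks the I<infile> argument shown in the synopsis.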
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
-=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM>
-
-The certificate and CRL format; the default is PEM.
-See L<openssl(1)/Format Options> for details.
-
=item B<-key> I<infile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<val>
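Review bot: In the -keyform item, the kept sentence "The key format; the default is B<PEM>." now sits directly above the added "The only value with effect is B<ENGINE>; all others have become obsolete.", so the page names a default that it then says does nothing. Reword to say what happens when the option is omitted or given a value other than ENGINE. The same pairing is added for -dkeyform further down.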
=item B<-dcert_chain>
-A file containing trusted certificates to use when attempting to build the
+A file containing untrusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>
+=item B<-dcertform> B<DER>|B<PEM>|B<P12>
+
+The format of the additional certificate file.
+This option has no effect and is retained for backward compatibility only.
+
+=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
-The format of the certificate and private key; the default is B<PEM>
-see L<openssl(1)/Format Options>.
+The format of the additional private key; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options>.
=item B<-dpass> I<val>
Prints the SSL session states.
-=item B<-chainCApath> I<dir>
+=item B<-CRL> I<infile>
+
+The CRL file to use.
+
+=item B<-CRLform> B<DER>|B<PEM>
+
+The CRL file format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-crl_download>
+
+Download CRLs from distribution points given in CDP extensions of certificates
+
+=item B<-verifyCAfile> I<filename>
+
+A file in PEM format CA containing trusted certificates to use
+for verifying client certificates.
+
+=item B<-verifyCApath> I<dir>
-The directory to use for building the chain provided to the client. This
-directory must be in "hash format", see L<openssl-verify(1)> for more
-information.
+A directory containing trusted certificates to use
+for verifying client certificates.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
+
+=item B<-verifyCAstore> I<uri>
+
+The URI of a store containing trusted certificates to use
+for verifying client certificates.
=item B<-chainCAfile> I<file>
-A file containing trusted certificates to use when attempting to build the
-server certificate chain.
+A file in PEM format containing trusted certificates to use
+when attempting to build the server certificate chain.
+
+=item B<-chainCApath> I<dir>
+
+A directory containing trusted certificates to use
+for building the server certificate chain provided to the client.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
=item B<-chainCAstore> I<uri>
-The URI to a store to use for building the chain provided to the client.
-The URI may indicate a single certificate, as well as a collection of
-them.
+The URI of a store containing trusted certificates to use
+for building the server certificate chain provided to the client.
+The URI may indicate a single certificate, as well as a collection of them.
With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
B<-chainCApath>, depending on if the URI indicates a directory or a
single file.
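Review bot: The added -verifyCAfile text reads "A file in PEM format CA containing trusted certificates", where "CA" is stray; the parallel -chainCAfile item has "A file in PEM format containing trusted certificates" and the two should match. In the same hunk, the -crl_download description is missing its final period, and the argument placeholder is I<filename> for -verifyCAfile and I<file> for -chainCAfile while the synopsis uses I<infile> for both.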
information like the B<-www> option.
Neither of these options can be used in conjunction with B<-early_data>.
+=item B<-http_server_binmode>
+
+When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
+by the client in binary mode.
+
+=item B<-no_ca_names>
+
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
+extension is larger than 1024 bytes.
+
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
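Review bot: The -no_ca_names item says "You may want to disable it for security reasons" without naming the reason, which gives an operator nothing to base the decision on. State the concern (for example, that the list discloses which CAs the server accepts for client certificates, if that is what is meant) or drop the phrase and keep only the concrete Windows compatibility case.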
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
+=item B<-naccept> I<+int>
+
+The server will exit after receiving the specified number of connections,
+default unlimited.
+
=item B<-read_buf> I<+int>
The default read buffer size to be used for connections. This will only have an
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+=item B<-sendfile>
+
+If this option is set and KTLS is enabled, SSL_sendfile() will be used
+instead of BIO_write() to send the HTTP response requested by a client.
+This option is only valid if B<-WWW> or B<-HTTP> is specified.
+
=item B<-keylogfile> I<outfile>
Appends TLS secrets to the specified keylog file such that external programs
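Review bot: The -sendfile item covers only the case "If this option is set and KTLS is enabled" and does not say what happens when KTLS is not enabled, nor whether giving the option without -WWW or -HTTP is an error or is silently ignored. Document both outcomes, and mark up the function names as L<SSL_sendfile(3)> and L<BIO_write(3)>, as the nearby L<SSL_CTX_set_max_pipelines(3)> reference does.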
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.
-=item B<-http_server_binmode>
-
-When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
-by the client in binary mode.
-
{- $OpenSSL::safe::opt_name_item -}
{- $OpenSSL::safe::opt_version_item -}
+{- $OpenSSL::safe::opt_s_item -}
+
{- $OpenSSL::safe::opt_x_item -}
{- $OpenSSL::safe::opt_trust_item -}
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_provider_item -}
+
{- $OpenSSL::safe::opt_v_item -}
If the server requests a client certificate, then
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
+All B<-keyform> and B<-dkeyform> values except B<ENGINE>
+have become obsolete in OpenSSL 3.0.0 and have no effect.
+
+The B<-certform> and B<-dcertform> options have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
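Review bot: In the HISTORY lines, the context line "The" is kept while its continuation "allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1." is removed, so as written the result reads "The" followed by "All B<-keyform> and B<-dkeyform> values ..." and the 1.1.1 entry for those two options is lost. Keep that sentence (ideally with the option names in B<> markup) and add the new 3.0.0 paragraphs after it.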