[B<-4>]
[B<-6>]
[B<-servername name>]
+[B<-noservername>]
[B<-verify depth>]
[B<-verify_return_error>]
[B<-cert filename>]
[B<-dtls>]
[B<-dtls1>]
[B<-dtls1_2>]
+[B<-sctp>]
[B<-fallback_scsv>]
[B<-async>]
+[B<-max_send_frag>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
[B<-bugs>]
[B<-comp>]
[B<-no_comp>]
+[B<-allow_no_dhe_kex>]
[B<-sigalgs sigalglist>]
[B<-curves curvelist>]
[B<-cipher cipherlist>]
[B<-no_ticket>]
[B<-sess_out filename>]
[B<-sess_in filename>]
-[B<-rand file(s)>]
+[B<-rand file...>]
+[B<-writerand file>]
[B<-serverinfo types>]
[B<-status>]
[B<-alpn protocols>]
[B<-nextprotoneg protocols>]
-[B<-ct|noct>]
+[B<-ct>]
+[B<-noct>]
[B<-ctlogfile>]
[B<-keylogfile file>]
[B<-early_data file>]
+[B<target>]
=head1 DESCRIPTION
=item B<-connect host:port>
-This specifies the host and optional port to connect to. If not specified
-then an attempt is made to connect to the local host on port 4433.
+This specifies the host and optional port to connect to. It is possible to
+select the host and port using the optional target positional argument instead.
+If neither this nor the target positonal argument are specified then an attempt
+is made to connect to the local host on port 4433.
=item B<-proxy host:port>
=item B<-servername name>
-Set the TLS SNI (Server Name Indication) extension in the ClientHello message.
+Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
+the given value. If both this option and the B<-noservername> are not given, the
+TLS SNI extension is still set to the hostname provided to the B<-connect> option,
+or "localhost" if B<-connect> has not been supplied. This is default since OpenSSL
+1.1.1.
+
+Even though SNI name should normally be a DNS name and not an IP address, this
+option will not make the distinction when parsing B<-connect> and will send
+IP address if one passed.
+
+=item B<-noservername>
+
+Suppresses sending of the SNI (Server Name Indication) extension in the
+ClientHello message. Cannot be used in conjunction with the B<-servername> or
+<-dane_tlsa_domain> options.
=item B<-cert certname>
=item B<-psk_identity identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
+The default value is "Client_identity" (without the quotes).
=item B<-psk key>
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
+This option must be provided in order to use a PSK cipher.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
respectively.
+=item B<-sctp>
+
+Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
+conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
+available where OpenSSL has support for SCTP enabled.
+
=item B<-fallback_scsv>
Send TLS_FALLBACK_SCSV in the ClientHello.
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
+=item B<-max_send_frag int>
+
+The maximum size of data fragment to send.
+See L<SSL_CTX_set_max_send_fragment(3)> for further information.
+
=item B<-split_send_frag int>
The size used to split data for encrypt pipelines. If more data is written in
Send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
-"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
+"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
=item B<-xmpphost hostname>
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-rand file(s)>
+=item B<-rand file...>
A file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)>).
+generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
+=item [B<-writerand file>]
+
+Writes random data to the specified I<file> upon exit.
+This can be used with a subsequent B<-rand> flag.
+
=item B<-serverinfo types>
A list of comma-separated TLS Extension Types (numbers between 0 and
An empty list of protocols is treated specially and will cause the
client to advertise support for the TLS extension but disconnect just
after receiving ServerHello with a list of server supported protocols.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
-=item B<-ct|noct>
+=item B<-ct>, B<-noct>
Use one of these two options to control whether Certificate Transparency (CT)
is enabled (B<-ct>) or disabled (B<-noct>).
to the server. This will only work with resumed sessions that support early
data and when the server accepts the early data.
+=item B<[target]>
+
+Rather than providing B<-connect>, the target hostname and optional port may
+be provided as a single positional argument after all options. If neither this
+nor B<-connect> are provided, falls back to attempting to connect to localhost
+on port 4433.
+
=back
=head1 CONNECTED COMMANDS
=head1 SEE ALSO
-L<SSL_CONF_cmd(3)>,
-L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>
+L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>,
+L<SSL_CTX_set_max_send_fragment(3)>, L<SSL_CTX_set_split_send_fragment(3)>
+L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY