X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fs_client.pod;h=12a6ef7cf8485e1f11d269a4a04f68aa2c3e0b81;hp=2057dc86e0e0f8049d742e39ba25177d5d6bd22e;hb=593e9c638c58e1a510c519db0d024527113330f3;hpb=fb0e87fb67a358b40a1d56d2df3a611a09899780 diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 2057dc86e0..12a6ef7cf8 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -9,6 +9,7 @@ s_client - SSL/TLS client program B B [B<-connect host:port>] +[B<-proxy host:port>] [B<-servername name>] [B<-verify depth>] [B<-verify_return_error>] @@ -19,7 +20,6 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] -[B<-trusted_first>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crl_check>] @@ -39,6 +39,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_email email>] @@ -58,10 +59,8 @@ B B [B<-ign_eof>] [B<-no_ign_eof>] [B<-quiet>] -[B<-ssl2>] [B<-ssl3>] [B<-tls1>] -[B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] [B<-no_tls1_1>] @@ -102,6 +101,12 @@ manual page. This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433. +=item B<-proxy host:port> + +When used with the B<-connect> flag, the program uses the host and port +specified with this flag and issues an HTTP CONNECT command to connect +to the desired server. + =item B<-servername name> Set the TLS SNI (Server Name Indication) extension in the ClientHello message. @@ -157,11 +162,11 @@ and to use when attempting to build the client certificate chain. B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> -Set various certificate chain valiadition options. See the +Set various certificate chain validation options. See the L|verify(1)> manual page for details. =item B<-reconnect> @@ -248,11 +253,11 @@ Use the PSK key B when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +servers and permit them to use SSL v3 or TLS as appropriate. Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only @@ -279,10 +284,6 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. -=item B<-serverpref> - -use the server's cipher preferences; only used for SSLV2. - =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. @@ -349,7 +350,7 @@ Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". Empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after -reciving ServerHello with a list of server supported protocols. +receiving ServerHello with a list of server supported protocols. =back @@ -373,8 +374,8 @@ would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried +nothing obvious like no client certificate then the B<-bugs>, +B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these options B submitting a bug report to an OpenSSL mailing list. @@ -396,10 +397,6 @@ on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. -Since the SSLv23 client hello cannot include compression methods or extensions -these will only be supported if its use is disabled, for example by using the -B<-no_sslv2> option. - The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test @@ -421,4 +418,8 @@ information whenever a session is renegotiated. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + =cut