X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fs_client.pod;h=8f64f49dd02d619d01c94abc47e2badf202b85e7;hp=32476acfc365a541f3b52a34b0a00fe34f145cff;hb=7efd0e777e65eaa6c60d85b1cc5c889f872f8fc4;hpb=13cfb043439c8e4b5b96cec42003a8d15e9387fd diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 32476acfc3..8f64f49dd0 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -9,7 +9,9 @@ s_client - SSL/TLS client program B B [B<-connect host:port>] +[B<-servername name>] [B<-verify depth>] +[B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] @@ -17,6 +19,33 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] +[B<-attime timestamp>] +[B<-check_ss_sig>] +[B<-crl_check>] +[B<-crl_check_all>] +[B<-explicit_policy>] +[B<-extended_crl>] +[B<-ignore_critical>] +[B<-inhibit_any>] +[B<-inhibit_map>] +[B<-issuer_checks>] +[B<-partial_chain>] +[B<-policy arg>] +[B<-policy_check>] +[B<-policy_print>] +[B<-purpose purpose>] +[B<-suiteB_128>] +[B<-suiteB_128_only>] +[B<-suiteB_192>] +[B<-trusted_first>] +[B<-use_deltas>] +[B<-verify_depth num>] +[B<-verify_email email>] +[B<-verify_hostname hostname>] +[B<-verify_ip ip>] +[B<-verify_name name>] +[B<-x509_strict>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -27,6 +56,7 @@ B B [B<-nbio>] [B<-crlf>] [B<-ign_eof>] +[B<-no_ign_eof>] [B<-quiet>] [B<-ssl2>] [B<-ssl3>] @@ -36,13 +66,18 @@ B B [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-serverpref>] [B<-starttls protocol>] +[B<-xmpphost hostname>] [B<-engine id>] [B<-tlsextdebug>] [B<-no_ticket>] [B<-sess_out filename>] [B<-sess_in filename>] [B<-rand file(s)>] +[B<-serverinfo types>] +[B<-status>] +[B<-nextprotoneg protocols>] =head1 DESCRIPTION @@ -64,6 +99,10 @@ manual page. This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433. +=item B<-servername name> + +Set the TLS SNI (Server Name Indication) extension in the ClientHello message. + =item B<-cert certname> The certificate to use, if one is requested by the server. The default is @@ -95,6 +134,11 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +=item B<-verify_return_error> + +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. + =item B<-CApath directory> The directory to use for server certificate verification. This directory @@ -106,9 +150,15 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, +B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, +B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, B<-x509_strict> -Set various certificate chain valiadition option. See the +Set various certificate chain valiadition options. See the L|verify(1)> manual page for details. =item B<-reconnect> @@ -180,6 +230,11 @@ input. inhibit printing of session and certificate information. This implicitly turns on B<-ign_eof> as well. +=item B<-no_ign_eof> + +shut down the connection when end of file is reached in the input. +Can be used to override the implicit B<-ign_eof> after B<-quiet>. + =item B<-psk_identity identity> Use the PSK identity B when using a PSK cipher suite. @@ -218,11 +273,22 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. +=item B<-serverpref> + +use the server's cipher preferences; only used for SSLV2. + =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. B is a keyword for the intended protocol. Currently, the only -supported keywords are "smtp", "pop3", "imap", and "ftp". +supported keywords are "smtp", "pop3", "imap", "ftp" and "xmpp". + +=item B<-xmpphost hostname> + +This option, when used with "-starttls xmpp", specifies the host for the +"to" attribute of the stream element. +If this option is not specified, then the host specified with "-connect" +will be used. =item B<-tlsextdebug> @@ -256,6 +322,29 @@ Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-serverinfo types> + +a list of comma-separated TLS Extension Types (numbers between 0 and +65535). Each type will be sent as an empty ClientHello TLS Extension. +The server's response (if any) will be encoded and displayed as a PEM +file. + +=item B<-status> + +sends a certificate status request to the server (OCSP stapling). The server +response (if any) is printed out. + +=item B<-nextprotoneg protocols> + +enable Next Protocol Negotiation TLS extension and provide a list of +comma-separated protocol names that the client should advertise +support for. The list should contain most wanted protocols first. +Protocol names are printable ASCII strings, for example "http/1.1" or +"spdy/3". +Empty list of protocols is treated specially and will cause the client to +advertise support for the TLS extension but disconnect just after +reciving ServerHello with a list of server supported protocols. + =back =head1 CONNECTED COMMANDS @@ -305,6 +394,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its use is disabled, for example by using the B<-no_sslv2> option. +The B utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should B do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the B<-verify_return_error> +option: any verify errors are then returned aborting the handshake. + =head1 BUGS Because this program has a lot of options and also because some of @@ -312,9 +408,6 @@ the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. -The B<-verify> option should really exit if the server verification -fails. - The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated.