X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=doc%2Fapps%2Fs_client.pod;h=04982e64141753858feaae31aaf780da6760f966;hb=035014cd22c502bca93c73e6475da73ee31f1078;hp=e5fe26b19010d82055cb34e0145f16ea181abf00;hpb=fc1d88f02f45812fb1515bf83aa8f7eaadf4d0f5;p=openssl.git diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index e5fe26b190..04982e6414 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -9,6 +9,7 @@ s_client - SSL/TLS client program B B [B<-connect host:port>] +[B<-proxy host:port>] [B<-servername name>] [B<-verify depth>] [B<-verify_return_error>] @@ -19,7 +20,6 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] -[B<-trusted_first>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crl_check>] @@ -39,6 +39,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_email email>] @@ -58,12 +59,13 @@ B B [B<-ign_eof>] [B<-no_ign_eof>] [B<-quiet>] -[B<-ssl2>] [B<-ssl3>] [B<-tls1>] -[B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] +[B<-no_tls1_1>] +[B<-no_tls1_2>] +[B<-fallback_scsv>] [B<-bugs>] [B<-cipher cipherlist>] [B<-serverpref>] @@ -76,8 +78,8 @@ B B [B<-sess_in filename>] [B<-rand file(s)>] [B<-serverinfo types>] -[B<-auth>] -[B<-auth_require_reneg>] +[B<-status>] +[B<-nextprotoneg protocols>] =head1 DESCRIPTION @@ -99,6 +101,12 @@ manual page. This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433. +=item B<-proxy host:port> + +When used with the B<-connect> flag, the program uses the host and port +specified with this flag and issues an HTTP CONNECT command to connect +to the desired server. + =item B<-servername name> Set the TLS SNI (Server Name Indication) extension in the ClientHello message. @@ -124,7 +132,7 @@ The private format to use: DER or PEM. PEM is the default. =item B<-pass arg> the private key password source. For more information about the format of B -see the B section in L. +see the B section in L. =item B<-verify depth> @@ -154,12 +162,12 @@ and to use when attempting to build the client certificate chain. B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> -Set various certificate chain valiadition options. See the -L|verify(1)> manual page for details. +Set various certificate chain validation options. See the +L manual page for details. =item B<-reconnect> @@ -245,16 +253,19 @@ Use the PSK key B when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> +=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +servers and permit them to use SSL v3 or TLS as appropriate. -Unfortunately there are a lot of ancient and broken servers in use which +Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if TLS is turned off with the B<-no_tls> option others will only -support SSL v2 and may need the B<-ssl2> option. +work if TLS is turned off. + +=item B<-fallback_scsv> + +Send TLS_FALLBACK_SCSV in the ClientHello. =item B<-bugs> @@ -273,20 +284,17 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. -=item B<-serverpref> - -use the server's cipher preferences; only used for SSLV2. - =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. B is a keyword for the intended protocol. Currently, the only -supported keywords are "smtp", "pop3", "imap", "ftp" and "xmpp". +supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", +and "xmpp-server". =item B<-xmpphost hostname> -This option, when used with "-starttls xmpp", specifies the host for the -"to" attribute of the stream element. +This option, when used with "-starttls xmpp" or "-starttls xmpp-server", +specifies the host for the "to" attribute of the stream element. If this option is not specified, then the host specified with "-connect" will be used. @@ -317,7 +325,7 @@ for all available algorithms. =item B<-rand file(s)> a file or files containing random data used to seed the random number -generator, or an EGD socket (see L). +generator, or an EGD socket (see L). Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. @@ -329,14 +337,21 @@ a list of comma-separated TLS Extension Types (numbers between 0 and The server's response (if any) will be encoded and displayed as a PEM file. -=item B<-auth> +=item B<-status> -send RFC 5878 client and server authorization extensions in the Client Hello as well as -supplemental data if the server also sent the authorization extensions in the Server Hello. +sends a certificate status request to the server (OCSP stapling). The server +response (if any) is printed out. -=item B<-auth_require_reneg> +=item B<-nextprotoneg protocols> -only send RFC 5878 client and server authorization extensions during renegotiation. +enable Next Protocol Negotiation TLS extension and provide a list of +comma-separated protocol names that the client should advertise +support for. The list should contain most wanted protocols first. +Protocol names are printable ASCII strings, for example "http/1.1" or +"spdy/3". +Empty list of protocols is treated specially and will cause the client to +advertise support for the TLS extension but disconnect just after +receiving ServerHello with a list of server supported protocols. =back @@ -360,8 +375,8 @@ would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried +nothing obvious like no client certificate then the B<-bugs>, +B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these options B submitting a bug report to an OpenSSL mailing list. @@ -383,10 +398,6 @@ on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. -Since the SSLv23 client hello cannot include compression methods or extensions -these will only be supported if its use is disabled, for example by using the -B<-no_sslv2> option. - The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test @@ -406,6 +417,10 @@ information whenever a session is renegotiated. =head1 SEE ALSO -L, L, L +L, L, L + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. =cut