=head1 SYNOPSIS
B<openssl> B<s_client>
-[B<-connect> host:port>]
+[B<-connect host:port>]
[B<-verify depth>]
[B<-cert filename>]
+[B<-certform DER|PEM>]
[B<-key filename>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
[B<-CApath directory>]
[B<-CAfile filename>]
[B<-reconnect>]
[B<-pause>]
[B<-showcerts>]
[B<-debug>]
+[B<-msg>]
[B<-nbio_test>]
[B<-state>]
[B<-nbio>]
[B<-crlf>]
+[B<-ign_eof>]
[B<-quiet>]
[B<-ssl2>]
[B<-ssl3>]
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
+[B<-starttls protocol>]
+[B<-engine id>]
+[B<-tlsextdebug>]
+[B<-no_ticket>]
+[B<-sess_out filename>]
+[B<-sess_in filename>]
+[B<-rand file(s)>]
=head1 DESCRIPTION
=head1 OPTIONS
+In addition to the options below the B<s_client> utility also supports the
+common and client only options documented in the
+B<SUPPORTED COMMAND LINE OPTIONS> section in L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>.
+
=over 4
=item B<-connect host:port>
The certificate to use, if one is requested by the server. The default is
not to use a certificate.
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
=item B<-key keyfile>
The private key to use. If not specified then the certificate file will
be used.
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
=item B<-verify depth>
The verify depth to use. This specifies the maximum length of the
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+
+Set various certificate chain valiadition option. See the
+L<B<verify>|verify(1)> manual page for details.
+
=item B<-reconnect>
reconnects to the same server 5 times using the same session ID, this can
print extensive debugging information including a hex dump of all traffic.
+=item B<-msg>
+
+show all protocol messages with hex dump.
+
+=item B<-trace>
+
+show verbose trace output of protocol messages. OpenSSL needs to be compiled
+with B<enable-ssl-trace> for this option to work.
+
+=item B<-msgfile>
+
+file to send output of B<-msg> or B<-trace> to, default standard output.
+
=item B<-nbio_test>
-tests non blocking I/O
+tests non-blocking I/O
=item B<-nbio>
-turns on non blocking I/O
+turns on non-blocking I/O
=item B<-crlf>
this option translated a line feed from the terminal into CR+LF as required
by some servers.
+=item B<-ign_eof>
+
+inhibit shutting down the connection when end of file is reached in the
+input.
+
=item B<-quiet>
-inhibit printing of session and certificate information.
+inhibit printing of session and certificate information. This implicitly
+turns on B<-ign_eof> as well.
+
+=item B<-psk_identity identity>
+
+Use the PSK identity B<identity> when using a PSK cipher suite.
+
+=item B<-psk key>
+
+Use the PSK key B<key> when using a PSK cipher suite. The key is
+given as a hexadecimal number without leading 0x, for example -psk
+1a2b3c4d.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
+=item B<-brief>
+
+only provide a brief summary of connection parameters instead of the
+normal verbose output.
+
=item B<-cipher cipherlist>
this allows the cipher list sent by the client to be modified. Although
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
+=item B<-starttls protocol>
+
+send the protocol-specific message(s) to switch to TLS for communication.
+B<protocol> is a keyword for the intended protocol. Currently, the only
+supported keywords are "smtp", "pop3", "imap", and "ftp".
+
+=item B<-tlsextdebug>
+
+print out a hex dump of any TLS extensions received from the server.
+
+=item B<-no_ticket>
+
+disable RFC4507bis session ticket support.
+
+=item B<-sess_out filename>
+
+output SSL session to B<filename>
+
+=item B<-sess_in sess.pem>
+
+load SSL session from B<filename>. The client will attempt to resume a
+connection from this session.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B<id> string) will cause B<s_client>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
=back
=head1 CONNECTED COMMANDS
If a connection is established with an SSL server then any data received
from the server is displayed and any key presses will be sent to the
-server. If the line begins with an B<R> then the session will be
-renegotiated. If the line begins with a B<Q> the connection will be closed
-down.
+server. When used interactively (which means neither B<-quiet> nor B<-ign_eof>
+have been given), the session will be renegotiated if the line begins with an
+B<R>, and if the line begins with a B<Q> or if end of file is reached, the
+connection will be closed down.
=head1 NOTES
If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried
+B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
requests a certificate. By using B<s_client> the CA list can be viewed
and checked. However some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
-is necessary to use the B<-prexit> command and send an HTTP request
+is necessary to use the B<-prexit> option and send an HTTP request
for an appropriate page.
If a certificate is specified on the command line using the B<-cert>
If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain.
+Since the SSLv23 client hello cannot include compression methods or extensions
+these will only be supported if its use is disabled, for example by using the
+B<-no_sslv2> option.
+
=head1 BUGS
Because this program has a lot of options and also because some of
=head1 SEE ALSO
-sess_id(1), s_server(1), ciphers(1)
+L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
=cut