[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
[B<-cert> I<filename>]
-[B<-certform> B<DER>|B<PEM>]
+[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<filename>]
[B<-build_chain>]
[B<-CRL> I<filename>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-key> I<filename>]
-[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<arg>]
[B<-chainCAfile> I<filename>]
[B<-chainCApath> I<directory>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
+[B<-ignore_unexpected_eof>]
[B<-bugs>]
[B<-comp>]
[B<-no_comp>]
with the specified proxy using basic (base64) authentication.
NB: Basic authentication is insecure; the credentials are sent to the proxy
in easily reversible base64 encoding before any TLS/SSL session is established.
-Therefore these credentials are easily recovered by anyone able to sniff/trace
+Therefore, these credentials are easily recovered by anyone able to sniff/trace
the network. Use with caution.
=item B<-proxy_pass> I<arg>
ClientHello message. Cannot be used in conjunction with the B<-servername> or
<-dane_tlsa_domain> options.
-=item B<-cert> I<certname>
+=item B<-cert> I<filename>
The client certificate to use, if one is requested by the server.
The default is not to use a certificate.
The chain for the client certificate may be specified using B<-cert_chain>.
-=item B<-certform> B<DER>|B<PEM>
+=item B<-certform> B<DER>|B<PEM>|B<P12>
The client certificate file format to use; the default is B<PEM>.
-see L<openssl(1)/Format Options>.
+This option has no effect and is retained for backward compatibility only.
=item B<-cert_chain>
-A file containing untrusted certificates to use when attempting to build the
+A file or URI of untrusted certificates to use when attempting to build the
certificate chain related to the certificate specified via the B<-cert> option.
+The input can be in PEM, DER, or PKCS#12 format.
=item B<-build_chain>
The client private key file to use.
If not specified then the certificate file will be used to read also the key.
-=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key format; the default is B<PEM>.
+The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl(1)/Format Options> for details.
=item B<-pass> I<arg>
-the private key password source. For more information about the format of I<arg>
+the private key and certifiate file password source.
+For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<depth>
=item B<-nbio_test>
-Tests non-blocking I/O
+Tests nonblocking I/O
=item B<-nbio>
-Turns on non-blocking I/O
+Turns on nonblocking I/O
=item B<-crlf>
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).
+=item B<-ignore_unexpected_eof>
+
+Some TLS implementations do not send the mandatory close_notify alert on
+shutdown. If the application tries to wait for the close_notify alert but the
+peer closes the connection without sending it, an error is generated. When this
+option is enabled the peer does not need to send the close_notify alert and a
+closed connection will be treated as if the close_notify alert was received.
+For more information on shutting down a connection, see L<SSL_shutdown(3)>.
+
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
list to choose from. This is normally because the server is not sending
the clients certificate authority in its "acceptable CA list" when it
requests a certificate. By using this command, the CA list can be viewed
-and checked. However some servers only request client authentication
+and checked. However, some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
is necessary to use the B<-prexit> option and send an HTTP request
for an appropriate page.
If a certificate is specified on the command line using the B<-cert>
option it will not be used unless the server specifically requests
-a client certificate. Therefore merely including a client certificate
+a client certificate. Therefore, merely including a client certificate
on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
This command is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
-accept any certificate chain (trusted or not) sent by the peer. None test
+accept any certificate chain (trusted or not) sent by the peer. Non-test
applications should B<not> do this as it makes them vulnerable to a MITM
attack. This behaviour can be changed by with the B<-verify_return_error>
option: any verify errors are then returned aborting the handshake.
The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
The B<-name> option was added in OpenSSL 1.1.1.
+The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
+
+All B<-keyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0
+and have no effect.
+
+The B<-engine> option was deprecated in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.