SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation

[openssl.git] / doc / man1 / openssl-s_server.pod.in

diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index ed2d049081142b8fdb142317c74671449cacc467..c9f4bfc11b8252a17648a6dcd4457ed54fb074cf 100644 (file)
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -19,16 +19,20 @@ B<openssl> B<s_server>
 [B<-verify> I<int>]
 [B<-Verify> I<int>]
 [B<-cert> I<infile>]
 [B<-verify> I<int>]
 [B<-Verify> I<int>]
 [B<-cert> I<infile>]

-[B<-naccept> I<+int>]
-[B<-serverinfo> I<val>]
+[B<-cert2> I<infile>]

 [B<-certform> B<DER>|B<PEM>]
 [B<-certform> B<DER>|B<PEM>]

+[B<-cert_chain> I<infile>]
+[B<-build_chain>]
+[B<-serverinfo> I<val>]

 [B<-key> I<infile>]
 [B<-key> I<infile>]

-[B<-keyform> B<DER>|B<PEM>]
+[B<-key2> I<infile>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]

 [B<-pass> I<val>]
 [B<-dcert> I<infile>]
 [B<-dcertform> B<DER>|B<PEM>]
 [B<-pass> I<val>]
 [B<-dcert> I<infile>]
 [B<-dcertform> B<DER>|B<PEM>]

+[B<-dcert_chain> I<infile>]

 [B<-dkey> I<infile>]
 [B<-dkey> I<infile>]

-[B<-dkeyform> B<DER>|B<PEM>]
+[B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>]

 [B<-dpass> I<val>]
 [B<-nbio_test>]
 [B<-crlf>]
 [B<-dpass> I<val>]
 [B<-nbio_test>]
 [B<-crlf>]


@@ -41,30 +45,28 @@ B<openssl> B<s_server>
 [B<-no_resume_ephemeral>]
 [B<-www>]
 [B<-WWW>]
 [B<-no_resume_ephemeral>]
 [B<-www>]
 [B<-WWW>]

+[B<-http_server_binmode>]
+[B<-no_ca_names>]

 [B<-servername>]
 [B<-servername_fatal>]
 [B<-servername>]
 [B<-servername_fatal>]

-[B<-cert2> I<infile>]
-[B<-key2> I<infile>]

 [B<-tlsextdebug>]
 [B<-HTTP>]
 [B<-id_prefix> I<val>]
 [B<-keymatexport> I<val>]
 [B<-keymatexportlen> I<+int>]
 [B<-CRL> I<infile>]
 [B<-tlsextdebug>]
 [B<-HTTP>]
 [B<-id_prefix> I<val>]
 [B<-keymatexport> I<val>]
 [B<-keymatexportlen> I<+int>]
 [B<-CRL> I<infile>]

+[B<-CRLform> B<DER>|B<PEM>]

 [B<-crl_download>]
 [B<-crl_download>]

-[B<-cert_chain> I<infile>]
-[B<-dcert_chain> I<infile>]
+[B<-chainCAfile> I<infile>]

 [B<-chainCApath> I<dir>]
 [B<-chainCApath> I<dir>]

-[B<-verifyCApath> I<dir>]

 [B<-chainCAstore> I<uri>]
 [B<-chainCAstore> I<uri>]

+[B<-verifyCAfile> I<infile>]
+[B<-verifyCApath> I<dir>]

 [B<-verifyCAstore> I<uri>]
 [B<-no_cache>]
 [B<-ext_cache>]
 [B<-verify_return_error>]
 [B<-verify_quiet>]
 [B<-verifyCAstore> I<uri>]
 [B<-no_cache>]
 [B<-ext_cache>]
 [B<-verify_return_error>]
 [B<-verify_quiet>]

-[B<-build_chain>]
-[B<-chainCAfile> I<infile>]
-[B<-verifyCAfile> I<infile>]

 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-status>]
 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-status>]


@@ -82,17 +84,12 @@ B<openssl> B<s_server>
 [B<-max_send_frag> I<+int>]
 [B<-split_send_frag> I<+int>]
 [B<-max_pipelines> I<+int>]
 [B<-max_send_frag> I<+int>]
 [B<-split_send_frag> I<+int>]
 [B<-max_pipelines> I<+int>]

+[B<-naccept> I<+int>]

 [B<-read_buf> I<+int>]
 [B<-read_buf> I<+int>]

-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]

 [B<-bugs>]
 [B<-no_comp>]
 [B<-comp>]
 [B<-no_ticket>]
 [B<-bugs>]
 [B<-no_comp>]
 [B<-comp>]
 [B<-no_ticket>]

-[B<-num_tickets>]

 [B<-serverpref>]
 [B<-legacy_renegotiation>]
 [B<-no_renegotiation>]
 [B<-serverpref>]
 [B<-legacy_renegotiation>]
 [B<-no_renegotiation>]


@@ -112,36 +109,6 @@ B<openssl> B<s_server>
 [B<-dhparam> I<infile>]
 [B<-record_padding> I<val>]
 [B<-debug_broken_protocol>]
 [B<-dhparam> I<infile>]
 [B<-record_padding> I<val>]
 [B<-debug_broken_protocol>]

-[B<-policy> I<val>]
-[B<-purpose> I<val>]
-[B<-verify_name> I<val>]
-[B<-verify_depth> I<int>]
-[B<-auth_level> I<int>]
-[B<-attime> I<intmax>]
-[B<-verify_hostname> I<val>]
-[B<-verify_email> I<val>]
-[B<-verify_ip>]
-[B<-ignore_critical>]
-[B<-issuer_checks>]
-[B<-crl_check>]
-[B<-crl_check_all>]
-[B<-policy_check>]
-[B<-explicit_policy>]
-[B<-inhibit_any>]
-[B<-inhibit_map>]
-[B<-x509_strict>]
-[B<-extended_crl>]
-[B<-use_deltas>]
-[B<-policy_print>]
-[B<-check_ss_sig>]
-[B<-trusted_first>]
-[B<-suiteB_128_only>]
-[B<-suiteB_128>]
-[B<-suiteB_192>]
-[B<-partial_chain>]
-[B<-no_alt_chains>]
-[B<-no_check_time>]
-[B<-allow_proxy_certs>]

 [B<-nbio>]
 [B<-psk_identity> I<val>]
 [B<-psk_hint> I<val>]
 [B<-nbio>]
 [B<-psk_identity> I<val>]
 [B<-psk_hint> I<val>]


@@ -149,34 +116,33 @@ B<openssl> B<s_server>
 [B<-psk_session> I<file>]
 [B<-srpvfile> I<infile>]
 [B<-srpuserseed> I<val>]
 [B<-psk_session> I<file>]
 [B<-srpvfile> I<infile>]
 [B<-srpuserseed> I<val>]

-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-dtls>]

 [B<-timeout>]
 [B<-mtu> I<+int>]
 [B<-listen>]
 [B<-timeout>]
 [B<-mtu> I<+int>]
 [B<-listen>]

-[B<-dtls1>]
-[B<-dtls1_2>]

 [B<-sctp>]
 [B<-sctp_label_bug>]
 [B<-no_dhe>]
 [B<-nextprotoneg> I<val>]
 [B<-use_srtp> I<val>]
 [B<-alpn> I<val>]
 [B<-sctp>]
 [B<-sctp_label_bug>]
 [B<-no_dhe>]
 [B<-nextprotoneg> I<val>]
 [B<-use_srtp> I<val>]
 [B<-alpn> I<val>]

-[B<-engine> I<val>]
+[B<-sendfile>]

 [B<-keylogfile> I<outfile>]
 [B<-keylogfile> I<outfile>]

+[B<-recv_max_early_data> I<int>]

 [B<-max_early_data> I<int>]
 [B<-early_data>]
 [B<-max_early_data> I<int>]
 [B<-early_data>]

+[B<-stateless>]

 [B<-anti_replay>]
 [B<-no_anti_replay>]
 [B<-anti_replay>]
 [B<-no_anti_replay>]

-[B<-http_server_binmode>]
+[B<-num_tickets>]

 {- $OpenSSL::safe::opt_name_synopsis -}
 {- $OpenSSL::safe::opt_name_synopsis -}

+{- $OpenSSL::safe::opt_version_synopsis -}
+{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_s_synopsis -}

 {- $OpenSSL::safe::opt_x_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_x_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}

+{- $OpenSSL::safe::opt_engine_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}

 
 =for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine
 
 
 =for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine
 


@@ -188,6 +154,8 @@ B<openssl> B<s_server>
 
 =for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls mtu dtls1 dtls1_2
 
 
 =for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls mtu dtls1 dtls1_2
 

+=for openssl ifdef sendfile
+

 =head1 DESCRIPTION
 
 This command implements a generic SSL/TLS server which
 =head1 DESCRIPTION
 
 This command implements a generic SSL/TLS server which


@@ -252,22 +220,21 @@ certificate and some require a certificate with a certain public key type:
 for example the DSS cipher suites require a certificate containing a DSS
 (DSA) key. If not specified then the filename F<server.pem> will be used.
 
 for example the DSS cipher suites require a certificate containing a DSS
 (DSA) key. If not specified then the filename F<server.pem> will be used.
 

+=item B<-certform> B<DER>|B<PEM>
+
+The server certificate file format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+

 =item B<-cert_chain>
 
 =item B<-cert_chain>
 

-A file containing trusted certificates to use when attempting to build the
-client/server certificate chain related to the certificate specified via the
-B<-cert> option.
+A file containing untrusted certificates to use when attempting to build the
+certificate chain related to the certificate specified via the B<-cert> option.

 
 =item B<-build_chain>
 
 
 =item B<-build_chain>
 

-Specify whether the application should build the certificate chain to be
+Specify whether the application should build the server certificate chain to be

 provided to the client.
 
 provided to the client.
 

-=item B<-naccept> I<+int>
-
-The server will exit after receiving the specified number of connections,
-default unlimited.
-

 =item B<-serverinfo> I<val>
 
 A file containing one or more blocks of PEM data.  Each PEM block
 =item B<-serverinfo> I<val>
 
 A file containing one or more blocks of PEM data.  Each PEM block


@@ -276,17 +243,12 @@ followed by "length" bytes of extension data).  If the client sends
 an empty TLS ClientHello extension matching the type, the corresponding
 ServerHello extension will be returned.
 
 an empty TLS ClientHello extension matching the type, the corresponding
 ServerHello extension will be returned.
 

-=item B<-certform> B<DER>|B<PEM>, B<-CRLForm> B<DER>|B<PEM>
-
-The certificate and CRL format; the default is PEM.
-See L<openssl(1)/Format Options> for details.
-

 =item B<-key> I<infile>
 
 The private key to use. If not specified then the certificate file will
 be used.
 
 =item B<-key> I<infile>
 
 The private key to use. If not specified then the certificate file will
 be used.
 

-=item B<-keyform> B<DER>|B<PEM>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>

 
 The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 
 The key format; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.


@@ -310,14 +272,19 @@ by using an appropriate certificate.
 
 =item B<-dcert_chain>
 
 
 =item B<-dcert_chain>
 

-A file containing trusted certificates to use when attempting to build the
+A file containing untrusted certificates to use when attempting to build the

 server certificate chain when a certificate specified via the B<-dcert> option
 is in use.
 
 server certificate chain when a certificate specified via the B<-dcert> option
 is in use.
 

-=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>
+=item B<-dcertform> B<DER>|B<PEM>
+
+The format of the additional certificate file; the default is B<PEM>.
+See L<openssl(1)/Format Options>.

 
 

-The format of the certificate and private key; the default is B<PEM>
-see L<openssl(1)/Format Options>.
+=item B<-dkeyform> B<DER>|B<PEM>|B<ENGINE>
+
+The format of the additional private key; the default is B<PEM>.
+See L<openssl(1)/Format Options>.

 
 =item B<-dpass> I<val>
 
 
 =item B<-dpass> I<val>
 


@@ -349,22 +316,53 @@ File to send output of B<-msg> or B<-trace> to, default standard output.
 
 Prints the SSL session states.
 
 
 Prints the SSL session states.
 

-=item B<-chainCApath> I<dir>
+=item B<-CRL> I<infile>
+
+The CRL file to use.
+
+=item B<-CRLform> B<DER>|B<PEM>
+
+The CRL file format; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
+
+=item B<-crl_download>
+
+Download CRLs from distribution points given in CDP extensions of certificates

 
 

-The directory to use for building the chain provided to the client. This
-directory must be in "hash format", see L<openssl-verify(1)> for more
-information.
+=item B<-verifyCAfile> I<filename>
+
+A file in PEM format CA containing trusted certificates to use
+for verifying client certificates.
+
+=item B<-verifyCApath> I<dir>
+
+A directory containing trusted certificates to use
+for verifying client certificates.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.
+
+=item B<-verifyCAstore> I<uri>
+
+The URI of a store containing trusted certificates to use
+for verifying client certificates.

 
 =item B<-chainCAfile> I<file>
 
 
 =item B<-chainCAfile> I<file>
 

-A file containing trusted certificates to use when attempting to build the
-server certificate chain.
+A file in PEM format containing trusted certificates to use
+when attempting to build the server certificate chain.
+
+=item B<-chainCApath> I<dir>
+
+A directory containing trusted certificates to use
+for building the server certificate chain provided to the client.
+This directory must be in "hash format",
+see L<openssl-verify(1)> for more information.

 
 =item B<-chainCAstore> I<uri>
 
 
 =item B<-chainCAstore> I<uri>
 

-The URI to a store to use for building the chain provided to the client.
-The URI may indicate a single certificate, as well as a collection of
-them.
+The URI of a store containing trusted certificates to use
+for building the server certificate chain provided to the client.
+The URI may indicate a single certificate, as well as a collection of them.

 With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
 B<-chainCApath>, depending on if the URI indicates a directory or a
 single file.
 With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
 B<-chainCApath>, depending on if the URI indicates a directory or a
 single file.


@@ -380,32 +378,45 @@ DH).
 
 Inhibit printing of session and certificate information.
 
 
 Inhibit printing of session and certificate information.
 

+=item B<-tlsextdebug>
+
+Print a hex dump of any TLS extensions received from the server.
+

 =item B<-www>
 
 Sends a status message back to the client when it connects. This includes
 information about the ciphers used and various session parameters.
 =item B<-www>
 
 Sends a status message back to the client when it connects. This includes
 information about the ciphers used and various session parameters.

-The output is in HTML format so this option will normally be used with a
-web browser. Cannot be used in conjunction with B<-early_data>.
+The output is in HTML format so this option can be used with a web browser.
+The special URL C</renegcert> turns on client cert validation, and C</reneg>
+tells the server to request renegotiation.
+The B<-early_data> option cannot be used with this option.

 
 

-=item B<-WWW>
+=item B<-WWW>, B<-HTTP>

 
 Emulates a simple web server. Pages will be resolved relative to the
 
 Emulates a simple web server. Pages will be resolved relative to the

-current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. Cannot be used in conjunction
-with B<-early_data>.
+current directory, for example if the URL C<https://myhost/page.html> is
+requested the file F<./page.html> will be sent.
+If the B<-HTTP> flag is used, the files are sent directly, and should contain
+any HTTP response headers (including status response line).
+If the B<-WWW> option is used,
+the response headers are generated by the server, and the file extension is
+examined to determine the B<Content-Type> header.
+Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
+C<text/plain>.
+In addition, the special URL C</stats> will return status
+information like the B<-www> option.
+Neither of these options can be used in conjunction with B<-early_data>.

 
 

-=item B<-tlsextdebug>
+=item B<-http_server_binmode>

 
 

-Print a hex dump of any TLS extensions received from the server.
+When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
+by the client in binary mode.

 
 

-=item B<-HTTP>
+=item B<-no_ca_names>

 
 

-Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. The files loaded are
-assumed to contain a complete and correct HTTP response (lines that
-are part of the HTTP response line and headers must end with CRLF). Cannot be
-used in conjunction with B<-early_data>.
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
+extension is larger than 1024 bytes.

 
 =item B<-id_prefix> I<val>
 
 
 =item B<-id_prefix> I<val>
 


@@ -488,6 +499,11 @@ an effect if an engine has been loaded that supports pipelining (e.g. the dasync
 engine) and a suitable cipher suite has been negotiated. The default value is 1.
 See L<SSL_CTX_set_max_pipelines(3)> for further information.
 
 engine) and a suitable cipher suite has been negotiated. The default value is 1.
 See L<SSL_CTX_set_max_pipelines(3)> for further information.
 

+=item B<-naccept> I<+int>
+
+The server will exit after receiving the specified number of connections,
+default unlimited.
+

 =item B<-read_buf> I<+int>
 
 The default read buffer size to be used for connections. This will only have an
 =item B<-read_buf> I<+int>
 
 The default read buffer size to be used for connections. This will only have an


@@ -495,16 +511,6 @@ effect if the buffer size is larger than the size that would otherwise be used
 and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
 further information).
 
 and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
 further information).
 

-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported
-protocol version.
-When a specific TLS version is required, only that version will be accepted
-from the client.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-

 =item B<-bugs>
 
 There are several known bugs in SSL and TLS implementations. Adding this
 =item B<-bugs>
 
 There are several known bugs in SSL and TLS implementations. Adding this


@@ -585,23 +591,6 @@ load the parameters from the server certificate file.
 If this fails then a static set of parameters hard coded into this command
 will be used.
 
 If this fails then a static set of parameters hard coded into this command
 will be used.
 

-=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
-B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
-
-Set different peer certificate verification options.
-See the L<openssl-verify(1)> manual page for details.
-
-=item B<-crl_check>, B<-crl_check_all>
-
-Check the peer certificate has not been revoked by its CA.
-The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
-option all CRLs of all CAs in the chain are checked.
-

 =item B<-nbio>
 
 Turns on non blocking I/O.
 =item B<-nbio>
 
 Turns on non blocking I/O.


@@ -639,13 +628,6 @@ Any without a cookie will be responded to with a HelloVerifyRequest.
 If a ClientHello with a cookie is received then this command will
 connect to that peer and complete the handshake.
 
 If a ClientHello with a cookie is received then this command will
 connect to that peer and complete the handshake.
 

-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol
-version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
-DTLSv1.2 respectively.
-

 =item B<-sctp>
 
 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
 =item B<-sctp>
 
 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in


@@ -676,12 +658,11 @@ Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".
 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 
 "spdy/3".
 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 

-=item B<-engine> I<val>
+=item B<-sendfile>

 
 

-Specifying an engine (by its unique id string in I<val>) will cause
-this command to attempt to obtain a functional reference to the
-specified engine, thus initialising it if needed. The engine will then be
-set as the default for all available algorithms.
+If this option is set and KTLS is enabled, SSL_sendfile() will be used
+instead of BIO_write() to send the HTTP response requested by a client.
+This option is only valid if B<-WWW> or B<-HTTP> is specified.

 
 =item B<-keylogfile> I<outfile>
 
 
 =item B<-keylogfile> I<outfile>
 


@@ -695,11 +676,20 @@ and any incoming early data (when used in conjunction with the B<-early_data>
 flag). The default value is approximately 16k. The argument must be an integer
 greater than or equal to 0.
 
 flag). The default value is approximately 16k. The argument must be an integer
 greater than or equal to 0.
 

+=item B<-recv_max_early_data> I<int>
+
+Specify the hard limit on the maximum number of early data bytes that will
+be accepted.
+

 =item B<-early_data>
 
 Accept early data where possible. Cannot be used in conjunction with B<-www>,
 B<-WWW>, B<-HTTP> or B<-rev>.
 
 =item B<-early_data>
 
 Accept early data where possible. Cannot be used in conjunction with B<-www>,
 B<-WWW>, B<-HTTP> or B<-rev>.
 

+=item B<-stateless>
+
+Require TLSv1.3 cookies.
+

 =item B<-anti_replay>, B<-no_anti_replay>
 
 Switches replay protection on or off, respectively. Replay protection is on by
 =item B<-anti_replay>, B<-no_anti_replay>
 
 Switches replay protection on or off, respectively. Replay protection is on by


@@ -709,12 +699,11 @@ has been negotiated, and early data is enabled on the server. A full handshake
 is forced if a session ticket is used a second or subsequent time. Any early
 data that was sent will be rejected.
 
 is forced if a session ticket is used a second or subsequent time. Any early
 data that was sent will be rejected.
 

-=item B<-http_server_binmode>
+{- $OpenSSL::safe::opt_name_item -}

 
 

-When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
-by the client in binary mode.
+{- $OpenSSL::safe::opt_version_item -}

 
 

-{- $OpenSSL::safe::opt_name_item -}
+{- $OpenSSL::safe::opt_s_item -}

 
 {- $OpenSSL::safe::opt_x_item -}
 
 
 {- $OpenSSL::safe::opt_x_item -}
 


@@ -722,6 +711,16 @@ by the client in binary mode.
 
 {- $OpenSSL::safe::opt_r_item -}
 
 
 {- $OpenSSL::safe::opt_r_item -}
 

+{- $OpenSSL::safe::opt_engine_item -}
+
+{- $OpenSSL::safe::opt_provider_item -}
+
+{- $OpenSSL::safe::opt_v_item -}
+
+If the server requests a client certificate, then
+verification errors are displayed, for debugging, but the command will
+proceed unless the B<-verify_return_error> option is used.
+

 =back
 
 =head1 CONNECTED COMMANDS
 =back
 
 =head1 CONNECTED COMMANDS


@@ -825,7 +824,7 @@ The
 
 =head1 COPYRIGHT
 
 
 =head1 COPYRIGHT
 

-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.

 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy