s_client.1 (273399) s_client.1 (279264)
1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.28)
1.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text

--- 23 unchanged lines hidden ---

33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text

--- 23 unchanged lines hidden ---

33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41. ds C`
42. ds C'
41'br\}
42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
47.\" If the F register is turned on, we'll generate index entries on stderr for
48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
43'br\}
44.\"
45.\" Escape single quotes in literal strings from groff's Unicode transform.
46.ie \n(.g .ds Aq \(aq
47.el .ds Aq '
48.\"
49.\" If the F register is turned on, we'll generate index entries on stderr for
50.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
51.\" entries marked with X<> in POD. Of course, you'll have to process the
52.\" output yourself in some meaningful fashion.
51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
53.\"
54.\" Avoid warning from groff about undefined register 'F'.
55.de IX
54..
56..
55. nr % 0
56. rr F
57.\}
58.el \{\
59. de IX
57.nr rF 0
58.if \n(.g .if rF .nr rF 1
59.if (\n(rF:(\n(.g==0)) \{
60. if \nF \{
61. de IX
62. tm Index:\\$1\t\\n%\t"\\$2"
60..
63..
64. if !\nF==2 \{
65. nr % 0
66. nr F 2
67. \}
68. \}
61.\}
69.\}
70.rr rF
62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
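Review bot: the preamble changes in this region (the two added empty ds definitions at new lines 41-42 and the rewritten IX block at new lines 53-70) track the generator bump on line 1 from Pod::Man 2.25 to 2.27, and the commit message should say the page was regenerated so nobody reads these as hand edits; any wording fix belongs in the POD source. One thing to confirm in the new IX block: the temporary register is cleaned up with `.rr rF` at line 70, but `F` is now set with `. nr F 2` and never removed, where the old code ended with `. rr F`.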

--- 49 unchanged lines hidden ---

119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "S_CLIENT 1"
71.\"
72.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
73.\" Fear. Run. Save yourself. No user-serviceable parts.
74. \" fudge factors for nroff and troff
75.if n \{\
76. ds #H 0
77. ds #V .8m
78. ds #F .3m

--- 49 unchanged lines hidden ---

128. ds Th \o'LP'
129. ds ae ae
130. ds Ae AE
131.\}
132.rm #[ #] #H #V #F C
133.\" ========================================================================
134.\"
135.IX Title "S_CLIENT 1"
127.TH S_CLIENT 1 "2014-10-15" "1.0.1j" "OpenSSL"
136.TH S_CLIENT 1 "2015-01-15" "1.0.1l" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133s_client \- SSL/TLS client program
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
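Review bot: the `.TH` line goes from "1.0.1j" (2014-10-15) to "1.0.1l" (2015-01-15), skipping a letter, and nothing in the visible diff says which release is being imported; name the release in the commit message so the revision pair 273399/279264 can be matched to it. In the lines shown for this file, this is the only change that is not generator formatting.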

--- 37 unchanged lines hidden ---

173[\fB\-sess_out filename\fR]
174[\fB\-sess_in filename\fR]
175[\fB\-rand file(s)\fR]
176[\fB\-status\fR]
177[\fB\-nextprotoneg protocols\fR]
178.SH "DESCRIPTION"
179.IX Header "DESCRIPTION"
180The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.
139.if n .ad l
140.nh
141.SH "NAME"
142s_client \- SSL/TLS client program
143.SH "SYNOPSIS"
144.IX Header "SYNOPSIS"

--- 37 unchanged lines hidden ---

182[\fB\-sess_out filename\fR]
183[\fB\-sess_in filename\fR]
184[\fB\-rand file(s)\fR]
185[\fB\-status\fR]
186[\fB\-nextprotoneg protocols\fR]
187.SH "DESCRIPTION"
188.IX Header "DESCRIPTION"
189The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
181to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for
190to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool for
182\&\s-1SSL\s0 servers.
183.SH "OPTIONS"
184.IX Header "OPTIONS"
185.IP "\fB\-connect host:port\fR" 4
186.IX Item "-connect host:port"
187This specifies the host and optional port to connect to. If not specified
188then an attempt is made to connect to the local host on port 4433.
189.IP "\fB\-servername name\fR" 4
190.IX Item "-servername name"
191\&\s-1SSL\s0 servers.
192.SH "OPTIONS"
193.IX Header "OPTIONS"
194.IP "\fB\-connect host:port\fR" 4
195.IX Item "-connect host:port"
196This specifies the host and optional port to connect to. If not specified
197then an attempt is made to connect to the local host on port 4433.
198.IP "\fB\-servername name\fR" 4
199.IX Item "-servername name"
191Set the \s-1TLS\s0 \s-1SNI\s0 (Server Name Indication) extension in the ClientHello message.
200Set the \s-1TLS SNI \s0(Server Name Indication) extension in the ClientHello message.
192.IP "\fB\-cert certname\fR" 4
193.IX Item "-cert certname"
194The certificate to use, if one is requested by the server. The default is
195not to use a certificate.
196.IP "\fB\-certform format\fR" 4
197.IX Item "-certform format"
201.IP "\fB\-cert certname\fR" 4
202.IX Item "-cert certname"
203The certificate to use, if one is requested by the server. The default is
204not to use a certificate.
205.IP "\fB\-certform format\fR" 4
206.IX Item "-certform format"
198The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
207The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
199.IP "\fB\-key keyfile\fR" 4
200.IX Item "-key keyfile"
201The private key to use. If not specified then the certificate file will
202be used.
203.IP "\fB\-keyform format\fR" 4
204.IX Item "-keyform format"
208.IP "\fB\-key keyfile\fR" 4
209.IX Item "-key keyfile"
210The private key to use. If not specified then the certificate file will
211be used.
212.IP "\fB\-keyform format\fR" 4
213.IX Item "-keyform format"
205The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
214The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
206.IP "\fB\-pass arg\fR" 4
207.IX Item "-pass arg"
208the private key password source. For more information about the format of \fBarg\fR
215.IP "\fB\-pass arg\fR" 4
216.IX Item "-pass arg"
217the private key password source. For more information about the format of \fBarg\fR
209see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
218see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
210.IP "\fB\-verify depth\fR" 4
211.IX Item "-verify depth"
212The verify depth to use. This specifies the maximum length of the
213server certificate chain and turns on server certificate verification.
214Currently the verify operation continues after errors so all the problems
215with a certificate chain can be seen. As a side effect the connection
216will never fail due to a server certificate verify failure.
217.IP "\fB\-verify_return_error\fR" 4
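Review bot: new line 214 still reads "The private format to use", which should be "The private key format to use"; the regeneration touched this line (only the `\s-1PEM. PEM\s0` grouping changed) without fixing the wording, so correct it in the POD source and regenerate. The lowercase sentence start at line 217, "the private key password source", could be fixed in the same pass.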

--- 10 unchanged lines hidden ---

228A file containing trusted certificates to use during server authentication
229and to use when attempting to build the client certificate chain.
230.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig\fR" 4
231.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig"
232Set various certificate chain valiadition option. See the
233\&\fBverify\fR manual page for details.
234.IP "\fB\-reconnect\fR" 4
235.IX Item "-reconnect"
219.IP "\fB\-verify depth\fR" 4
220.IX Item "-verify depth"
221The verify depth to use. This specifies the maximum length of the
222server certificate chain and turns on server certificate verification.
223Currently the verify operation continues after errors so all the problems
224with a certificate chain can be seen. As a side effect the connection
225will never fail due to a server certificate verify failure.
226.IP "\fB\-verify_return_error\fR" 4
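Review bot: the `-verify depth` text at lines 221-225 says verification is turned on and, two sentences later, that "the connection will never fail due to a server certificate verify failure", with no pointer to what a reader should do when the connection must fail. Since the item that follows is `-verify_return_error`, add a cross-reference to it in the POD source at the end of this paragraph, so that a completed handshake under `-verify` is not read as a verified one.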

--- 10 unchanged lines hidden ---

237A file containing trusted certificates to use during server authentication
238and to use when attempting to build the client certificate chain.
239.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig\fR" 4
240.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig"
241Set various certificate chain valiadition option. See the
242\&\fBverify\fR manual page for details.
243.IP "\fB\-reconnect\fR" 4
244.IX Item "-reconnect"
236reconnects to the same server 5 times using the same session \s-1ID\s0, this can
245reconnects to the same server 5 times using the same session \s-1ID,\s0 this can
237be used as a test that session caching is working.
238.IP "\fB\-pause\fR" 4
239.IX Item "-pause"
240pauses 1 second between each read and write call.
241.IP "\fB\-showcerts\fR" 4
242.IX Item "-showcerts"
243display the whole server certificate chain: normally only the server
244certificate itself is displayed.
245.IP "\fB\-prexit\fR" 4
246.IX Item "-prexit"
247print session information when the program exits. This will always attempt
248to print out information even if the connection fails. Normally information
249will only be printed out once if the connection succeeds. This option is useful
250because the cipher in use may be renegotiated or the connection may fail
251because a client certificate is required or is requested only after an
246be used as a test that session caching is working.
247.IP "\fB\-pause\fR" 4
248.IX Item "-pause"
249pauses 1 second between each read and write call.
250.IP "\fB\-showcerts\fR" 4
251.IX Item "-showcerts"
252display the whole server certificate chain: normally only the server
253certificate itself is displayed.
254.IP "\fB\-prexit\fR" 4
255.IX Item "-prexit"
256print session information when the program exits. This will always attempt
257to print out information even if the connection fails. Normally information
258will only be printed out once if the connection succeeds. This option is useful
259because the cipher in use may be renegotiated or the connection may fail
260because a client certificate is required or is requested only after an
252attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
261attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this
253option is not always accurate because a connection might never have been
254established.
255.IP "\fB\-state\fR" 4
256.IX Item "-state"
257prints out the \s-1SSL\s0 session states.
258.IP "\fB\-debug\fR" 4
259.IX Item "-debug"
260print extensive debugging information including a hex dump of all traffic.
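Review bot: line 241 (232 on the old side) reads "Set various certificate chain valiadition option" and comes through this regeneration unchanged; it should read "validation options", fixed in the POD source. The two changed lines in this region, 245 (`\s-1ID,\s0`) and 261 (`\s-1URL.\s0`), only move the trailing punctuation inside the reduced-size span, so the comma and full stop are now set small in typeset output; that is generator behaviour, but worth a look at the rendered page.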

--- 47 unchanged lines hidden ---

308.IP "\fB\-cipher cipherlist\fR" 4
309.IX Item "-cipher cipherlist"
310this allows the cipher list sent by the client to be modified. Although
311the server determines which cipher suite is used it should take the first
312supported cipher in the list sent by the client. See the \fBciphers\fR
313command for more information.
314.IP "\fB\-serverpref\fR" 4
315.IX Item "-serverpref"
262option is not always accurate because a connection might never have been
263established.
264.IP "\fB\-state\fR" 4
265.IX Item "-state"
266prints out the \s-1SSL\s0 session states.
267.IP "\fB\-debug\fR" 4
268.IX Item "-debug"
269print extensive debugging information including a hex dump of all traffic.

--- 47 unchanged lines hidden ---

317.IP "\fB\-cipher cipherlist\fR" 4
318.IX Item "-cipher cipherlist"
319this allows the cipher list sent by the client to be modified. Although
320the server determines which cipher suite is used it should take the first
321supported cipher in the list sent by the client. See the \fBciphers\fR
322command for more information.
323.IP "\fB\-serverpref\fR" 4
324.IX Item "-serverpref"
316use the server's cipher preferences; only used for \s-1SSLV2\s0.
325use the server's cipher preferences; only used for \s-1SSLV2.\s0
317.IP "\fB\-starttls protocol\fR" 4
318.IX Item "-starttls protocol"
319send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
320\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
321supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R".
322.IP "\fB\-tlsextdebug\fR" 4
323.IX Item "-tlsextdebug"
324print out a hex dump of any \s-1TLS\s0 extensions received from the server.

--- 39 unchanged lines hidden ---

364If a connection is established with an \s-1SSL\s0 server then any data received
365from the server is displayed and any key presses will be sent to the
366server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR
367have been given), the session will be renegotiated if the line begins with an
368\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the
369connection will be closed down.
370.SH "NOTES"
371.IX Header "NOTES"
326.IP "\fB\-starttls protocol\fR" 4
327.IX Item "-starttls protocol"
328send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
329\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
330supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R".
331.IP "\fB\-tlsextdebug\fR" 4
332.IX Item "-tlsextdebug"
333print out a hex dump of any \s-1TLS\s0 extensions received from the server.

--- 39 unchanged lines hidden ---

373If a connection is established with an \s-1SSL\s0 server then any data received
374from the server is displayed and any key presses will be sent to the
375server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR
376have been given), the session will be renegotiated if the line begins with an
377\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the
378connection will be closed down.
379.SH "NOTES"
380.IX Header "NOTES"
372\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0
381\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
373server the command:
374.PP
375.Vb 1
376\& openssl s_client \-connect servername:443
377.Ve
378.PP
379would typically be used (https uses port 443). If the connection succeeds
382server the command:
383.PP
384.Vb 1
385\& openssl s_client \-connect servername:443
386.Ve
387.PP
388would typically be used (https uses port 443). If the connection succeeds
380then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
389then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page.
381.PP
382If the handshake fails then there are several possible causes, if it is
383nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
384\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
385in case it is a buggy server. In particular you should play with these
386options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
387.PP
388A frequent problem when attempting to get client certificates working
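Review bot: on new line 389 the size span is no longer balanced around the quoted command: `\s-1` starts after the opening `\*(L"` but `\s0` now comes after the closing `\*(R"`, so in typeset output the two quote marks are set at different sizes (old line 380 closed the span before the quote). Check the rendered page and, if it shows, adjust the markup in the POD source. While that source is open, the handshake-failure paragraph at lines 391-395 still tells readers to try `-ssl2` and `-ssl3`; a sentence saying these are for diagnosing a server, not settings to carry into a client configuration, would help.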

--- 39 unchanged lines hidden ---
390.PP
391If the handshake fails then there are several possible causes, if it is
392nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
393\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
394in case it is a buggy server. In particular you should play with these
395options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
396.PP
397A frequent problem when attempting to get client certificates working

--- 39 unchanged lines hidden ---