s_client.pod (238405) | s_client.pod (264278) |
---|---|
1 2=pod 3 4=head1 NAME 5 6s_client - SSL/TLS client program 7 8=head1 SYNOPSIS 9 10B<openssl> B<s_client> 11[B<-connect host:port>] 12[B<-verify depth>] | 1 2=pod 3 4=head1 NAME 5 6s_client - SSL/TLS client program 7 8=head1 SYNOPSIS 9 10B<openssl> B<s_client> 11[B<-connect host:port>] 12[B<-verify depth>] |
13[B<-verify_return_error>] |
|
13[B<-cert filename>] 14[B<-certform DER|PEM>] 15[B<-key filename>] 16[B<-keyform DER|PEM>] 17[B<-pass arg>] 18[B<-CApath directory>] 19[B<-CAfile filename>] 20[B<-reconnect>] --- 64 unchanged lines hidden (view full) --- 85=item B<-verify depth> 86 87The verify depth to use. This specifies the maximum length of the 88server certificate chain and turns on server certificate verification. 89Currently the verify operation continues after errors so all the problems 90with a certificate chain can be seen. As a side effect the connection 91will never fail due to a server certificate verify failure. 92 | 14[B<-cert filename>] 15[B<-certform DER|PEM>] 16[B<-key filename>] 17[B<-keyform DER|PEM>] 18[B<-pass arg>] 19[B<-CApath directory>] 20[B<-CAfile filename>] 21[B<-reconnect>] --- 64 unchanged lines hidden (view full) --- 86=item B<-verify depth> 87 88The verify depth to use. This specifies the maximum length of the 89server certificate chain and turns on server certificate verification. 90Currently the verify operation continues after errors so all the problems 91with a certificate chain can be seen. As a side effect the connection 92will never fail due to a server certificate verify failure. 93 |
94=item B<-verify_return_error> 95 96Return verification errors instead of continuing. This will typically 97abort the handshake with a fatal error. 98 |
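Review bot: the new B<-verify_return_error> item does not say that it only takes effect when verification has been enabled with B<-verify depth>, which the unchanged B<-verify> item just above describes as the option that "turns on server certificate verification"; suggest adding a sentence such as "This option has no effect unless verification is enabled with B<-verify>." (or a cross-reference to B<-verify>) so a reader does not pass B<-verify_return_error> on its own and assume the chain was checked and enforced.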
|
93=item B<-CApath directory> 94 95The directory to use for server certificate verification. This directory 96must be in "hash format", see B<verify> for more information. These are 97also used when building the client certificate chain. 98 99=item B<-CAfile file> 100 --- 180 unchanged lines hidden (view full) --- 281 282If there are problems verifying a server certificate then the 283B<-showcerts> option can be used to show the whole chain. 284 285Since the SSLv23 client hello cannot include compression methods or extensions 286these will only be supported if its use is disabled, for example by using the 287B<-no_sslv2> option. 288 | 99=item B<-CApath directory> 100 101The directory to use for server certificate verification. This directory 102must be in "hash format", see B<verify> for more information. These are 103also used when building the client certificate chain. 104 105=item B<-CAfile file> 106 --- 180 unchanged lines hidden (view full) --- 287 288If there are problems verifying a server certificate then the 289B<-showcerts> option can be used to show the whole chain. 290 291Since the SSLv23 client hello cannot include compression methods or extensions 292these will only be supported if its use is disabled, for example by using the 293B<-no_sslv2> option. 294 |
295The B<s_client> utility is a test tool and is designed to continue the 296handshake after any certificate verification errors. As a result it will 297accept any certificate chain (trusted or not) sent by the peer. None test 298applications should B<not> do this as it makes them vulnerable to a MITM 299attack. This behaviour can be changed by with the B<-verify_return_error> 300option: any verify errors are then returned aborting the handshake. 301 |
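Review bot: two wording errors in the added NOTES paragraph: "None test applications should B<not> do this" should read "Non-test applications should B<not> do this", and "This behaviour can be changed by with the B<-verify_return_error> option" has a stray "by". It would also help to state explicitly that the default (accepting any chain, trusted or not) is unchanged and that the option is opt-in, since the paragraph is the only place that warns about the MITM exposure of the default behaviour.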
|
289=head1 BUGS 290 291Because this program has a lot of options and also because some of 292the techniques used are rather old, the C source of s_client is rather 293hard to read and not a model of how things should be done. A typical 294SSL client program would be much simpler. 295 | 302=head1 BUGS 303 304Because this program has a lot of options and also because some of 305the techniques used are rather old, the C source of s_client is rather 306hard to read and not a model of how things should be done. A typical 307SSL client program would be much simpler. 308 |
296The B<-verify> option should really exit if the server verification 297fails. 298 | |
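Review bot: dropping the BUGS entry "The B<-verify> option should really exit if the server verification fails" overstates what this change fixes: the unchanged B<-verify> item still says the verify operation continues after errors and that the connection will never fail due to a verify failure, which remains the default; only the new opt-in B<-verify_return_error> changes it. Suggest either keeping a reworded entry (e.g. "By default the B<-verify> option does not exit if server verification fails; use B<-verify_return_error> to make it do so.") or updating the B<-verify> item itself to point at B<-verify_return_error>.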
299The B<-prexit> option is a bit of a hack. We should really report 300information whenever a session is renegotiated. 301 302=head1 SEE ALSO 303 304L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> 305 306=cut | 309The B<-prexit> option is a bit of a hack. We should really report 310information whenever a session is renegotiated. 311 312=head1 SEE ALSO 313 314L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> 315 316=cut |