Lines Matching +full:srp +full:- +full:capable

2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-s_client - SSL/TLS client program
11 [B<-help>]
12 [B<-ssl_config> I<section>]
13 [B<-connect> I<host>:I<port>]
14 [B<-host> I<hostname>]
15 [B<-port> I<port>]
16 [B<-bind> I<host>:I<port>]
17 [B<-proxy> I<host>:I<port>]
18 [B<-proxy_user> I<userid>]
19 [B<-proxy_pass> I<arg>]
20 [B<-unix> I<path>]
21 [B<-4>]
22 [B<-6>]
23 [B<-servername> I<name>]
24 [B<-noservername>]
25 [B<-verify> I<depth>]
26 [B<-verify_return_error>]
27 [B<-verify_quiet>]
28 [B<-verifyCAfile> I<filename>]
29 [B<-verifyCApath> I<dir>]
30 [B<-verifyCAstore> I<uri>]
31 [B<-cert> I<filename>]
32 [B<-certform> B<DER>|B<PEM>|B<P12>]
33 [B<-cert_chain> I<filename>]
34 [B<-build_chain>]
35 [B<-CRL> I<filename>]
36 [B<-CRLform> B<DER>|B<PEM>]
37 [B<-crl_download>]
38 [B<-key> I<filename>|I<uri>]
39 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
40 [B<-pass> I<arg>]
41 [B<-chainCAfile> I<filename>]
42 [B<-chainCApath> I<directory>]
43 [B<-chainCAstore> I<uri>]
44 [B<-requestCAfile> I<filename>]
45 [B<-dane_tlsa_domain> I<domain>]
46 [B<-dane_tlsa_rrdata> I<rrdata>]
47 [B<-dane_ee_no_namechecks>]
48 [B<-reconnect>]
49 [B<-showcerts>]
50 [B<-prexit>]
51 [B<-debug>]
52 [B<-trace>]
53 [B<-nocommands>]
54 [B<-security_debug>]
55 [B<-security_debug_verbose>]
56 [B<-msg>]
57 [B<-timeout>]
58 [B<-mtu> I<size>]
59 [B<-no_etm>]
60 [B<-keymatexport> I<label>]
61 [B<-keymatexportlen> I<len>]
62 [B<-msgfile> I<filename>]
63 [B<-nbio_test>]
64 [B<-state>]
65 [B<-nbio>]
66 [B<-crlf>]
67 [B<-ign_eof>]
68 [B<-no_ign_eof>]
69 [B<-psk_identity> I<identity>]
70 [B<-psk> I<key>]
71 [B<-psk_session> I<file>]
72 [B<-quiet>]
73 [B<-sctp>]
74 [B<-sctp_label_bug>]
75 [B<-fallback_scsv>]
76 [B<-async>]
77 [B<-maxfraglen> I<len>]
78 [B<-max_send_frag>]
79 [B<-split_send_frag>]
80 [B<-max_pipelines>]
81 [B<-read_buf>]
82 [B<-ignore_unexpected_eof>]
83 [B<-bugs>]
84 [B<-comp>]
85 [B<-no_comp>]
86 [B<-brief>]
87 [B<-legacy_server_connect>]
88 [B<-no_legacy_server_connect>]
89 [B<-allow_no_dhe_kex>]
90 [B<-sigalgs> I<sigalglist>]
91 [B<-curves> I<curvelist>]
92 [B<-cipher> I<cipherlist>]
93 [B<-ciphersuites> I<val>]
94 [B<-serverpref>]
95 [B<-starttls> I<protocol>]
96 [B<-name> I<hostname>]
97 [B<-xmpphost> I<hostname>]
98 [B<-name> I<hostname>]
99 [B<-tlsextdebug>]
100 [B<-no_ticket>]
101 [B<-sess_out> I<filename>]
102 [B<-serverinfo> I<types>]
103 [B<-sess_in> I<filename>]
104 [B<-serverinfo> I<types>]
105 [B<-status>]
106 [B<-alpn> I<protocols>]
107 [B<-nextprotoneg> I<protocols>]
108 [B<-ct>]
109 [B<-noct>]
110 [B<-ctlogfile>]
111 [B<-keylogfile> I<file>]
112 [B<-early_data> I<file>]
113 [B<-enable_pha>]
114 [B<-use_srtp> I<value>]
115 [B<-srpuser> I<value>]
116 [B<-srppass> I<value>]
117 [B<-srp_lateuser>]
118 [B<-srp_moregroups>]
119 [B<-srp_strength> I<number>]
120 {- $OpenSSL::safe::opt_name_synopsis -}
121 {- $OpenSSL::safe::opt_version_synopsis -}
122 {- $OpenSSL::safe::opt_x_synopsis -}
123 {- $OpenSSL::safe::opt_trust_synopsis -}
124 {- $OpenSSL::safe::opt_s_synopsis -}
125 {- $OpenSSL::safe::opt_r_synopsis -}
126 {- $OpenSSL::safe::opt_provider_synopsis -}
127 {- $OpenSSL::safe::opt_engine_synopsis -}[B<-ssl_client_engine> I<id>]
128 {- $OpenSSL::safe::opt_v_synopsis -}
146 =item B<-help>
150 =item B<-ssl_config> I<section>
154 =item B<-connect> I<host>:I<port>
162 =item B<-host> I<hostname>
164 Host to connect to; use B<-connect> instead.
166 =item B<-port> I<port>
168 Connect to the specified port; use B<-connect> instead.
170 =item B<-bind> I<host>:I<port>
173 connection. For Unix-domain sockets the port is ignored and the host is
177 =item B<-proxy> I<host>:I<port>
179 When used with the B<-connect> flag, the program uses the host and port
184 =item B<-proxy_user> I<userid>
186 When used with the B<-proxy> flag, the program will attempt to authenticate
193 =item B<-proxy_pass> I<arg>
195 The proxy password source, used with the B<-proxy_user> flag.
197 see L<openssl-passphrase-options(1)>.
199 =item B<-unix> I<path>
201 Connect over the specified Unix-domain socket.
203 =item B<-4>
207 =item B<-6>
211 =item B<-servername> I<name>
215 If B<-servername> is not provided, the TLS SNI extension will be populated with
216 the name given to B<-connect> if it follows a DNS name format. If B<-connect> is
221 B<-servername> is provided then that name will be sent, regardless of whether
224 This option cannot be used in conjunction with B<-noservername>.
226 =item B<-noservername>
229 ClientHello message. Cannot be used in conjunction with the B<-servername> or
230 B<-dane_tlsa_domain> options.
232 =item B<-cert> I<filename>
237 The chain for the client certificate may be specified using B<-cert_chain>.
239 =item B<-certform> B<DER>|B<PEM>|B<P12>
242 See L<openssl-format-options(1)> for details.
244 =item B<-cert_chain>
247 certificate chain related to the certificate specified via the B<-cert> option.
250 =item B<-build_chain>
255 =item B<-CRL> I<filename>
259 =item B<-CRLform> B<DER>|B<PEM>
262 See L<openssl-format-options(1)> for details.
264 =item B<-crl_download>
267 is ignored if B<-crl_check> option is not provided. Note that the maximum size
270 =item B<-key> I<filename>|I<uri>
275 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
278 See L<openssl-format-options(1)> for details.
280 =item B<-pass> I<arg>
284 see L<openssl-passphrase-options(1)>.
286 =item B<-verify> I<depth>
290 Unless the B<-verify_return_error> option is given,
297 For details see L<openssl-verification-options(1)/Certificate Extensions>.
299 =item B<-verify_return_error>
301 Turns on server certificate verification, like with B<-verify>,
305 =item B<-verify_quiet>
309 =item B<-verifyCAfile> I<filename>
314 =item B<-verifyCApath> I<dir>
319 see L<openssl-verify(1)> for more information.
321 =item B<-verifyCAstore> I<uri>
326 =item B<-chainCAfile> I<file>
331 =item B<-chainCApath> I<directory>
336 see L<openssl-verify(1)> for more information.
338 =item B<-chainCAstore> I<uri>
343 With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
344 B<-chainCApath>, depending on if the URI indicates a directory or a
346 See L<ossl_store-file(7)> for more information on the C<file:> scheme.
348 =item B<-requestCAfile> I<file>
354 =item B<-dane_tlsa_domain> I<domain>
359 combination with at least one instance of the B<-dane_tlsa_rrdata>
365 anchor public key that signed (rather than matched) the top-most
370 =item B<-dane_tlsa_rrdata> I<rrdata>
379 $ openssl s_client -brief -starttls smtp \
380 -connect smtp.example.com:25 \
381 -dane_tlsa_domain smtp.example.com \
382 -dane_tlsa_rrdata "2 1 1
384 -dane_tlsa_rrdata "2 1 1
392 =item B<-dane_ee_no_namechecks>
394 This disables server name checks when authenticating via DANE-EE(3) TLSA
400 The malicious server may then be able to violate cross-origin scripting
403 DANE-EE(3) TLSA records, and can be disabled in applications where it is safe
410 =item B<-reconnect>
415 =item B<-showcerts>
421 =item B<-prexit>
432 =item B<-state>
436 =item B<-debug>
440 =item B<-nocommands>
444 =item B<-security_debug>
448 =item B<-security_debug_verbose>
452 =item B<-msg>
456 =item B<-timeout>
460 =item B<-mtu> I<size>
464 =item B<-no_etm>
466 Disable Encrypt-then-MAC negotiation.
468 =item B<-keymatexport> I<label>
472 =item B<-keymatexportlen> I<len>
478 =item B<-trace>
482 =item B<-msgfile> I<filename>
484 File to send output of B<-msg> or B<-trace> to, default standard output.
486 =item B<-nbio_test>
490 =item B<-nbio>
494 =item B<-crlf>
499 =item B<-ign_eof>
504 =item B<-quiet>
507 turns on B<-ign_eof> as well.
509 =item B<-no_ign_eof>
512 Can be used to override the implicit B<-ign_eof> after B<-quiet>.
514 =item B<-psk_identity> I<identity>
519 =item B<-psk> I<key>
522 given as a hexadecimal number without leading 0x, for example -psk
526 =item B<-psk_session> I<file>
531 =item B<-sctp>
534 conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
537 =item B<-sctp_label_bug>
540 endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
542 implementations. Must be used in conjunction with B<-sctp>. This option is only
545 =item B<-fallback_scsv>
549 =item B<-async>
552 asynchronously. This will only have an effect if an asynchronous capable engine
553 is also used via the B<-engine> option. For test purposes the dummy async engine
556 =item B<-maxfraglen> I<len>
561 =item B<-max_send_frag> I<int>
566 =item B<-split_send_frag> I<int>
575 =item B<-max_pipelines> I<int>
582 =item B<-read_buf> I<int>
589 =item B<-ignore_unexpected_eof>
598 =item B<-bugs>
603 =item B<-comp>
610 =item B<-no_comp>
616 =item B<-brief>
621 =item B<-sigalgs> I<sigalglist>
627 =item B<-curves> I<curvelist>
633 and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
636 $ openssl ecparam -list_curves
638 =item B<-cipher> I<cipherlist>
644 L<openssl-ciphers(1)> for more information.
646 =item B<-ciphersuites> I<val>
652 L<openssl-ciphers(1)> for more information. The format for this list is a simple
655 =item B<-starttls> I<protocol>
657 Send the protocol-specific message(s) to switch to TLS for communication.
659 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
662 =item B<-xmpphost> I<hostname>
664 This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
666 If this option is not specified, then the host specified with "-connect"
669 This option is an alias of the B<-name> option for "xmpp" and "xmpp-server".
671 =item B<-name> I<hostname>
674 used with B<-starttls> option. Currently only "xmpp", "xmpp-server",
675 "smtp" and "lmtp" can utilize this B<-name> option.
677 If this option is used with "-starttls xmpp" or "-starttls xmpp-server",
679 option is not specified, then the host specified with "-connect" will be used.
681 If this option is used with "-starttls lmtp" or "-starttls smtp", it specifies
685 =item B<-tlsextdebug>
689 =item B<-no_ticket>
693 =item B<-sess_out> I<filename>
697 =item B<-sess_in> I<filename>
702 =item B<-serverinfo> I<types>
704 A list of comma-separated TLS Extension Types (numbers between 0 and
709 =item B<-status>
714 =item B<-alpn> I<protocols>, B<-nextprotoneg> I<protocols>
716 These flags enable the Application-Layer Protocol Negotiation
719 The I<protocols> list is a comma-separated list of protocol names that
726 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
728 =item B<-ct>, B<-noct>
731 is enabled (B<-ct>) or disabled (B<-noct>).
738 =item B<-ctlogfile>
743 =item B<-keylogfile> I<file>
748 =item B<-early_data> I<file>
754 =item B<-enable_pha>
756 For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
757 happen whether or not a certificate has been provided via B<-cert>.
759 =item B<-use_srtp> I<value>
761 Offer SRTP key management, where B<value> is a colon-separated profile list.
763 =item B<-srpuser> I<value>
765 Set the SRP username to the specified value. This option is deprecated.
767 =item B<-srppass> I<value>
769 Set the SRP password to the specified value. This option is deprecated.
771 =item B<-srp_lateuser>
773 SRP username for the second ClientHello message. This option is deprecated.
775 =item B<-srp_moregroups> This option is deprecated.
779 =item B<-srp_strength> I<number>
784 {- $OpenSSL::safe::opt_version_item -}
786 {- $OpenSSL::safe::opt_name_item -}
788 {- $OpenSSL::safe::opt_x_item -}
790 {- $OpenSSL::safe::opt_trust_item -}
792 {- $OpenSSL::safe::opt_s_item -}
794 {- $OpenSSL::safe::opt_r_item -}
796 {- $OpenSSL::safe::opt_provider_item -}
798 {- $OpenSSL::safe::opt_engine_item -}
800 {- output_off() if $disabled{"deprecated-3.0"}; "" -}
801 =item B<-ssl_client_engine> I<id>
804 {- output_on() if $disabled{"deprecated-3.0"}; "" -}
806 {- $OpenSSL::safe::opt_v_item -}
809 proceed unless the B<-verify_return_error> option is used.
813 Rather than providing B<-connect>, the target host and optional port may
815 nor B<-connect> are provided, falls back to attempting to connect to
826 used interactively (which means neither B<-quiet> nor B<-ign_eof> have been
856 openssl s_client -connect servername:443
862 nothing obvious like no client certificate then the B<-bugs>,
863 B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
874 is necessary to use the B<-prexit> option and send an HTTP request
877 If a certificate is specified on the command line using the B<-cert>
883 B<-showcerts> option can be used to show all the certificates sent by the
888 accept any certificate chain (trusted or not) sent by the peer. Non-test
890 attack. This behaviour can be changed with the B<-verify_return_error>
893 The B<-bind> option may be useful if the server or a firewall requires
896 =head2 Note on Non-Interactive Use
898 When B<s_client> is run in a non-interactive environment (e.g., a cron job or
900 especially with TLS 1.3. To prevent this, you can use the B<-ign_eof> flag,
905 openssl s_client -connect <server address>:443 -tls1_3
906 -sess_out /path/to/tls_session_params_file
907 -ign_eof </dev/null
909 However, relying solely on B<-ign_eof> can lead to issues if the server keeps
917 $ openssl s_client -brief -ign_eof -starttls smtp
918 -connect <server address>:25 </dev/null
926 To avoid such hangs, it's better to use an application-level command to
929 printf 'QUIT\r\n' | openssl s_client -connect <server address>:25
930 -starttls smtp -brief -ign_eof
936 | openssl s_client -connect <server address>:443 -brief
948 The B<-prexit> option is a bit of a hack. We should really report
954 L<openssl-sess_id(1)>,
955 L<openssl-s_server(1)>,
956 L<openssl-ciphers(1)>,
961 L<ossl_store-file(7)>
965 The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
966 The B<-name> option was added in OpenSSL 1.1.1.
968 The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
970 The B<-engine> option was deprecated in OpenSSL 3.0.
974 Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.