18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
62 . tm Index:\\$1\t\\n%\t"\\$2"
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-S_CLIENT 1ossl"
134 .TH OPENSSL-S_CLIENT 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-s_client \- SSL/TLS client program
144 [\fB\-help\fR]
145 [\fB\-ssl_config\fR \fIsection\fR]
146 [\fB\-connect\fR \fIhost:port\fR]
147 [\fB\-host\fR \fIhostname\fR]
148 [\fB\-port\fR \fIport\fR]
149 [\fB\-bind\fR \fIhost:port\fR]
150 [\fB\-proxy\fR \fIhost:port\fR]
151 [\fB\-proxy_user\fR \fIuserid\fR]
152 [\fB\-proxy_pass\fR \fIarg\fR]
153 [\fB\-unix\fR \fIpath\fR]
154 [\fB\-4\fR]
155 [\fB\-6\fR]
156 [\fB\-servername\fR \fIname\fR]
157 [\fB\-noservername\fR]
158 [\fB\-verify\fR \fIdepth\fR]
159 [\fB\-verify_return_error\fR]
160 [\fB\-verify_quiet\fR]
161 [\fB\-verifyCAfile\fR \fIfilename\fR]
162 [\fB\-verifyCApath\fR \fIdir\fR]
163 [\fB\-verifyCAstore\fR \fIuri\fR]
164 [\fB\-cert\fR \fIfilename\fR]
165 [\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
166 [\fB\-cert_chain\fR \fIfilename\fR]
167 [\fB\-build_chain\fR]
168 [\fB\-CRL\fR \fIfilename\fR]
169 [\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
170 [\fB\-crl_download\fR]
171 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
172 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
173 [\fB\-pass\fR \fIarg\fR]
174 [\fB\-chainCAfile\fR \fIfilename\fR]
175 [\fB\-chainCApath\fR \fIdirectory\fR]
176 [\fB\-chainCAstore\fR \fIuri\fR]
177 [\fB\-requestCAfile\fR \fIfilename\fR]
178 [\fB\-dane_tlsa_domain\fR \fIdomain\fR]
179 [\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR]
180 [\fB\-dane_ee_no_namechecks\fR]
181 [\fB\-reconnect\fR]
182 [\fB\-showcerts\fR]
183 [\fB\-prexit\fR]
184 [\fB\-debug\fR]
185 [\fB\-trace\fR]
186 [\fB\-nocommands\fR]
187 [\fB\-security_debug\fR]
188 [\fB\-security_debug_verbose\fR]
189 [\fB\-msg\fR]
190 [\fB\-timeout\fR]
191 [\fB\-mtu\fR \fIsize\fR]
192 [\fB\-no_etm\fR]
193 [\fB\-keymatexport\fR \fIlabel\fR]
194 [\fB\-keymatexportlen\fR \fIlen\fR]
195 [\fB\-msgfile\fR \fIfilename\fR]
196 [\fB\-nbio_test\fR]
197 [\fB\-state\fR]
198 [\fB\-nbio\fR]
199 [\fB\-crlf\fR]
200 [\fB\-ign_eof\fR]
201 [\fB\-no_ign_eof\fR]
202 [\fB\-psk_identity\fR \fIidentity\fR]
203 [\fB\-psk\fR \fIkey\fR]
204 [\fB\-psk_session\fR \fIfile\fR]
205 [\fB\-quiet\fR]
206 [\fB\-sctp\fR]
207 [\fB\-sctp_label_bug\fR]
208 [\fB\-fallback_scsv\fR]
209 [\fB\-async\fR]
210 [\fB\-maxfraglen\fR \fIlen\fR]
211 [\fB\-max_send_frag\fR]
212 [\fB\-split_send_frag\fR]
213 [\fB\-max_pipelines\fR]
214 [\fB\-read_buf\fR]
215 [\fB\-ignore_unexpected_eof\fR]
216 [\fB\-bugs\fR]
217 [\fB\-comp\fR]
218 [\fB\-no_comp\fR]
219 [\fB\-brief\fR]
220 [\fB\-legacy_server_connect\fR]
221 [\fB\-no_legacy_server_connect\fR]
222 [\fB\-allow_no_dhe_kex\fR]
223 [\fB\-sigalgs\fR \fIsigalglist\fR]
224 [\fB\-curves\fR \fIcurvelist\fR]
225 [\fB\-cipher\fR \fIcipherlist\fR]
226 [\fB\-ciphersuites\fR \fIval\fR]
227 [\fB\-serverpref\fR]
228 [\fB\-starttls\fR \fIprotocol\fR]
229 [\fB\-name\fR \fIhostname\fR]
230 [\fB\-xmpphost\fR \fIhostname\fR]
231 [\fB\-name\fR \fIhostname\fR]
232 [\fB\-tlsextdebug\fR]
233 [\fB\-no_ticket\fR]
234 [\fB\-sess_out\fR \fIfilename\fR]
235 [\fB\-serverinfo\fR \fItypes\fR]
236 [\fB\-sess_in\fR \fIfilename\fR]
237 [\fB\-serverinfo\fR \fItypes\fR]
238 [\fB\-status\fR]
239 [\fB\-alpn\fR \fIprotocols\fR]
240 [\fB\-nextprotoneg\fR \fIprotocols\fR]
241 [\fB\-ct\fR]
242 [\fB\-noct\fR]
243 [\fB\-ctlogfile\fR]
244 [\fB\-keylogfile\fR \fIfile\fR]
245 [\fB\-early_data\fR \fIfile\fR]
246 [\fB\-enable_pha\fR]
247 [\fB\-use_srtp\fR \fIvalue\fR]
248 [\fB\-srpuser\fR \fIvalue\fR]
249 [\fB\-srppass\fR \fIvalue\fR]
250 [\fB\-srp_lateuser\fR]
251 [\fB\-srp_moregroups\fR]
252 [\fB\-srp_strength\fR \fInumber\fR]
253 [\fB\-nameopt\fR \fIoption\fR]
254 [\fB\-no_ssl3\fR]
255 [\fB\-no_tls1\fR]
256 [\fB\-no_tls1_1\fR]
257 [\fB\-no_tls1_2\fR]
258 [\fB\-no_tls1_3\fR]
259 [\fB\-ssl3\fR]
260 [\fB\-tls1\fR]
261 [\fB\-tls1_1\fR]
262 [\fB\-tls1_2\fR]
263 [\fB\-tls1_3\fR]
264 [\fB\-dtls\fR]
265 [\fB\-dtls1\fR]
266 [\fB\-dtls1_2\fR]
267 [\fB\-xkey\fR \fIinfile\fR]
268 [\fB\-xcert\fR \fIfile\fR]
269 [\fB\-xchain\fR \fIfile\fR]
270 [\fB\-xchain_build\fR \fIfile\fR]
271 [\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
272 [\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
273 [\fB\-CAfile\fR \fIfile\fR]
274 [\fB\-no\-CAfile\fR]
275 [\fB\-CApath\fR \fIdir\fR]
276 [\fB\-no\-CApath\fR]
277 [\fB\-CAstore\fR \fIuri\fR]
278 [\fB\-no\-CAstore\fR]
279 [\fB\-bugs\fR]
280 [\fB\-no_comp\fR]
281 [\fB\-comp\fR]
282 [\fB\-no_ticket\fR]
283 [\fB\-serverpref\fR]
284 [\fB\-client_renegotiation\fR]
285 [\fB\-legacy_renegotiation\fR]
286 [\fB\-no_renegotiation\fR]
287 [\fB\-no_resumption_on_reneg\fR]
288 [\fB\-legacy_server_connect\fR]
289 [\fB\-no_legacy_server_connect\fR]
290 [\fB\-no_etm\fR]
291 [\fB\-allow_no_dhe_kex\fR]
292 [\fB\-prioritize_chacha\fR]
293 [\fB\-strict\fR]
294 [\fB\-sigalgs\fR \fIalgs\fR]
295 [\fB\-client_sigalgs\fR \fIalgs\fR]
296 [\fB\-groups\fR \fIgroups\fR]
297 [\fB\-curves\fR \fIcurves\fR]
298 [\fB\-named_curve\fR \fIcurve\fR]
299 [\fB\-cipher\fR \fIciphers\fR]
300 [\fB\-ciphersuites\fR \fI1.3ciphers\fR]
301 [\fB\-min_protocol\fR \fIminprot\fR]
302 [\fB\-max_protocol\fR \fImaxprot\fR]
303 [\fB\-record_padding\fR \fIpadding\fR]
304 [\fB\-debug_broken_protocol\fR]
305 [\fB\-no_middlebox\fR]
306 [\fB\-rand\fR \fIfiles\fR]
307 [\fB\-writerand\fR \fIfile\fR]
308 [\fB\-provider\fR \fIname\fR]
309 [\fB\-provider\-path\fR \fIpath\fR]
310 [\fB\-propquery\fR \fIpropq\fR]
311 [\fB\-engine\fR \fIid\fR]
312 [\fB\-ssl_client_engine\fR \fIid\fR]
313 [\fB\-allow_proxy_certs\fR]
314 [\fB\-attime\fR \fItimestamp\fR]
315 [\fB\-no_check_time\fR]
316 [\fB\-check_ss_sig\fR]
317 [\fB\-crl_check\fR]
318 [\fB\-crl_check_all\fR]
319 [\fB\-explicit_policy\fR]
320 [\fB\-extended_crl\fR]
321 [\fB\-ignore_critical\fR]
322 [\fB\-inhibit_any\fR]
323 [\fB\-inhibit_map\fR]
324 [\fB\-partial_chain\fR]
325 [\fB\-policy\fR \fIarg\fR]
326 [\fB\-policy_check\fR]
327 [\fB\-policy_print\fR]
328 [\fB\-purpose\fR \fIpurpose\fR]
329 [\fB\-suiteB_128\fR]
330 [\fB\-suiteB_128_only\fR]
331 [\fB\-suiteB_192\fR]
332 [\fB\-trusted_first\fR]
333 [\fB\-no_alt_chains\fR]
334 [\fB\-use_deltas\fR]
335 [\fB\-auth_level\fR \fInum\fR]
336 [\fB\-verify_depth\fR \fInum\fR]
337 [\fB\-verify_email\fR \fIemail\fR]
338 [\fB\-verify_hostname\fR \fIhostname\fR]
339 [\fB\-verify_ip\fR \fIip\fR]
340 [\fB\-verify_name\fR \fIname\fR]
341 [\fB\-x509_strict\fR]
342 [\fB\-issuer_checks\fR]
346 This command implements a generic \s-1SSL/TLS\s0 client which
347 connects to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic
348 tool for \s-1SSL\s0 servers.
353 in the \*(L"Supported Command Line Commands\*(R" section of the \fBSSL_CONF_cmd\fR\|(3)
355 .IP "\fB\-help\fR" 4
356 .IX Item "-help"
358 .IP "\fB\-ssl_config\fR \fIsection\fR" 4
359 .IX Item "-ssl_config section"
360 Use the specified section of the configuration file to configure the \fB\s-1SSL_CTX\s0\fR object.
361 .IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
362 .IX Item "-connect host:port"
367 .IP "\fB\-host\fR \fIhostname\fR" 4
368 .IX Item "-host hostname"
369 Host to connect to; use \fB\-connect\fR instead.
370 .IP "\fB\-port\fR \fIport\fR" 4
371 .IX Item "-port port"
372 Connect to the specified port; use \fB\-connect\fR instead.
373 .IP "\fB\-bind\fR \fIhost:port\fR" 4
374 .IX Item "-bind host:port"
376 connection. For Unix-domain sockets the port is ignored and the host is
378 .IP "\fB\-proxy\fR \fIhost:port\fR" 4
379 .IX Item "-proxy host:port"
380 When used with the \fB\-connect\fR flag, the program uses the host and port
381 specified with this flag and issues an \s-1HTTP CONNECT\s0 command to connect
383 .IP "\fB\-proxy_user\fR \fIuserid\fR" 4
384 .IX Item "-proxy_user userid"
385 When used with the \fB\-proxy\fR flag, the program will attempt to authenticate
387 \&\s-1NB:\s0 Basic authentication is insecure; the credentials are sent to the proxy
388 in easily reversible base64 encoding before any \s-1TLS/SSL\s0 session is established.
391 .IP "\fB\-proxy_pass\fR \fIarg\fR" 4
392 .IX Item "-proxy_pass arg"
393 The proxy password source, used with the \fB\-proxy_user\fR flag.
394 For more information about the format of \fBarg\fR
395 see \fBopenssl\-passphrase\-options\fR\|(1).
396 .IP "\fB\-unix\fR \fIpath\fR" 4
397 .IX Item "-unix path"
398 Connect over the specified Unix-domain socket.
399 .IP "\fB\-4\fR" 4
400 .IX Item "-4"
402 .IP "\fB\-6\fR" 4
403 .IX Item "-6"
405 .IP "\fB\-servername\fR \fIname\fR" 4
406 .IX Item "-servername name"
407 Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message to
409 If \fB\-servername\fR is not provided, the \s-1TLS SNI\s0 extension will be populated with
410 the name given to \fB\-connect\fR if it follows a \s-1DNS\s0 name format. If \fB\-connect\fR is
411 not provided either, the \s-1SNI\s0 is set to \*(L"localhost\*(R".
412 This is the default since OpenSSL 1.1.1.
414 Even though \s-1SNI\s0 should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, if
415 \&\fB\-servername\fR is provided then that name will be sent, regardless of whether
416 it is a \s-1DNS\s0 name or not.
418 This option cannot be used in conjunction with \fB\-noservername\fR.
419 .IP "\fB\-noservername\fR" 4
420 .IX Item "-noservername"
421 Suppresses sending of the \s-1SNI\s0 (Server Name Indication) extension in the
422 ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or
423 \&\fB\-dane_tlsa_domain\fR options.
424 .IP "\fB\-cert\fR \fIfilename\fR" 4
425 .IX Item "-cert filename"
429 The chain for the client certificate may be specified using \fB\-cert_chain\fR.
430 .IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
431 .IX Item "-certform DER|PEM|P12"
433 See \fBopenssl\-format\-options\fR\|(1) for details.
434 .IP "\fB\-cert_chain\fR" 4
435 .IX Item "-cert_chain"
436 A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
437 certificate chain related to the certificate specified via the \fB\-cert\fR option.
438 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
439 .IP "\fB\-build_chain\fR" 4
440 .IX Item "-build_chain"
443 .IP "\fB\-CRL\fR \fIfilename\fR" 4
444 .IX Item "-CRL filename"
445 \&\s-1CRL\s0 file to use to check the server's certificate.
446 .IP "\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
447 .IX Item "-CRLform DER|PEM"
448 The \s-1CRL\s0 file format; unspecified by default.
449 See \fBopenssl\-format\-options\fR\|(1) for details.
450 .IP "\fB\-crl_download\fR" 4
451 .IX Item "-crl_download"
452 Download \s-1CRL\s0 from distribution points in the certificate.
453 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
454 .IX Item "-key filename|uri"
457 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
458 .IX Item "-keyform DER|PEM|P12|ENGINE"
460 See \fBopenssl\-format\-options\fR\|(1) for details.
461 .IP "\fB\-pass\fR \fIarg\fR" 4
462 .IX Item "-pass arg"
464 For more information about the format of \fIarg\fR
465 see \fBopenssl\-passphrase\-options\fR\|(1).
466 .IP "\fB\-verify\fR \fIdepth\fR" 4
467 .IX Item "-verify depth"
468 The verify depth to use. This specifies the maximum length of the
473 .IP "\fB\-verify_return_error\fR" 4
474 .IX Item "-verify_return_error"
475 Return verification errors instead of continuing. This will typically
477 .IP "\fB\-verify_quiet\fR" 4
478 .IX Item "-verify_quiet"
480 .IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
481 .IX Item "-verifyCAfile filename"
482 A file in \s-1PEM\s0 format containing trusted certificates to use
484 .IP "\fB\-verifyCApath\fR \fIdir\fR" 4
485 .IX Item "-verifyCApath dir"
489 see \fBopenssl\-verify\fR\|(1) for more information.
490 .IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
491 .IX Item "-verifyCAstore uri"
492 The \s-1URI\s0 of a store containing trusted certificates to use
494 .IP "\fB\-chainCAfile\fR \fIfile\fR" 4
495 .IX Item "-chainCAfile file"
496 A file in \s-1PEM\s0 format containing trusted certificates to use
498 .IP "\fB\-chainCApath\fR \fIdirectory\fR" 4
499 .IX Item "-chainCApath directory"
503 see \fBopenssl\-verify\fR\|(1) for more information.
504 .IP "\fB\-chainCAstore\fR \fIuri\fR" 4
505 .IX Item "-chainCAstore uri"
506 The \s-1URI\s0 of a store containing trusted certificates to use
508 The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
509 With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
510 \&\fB\-chainCApath\fR, depending on if the \s-1URI\s0 indicates a directory or a
512 See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
513 .IP "\fB\-requestCAfile\fR \fIfile\fR" 4
514 .IX Item "-requestCAfile file"
515 A file containing a list of certificates whose subject names will be sent
517 for \s-1TLS 1.3\s0
518 .IP "\fB\-dane_tlsa_domain\fR \fIdomain\fR" 4
519 .IX Item "-dane_tlsa_domain domain"
520 Enable \s-1RFC6698/RFC7671 DANE TLSA\s0 authentication and specify the
521 \&\s-1TLSA\s0 base domain which becomes the default \s-1SNI\s0 hint and the primary
523 combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR
526 When \s-1DANE\s0 authentication succeeds, the diagnostic output will include
527 the lowest (closest to 0) depth at which a \s-1TLSA\s0 record authenticated
528 a chain certificate. When that \s-1TLSA\s0 record is a \*(L"2 1 0\*(R" trust
529 anchor public key that signed (rather than matched) the top-most
530 certificate of the chain, the result is reported as \*(L"\s-1TA\s0 public key
531 verified\*(R". Otherwise, either the \s-1TLSA\s0 record \*(L"matched \s-1TA\s0 certificate\*(R"
532 at a positive depth or else \*(L"matched \s-1EE\s0 certificate\*(R" at depth 0.
533 .IP "\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR" 4
534 .IX Item "-dane_tlsa_rrdata rrdata"
535 Use one or more times to specify the \s-1RRDATA\s0 fields of the \s-1DANE TLSA\s0
539 data, with the last of these encoded in hexadecimal. Optional
543 \& $ openssl s_client \-brief \-starttls smtp \e
544 \& \-connect smtp.example.com:25 \e
545 \& \-dane_tlsa_domain smtp.example.com \e
546 \& \-dane_tlsa_rrdata "2 1 1
548 \& \-dane_tlsa_rrdata "2 1 1
553 \& DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1
556 .IP "\fB\-dane_ee_no_namechecks\fR" 4
557 .IX Item "-dane_ee_no_namechecks"
558 This disables server name checks when authenticating via \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0
564 The malicious server may then be able to violate cross-origin scripting
566 Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for
567 \&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is s…
569 In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\…
571 connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients
573 .IP "\fB\-reconnect\fR" 4
574 .IX Item "-reconnect"
575 Reconnects to the same server 5 times using the same session \s-1ID;\s0 this can
577 .IP "\fB\-showcerts\fR" 4
578 .IX Item "-showcerts"
579 Displays the server certificate list as sent by the server: it only consists of
582 .IP "\fB\-prexit\fR" 4
583 .IX Item "-prexit"
589 attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this
592 .IP "\fB\-state\fR" 4
593 .IX Item "-state"
594 Prints out the \s-1SSL\s0 session states.
595 .IP "\fB\-debug\fR" 4
596 .IX Item "-debug"
597 Print extensive debugging information including a hex dump of all traffic.
598 .IP "\fB\-nocommands\fR" 4
599 .IX Item "-nocommands"
601 .IP "\fB\-security_debug\fR" 4
602 .IX Item "-security_debug"
604 .IP "\fB\-security_debug_verbose\fR" 4
605 .IX Item "-security_debug_verbose"
607 .IP "\fB\-msg\fR" 4
608 .IX Item "-msg"
610 .IP "\fB\-timeout\fR" 4
611 .IX Item "-timeout"
612 Enable send/receive timeout on \s-1DTLS\s0 connections.
613 .IP "\fB\-mtu\fR \fIsize\fR" 4
614 .IX Item "-mtu size"
615 Set \s-1MTU\s0 of the link layer to the specified size.
616 .IP "\fB\-no_etm\fR" 4
617 .IX Item "-no_etm"
618 Disable Encrypt-then-MAC negotiation.
619 .IP "\fB\-keymatexport\fR \fIlabel\fR" 4
620 .IX Item "-keymatexport label"
622 .IP "\fB\-keymatexportlen\fR \fIlen\fR" 4
623 .IX Item "-keymatexportlen len"
624 Export the specified number of bytes of keying material; default is 20.
627 .IP "\fB\-trace\fR" 4
628 .IX Item "-trace"
629 Show verbose trace output of protocol messages.
630 .IP "\fB\-msgfile\fR \fIfilename\fR" 4
631 .IX Item "-msgfile filename"
632 File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
633 .IP "\fB\-nbio_test\fR" 4
634 .IX Item "-nbio_test"
636 .IP "\fB\-nbio\fR" 4
637 .IX Item "-nbio"
639 .IP "\fB\-crlf\fR" 4
640 .IX Item "-crlf"
641 This option translates a line feed from the terminal into \s-1CR+LF\s0 as required
643 .IP "\fB\-ign_eof\fR" 4
644 .IX Item "-ign_eof"
645 Inhibit shutting down the connection when end of file is reached in the
647 .IP "\fB\-quiet\fR" 4
648 .IX Item "-quiet"
649 Inhibit printing of session and certificate information. This implicitly
650 turns on \fB\-ign_eof\fR as well.
651 .IP "\fB\-no_ign_eof\fR" 4
652 .IX Item "-no_ign_eof"
653 Shut down the connection when end of file is reached in the input.
654 Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
655 .IP "\fB\-psk_identity\fR \fIidentity\fR" 4
656 .IX Item "-psk_identity identity"
657 Use the \s-1PSK\s0 identity \fIidentity\fR when using a \s-1PSK\s0 cipher suite.
659 .IP "\fB\-psk\fR \fIkey\fR" 4
660 .IX Item "-psk key"
661 Use the \s-1PSK\s0 key \fIkey\fR when using a \s-1PSK\s0 cipher suite. The key is
662 given as a hexadecimal number without leading 0x, for example \-psk
664 This option must be provided in order to use a \s-1PSK\s0 cipher.
665 .IP "\fB\-psk_session\fR \fIfile\fR" 4
666 .IX Item "-psk_session file"
667 Use the \s-1PEM\s0-encoded \s-1SSL_SESSION\s0 data stored in \fIfile\fR as the basis of a \s-1PSK.\s0
669 .IP "\fB\-sctp\fR" 4
670 .IX Item "-sctp"
671 Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
672 conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
673 available where OpenSSL has support for \s-1SCTP\s0 enabled.
674 .IP "\fB\-sctp_label_bug\fR" 4
675 .IX Item "-sctp_label_bug"
676 Use the incorrect behaviour of older OpenSSL implementations when computing
677 endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
679 implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
680 available where OpenSSL has support for \s-1SCTP\s0 enabled.
681 .IP "\fB\-fallback_scsv\fR" 4
682 .IX Item "-fallback_scsv"
683 Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
684 .IP "\fB\-async\fR" 4
685 .IX Item "-async"
688 is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
690 .IP "\fB\-maxfraglen\fR \fIlen\fR" 4
691 .IX Item "-maxfraglen len"
694 .IP "\fB\-max_send_frag\fR \fIint\fR" 4
695 .IX Item "-max_send_frag int"
696 The maximum size of data fragment to send.
698 .IP "\fB\-split_send_frag\fR \fIint\fR" 4
699 .IX Item "-split_send_frag int"
702 maximum number of pipelines defined by max_pipelines. This only has an effect if
704 has been loaded, and max_pipelines is greater than 1. See
706 .IP "\fB\-max_pipelines\fR \fIint\fR" 4
707 .IX Item "-max_pipelines int"
708 The maximum number of encrypt/decrypt pipelines to be used. This will only have
710 engine) and a suitable cipher suite has been negotiated. The default value is 1.
712 .IP "\fB\-read_buf\fR \fIint\fR" 4
713 .IX Item "-read_buf int"
718 .IP "\fB\-ignore_unexpected_eof\fR" 4
719 .IX Item "-ignore_unexpected_eof"
720 Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
726 .IP "\fB\-bugs\fR" 4
727 .IX Item "-bugs"
728 There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
730 .IP "\fB\-comp\fR" 4
731 .IX Item "-comp"
732 Enables support for \s-1SSL/TLS\s0 compression.
734 \&\s-1TLS\s0 compression is not recommended and is off by default as of
736 .IP "\fB\-no_comp\fR" 4
737 .IX Item "-no_comp"
738 Disables support for \s-1SSL/TLS\s0 compression.
739 \&\s-1TLS\s0 compression is not recommended and is off by default as of
741 .IP "\fB\-brief\fR" 4
742 .IX Item "-brief"
743 Only provide a brief summary of connection parameters instead of the
745 .IP "\fB\-sigalgs\fR \fIsigalglist\fR" 4
746 .IX Item "-sigalgs sigalglist"
747 Specifies the list of signature algorithms that are sent by the client.
750 .IP "\fB\-curves\fR \fIcurvelist\fR" 4
751 .IX Item "-curves curvelist"
752 Specifies the list of supported curves to be sent by the client. The curve is
753 ultimately selected by the server. For a list of all curves, use:
755 .Vb 1
756 \& $ openssl ecparam \-list_curves
758 .IP "\fB\-cipher\fR \fIcipherlist\fR" 4
759 .IX Item "-cipher cipherlist"
764 \&\fBopenssl\-ciphers\fR\|(1) for more information.
765 .IP "\fB\-ciphersuites\fR \fIval\fR" 4
766 .IX Item "-ciphersuites val"
771 \&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a simple
772 colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
773 .IP "\fB\-starttls\fR \fIprotocol\fR" 4
774 .IX Item "-starttls protocol"
775 Send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
777 …(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
779 .IP "\fB\-xmpphost\fR \fIhostname\fR" 4
780 .IX Item "-xmpphost hostname"
781 This option, when used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
782 specifies the host for the \*(L"to\*(R" attribute of the stream element.
783 If this option is not specified, then the host specified with \*(L"\-connect\*(R"
786 This option is an alias of the \fB\-name\fR option for \*(L"xmpp\*(R" and \*(L"xmpp-server\*(R".
787 .IP "\fB\-name\fR \fIhostname\fR" 4
788 .IX Item "-name hostname"
790 used with \fB\-starttls\fR option. Currently only \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
791 \&\*(L"smtp\*(R" and \*(L"lmtp\*(R" can utilize this \fB\-name\fR option.
793 If this option is used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
794 it specifies the host for the \*(L"to\*(R" attribute of the stream element. If this
795 option is not specified, then the host specified with \*(L"\-connect\*(R" will be used.
797 If this option is used with \*(L"\-starttls lmtp\*(R" or \*(L"\-starttls smtp\*(R", it specifies
798 the name to use in the \*(L"\s-1LMTP LHLO\*(R"\s0 or \*(L"\s-1SMTP EHLO\*(R"\s0 message, respective…
800 .IP "\fB\-tlsextdebug\fR" 4
801 .IX Item "-tlsextdebug"
802 Print out a hex dump of any \s-1TLS\s0 extensions received from the server.
803 .IP "\fB\-no_ticket\fR" 4
804 .IX Item "-no_ticket"
806 .IP "\fB\-sess_out\fR \fIfilename\fR" 4
807 .IX Item "-sess_out filename"
808 Output \s-1SSL\s0 session to \fIfilename\fR.
809 .IP "\fB\-sess_in\fR \fIfilename\fR" 4
810 .IX Item "-sess_in filename"
811 Load \s-1SSL\s0 session from \fIfilename\fR. The client will attempt to resume a
813 .IP "\fB\-serverinfo\fR \fItypes\fR" 4
814 .IX Item "-serverinfo types"
815 A list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and
816 65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension.
817 The server's response (if any) will be encoded and displayed as a \s-1PEM\s0
819 .IP "\fB\-status\fR" 4
820 .IX Item "-status"
821 Sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
823 .IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4
824 .IX Item "-alpn protocols, -nextprotoneg protocols"
825 These flags enable the Application-Layer Protocol Negotiation (\s-1ALPN\s0)
826 or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
827 \&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
828 The \fIprotocols\fR list is a comma-separated list of protocol names that
830 desirable protocols first. Protocol names are printable \s-1ASCII\s0 strings,
832 An empty list of protocols is treated specially and will cause the
833 client to advertise support for the \s-1TLS\s0 extension but disconnect just
834 after receiving ServerHello with a list of server supported protocols.
835 The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
836 .IP "\fB\-ct\fR, \fB\-noct\fR" 4
837 .IX Item "-ct, -noct"
838 Use one of these two options to control whether Certificate Transparency (\s-1CT\s0)
839 is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR).
840 If \s-1CT\s0 is enabled, signed certificate timestamps (SCTs) will be requested from
843 Enabling \s-1CT\s0 also enables \s-1OCSP\s0 stapling, as this is one possible delivery method
845 .IP "\fB\-ctlogfile\fR" 4
846 .IX Item "-ctlogfile"
847 A file containing a list of known Certificate Transparency logs. See
849 .IP "\fB\-keylogfile\fR \fIfile\fR" 4
850 .IX Item "-keylogfile file"
851 Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
852 (like Wireshark) can decrypt \s-1TLS\s0 connections.
853 .IP "\fB\-early_data\fR \fIfile\fR" 4
854 .IX Item "-early_data file"
855 Reads the contents of the specified file and attempts to send it as early data
858 .IP "\fB\-enable_pha\fR" 4
859 .IX Item "-enable_pha"
860 For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
861 happen whether or not a certificate has been provided via \fB\-cert\fR.
862 .IP "\fB\-use_srtp\fR \fIvalue\fR" 4
863 .IX Item "-use_srtp value"
864 Offer \s-1SRTP\s0 key management, where \fBvalue\fR is a colon-separated profile list.
865 .IP "\fB\-srpuser\fR \fIvalue\fR" 4
866 .IX Item "-srpuser value"
867 Set the \s-1SRP\s0 username to the specified value. This option is deprecated.
868 .IP "\fB\-srppass\fR \fIvalue\fR" 4
869 .IX Item "-srppass value"
870 Set the \s-1SRP\s0 password to the specified value. This option is deprecated.
871 .IP "\fB\-srp_lateuser\fR" 4
872 .IX Item "-srp_lateuser"
873 \&\s-1SRP\s0 username for the second ClientHello message. This option is deprecated.
874 .IP "\fB\-srp_moregroups\fR This option is deprecated." 4
875 .IX Item "-srp_moregroups This option is deprecated."
877 .IP "\fB\-srp_strength\fR \fInumber\fR" 4
878 .IX Item "-srp_strength number"
881 …-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\f…
882 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -…
883 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
884 .IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
885 .IX Item "-dtls, -dtls1, -dtls1_2"
886 These specify the use of \s-1DTLS\s0 instead of \s-1TLS.\s0
887 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
888 .IP "\fB\-nameopt\fR \fIoption\fR" 4
889 .IX Item "-nameopt option"
891 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
892 …-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \…
893 .IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyfor…
895 See \*(L"Extended Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for detail…
896 …P "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \f…
897 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
898 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
899 …-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renego…
900 …-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no…
901 See \*(L"\s-1SUPPORTED COMMAND LINE COMMANDS\*(R"\s0 in \fBSSL_CONF_cmd\fR\|(3) for details.
902 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
903 .IX Item "-rand files, -writerand file"
904 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
905 .IP "\fB\-provider\fR \fIname\fR" 4
906 .IX Item "-provider name"
908 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
909 .IX Item "-provider-path path"
910 .IP "\fB\-propquery\fR \fIpropq\fR" 4
911 .IX Item "-propquery propq"
913 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
914 .IP "\fB\-engine\fR \fIid\fR" 4
915 .IX Item "-engine id"
916 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
918 .IP "\fB\-ssl_client_engine\fR \fIid\fR" 4
919 .IX Item "-ssl_client_engine id"
921 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
922 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
923 Set various options of certificate chain verification.
924 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
927 proceed unless the \fB\-verify_return_error\fR option is used.
928 .IP "\fIhost\fR:\fIport\fR" 4
930 Rather than providing \fB\-connect\fR, the target hostname and optional port may
932 nor \fB\-connect\fR are provided, falls back to attempting to connect to
936 If a connection is established with an \s-1SSL\s0 server then any data received
938 server. If end of file is reached then the connection will be closed down. When
939 used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been
941 operations. These commands are a letter which must appear at the start of a
943 .IP "\fBQ\fR" 4
945 End the current \s-1SSL\s0 connection and exit.
946 .IP "\fBR\fR" 4
948 Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
949 .IP "\fBk\fR" 4
952 .IP "\fBK\fR" 4
957 This command can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
960 .Vb 1
961 \& openssl s_client \-connect servername:443
965 then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page.
968 nothing obvious like no client certificate then the \fB\-bugs\fR,
969 \&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
976 the client's certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
977 requests a certificate. By using this command, the \s-1CA\s0 list can be viewed
979 after a specific \s-1URL\s0 is requested. To obtain the list in this case it
980 is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
983 If a certificate is specified on the command line using the \fB\-cert\fR
989 \&\fB\-showcerts\fR option can be used to show all the certificates sent by the
994 accept any certificate chain (trusted or not) sent by the peer. Non-test
995 applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
996 attack. This behaviour can be changed with the \fB\-verify_return_error\fR
999 The \fB\-bind\fR option may be useful if the server or a firewall requires
1003 Because this program has a lot of options and also because some of the
1005 hard to read and not a model of how things should be done.
1006 A typical \s-1SSL\s0 client program would be much simpler.
1008 The \fB\-prexit\fR option is a bit of a hack. We should really report
1012 \&\fBopenssl\fR\|(1),
1013 \&\fBopenssl\-sess_id\fR\|(1),
1014 \&\fBopenssl\-s_server\fR\|(1),
1015 \&\fBopenssl\-ciphers\fR\|(1),
1020 \&\fBossl_store\-file\fR\|(7)
1023 The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0.
1024 The \fB\-name\fR option was added in OpenSSL 1.1.1.
1026 The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect.
1028 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
1031 Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
1035 in the file \s-1LICENSE\s0 in the source distribution or at