Lines Matching +full:host +full:- +full:only
1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-S_CLIENT 1ossl"
58 .TH OPENSSL-S_CLIENT 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-s_client \- SSL/TLS client program
68 [\fB\-help\fR]
69 [\fB\-ssl_config\fR \fIsection\fR]
70 [\fB\-connect\fR \fIhost\fR:\fIport\fR]
71 [\fB\-host\fR \fIhostname\fR]
72 [\fB\-port\fR \fIport\fR]
73 [\fB\-bind\fR \fIhost\fR:\fIport\fR]
74 [\fB\-proxy\fR \fIhost\fR:\fIport\fR]
75 [\fB\-proxy_user\fR \fIuserid\fR]
76 [\fB\-proxy_pass\fR \fIarg\fR]
77 [\fB\-unix\fR \fIpath\fR]
78 [\fB\-4\fR]
79 [\fB\-6\fR]
80 [\fB\-quic\fR]
81 [\fB\-servername\fR \fIname\fR]
82 [\fB\-noservername\fR]
83 [\fB\-verify\fR \fIdepth\fR]
84 [\fB\-verify_return_error\fR]
85 [\fB\-verify_quiet\fR]
86 [\fB\-verifyCAfile\fR \fIfilename\fR]
87 [\fB\-verifyCApath\fR \fIdir\fR]
88 [\fB\-verifyCAstore\fR \fIuri\fR]
89 [\fB\-cert\fR \fIfilename\fR]
90 [\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR]
91 [\fB\-cert_chain\fR \fIfilename\fR]
92 [\fB\-build_chain\fR]
93 [\fB\-CRL\fR \fIfilename\fR]
94 [\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR]
95 [\fB\-crl_download\fR]
96 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
97 [\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
98 [\fB\-pass\fR \fIarg\fR]
99 [\fB\-chainCAfile\fR \fIfilename\fR]
100 [\fB\-chainCApath\fR \fIdirectory\fR]
101 [\fB\-chainCAstore\fR \fIuri\fR]
102 [\fB\-requestCAfile\fR \fIfilename\fR]
103 [\fB\-dane_tlsa_domain\fR \fIdomain\fR]
104 [\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR]
105 [\fB\-dane_ee_no_namechecks\fR]
106 [\fB\-reconnect\fR]
107 [\fB\-showcerts\fR]
108 [\fB\-prexit\fR]
109 [\fB\-no\-interactive\fR]
110 [\fB\-debug\fR]
111 [\fB\-trace\fR]
112 [\fB\-nocommands\fR]
113 [\fB\-adv\fR]
114 [\fB\-security_debug\fR]
115 [\fB\-security_debug_verbose\fR]
116 [\fB\-msg\fR]
117 [\fB\-timeout\fR]
118 [\fB\-mtu\fR \fIsize\fR]
119 [\fB\-no_ems\fR]
120 [\fB\-keymatexport\fR \fIlabel\fR]
121 [\fB\-keymatexportlen\fR \fIlen\fR]
122 [\fB\-msgfile\fR \fIfilename\fR]
123 [\fB\-nbio_test\fR]
124 [\fB\-state\fR]
125 [\fB\-nbio\fR]
126 [\fB\-crlf\fR]
127 [\fB\-ign_eof\fR]
128 [\fB\-no_ign_eof\fR]
129 [\fB\-psk_identity\fR \fIidentity\fR]
130 [\fB\-psk\fR \fIkey\fR]
131 [\fB\-psk_session\fR \fIfile\fR]
132 [\fB\-quiet\fR]
133 [\fB\-sctp\fR]
134 [\fB\-sctp_label_bug\fR]
135 [\fB\-fallback_scsv\fR]
136 [\fB\-async\fR]
137 [\fB\-maxfraglen\fR \fIlen\fR]
138 [\fB\-max_send_frag\fR]
139 [\fB\-split_send_frag\fR]
140 [\fB\-max_pipelines\fR]
141 [\fB\-read_buf\fR]
142 [\fB\-ignore_unexpected_eof\fR]
143 [\fB\-no_tx_cert_comp\fR]
144 [\fB\-no_rx_cert_comp\fR]
145 [\fB\-brief\fR]
146 [\fB\-starttls\fR \fIprotocol\fR]
147 [\fB\-xmpphost\fR \fIhostname\fR]
148 [\fB\-name\fR \fIhostname\fR]
149 [\fB\-tlsextdebug\fR]
150 [\fB\-sess_out\fR \fIfilename\fR]
151 [\fB\-sess_in\fR \fIfilename\fR]
152 [\fB\-serverinfo\fR \fItypes\fR]
153 [\fB\-status\fR]
154 [\fB\-alpn\fR \fIprotocols\fR]
155 [\fB\-nextprotoneg\fR \fIprotocols\fR]
156 [\fB\-ct\fR]
157 [\fB\-noct\fR]
158 [\fB\-ctlogfile\fR]
159 [\fB\-keylogfile\fR \fIfile\fR]
160 [\fB\-early_data\fR \fIfile\fR]
161 [\fB\-enable_pha\fR]
162 [\fB\-use_srtp\fR \fIvalue\fR]
163 [\fB\-srpuser\fR \fIvalue\fR]
164 [\fB\-srppass\fR \fIvalue\fR]
165 [\fB\-srp_lateuser\fR]
166 [\fB\-srp_moregroups\fR]
167 [\fB\-srp_strength\fR \fInumber\fR]
168 [\fB\-ktls\fR]
169 [\fB\-tfo\fR]
170 [\fB\-nameopt\fR \fIoption\fR]
171 [\fB\-no_ssl3\fR]
172 [\fB\-no_tls1\fR]
173 [\fB\-no_tls1_1\fR]
174 [\fB\-no_tls1_2\fR]
175 [\fB\-no_tls1_3\fR]
176 [\fB\-ssl3\fR]
177 [\fB\-tls1\fR]
178 [\fB\-tls1_1\fR]
179 [\fB\-tls1_2\fR]
180 [\fB\-tls1_3\fR]
181 [\fB\-dtls\fR]
182 [\fB\-dtls1\fR]
183 [\fB\-dtls1_2\fR]
184 [\fB\-xkey\fR \fIinfile\fR]
185 [\fB\-xcert\fR \fIfile\fR]
186 [\fB\-xchain\fR \fIfile\fR]
187 [\fB\-xchain_build\fR \fIfile\fR]
188 [\fB\-xcertform\fR \fBDER\fR|\fBPEM\fR]
189 [\fB\-xkeyform\fR \fBDER\fR|\fBPEM\fR]
190 [\fB\-CAfile\fR \fIfile\fR]
191 [\fB\-no\-CAfile\fR]
192 [\fB\-CApath\fR \fIdir\fR]
193 [\fB\-no\-CApath\fR]
194 [\fB\-CAstore\fR \fIuri\fR]
195 [\fB\-no\-CAstore\fR]
196 [\fB\-bugs\fR]
197 [\fB\-no_comp\fR]
198 [\fB\-comp\fR]
199 [\fB\-no_ticket\fR]
200 [\fB\-serverpref\fR]
201 [\fB\-client_renegotiation\fR]
202 [\fB\-legacy_renegotiation\fR]
203 [\fB\-no_renegotiation\fR]
204 [\fB\-no_resumption_on_reneg\fR]
205 [\fB\-legacy_server_connect\fR]
206 [\fB\-no_legacy_server_connect\fR]
207 [\fB\-no_etm\fR]
208 [\fB\-allow_no_dhe_kex\fR]
209 [\fB\-prefer_no_dhe_kex\fR]
210 [\fB\-prioritize_chacha\fR]
211 [\fB\-strict\fR]
212 [\fB\-sigalgs\fR \fIalgs\fR]
213 [\fB\-client_sigalgs\fR \fIalgs\fR]
214 [\fB\-groups\fR \fIgroups\fR]
215 [\fB\-curves\fR \fIcurves\fR]
216 [\fB\-named_curve\fR \fIcurve\fR]
217 [\fB\-cipher\fR \fIciphers\fR]
218 [\fB\-ciphersuites\fR \fI1.3ciphers\fR]
219 [\fB\-min_protocol\fR \fIminprot\fR]
220 [\fB\-max_protocol\fR \fImaxprot\fR]
221 [\fB\-record_padding\fR \fIpadding\fR]
222 [\fB\-debug_broken_protocol\fR]
223 [\fB\-no_middlebox\fR]
224 [\fB\-rand\fR \fIfiles\fR]
225 [\fB\-writerand\fR \fIfile\fR]
226 [\fB\-provider\fR \fIname\fR]
227 [\fB\-provider\-path\fR \fIpath\fR]
228 [\fB\-provparam\fR \fI[name:]key=value\fR]
229 [\fB\-propquery\fR \fIpropq\fR]
230 [\fB\-engine\fR \fIid\fR]
231 [\fB\-ssl_client_engine\fR \fIid\fR]
232 [\fB\-allow_proxy_certs\fR]
233 [\fB\-attime\fR \fItimestamp\fR]
234 [\fB\-no_check_time\fR]
235 [\fB\-check_ss_sig\fR]
236 [\fB\-crl_check\fR]
237 [\fB\-crl_check_all\fR]
238 [\fB\-explicit_policy\fR]
239 [\fB\-extended_crl\fR]
240 [\fB\-ignore_critical\fR]
241 [\fB\-inhibit_any\fR]
242 [\fB\-inhibit_map\fR]
243 [\fB\-partial_chain\fR]
244 [\fB\-policy\fR \fIarg\fR]
245 [\fB\-policy_check\fR]
246 [\fB\-policy_print\fR]
247 [\fB\-purpose\fR \fIpurpose\fR]
248 [\fB\-suiteB_128\fR]
249 [\fB\-suiteB_128_only\fR]
250 [\fB\-suiteB_192\fR]
251 [\fB\-trusted_first\fR]
252 [\fB\-no_alt_chains\fR]
253 [\fB\-use_deltas\fR]
254 [\fB\-auth_level\fR \fInum\fR]
255 [\fB\-verify_depth\fR \fInum\fR]
256 [\fB\-verify_email\fR \fIemail\fR]
257 [\fB\-verify_hostname\fR \fIhostname\fR]
258 [\fB\-verify_ip\fR \fIip\fR]
259 [\fB\-verify_name\fR \fIname\fR]
260 [\fB\-x509_strict\fR]
261 [\fB\-issuer_checks\fR]
262 [\fB\-enable_server_rpk\fR]
263 [\fB\-enable_client_rpk\fR]
264 [\fIhost\fR:\fIport\fR]
268 connects to a remote host using SSL/TLS. It is a \fIvery\fR useful diagnostic
273 common and client only options documented
276 .IP \fB\-help\fR 4
277 .IX Item "-help"
279 .IP "\fB\-ssl_config\fR \fIsection\fR" 4
280 .IX Item "-ssl_config section"
282 .IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
283 .IX Item "-connect host:port"
284 This specifies the host and optional port to connect to. It is possible to
285 select the host and port using the optional target positional argument instead.
287 is made to connect to the local host on port 4433.
288 If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*…
289 .IP "\fB\-host\fR \fIhostname\fR" 4
290 .IX Item "-host hostname"
291 Host to connect to; use \fB\-connect\fR instead.
292 .IP "\fB\-port\fR \fIport\fR" 4
293 .IX Item "-port port"
294 Connect to the specified port; use \fB\-connect\fR instead.
295 .IP "\fB\-bind\fR \fIhost\fR:\fIport\fR" 4
296 .IX Item "-bind host:port"
297 This specifies the host address and/or port to bind as the source for the
298 connection. For Unix-domain sockets the port is ignored and the host is
300 If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*…
301 .IP "\fB\-proxy\fR \fIhost\fR:\fIport\fR" 4
302 .IX Item "-proxy host:port"
303 When used with the \fB\-connect\fR flag, the program uses the host and port
306 If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*…
307 .IP "\fB\-proxy_user\fR \fIuserid\fR" 4
308 .IX Item "-proxy_user userid"
309 When used with the \fB\-proxy\fR flag, the program will attempt to authenticate
315 .IP "\fB\-proxy_pass\fR \fIarg\fR" 4
316 .IX Item "-proxy_pass arg"
317 The proxy password source, used with the \fB\-proxy_user\fR flag.
319 see \fBopenssl\-passphrase\-options\fR\|(1).
320 .IP "\fB\-unix\fR \fIpath\fR" 4
321 .IX Item "-unix path"
322 Connect over the specified Unix-domain socket.
323 .IP \fB\-4\fR 4
324 .IX Item "-4"
325 Use IPv4 only.
326 .IP \fB\-6\fR 4
327 .IX Item "-6"
328 Use IPv6 only.
329 .IP \fB\-quic\fR 4
330 .IX Item "-quic"
331 Connect using the QUIC protocol. If specified then the \fB\-alpn\fR option must also
333 .IP "\fB\-servername\fR \fIname\fR" 4
334 .IX Item "-servername name"
337 If \fB\-servername\fR is not provided, the TLS SNI extension will be populated with
338 the name given to \fB\-connect\fR if it follows a DNS name format. If \fB\-connect\fR is
343 \&\fB\-servername\fR is provided then that name will be sent, regardless of whether
346 This option cannot be used in conjunction with \fB\-noservername\fR.
347 .IP \fB\-noservername\fR 4
348 .IX Item "-noservername"
350 ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or
351 \&\fB\-dane_tlsa_domain\fR options.
352 .IP "\fB\-cert\fR \fIfilename\fR" 4
353 .IX Item "-cert filename"
357 The chain for the client certificate may be specified using \fB\-cert_chain\fR.
358 .IP "\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
359 .IX Item "-certform DER|PEM|P12"
361 See \fBopenssl\-format\-options\fR\|(1) for details.
362 .IP \fB\-cert_chain\fR 4
363 .IX Item "-cert_chain"
365 certificate chain related to the certificate specified via the \fB\-cert\fR option.
367 .IP \fB\-build_chain\fR 4
368 .IX Item "-build_chain"
371 .IP "\fB\-CRL\fR \fIfilename\fR" 4
372 .IX Item "-CRL filename"
374 .IP "\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR" 4
375 .IX Item "-CRLform DER|PEM"
377 See \fBopenssl\-format\-options\fR\|(1) for details.
378 .IP \fB\-crl_download\fR 4
379 .IX Item "-crl_download"
381 is ignored if \fB\-crl_check\fR option is not provided. Note that the maximum size
383 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
384 .IX Item "-key filename|uri"
387 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
388 .IX Item "-keyform DER|PEM|P12|ENGINE"
390 See \fBopenssl\-format\-options\fR\|(1) for details.
391 .IP "\fB\-pass\fR \fIarg\fR" 4
392 .IX Item "-pass arg"
395 see \fBopenssl\-passphrase\-options\fR\|(1).
396 .IP "\fB\-verify\fR \fIdepth\fR" 4
397 .IX Item "-verify depth"
400 Unless the \fB\-verify_return_error\fR option is given,
407 For details see "Certificate Extensions" in \fBopenssl\-verification\-options\fR\|(1).
408 .IP \fB\-verify_return_error\fR 4
409 .IX Item "-verify_return_error"
410 Turns on server certificate verification, like with \fB\-verify\fR,
413 .IP \fB\-verify_quiet\fR 4
414 .IX Item "-verify_quiet"
415 Limit verify output to only errors.
416 .IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
417 .IX Item "-verifyCAfile filename"
420 .IP "\fB\-verifyCApath\fR \fIdir\fR" 4
421 .IX Item "-verifyCApath dir"
425 see \fBopenssl\-verify\fR\|(1) for more information.
426 .IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
427 .IX Item "-verifyCAstore uri"
430 .IP "\fB\-chainCAfile\fR \fIfile\fR" 4
431 .IX Item "-chainCAfile file"
434 .IP "\fB\-chainCApath\fR \fIdirectory\fR" 4
435 .IX Item "-chainCApath directory"
439 see \fBopenssl\-verify\fR\|(1) for more information.
440 .IP "\fB\-chainCAstore\fR \fIuri\fR" 4
441 .IX Item "-chainCAstore uri"
445 With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
446 \&\fB\-chainCApath\fR, depending on if the URI indicates a directory or a
448 See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
449 .IP "\fB\-requestCAfile\fR \fIfile\fR" 4
450 .IX Item "-requestCAfile file"
452 to the server in the \fBcertificate_authorities\fR extension. Only supported
454 .IP "\fB\-dane_tlsa_domain\fR \fIdomain\fR" 4
455 .IX Item "-dane_tlsa_domain domain"
459 combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR
465 anchor public key that signed (rather than matched) the top-most
469 .IP "\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR" 4
470 .IX Item "-dane_tlsa_rrdata rrdata"
479 \& $ openssl s_client \-brief \-starttls smtp \e
480 \& \-connect smtp.example.com:25 \e
481 \& \-dane_tlsa_domain smtp.example.com \e
482 \& \-dane_tlsa_rrdata "2 1 1
484 \& \-dane_tlsa_rrdata "2 1 1
492 .IP \fB\-dane_ee_no_namechecks\fR 4
493 .IX Item "-dane_ee_no_namechecks"
494 This disables server name checks when authenticating via \fBDANE\-EE\fR\|(3) TLSA
500 The malicious server may then be able to violate cross-origin scripting
503 \&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe
509 .IP \fB\-reconnect\fR 4
510 .IX Item "-reconnect"
513 .IP \fB\-showcerts\fR 4
514 .IX Item "-showcerts"
515 Displays the server certificate list as sent by the server: it only consists of
518 .IP \fB\-prexit\fR 4
519 .IX Item "-prexit"
522 will only be printed out once if the connection succeeds. This option is useful
524 because a client certificate is required or is requested only after an
528 .IP \fB\-no\-interactive\fR 4
529 .IX Item "-no-interactive"
530 This flag can be used to run the client in a non-interactive mode.
531 .IP \fB\-state\fR 4
532 .IX Item "-state"
534 .IP \fB\-debug\fR 4
535 .IX Item "-debug"
537 .IP \fB\-nocommands\fR 4
538 .IX Item "-nocommands"
540 .IP \fB\-adv\fR 4
541 .IX Item "-adv"
543 .IP \fB\-security_debug\fR 4
544 .IX Item "-security_debug"
546 .IP \fB\-security_debug_verbose\fR 4
547 .IX Item "-security_debug_verbose"
549 .IP \fB\-msg\fR 4
550 .IX Item "-msg"
552 .IP \fB\-timeout\fR 4
553 .IX Item "-timeout"
555 .IP "\fB\-mtu\fR \fIsize\fR" 4
556 .IX Item "-mtu size"
558 .IP \fB\-no_ems\fR 4
559 .IX Item "-no_ems"
561 .IP "\fB\-keymatexport\fR \fIlabel\fR" 4
562 .IX Item "-keymatexport label"
564 .IP "\fB\-keymatexportlen\fR \fIlen\fR" 4
565 .IX Item "-keymatexportlen len"
569 .IP \fB\-trace\fR 4
570 .IX Item "-trace"
572 .IP "\fB\-msgfile\fR \fIfilename\fR" 4
573 .IX Item "-msgfile filename"
574 File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
575 .IP \fB\-nbio_test\fR 4
576 .IX Item "-nbio_test"
578 .IP \fB\-nbio\fR 4
579 .IX Item "-nbio"
581 .IP \fB\-crlf\fR 4
582 .IX Item "-crlf"
585 .IP \fB\-ign_eof\fR 4
586 .IX Item "-ign_eof"
588 input. This implicitly turns on \fB\-nocommands\fR as well.
589 .IP \fB\-quiet\fR 4
590 .IX Item "-quiet"
592 turns on \fB\-ign_eof\fR and \fB\-nocommands\fR as well.
593 .IP \fB\-no_ign_eof\fR 4
594 .IX Item "-no_ign_eof"
596 Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
597 .IP "\fB\-psk_identity\fR \fIidentity\fR" 4
598 .IX Item "-psk_identity identity"
601 .IP "\fB\-psk\fR \fIkey\fR" 4
602 .IX Item "-psk key"
604 given as a hexadecimal number without leading 0x, for example \-psk
607 .IP "\fB\-psk_session\fR \fIfile\fR" 4
608 .IX Item "-psk_session file"
610 Note that this will only work if TLSv1.3 is negotiated.
611 .IP \fB\-sctp\fR 4
612 .IX Item "-sctp"
614 conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
616 .IP \fB\-sctp_label_bug\fR 4
617 .IX Item "-sctp_label_bug"
619 endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
621 implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
623 .IP \fB\-fallback_scsv\fR 4
624 .IX Item "-fallback_scsv"
626 .IP \fB\-async\fR 4
627 .IX Item "-async"
629 asynchronously. This will only have an effect if an asynchronous capable engine
630 is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
632 .IP "\fB\-maxfraglen\fR \fIlen\fR" 4
633 .IX Item "-maxfraglen len"
636 .IP "\fB\-max_send_frag\fR \fIint\fR" 4
637 .IX Item "-max_send_frag int"
640 .IP "\fB\-split_send_frag\fR \fIint\fR" 4
641 .IX Item "-split_send_frag int"
644 maximum number of pipelines defined by max_pipelines. This only has an effect if
648 .IP "\fB\-max_pipelines\fR \fIint\fR" 4
649 .IX Item "-max_pipelines int"
650 The maximum number of encrypt/decrypt pipelines to be used. This will only have
654 .IP "\fB\-read_buf\fR \fIint\fR" 4
655 .IX Item "-read_buf int"
656 The default read buffer size to be used for connections. This will only have an
660 .IP \fB\-ignore_unexpected_eof\fR 4
661 .IX Item "-ignore_unexpected_eof"
668 .IP \fB\-no_tx_cert_comp\fR 4
669 .IX Item "-no_tx_cert_comp"
671 .IP \fB\-no_rx_cert_comp\fR 4
672 .IX Item "-no_rx_cert_comp"
674 .IP \fB\-brief\fR 4
675 .IX Item "-brief"
676 Only provide a brief summary of connection parameters instead of the
678 .IP "\fB\-starttls\fR \fIprotocol\fR" 4
679 .IX Item "-starttls protocol"
680 Send the protocol-specific message(s) to switch to TLS for communication.
681 \&\fIprotocol\fR is a keyword for the intended protocol. Currently, the only
682 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
684 .IP "\fB\-xmpphost\fR \fIhostname\fR" 4
685 .IX Item "-xmpphost hostname"
686 This option, when used with "\-starttls xmpp" or "\-starttls xmpp-server",
687 specifies the host for the "to" attribute of the stream element.
688 If this option is not specified, then the host specified with "\-connect"
691 This option is an alias of the \fB\-name\fR option for "xmpp" and "xmpp-server".
692 .IP "\fB\-name\fR \fIhostname\fR" 4
693 .IX Item "-name hostname"
695 used with \fB\-starttls\fR option. Currently only "xmpp", "xmpp-server",
696 "smtp" and "lmtp" can utilize this \fB\-name\fR option.
698 If this option is used with "\-starttls xmpp" or "\-starttls xmpp-server",
699 it specifies the host for the "to" attribute of the stream element. If this
700 option is not specified, then the host specified with "\-connect" will be used.
702 If this option is used with "\-starttls lmtp" or "\-starttls smtp", it specifies
705 .IP \fB\-tlsextdebug\fR 4
706 .IX Item "-tlsextdebug"
708 .IP "\fB\-sess_out\fR \fIfilename\fR" 4
709 .IX Item "-sess_out filename"
711 .IP "\fB\-sess_in\fR \fIfilename\fR" 4
712 .IX Item "-sess_in filename"
715 .IP "\fB\-serverinfo\fR \fItypes\fR" 4
716 .IX Item "-serverinfo types"
717 A list of comma-separated TLS Extension Types (numbers between 0 and
721 .IP \fB\-status\fR 4
722 .IX Item "-status"
725 .IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4
726 .IX Item "-alpn protocols, -nextprotoneg protocols"
727 These flags enable the Application-Layer Protocol Negotiation
730 The \fIprotocols\fR list is a comma-separated list of protocol names that
737 The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
738 .IP "\fB\-ct\fR, \fB\-noct\fR" 4
739 .IX Item "-ct, -noct"
741 is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR).
747 .IP \fB\-ctlogfile\fR 4
748 .IX Item "-ctlogfile"
751 .IP "\fB\-keylogfile\fR \fIfile\fR" 4
752 .IX Item "-keylogfile file"
755 .IP "\fB\-early_data\fR \fIfile\fR" 4
756 .IX Item "-early_data file"
758 to the server. This will only work with resumed sessions that support early
760 .IP \fB\-enable_pha\fR 4
761 .IX Item "-enable_pha"
762 For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
763 happen whether or not a certificate has been provided via \fB\-cert\fR.
764 .IP "\fB\-use_srtp\fR \fIvalue\fR" 4
765 .IX Item "-use_srtp value"
766 Offer SRTP key management, where \fBvalue\fR is a colon-separated profile list.
767 .IP "\fB\-srpuser\fR \fIvalue\fR" 4
768 .IX Item "-srpuser value"
770 .IP "\fB\-srppass\fR \fIvalue\fR" 4
771 .IX Item "-srppass value"
773 .IP \fB\-srp_lateuser\fR 4
774 .IX Item "-srp_lateuser"
776 .IP "\fB\-srp_moregroups\fR This option is deprecated." 4
777 .IX Item "-srp_moregroups This option is deprecated."
779 .IP "\fB\-srp_strength\fR \fInumber\fR" 4
780 .IX Item "-srp_strength number"
783 .IP \fB\-ktls\fR 4
784 .IX Item "-ktls"
788 .IP \fB\-tfo\fR 4
789 .IX Item "-tfo"
791 …-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\f…
792 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -…
794 .IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
795 .IX Item "-dtls, -dtls1, -dtls1_2"
798 .IP "\fB\-nameopt\fR \fIoption\fR" 4
799 .IX Item "-nameopt option"
801 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
802 …-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \…
803 .IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyfor…
805 See "Extended Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
806 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \…
807 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
808 See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
809 …-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renego…
810 …-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no…
812 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
813 .IX Item "-rand files, -writerand file"
815 .IP "\fB\-provider\fR \fIname\fR" 4
816 .IX Item "-provider name"
818 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
819 .IX Item "-provider-path path"
820 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
821 .IX Item "-provparam [name:]key=value"
822 .IP "\fB\-propquery\fR \fIpropq\fR" 4
823 .IX Item "-propquery propq"
826 .IP "\fB\-engine\fR \fIid\fR" 4
827 .IX Item "-engine id"
830 .IP "\fB\-ssl_client_engine\fR \fIid\fR" 4
831 .IX Item "-ssl_client_engine id"
833 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
834 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
836 See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
839 proceed unless the \fB\-verify_return_error\fR option is used.
840 .IP \fB\-enable_server_rpk\fR 4
841 .IX Item "-enable_server_rpk"
847 .IP \fB\-enable_client_rpk\fR 4
848 .IX Item "-enable_client_rpk"
854 .IP \fIhost\fR:\fIport\fR 4
855 .IX Item "host:port"
856 Rather than providing \fB\-connect\fR, the target host and optional port may
858 nor \fB\-connect\fR are provided, falls back to attempting to connect to
860 If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*…
867 When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR has been
868 given), and neither \fB\-adv\fR nor \fB\-nocommands\fR is given, then "Basic" command
878 Renegotiate the SSL session (TLSv1.2 and below only).
884 Send a key update message to the server (TLSv1.3 only)
887 Send a key update message to the server and request one back (TLSv1.3 only)
890 If \fB\-adv\fR has been given then "advanced" command mode is entered. As with basic
899 "{keyup:req}". Some commands are only available when certain protocol versions
919 Send a Key Update message. TLSv1.3 only. This command takes an optional
925 Initiate a renegotiation with the server. (D)TLSv1.2 or below only.
928 Indicate FIN on the current stream. QUIC only. Once FIN has been sent any
936 \& openssl s_client \-connect servername:443
943 nothing obvious like no client certificate then the \fB\-bugs\fR,
944 \&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
953 and checked. However, some servers only request client authentication
955 is necessary to use the \fB\-prexit\fR option and send an HTTP request
958 If a certificate is specified on the command line using the \fB\-cert\fR
964 \&\fB\-showcerts\fR option can be used to show all the certificates sent by the
969 accept any certificate chain (trusted or not) sent by the peer. Non-test
971 attack. This behaviour can be changed with the \fB\-verify_return_error\fR
974 The \fB\-bind\fR option may be useful if the server or a firewall requires
976 .SS "Note on Non-Interactive Use"
977 .IX Subsection "Note on Non-Interactive Use"
978 When \fBs_client\fR is run in a non-interactive environment (e.g., a cron job or
980 especially with TLS 1.3. To prevent this, you can use the \fB\-ign_eof\fR flag,
986 \& openssl s_client \-connect <server address>:443 \-tls1_3
987 \& \-sess_out /path/to/tls_session_params_file
988 \& \-ign_eof </dev/null
991 However, relying solely on \fB\-ign_eof\fR can lead to issues if the server keeps
1000 \& $ openssl s_client \-brief \-ign_eof \-starttls smtp
1001 \& \-connect <server address>:25 </dev/null
1010 To avoid such hangs, it's better to use an application-level command to
1014 \& printf \*(AqQUIT\er\en\*(Aq | openssl s_client \-connect <server address>:25
1015 \& \-starttls smtp \-brief \-ign_eof
1023 \& | openssl s_client \-connect <server address>:443 \-brief
1035 The \fB\-prexit\fR option is a bit of a hack. We should really report
1040 \&\fBopenssl\-sess_id\fR\|(1),
1041 \&\fBopenssl\-s_server\fR\|(1),
1042 \&\fBopenssl\-ciphers\fR\|(1),
1047 \&\fBossl_store\-file\fR\|(7)
1050 The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0.
1051 The \fB\-name\fR option was added in OpenSSL 1.1.1.
1053 The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect.
1055 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
1058 \&\fB\-enable_client_rpk\fR,
1059 \&\fB\-enable_server_rpk\fR,
1060 \&\fB\-no_rx_cert_comp\fR,
1061 \&\fB\-no_tx_cert_comp\fR,
1062 and \fB\-tfo\fR
1066 Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.