Lines Matching +full:trace +full:- +full:buffer +full:- +full:extension
18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-S_CLIENT 1ossl"
134 .TH OPENSSL-S_CLIENT 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-s_client \- SSL/TLS client program
144 [\fB\-help\fR]
145 [\fB\-ssl_config\fR \fIsection\fR]
146 [\fB\-connect\fR \fIhost:port\fR]
147 [\fB\-host\fR \fIhostname\fR]
148 [\fB\-port\fR \fIport\fR]
149 [\fB\-bind\fR \fIhost:port\fR]
150 [\fB\-proxy\fR \fIhost:port\fR]
151 [\fB\-proxy_user\fR \fIuserid\fR]
152 [\fB\-proxy_pass\fR \fIarg\fR]
153 [\fB\-unix\fR \fIpath\fR]
154 [\fB\-4\fR]
155 [\fB\-6\fR]
156 [\fB\-servername\fR \fIname\fR]
157 [\fB\-noservername\fR]
158 [\fB\-verify\fR \fIdepth\fR]
159 [\fB\-verify_return_error\fR]
160 [\fB\-verify_quiet\fR]
161 [\fB\-verifyCAfile\fR \fIfilename\fR]
162 [\fB\-verifyCApath\fR \fIdir\fR]
163 [\fB\-verifyCAstore\fR \fIuri\fR]
164 [\fB\-cert\fR \fIfilename\fR]
165 [\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
166 [\fB\-cert_chain\fR \fIfilename\fR]
167 [\fB\-build_chain\fR]
168 [\fB\-CRL\fR \fIfilename\fR]
169 [\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
170 [\fB\-crl_download\fR]
171 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
172 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
173 [\fB\-pass\fR \fIarg\fR]
174 [\fB\-chainCAfile\fR \fIfilename\fR]
175 [\fB\-chainCApath\fR \fIdirectory\fR]
176 [\fB\-chainCAstore\fR \fIuri\fR]
177 [\fB\-requestCAfile\fR \fIfilename\fR]
178 [\fB\-dane_tlsa_domain\fR \fIdomain\fR]
179 [\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR]
180 [\fB\-dane_ee_no_namechecks\fR]
181 [\fB\-reconnect\fR]
182 [\fB\-showcerts\fR]
183 [\fB\-prexit\fR]
184 [\fB\-debug\fR]
185 [\fB\-trace\fR]
186 [\fB\-nocommands\fR]
187 [\fB\-security_debug\fR]
188 [\fB\-security_debug_verbose\fR]
189 [\fB\-msg\fR]
190 [\fB\-timeout\fR]
191 [\fB\-mtu\fR \fIsize\fR]
192 [\fB\-no_etm\fR]
193 [\fB\-keymatexport\fR \fIlabel\fR]
194 [\fB\-keymatexportlen\fR \fIlen\fR]
195 [\fB\-msgfile\fR \fIfilename\fR]
196 [\fB\-nbio_test\fR]
197 [\fB\-state\fR]
198 [\fB\-nbio\fR]
199 [\fB\-crlf\fR]
200 [\fB\-ign_eof\fR]
201 [\fB\-no_ign_eof\fR]
202 [\fB\-psk_identity\fR \fIidentity\fR]
203 [\fB\-psk\fR \fIkey\fR]
204 [\fB\-psk_session\fR \fIfile\fR]
205 [\fB\-quiet\fR]
206 [\fB\-sctp\fR]
207 [\fB\-sctp_label_bug\fR]
208 [\fB\-fallback_scsv\fR]
209 [\fB\-async\fR]
210 [\fB\-maxfraglen\fR \fIlen\fR]
211 [\fB\-max_send_frag\fR]
212 [\fB\-split_send_frag\fR]
213 [\fB\-max_pipelines\fR]
214 [\fB\-read_buf\fR]
215 [\fB\-ignore_unexpected_eof\fR]
216 [\fB\-bugs\fR]
217 [\fB\-comp\fR]
218 [\fB\-no_comp\fR]
219 [\fB\-brief\fR]
220 [\fB\-legacy_server_connect\fR]
221 [\fB\-no_legacy_server_connect\fR]
222 [\fB\-allow_no_dhe_kex\fR]
223 [\fB\-sigalgs\fR \fIsigalglist\fR]
224 [\fB\-curves\fR \fIcurvelist\fR]
225 [\fB\-cipher\fR \fIcipherlist\fR]
226 [\fB\-ciphersuites\fR \fIval\fR]
227 [\fB\-serverpref\fR]
228 [\fB\-starttls\fR \fIprotocol\fR]
229 [\fB\-name\fR \fIhostname\fR]
230 [\fB\-xmpphost\fR \fIhostname\fR]
231 [\fB\-name\fR \fIhostname\fR]
232 [\fB\-tlsextdebug\fR]
233 [\fB\-no_ticket\fR]
234 [\fB\-sess_out\fR \fIfilename\fR]
235 [\fB\-serverinfo\fR \fItypes\fR]
236 [\fB\-sess_in\fR \fIfilename\fR]
237 [\fB\-serverinfo\fR \fItypes\fR]
238 [\fB\-status\fR]
239 [\fB\-alpn\fR \fIprotocols\fR]
240 [\fB\-nextprotoneg\fR \fIprotocols\fR]
241 [\fB\-ct\fR]
242 [\fB\-noct\fR]
243 [\fB\-ctlogfile\fR]
244 [\fB\-keylogfile\fR \fIfile\fR]
245 [\fB\-early_data\fR \fIfile\fR]
246 [\fB\-enable_pha\fR]
247 [\fB\-use_srtp\fR \fIvalue\fR]
248 [\fB\-srpuser\fR \fIvalue\fR]
249 [\fB\-srppass\fR \fIvalue\fR]
250 [\fB\-srp_lateuser\fR]
251 [\fB\-srp_moregroups\fR]
252 [\fB\-srp_strength\fR \fInumber\fR]
253 [\fB\-nameopt\fR \fIoption\fR]
254 [\fB\-no_ssl3\fR]
255 [\fB\-no_tls1\fR]
256 [\fB\-no_tls1_1\fR]
257 [\fB\-no_tls1_2\fR]
258 [\fB\-no_tls1_3\fR]
259 [\fB\-ssl3\fR]
260 [\fB\-tls1\fR]
261 [\fB\-tls1_1\fR]
262 [\fB\-tls1_2\fR]
263 [\fB\-tls1_3\fR]
264 [\fB\-dtls\fR]
265 [\fB\-dtls1\fR]
266 [\fB\-dtls1_2\fR]
267 [\fB\-xkey\fR \fIinfile\fR]
268 [\fB\-xcert\fR \fIfile\fR]
269 [\fB\-xchain\fR \fIfile\fR]
270 [\fB\-xchain_build\fR \fIfile\fR]
271 [\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
272 [\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
273 [\fB\-CAfile\fR \fIfile\fR]
274 [\fB\-no\-CAfile\fR]
275 [\fB\-CApath\fR \fIdir\fR]
276 [\fB\-no\-CApath\fR]
277 [\fB\-CAstore\fR \fIuri\fR]
278 [\fB\-no\-CAstore\fR]
279 [\fB\-bugs\fR]
280 [\fB\-no_comp\fR]
281 [\fB\-comp\fR]
282 [\fB\-no_ticket\fR]
283 [\fB\-serverpref\fR]
284 [\fB\-client_renegotiation\fR]
285 [\fB\-legacy_renegotiation\fR]
286 [\fB\-no_renegotiation\fR]
287 [\fB\-no_resumption_on_reneg\fR]
288 [\fB\-legacy_server_connect\fR]
289 [\fB\-no_legacy_server_connect\fR]
290 [\fB\-no_etm\fR]
291 [\fB\-allow_no_dhe_kex\fR]
292 [\fB\-prioritize_chacha\fR]
293 [\fB\-strict\fR]
294 [\fB\-sigalgs\fR \fIalgs\fR]
295 [\fB\-client_sigalgs\fR \fIalgs\fR]
296 [\fB\-groups\fR \fIgroups\fR]
297 [\fB\-curves\fR \fIcurves\fR]
298 [\fB\-named_curve\fR \fIcurve\fR]
299 [\fB\-cipher\fR \fIciphers\fR]
300 [\fB\-ciphersuites\fR \fI1.3ciphers\fR]
301 [\fB\-min_protocol\fR \fIminprot\fR]
302 [\fB\-max_protocol\fR \fImaxprot\fR]
303 [\fB\-record_padding\fR \fIpadding\fR]
304 [\fB\-debug_broken_protocol\fR]
305 [\fB\-no_middlebox\fR]
306 [\fB\-rand\fR \fIfiles\fR]
307 [\fB\-writerand\fR \fIfile\fR]
308 [\fB\-provider\fR \fIname\fR]
309 [\fB\-provider\-path\fR \fIpath\fR]
310 [\fB\-propquery\fR \fIpropq\fR]
311 [\fB\-engine\fR \fIid\fR]
312 [\fB\-ssl_client_engine\fR \fIid\fR]
313 [\fB\-allow_proxy_certs\fR]
314 [\fB\-attime\fR \fItimestamp\fR]
315 [\fB\-no_check_time\fR]
316 [\fB\-check_ss_sig\fR]
317 [\fB\-crl_check\fR]
318 [\fB\-crl_check_all\fR]
319 [\fB\-explicit_policy\fR]
320 [\fB\-extended_crl\fR]
321 [\fB\-ignore_critical\fR]
322 [\fB\-inhibit_any\fR]
323 [\fB\-inhibit_map\fR]
324 [\fB\-partial_chain\fR]
325 [\fB\-policy\fR \fIarg\fR]
326 [\fB\-policy_check\fR]
327 [\fB\-policy_print\fR]
328 [\fB\-purpose\fR \fIpurpose\fR]
329 [\fB\-suiteB_128\fR]
330 [\fB\-suiteB_128_only\fR]
331 [\fB\-suiteB_192\fR]
332 [\fB\-trusted_first\fR]
333 [\fB\-no_alt_chains\fR]
334 [\fB\-use_deltas\fR]
335 [\fB\-auth_level\fR \fInum\fR]
336 [\fB\-verify_depth\fR \fInum\fR]
337 [\fB\-verify_email\fR \fIemail\fR]
338 [\fB\-verify_hostname\fR \fIhostname\fR]
339 [\fB\-verify_ip\fR \fIip\fR]
340 [\fB\-verify_name\fR \fIname\fR]
341 [\fB\-x509_strict\fR]
342 [\fB\-issuer_checks\fR]
346 This command implements a generic \s-1SSL/TLS\s0 client which
347 connects to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic
348 tool for \s-1SSL\s0 servers.
355 .IP "\fB\-help\fR" 4
356 .IX Item "-help"
358 .IP "\fB\-ssl_config\fR \fIsection\fR" 4
359 .IX Item "-ssl_config section"
360 Use the specified section of the configuration file to configure the \fB\s-1SSL_CTX\s0\fR object.
361 .IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
362 .IX Item "-connect host:port"
367 .IP "\fB\-host\fR \fIhostname\fR" 4
368 .IX Item "-host hostname"
369 Host to connect to; use \fB\-connect\fR instead.
370 .IP "\fB\-port\fR \fIport\fR" 4
371 .IX Item "-port port"
372 Connect to the specified port; use \fB\-connect\fR instead.
373 .IP "\fB\-bind\fR \fIhost:port\fR" 4
374 .IX Item "-bind host:port"
376 connection. For Unix-domain sockets the port is ignored and the host is
378 .IP "\fB\-proxy\fR \fIhost:port\fR" 4
379 .IX Item "-proxy host:port"
380 When used with the \fB\-connect\fR flag, the program uses the host and port
381 specified with this flag and issues an \s-1HTTP CONNECT\s0 command to connect
383 .IP "\fB\-proxy_user\fR \fIuserid\fR" 4
384 .IX Item "-proxy_user userid"
385 When used with the \fB\-proxy\fR flag, the program will attempt to authenticate
387 \&\s-1NB:\s0 Basic authentication is insecure; the credentials are sent to the proxy
388 in easily reversible base64 encoding before any \s-1TLS/SSL\s0 session is established.
389 Therefore, these credentials are easily recovered by anyone able to sniff/trace
391 .IP "\fB\-proxy_pass\fR \fIarg\fR" 4
392 .IX Item "-proxy_pass arg"
393 The proxy password source, used with the \fB\-proxy_user\fR flag.
395 see \fBopenssl\-passphrase\-options\fR\|(1).
396 .IP "\fB\-unix\fR \fIpath\fR" 4
397 .IX Item "-unix path"
398 Connect over the specified Unix-domain socket.
399 .IP "\fB\-4\fR" 4
400 .IX Item "-4"
402 .IP "\fB\-6\fR" 4
403 .IX Item "-6"
405 .IP "\fB\-servername\fR \fIname\fR" 4
406 .IX Item "-servername name"
407 Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message to
409 If \fB\-servername\fR is not provided, the \s-1TLS SNI\s0 extension will be populated with
410 the name given to \fB\-connect\fR if it follows a \s-1DNS\s0 name format. If \fB\-connect\fR is
411 not provided either, the \s-1SNI\s0 is set to \*(L"localhost\*(R".
414 Even though \s-1SNI\s0 should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, if
415 \&\fB\-servername\fR is provided then that name will be sent, regardless of whether
416 it is a \s-1DNS\s0 name or not.
418 This option cannot be used in conjunction with \fB\-noservername\fR.
419 .IP "\fB\-noservername\fR" 4
420 .IX Item "-noservername"
421 Suppresses sending of the \s-1SNI\s0 (Server Name Indication) extension in the
422 ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or
423 \&\fB\-dane_tlsa_domain\fR options.
424 .IP "\fB\-cert\fR \fIfilename\fR" 4
425 .IX Item "-cert filename"
429 The chain for the client certificate may be specified using \fB\-cert_chain\fR.
430 .IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
431 .IX Item "-certform DER|PEM|P12"
433 See \fBopenssl\-format\-options\fR\|(1) for details.
434 .IP "\fB\-cert_chain\fR" 4
435 .IX Item "-cert_chain"
436 A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
437 certificate chain related to the certificate specified via the \fB\-cert\fR option.
438 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
439 .IP "\fB\-build_chain\fR" 4
440 .IX Item "-build_chain"
443 .IP "\fB\-CRL\fR \fIfilename\fR" 4
444 .IX Item "-CRL filename"
445 \&\s-1CRL\s0 file to use to check the server's certificate.
446 .IP "\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
447 .IX Item "-CRLform DER|PEM"
448 The \s-1CRL\s0 file format; unspecified by default.
449 See \fBopenssl\-format\-options\fR\|(1) for details.
450 .IP "\fB\-crl_download\fR" 4
451 .IX Item "-crl_download"
452 Download \s-1CRL\s0 from distribution points in the certificate.
453 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
454 .IX Item "-key filename|uri"
457 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
458 .IX Item "-keyform DER|PEM|P12|ENGINE"
460 See \fBopenssl\-format\-options\fR\|(1) for details.
461 .IP "\fB\-pass\fR \fIarg\fR" 4
462 .IX Item "-pass arg"
465 see \fBopenssl\-passphrase\-options\fR\|(1).
466 .IP "\fB\-verify\fR \fIdepth\fR" 4
467 .IX Item "-verify depth"
473 .IP "\fB\-verify_return_error\fR" 4
474 .IX Item "-verify_return_error"
477 .IP "\fB\-verify_quiet\fR" 4
478 .IX Item "-verify_quiet"
480 .IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
481 .IX Item "-verifyCAfile filename"
482 A file in \s-1PEM\s0 format containing trusted certificates to use
484 .IP "\fB\-verifyCApath\fR \fIdir\fR" 4
485 .IX Item "-verifyCApath dir"
489 see \fBopenssl\-verify\fR\|(1) for more information.
490 .IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
491 .IX Item "-verifyCAstore uri"
492 The \s-1URI\s0 of a store containing trusted certificates to use
494 .IP "\fB\-chainCAfile\fR \fIfile\fR" 4
495 .IX Item "-chainCAfile file"
496 A file in \s-1PEM\s0 format containing trusted certificates to use
498 .IP "\fB\-chainCApath\fR \fIdirectory\fR" 4
499 .IX Item "-chainCApath directory"
503 see \fBopenssl\-verify\fR\|(1) for more information.
504 .IP "\fB\-chainCAstore\fR \fIuri\fR" 4
505 .IX Item "-chainCAstore uri"
506 The \s-1URI\s0 of a store containing trusted certificates to use
508 The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
509 With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
510 \&\fB\-chainCApath\fR, depending on if the \s-1URI\s0 indicates a directory or a
512 See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
513 .IP "\fB\-requestCAfile\fR \fIfile\fR" 4
514 .IX Item "-requestCAfile file"
516 to the server in the \fBcertificate_authorities\fR extension. Only supported
517 for \s-1TLS 1.3\s0
518 .IP "\fB\-dane_tlsa_domain\fR \fIdomain\fR" 4
519 .IX Item "-dane_tlsa_domain domain"
520 Enable \s-1RFC6698/RFC7671 DANE TLSA\s0 authentication and specify the
521 \&\s-1TLSA\s0 base domain which becomes the default \s-1SNI\s0 hint and the primary
523 combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR
526 When \s-1DANE\s0 authentication succeeds, the diagnostic output will include
527 the lowest (closest to 0) depth at which a \s-1TLSA\s0 record authenticated
528 a chain certificate. When that \s-1TLSA\s0 record is a \*(L"2 1 0\*(R" trust
529 anchor public key that signed (rather than matched) the top-most
530 certificate of the chain, the result is reported as \*(L"\s-1TA\s0 public key
531 verified\*(R". Otherwise, either the \s-1TLSA\s0 record \*(L"matched \s-1TA\s0 certificate\*(R"
532 at a positive depth or else \*(L"matched \s-1EE\s0 certificate\*(R" at depth 0.
533 .IP "\fB\-dane_tlsa_rrdata\fR \fIrrdata\fR" 4
534 .IX Item "-dane_tlsa_rrdata rrdata"
535 Use one or more times to specify the \s-1RRDATA\s0 fields of the \s-1DANE TLSA\s0
543 \& $ openssl s_client \-brief \-starttls smtp \e
544 \& \-connect smtp.example.com:25 \e
545 \& \-dane_tlsa_domain smtp.example.com \e
546 \& \-dane_tlsa_rrdata "2 1 1
548 \& \-dane_tlsa_rrdata "2 1 1
556 .IP "\fB\-dane_ee_no_namechecks\fR" 4
557 .IX Item "-dane_ee_no_namechecks"
558 This disables server name checks when authenticating via \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0
564 The malicious server may then be able to violate cross-origin scripting
566 Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for
567 \&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is s…
569 In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\…
571 connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients
573 .IP "\fB\-reconnect\fR" 4
574 .IX Item "-reconnect"
575 Reconnects to the same server 5 times using the same session \s-1ID,\s0 this can
577 .IP "\fB\-showcerts\fR" 4
578 .IX Item "-showcerts"
582 .IP "\fB\-prexit\fR" 4
583 .IX Item "-prexit"
589 attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this
592 .IP "\fB\-state\fR" 4
593 .IX Item "-state"
594 Prints out the \s-1SSL\s0 session states.
595 .IP "\fB\-debug\fR" 4
596 .IX Item "-debug"
598 .IP "\fB\-nocommands\fR" 4
599 .IX Item "-nocommands"
601 .IP "\fB\-security_debug\fR" 4
602 .IX Item "-security_debug"
604 .IP "\fB\-security_debug_verbose\fR" 4
605 .IX Item "-security_debug_verbose"
607 .IP "\fB\-msg\fR" 4
608 .IX Item "-msg"
610 .IP "\fB\-timeout\fR" 4
611 .IX Item "-timeout"
612 Enable send/receive timeout on \s-1DTLS\s0 connections.
613 .IP "\fB\-mtu\fR \fIsize\fR" 4
614 .IX Item "-mtu size"
615 Set \s-1MTU\s0 of the link layer to the specified size.
616 .IP "\fB\-no_etm\fR" 4
617 .IX Item "-no_etm"
618 Disable Encrypt-then-MAC negotiation.
619 .IP "\fB\-keymatexport\fR \fIlabel\fR" 4
620 .IX Item "-keymatexport label"
622 .IP "\fB\-keymatexportlen\fR \fIlen\fR" 4
623 .IX Item "-keymatexportlen len"
627 .IP "\fB\-trace\fR" 4
628 .IX Item "-trace"
629 Show verbose trace output of protocol messages.
630 .IP "\fB\-msgfile\fR \fIfilename\fR" 4
631 .IX Item "-msgfile filename"
632 File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
633 .IP "\fB\-nbio_test\fR" 4
634 .IX Item "-nbio_test"
636 .IP "\fB\-nbio\fR" 4
637 .IX Item "-nbio"
639 .IP "\fB\-crlf\fR" 4
640 .IX Item "-crlf"
641 This option translates a line feed from the terminal into \s-1CR+LF\s0 as required
643 .IP "\fB\-ign_eof\fR" 4
644 .IX Item "-ign_eof"
647 .IP "\fB\-quiet\fR" 4
648 .IX Item "-quiet"
650 turns on \fB\-ign_eof\fR as well.
651 .IP "\fB\-no_ign_eof\fR" 4
652 .IX Item "-no_ign_eof"
654 Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
655 .IP "\fB\-psk_identity\fR \fIidentity\fR" 4
656 .IX Item "-psk_identity identity"
657 Use the \s-1PSK\s0 identity \fIidentity\fR when using a \s-1PSK\s0 cipher suite.
659 .IP "\fB\-psk\fR \fIkey\fR" 4
660 .IX Item "-psk key"
661 Use the \s-1PSK\s0 key \fIkey\fR when using a \s-1PSK\s0 cipher suite. The key is
662 given as a hexadecimal number without leading 0x, for example \-psk
664 This option must be provided in order to use a \s-1PSK\s0 cipher.
665 .IP "\fB\-psk_session\fR \fIfile\fR" 4
666 .IX Item "-psk_session file"
667 Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fIfile\fR as the basis of a \s-1PSK.\s0
669 .IP "\fB\-sctp\fR" 4
670 .IX Item "-sctp"
671 Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
672 conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
673 available where OpenSSL has support for \s-1SCTP\s0 enabled.
674 .IP "\fB\-sctp_label_bug\fR" 4
675 .IX Item "-sctp_label_bug"
677 endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
679 implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
680 available where OpenSSL has support for \s-1SCTP\s0 enabled.
681 .IP "\fB\-fallback_scsv\fR" 4
682 .IX Item "-fallback_scsv"
683 Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
684 .IP "\fB\-async\fR" 4
685 .IX Item "-async"
688 is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
690 .IP "\fB\-maxfraglen\fR \fIlen\fR" 4
691 .IX Item "-maxfraglen len"
694 .IP "\fB\-max_send_frag\fR \fIint\fR" 4
695 .IX Item "-max_send_frag int"
698 .IP "\fB\-split_send_frag\fR \fIint\fR" 4
699 .IX Item "-split_send_frag int"
706 .IP "\fB\-max_pipelines\fR \fIint\fR" 4
707 .IX Item "-max_pipelines int"
712 .IP "\fB\-read_buf\fR \fIint\fR" 4
713 .IX Item "-read_buf int"
714 The default read buffer size to be used for connections. This will only have an
715 effect if the buffer size is larger than the size that would otherwise be used
718 .IP "\fB\-ignore_unexpected_eof\fR" 4
719 .IX Item "-ignore_unexpected_eof"
720 Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
726 .IP "\fB\-bugs\fR" 4
727 .IX Item "-bugs"
728 There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
730 .IP "\fB\-comp\fR" 4
731 .IX Item "-comp"
732 Enables support for \s-1SSL/TLS\s0 compression.
734 \&\s-1TLS\s0 compression is not recommended and is off by default as of
736 .IP "\fB\-no_comp\fR" 4
737 .IX Item "-no_comp"
738 Disables support for \s-1SSL/TLS\s0 compression.
739 \&\s-1TLS\s0 compression is not recommended and is off by default as of
741 .IP "\fB\-brief\fR" 4
742 .IX Item "-brief"
745 .IP "\fB\-sigalgs\fR \fIsigalglist\fR" 4
746 .IX Item "-sigalgs sigalglist"
750 .IP "\fB\-curves\fR \fIcurvelist\fR" 4
751 .IX Item "-curves curvelist"
756 \& $ openssl ecparam \-list_curves
758 .IP "\fB\-cipher\fR \fIcipherlist\fR" 4
759 .IX Item "-cipher cipherlist"
764 \&\fBopenssl\-ciphers\fR\|(1) for more information.
765 .IP "\fB\-ciphersuites\fR \fIval\fR" 4
766 .IX Item "-ciphersuites val"
771 \&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a simple
773 .IP "\fB\-starttls\fR \fIprotocol\fR" 4
774 .IX Item "-starttls protocol"
775 Send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
777 …(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
779 .IP "\fB\-xmpphost\fR \fIhostname\fR" 4
780 .IX Item "-xmpphost hostname"
781 This option, when used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
783 If this option is not specified, then the host specified with \*(L"\-connect\*(R"
786 This option is an alias of the \fB\-name\fR option for \*(L"xmpp\*(R" and \*(L"xmpp-server\*(R".
787 .IP "\fB\-name\fR \fIhostname\fR" 4
788 .IX Item "-name hostname"
790 used with \fB\-starttls\fR option. Currently only \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
791 \&\*(L"smtp\*(R" and \*(L"lmtp\*(R" can utilize this \fB\-name\fR option.
793 If this option is used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
795 option is not specified, then the host specified with \*(L"\-connect\*(R" will be used.
797 If this option is used with \*(L"\-starttls lmtp\*(R" or \*(L"\-starttls smtp\*(R", it specifies
798 the name to use in the \*(L"\s-1LMTP LHLO\*(R"\s0 or \*(L"\s-1SMTP EHLO\*(R"\s0 message, respective…
800 .IP "\fB\-tlsextdebug\fR" 4
801 .IX Item "-tlsextdebug"
802 Print out a hex dump of any \s-1TLS\s0 extensions received from the server.
803 .IP "\fB\-no_ticket\fR" 4
804 .IX Item "-no_ticket"
806 .IP "\fB\-sess_out\fR \fIfilename\fR" 4
807 .IX Item "-sess_out filename"
808 Output \s-1SSL\s0 session to \fIfilename\fR.
809 .IP "\fB\-sess_in\fR \fIfilename\fR" 4
810 .IX Item "-sess_in filename"
811 Load \s-1SSL\s0 session from \fIfilename\fR. The client will attempt to resume a
813 .IP "\fB\-serverinfo\fR \fItypes\fR" 4
814 .IX Item "-serverinfo types"
815 A list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and
816 65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension.
817 The server's response (if any) will be encoded and displayed as a \s-1PEM\s0
819 .IP "\fB\-status\fR" 4
820 .IX Item "-status"
821 Sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
823 .IP "\fB\-alpn\fR \fIprotocols\fR, \fB\-nextprotoneg\fR \fIprotocols\fR" 4
824 .IX Item "-alpn protocols, -nextprotoneg protocols"
825 These flags enable the Application-Layer Protocol Negotiation
826 or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
827 \&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
828 The \fIprotocols\fR list is a comma-separated list of protocol names that
830 desirable protocols first. Protocol names are printable \s-1ASCII\s0 strings,
833 client to advertise support for the \s-1TLS\s0 extension but disconnect just
835 The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
836 .IP "\fB\-ct\fR, \fB\-noct\fR" 4
837 .IX Item "-ct, -noct"
838 Use one of these two options to control whether Certificate Transparency (\s-1CT\s0)
839 is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR).
840 If \s-1CT\s0 is enabled, signed certificate timestamps (SCTs) will be requested from
843 Enabling \s-1CT\s0 also enables \s-1OCSP\s0 stapling, as this is one possible delivery method
845 .IP "\fB\-ctlogfile\fR" 4
846 .IX Item "-ctlogfile"
849 .IP "\fB\-keylogfile\fR \fIfile\fR" 4
850 .IX Item "-keylogfile file"
851 Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
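852 (like Wireshark) can decrypt \s-1TLS\s0 connections. Anyone who can read this file and capture the traffic can decrypt those connections, so restrict access to it.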
853 .IP "\fB\-early_data\fR \fIfile\fR" 4
854 .IX Item "-early_data file"
858 .IP "\fB\-enable_pha\fR" 4
859 .IX Item "-enable_pha"
860 For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
861 happen whether or not a certificate has been provided via \fB\-cert\fR.
862 .IP "\fB\-use_srtp\fR \fIvalue\fR" 4
863 .IX Item "-use_srtp value"
864 Offer \s-1SRTP\s0 key management, where \fBvalue\fR is a colon-separated profile list.
865 .IP "\fB\-srpuser\fR \fIvalue\fR" 4
866 .IX Item "-srpuser value"
867 Set the \s-1SRP\s0 username to the specified value. This option is deprecated.
868 .IP "\fB\-srppass\fR \fIvalue\fR" 4
869 .IX Item "-srppass value"
870 Set the \s-1SRP\s0 password to the specified value. This option is deprecated.
871 .IP "\fB\-srp_lateuser\fR" 4
872 .IX Item "-srp_lateuser"
873 \&\s-1SRP\s0 username for the second ClientHello message. This option is deprecated.
874 .IP "\fB\-srp_moregroups\fR This option is deprecated." 4
875 .IX Item "-srp_moregroups This option is deprecated."
877 .IP "\fB\-srp_strength\fR \fInumber\fR" 4
878 .IX Item "-srp_strength number"
881 …-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\f…
882 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -…
883 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
884 .IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
885 .IX Item "-dtls, -dtls1, -dtls1_2"
886 These specify the use of \s-1DTLS\s0 instead of \s-1TLS.\s0
887 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
888 .IP "\fB\-nameopt\fR \fIoption\fR" 4
889 .IX Item "-nameopt option"
891 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
892 …-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \…
893 .IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyfor…
895 See \*(L"Extended Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for detail…
896 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \…
897 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
898 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
899 …-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renego…
900 …-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no…
901 See \*(L"\s-1SUPPORTED COMMAND LINE COMMANDS\*(R"\s0 in \fBSSL_CONF_cmd\fR\|(3) for details.
902 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
903 .IX Item "-rand files, -writerand file"
905 .IP "\fB\-provider\fR \fIname\fR" 4
906 .IX Item "-provider name"
908 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
909 .IX Item "-provider-path path"
910 .IP "\fB\-propquery\fR \fIpropq\fR" 4
911 .IX Item "-propquery propq"
914 .IP "\fB\-engine\fR \fIid\fR" 4
915 .IX Item "-engine id"
918 .IP "\fB\-ssl_client_engine\fR \fIid\fR" 4
919 .IX Item "-ssl_client_engine id"
921 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
922 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
924 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
927 proceed unless the \fB\-verify_return_error\fR option is used.
930 Rather than providing \fB\-connect\fR, the target hostname and optional port may
932 nor \fB\-connect\fR are provided, falls back to attempting to connect to
936 If a connection is established with an \s-1SSL\s0 server then any data received
939 used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been
945 End the current \s-1SSL\s0 connection and exit.
948 Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
957 This command can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
961 \& openssl s_client \-connect servername:443
965 then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page.
968 nothing obvious like no client certificate then the \fB\-bugs\fR,
969 \&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
976 the client's certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
977 requests a certificate. By using this command, the \s-1CA\s0 list can be viewed
979 after a specific \s-1URL\s0 is requested. To obtain the list in this case it
980 is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
983 If a certificate is specified on the command line using the \fB\-cert\fR
989 \&\fB\-showcerts\fR option can be used to show all the certificates sent by the
994 accept any certificate chain (trusted or not) sent by the peer. Non-test
995 applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
996 attack. This behaviour can be changed with the \fB\-verify_return_error\fR
999 The \fB\-bind\fR option may be useful if the server or a firewall requires
1006 A typical \s-1SSL\s0 client program would be much simpler.
1008 The \fB\-prexit\fR option is a bit of a hack. We should really report
1013 \&\fBopenssl\-sess_id\fR\|(1),
1014 \&\fBopenssl\-s_server\fR\|(1),
1015 \&\fBopenssl\-ciphers\fR\|(1),
1020 \&\fBossl_store\-file\fR\|(7)
1023 The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0.
1024 The \fB\-name\fR option was added in OpenSSL 1.1.1.
1026 The \fB\-certform\fR option has become obsolete in OpenSSL 3.0.0 and has no effect.
1028 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
1031 Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
1035 in the file \s-1LICENSE\s0 in the source distribution or at