openssl-s_server.1 - OpenGrok cross reference for /freebsd/secure/usr.bin/openssl/man/openssl-s

Lines Matching +full:1 +full:- +full:of +full:- +full:4
18 .\" Set up some character translations and predefined strings.  \*(-- will
24 .tr \(*W-
27 .    ds -- \(*W-
29 .    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 .    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
37 .    ds -- \|\(em\|
51 .\" entries marked with X<> in POD.  Of course, you'll have to process the
62 .        tm Index:\\$1\t\\n%\t"\\$2"
71 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
81 .    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 .    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 .    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 .    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 .    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 .    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 .    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 .    \" troff and (daisy-wheel) nroff accents
123 .    ds d- d\h'-1'\(ga
124 .    ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-S_SERVER 1ossl"
134 .TH OPENSSL-S_SERVER 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-s_server \- SSL/TLS server program
144 [\fB\-help\fR]
145 [\fB\-port\fR \fI+int\fR]
146 [\fB\-accept\fR \fIval\fR]
147 [\fB\-unix\fR \fIval\fR]
148 [\fB\-4\fR]
149 [\fB\-6\fR]
150 [\fB\-unlink\fR]
151 [\fB\-context\fR \fIval\fR]
152 [\fB\-verify\fR \fIint\fR]
153 [\fB\-Verify\fR \fIint\fR]
154 [\fB\-cert\fR \fIinfile\fR]
155 [\fB\-cert2\fR \fIinfile\fR]
156 [\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
157 [\fB\-cert_chain\fR \fIinfile\fR]
158 [\fB\-build_chain\fR]
159 [\fB\-serverinfo\fR \fIval\fR]
160 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
161 [\fB\-key2\fR \fIfilename\fR|\fIuri\fR]
162 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
163 [\fB\-pass\fR \fIval\fR]
164 [\fB\-dcert\fR \fIinfile\fR]
165 [\fB\-dcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
166 [\fB\-dcert_chain\fR \fIinfile\fR]
167 [\fB\-dkey\fR \fIfilename\fR|\fIuri\fR]
168 [\fB\-dkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
169 [\fB\-dpass\fR \fIval\fR]
170 [\fB\-nbio_test\fR]
171 [\fB\-crlf\fR]
172 [\fB\-debug\fR]
173 [\fB\-msg\fR]
174 [\fB\-msgfile\fR \fIoutfile\fR]
175 [\fB\-state\fR]
176 [\fB\-nocert\fR]
177 [\fB\-quiet\fR]
178 [\fB\-no_resume_ephemeral\fR]
179 [\fB\-www\fR]
180 [\fB\-WWW\fR]
181 [\fB\-http_server_binmode\fR]
182 [\fB\-no_ca_names\fR]
183 [\fB\-ignore_unexpected_eof\fR]
184 [\fB\-servername\fR]
185 [\fB\-servername_fatal\fR]
186 [\fB\-tlsextdebug\fR]
187 [\fB\-HTTP\fR]
188 [\fB\-id_prefix\fR \fIval\fR]
189 [\fB\-keymatexport\fR \fIval\fR]
190 [\fB\-keymatexportlen\fR \fI+int\fR]
191 [\fB\-CRL\fR \fIinfile\fR]
192 [\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
193 [\fB\-crl_download\fR]
194 [\fB\-chainCAfile\fR \fIinfile\fR]
195 [\fB\-chainCApath\fR \fIdir\fR]
196 [\fB\-chainCAstore\fR \fIuri\fR]
197 [\fB\-verifyCAfile\fR \fIinfile\fR]
198 [\fB\-verifyCApath\fR \fIdir\fR]
199 [\fB\-verifyCAstore\fR \fIuri\fR]
200 [\fB\-no_cache\fR]
201 [\fB\-ext_cache\fR]
202 [\fB\-verify_return_error\fR]
203 [\fB\-verify_quiet\fR]
204 [\fB\-ign_eof\fR]
205 [\fB\-no_ign_eof\fR]
206 [\fB\-no_etm\fR]
207 [\fB\-status\fR]
208 [\fB\-status_verbose\fR]
209 [\fB\-status_timeout\fR \fIint\fR]
210 [\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR]
211 [\fB\-no_proxy\fR \fIaddresses\fR]
212 [\fB\-status_url\fR \fIval\fR]
213 [\fB\-status_file\fR \fIinfile\fR]
214 [\fB\-ssl_config\fR \fIval\fR]
215 [\fB\-trace\fR]
216 [\fB\-security_debug\fR]
217 [\fB\-security_debug_verbose\fR]
218 [\fB\-brief\fR]
219 [\fB\-rev\fR]
220 [\fB\-async\fR]
221 [\fB\-max_send_frag\fR \fI+int\fR]
222 [\fB\-split_send_frag\fR \fI+int\fR]
223 [\fB\-max_pipelines\fR \fI+int\fR]
224 [\fB\-naccept\fR \fI+int\fR]
225 [\fB\-read_buf\fR \fI+int\fR]
226 [\fB\-bugs\fR]
227 [\fB\-no_comp\fR]
228 [\fB\-comp\fR]
229 [\fB\-no_ticket\fR]
230 [\fB\-serverpref\fR]
231 [\fB\-legacy_renegotiation\fR]
232 [\fB\-no_renegotiation\fR]
233 [\fB\-no_resumption_on_reneg\fR]
234 [\fB\-allow_no_dhe_kex\fR]
235 [\fB\-prioritize_chacha\fR]
236 [\fB\-strict\fR]
237 [\fB\-sigalgs\fR \fIval\fR]
238 [\fB\-client_sigalgs\fR \fIval\fR]
239 [\fB\-groups\fR \fIval\fR]
240 [\fB\-curves\fR \fIval\fR]
241 [\fB\-named_curve\fR \fIval\fR]
242 [\fB\-cipher\fR \fIval\fR]
243 [\fB\-ciphersuites\fR \fIval\fR]
244 [\fB\-dhparam\fR \fIinfile\fR]
245 [\fB\-record_padding\fR \fIval\fR]
246 [\fB\-debug_broken_protocol\fR]
247 [\fB\-nbio\fR]
248 [\fB\-psk_identity\fR \fIval\fR]
249 [\fB\-psk_hint\fR \fIval\fR]
250 [\fB\-psk\fR \fIval\fR]
251 [\fB\-psk_session\fR \fIfile\fR]
252 [\fB\-srpvfile\fR \fIinfile\fR]
253 [\fB\-srpuserseed\fR \fIval\fR]
254 [\fB\-timeout\fR]
255 [\fB\-mtu\fR \fI+int\fR]
256 [\fB\-listen\fR]
257 [\fB\-sctp\fR]
258 [\fB\-sctp_label_bug\fR]
259 [\fB\-use_srtp\fR \fIval\fR]
260 [\fB\-no_dhe\fR]
261 [\fB\-nextprotoneg\fR \fIval\fR]
262 [\fB\-alpn\fR \fIval\fR]
263 [\fB\-sendfile\fR]
264 [\fB\-keylogfile\fR \fIoutfile\fR]
265 [\fB\-recv_max_early_data\fR \fIint\fR]
266 [\fB\-max_early_data\fR \fIint\fR]
267 [\fB\-early_data\fR]
268 [\fB\-stateless\fR]
269 [\fB\-anti_replay\fR]
270 [\fB\-no_anti_replay\fR]
271 [\fB\-num_tickets\fR]
272 [\fB\-nameopt\fR \fIoption\fR]
273 [\fB\-no_ssl3\fR]
274 [\fB\-no_tls1\fR]
275 [\fB\-no_tls1_1\fR]
276 [\fB\-no_tls1_2\fR]
277 [\fB\-no_tls1_3\fR]
278 [\fB\-ssl3\fR]
279 [\fB\-tls1\fR]
280 [\fB\-tls1_1\fR]
281 [\fB\-tls1_2\fR]
282 [\fB\-tls1_3\fR]
283 [\fB\-dtls\fR]
284 [\fB\-dtls1\fR]
285 [\fB\-dtls1_2\fR]
286 [\fB\-allow_proxy_certs\fR]
287 [\fB\-attime\fR \fItimestamp\fR]
288 [\fB\-no_check_time\fR]
289 [\fB\-check_ss_sig\fR]
290 [\fB\-crl_check\fR]
291 [\fB\-crl_check_all\fR]
292 [\fB\-explicit_policy\fR]
293 [\fB\-extended_crl\fR]
294 [\fB\-ignore_critical\fR]
295 [\fB\-inhibit_any\fR]
296 [\fB\-inhibit_map\fR]
297 [\fB\-partial_chain\fR]
298 [\fB\-policy\fR \fIarg\fR]
299 [\fB\-policy_check\fR]
300 [\fB\-policy_print\fR]
301 [\fB\-purpose\fR \fIpurpose\fR]
302 [\fB\-suiteB_128\fR]
303 [\fB\-suiteB_128_only\fR]
304 [\fB\-suiteB_192\fR]
305 [\fB\-trusted_first\fR]
306 [\fB\-no_alt_chains\fR]
307 [\fB\-use_deltas\fR]
308 [\fB\-auth_level\fR \fInum\fR]
309 [\fB\-verify_depth\fR \fInum\fR]
310 [\fB\-verify_email\fR \fIemail\fR]
311 [\fB\-verify_hostname\fR \fIhostname\fR]
312 [\fB\-verify_ip\fR \fIip\fR]
313 [\fB\-verify_name\fR \fIname\fR]
314 [\fB\-x509_strict\fR]
315 [\fB\-issuer_checks\fR]
316 [\fB\-bugs\fR]
317 [\fB\-no_comp\fR]
318 [\fB\-comp\fR]
319 [\fB\-no_ticket\fR]
320 [\fB\-serverpref\fR]
321 [\fB\-client_renegotiation\fR]
322 [\fB\-legacy_renegotiation\fR]
323 [\fB\-no_renegotiation\fR]
324 [\fB\-no_resumption_on_reneg\fR]
325 [\fB\-legacy_server_connect\fR]
326 [\fB\-no_legacy_server_connect\fR]
327 [\fB\-no_etm\fR]
328 [\fB\-allow_no_dhe_kex\fR]
329 [\fB\-prioritize_chacha\fR]
330 [\fB\-strict\fR]
331 [\fB\-sigalgs\fR \fIalgs\fR]
332 [\fB\-client_sigalgs\fR \fIalgs\fR]
333 [\fB\-groups\fR \fIgroups\fR]
334 [\fB\-curves\fR \fIcurves\fR]
335 [\fB\-named_curve\fR \fIcurve\fR]
336 [\fB\-cipher\fR \fIciphers\fR]
337 [\fB\-ciphersuites\fR \fI1.3ciphers\fR]
338 [\fB\-min_protocol\fR \fIminprot\fR]
339 [\fB\-max_protocol\fR \fImaxprot\fR]
340 [\fB\-record_padding\fR \fIpadding\fR]
341 [\fB\-debug_broken_protocol\fR]
342 [\fB\-no_middlebox\fR]
343 [\fB\-xkey\fR \fIinfile\fR]
344 [\fB\-xcert\fR \fIfile\fR]
345 [\fB\-xchain\fR \fIfile\fR]
346 [\fB\-xchain_build\fR \fIfile\fR]
347 [\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]>
348 [\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]>
349 [\fB\-CAfile\fR \fIfile\fR]
350 [\fB\-no\-CAfile\fR]
351 [\fB\-CApath\fR \fIdir\fR]
352 [\fB\-no\-CApath\fR]
353 [\fB\-CAstore\fR \fIuri\fR]
354 [\fB\-no\-CAstore\fR]
355 [\fB\-rand\fR \fIfiles\fR]
356 [\fB\-writerand\fR \fIfile\fR]
357 [\fB\-engine\fR \fIid\fR]
358 [\fB\-provider\fR \fIname\fR]
359 [\fB\-provider\-path\fR \fIpath\fR]
360 [\fB\-propquery\fR \fIpropq\fR]
363 This command implements a generic \s-1SSL/TLS\s0 server which
364 listens for connections on a given port using \s-1SSL/TLS.\s0
370 .IP "\fB\-help\fR" 4
371 .IX Item "-help"
373 .IP "\fB\-port\fR \fI+int\fR" 4
374 .IX Item "-port +int"
375 The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
376 .IP "\fB\-accept\fR \fIval\fR" 4
377 .IX Item "-accept val"
378 The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is use…
379 .IP "\fB\-unix\fR \fIval\fR" 4
380 .IX Item "-unix val"
382 .IP "\fB\-4\fR" 4
383 .IX Item "-4"
385 .IP "\fB\-6\fR" 4
386 .IX Item "-6"
388 .IP "\fB\-unlink\fR" 4
389 .IX Item "-unlink"
390 For \-unix, unlink any existing socket first.
391 .IP "\fB\-context\fR \fIval\fR" 4
392 .IX Item "-context val"
393 Sets the \s-1SSL\s0 context id. It can be given any string value. If this option
395 .IP "\fB\-verify\fR \fIint\fR, \fB\-Verify\fR \fIint\fR" 4
396 .IX Item "-verify int, -Verify int"
397 The verify depth to use. This specifies the maximum length of the
399 the client. With the \fB\-verify\fR option a certificate is requested but the
400 client does not have to send one, with the \fB\-Verify\fR option the client
404 anonymous cipher suite or \s-1PSK\s0) this option has no effect.
405 .IP "\fB\-cert\fR \fIinfile\fR" 4
406 .IX Item "-cert infile"
407 The certificate to use, most servers cipher suites require the use of a
409 for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
410 (\s-1DSA\s0) key. If not specified then the filename \fIserver.pem\fR will be used.
411 .IP "\fB\-cert2\fR \fIinfile\fR" 4
412 .IX Item "-cert2 infile"
414 .IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
415 .IX Item "-certform DER|PEM|P12"
417 See \fBopenssl\-format\-options\fR\|(1) for details.
418 .IP "\fB\-cert_chain\fR" 4
419 .IX Item "-cert_chain"
420 A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
421 certificate chain related to the certificate specified via the \fB\-cert\fR option.
422 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
423 .IP "\fB\-build_chain\fR" 4
424 .IX Item "-build_chain"
427 .IP "\fB\-serverinfo\fR \fIval\fR" 4
428 .IX Item "-serverinfo val"
429 A file containing one or more blocks of \s-1PEM\s0 data.  Each \s-1PEM\s0 block
430 must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
431 followed by \*(L"length\*(R" bytes of extension data).  If the client sends
432 an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
434 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
435 .IX Item "-key filename|uri"
438 .IP "\fB\-key2\fR \fIfilename\fR|\fIuri\fR" 4
439 .IX Item "-key2 filename|uri"
440 The private Key file to use for servername if not given via \fB\-cert2\fR.
441 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
442 .IX Item "-keyform DER|PEM|P12|ENGINE"
444 See \fBopenssl\-format\-options\fR\|(1) for details.
445 .IP "\fB\-pass\fR \fIval\fR" 4
446 .IX Item "-pass val"
448 For more information about the format of \fIval\fR,
449 see \fBopenssl\-passphrase\-options\fR\|(1).
450 .IP "\fB\-dcert\fR \fIinfile\fR, \fB\-dkey\fR \fIfilename\fR|\fIuri\fR" 4
451 .IX Item "-dcert infile, -dkey filename|uri"
453 same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
455 noted above some cipher suites require a certificate containing a key of
456 a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
457 and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
458 a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
460 .IP "\fB\-dcert_chain\fR" 4
461 .IX Item "-dcert_chain"
462 A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
463 server certificate chain when a certificate specified via the \fB\-dcert\fR option
465 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
466 .IP "\fB\-dcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
467 .IX Item "-dcertform DER|PEM|P12"
468 The format of the additional certificate file; unspecified by default.
469 See \fBopenssl\-format\-options\fR\|(1) for details.
470 .IP "\fB\-dkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
471 .IX Item "-dkeyform DER|PEM|P12|ENGINE"
472 The format of the additional private key; unspecified by default.
473 See \fBopenssl\-format\-options\fR\|(1) for details.
474 .IP "\fB\-dpass\fR \fIval\fR" 4
475 .IX Item "-dpass val"
477 For more information about the format of \fIval\fR,
478 see \fBopenssl\-passphrase\-options\fR\|(1).
479 .IP "\fB\-nbio_test\fR" 4
480 .IX Item "-nbio_test"
482 .IP "\fB\-crlf\fR" 4
483 .IX Item "-crlf"
484 This option translated a line feed from the terminal into \s-1CR+LF.\s0
485 .IP "\fB\-debug\fR" 4
486 .IX Item "-debug"
487 Print extensive debugging information including a hex dump of all traffic.
488 .IP "\fB\-security_debug\fR" 4
489 .IX Item "-security_debug"
490 Print output from \s-1SSL/TLS\s0 security framework.
491 .IP "\fB\-security_debug_verbose\fR" 4
492 .IX Item "-security_debug_verbose"
493 Print more output from \s-1SSL/TLS\s0 security framework
494 .IP "\fB\-msg\fR" 4
495 .IX Item "-msg"
497 .IP "\fB\-msgfile\fR \fIoutfile\fR" 4
498 .IX Item "-msgfile outfile"
499 File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
500 .IP "\fB\-state\fR" 4
501 .IX Item "-state"
502 Prints the \s-1SSL\s0 session states.
503 .IP "\fB\-CRL\fR \fIinfile\fR" 4
504 .IX Item "-CRL infile"
505 The \s-1CRL\s0 file to use.
506 .IP "\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
507 .IX Item "-CRLform DER|PEM"
508 The \s-1CRL\s0 file format; unspecified by default.
509 See \fBopenssl\-format\-options\fR\|(1) for details.
510 .IP "\fB\-crl_download\fR" 4
511 .IX Item "-crl_download"
512 Download CRLs from distribution points given in \s-1CDP\s0 extensions of certificates
513 .IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
514 .IX Item "-verifyCAfile filename"
515 A file in \s-1PEM\s0 format \s-1CA\s0 containing trusted certificates to use
517 .IP "\fB\-verifyCApath\fR \fIdir\fR" 4
518 .IX Item "-verifyCApath dir"
522 see \fBopenssl\-verify\fR\|(1) for more information.
523 .IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
524 .IX Item "-verifyCAstore uri"
525 The \s-1URI\s0 of a store containing trusted certificates to use
527 .IP "\fB\-chainCAfile\fR \fIfile\fR" 4
528 .IX Item "-chainCAfile file"
529 A file in \s-1PEM\s0 format containing trusted certificates to use
531 .IP "\fB\-chainCApath\fR \fIdir\fR" 4
532 .IX Item "-chainCApath dir"
536 see \fBopenssl\-verify\fR\|(1) for more information.
537 .IP "\fB\-chainCAstore\fR \fIuri\fR" 4
538 .IX Item "-chainCAstore uri"
539 The \s-1URI\s0 of a store containing trusted certificates to use
541 The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
542 With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
543 \&\fB\-chainCApath\fR, depending on if the \s-1URI\s0 indicates a directory or a
545 See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
546 .IP "\fB\-nocert\fR" 4
547 .IX Item "-nocert"
550 \&\s-1DH\s0).
551 .IP "\fB\-quiet\fR" 4
552 .IX Item "-quiet"
553 Inhibit printing of session and certificate information.
554 .IP "\fB\-no_resume_ephemeral\fR" 4
555 .IX Item "-no_resume_ephemeral"
556 Disable caching and tickets if ephemeral (\s-1EC\s0)DH is used.
557 .IP "\fB\-tlsextdebug\fR" 4
558 .IX Item "-tlsextdebug"
559 Print a hex dump of any \s-1TLS\s0 extensions received from the server.
560 .IP "\fB\-www\fR" 4
561 .IX Item "-www"
564 The output is in \s-1HTML\s0 format so this option can be used with a web browser.
565 The special \s-1URL\s0 \f(CW\*(C`/renegcert\*(C'\fR turns on client cert validation, and \f(CW\*(C`…
567 The \fB\-early_data\fR option cannot be used with this option.
568 .IP "\fB\-WWW\fR, \fB\-HTTP\fR" 4
569 .IX Item "-WWW, -HTTP"
571 current directory, for example if the \s-1URL\s0 \f(CW\*(C`https://myhost/page.html\*(C'\fR is
573 If the \fB\-HTTP\fR flag is used, the files are sent directly, and should contain
574 any \s-1HTTP\s0 response headers (including status response line).
575 If the \fB\-WWW\fR option is used,
577 examined to determine the \fBContent-Type\fR header.
578 Extensions of \f(CW\*(C`html\*(C'\fR, \f(CW\*(C`htm\*(C'\fR, and \f(CW\*(C`php\*(C'\fR are \f(CW\*(…
580 In addition, the special \s-1URL\s0 \f(CW\*(C`/stats\*(C'\fR will return status
581 information like the \fB\-www\fR option.
582 Neither of these options can be used in conjunction with \fB\-early_data\fR.
583 .IP "\fB\-http_server_binmode\fR" 4
584 .IX Item "-http_server_binmode"
585 When acting as web-server (using option \fB\-WWW\fR or \fB\-HTTP\fR) open files requested
587 .IP "\fB\-no_ca_names\fR" 4
588 .IX Item "-no_ca_names"
589 Disable \s-1TLS\s0 Extension \s-1CA\s0 Names. You may want to disable it for security reasons
590 or for compatibility with some Windows \s-1TLS\s0 implementations crashing when this
592 .IP "\fB\-ignore_unexpected_eof\fR" 4
593 .IX Item "-ignore_unexpected_eof"
594 Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
600 .IP "\fB\-servername\fR" 4
601 .IX Item "-servername"
602 Servername for HostName \s-1TLS\s0 extension.
603 .IP "\fB\-servername_fatal\fR" 4
604 .IX Item "-servername_fatal"
606 .IP "\fB\-id_prefix\fR \fIval\fR" 4
607 .IX Item "-id_prefix val"
608 Generate \s-1SSL/TLS\s0 session IDs prefixed by \fIval\fR. This is mostly useful
609 for testing any \s-1SSL/TLS\s0 code (e.g. proxies) that wish to deal with multiple
610 servers, when each of which might be generating a unique range of session
612 .IP "\fB\-keymatexport\fR" 4
613 .IX Item "-keymatexport"
615 .IP "\fB\-keymatexportlen\fR" 4
616 .IX Item "-keymatexportlen"
617 Export the given number of bytes of keying material; default 20.
618 .IP "\fB\-no_cache\fR" 4
619 .IX Item "-no_cache"
621 .IP "\fB\-ext_cache\fR." 4
622 .IX Item "-ext_cache."
624 .IP "\fB\-verify_return_error\fR" 4
625 .IX Item "-verify_return_error"
629 .IP "\fB\-verify_quiet\fR" 4
630 .IX Item "-verify_quiet"
632 .IP "\fB\-ign_eof\fR" 4
633 .IX Item "-ign_eof"
634 Ignore input \s-1EOF\s0 (default: when \fB\-quiet\fR).
635 .IP "\fB\-no_ign_eof\fR" 4
636 .IX Item "-no_ign_eof"
637 Do not ignore input \s-1EOF.\s0
638 .IP "\fB\-no_etm\fR" 4
639 .IX Item "-no_etm"
640 Disable Encrypt-then-MAC negotiation.
641 .IP "\fB\-status\fR" 4
642 .IX Item "-status"
643 Enables certificate status request support (aka \s-1OCSP\s0 stapling).
644 .IP "\fB\-status_verbose\fR" 4
645 .IX Item "-status_verbose"
646 Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives
647 a verbose printout of the \s-1OCSP\s0 response.
648 .IP "\fB\-status_timeout\fR \fIint\fR" 4
649 .IX Item "-status_timeout int"
650 Sets the timeout for \s-1OCSP\s0 response to \fIint\fR seconds.
651 .IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR" 4
652 .IX Item "-proxy [http[s]://][userinfo@]host[:port][/path]"
653 The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1OCSP\s0 server unless \fB\-no_proxy\fR
659 in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS…
660 .IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
661 .IX Item "-no_proxy addresses"
662 List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
663 not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
666 .IP "\fB\-status_url\fR \fIval\fR" 4
667 .IX Item "-status_url val"
668 Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
671 The optional userinfo and fragment \s-1URL\s0 components are ignored.
672 Any given query component is handled as part of the path component.
673 .IP "\fB\-status_file\fR \fIinfile\fR" 4
674 .IX Item "-status_file infile"
675 Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the
676 \&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format.
677 .IP "\fB\-ssl_config\fR \fIval\fR" 4
678 .IX Item "-ssl_config val"
679 Configure \s-1SSL_CTX\s0 using the given configuration value.
680 .IP "\fB\-trace\fR" 4
681 .IX Item "-trace"
682 Show verbose trace output of protocol messages.
683 .IP "\fB\-brief\fR" 4
684 .IX Item "-brief"
685 Provide a brief summary of connection parameters instead of the normal verbose
687 .IP "\fB\-rev\fR" 4
688 .IX Item "-rev"
689 Simple echo server that sends back received text reversed. Also sets \fB\-brief\fR.
690 Cannot be used in conjunction with \fB\-early_data\fR.
691 .IP "\fB\-async\fR" 4
692 .IX Item "-async"
695 is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
697 .IP "\fB\-max_send_frag\fR \fI+int\fR" 4
698 .IX Item "-max_send_frag +int"
699 The maximum size of data fragment to send.
701 .IP "\fB\-split_send_frag\fR \fI+int\fR" 4
702 .IX Item "-split_send_frag +int"
705 maximum number of pipelines defined by max_pipelines. This only has an effect if
707 has been loaded, and max_pipelines is greater than 1. See
709 .IP "\fB\-max_pipelines\fR \fI+int\fR" 4
710 .IX Item "-max_pipelines +int"
711 The maximum number of encrypt/decrypt pipelines to be used. This will only have
713 engine) and a suitable cipher suite has been negotiated. The default value is 1.
715 .IP "\fB\-naccept\fR \fI+int\fR" 4
716 .IX Item "-naccept +int"
717 The server will exit after receiving the specified number of connections,
719 .IP "\fB\-read_buf\fR \fI+int\fR" 4
720 .IX Item "-read_buf +int"
725 .IP "\fB\-bugs\fR" 4
726 .IX Item "-bugs"
727 There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
729 .IP "\fB\-no_comp\fR" 4
730 .IX Item "-no_comp"
731 Disable negotiation of \s-1TLS\s0 compression.
732 \&\s-1TLS\s0 compression is not recommended and is off by default as of
734 .IP "\fB\-comp\fR" 4
735 .IX Item "-comp"
736 Enable negotiation of \s-1TLS\s0 compression.
738 \&\s-1TLS\s0 compression is not recommended and is off by default as of
740 .IP "\fB\-no_ticket\fR" 4
741 .IX Item "-no_ticket"
743 is negotiated. See \fB\-num_tickets\fR.
744 .IP "\fB\-num_tickets\fR" 4
745 .IX Item "-num_tickets"
746 Control the number of tickets that will be sent to the client after a full
747 handshake in TLSv1.3. The default number of tickets is 2. This option does not
748 affect the number of tickets sent after a resumption handshake.
749 .IP "\fB\-serverpref\fR" 4
750 .IX Item "-serverpref"
752 .IP "\fB\-prioritize_chacha\fR" 4
753 .IX Item "-prioritize_chacha"
754 Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR.
755 .IP "\fB\-no_resumption_on_reneg\fR" 4
756 .IX Item "-no_resumption_on_reneg"
757 Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option.
758 .IP "\fB\-client_sigalgs\fR \fIval\fR" 4
759 .IX Item "-client_sigalgs val"
761 (colon-separated list).
762 .IP "\fB\-named_curve\fR \fIval\fR" 4
763 .IX Item "-named_curve val"
764 Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list.
765 For a list of all possible curves, use:
767 .Vb 1
768 \&    $ openssl ecparam \-list_curves
770 .IP "\fB\-cipher\fR \fIval\fR" 4
771 .IX Item "-cipher val"
772 This allows the list of TLSv1.2 and below ciphersuites used by the server to be
774 configured. When the client sends a list of supported ciphers the first client
776 the preference order, the order of the server cipherlist is irrelevant. See
777 \&\fBopenssl\-ciphers\fR\|(1) for more information.
778 .IP "\fB\-ciphersuites\fR \fIval\fR" 4
779 .IX Item "-ciphersuites val"
780 This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
782 configured. When the client sends a list of supported ciphers the first client
784 the preference order, the order of the server cipherlist is irrelevant. See
785 \&\fBopenssl\-ciphers\fR\|(1) command for more information. The format for this list is
786 a simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
787 .IP "\fB\-dhparam\fR \fIinfile\fR" 4
788 .IX Item "-dhparam infile"
789 The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
790 using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
792 If this fails then a static set of parameters hard coded into this command
794 .IP "\fB\-nbio\fR" 4
795 .IX Item "-nbio"
797 .IP "\fB\-timeout\fR" 4
798 .IX Item "-timeout"
800 .IP "\fB\-mtu\fR" 4
801 .IX Item "-mtu"
802 Set link-layer \s-1MTU.\s0
803 .IP "\fB\-psk_identity\fR \fIval\fR" 4
804 .IX Item "-psk_identity val"
805 Expect the client to send \s-1PSK\s0 identity \fIval\fR when using a \s-1PSK\s0
806 cipher suite, and warn if they do not.  By default, the expected \s-1PSK\s0
808 .IP "\fB\-psk_hint\fR \fIval\fR" 4
809 .IX Item "-psk_hint val"
810 Use the \s-1PSK\s0 identity hint \fIval\fR when using a \s-1PSK\s0 cipher suite.
811 .IP "\fB\-psk\fR \fIval\fR" 4
812 .IX Item "-psk val"
813 Use the \s-1PSK\s0 key \fIval\fR when using a \s-1PSK\s0 cipher suite. The key is
814 given as a hexadecimal number without leading 0x, for example \-psk
816 This option must be provided in order to use a \s-1PSK\s0 cipher.
817 .IP "\fB\-psk_session\fR \fIfile\fR" 4
818 .IX Item "-psk_session file"
819 Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fIfile\fR as the basis of a \s-1PSK.\s0
821 .IP "\fB\-srpvfile\fR" 4
822 .IX Item "-srpvfile"
823 The verifier file for \s-1SRP.\s0
825 .IP "\fB\-srpuserseed\fR" 4
826 .IX Item "-srpuserseed"
829 .IP "\fB\-listen\fR" 4
830 .IX Item "-listen"
831 This option can only be used in conjunction with one of the \s-1DTLS\s0 options above.
832 With this option, this command will listen on a \s-1UDP\s0 port for incoming
839 .IP "\fB\-sctp\fR" 4
840 .IX Item "-sctp"
841 Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
842 conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
843 available where OpenSSL has support for \s-1SCTP\s0 enabled.
844 .IP "\fB\-sctp_label_bug\fR" 4
845 .IX Item "-sctp_label_bug"
846 Use the incorrect behaviour of older OpenSSL implementations when computing
847 endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
849 implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
850 available where OpenSSL has support for \s-1SCTP\s0 enabled.
851 .IP "\fB\-use_srtp\fR" 4
852 .IX Item "-use_srtp"
853 Offer \s-1SRTP\s0 key management with a colon-separated profile list.
854 .IP "\fB\-no_dhe\fR" 4
855 .IX Item "-no_dhe"
856 If this option is set then no \s-1DH\s0 parameters will be loaded effectively
857 disabling the ephemeral \s-1DH\s0 cipher suites.
858 .IP "\fB\-alpn\fR \fIval\fR, \fB\-nextprotoneg\fR \fIval\fR" 4
859 .IX Item "-alpn val, -nextprotoneg val"
860 These flags enable the Application-Layer Protocol Negotiation
861 or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
862 \&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
863 The \fIval\fR list is a comma-separated list of supported protocol
865 Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
867 The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
868 .IP "\fB\-sendfile\fR" 4
869 .IX Item "-sendfile"
870 If this option is set and \s-1KTLS\s0 is enabled, \fBSSL_sendfile()\fR will be used
871 instead of \fBBIO_write()\fR to send the \s-1HTTP\s0 response requested by a client.
872 This option is only valid if \fB\-WWW\fR or \fB\-HTTP\fR is specified.
873 .IP "\fB\-keylogfile\fR \fIoutfile\fR" 4
874 .IX Item "-keylogfile outfile"
875 Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
876 (like Wireshark) can decrypt \s-1TLS\s0 connections.
877 .IP "\fB\-max_early_data\fR \fIint\fR" 4
878 .IX Item "-max_early_data int"
880 and any incoming early data (when used in conjunction with the \fB\-early_data\fR
883 .IP "\fB\-recv_max_early_data\fR \fIint\fR" 4
884 .IX Item "-recv_max_early_data int"
885 Specify the hard limit on the maximum number of early data bytes that will
887 .IP "\fB\-early_data\fR" 4
888 .IX Item "-early_data"
889 Accept early data where possible. Cannot be used in conjunction with \fB\-www\fR,
890 \&\fB\-WWW\fR, \fB\-HTTP\fR or \fB\-rev\fR.
891 .IP "\fB\-stateless\fR" 4
892 .IX Item "-stateless"
894 .IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
895 .IX Item "-anti_replay, -no_anti_replay"
902 .IP "\fB\-nameopt\fR \fIoption\fR" 4
903 .IX Item "-nameopt option"
905 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
906 …-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\f…
907 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -…
908 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
909 .IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
910 .IX Item "-dtls, -dtls1, -dtls1_2"
911 These specify the use of \s-1DTLS\s0 instead of \s-1TLS.\s0
912 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
913 …-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renego…
914 …-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no…
915 See \*(L"\s-1SUPPORTED COMMAND LINE COMMANDS\*(R"\s0 in \fBSSL_CONF_cmd\fR\|(3) for details.
916 …-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \…
917 .IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyfor…
919 See \*(L"Extended Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for detail…
920 …P "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \f…
921 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
922 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
923 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
924 .IX Item "-rand files, -writerand file"
925 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
926 .IP "\fB\-engine\fR \fIid\fR" 4
927 .IX Item "-engine id"
928 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
930 .IP "\fB\-provider\fR \fIname\fR" 4
931 .IX Item "-provider name"
933 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
934 .IX Item "-provider-path path"
935 .IP "\fB\-propquery\fR \fIpropq\fR" 4
936 .IX Item "-propquery propq"
938 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
939 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
940 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
941 Set various options of certificate chain verification.
942 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
946 proceed unless the \fB\-verify_return_error\fR option is used.
949 If a connection request is established with an \s-1SSL\s0 client and neither the
950 \&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
954 commands are a letter which must appear at the start of a line. They are listed
956 .IP "\fBq\fR" 4
958 End the current \s-1SSL\s0 connection but still accept new connections.
959 .IP "\fBQ\fR" 4
961 End the current \s-1SSL\s0 connection and exit.
962 .IP "\fBr\fR" 4
964 Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
965 .IP "\fBR\fR" 4
967 Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below
969 .IP "\fBP\fR" 4
971 Send some plain text down the underlying \s-1TCP\s0 connection: this should
973 .IP "\fBS\fR" 4
976 .IP "\fBk\fR" 4
979 .IP "\fBK\fR" 4
982 .IP "\fBc\fR" 4
987 This command can be used to debug \s-1SSL\s0 clients. To accept connections
990 .Vb 1
991 \& openssl s_server \-accept 443 \-www
996 Although specifying an empty list of CAs when requesting a client certificate
997 is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
998 mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
1000 The session parameters can printed out using the \fBopenssl\-sess_id\fR\|(1) command.
1003 Because this program has a lot of options and also because some of the
1005 hard to read and not a model of how things should be done.
1006 A typical \s-1SSL\s0 server program would be much simpler.
1008 The output of common ciphers is wrong: it just gives the list of ciphers that
1015 \&\fBopenssl\fR\|(1),
1016 \&\fBopenssl\-sess_id\fR\|(1),
1017 \&\fBopenssl\-s_client\fR\|(1),
1018 \&\fBopenssl\-ciphers\fR\|(1),
1023 \&\fBossl_store\-file\fR\|(7)
1026 The \-no_alt_chains option was added in OpenSSL 1.1.0.
1029 \&\-allow\-no\-dhe\-kex and \-prioritize_chacha options were added in OpenSSL 1.1.1.
1031 The \fB\-srpvfile\fR, \fB\-srpuserseed\fR, and \fB\-engine\fR
1035 Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
1039 in the file \s-1LICENSE\s0 in the source distribution or at