Lines Matching +full:4 +full:a

58 .TH OPENSSL-S_SERVER 1ossl 2025-09-30 3.5.4 OpenSSL
72 [\fB\-4\fR]
277 This command implements a generic SSL/TLS server which
278 listens for connections on a given port using SSL/TLS.
284 .IP \fB\-help\fR 4
286 Print out a usage message.
287 .IP "\fB\-port\fR \fI+int\fR" 4
290 .IP "\fB\-accept\fR \fIval\fR" 4
293 .IP "\fB\-unix\fR \fIval\fR" 4
296 .IP \fB\-4\fR 4
297 .IX Item "-4"
299 .IP \fB\-6\fR 4
302 .IP \fB\-unlink\fR 4
305 .IP "\fB\-context\fR \fIval\fR" 4
308 is not present a default value will be used.
309 .IP "\fB\-verify\fR \fIint\fR, \fB\-Verify\fR \fIint\fR" 4
312 client certificate chain and makes the server request a certificate from
313 the client. With the \fB\-verify\fR option a certificate is requested but the
315 must supply a certificate or an error occurs.
317 If the cipher suite cannot request a client certificate (for example an
323 .IP "\fB\-cert\fR \fIinfile\fR" 4
325 The certificate to use; most server cipher suites require the use of a
326 certificate and some require a certificate with a certain public key type:
327 for example the DSS cipher suites require a certificate containing a DSS
328 (DSA) key. If not specified then the filename \fIserver.pem\fR will be used.
329 .IP "\fB\-cert2\fR \fIinfile\fR" 4
332 .IP "\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
336 .IP \fB\-cert_chain\fR 4
338 A file or URI of untrusted certificates to use when attempting to build the
343 .IP \fB\-build_chain\fR 4
347 .IP "\fB\-serverinfo\fR \fIval\fR" 4
349 A file containing one or more blocks of PEM data. Each PEM block
350 must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
354 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
358 .IP "\fB\-key2\fR \fIfilename\fR|\fIuri\fR" 4
361 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
365 .IP "\fB\-pass\fR \fIval\fR" 4
370 .IP "\fB\-dcert\fR \fIinfile\fR, \fB\-dkey\fR \fIfilename\fR|\fIuri\fR" 4
375 noted above some cipher suites require a certificate containing a key of
376 a certain type. Some cipher suites need a certificate carrying an RSA key
377 and some a DSS (DSA) key. By using RSA and DSS certificates and keys
378 a server can support clients which only support RSA or DSS cipher suites
380 .IP \fB\-dcert_chain\fR 4
382 A file or URI of untrusted certificates to use when attempting to build the
383 server certificate chain when a certificate specified via the \fB\-dcert\fR option
386 .IP "\fB\-dcertform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
390 .IP "\fB\-dkeyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
394 .IP "\fB\-dpass\fR \fIval\fR" 4
399 .IP \fB\-nbio_test\fR 4
402 .IP \fB\-crlf\fR 4
404 This option translates a line feed from the terminal into CR+LF.
405 .IP \fB\-debug\fR 4
407 Print extensive debugging information including a hex dump of all traffic.
408 .IP \fB\-security_debug\fR 4
411 .IP \fB\-security_debug_verbose\fR 4
414 .IP \fB\-msg\fR 4
417 .IP "\fB\-msgfile\fR \fIoutfile\fR" 4
420 .IP \fB\-state\fR 4
423 .IP "\fB\-CRL\fR \fIinfile\fR" 4
426 .IP "\fB\-CRLform\fR \fBDER\fR|\fBPEM\fR" 4
430 .IP \fB\-crl_download\fR 4
433 .IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
435 A CA file in PEM format containing trusted certificates to use
437 .IP "\fB\-verifyCApath\fR \fIdir\fR" 4
439 A directory containing trusted certificates to use
443 .IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
445 The URI of a store containing trusted certificates to use
447 .IP "\fB\-chainCAfile\fR \fIfile\fR" 4
449 A file in PEM format containing trusted certificates to use
451 .IP "\fB\-chainCApath\fR \fIdir\fR" 4
453 A directory containing trusted certificates to use
457 .IP "\fB\-chainCAstore\fR \fIuri\fR" 4
459 The URI of a store containing trusted certificates to use
461 The URI may indicate a single certificate, as well as a collection of them.
463 \&\fB\-chainCApath\fR, depending on if the URI indicates a directory or a
466 .IP \fB\-nocert\fR 4
471 .IP \fB\-quiet\fR 4
474 .IP \fB\-no_resume_ephemeral\fR 4
477 .IP \fB\-tlsextdebug\fR 4
479 Print a hex dump of any TLS extensions received from the server.
480 .IP \fB\-www\fR 4
482 Sends a status message back to the client when it connects. This includes
484 The output is in HTML format so this option can be used with a web browser.
487 .IP "\fB\-WWW\fR, \fB\-HTTP\fR" 4
489 Emulates a simple web server. Pages will be resolved relative to the
501 .IP \fB\-http_server_binmode\fR 4
505 .IP \fB\-no_ca_names\fR 4
510 .IP \fB\-ignore_unexpected_eof\fR 4
515 option is enabled the peer does not need to send the close_notify alert and a
517 For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3).
518 .IP \fB\-servername\fR 4
521 .IP \fB\-servername_fatal\fR 4
524 .IP "\fB\-id_prefix\fR \fIval\fR" 4
528 servers, when each of which might be generating a unique range of session
529 IDs (e.g. with a certain prefix).
530 .IP \fB\-keymatexport\fR 4
533 .IP \fB\-keymatexportlen\fR 4
536 .IP \fB\-no_cache\fR 4
539 .IP \fB\-ext_cache\fR. 4
542 .IP \fB\-verify_return_error\fR 4
544 Verification errors normally just print a message but allow the
547 .IP \fB\-verify_quiet\fR 4
550 .IP \fB\-ign_eof\fR 4
553 .IP \fB\-no_ign_eof\fR 4
556 .IP \fB\-no_ems\fR 4
559 .IP \fB\-status\fR 4
562 .IP \fB\-status_verbose\fR 4
565 a verbose printout of the OCSP response.
568 .IP "\fB\-status_timeout\fR \fIint\fR" 4
571 .IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
581 .IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
587 .IP "\fB\-status_url\fR \fIval\fR" 4
589 Sets a fallback responder URL to use if no responder URL is present in the
591 certificate does not contain a responder address.
594 .IP "\fB\-status_file\fR \fIinfile\fR" 4
598 .IP "\fB\-ssl_config\fR \fIval\fR" 4
601 .IP \fB\-trace\fR 4
604 .IP \fB\-brief\fR 4
606 Provide a brief summary of connection parameters instead of the normal verbose
608 .IP \fB\-rev\fR 4
612 .IP \fB\-async\fR 4
618 .IP "\fB\-max_send_frag\fR \fI+int\fR" 4
622 .IP "\fB\-split_send_frag\fR \fI+int\fR" 4
627 a suitable cipher suite has been negotiated, an engine that supports pipelining
630 .IP "\fB\-max_pipelines\fR \fI+int\fR" 4
634 engine) and a suitable cipher suite has been negotiated. The default value is 1.
636 .IP "\fB\-naccept\fR \fI+int\fR" 4
640 .IP "\fB\-read_buf\fR \fI+int\fR" 4
646 .IP \fB\-no_tx_cert_comp\fR 4
649 .IP \fB\-no_rx_cert_comp\fR 4
652 .IP \fB\-no_comp\fR 4
657 .IP \fB\-num_tickets\fR 4
659 Control the number of tickets that will be sent to the client after a full
661 affect the number of tickets sent after a resumption handshake.
662 .IP "\fB\-dhparam\fR \fIinfile\fR" 4
665 using a set of DH parameters. If not specified then an attempt is made to
667 If this fails then a static set of parameters hard coded into this command
669 .IP \fB\-nbio\fR 4
672 .IP \fB\-timeout\fR 4
675 .IP \fB\-mtu\fR 4
678 .IP "\fB\-psk_identity\fR \fIval\fR" 4
680 Expect the client to send PSK identity \fIval\fR when using a PSK
683 .IP "\fB\-psk_hint\fR \fIval\fR" 4
685 Use the PSK identity hint \fIval\fR when using a PSK cipher suite.
686 .IP "\fB\-psk\fR \fIval\fR" 4
688 Use the PSK key \fIval\fR when using a PSK cipher suite. The key is
689 given as a hexadecimal number without leading 0x, for example \-psk
691 This option must be provided in order to use a PSK cipher.
692 .IP "\fB\-psk_session\fR \fIfile\fR" 4
694 Use the PEM-encoded SSL_SESSION data stored in \fIfile\fR as the basis of a PSK.
696 .IP \fB\-srpvfile\fR 4
700 .IP \fB\-srpuserseed\fR 4
702 A seed string for a default user salt.
704 .IP \fB\-listen\fR 4
707 With this option, this command will listen on a UDP port for incoming
709 Any ClientHellos that arrive will be checked to see if they have a cookie in
711 Any without a cookie will be responded to with a HelloVerifyRequest.
712 If a ClientHello with a cookie is received then this command will
714 .IP \fB\-sctp\fR 4
719 .IP \fB\-sctp_label_bug\fR 4
726 .IP \fB\-use_srtp\fR 4
728 Offer SRTP key management with a colon-separated profile list.
729 .IP \fB\-no_dhe\fR 4
733 .IP "\fB\-alpn\fR \fIval\fR, \fB\-nextprotoneg\fR \fIval\fR" 4
738 The \fIval\fR list is a comma-separated list of supported protocol
743 .IP \fB\-ktls\fR 4
748 .IP \fB\-sendfile\fR 4
751 instead of \fBBIO_write()\fR to send the HTTP response requested by a client.
754 .IP \fB\-zerocopy_sendfile\fR 4
757 a performance boost when used with KTLS hardware offload. Note that invalid
760 and a warning is shown. Note that KTLS sendfile on FreeBSD always runs in the
762 .IP "\fB\-keylogfile\fR \fIoutfile\fR" 4
766 .IP "\fB\-max_early_data\fR \fIint\fR" 4
772 .IP "\fB\-recv_max_early_data\fR \fIint\fR" 4
776 .IP \fB\-early_data\fR 4
780 .IP \fB\-stateless\fR 4
783 .IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
786 default unless overridden by a configuration file. When it is on, OpenSSL will
787 automatically detect if a session ticket has been used more than once, TLSv1.3
788 has been negotiated, and early data is enabled on the server. A full handshake
789 is forced if a session ticket is used a second or subsequent time. Any early
791 .IP \fB\-tfo\fR 4
794 .IP \fB\-cert_comp\fR 4
797 .IP "\fB\-nameopt\fR \fIoption\fR" 4
801 …R, \fB\-no_tls1_3\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
804 .IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
808 …ot\fR, \fB\-record_padding\fR \fIpadding\fR, \fB\-debug_broken_protocol\fR, \fB\-no_middlebox\fR" 4
811 …build\fR \fIfile\fR, \fB\-xcertform\fR \fBDER\fR|\fBPEM\fR, \fB\-xkeyform\fR \fBDER\fR|\fBPEM\fR" 4
815 …fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
818 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
821 .IP "\fB\-engine\fR \fIid\fR" 4
825 .IP "\fB\-provider\fR \fIname\fR" 4
828 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
830 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
832 .IP "\fB\-propquery\fR \fIpropq\fR" 4
836 …y_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
841 If the server requests a client certificate, then
844 .IP \fB\-enable_server_rpk\fR 4
847 A raw public key will be sent by the server, if solicited by the client,
848 provided a suitable key and public certificate pair is configured.
853 .IP \fB\-enable_client_rpk\fR 4
864 If a connection request is established with an SSL client and neither the
869 commands are a letter which must appear at the start of a line. They are listed
871 .IP \fBq\fR 4
874 .IP \fBQ\fR 4
877 .IP \fBr\fR 4
880 .IP \fBR\fR 4
882 Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
884 .IP \fBP\fR 4
887 cause the client to disconnect due to a protocol violation.
888 .IP \fBS\fR 4
891 .IP \fBk\fR 4
893 Send a key update message to the client (TLSv1.3 only)
894 .IP \fBK\fR 4
896 Send a key update message to the client and request one back (TLSv1.3 only)
897 .IP \fBc\fR 4
899 Send a certificate request to the client (TLSv1.3 only)
903 from a web browser the command:
911 Although specifying an empty list of CAs when requesting a client certificate
912 is strictly speaking a protocol violation, some SSL clients interpret this to
918 Because this program has a lot of options and also because some of the
920 hard to read and not a model of how things should be done.
921 A typical SSL server program would be much simpler.
926 There should be a way for this command to print out details
927 of any unknown cipher suites a client says it supports.
961 this file except in compliance with the License. You can obtain a copy