18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-S_SERVER 1ossl"
134 .TH OPENSSL-S_SERVER 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-s_server \- SSL/TLS server program
144 [\fB\-help\fR]
145 [\fB\-port\fR \fI+int\fR]
146 [\fB\-accept\fR \fIval\fR]
147 [\fB\-unix\fR \fIval\fR]
148 [\fB\-4\fR]
149 [\fB\-6\fR]
150 [\fB\-unlink\fR]
151 [\fB\-context\fR \fIval\fR]
152 [\fB\-verify\fR \fIint\fR]
153 [\fB\-Verify\fR \fIint\fR]
154 [\fB\-cert\fR \fIinfile\fR]
155 [\fB\-cert2\fR \fIinfile\fR]
156 [\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
157 [\fB\-cert_chain\fR \fIinfile\fR]
158 [\fB\-build_chain\fR]
159 [\fB\-serverinfo\fR \fIval\fR]
160 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
161 [\fB\-key2\fR \fIfilename\fR|\fIuri\fR]
162 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
163 [\fB\-pass\fR \fIval\fR]
164 [\fB\-dcert\fR \fIinfile\fR]
165 [\fB\-dcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
166 [\fB\-dcert_chain\fR \fIinfile\fR]
167 [\fB\-dkey\fR \fIfilename\fR|\fIuri\fR]
168 [\fB\-dkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
169 [\fB\-dpass\fR \fIval\fR]
170 [\fB\-nbio_test\fR]
171 [\fB\-crlf\fR]
172 [\fB\-debug\fR]
173 [\fB\-msg\fR]
174 [\fB\-msgfile\fR \fIoutfile\fR]
175 [\fB\-state\fR]
176 [\fB\-nocert\fR]
177 [\fB\-quiet\fR]
178 [\fB\-no_resume_ephemeral\fR]
179 [\fB\-www\fR]
180 [\fB\-WWW\fR]
181 [\fB\-http_server_binmode\fR]
182 [\fB\-no_ca_names\fR]
183 [\fB\-ignore_unexpected_eof\fR]
184 [\fB\-servername\fR]
185 [\fB\-servername_fatal\fR]
186 [\fB\-tlsextdebug\fR]
187 [\fB\-HTTP\fR]
188 [\fB\-id_prefix\fR \fIval\fR]
189 [\fB\-keymatexport\fR \fIval\fR]
190 [\fB\-keymatexportlen\fR \fI+int\fR]
191 [\fB\-CRL\fR \fIinfile\fR]
192 [\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
193 [\fB\-crl_download\fR]
194 [\fB\-chainCAfile\fR \fIinfile\fR]
195 [\fB\-chainCApath\fR \fIdir\fR]
196 [\fB\-chainCAstore\fR \fIuri\fR]
197 [\fB\-verifyCAfile\fR \fIinfile\fR]
198 [\fB\-verifyCApath\fR \fIdir\fR]
199 [\fB\-verifyCAstore\fR \fIuri\fR]
200 [\fB\-no_cache\fR]
201 [\fB\-ext_cache\fR]
202 [\fB\-verify_return_error\fR]
203 [\fB\-verify_quiet\fR]
204 [\fB\-ign_eof\fR]
205 [\fB\-no_ign_eof\fR]
206 [\fB\-no_etm\fR]
207 [\fB\-status\fR]
208 [\fB\-status_verbose\fR]
209 [\fB\-status_timeout\fR \fIint\fR]
210 [\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR]
211 [\fB\-no_proxy\fR \fIaddresses\fR]
212 [\fB\-status_url\fR \fIval\fR]
213 [\fB\-status_file\fR \fIinfile\fR]
214 [\fB\-ssl_config\fR \fIval\fR]
215 [\fB\-trace\fR]
216 [\fB\-security_debug\fR]
217 [\fB\-security_debug_verbose\fR]
218 [\fB\-brief\fR]
219 [\fB\-rev\fR]
220 [\fB\-async\fR]
221 [\fB\-max_send_frag\fR \fI+int\fR]
222 [\fB\-split_send_frag\fR \fI+int\fR]
223 [\fB\-max_pipelines\fR \fI+int\fR]
224 [\fB\-naccept\fR \fI+int\fR]
225 [\fB\-read_buf\fR \fI+int\fR]
226 [\fB\-bugs\fR]
227 [\fB\-no_comp\fR]
228 [\fB\-comp\fR]
229 [\fB\-no_ticket\fR]
230 [\fB\-serverpref\fR]
231 [\fB\-legacy_renegotiation\fR]
232 [\fB\-no_renegotiation\fR]
233 [\fB\-no_resumption_on_reneg\fR]
234 [\fB\-allow_no_dhe_kex\fR]
235 [\fB\-prioritize_chacha\fR]
236 [\fB\-strict\fR]
237 [\fB\-sigalgs\fR \fIval\fR]
238 [\fB\-client_sigalgs\fR \fIval\fR]
239 [\fB\-groups\fR \fIval\fR]
240 [\fB\-curves\fR \fIval\fR]
241 [\fB\-named_curve\fR \fIval\fR]
242 [\fB\-cipher\fR \fIval\fR]
243 [\fB\-ciphersuites\fR \fIval\fR]
244 [\fB\-dhparam\fR \fIinfile\fR]
245 [\fB\-record_padding\fR \fIval\fR]
246 [\fB\-debug_broken_protocol\fR]
247 [\fB\-nbio\fR]
248 [\fB\-psk_identity\fR \fIval\fR]
249 [\fB\-psk_hint\fR \fIval\fR]
250 [\fB\-psk\fR \fIval\fR]
251 [\fB\-psk_session\fR \fIfile\fR]
252 [\fB\-srpvfile\fR \fIinfile\fR]
253 [\fB\-srpuserseed\fR \fIval\fR]
254 [\fB\-timeout\fR]
255 [\fB\-mtu\fR \fI+int\fR]
256 [\fB\-listen\fR]
257 [\fB\-sctp\fR]
258 [\fB\-sctp_label_bug\fR]
259 [\fB\-use_srtp\fR \fIval\fR]
260 [\fB\-no_dhe\fR]
261 [\fB\-nextprotoneg\fR \fIval\fR]
262 [\fB\-alpn\fR \fIval\fR]
263 [\fB\-sendfile\fR]
264 [\fB\-keylogfile\fR \fIoutfile\fR]
265 [\fB\-recv_max_early_data\fR \fIint\fR]
266 [\fB\-max_early_data\fR \fIint\fR]
267 [\fB\-early_data\fR]
268 [\fB\-stateless\fR]
269 [\fB\-anti_replay\fR]
270 [\fB\-no_anti_replay\fR]
271 [\fB\-num_tickets\fR]
272 [\fB\-nameopt\fR \fIoption\fR]
273 [\fB\-no_ssl3\fR]
274 [\fB\-no_tls1\fR]
275 [\fB\-no_tls1_1\fR]
276 [\fB\-no_tls1_2\fR]
277 [\fB\-no_tls1_3\fR]
278 [\fB\-ssl3\fR]
279 [\fB\-tls1\fR]
280 [\fB\-tls1_1\fR]
281 [\fB\-tls1_2\fR]
282 [\fB\-tls1_3\fR]
283 [\fB\-dtls\fR]
284 [\fB\-dtls1\fR]
285 [\fB\-dtls1_2\fR]
286 [\fB\-allow_proxy_certs\fR]
287 [\fB\-attime\fR \fItimestamp\fR]
288 [\fB\-no_check_time\fR]
289 [\fB\-check_ss_sig\fR]
290 [\fB\-crl_check\fR]
291 [\fB\-crl_check_all\fR]
292 [\fB\-explicit_policy\fR]
293 [\fB\-extended_crl\fR]
294 [\fB\-ignore_critical\fR]
295 [\fB\-inhibit_any\fR]
296 [\fB\-inhibit_map\fR]
297 [\fB\-partial_chain\fR]
298 [\fB\-policy\fR \fIarg\fR]
299 [\fB\-policy_check\fR]
300 [\fB\-policy_print\fR]
301 [\fB\-purpose\fR \fIpurpose\fR]
302 [\fB\-suiteB_128\fR]
303 [\fB\-suiteB_128_only\fR]
304 [\fB\-suiteB_192\fR]
305 [\fB\-trusted_first\fR]
306 [\fB\-no_alt_chains\fR]
307 [\fB\-use_deltas\fR]
308 [\fB\-auth_level\fR \fInum\fR]
309 [\fB\-verify_depth\fR \fInum\fR]
310 [\fB\-verify_email\fR \fIemail\fR]
311 [\fB\-verify_hostname\fR \fIhostname\fR]
312 [\fB\-verify_ip\fR \fIip\fR]
313 [\fB\-verify_name\fR \fIname\fR]
314 [\fB\-x509_strict\fR]
315 [\fB\-issuer_checks\fR]
316 [\fB\-bugs\fR]
317 [\fB\-no_comp\fR]
318 [\fB\-comp\fR]
319 [\fB\-no_ticket\fR]
320 [\fB\-serverpref\fR]
321 [\fB\-client_renegotiation\fR]
322 [\fB\-legacy_renegotiation\fR]
323 [\fB\-no_renegotiation\fR]
324 [\fB\-no_resumption_on_reneg\fR]
325 [\fB\-legacy_server_connect\fR]
326 [\fB\-no_legacy_server_connect\fR]
327 [\fB\-no_etm\fR]
328 [\fB\-allow_no_dhe_kex\fR]
329 [\fB\-prioritize_chacha\fR]
330 [\fB\-strict\fR]
331 [\fB\-sigalgs\fR \fIalgs\fR]
332 [\fB\-client_sigalgs\fR \fIalgs\fR]
333 [\fB\-groups\fR \fIgroups\fR]
334 [\fB\-curves\fR \fIcurves\fR]
335 [\fB\-named_curve\fR \fIcurve\fR]
336 [\fB\-cipher\fR \fIciphers\fR]
337 [\fB\-ciphersuites\fR \fI1.3ciphers\fR]
338 [\fB\-min_protocol\fR \fIminprot\fR]
339 [\fB\-max_protocol\fR \fImaxprot\fR]
340 [\fB\-record_padding\fR \fIpadding\fR]
341 [\fB\-debug_broken_protocol\fR]
342 [\fB\-no_middlebox\fR]
343 [\fB\-xkey\fR \fIinfile\fR]
344 [\fB\-xcert\fR \fIfile\fR]
345 [\fB\-xchain\fR \fIfile\fR]
346 [\fB\-xchain_build\fR \fIfile\fR]
347 [\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
348 [\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
349 [\fB\-CAfile\fR \fIfile\fR]
350 [\fB\-no\-CAfile\fR]
351 [\fB\-CApath\fR \fIdir\fR]
352 [\fB\-no\-CApath\fR]
353 [\fB\-CAstore\fR \fIuri\fR]
354 [\fB\-no\-CAstore\fR]
355 [\fB\-rand\fR \fIfiles\fR]
356 [\fB\-writerand\fR \fIfile\fR]
357 [\fB\-engine\fR \fIid\fR]
358 [\fB\-provider\fR \fIname\fR]
359 [\fB\-provider\-path\fR \fIpath\fR]
360 [\fB\-propquery\fR \fIpropq\fR]
363 This command implements a generic \s-1SSL/TLS\s0 server which
364 listens for connections on a given port using \s-1SSL/TLS.\s0
370 .IP "\fB\-help\fR" 4
371 .IX Item "-help"
373 .IP "\fB\-port\fR \fI+int\fR" 4
374 .IX Item "-port +int"
375 The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
376 .IP "\fB\-accept\fR \fIval\fR" 4
377 .IX Item "-accept val"
378 The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is use…
379 .IP "\fB\-unix\fR \fIval\fR" 4
380 .IX Item "-unix val"
382 .IP "\fB\-4\fR" 4
383 .IX Item "-4"
385 .IP "\fB\-6\fR" 4
386 .IX Item "-6"
388 .IP "\fB\-unlink\fR" 4
389 .IX Item "-unlink"
390 For \-unix, unlink any existing socket first.
391 .IP "\fB\-context\fR \fIval\fR" 4
392 .IX Item "-context val"
393 Sets the \s-1SSL\s0 context id. It can be given any string value. If this option
395 .IP "\fB\-verify\fR \fIint\fR, \fB\-Verify\fR \fIint\fR" 4
396 .IX Item "-verify int, -Verify int"
399 the client. With the \fB\-verify\fR option a certificate is requested but the
400 client does not have to send one, with the \fB\-Verify\fR option the client
404 anonymous cipher suite or \s-1PSK\s0) this option has no effect.
405 .IP "\fB\-cert\fR \fIinfile\fR" 4
406 .IX Item "-cert infile"
409 for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
410 (\s-1DSA\s0) key. If not specified then the filename \fIserver.pem\fR will be used.
411 .IP "\fB\-cert2\fR \fIinfile\fR" 4
412 .IX Item "-cert2 infile"
414 .IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
415 .IX Item "-certform DER|PEM|P12"
417 See \fBopenssl\-format\-options\fR\|(1) for details.
418 .IP "\fB\-cert_chain\fR" 4
419 .IX Item "-cert_chain"
420 A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
421 certificate chain related to the certificate specified via the \fB\-cert\fR option.
422 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
423 .IP "\fB\-build_chain\fR" 4
424 .IX Item "-build_chain"
427 .IP "\fB\-serverinfo\fR \fIval\fR" 4
428 .IX Item "-serverinfo val"
429 A file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block
430 must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
431 followed by \*(L"length\*(R" bytes of extension data). If the client sends
432 an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
433 ServerHello extension will be returned.
434 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
435 .IX Item "-key filename|uri"
438 .IP "\fB\-key2\fR \fIfilename\fR|\fIuri\fR" 4
439 .IX Item "-key2 filename|uri"
440 The private key file to use for servername if not given via \fB\-cert2\fR.
441 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
442 .IX Item "-keyform DER|PEM|P12|ENGINE"
444 See \fBopenssl\-format\-options\fR\|(1) for details.
445 .IP "\fB\-pass\fR \fIval\fR" 4
446 .IX Item "-pass val"
449 see \fBopenssl\-passphrase\-options\fR\|(1).
450 .IP "\fB\-dcert\fR \fIinfile\fR, \fB\-dkey\fR \fIfilename\fR|\fIuri\fR" 4
451 .IX Item "-dcert infile, -dkey filename|uri"
453 same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
456 a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
457 and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
458 a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
460 .IP "\fB\-dcert_chain\fR" 4
461 .IX Item "-dcert_chain"
462 A file or \s-1URI\s0 of untrusted certificates to use when attempting to build the
463 server certificate chain when a certificate specified via the \fB\-dcert\fR option
465 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
466 .IP "\fB\-dcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
467 .IX Item "-dcertform DER|PEM|P12"
469 See \fBopenssl\-format\-options\fR\|(1) for details.
470 .IP "\fB\-dkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
471 .IX Item "-dkeyform DER|PEM|P12|ENGINE"
473 See \fBopenssl\-format\-options\fR\|(1) for details.
474 .IP "\fB\-dpass\fR \fIval\fR" 4
475 .IX Item "-dpass val"
478 see \fBopenssl\-passphrase\-options\fR\|(1).
479 .IP "\fB\-nbio_test\fR" 4
480 .IX Item "-nbio_test"
482 .IP "\fB\-crlf\fR" 4
483 .IX Item "-crlf"
484 This option translates a line feed from the terminal into \s-1CR+LF.\s0
485 .IP "\fB\-debug\fR" 4
486 .IX Item "-debug"
488 .IP "\fB\-security_debug\fR" 4
489 .IX Item "-security_debug"
490 Print output from \s-1SSL/TLS\s0 security framework.
491 .IP "\fB\-security_debug_verbose\fR" 4
492 .IX Item "-security_debug_verbose"
493 Print more output from \s-1SSL/TLS\s0 security framework.
494 .IP "\fB\-msg\fR" 4
495 .IX Item "-msg"
497 .IP "\fB\-msgfile\fR \fIoutfile\fR" 4
498 .IX Item "-msgfile outfile"
499 File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
500 .IP "\fB\-state\fR" 4
501 .IX Item "-state"
502 Prints the \s-1SSL\s0 session states.
503 .IP "\fB\-CRL\fR \fIinfile\fR" 4
504 .IX Item "-CRL infile"
505 The \s-1CRL\s0 file to use.
506 .IP "\fB\-CRLform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
507 .IX Item "-CRLform DER|PEM"
508 The \s-1CRL\s0 file format; unspecified by default.
509 See \fBopenssl\-format\-options\fR\|(1) for details.
510 .IP "\fB\-crl_download\fR" 4
511 .IX Item "-crl_download"
512 Download CRLs from distribution points given in \s-1CDP\s0 extensions of certificates
513 .IP "\fB\-verifyCAfile\fR \fIfilename\fR" 4
514 .IX Item "-verifyCAfile filename"
515 A \s-1CA\s0 file in \s-1PEM\s0 format containing trusted certificates to use
517 .IP "\fB\-verifyCApath\fR \fIdir\fR" 4
518 .IX Item "-verifyCApath dir"
522 see \fBopenssl\-verify\fR\|(1) for more information.
523 .IP "\fB\-verifyCAstore\fR \fIuri\fR" 4
524 .IX Item "-verifyCAstore uri"
525 The \s-1URI\s0 of a store containing trusted certificates to use
527 .IP "\fB\-chainCAfile\fR \fIfile\fR" 4
528 .IX Item "-chainCAfile file"
529 A file in \s-1PEM\s0 format containing trusted certificates to use
531 .IP "\fB\-chainCApath\fR \fIdir\fR" 4
532 .IX Item "-chainCApath dir"
536 see \fBopenssl\-verify\fR\|(1) for more information.
537 .IP "\fB\-chainCAstore\fR \fIuri\fR" 4
538 .IX Item "-chainCAstore uri"
539 The \s-1URI\s0 of a store containing trusted certificates to use
541 The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
542 With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-chainCAfile\fR or
543 \&\fB\-chainCApath\fR, depending on if the \s-1URI\s0 indicates a directory or a
545 See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
546 .IP "\fB\-nocert\fR" 4
547 .IX Item "-nocert"
550 \&\s-1DH\s0).
551 .IP "\fB\-quiet\fR" 4
552 .IX Item "-quiet"
554 .IP "\fB\-no_resume_ephemeral\fR" 4
555 .IX Item "-no_resume_ephemeral"
556 Disable caching and tickets if ephemeral (\s-1EC\s0)DH is used.
557 .IP "\fB\-tlsextdebug\fR" 4
558 .IX Item "-tlsextdebug"
559 Print a hex dump of any \s-1TLS\s0 extensions received from the server.
560 .IP "\fB\-www\fR" 4
561 .IX Item "-www"
564 The output is in \s-1HTML\s0 format so this option can be used with a web browser.
565 The special \s-1URL\s0 \f(CW\*(C`/renegcert\*(C'\fR turns on client cert validation, and \f(CW\*(C`…
567 The \fB\-early_data\fR option cannot be used with this option.
568 .IP "\fB\-WWW\fR, \fB\-HTTP\fR" 4
569 .IX Item "-WWW, -HTTP"
571 current directory, for example if the \s-1URL\s0 \f(CW\*(C`https://myhost/page.html\*(C'\fR is
573 If the \fB\-HTTP\fR flag is used, the files are sent directly, and should contain
574 any \s-1HTTP\s0 response headers (including status response line).
575 If the \fB\-WWW\fR option is used,
576 the response headers are generated by the server, and the file extension is
577 examined to determine the \fBContent-Type\fR header.
580 In addition, the special \s-1URL\s0 \f(CW\*(C`/stats\*(C'\fR will return status
581 information like the \fB\-www\fR option.
582 Neither of these options can be used in conjunction with \fB\-early_data\fR.
583 .IP "\fB\-http_server_binmode\fR" 4
584 .IX Item "-http_server_binmode"
585 When acting as a web server (using option \fB\-WWW\fR or \fB\-HTTP\fR) open files requested
587 .IP "\fB\-no_ca_names\fR" 4
588 .IX Item "-no_ca_names"
589 Disable \s-1TLS\s0 Extension \s-1CA\s0 Names. You may want to disable it for security reasons
590 or for compatibility with some Windows \s-1TLS\s0 implementations crashing when this
591 extension is larger than 1024 bytes.
592 .IP "\fB\-ignore_unexpected_eof\fR" 4
593 .IX Item "-ignore_unexpected_eof"
594 Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
600 .IP "\fB\-servername\fR" 4
601 .IX Item "-servername"
602 Servername for HostName \s-1TLS\s0 extension.
603 .IP "\fB\-servername_fatal\fR" 4
604 .IX Item "-servername_fatal"
606 .IP "\fB\-id_prefix\fR \fIval\fR" 4
607 .IX Item "-id_prefix val"
608 Generate \s-1SSL/TLS\s0 session IDs prefixed by \fIval\fR. This is mostly useful
609 for testing any \s-1SSL/TLS\s0 code (e.g. proxies) that wish to deal with multiple
612 .IP "\fB\-keymatexport\fR" 4
613 .IX Item "-keymatexport"
615 .IP "\fB\-keymatexportlen\fR" 4
616 .IX Item "-keymatexportlen"
618 .IP "\fB\-no_cache\fR" 4
619 .IX Item "-no_cache"
621 .IP "\fB\-ext_cache\fR" 4
622 .IX Item "-ext_cache"
624 .IP "\fB\-verify_return_error\fR" 4
625 .IX Item "-verify_return_error"
629 .IP "\fB\-verify_quiet\fR" 4
630 .IX Item "-verify_quiet"
632 .IP "\fB\-ign_eof\fR" 4
633 .IX Item "-ign_eof"
634 Ignore input \s-1EOF\s0 (default: when \fB\-quiet\fR).
635 .IP "\fB\-no_ign_eof\fR" 4
636 .IX Item "-no_ign_eof"
637 Do not ignore input \s-1EOF.\s0
638 .IP "\fB\-no_etm\fR" 4
639 .IX Item "-no_etm"
640 Disable Encrypt-then-MAC negotiation.
641 .IP "\fB\-status\fR" 4
642 .IX Item "-status"
643 Enables certificate status request support (aka \s-1OCSP\s0 stapling).
644 .IP "\fB\-status_verbose\fR" 4
645 .IX Item "-status_verbose"
646 Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives
647 a verbose printout of the \s-1OCSP\s0 response.
648 .IP "\fB\-status_timeout\fR \fIint\fR" 4
649 .IX Item "-status_timeout int"
650 Sets the timeout for \s-1OCSP\s0 response to \fIint\fR seconds.
651 .IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path]\fR" 4
652 .IX Item "-proxy [http[s]://][userinfo@]host[:port][/path]"
653 The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1OCSP\s0 server unless \fB\-no_proxy\fR
659 in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS…
660 .IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
661 .IX Item "-no_proxy addresses"
662 List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
663 not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
666 .IP "\fB\-status_url\fR \fIval\fR" 4
667 .IX Item "-status_url val"
668 Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
671 The optional userinfo and fragment \s-1URL\s0 components are ignored.
673 .IP "\fB\-status_file\fR \fIinfile\fR" 4
674 .IX Item "-status_file infile"
675 Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the
676 \&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format.
677 .IP "\fB\-ssl_config\fR \fIval\fR" 4
678 .IX Item "-ssl_config val"
679 Configure \s-1SSL_CTX\s0 using the given configuration value.
680 .IP "\fB\-trace\fR" 4
681 .IX Item "-trace"
682 Show verbose trace output of protocol messages.
683 .IP "\fB\-brief\fR" 4
684 .IX Item "-brief"
687 .IP "\fB\-rev\fR" 4
688 .IX Item "-rev"
689 Simple echo server that sends back received text reversed. Also sets \fB\-brief\fR.
690 Cannot be used in conjunction with \fB\-early_data\fR.
691 .IP "\fB\-async\fR" 4
692 .IX Item "-async"
695 is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
697 .IP "\fB\-max_send_frag\fR \fI+int\fR" 4
698 .IX Item "-max_send_frag +int"
701 .IP "\fB\-split_send_frag\fR \fI+int\fR" 4
702 .IX Item "-split_send_frag +int"
709 .IP "\fB\-max_pipelines\fR \fI+int\fR" 4
710 .IX Item "-max_pipelines +int"
715 .IP "\fB\-naccept\fR \fI+int\fR" 4
716 .IX Item "-naccept +int"
719 .IP "\fB\-read_buf\fR \fI+int\fR" 4
720 .IX Item "-read_buf +int"
721 The default read buffer size to be used for connections. This will only have an
722 effect if the buffer size is larger than the size that would otherwise be used
725 .IP "\fB\-bugs\fR" 4
726 .IX Item "-bugs"
727 There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
729 .IP "\fB\-no_comp\fR" 4
730 .IX Item "-no_comp"
731 Disable negotiation of \s-1TLS\s0 compression.
732 \&\s-1TLS\s0 compression is not recommended and is off by default as of
734 .IP "\fB\-comp\fR" 4
735 .IX Item "-comp"
736 Enable negotiation of \s-1TLS\s0 compression.
738 \&\s-1TLS\s0 compression is not recommended and is off by default as of
740 .IP "\fB\-no_ticket\fR" 4
741 .IX Item "-no_ticket"
743 is negotiated. See \fB\-num_tickets\fR.
744 .IP "\fB\-num_tickets\fR" 4
745 .IX Item "-num_tickets"
749 .IP "\fB\-serverpref\fR" 4
750 .IX Item "-serverpref"
752 .IP "\fB\-prioritize_chacha\fR" 4
753 .IX Item "-prioritize_chacha"
754 Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR.
755 .IP "\fB\-no_resumption_on_reneg\fR" 4
756 .IX Item "-no_resumption_on_reneg"
757 Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option.
758 .IP "\fB\-client_sigalgs\fR \fIval\fR" 4
759 .IX Item "-client_sigalgs val"
761 (colon-separated list).
762 .IP "\fB\-named_curve\fR \fIval\fR" 4
763 .IX Item "-named_curve val"
764 Specifies the elliptic curve to use. \s-1NOTE:\s0 this is a single curve, not a list.
768 \& $ openssl ecparam \-list_curves
770 .IP "\fB\-cipher\fR \fIval\fR" 4
771 .IX Item "-cipher val"
777 \&\fBopenssl\-ciphers\fR\|(1) for more information.
778 .IP "\fB\-ciphersuites\fR \fIval\fR" 4
779 .IX Item "-ciphersuites val"
785 \&\fBopenssl\-ciphers\fR\|(1) command for more information. The format for this list is
787 .IP "\fB\-dhparam\fR \fIinfile\fR" 4
788 .IX Item "-dhparam infile"
789 The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
790 using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
794 .IP "\fB\-nbio\fR" 4
795 .IX Item "-nbio"
797 .IP "\fB\-timeout\fR" 4
798 .IX Item "-timeout"
800 .IP "\fB\-mtu\fR" 4
801 .IX Item "-mtu"
802 Set link-layer \s-1MTU.\s0
803 .IP "\fB\-psk_identity\fR \fIval\fR" 4
804 .IX Item "-psk_identity val"
805 Expect the client to send \s-1PSK\s0 identity \fIval\fR when using a \s-1PSK\s0
806 cipher suite, and warn if they do not. By default, the expected \s-1PSK\s0
808 .IP "\fB\-psk_hint\fR \fIval\fR" 4
809 .IX Item "-psk_hint val"
810 Use the \s-1PSK\s0 identity hint \fIval\fR when using a \s-1PSK\s0 cipher suite.
811 .IP "\fB\-psk\fR \fIval\fR" 4
812 .IX Item "-psk val"
813 Use the \s-1PSK\s0 key \fIval\fR when using a \s-1PSK\s0 cipher suite. The key is
814 given as a hexadecimal number without leading 0x, for example \-psk
816 This option must be provided in order to use a \s-1PSK\s0 cipher.
817 .IP "\fB\-psk_session\fR \fIfile\fR" 4
818 .IX Item "-psk_session file"
819 Use the \s-1PEM\s0-encoded \s-1SSL_SESSION\s0 data stored in \fIfile\fR as the basis of a \s-1PSK.\s0
821 .IP "\fB\-srpvfile\fR" 4
822 .IX Item "-srpvfile"
823 The verifier file for \s-1SRP.\s0
825 .IP "\fB\-srpuserseed\fR" 4
826 .IX Item "-srpuserseed"
829 .IP "\fB\-listen\fR" 4
830 .IX Item "-listen"
831 This option can only be used in conjunction with one of the \s-1DTLS\s0 options above.
832 With this option, this command will listen on a \s-1UDP\s0 port for incoming
839 .IP "\fB\-sctp\fR" 4
840 .IX Item "-sctp"
841 Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
842 conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
843 available where OpenSSL has support for \s-1SCTP\s0 enabled.
844 .IP "\fB\-sctp_label_bug\fR" 4
845 .IX Item "-sctp_label_bug"
847 endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
849 implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
850 available where OpenSSL has support for \s-1SCTP\s0 enabled.
851 .IP "\fB\-use_srtp\fR" 4
852 .IX Item "-use_srtp"
853 Offer \s-1SRTP\s0 key management with a colon-separated profile list.
854 .IP "\fB\-no_dhe\fR" 4
855 .IX Item "-no_dhe"
856 If this option is set then no \s-1DH\s0 parameters will be loaded, effectively
857 disabling the ephemeral \s-1DH\s0 cipher suites.
858 .IP "\fB\-alpn\fR \fIval\fR, \fB\-nextprotoneg\fR \fIval\fR" 4
859 .IX Item "-alpn val, -nextprotoneg val"
860 These flags enable the Application-Layer Protocol Negotiation
861 or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
862 \&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
863 The \fIval\fR list is a comma-separated list of supported protocol
865 Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
867 The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
868 .IP "\fB\-sendfile\fR" 4
869 .IX Item "-sendfile"
870 If this option is set and \s-1KTLS\s0 is enabled, \fBSSL_sendfile()\fR will be used
871 instead of \fBBIO_write()\fR to send the \s-1HTTP\s0 response requested by a client.
872 This option is only valid if \fB\-WWW\fR or \fB\-HTTP\fR is specified.
873 .IP "\fB\-keylogfile\fR \fIoutfile\fR" 4
874 .IX Item "-keylogfile outfile"
875 Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
876 (like Wireshark) can decrypt \s-1TLS\s0 connections. Anyone who can read this file can decrypt the recorded connections, so restrict access to it.
877 .IP "\fB\-max_early_data\fR \fIint\fR" 4
878 .IX Item "-max_early_data int"
880 and any incoming early data (when used in conjunction with the \fB\-early_data\fR
883 .IP "\fB\-recv_max_early_data\fR \fIint\fR" 4
884 .IX Item "-recv_max_early_data int"
887 .IP "\fB\-early_data\fR" 4
888 .IX Item "-early_data"
889 Accept early data where possible. Cannot be used in conjunction with \fB\-www\fR,
890 \&\fB\-WWW\fR, \fB\-HTTP\fR or \fB\-rev\fR.
891 .IP "\fB\-stateless\fR" 4
892 .IX Item "-stateless"
894 .IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
895 .IX Item "-anti_replay, -no_anti_replay"
902 .IP "\fB\-nameopt\fR \fIoption\fR" 4
903 .IX Item "-nameopt option"
905 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
906 …-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR, \fB\-ssl3\f…
907 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3, -ssl3, -tls1, -tls1_1, -tls1_2, -…
908 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
909 .IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
910 .IX Item "-dtls, -dtls1, -dtls1_2"
911 These specify the use of \s-1DTLS\s0 instead of \s-1TLS.\s0
912 See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
913 …-bugs\fR, \fB\-comp\fR, \fB\-no_comp\fR, \fB\-no_ticket\fR, \fB\-serverpref\fR, \fB\-client_renego…
914 …-bugs, -comp, -no_comp, -no_ticket, -serverpref, -client_renegotiation, -legacy_renegotiation, -no…
915 See \*(L"\s-1SUPPORTED COMMAND LINE COMMANDS\*(R"\s0 in \fBSSL_CONF_cmd\fR\|(3) for details.
916 …-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIfile\fR, \fB\-xchain\fR \fIfile\fR, \fB\-xchain_build\fR \…
917 .IX Item "-xkey infile, -xcert file, -xchain file, -xchain_build file, -xcertform DER|PEM, -xkeyfor…
919 See \*(L"Extended Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for detail…
920 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \…
921 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
922 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
923 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
924 .IX Item "-rand files, -writerand file"
926 .IP "\fB\-engine\fR \fIid\fR" 4
927 .IX Item "-engine id"
930 .IP "\fB\-provider\fR \fIname\fR" 4
931 .IX Item "-provider name"
933 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
934 .IX Item "-provider-path path"
935 .IP "\fB\-propquery\fR \fIpropq\fR" 4
936 .IX Item "-propquery propq"
939 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
940 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
942 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
946 proceed unless the \fB\-verify_return_error\fR option is used.
949 If a connection request is established with an \s-1SSL\s0 client and neither the
950 \&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
958 End the current \s-1SSL\s0 connection but still accept new connections.
961 End the current \s-1SSL\s0 connection and exit.
964 Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
967 Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below
971 Send some plain text down the underlying \s-1TCP\s0 connection: this should
987 This command can be used to debug \s-1SSL\s0 clients. To accept connections
991 \& openssl s_server \-accept 443 \-www
997 is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
998 mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
1000 The session parameters can be printed out using the \fBopenssl\-sess_id\fR\|(1) command.
1006 A typical \s-1SSL\s0 server program would be much simpler.
1016 \&\fBopenssl\-sess_id\fR\|(1),
1017 \&\fBopenssl\-s_client\fR\|(1),
1018 \&\fBopenssl\-ciphers\fR\|(1),
1023 \&\fBossl_store\-file\fR\|(7)
1026 The \-no_alt_chains option was added in OpenSSL 1.1.0.
1029 \&\-allow_no_dhe_kex and \-prioritize_chacha options were added in OpenSSL 1.1.1.
1031 The \fB\-srpvfile\fR, \fB\-srpuserseed\fR, and \fB\-engine\fR
1035 Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
1039 in the file \s-1LICENSE\s0 in the source distribution or at