xref: /freebsd/crypto/openssl/doc/man1/openssl-s_server.pod.in (revision 401ab69cff8fa2320a9f8ea4baa114a6da6c952b)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-s_server - SSL/TLS server program
7
8=head1 SYNOPSIS
9
10B<openssl> B<s_server>
11[B<-help>]
12[B<-port> I<+int>]
13[B<-accept> I<val>]
14[B<-unix> I<val>]
15[B<-4>]
16[B<-6>]
17[B<-unlink>]
18[B<-context> I<val>]
19[B<-verify> I<int>]
20[B<-Verify> I<int>]
21[B<-cert> I<infile>]
22[B<-cert2> I<infile>]
23[B<-certform> B<DER>|B<PEM>|B<P12>]
24[B<-cert_chain> I<infile>]
25[B<-build_chain>]
26[B<-serverinfo> I<val>]
27[B<-key> I<filename>|I<uri>]
28[B<-key2> I<filename>|I<uri>]
29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
30[B<-pass> I<val>]
31[B<-dcert> I<infile>]
32[B<-dcertform> B<DER>|B<PEM>|B<P12>]
33[B<-dcert_chain> I<infile>]
34[B<-dkey> I<filename>|I<uri>]
35[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
36[B<-dpass> I<val>]
37[B<-nbio_test>]
38[B<-crlf>]
39[B<-debug>]
40[B<-msg>]
41[B<-msgfile> I<outfile>]
42[B<-state>]
43[B<-nocert>]
44[B<-quiet>]
45[B<-no_resume_ephemeral>]
46[B<-www>]
47[B<-WWW>]
48[B<-http_server_binmode>]
49[B<-no_ca_names>]
50[B<-ignore_unexpected_eof>]
51[B<-servername>]
52[B<-servername_fatal>]
53[B<-tlsextdebug>]
54[B<-HTTP>]
55[B<-id_prefix> I<val>]
56[B<-keymatexport> I<val>]
57[B<-keymatexportlen> I<+int>]
58[B<-CRL> I<infile>]
59[B<-CRLform> B<DER>|B<PEM>]
60[B<-crl_download>]
61[B<-chainCAfile> I<infile>]
62[B<-chainCApath> I<dir>]
63[B<-chainCAstore> I<uri>]
64[B<-verifyCAfile> I<infile>]
65[B<-verifyCApath> I<dir>]
66[B<-verifyCAstore> I<uri>]
67[B<-no_cache>]
68[B<-ext_cache>]
69[B<-verify_return_error>]
70[B<-verify_quiet>]
71[B<-ign_eof>]
72[B<-no_ign_eof>]
73[B<-no_etm>]
74[B<-status>]
75[B<-status_verbose>]
76[B<-status_timeout> I<int>]
77[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
78[B<-no_proxy> I<addresses>]
79[B<-status_url> I<val>]
80[B<-status_file> I<infile>]
81[B<-ssl_config> I<val>]
82[B<-trace>]
83[B<-security_debug>]
84[B<-security_debug_verbose>]
85[B<-brief>]
86[B<-rev>]
87[B<-async>]
88[B<-max_send_frag> I<+int>]
89[B<-split_send_frag> I<+int>]
90[B<-max_pipelines> I<+int>]
91[B<-naccept> I<+int>]
92[B<-read_buf> I<+int>]
93[B<-bugs>]
94[B<-no_comp>]
95[B<-comp>]
96[B<-no_ticket>]
97[B<-serverpref>]
98[B<-legacy_renegotiation>]
99[B<-no_renegotiation>]
100[B<-no_resumption_on_reneg>]
101[B<-allow_no_dhe_kex>]
102[B<-prioritize_chacha>]
103[B<-strict>]
104[B<-sigalgs> I<val>]
105[B<-client_sigalgs> I<val>]
106[B<-groups> I<val>]
107[B<-curves> I<val>]
108[B<-named_curve> I<val>]
109[B<-cipher> I<val>]
110[B<-ciphersuites> I<val>]
111[B<-dhparam> I<infile>]
112[B<-record_padding> I<val>]
113[B<-debug_broken_protocol>]
114[B<-nbio>]
115[B<-psk_identity> I<val>]
116[B<-psk_hint> I<val>]
117[B<-psk> I<val>]
118[B<-psk_session> I<file>]
119[B<-srpvfile> I<infile>]
120[B<-srpuserseed> I<val>]
121[B<-timeout>]
122[B<-mtu> I<+int>]
123[B<-listen>]
124[B<-sctp>]
125[B<-sctp_label_bug>]
126[B<-use_srtp> I<val>]
127[B<-no_dhe>]
128[B<-nextprotoneg> I<val>]
129[B<-alpn> I<val>]
130[B<-sendfile>]
131[B<-keylogfile> I<outfile>]
132[B<-recv_max_early_data> I<int>]
133[B<-max_early_data> I<int>]
134[B<-early_data>]
135[B<-stateless>]
136[B<-anti_replay>]
137[B<-no_anti_replay>]
138[B<-num_tickets>]
139{- $OpenSSL::safe::opt_name_synopsis -}
140{- $OpenSSL::safe::opt_version_synopsis -}
141{- $OpenSSL::safe::opt_v_synopsis -}
142{- $OpenSSL::safe::opt_s_synopsis -}
143{- $OpenSSL::safe::opt_x_synopsis -}
144{- $OpenSSL::safe::opt_trust_synopsis -}
145{- $OpenSSL::safe::opt_r_synopsis -}
146{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
147
148=head1 DESCRIPTION
149
150This command implements a generic SSL/TLS server which
151listens for connections on a given port using SSL/TLS.
152
153=head1 OPTIONS
154
155In addition to the options below, this command also supports
156the common and server only options documented
157L<SSL_CONF_cmd(3)/Supported Command Line Commands>
158
159=over 4
160
161=item B<-help>
162
163Print out a usage message.
164
165=item B<-port> I<+int>
166
167The TCP port to listen on for connections. If not specified 4433 is used.
168
169=item B<-accept> I<val>
170
171The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
172
173=item B<-unix> I<val>
174
175Unix domain socket to accept on.
176
177=item B<-4>
178
179Use IPv4 only.
180
181=item B<-6>
182
183Use IPv6 only.
184
185=item B<-unlink>
186
187For -unix, unlink any existing socket first.
188
189=item B<-context> I<val>
190
191Sets the SSL context id. It can be given any string value. If this option
192is not present a default value will be used.
193
194=item B<-verify> I<int>, B<-Verify> I<int>
195
196The verify depth to use. This specifies the maximum length of the
197client certificate chain and makes the server request a certificate from
198the client. With the B<-verify> option a certificate is requested but the
199client does not have to send one, with the B<-Verify> option the client
200must supply a certificate or an error occurs.
201
202If the cipher suite cannot request a client certificate (for example an
203anonymous cipher suite or PSK) this option has no effect.
204
205=item B<-cert> I<infile>
206
207The certificate to use, most servers cipher suites require the use of a
208certificate and some require a certificate with a certain public key type:
209for example the DSS cipher suites require a certificate containing a DSS
210(DSA) key. If not specified then the filename F<server.pem> will be used.
211
212=item B<-cert2> I<infile>
213
214The certificate file to use for servername; default is C<server2.pem>.
215
216=item B<-certform> B<DER>|B<PEM>|B<P12>
217
218The server certificate file format; unspecified by default.
219See L<openssl-format-options(1)> for details.
220
221=item B<-cert_chain>
222
223A file or URI of untrusted certificates to use when attempting to build the
224certificate chain related to the certificate specified via the B<-cert> option.
225The input can be in PEM, DER, or PKCS#12 format.
226
227=item B<-build_chain>
228
229Specify whether the application should build the server certificate chain to be
230provided to the client.
231
232=item B<-serverinfo> I<val>
233
234A file containing one or more blocks of PEM data.  Each PEM block
235must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
236followed by "length" bytes of extension data).  If the client sends
237an empty TLS ClientHello extension matching the type, the corresponding
238ServerHello extension will be returned.
239
240=item B<-key> I<filename>|I<uri>
241
242The private key to use. If not specified then the certificate file will
243be used.
244
245=item B<-key2> I<filename>|I<uri>
246
247The private Key file to use for servername if not given via B<-cert2>.
248
249=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
250
251The key format; unspecified by default.
252See L<openssl-format-options(1)> for details.
253
254=item B<-pass> I<val>
255
256The private key and certificate file password source.
257For more information about the format of I<val>,
258see L<openssl-passphrase-options(1)>.
259
260=item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri>
261
262Specify an additional certificate and private key, these behave in the
263same manner as the B<-cert> and B<-key> options except there is no default
264if they are not specified (no additional certificate and key is used). As
265noted above some cipher suites require a certificate containing a key of
266a certain type. Some cipher suites need a certificate carrying an RSA key
267and some a DSS (DSA) key. By using RSA and DSS certificates and keys
268a server can support clients which only support RSA or DSS cipher suites
269by using an appropriate certificate.
270
271=item B<-dcert_chain>
272
273A file or URI of untrusted certificates to use when attempting to build the
274server certificate chain when a certificate specified via the B<-dcert> option
275is in use.
276The input can be in PEM, DER, or PKCS#12 format.
277
278=item B<-dcertform> B<DER>|B<PEM>|B<P12>
279
280The format of the additional certificate file; unspecified by default.
281See L<openssl-format-options(1)> for details.
282
283=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
284
285The format of the additional private key; unspecified by default.
286See L<openssl-format-options(1)> for details.
287
288=item B<-dpass> I<val>
289
290The passphrase for the additional private key and certificate.
291For more information about the format of I<val>,
292see L<openssl-passphrase-options(1)>.
293
294=item B<-nbio_test>
295
296Tests non blocking I/O.
297
298=item B<-crlf>
299
300This option translated a line feed from the terminal into CR+LF.
301
302=item B<-debug>
303
304Print extensive debugging information including a hex dump of all traffic.
305
306=item B<-security_debug>
307
308Print output from SSL/TLS security framework.
309
310=item B<-security_debug_verbose>
311
312Print more output from SSL/TLS security framework
313
314=item B<-msg>
315
316Show all protocol messages with hex dump.
317
318=item B<-msgfile> I<outfile>
319
320File to send output of B<-msg> or B<-trace> to, default standard output.
321
322=item B<-state>
323
324Prints the SSL session states.
325
326=item B<-CRL> I<infile>
327
328The CRL file to use.
329
330=item B<-CRLform> B<DER>|B<PEM>
331
332The CRL file format; unspecified by default.
333See L<openssl-format-options(1)> for details.
334
335=item B<-crl_download>
336
337Download CRLs from distribution points given in CDP extensions of certificates
338
339=item B<-verifyCAfile> I<filename>
340
341A file in PEM format CA containing trusted certificates to use
342for verifying client certificates.
343
344=item B<-verifyCApath> I<dir>
345
346A directory containing trusted certificates to use
347for verifying client certificates.
348This directory must be in "hash format",
349see L<openssl-verify(1)> for more information.
350
351=item B<-verifyCAstore> I<uri>
352
353The URI of a store containing trusted certificates to use
354for verifying client certificates.
355
356=item B<-chainCAfile> I<file>
357
358A file in PEM format containing trusted certificates to use
359when attempting to build the server certificate chain.
360
361=item B<-chainCApath> I<dir>
362
363A directory containing trusted certificates to use
364for building the server certificate chain provided to the client.
365This directory must be in "hash format",
366see L<openssl-verify(1)> for more information.
367
368=item B<-chainCAstore> I<uri>
369
370The URI of a store containing trusted certificates to use
371for building the server certificate chain provided to the client.
372The URI may indicate a single certificate, as well as a collection of them.
373With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
374B<-chainCApath>, depending on if the URI indicates a directory or a
375single file.
376See L<ossl_store-file(7)> for more information on the C<file:> scheme.
377
378=item B<-nocert>
379
380If this option is set then no certificate is used. This restricts the
381cipher suites available to the anonymous ones (currently just anonymous
382DH).
383
384=item B<-quiet>
385
386Inhibit printing of session and certificate information.
387
388=item B<-no_resume_ephemeral>
389
390Disable caching and tickets if ephemeral (EC)DH is used.
391
392=item B<-tlsextdebug>
393
394Print a hex dump of any TLS extensions received from the server.
395
396=item B<-www>
397
398Sends a status message back to the client when it connects. This includes
399information about the ciphers used and various session parameters.
400The output is in HTML format so this option can be used with a web browser.
401The special URL C</renegcert> turns on client cert validation, and C</reneg>
402tells the server to request renegotiation.
403The B<-early_data> option cannot be used with this option.
404
405=item B<-WWW>, B<-HTTP>
406
407Emulates a simple web server. Pages will be resolved relative to the
408current directory, for example if the URL C<https://myhost/page.html> is
409requested the file F<./page.html> will be sent.
410If the B<-HTTP> flag is used, the files are sent directly, and should contain
411any HTTP response headers (including status response line).
412If the B<-WWW> option is used,
413the response headers are generated by the server, and the file extension is
414examined to determine the B<Content-Type> header.
415Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
416C<text/plain>.
417In addition, the special URL C</stats> will return status
418information like the B<-www> option.
419Neither of these options can be used in conjunction with B<-early_data>.
420
421=item B<-http_server_binmode>
422
423When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
424by the client in binary mode.
425
426=item B<-no_ca_names>
427
428Disable TLS Extension CA Names. You may want to disable it for security reasons
429or for compatibility with some Windows TLS implementations crashing when this
430extension is larger than 1024 bytes.
431
432=item B<-ignore_unexpected_eof>
433
434Some TLS implementations do not send the mandatory close_notify alert on
435shutdown. If the application tries to wait for the close_notify alert but the
436peer closes the connection without sending it, an error is generated. When this
437option is enabled the peer does not need to send the close_notify alert and a
438closed connection will be treated as if the close_notify alert was received.
439For more information on shutting down a connection, see L<SSL_shutdown(3)>.
440
441=item B<-servername>
442
443Servername for HostName TLS extension.
444
445=item B<-servername_fatal>
446
447On servername mismatch send fatal alert (default: warning alert).
448
449=item B<-id_prefix> I<val>
450
451Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
452for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
453servers, when each of which might be generating a unique range of session
454IDs (e.g. with a certain prefix).
455
456=item B<-keymatexport>
457
458Export keying material using label.
459
460=item B<-keymatexportlen>
461
462Export the given number of bytes of keying material; default 20.
463
464=item B<-no_cache>
465
466Disable session cache.
467
468=item B<-ext_cache>.
469
470Disable internal cache, set up and use external cache.
471
472=item B<-verify_return_error>
473
474Verification errors normally just print a message but allow the
475connection to continue, for debugging purposes.
476If this option is used, then verification errors close the connection.
477
478=item B<-verify_quiet>
479
480No verify output except verify errors.
481
482=item B<-ign_eof>
483
484Ignore input EOF (default: when B<-quiet>).
485
486=item B<-no_ign_eof>
487
488Do not ignore input EOF.
489
490=item B<-no_etm>
491
492Disable Encrypt-then-MAC negotiation.
493
494=item B<-status>
495
496Enables certificate status request support (aka OCSP stapling).
497
498=item B<-status_verbose>
499
500Enables certificate status request support (aka OCSP stapling) and gives
501a verbose printout of the OCSP response.
502
503=item B<-status_timeout> I<int>
504
505Sets the timeout for OCSP response to I<int> seconds.
506
507=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
508
509The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
510applies, see below.
511The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
512the optional C<http://> or C<https://> prefix is ignored,
513as well as any userinfo and path components.
514Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
515in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
516
517=item B<-no_proxy> I<addresses>
518
519List of IP addresses and/or DNS names of servers
520not to use an HTTP(S) proxy for, separated by commas and/or whitespace
521(where in the latter case the whole argument must be enclosed in "...").
522Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
523
524=item B<-status_url> I<val>
525
526Sets a fallback responder URL to use if no responder URL is present in the
527server certificate. Without this option an error is returned if the server
528certificate does not contain a responder address.
529The optional userinfo and fragment URL components are ignored.
530Any given query component is handled as part of the path component.
531
532=item B<-status_file> I<infile>
533
534Overrides any OCSP responder URLs from the certificate and always provides the
535OCSP Response stored in the file. The file must be in DER format.
536
537=item B<-ssl_config> I<val>
538
539Configure SSL_CTX using the given configuration value.
540
541=item B<-trace>
542
543Show verbose trace output of protocol messages.
544
545=item B<-brief>
546
547Provide a brief summary of connection parameters instead of the normal verbose
548output.
549
550=item B<-rev>
551
552Simple echo server that sends back received text reversed. Also sets B<-brief>.
553Cannot be used in conjunction with B<-early_data>.
554
555=item B<-async>
556
557Switch on asynchronous mode. Cryptographic operations will be performed
558asynchronously. This will only have an effect if an asynchronous capable engine
559is also used via the B<-engine> option. For test purposes the dummy async engine
560(dasync) can be used (if available).
561
562=item B<-max_send_frag> I<+int>
563
564The maximum size of data fragment to send.
565See L<SSL_CTX_set_max_send_fragment(3)> for further information.
566
567=item B<-split_send_frag> I<+int>
568
569The size used to split data for encrypt pipelines. If more data is written in
570one go than this value then it will be split into multiple pipelines, up to the
571maximum number of pipelines defined by max_pipelines. This only has an effect if
572a suitable cipher suite has been negotiated, an engine that supports pipelining
573has been loaded, and max_pipelines is greater than 1. See
574L<SSL_CTX_set_split_send_fragment(3)> for further information.
575
576=item B<-max_pipelines> I<+int>
577
578The maximum number of encrypt/decrypt pipelines to be used. This will only have
579an effect if an engine has been loaded that supports pipelining (e.g. the dasync
580engine) and a suitable cipher suite has been negotiated. The default value is 1.
581See L<SSL_CTX_set_max_pipelines(3)> for further information.
582
583=item B<-naccept> I<+int>
584
585The server will exit after receiving the specified number of connections,
586default unlimited.
587
588=item B<-read_buf> I<+int>
589
590The default read buffer size to be used for connections. This will only have an
591effect if the buffer size is larger than the size that would otherwise be used
592and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
593further information).
594
595=item B<-bugs>
596
597There are several known bugs in SSL and TLS implementations. Adding this
598option enables various workarounds.
599
600=item B<-no_comp>
601
602Disable negotiation of TLS compression.
603TLS compression is not recommended and is off by default as of
604OpenSSL 1.1.0.
605
606=item B<-comp>
607
608Enable negotiation of TLS compression.
609This option was introduced in OpenSSL 1.1.0.
610TLS compression is not recommended and is off by default as of
611OpenSSL 1.1.0.
612
613=item B<-no_ticket>
614
615Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
616is negotiated. See B<-num_tickets>.
617
618=item B<-num_tickets>
619
620Control the number of tickets that will be sent to the client after a full
621handshake in TLSv1.3. The default number of tickets is 2. This option does not
622affect the number of tickets sent after a resumption handshake.
623
624=item B<-serverpref>
625
626Use the server's cipher preferences, rather than the client's preferences.
627
628=item B<-prioritize_chacha>
629
630Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
631
632=item B<-no_resumption_on_reneg>
633
634Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
635
636=item B<-client_sigalgs> I<val>
637
638Signature algorithms to support for client certificate authentication
639(colon-separated list).
640
641=item B<-named_curve> I<val>
642
643Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
644For a list of all possible curves, use:
645
646    $ openssl ecparam -list_curves
647
648=item B<-cipher> I<val>
649
650This allows the list of TLSv1.2 and below ciphersuites used by the server to be
651modified. This list is combined with any TLSv1.3 ciphersuites that have been
652configured. When the client sends a list of supported ciphers the first client
653cipher also included in the server list is used. Because the client specifies
654the preference order, the order of the server cipherlist is irrelevant. See
655L<openssl-ciphers(1)> for more information.
656
657=item B<-ciphersuites> I<val>
658
659This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
660This list is combined with any TLSv1.2 and below ciphersuites that have been
661configured. When the client sends a list of supported ciphers the first client
662cipher also included in the server list is used. Because the client specifies
663the preference order, the order of the server cipherlist is irrelevant. See
664L<openssl-ciphers(1)> command for more information. The format for this list is
665a simple colon (":") separated list of TLSv1.3 ciphersuite names.
666
667=item B<-dhparam> I<infile>
668
669The DH parameter file to use. The ephemeral DH cipher suites generate keys
670using a set of DH parameters. If not specified then an attempt is made to
671load the parameters from the server certificate file.
672If this fails then a static set of parameters hard coded into this command
673will be used.
674
675=item B<-nbio>
676
677Turns on non blocking I/O.
678
679=item B<-timeout>
680
681Enable timeouts.
682
683=item B<-mtu>
684
685Set link-layer MTU.
686
687=item B<-psk_identity> I<val>
688
689Expect the client to send PSK identity I<val> when using a PSK
690cipher suite, and warn if they do not.  By default, the expected PSK
691identity is the string "Client_identity".
692
693=item B<-psk_hint> I<val>
694
695Use the PSK identity hint I<val> when using a PSK cipher suite.
696
697=item B<-psk> I<val>
698
699Use the PSK key I<val> when using a PSK cipher suite. The key is
700given as a hexadecimal number without leading 0x, for example -psk
7011a2b3c4d.
702This option must be provided in order to use a PSK cipher.
703
704=item B<-psk_session> I<file>
705
706Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
707Note that this will only work if TLSv1.3 is negotiated.
708
709=item B<-srpvfile>
710
711The verifier file for SRP.
712This option is deprecated.
713
714=item B<-srpuserseed>
715
716A seed string for a default user salt.
717This option is deprecated.
718
719=item B<-listen>
720
721This option can only be used in conjunction with one of the DTLS options above.
722With this option, this command will listen on a UDP port for incoming
723connections.
724Any ClientHellos that arrive will be checked to see if they have a cookie in
725them or not.
726Any without a cookie will be responded to with a HelloVerifyRequest.
727If a ClientHello with a cookie is received then this command will
728connect to that peer and complete the handshake.
729
730=item B<-sctp>
731
732Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
733conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
734available where OpenSSL has support for SCTP enabled.
735
736=item B<-sctp_label_bug>
737
738Use the incorrect behaviour of older OpenSSL implementations when computing
739endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
740older broken implementations but breaks interoperability with correct
741implementations. Must be used in conjunction with B<-sctp>. This option is only
742available where OpenSSL has support for SCTP enabled.
743
744=item B<-use_srtp>
745
746Offer SRTP key management with a colon-separated profile list.
747
748=item B<-no_dhe>
749
750If this option is set then no DH parameters will be loaded effectively
751disabling the ephemeral DH cipher suites.
752
753=item B<-alpn> I<val>, B<-nextprotoneg> I<val>
754
755These flags enable the Application-Layer Protocol Negotiation
756or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
757IETF standard and replaces NPN.
758The I<val> list is a comma-separated list of supported protocol
759names.  The list should contain the most desirable protocols first.
760Protocol names are printable ASCII strings, for example "http/1.1" or
761"spdy/3".
762The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
763
764=item B<-sendfile>
765
766If this option is set and KTLS is enabled, SSL_sendfile() will be used
767instead of BIO_write() to send the HTTP response requested by a client.
768This option is only valid if B<-WWW> or B<-HTTP> is specified.
769
770=item B<-keylogfile> I<outfile>
771
772Appends TLS secrets to the specified keylog file such that external programs
773(like Wireshark) can decrypt TLS connections.
774
775=item B<-max_early_data> I<int>
776
777Change the default maximum early data bytes that are specified for new sessions
778and any incoming early data (when used in conjunction with the B<-early_data>
779flag). The default value is approximately 16k. The argument must be an integer
780greater than or equal to 0.
781
782=item B<-recv_max_early_data> I<int>
783
784Specify the hard limit on the maximum number of early data bytes that will
785be accepted.
786
787=item B<-early_data>
788
789Accept early data where possible. Cannot be used in conjunction with B<-www>,
790B<-WWW>, B<-HTTP> or B<-rev>.
791
792=item B<-stateless>
793
794Require TLSv1.3 cookies.
795
796=item B<-anti_replay>, B<-no_anti_replay>
797
798Switches replay protection on or off, respectively. Replay protection is on by
799default unless overridden by a configuration file. When it is on, OpenSSL will
800automatically detect if a session ticket has been used more than once, TLSv1.3
801has been negotiated, and early data is enabled on the server. A full handshake
802is forced if a session ticket is used a second or subsequent time. Any early
803data that was sent will be rejected.
804
805{- $OpenSSL::safe::opt_name_item -}
806
807{- $OpenSSL::safe::opt_version_item -}
808
809{- $OpenSSL::safe::opt_s_item -}
810
811{- $OpenSSL::safe::opt_x_item -}
812
813{- $OpenSSL::safe::opt_trust_item -}
814
815{- $OpenSSL::safe::opt_r_item -}
816
817{- $OpenSSL::safe::opt_engine_item -}
818
819{- $OpenSSL::safe::opt_provider_item -}
820
821{- $OpenSSL::safe::opt_v_item -}
822
823If the server requests a client certificate, then
824verification errors are displayed, for debugging, but the command will
825proceed unless the B<-verify_return_error> option is used.
826
827=back
828
829=head1 CONNECTED COMMANDS
830
831If a connection request is established with an SSL client and neither the
832B<-www> nor the B<-WWW> option has been used then normally any data received
833from the client is displayed and any key presses will be sent to the client.
834
835Certain commands are also recognized which perform special operations. These
836commands are a letter which must appear at the start of a line. They are listed
837below.
838
839=over 4
840
841=item B<q>
842
843End the current SSL connection but still accept new connections.
844
845=item B<Q>
846
847End the current SSL connection and exit.
848
849=item B<r>
850
851Renegotiate the SSL session (TLSv1.2 and below only).
852
853=item B<R>
854
855Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
856only).
857
858=item B<P>
859
860Send some plain text down the underlying TCP connection: this should
861cause the client to disconnect due to a protocol violation.
862
863=item B<S>
864
865Print out some session cache status information.
866
867=item B<k>
868
869Send a key update message to the client (TLSv1.3 only)
870
871=item B<K>
872
873Send a key update message to the client and request one back (TLSv1.3 only)
874
875=item B<c>
876
877Send a certificate request to the client (TLSv1.3 only)
878
879=back
880
881=head1 NOTES
882
883This command can be used to debug SSL clients. To accept connections
884from a web browser the command:
885
886 openssl s_server -accept 443 -www
887
888can be used for example.
889
890Although specifying an empty list of CAs when requesting a client certificate
891is strictly speaking a protocol violation, some SSL clients interpret this to
892mean any CA is acceptable. This is useful for debugging purposes.
893
894The session parameters can printed out using the L<openssl-sess_id(1)> command.
895
896=head1 BUGS
897
898Because this program has a lot of options and also because some of the
899techniques used are rather old, the C source for this command is rather
900hard to read and not a model of how things should be done.
901A typical SSL server program would be much simpler.
902
903The output of common ciphers is wrong: it just gives the list of ciphers that
904OpenSSL recognizes and the client supports.
905
906There should be a way for this command to print out details
907of any unknown cipher suites a client says it supports.
908
909=head1 SEE ALSO
910
911L<openssl(1)>,
912L<openssl-sess_id(1)>,
913L<openssl-s_client(1)>,
914L<openssl-ciphers(1)>,
915L<SSL_CONF_cmd(3)>,
916L<SSL_CTX_set_max_send_fragment(3)>,
917L<SSL_CTX_set_split_send_fragment(3)>,
918L<SSL_CTX_set_max_pipelines(3)>,
919L<ossl_store-file(7)>
920
921=head1 HISTORY
922
923The -no_alt_chains option was added in OpenSSL 1.1.0.
924
925The
926-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
927
928The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
929option were deprecated in OpenSSL 3.0.
930
931=head1 COPYRIGHT
932
933Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
934
935Licensed under the Apache License 2.0 (the "License").  You may not use
936this file except in compliance with the License.  You can obtain a copy
937in the file LICENSE in the source distribution or at
938L<https://www.openssl.org/source/license.html>.
939
940=cut
941