xref: /freebsd/crypto/openssl/doc/man1/openssl-s_server.pod.in (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-s_server - SSL/TLS server program
7
8=head1 SYNOPSIS
9
10B<openssl> B<s_server>
11[B<-help>]
12[B<-port> I<+int>]
13[B<-accept> I<val>]
14[B<-unix> I<val>]
15[B<-4>]
16[B<-6>]
17[B<-unlink>]
18[B<-context> I<val>]
19[B<-verify> I<int>]
20[B<-Verify> I<int>]
21[B<-cert> I<infile>]
22[B<-cert2> I<infile>]
23[B<-certform> B<DER>|B<PEM>|B<P12>]
24[B<-cert_chain> I<infile>]
25[B<-build_chain>]
26[B<-serverinfo> I<val>]
27[B<-key> I<filename>|I<uri>]
28[B<-key2> I<filename>|I<uri>]
29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
30[B<-pass> I<val>]
31[B<-dcert> I<infile>]
32[B<-dcertform> B<DER>|B<PEM>|B<P12>]
33[B<-dcert_chain> I<infile>]
34[B<-dkey> I<filename>|I<uri>]
35[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
36[B<-dpass> I<val>]
37[B<-nbio_test>]
38[B<-crlf>]
39[B<-debug>]
40[B<-msg>]
41[B<-msgfile> I<outfile>]
42[B<-state>]
43[B<-nocert>]
44[B<-quiet>]
45[B<-no_resume_ephemeral>]
46[B<-www>]
47[B<-WWW>]
48[B<-http_server_binmode>]
49[B<-no_ca_names>]
50[B<-ignore_unexpected_eof>]
51[B<-servername>]
52[B<-servername_fatal>]
53[B<-tlsextdebug>]
54[B<-HTTP>]
55[B<-id_prefix> I<val>]
56[B<-keymatexport> I<val>]
57[B<-keymatexportlen> I<+int>]
58[B<-CRL> I<infile>]
59[B<-CRLform> B<DER>|B<PEM>]
60[B<-crl_download>]
61[B<-chainCAfile> I<infile>]
62[B<-chainCApath> I<dir>]
63[B<-chainCAstore> I<uri>]
64[B<-verifyCAfile> I<infile>]
65[B<-verifyCApath> I<dir>]
66[B<-verifyCAstore> I<uri>]
67[B<-no_cache>]
68[B<-ext_cache>]
69[B<-verify_return_error>]
70[B<-verify_quiet>]
71[B<-ign_eof>]
72[B<-no_ign_eof>]
73[B<-no_etm>]
74[B<-status>]
75[B<-status_verbose>]
76[B<-status_timeout> I<int>]
77[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
78[B<-no_proxy> I<addresses>]
79[B<-status_url> I<val>]
80[B<-status_file> I<infile>]
81[B<-ssl_config> I<val>]
82[B<-trace>]
83[B<-security_debug>]
84[B<-security_debug_verbose>]
85[B<-brief>]
86[B<-rev>]
87[B<-async>]
88[B<-max_send_frag> I<+int>]
89[B<-split_send_frag> I<+int>]
90[B<-max_pipelines> I<+int>]
91[B<-naccept> I<+int>]
92[B<-read_buf> I<+int>]
93[B<-bugs>]
94[B<-no_comp>]
95[B<-comp>]
96[B<-no_ticket>]
97[B<-serverpref>]
98[B<-legacy_renegotiation>]
99[B<-no_renegotiation>]
100[B<-no_resumption_on_reneg>]
101[B<-allow_no_dhe_kex>]
102[B<-prioritize_chacha>]
103[B<-strict>]
104[B<-sigalgs> I<val>]
105[B<-client_sigalgs> I<val>]
106[B<-groups> I<val>]
107[B<-curves> I<val>]
108[B<-named_curve> I<val>]
109[B<-cipher> I<val>]
110[B<-ciphersuites> I<val>]
111[B<-dhparam> I<infile>]
112[B<-record_padding> I<val>]
113[B<-debug_broken_protocol>]
114[B<-nbio>]
115[B<-psk_identity> I<val>]
116[B<-psk_hint> I<val>]
117[B<-psk> I<val>]
118[B<-psk_session> I<file>]
119[B<-srpvfile> I<infile>]
120[B<-srpuserseed> I<val>]
121[B<-timeout>]
122[B<-mtu> I<+int>]
123[B<-listen>]
124[B<-sctp>]
125[B<-sctp_label_bug>]
126[B<-use_srtp> I<val>]
127[B<-no_dhe>]
128[B<-nextprotoneg> I<val>]
129[B<-alpn> I<val>]
130[B<-sendfile>]
131[B<-keylogfile> I<outfile>]
132[B<-recv_max_early_data> I<int>]
133[B<-max_early_data> I<int>]
134[B<-early_data>]
135[B<-stateless>]
136[B<-anti_replay>]
137[B<-no_anti_replay>]
138[B<-num_tickets>]
139{- $OpenSSL::safe::opt_name_synopsis -}
140{- $OpenSSL::safe::opt_version_synopsis -}
141{- $OpenSSL::safe::opt_v_synopsis -}
142{- $OpenSSL::safe::opt_s_synopsis -}
143{- $OpenSSL::safe::opt_x_synopsis -}
144{- $OpenSSL::safe::opt_trust_synopsis -}
145{- $OpenSSL::safe::opt_r_synopsis -}
146{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
147
148=head1 DESCRIPTION
149
150This command implements a generic SSL/TLS server which
151listens for connections on a given port using SSL/TLS.
152
153=head1 OPTIONS
154
155In addition to the options below, this command also supports
156the common and server only options documented
157L<SSL_CONF_cmd(3)/Supported Command Line Commands>
158
159=over 4
160
161=item B<-help>
162
163Print out a usage message.
164
165=item B<-port> I<+int>
166
167The TCP port to listen on for connections. If not specified 4433 is used.
168
169=item B<-accept> I<val>
170
171The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
172
173=item B<-unix> I<val>
174
175Unix domain socket to accept on.
176
177=item B<-4>
178
179Use IPv4 only.
180
181=item B<-6>
182
183Use IPv6 only.
184
185=item B<-unlink>
186
187For -unix, unlink any existing socket first.
188
189=item B<-context> I<val>
190
191Sets the SSL context id. It can be given any string value. If this option
192is not present a default value will be used.
193
194=item B<-verify> I<int>, B<-Verify> I<int>
195
196The verify depth to use. This specifies the maximum length of the
197client certificate chain and makes the server request a certificate from
198the client. With the B<-verify> option a certificate is requested but the
199client does not have to send one, with the B<-Verify> option the client
200must supply a certificate or an error occurs.
201
202If the cipher suite cannot request a client certificate (for example an
203anonymous cipher suite or PSK) this option has no effect.
204
205=item B<-cert> I<infile>
206
207The certificate to use, most servers cipher suites require the use of a
208certificate and some require a certificate with a certain public key type:
209for example the DSS cipher suites require a certificate containing a DSS
210(DSA) key. If not specified then the filename F<server.pem> will be used.
211
212=item B<-cert2> I<infile>
213
214The certificate file to use for servername; default is C<server2.pem>.
215
216=item B<-certform> B<DER>|B<PEM>|B<P12>
217
218The server certificate file format; unspecified by default.
219See L<openssl-format-options(1)> for details.
220
221=item B<-cert_chain>
222
223A file or URI of untrusted certificates to use when attempting to build the
224certificate chain related to the certificate specified via the B<-cert> option.
225The input can be in PEM, DER, or PKCS#12 format.
226
227=item B<-build_chain>
228
229Specify whether the application should build the server certificate chain to be
230provided to the client.
231
232=item B<-serverinfo> I<val>
233
234A file containing one or more blocks of PEM data.  Each PEM block
235must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
236followed by "length" bytes of extension data).  If the client sends
237an empty TLS ClientHello extension matching the type, the corresponding
238ServerHello extension will be returned.
239
240=item B<-key> I<filename>|I<uri>
241
242The private key to use. If not specified then the certificate file will
243be used.
244
245=item B<-key2> I<filename>|I<uri>
246
247The private Key file to use for servername if not given via B<-cert2>.
248
249=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
250
251The key format; unspecified by default.
252See L<openssl-format-options(1)> for details.
253
254=item B<-pass> I<val>
255
256The private key and certificate file password source.
257For more information about the format of I<val>,
258see L<openssl-passphrase-options(1)>.
259
260=item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri>
261
262Specify an additional certificate and private key, these behave in the
263same manner as the B<-cert> and B<-key> options except there is no default
264if they are not specified (no additional certificate and key is used). As
265noted above some cipher suites require a certificate containing a key of
266a certain type. Some cipher suites need a certificate carrying an RSA key
267and some a DSS (DSA) key. By using RSA and DSS certificates and keys
268a server can support clients which only support RSA or DSS cipher suites
269by using an appropriate certificate.
270
271=item B<-dcert_chain>
272
273A file or URI of untrusted certificates to use when attempting to build the
274server certificate chain when a certificate specified via the B<-dcert> option
275is in use.
276The input can be in PEM, DER, or PKCS#12 format.
277
278=item B<-dcertform> B<DER>|B<PEM>|B<P12>
279
280The format of the additional certificate file; unspecified by default.
281See L<openssl-format-options(1)> for details.
282
283=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
284
285The format of the additional private key; unspecified by default.
286See L<openssl-format-options(1)> for details.
287
288=item B<-dpass> I<val>
289
290The passphrase for the additional private key and certificate.
291For more information about the format of I<val>,
292see L<openssl-passphrase-options(1)>.
293
294=item B<-nbio_test>
295
296Tests non blocking I/O.
297
298=item B<-crlf>
299
300This option translated a line feed from the terminal into CR+LF.
301
302=item B<-debug>
303
304Print extensive debugging information including a hex dump of all traffic.
305
306=item B<-security_debug>
307
308Print output from SSL/TLS security framework.
309
310=item B<-security_debug_verbose>
311
312Print more output from SSL/TLS security framework
313
314=item B<-msg>
315
316Show all protocol messages with hex dump.
317
318=item B<-msgfile> I<outfile>
319
320File to send output of B<-msg> or B<-trace> to, default standard output.
321
322=item B<-state>
323
324Prints the SSL session states.
325
326=item B<-CRL> I<infile>
327
328The CRL file to use.
329
330=item B<-CRLform> B<DER>|B<PEM>
331
332The CRL file format; unspecified by default.
333See L<openssl-format-options(1)> for details.
334
335=item B<-crl_download>
336
337Download CRLs from distribution points given in CDP extensions of certificates
338
339=item B<-verifyCAfile> I<filename>
340
341A file in PEM format CA containing trusted certificates to use
342for verifying client certificates.
343
344=item B<-verifyCApath> I<dir>
345
346A directory containing trusted certificates to use
347for verifying client certificates.
348This directory must be in "hash format",
349see L<openssl-verify(1)> for more information.
350
351=item B<-verifyCAstore> I<uri>
352
353The URI of a store containing trusted certificates to use
354for verifying client certificates.
355
356=item B<-chainCAfile> I<file>
357
358A file in PEM format containing trusted certificates to use
359when attempting to build the server certificate chain.
360
361=item B<-chainCApath> I<dir>
362
363A directory containing trusted certificates to use
364for building the server certificate chain provided to the client.
365This directory must be in "hash format",
366see L<openssl-verify(1)> for more information.
367
368=item B<-chainCAstore> I<uri>
369
370The URI of a store containing trusted certificates to use
371for building the server certificate chain provided to the client.
372The URI may indicate a single certificate, as well as a collection of them.
373With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
374B<-chainCApath>, depending on if the URI indicates a directory or a
375single file.
376See L<ossl_store-file(7)> for more information on the C<file:> scheme.
377
378=item B<-nocert>
379
380If this option is set then no certificate is used. This restricts the
381cipher suites available to the anonymous ones (currently just anonymous
382DH).
383
384=item B<-quiet>
385
386Inhibit printing of session and certificate information.
387
388=item B<-no_resume_ephemeral>
389
390Disable caching and tickets if ephemeral (EC)DH is used.
391
392=item B<-tlsextdebug>
393
394Print a hex dump of any TLS extensions received from the server.
395
396=item B<-www>
397
398Sends a status message back to the client when it connects. This includes
399information about the ciphers used and various session parameters.
400The output is in HTML format so this option can be used with a web browser.
401The special URL C</renegcert> turns on client cert validation, and C</reneg>
402tells the server to request renegotiation.
403The B<-early_data> option cannot be used with this option.
404
405=item B<-WWW>, B<-HTTP>
406
407Emulates a simple web server. Pages will be resolved relative to the
408current directory, for example if the URL C<https://myhost/page.html> is
409requested the file F<./page.html> will be sent.
410If the B<-HTTP> flag is used, the files are sent directly, and should contain
411any HTTP response headers (including status response line).
412If the B<-WWW> option is used,
413the response headers are generated by the server, and the file extension is
414examined to determine the B<Content-Type> header.
415Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
416C<text/plain>.
417In addition, the special URL C</stats> will return status
418information like the B<-www> option.
419Neither of these options can be used in conjunction with B<-early_data>.
420
421=item B<-http_server_binmode>
422
423When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
424by the client in binary mode.
425
426=item B<-no_ca_names>
427
428Disable TLS Extension CA Names. You may want to disable it for security reasons
429or for compatibility with some Windows TLS implementations crashing when this
430extension is larger than 1024 bytes.
431
432=item B<-ignore_unexpected_eof>
433
434Some TLS implementations do not send the mandatory close_notify alert on
435shutdown. If the application tries to wait for the close_notify alert but the
436peer closes the connection without sending it, an error is generated. When this
437option is enabled the peer does not need to send the close_notify alert and a
438closed connection will be treated as if the close_notify alert was received.
439For more information on shutting down a connection, see L<SSL_shutdown(3)>.
440
441=item B<-servername>
442
443Servername for HostName TLS extension.
444
445=item B<-servername_fatal>
446
447On servername mismatch send fatal alert (default: warning alert).
448
449=item B<-id_prefix> I<val>
450
451Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
452for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
453servers, when each of which might be generating a unique range of session
454IDs (e.g. with a certain prefix).
455
456=item B<-keymatexport>
457
458Export keying material using label.
459
460=item B<-keymatexportlen>
461
462Export the given number of bytes of keying material; default 20.
463
464=item B<-no_cache>
465
466Disable session cache.
467
468=item B<-ext_cache>.
469
470Disable internal cache, set up and use external cache.
471
472=item B<-verify_return_error>
473
474Verification errors normally just print a message but allow the
475connection to continue, for debugging purposes.
476If this option is used, then verification errors close the connection.
477
478=item B<-verify_quiet>
479
480No verify output except verify errors.
481
482=item B<-ign_eof>
483
484Ignore input EOF (default: when B<-quiet>).
485
486=item B<-no_ign_eof>
487
488Do not ignore input EOF.
489
490=item B<-no_etm>
491
492Disable Encrypt-then-MAC negotiation.
493
494=item B<-status>
495
496Enables certificate status request support (aka OCSP stapling).
497
498=item B<-status_verbose>
499
500Enables certificate status request support (aka OCSP stapling) and gives
501a verbose printout of the OCSP response.
502
503=item B<-status_timeout> I<int>
504
505Sets the timeout for OCSP response to I<int> seconds.
506
507=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>
508
509The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
510applies, see below.
511The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
512the optional C<http://> or C<https://> prefix is ignored,
513as well as any userinfo and path components.
514Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
515in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
516
517=item B<-no_proxy> I<addresses>
518
519List of IP addresses and/or DNS names of servers
520not to use an HTTP(S) proxy for, separated by commas and/or whitespace
521(where in the latter case the whole argument must be enclosed in "...").
522Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
523
524=item B<-status_url> I<val>
525
526Sets a fallback responder URL to use if no responder URL is present in the
527server certificate. Without this option an error is returned if the server
528certificate does not contain a responder address.
529The optional userinfo and fragment URL components are ignored.
530Any given query component is handled as part of the path component.
531
532=item B<-status_file> I<infile>
533
534Overrides any OCSP responder URLs from the certificate and always provides the
535OCSP Response stored in the file. The file must be in DER format.
536
537=item B<-ssl_config> I<val>
538
539Configure SSL_CTX using the given configuration value.
540
541=item B<-trace>
542
543Show verbose trace output of protocol messages.
544
545=item B<-brief>
546
547Provide a brief summary of connection parameters instead of the normal verbose
548output.
549
550=item B<-rev>
551
552Simple echo server that sends back received text reversed. Also sets B<-brief>.
553Cannot be used in conjunction with B<-early_data>.
554
555=item B<-async>
556
557Switch on asynchronous mode. Cryptographic operations will be performed
558asynchronously. This will only have an effect if an asynchronous capable engine
559is also used via the B<-engine> option. For test purposes the dummy async engine
560(dasync) can be used (if available).
561
562=item B<-max_send_frag> I<+int>
563
564The maximum size of data fragment to send.
565See L<SSL_CTX_set_max_send_fragment(3)> for further information.
566
567=item B<-split_send_frag> I<+int>
568
569The size used to split data for encrypt pipelines. If more data is written in
570one go than this value then it will be split into multiple pipelines, up to the
571maximum number of pipelines defined by max_pipelines. This only has an effect if
572a suitable cipher suite has been negotiated, an engine that supports pipelining
573has been loaded, and max_pipelines is greater than 1. See
574L<SSL_CTX_set_split_send_fragment(3)> for further information.
575
576=item B<-max_pipelines> I<+int>
577
578The maximum number of encrypt/decrypt pipelines to be used. This will only have
579an effect if an engine has been loaded that supports pipelining (e.g. the dasync
580engine) and a suitable cipher suite has been negotiated. The default value is 1.
581See L<SSL_CTX_set_max_pipelines(3)> for further information.
582
583=item B<-naccept> I<+int>
584
585The server will exit after receiving the specified number of connections,
586default unlimited.
587
588=item B<-read_buf> I<+int>
589
590The default read buffer size to be used for connections. This will only have an
591effect if the buffer size is larger than the size that would otherwise be used
592and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
593further information).
594
595=item B<-bugs>
596
597There are several known bugs in SSL and TLS implementations. Adding this
598option enables various workarounds.
599
600=item B<-no_comp>
601
602Disable negotiation of TLS compression.
603TLS compression is not recommended and is off by default as of
604OpenSSL 1.1.0.
605
606=item B<-comp>
607
608Enable negotiation of TLS compression.
609This option was introduced in OpenSSL 1.1.0.
610TLS compression is not recommended and is off by default as of
611OpenSSL 1.1.0.
612
613=item B<-no_ticket>
614
615Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
616is negotiated. See B<-num_tickets>.
617
618=item B<-num_tickets>
619
620Control the number of tickets that will be sent to the client after a full
621handshake in TLSv1.3. The default number of tickets is 2. This option does not
622affect the number of tickets sent after a resumption handshake.
623
624=item B<-serverpref>
625
626Use the server's cipher preferences, rather than the client's preferences.
627
628=item B<-prioritize_chacha>
629
630Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
631
632=item B<-no_resumption_on_reneg>
633
634Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
635
636=item B<-client_sigalgs> I<val>
637
638Signature algorithms to support for client certificate authentication
639(colon-separated list).
640
641=item B<-named_curve> I<val>
642
643Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
644
645The list of all supported groups includes named EC parameters as well as X25519
646and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
647providers. For a list of named EC parameters, use:
648
649    $ openssl ecparam -list_curves
650
651=item B<-cipher> I<val>
652
653This allows the list of TLSv1.2 and below ciphersuites used by the server to be
654modified. This list is combined with any TLSv1.3 ciphersuites that have been
655configured. When the client sends a list of supported ciphers the first client
656cipher also included in the server list is used. Because the client specifies
657the preference order, the order of the server cipherlist is irrelevant. See
658L<openssl-ciphers(1)> for more information.
659
660=item B<-ciphersuites> I<val>
661
662This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
663This list is combined with any TLSv1.2 and below ciphersuites that have been
664configured. When the client sends a list of supported ciphers the first client
665cipher also included in the server list is used. Because the client specifies
666the preference order, the order of the server cipherlist is irrelevant. See
667L<openssl-ciphers(1)> command for more information. The format for this list is
668a simple colon (":") separated list of TLSv1.3 ciphersuite names.
669
670=item B<-dhparam> I<infile>
671
672The DH parameter file to use. The ephemeral DH cipher suites generate keys
673using a set of DH parameters. If not specified then an attempt is made to
674load the parameters from the server certificate file.
675If this fails then a static set of parameters hard coded into this command
676will be used.
677
678=item B<-nbio>
679
680Turns on non blocking I/O.
681
682=item B<-timeout>
683
684Enable timeouts.
685
686=item B<-mtu>
687
688Set link-layer MTU.
689
690=item B<-psk_identity> I<val>
691
692Expect the client to send PSK identity I<val> when using a PSK
693cipher suite, and warn if they do not.  By default, the expected PSK
694identity is the string "Client_identity".
695
696=item B<-psk_hint> I<val>
697
698Use the PSK identity hint I<val> when using a PSK cipher suite.
699
700=item B<-psk> I<val>
701
702Use the PSK key I<val> when using a PSK cipher suite. The key is
703given as a hexadecimal number without leading 0x, for example -psk
7041a2b3c4d.
705This option must be provided in order to use a PSK cipher.
706
707=item B<-psk_session> I<file>
708
709Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
710Note that this will only work if TLSv1.3 is negotiated.
711
712=item B<-srpvfile>
713
714The verifier file for SRP.
715This option is deprecated.
716
717=item B<-srpuserseed>
718
719A seed string for a default user salt.
720This option is deprecated.
721
722=item B<-listen>
723
724This option can only be used in conjunction with one of the DTLS options above.
725With this option, this command will listen on a UDP port for incoming
726connections.
727Any ClientHellos that arrive will be checked to see if they have a cookie in
728them or not.
729Any without a cookie will be responded to with a HelloVerifyRequest.
730If a ClientHello with a cookie is received then this command will
731connect to that peer and complete the handshake.
732
733=item B<-sctp>
734
735Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
736conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
737available where OpenSSL has support for SCTP enabled.
738
739=item B<-sctp_label_bug>
740
741Use the incorrect behaviour of older OpenSSL implementations when computing
742endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
743older broken implementations but breaks interoperability with correct
744implementations. Must be used in conjunction with B<-sctp>. This option is only
745available where OpenSSL has support for SCTP enabled.
746
747=item B<-use_srtp>
748
749Offer SRTP key management with a colon-separated profile list.
750
751=item B<-no_dhe>
752
753If this option is set then no DH parameters will be loaded effectively
754disabling the ephemeral DH cipher suites.
755
756=item B<-alpn> I<val>, B<-nextprotoneg> I<val>
757
758These flags enable the Application-Layer Protocol Negotiation
759or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
760IETF standard and replaces NPN.
761The I<val> list is a comma-separated list of supported protocol
762names.  The list should contain the most desirable protocols first.
763Protocol names are printable ASCII strings, for example "http/1.1" or
764"spdy/3".
765The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
766
767=item B<-sendfile>
768
769If this option is set and KTLS is enabled, SSL_sendfile() will be used
770instead of BIO_write() to send the HTTP response requested by a client.
771This option is only valid if B<-WWW> or B<-HTTP> is specified.
772
773=item B<-keylogfile> I<outfile>
774
775Appends TLS secrets to the specified keylog file such that external programs
776(like Wireshark) can decrypt TLS connections.
777
778=item B<-max_early_data> I<int>
779
780Change the default maximum early data bytes that are specified for new sessions
781and any incoming early data (when used in conjunction with the B<-early_data>
782flag). The default value is approximately 16k. The argument must be an integer
783greater than or equal to 0.
784
785=item B<-recv_max_early_data> I<int>
786
787Specify the hard limit on the maximum number of early data bytes that will
788be accepted.
789
790=item B<-early_data>
791
792Accept early data where possible. Cannot be used in conjunction with B<-www>,
793B<-WWW>, B<-HTTP> or B<-rev>.
794
795=item B<-stateless>
796
797Require TLSv1.3 cookies.
798
799=item B<-anti_replay>, B<-no_anti_replay>
800
801Switches replay protection on or off, respectively. Replay protection is on by
802default unless overridden by a configuration file. When it is on, OpenSSL will
803automatically detect if a session ticket has been used more than once, TLSv1.3
804has been negotiated, and early data is enabled on the server. A full handshake
805is forced if a session ticket is used a second or subsequent time. Any early
806data that was sent will be rejected.
807
808{- $OpenSSL::safe::opt_name_item -}
809
810{- $OpenSSL::safe::opt_version_item -}
811
812{- $OpenSSL::safe::opt_s_item -}
813
814{- $OpenSSL::safe::opt_x_item -}
815
816{- $OpenSSL::safe::opt_trust_item -}
817
818{- $OpenSSL::safe::opt_r_item -}
819
820{- $OpenSSL::safe::opt_engine_item -}
821
822{- $OpenSSL::safe::opt_provider_item -}
823
824{- $OpenSSL::safe::opt_v_item -}
825
826If the server requests a client certificate, then
827verification errors are displayed, for debugging, but the command will
828proceed unless the B<-verify_return_error> option is used.
829
830=back
831
832=head1 CONNECTED COMMANDS
833
834If a connection request is established with an SSL client and neither the
835B<-www> nor the B<-WWW> option has been used then normally any data received
836from the client is displayed and any key presses will be sent to the client.
837
838Certain commands are also recognized which perform special operations. These
839commands are a letter which must appear at the start of a line. They are listed
840below.
841
842=over 4
843
844=item B<q>
845
846End the current SSL connection but still accept new connections.
847
848=item B<Q>
849
850End the current SSL connection and exit.
851
852=item B<r>
853
854Renegotiate the SSL session (TLSv1.2 and below only).
855
856=item B<R>
857
858Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
859only).
860
861=item B<P>
862
863Send some plain text down the underlying TCP connection: this should
864cause the client to disconnect due to a protocol violation.
865
866=item B<S>
867
868Print out some session cache status information.
869
870=item B<k>
871
872Send a key update message to the client (TLSv1.3 only)
873
874=item B<K>
875
876Send a key update message to the client and request one back (TLSv1.3 only)
877
878=item B<c>
879
880Send a certificate request to the client (TLSv1.3 only)
881
882=back
883
884=head1 NOTES
885
886This command can be used to debug SSL clients. To accept connections
887from a web browser the command:
888
889 openssl s_server -accept 443 -www
890
891can be used for example.
892
893Although specifying an empty list of CAs when requesting a client certificate
894is strictly speaking a protocol violation, some SSL clients interpret this to
895mean any CA is acceptable. This is useful for debugging purposes.
896
897The session parameters can printed out using the L<openssl-sess_id(1)> command.
898
899=head1 BUGS
900
901Because this program has a lot of options and also because some of the
902techniques used are rather old, the C source for this command is rather
903hard to read and not a model of how things should be done.
904A typical SSL server program would be much simpler.
905
906The output of common ciphers is wrong: it just gives the list of ciphers that
907OpenSSL recognizes and the client supports.
908
909There should be a way for this command to print out details
910of any unknown cipher suites a client says it supports.
911
912=head1 SEE ALSO
913
914L<openssl(1)>,
915L<openssl-sess_id(1)>,
916L<openssl-s_client(1)>,
917L<openssl-ciphers(1)>,
918L<SSL_CONF_cmd(3)>,
919L<SSL_CTX_set_max_send_fragment(3)>,
920L<SSL_CTX_set_split_send_fragment(3)>,
921L<SSL_CTX_set_max_pipelines(3)>,
922L<ossl_store-file(7)>
923
924=head1 HISTORY
925
926The -no_alt_chains option was added in OpenSSL 1.1.0.
927
928The
929-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
930
931The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
932option were deprecated in OpenSSL 3.0.
933
934=head1 COPYRIGHT
935
936Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
937
938Licensed under the Apache License 2.0 (the "License").  You may not use
939this file except in compliance with the License.  You can obtain a copy
940in the file LICENSE in the source distribution or at
941L<https://www.openssl.org/source/license.html>.
942
943=cut
944