Lines Matching +full:- +full:b

5 openssl-s_client,
6 s_client - SSL/TLS client program
10 B<openssl> B<s_client>
11 [B<-help>]
12 [B<-connect host:port>]
13 [B<-bind host:port>]
14 [B<-proxy host:port>]
15 [B<-unix path>]
16 [B<-4>]
17 [B<-6>]
18 [B<-servername name>]
19 [B<-noservername>]
20 [B<-verify depth>]
21 [B<-verify_return_error>]
22 [B<-cert filename>]
23 [B<-certform DER|PEM>]
24 [B<-key filename>]
25 [B<-keyform DER|PEM>]
26 [B<-cert_chain filename>]
27 [B<-build_chain>]
28 [B<-xkey>]
29 [B<-xcert>]
30 [B<-xchain>]
31 [B<-xchain_build>]
32 [B<-xcertform PEM|DER>]
33 [B<-xkeyform PEM|DER>]
34 [B<-pass arg>]
35 [B<-CApath directory>]
36 [B<-CAfile filename>]
37 [B<-chainCApath directory>]
38 [B<-chainCAfile filename>]
39 [B<-no-CAfile>]
40 [B<-no-CApath>]
41 [B<-requestCAfile filename>]
42 [B<-dane_tlsa_domain domain>]
43 [B<-dane_tlsa_rrdata rrdata>]
44 [B<-dane_ee_no_namechecks>]
45 [B<-attime timestamp>]
46 [B<-check_ss_sig>]
47 [B<-crl_check>]
48 [B<-crl_check_all>]
49 [B<-explicit_policy>]
50 [B<-extended_crl>]
51 [B<-ignore_critical>]
52 [B<-inhibit_any>]
53 [B<-inhibit_map>]
54 [B<-no_check_time>]
55 [B<-partial_chain>]
56 [B<-policy arg>]
57 [B<-policy_check>]
58 [B<-policy_print>]
59 [B<-purpose purpose>]
60 [B<-suiteB_128>]
61 [B<-suiteB_128_only>]
62 [B<-suiteB_192>]
63 [B<-trusted_first>]
64 [B<-no_alt_chains>]
65 [B<-use_deltas>]
66 [B<-auth_level num>]
67 [B<-nameopt option>]
68 [B<-verify_depth num>]
69 [B<-verify_email email>]
70 [B<-verify_hostname hostname>]
71 [B<-verify_ip ip>]
72 [B<-verify_name name>]
73 [B<-build_chain>]
74 [B<-x509_strict>]
75 [B<-reconnect>]
76 [B<-showcerts>]
77 [B<-debug>]
78 [B<-msg>]
79 [B<-nbio_test>]
80 [B<-state>]
81 [B<-nbio>]
82 [B<-crlf>]
83 [B<-ign_eof>]
84 [B<-no_ign_eof>]
85 [B<-psk_identity identity>]
86 [B<-psk key>]
87 [B<-psk_session file>]
88 [B<-quiet>]
89 [B<-ssl3>]
90 [B<-tls1>]
91 [B<-tls1_1>]
92 [B<-tls1_2>]
93 [B<-tls1_3>]
94 [B<-no_ssl3>]
95 [B<-no_tls1>]
96 [B<-no_tls1_1>]
97 [B<-no_tls1_2>]
98 [B<-no_tls1_3>]
99 [B<-dtls>]
100 [B<-dtls1>]
101 [B<-dtls1_2>]
102 [B<-sctp>]
103 [B<-sctp_label_bug>]
104 [B<-fallback_scsv>]
105 [B<-async>]
106 [B<-max_send_frag>]
107 [B<-split_send_frag>]
108 [B<-max_pipelines>]
109 [B<-read_buf>]
110 [B<-bugs>]
111 [B<-comp>]
112 [B<-no_comp>]
113 [B<-allow_no_dhe_kex>]
114 [B<-sigalgs sigalglist>]
115 [B<-curves curvelist>]
116 [B<-cipher cipherlist>]
117 [B<-ciphersuites val>]
118 [B<-serverpref>]
119 [B<-starttls protocol>]
120 [B<-xmpphost hostname>]
121 [B<-name hostname>]
122 [B<-engine id>]
123 [B<-tlsextdebug>]
124 [B<-no_ticket>]
125 [B<-sess_out filename>]
126 [B<-sess_in filename>]
127 [B<-rand file...>]
128 [B<-writerand file>]
129 [B<-serverinfo types>]
130 [B<-status>]
131 [B<-alpn protocols>]
132 [B<-nextprotoneg protocols>]
133 [B<-ct>]
134 [B<-noct>]
135 [B<-ctlogfile>]
136 [B<-keylogfile file>]
137 [B<-early_data file>]
138 [B<-enable_pha>]
139 [B<target>]
143 The B<s_client> command implements a generic SSL/TLS client which connects
149 In addition to the options below the B<s_client> utility also supports the
156 =item B<-help>
160 =item B<-connect host:port>
167 =item B<-bind host:port>
170 connection. For Unix-domain sockets the port is ignored and the host is
173 =item B<-proxy host:port>
175 When used with the B<-connect> flag, the program uses the host and port
179 =item B<-unix path>
181 Connect over the specified Unix-domain socket.
183 =item B<-4>
187 =item B<-6>
191 =item B<-servername name>
195 If B<-servername> is not provided, the TLS SNI extension will be populated with
196 the name given to B<-connect> if it follows a DNS name format. If B<-connect> is
201 B<-servername> is provided then that name will be sent, regardless of whether
204 This option cannot be used in conjunction with B<-noservername>.
206 =item B<-noservername>
209 ClientHello message. Cannot be used in conjunction with the B<-servername> or
210 B<-dane_tlsa_domain> options.
212 =item B<-cert certname>
217 =item B<-certform format>
221 =item B<-key keyfile>
226 =item B<-keyform format>
230 =item B<-cert_chain>
234 B<-cert> option.
236 =item B<-build_chain>
241 =item B<-xkey infile>, B<-xcert infile>, B<-xchain>
244 in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
248 =item B<-xchain_build>
251 provided to the server for the extra certificates provided via B<-xkey infile>,
252 B<-xcert infile>, B<-xchain> options.
254 =item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
258 =item B<-pass arg>
260 the private key password source. For more information about the format of B<arg>
263 =item B<-verify depth>
271 =item B<-verify_return_error>
276 =item B<-nameopt option>
279 B<option> argument can be a single option or multiple options separated by
280 commas. Alternatively the B<-nameopt> switch may be used more than once to
283 =item B<-CApath directory>
289 =item B<-CAfile file>
294 =item B<-chainCApath directory>
299 =item B<-chainCAfile file>
304 =item B<-no-CAfile>
308 =item B<-no-CApath>
312 =item B<-requestCAfile file>
315 to the server in the B<certificate_authorities> extension. Only supported
318 =item B<-dane_tlsa_domain domain>
323 combination with at least one instance of the B<-dane_tlsa_rrdata>
329 anchor public key that signed (rather than matched) the top-most
334 =item B<-dane_tlsa_rrdata rrdata>
337 RRset associated with the target service. The B<rrdata> value is
343 $ openssl s_client -brief -starttls smtp \
344 -connect smtp.example.com:25 \
345 -dane_tlsa_domain smtp.example.com \
346 -dane_tlsa_rrdata "2 1 1
348 -dane_tlsa_rrdata "2 1 1
356 =item B<-dane_ee_no_namechecks>
358 This disables server name checks when authenticating via DANE-EE(3) TLSA
364 The malicious server may then be able to violate cross-origin scripting
367 DANE-EE(3) TLSA records, and can be disabled in applications where it is safe
374 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
375 B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
376 B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
377 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
378 B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
379 B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
380 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
385 =item B<-reconnect>
390 =item B<-showcerts>
394 B<not> a verified chain.
396 =item B<-prexit>
407 =item B<-state>
411 =item B<-debug>
415 =item B<-msg>
419 =item B<-trace>
422 with B<enable-ssl-trace> for this option to work.
424 =item B<-msgfile>
426 File to send output of B<-msg> or B<-trace> to, default standard output.
428 =item B<-nbio_test>
432 =item B<-nbio>
436 =item B<-crlf>
441 =item B<-ign_eof>
446 =item B<-quiet>
449 turns on B<-ign_eof> as well.
451 =item B<-no_ign_eof>
454 Can be used to override the implicit B<-ign_eof> after B<-quiet>.
456 =item B<-psk_identity identity>
458 Use the PSK identity B<identity> when using a PSK cipher suite.
461 =item B<-psk key>
463 Use the PSK key B<key> when using a PSK cipher suite. The key is
464 given as a hexadecimal number without leading 0x, for example -psk
468 =item B<-psk_session file>
470 Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
473 =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_…
476 By default B<s_client> will negotiate the highest mutually supported protocol
483 =item B<-dtls>, B<-dtls1>, B<-dtls1_2>
485 These options make B<s_client> use DTLS protocols instead of TLS.
486 With B<-dtls>, B<s_client> will negotiate any supported DTLS protocol version,
487 whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
490 =item B<-sctp>
493 conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
496 =item B<-sctp_label_bug>
499 endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
501 implementations. Must be used in conjunction with B<-sctp>. This option is only
504 =item B<-fallback_scsv>
508 =item B<-async>
512 is also used via the B<-engine> option. For test purposes the dummy async engine
515 =item B<-max_send_frag int>
520 =item B<-split_send_frag int>
529 =item B<-max_pipelines int>
536 =item B<-read_buf int>
543 =item B<-bugs>
548 =item B<-comp>
555 =item B<-no_comp>
561 =item B<-brief>
566 =item B<-sigalgs sigalglist>
572 =item B<-curves curvelist>
577 $ openssl ecparam -list_curves
579 =item B<-cipher cipherlist>
585 B<ciphers> command for more information.
587 =item B<-ciphersuites val>
593 B<ciphers> command for more information. The format for this list is a simple
596 =item B<-starttls protocol>
598 Send the protocol-specific message(s) to switch to TLS for communication.
599 B<protocol> is a keyword for the intended protocol. Currently, the only
600 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
603 =item B<-xmpphost hostname>
605 This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
607 If this option is not specified, then the host specified with "-connect"
610 This option is an alias of the B<-name> option for "xmpp" and "xmpp-server".
612 =item B<-name hostname>
615 used with B<-starttls> option. Currently only "xmpp", "xmpp-server",
616 "smtp" and "lmtp" can utilize this B<-name> option.
618 If this option is used with "-starttls xmpp" or "-starttls xmpp-server",
620 option is not specified, then the host specified with "-connect" will be used.
622 If this option is used with "-starttls lmtp" or "-starttls smtp", it specifies
626 =item B<-tlsextdebug>
630 =item B<-no_ticket>
634 =item B<-sess_out filename>
636 Output SSL session to B<filename>.
638 =item B<-sess_in sess.pem>
640 Load SSL session from B<filename>. The client will attempt to resume a
643 =item B<-engine id>
645 Specifying an engine (by its unique B<id> string) will cause B<s_client>
650 =item B<-rand file...>
654 Multiple files can be specified separated by an OS-dependent character.
655 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
658 =item B<-writerand file>
661 This can be used with a subsequent B<-rand> flag.
663 =item B<-serverinfo types>
665 A list of comma-separated TLS Extension Types (numbers between 0 and
670 =item B<-status>
675 =item B<-alpn protocols>, B<-nextprotoneg protocols>
677 These flags enable the Application-Layer Protocol Negotiation
680 The B<protocols> list is a comma-separated list of protocol names that
687 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
689 =item B<-ct>, B<-noct>
692 is enabled (B<-ct>) or disabled (B<-noct>).
699 =item B<-ctlogfile>
704 =item B<-keylogfile file>
709 =item B<-early_data file>
715 =item B<-enable_pha>
717 For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
718 happen whether or not a certificate has been provided via B<-cert>.
720 =item B<[target]>
722 Rather than providing B<-connect>, the target hostname and optional port may
724 nor B<-connect> are provided, falls back to attempting to connect to localhost
734 used interactively (which means neither B<-quiet> nor B<-ign_eof> have been
741 =item B<Q>
745 =item B<R>
749 =item B<B>
753 =item B<k>
757 =item B<K>
765 B<s_client> can be used to debug SSL servers. To connect to an SSL HTTP
768 openssl s_client -connect servername:443
774 nothing obvious like no client certificate then the B<-bugs>,
775 B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
777 options B<before> submitting a bug report to an OpenSSL mailing list.
783 requests a certificate. By using B<s_client> the CA list can be viewed
786 is necessary to use the B<-prexit> option and send an HTTP request
789 If a certificate is specified on the command line using the B<-cert>
795 B<-showcerts> option can be used to show all the certificates sent by the
798 The B<s_client> utility is a test tool and is designed to continue the
800 accept any certificate chain (trusted or not) sent by the peer. Non-test
801 applications should B<not> do this as it makes them vulnerable to a MITM
802 attack. This behaviour can be changed with the B<-verify_return_error>
805 The B<-bind> option may be useful if the server or a firewall requires
811 techniques used are rather old, the C source of B<s_client> is rather hard to
815 The B<-prexit> option is a bit of a hack. We should really report
826 The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
827 The B<-name> option was added in OpenSSL 1.1.1.
831 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.