Lines Matching +full:enable +full:- +full:ssl +full:- +full:trace
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-s_client - SSL/TLS client program
11 [B<-help>]
12 [B<-ssl_config> I<section>]
13 [B<-connect> I<host:port>]
14 [B<-host> I<hostname>]
15 [B<-port> I<port>]
16 [B<-bind> I<host:port>]
17 [B<-proxy> I<host:port>]
18 [B<-proxy_user> I<userid>]
19 [B<-proxy_pass> I<arg>]
20 [B<-unix> I<path>]
21 [B<-4>]
22 [B<-6>]
23 [B<-servername> I<name>]
24 [B<-noservername>]
25 [B<-verify> I<depth>]
26 [B<-verify_return_error>]
27 [B<-verify_quiet>]
28 [B<-verifyCAfile> I<filename>]
29 [B<-verifyCApath> I<dir>]
30 [B<-verifyCAstore> I<uri>]
31 [B<-cert> I<filename>]
32 [B<-certform> B<DER>|B<PEM>|B<P12>]
33 [B<-cert_chain> I<filename>]
34 [B<-build_chain>]
35 [B<-CRL> I<filename>]
36 [B<-CRLform> B<DER>|B<PEM>]
37 [B<-crl_download>]
38 [B<-key> I<filename>|I<uri>]
39 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
40 [B<-pass> I<arg>]
41 [B<-chainCAfile> I<filename>]
42 [B<-chainCApath> I<directory>]
43 [B<-chainCAstore> I<uri>]
44 [B<-requestCAfile> I<filename>]
45 [B<-dane_tlsa_domain> I<domain>]
46 [B<-dane_tlsa_rrdata> I<rrdata>]
47 [B<-dane_ee_no_namechecks>]
48 [B<-reconnect>]
49 [B<-showcerts>]
50 [B<-prexit>]
51 [B<-debug>]
52 [B<-trace>]
53 [B<-nocommands>]
54 [B<-security_debug>]
55 [B<-security_debug_verbose>]
56 [B<-msg>]
57 [B<-timeout>]
58 [B<-mtu> I<size>]
59 [B<-no_etm>]
60 [B<-keymatexport> I<label>]
61 [B<-keymatexportlen> I<len>]
62 [B<-msgfile> I<filename>]
63 [B<-nbio_test>]
64 [B<-state>]
65 [B<-nbio>]
66 [B<-crlf>]
67 [B<-ign_eof>]
68 [B<-no_ign_eof>]
69 [B<-psk_identity> I<identity>]
70 [B<-psk> I<key>]
71 [B<-psk_session> I<file>]
72 [B<-quiet>]
73 [B<-sctp>]
74 [B<-sctp_label_bug>]
75 [B<-fallback_scsv>]
76 [B<-async>]
77 [B<-maxfraglen> I<len>]
78 [B<-max_send_frag>]
79 [B<-split_send_frag>]
80 [B<-max_pipelines>]
81 [B<-read_buf>]
82 [B<-ignore_unexpected_eof>]
83 [B<-bugs>]
84 [B<-comp>]
85 [B<-no_comp>]
86 [B<-brief>]
87 [B<-legacy_server_connect>]
88 [B<-no_legacy_server_connect>]
89 [B<-allow_no_dhe_kex>]
90 [B<-sigalgs> I<sigalglist>]
91 [B<-curves> I<curvelist>]
92 [B<-cipher> I<cipherlist>]
93 [B<-ciphersuites> I<val>]
94 [B<-serverpref>]
95 [B<-starttls> I<protocol>]
96 [B<-name> I<hostname>]
97 [B<-xmpphost> I<hostname>]
98 [B<-name> I<hostname>]
99 [B<-tlsextdebug>]
100 [B<-no_ticket>]
101 [B<-sess_out> I<filename>]
102 [B<-serverinfo> I<types>]
103 [B<-sess_in> I<filename>]
104 [B<-serverinfo> I<types>]
105 [B<-status>]
106 [B<-alpn> I<protocols>]
107 [B<-nextprotoneg> I<protocols>]
108 [B<-ct>]
109 [B<-noct>]
110 [B<-ctlogfile>]
111 [B<-keylogfile> I<file>]
112 [B<-early_data> I<file>]
113 [B<-enable_pha>]
114 [B<-use_srtp> I<value>]
115 [B<-srpuser> I<value>]
116 [B<-srppass> I<value>]
117 [B<-srp_lateuser>]
118 [B<-srp_moregroups>]
119 [B<-srp_strength> I<number>]
120 {- $OpenSSL::safe::opt_name_synopsis -}
121 {- $OpenSSL::safe::opt_version_synopsis -}
122 {- $OpenSSL::safe::opt_x_synopsis -}
123 {- $OpenSSL::safe::opt_trust_synopsis -}
124 {- $OpenSSL::safe::opt_s_synopsis -}
125 {- $OpenSSL::safe::opt_r_synopsis -}
126 {- $OpenSSL::safe::opt_provider_synopsis -}
127 {- $OpenSSL::safe::opt_engine_synopsis -}[B<-ssl_client_engine> I<id>]
128 {- $OpenSSL::safe::opt_v_synopsis -}
133 This command implements a generic SSL/TLS client which
134 connects to a remote host using SSL/TLS. It is a I<very> useful diagnostic
135 tool for SSL servers.
146 =item B<-help>
150 =item B<-ssl_config> I<section>
154 =item B<-connect> I<host>:I<port>
161 =item B<-host> I<hostname>
163 Host to connect to; use B<-connect> instead.
165 =item B<-port> I<port>
167 Connect to the specified port; use B<-connect> instead.
169 =item B<-bind> I<host:port>
172 connection. For Unix-domain sockets the port is ignored and the host is
175 =item B<-proxy> I<host:port>
177 When used with the B<-connect> flag, the program uses the host and port
181 =item B<-proxy_user> I<userid>
183 When used with the B<-proxy> flag, the program will attempt to authenticate
186 in easily reversible base64 encoding before any TLS/SSL session is established.
187 Therefore, these credentials are easily recovered by anyone able to sniff/trace
190 =item B<-proxy_pass> I<arg>
192 The proxy password source, used with the B<-proxy_user> flag.
194 see L<openssl-passphrase-options(1)>.
196 =item B<-unix> I<path>
198 Connect over the specified Unix-domain socket.
200 =item B<-4>
204 =item B<-6>
208 =item B<-servername> I<name>
212 If B<-servername> is not provided, the TLS SNI extension will be populated with
213 the name given to B<-connect> if it follows a DNS name format. If B<-connect> is
218 B<-servername> is provided then that name will be sent, regardless of whether
221 This option cannot be used in conjunction with B<-noservername>.
223 =item B<-noservername>
226 ClientHello message. Cannot be used in conjunction with the B<-servername> or
227 B<-dane_tlsa_domain> options.
229 =item B<-cert> I<filename>
234 The chain for the client certificate may be specified using B<-cert_chain>.
236 =item B<-certform> B<DER>|B<PEM>|B<P12>
239 See L<openssl-format-options(1)> for details.
241 =item B<-cert_chain>
244 certificate chain related to the certificate specified via the B<-cert> option.
247 =item B<-build_chain>
252 =item B<-CRL> I<filename>
256 =item B<-CRLform> B<DER>|B<PEM>
259 See L<openssl-format-options(1)> for details.
261 =item B<-crl_download>
265 =item B<-key> I<filename>|I<uri>
270 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
273 See L<openssl-format-options(1)> for details.
275 =item B<-pass> I<arg>
279 see L<openssl-passphrase-options(1)>.
281 =item B<-verify> I<depth>
289 =item B<-verify_return_error>
294 =item B<-verify_quiet>
298 =item B<-verifyCAfile> I<filename>
303 =item B<-verifyCApath> I<dir>
308 see L<openssl-verify(1)> for more information.
310 =item B<-verifyCAstore> I<uri>
315 =item B<-chainCAfile> I<file>
320 =item B<-chainCApath> I<directory>
325 see L<openssl-verify(1)> for more information.
327 =item B<-chainCAstore> I<uri>
332 With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
333 B<-chainCApath>, depending on if the URI indicates a directory or a
335 See L<ossl_store-file(7)> for more information on the C<file:> scheme.
337 =item B<-requestCAfile> I<file>
343 =item B<-dane_tlsa_domain> I<domain>
345 Enable RFC6698/RFC7671 DANE TLSA authentication and specify the
348 combination with at least one instance of the B<-dane_tlsa_rrdata>
354 anchor public key that signed (rather than matched) the top-most
359 =item B<-dane_tlsa_rrdata> I<rrdata>
368 $ openssl s_client -brief -starttls smtp \
369 -connect smtp.example.com:25 \
370 -dane_tlsa_domain smtp.example.com \
371 -dane_tlsa_rrdata "2 1 1
373 -dane_tlsa_rrdata "2 1 1
381 =item B<-dane_ee_no_namechecks>
383 This disables server name checks when authenticating via DANE-EE(3) TLSA
389 The malicious server may then be able to violate cross-origin scripting
392 DANE-EE(3) TLSA records, and can be disabled in applications where it is safe
399 =item B<-reconnect>
404 =item B<-showcerts>
410 =item B<-prexit>
421 =item B<-state>
423 Prints out the SSL session states.
425 =item B<-debug>
429 =item B<-nocommands>
433 =item B<-security_debug>
435 Enable security debug messages.
437 =item B<-security_debug_verbose>
441 =item B<-msg>
445 =item B<-timeout>
447 Enable send/receive timeout on DTLS connections.
449 =item B<-mtu> I<size>
453 =item B<-no_etm>
455 Disable Encrypt-then-MAC negotiation.
457 =item B<-keymatexport> I<label>
461 =item B<-keymatexportlen> I<len>
467 =item B<-trace>
469 Show verbose trace output of protocol messages.
471 =item B<-msgfile> I<filename>
473 File to send output of B<-msg> or B<-trace> to, default standard output.
475 =item B<-nbio_test>
479 =item B<-nbio>
483 =item B<-crlf>
488 =item B<-ign_eof>
493 =item B<-quiet>
496 turns on B<-ign_eof> as well.
498 =item B<-no_ign_eof>
501 Can be used to override the implicit B<-ign_eof> after B<-quiet>.
503 =item B<-psk_identity> I<identity>
508 =item B<-psk> I<key>
511 given as a hexadecimal number without leading 0x, for example -psk
515 =item B<-psk_session> I<file>
520 =item B<-sctp>
523 conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
526 =item B<-sctp_label_bug>
529 endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
531 implementations. Must be used in conjunction with B<-sctp>. This option is only
534 =item B<-fallback_scsv>
538 =item B<-async>
542 is also used via the B<-engine> option. For test purposes the dummy async engine
545 =item B<-maxfraglen> I<len>
547 Enable Maximum Fragment Length Negotiation; allowed values are
550 =item B<-max_send_frag> I<int>
555 =item B<-split_send_frag> I<int>
564 =item B<-max_pipelines> I<int>
571 =item B<-read_buf> I<int>
578 =item B<-ignore_unexpected_eof>
587 =item B<-bugs>
589 There are several known bugs in SSL and TLS implementations. Adding this
592 =item B<-comp>
594 Enables support for SSL/TLS compression.
599 =item B<-no_comp>
601 Disables support for SSL/TLS compression.
605 =item B<-brief>
610 =item B<-sigalgs> I<sigalglist>
616 =item B<-curves> I<curvelist>
621 $ openssl ecparam -list_curves
623 =item B<-cipher> I<cipherlist>
629 L<openssl-ciphers(1)> for more information.
631 =item B<-ciphersuites> I<val>
637 L<openssl-ciphers(1)> for more information. The format for this list is a simple
640 =item B<-starttls> I<protocol>
642 Send the protocol-specific message(s) to switch to TLS for communication.
644 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
647 =item B<-xmpphost> I<hostname>
649 This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
651 If this option is not specified, then the host specified with "-connect"
654 This option is an alias of the B<-name> option for "xmpp" and "xmpp-server".
656 =item B<-name> I<hostname>
659 used with B<-starttls> option. Currently only "xmpp", "xmpp-server",
660 "smtp" and "lmtp" can utilize this B<-name> option.
662 If this option is used with "-starttls xmpp" or "-starttls xmpp-server",
664 option is not specified, then the host specified with "-connect" will be used.
666 If this option is used with "-starttls lmtp" or "-starttls smtp", it specifies
670 =item B<-tlsextdebug>
674 =item B<-no_ticket>
678 =item B<-sess_out> I<filename>
680 Output SSL session to I<filename>.
682 =item B<-sess_in> I<filename>
684 Load SSL session from I<filename>. The client will attempt to resume a
687 =item B<-serverinfo> I<types>
689 A list of comma-separated TLS Extension Types (numbers between 0 and
694 =item B<-status>
699 =item B<-alpn> I<protocols>, B<-nextprotoneg> I<protocols>
701 These flags enable the Application-Layer Protocol Negotiation
704 The I<protocols> list is a comma-separated list of protocol names that
711 The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
713 =item B<-ct>, B<-noct>
716 is enabled (B<-ct>) or disabled (B<-noct>).
723 =item B<-ctlogfile>
728 =item B<-keylogfile> I<file>
733 =item B<-early_data> I<file>
739 =item B<-enable_pha>
741 For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
742 happen whether or not a certificate has been provided via B<-cert>.
744 =item B<-use_srtp> I<value>
746 Offer SRTP key management, where B<value> is a colon-separated profile list.
748 =item B<-srpuser> I<value>
752 =item B<-srppass> I<value>
756 =item B<-srp_lateuser>
760 =item B<-srp_moregroups> This option is deprecated.
764 =item B<-srp_strength> I<number>
769 {- $OpenSSL::safe::opt_version_item -}
771 {- $OpenSSL::safe::opt_name_item -}
773 {- $OpenSSL::safe::opt_x_item -}
775 {- $OpenSSL::safe::opt_trust_item -}
777 {- $OpenSSL::safe::opt_s_item -}
779 {- $OpenSSL::safe::opt_r_item -}
781 {- $OpenSSL::safe::opt_provider_item -}
783 {- $OpenSSL::safe::opt_engine_item -}
785 {- output_off() if $disabled{"deprecated-3.0"}; "" -}
786 =item B<-ssl_client_engine> I<id>
789 {- output_on() if $disabled{"deprecated-3.0"}; "" -}
791 {- $OpenSSL::safe::opt_v_item -}
794 proceed unless the B<-verify_return_error> option is used.
798 Rather than providing B<-connect>, the target hostname and optional port may
800 nor B<-connect> are provided, falls back to attempting to connect to
807 If a connection is established with an SSL server then any data received
810 used interactively (which means neither B<-quiet> nor B<-ign_eof> have been
819 End the current SSL connection and exit.
823 Renegotiate the SSL session (TLSv1.2 and below only).
837 This command can be used to debug SSL servers. To connect to an SSL HTTP
840 openssl s_client -connect servername:443
846 nothing obvious like no client certificate then the B<-bugs>,
847 B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
858 is necessary to use the B<-prexit> option and send an HTTP request
861 If a certificate is specified on the command line using the B<-cert>
867 B<-showcerts> option can be used to show all the certificates sent by the
872 accept any certificate chain (trusted or not) sent by the peer. Non-test
874 attack. This behaviour can be changed with the B<-verify_return_error>
877 The B<-bind> option may be useful if the server or a firewall requires
885 A typical SSL client program would be much simpler.
887 The B<-prexit> option is a bit of a hack. We should really report
893 L<openssl-sess_id(1)>,
894 L<openssl-s_server(1)>,
895 L<openssl-ciphers(1)>,
900 L<ossl_store-file(7)>
904 The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
905 The B<-name> option was added in OpenSSL 1.1.1.
907 The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
909 The B<-engine> option was deprecated in OpenSSL 3.0.
913 Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.