Documentation for missing s_client/s_server options

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6209)

2 files changed, 95 insertions, 2 deletions

diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 373b2d760c..69bae9429d 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -23,9 +23,19 @@ B<openssl> B<s_client>
 [B<-certform DER|PEM>]
 [B<-key filename>]
 [B<-keyform DER|PEM>]
+[B<-cert_chain filename>]
+[B<-build_chain>]
+[B<-xkey>]
+[B<-xcert>]
+[B<-xchain>]
+[B<-xchain_build>]
+[B<-xcertform PEM|DER>]
+[B<-xkeyform PEM|DER>]
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-chainCApath directory>]
+[B<-chainCAfile filename>]
 [B<-no-CAfile>]
 [B<-no-CApath>]
 [B<-requestCAfile filename>]
@@ -60,6 +70,7 @@ B<openssl> B<s_client>
 [B<-verify_hostname hostname>]
 [B<-verify_ip ip>]
 [B<-verify_name name>]
+[B<-build_chain>]
 [B<-x509_strict>]
 [B<-reconnect>]
 [B<-showcerts>]
@@ -212,6 +223,34 @@ be used.
 
 The private format to use: DER or PEM. PEM is the default.
 
+=item B<-cert_chain>
+
+A file containing trusted certificates to use when attempting to build the
+client/server certificate chain related to the certificate specified via the
+B<-cert> option.
+
+=item B<-build_chain>
+
+Specify whether the application should build the certificate chain to be
+provided to the server.
+
+=item B<-xkey infile>, B<-xcert infile>, B<-xchain>
+
+Specify an extra certificate, private key and certificate chain. These behave
+in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options.  When
+specified, the callback returning the first valid chain will be in use by the
+client.
+
+=item B<-xchain_build>
+
+Specify whether the application should build the certificate chain to be
+provided to the server for the extra certificates provided via B<-xkey infile>,
+B<-xcert infile>, B<-xchain> options.
+
+=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
+
+Extra certificate and private key format respectively.
+
 =item B<-pass arg>
 
 the private key password source. For more information about the format of B<arg>
@@ -240,7 +279,7 @@ set multiple options. See the L<x509(1)> manual page for details.
 =item B<-CApath directory>
 
 The directory to use for server certificate verification. This directory
-must be in "hash format", see B<verify> for more information. These are
+must be in "hash format", see L<verify(1)> for more information. These are
 also used when building the client certificate chain.
 
 =item B<-CAfile file>
@@ -248,6 +287,16 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
+=item B<-chainCApath directory>
+
+The directory to use for building the chain provided to the server. This
+directory must be in "hash format", see L<verify(1)> for more information.
+
+=item B<-chainCAfile file>
+
+A file containing trusted certificates to use when attempting to build the
+client certificate chain.
+
 =item B<-no-CAfile>
 
 Do not load the trusted CA certificates from the default file location
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index f89d4de6cf..2b7db637b1 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -246,6 +246,17 @@ certificate and some require a certificate with a certain public key type:
 for example the DSS cipher suites require a certificate containing a DSS
 (DSA) key. If not specified then the filename "server.pem" will be used.
 
+=item B<-cert_chain>
+
+A file containing trusted certificates to use when attempting to build the
+client/server certificate chain related to the certificate specified via the
+B<-cert> option.
+
+=item B<-build_chain>
+
+Specify whether the application should build the certificate chain to be
+provided to the client.
+
 =item B<-nameopt val>
 
 Option which determines how the subject or issuer names are displayed. The
@@ -295,10 +306,33 @@ and some a DSS (DSA) key. By using RSA and DSS certificates and keys
 a server can support clients which only support RSA or DSS cipher suites
 by using an appropriate certificate.
 
+=item B<-dcert_chain>
+
+A file containing trusted certificates to use when attempting to build the
+server certificate chain when a certificate specified via the B<-dcert> option
+is in use.
+
 =item B<-dcertform PEM|DER>, B<-dkeyform PEM|DER>, B<-dpass val>
 
 Additional certificate and private key format and passphrase respectively.
 
+=item B<-xkey infile>, B<-xcert infile>, B<-xchain>
+
+Specify an extra certificate, private key and certificate chain. These behave
+in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options.  When
+specified, the callback returning the first valid chain will be in use by
+the server.
+
+=item B<-xchain_build>
+
+Specify whether the application should build the certificate chain to be
+provided to the client for the extra certificates provided via B<-xkey infile>,
+B<-xcert infile>, B<-xchain> options.
+
+=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
+
+Extra certificate and private key format respectively.
+
 =item B<-nbio_test>
 
 Tests non blocking I/O.
@@ -333,9 +367,19 @@ a certificate is requested.
 =item B<-CApath dir>
 
 The directory to use for client certificate verification. This directory
-must be in "hash format", see B<verify> for more information. These are
+must be in "hash format", see L<verify(1)> for more information. These are
 also used when building the server certificate chain.
 
+=item B<-chainCApath dir>
+
+The directory to use for building the chain provided to the client. This
+directory must be in "hash format", see L<verify(1)> for more information.
+
+=item B<-chainCAfile file>
+
+A file containing trusted certificates to use when attempting to build the
+server certificate chain.
+
 =item B<-no-CAfile>
 
 Do not load the trusted CA certificates from the default file location.