diff options
| -rw-r--r-- | apps/s_client.c | 2 | ||||
| -rw-r--r-- | apps/s_server.c | 2 | ||||
| -rw-r--r-- | doc/apps/s_client.pod | 31 | ||||
| -rw-r--r-- | doc/apps/s_server.pod | 13 |
4 files changed, 48 insertions, 0 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index 602275ba09..4f502158ab 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -236,6 +236,8 @@ static void sc_usage(void) BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); #ifndef OPENSSL_NO_TLSEXT BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); #endif } diff --git a/apps/s_server.c b/apps/s_server.c index 343a05cefc..7c5775f81c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -395,6 +395,8 @@ static void sv_usage(void) BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); #endif } diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index c17a83a225..c44d357cf7 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -38,6 +38,10 @@ B<openssl> B<s_client> [B<-cipher cipherlist>] [B<-starttls protocol>] [B<-engine id>] +[B<-tlsextdebug>] +[B<-no_ticket>] +[B<-sess_out filename>] +[B<-sess_in filename>] [B<-rand file(s)>] =head1 DESCRIPTION @@ -186,6 +190,26 @@ send the protocol-specific message(s) to switch to TLS for communication. B<protocol> is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp". +=item B<-tlsextdebug> + +print out a hex dump of any TLS extensions received from the server. Note: this +option is only available if extension support is explicitly enabled at compile +time + +=item B<-no_ticket> + +disable RFC4507bis session ticket support. Note: this option is only available +if extension support is explicitly enabled at compile time + +=item B<-sess_out filename> + +output SSL session to B<filename> + +=item B<-sess_in sess.pem> + +load SSL session from B<filename>. The client will attempt to resume a +connection from this session. + =item B<-engine id> specifying an engine (by it's unique B<id> string) will cause B<s_client> @@ -246,6 +270,13 @@ on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. +Since the SSLv23 client hello cannot include compression methods or extensions +these will only be supported if its use is disabled, for example by using the +B<-no_sslv2> option. + +TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly +enabled at compile time using for example the B<enable-tlsext> switch. + =head1 BUGS Because this program has a lot of options and also because some of diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 7c1a9581d9..57c2adfb9f 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -48,6 +48,8 @@ B<openssl> B<s_server> [B<-WWW>] [B<-HTTP>] [B<-engine id>] +[B<-tlsextdebug>] +[B<-no_ticket>] [B<-id_prefix arg>] [B<-rand file(s)>] @@ -205,6 +207,14 @@ also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist irrelevant. See the B<ciphers> command for more information. +=item B<-tlsextdebug> + +print out a hex dump of any TLS extensions received from the server. + +=item B<-no_ticket> + +disable RFC4507bis session ticket support. + =item B<-www> sends a status message back to the client when it connects. This includes @@ -307,6 +317,9 @@ mean any CA is acceptable. This is useful for debugging purposes. The session parameters can printed out using the B<sess_id> program. +TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly +enabled at compile time using for example the B<enable-tlsext> switch. + =head1 BUGS Because this program has a lot of options and also because some of |