From 169394d45645bb686a187db6517aab7caeae82b0 Mon Sep 17 00:00:00 2001 From: A J Mohan Rao Date: Fri, 5 Feb 2016 11:58:45 -0500 Subject: GH628: Add -help to all apps docs. Signed-off-by: Rich Salz Reviewed-by: Matt Caswell --- doc/apps/ca.pod | 5 + doc/apps/cms.pod | 5 + doc/apps/crl.pod | 5 + doc/apps/crl2pkcs7.pod | 5 + doc/apps/dgst.pod | 5 + doc/apps/dhparam.pod | 5 + doc/apps/dsa.pod | 5 + doc/apps/dsaparam.pod | 5 + doc/apps/ec.pod | 5 + doc/apps/ecparam.pod | 5 + doc/apps/enc.pod | 5 + doc/apps/gendsa.pod | 10 + doc/apps/genpkey.pod | 9 +- doc/apps/genrsa.pod | 9 +- doc/apps/nseq.pod | 5 + doc/apps/ocsp.pod | 5 + doc/apps/passwd.pod | 5 + doc/apps/pkcs12.pod | 5 + doc/apps/pkcs7.pod | 5 + doc/apps/pkcs8.pod | 5 + doc/apps/pkey.pod | 5 + doc/apps/pkeyparam.pod | 5 + doc/apps/pkeyutl.pod | 5 + doc/apps/rand.pod | 5 + doc/apps/rehash.pod | 10 +- doc/apps/req.pod | 5 + doc/apps/rsa.pod | 5 + doc/apps/rsautl.pod | 7 +- doc/apps/s_client.pod | 5 + doc/apps/s_client.pod.orig | 495 ++++++++++++++++++++++++++++++++++++++++++ doc/apps/s_server.pod | 5 + doc/apps/s_server.pod.orig | 523 +++++++++++++++++++++++++++++++++++++++++++++ doc/apps/s_time.pod | 5 + doc/apps/sess_id.pod | 5 + doc/apps/smime.pod | 5 + doc/apps/spkac.pod | 5 + doc/apps/ts.pod | 5 + doc/apps/verify.pod | 10 +- doc/apps/version.pod | 5 + doc/apps/x509.pod | 5 + 40 files changed, 1218 insertions(+), 15 deletions(-) create mode 100644 doc/apps/s_client.pod.orig create mode 100644 doc/apps/s_server.pod.orig diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 3a3d1b6eac..73b6d22e72 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -8,6 +8,7 @@ ca - sample minimal CA application =head1 SYNOPSIS B B +[B<-help>] [B<-verbose>] [B<-config filename>] [B<-name section>] 
@@ -143,6 +144,10 @@ self-signed certificate. the key password source. For more information about the format of B see the B section in L. +=item B<-help> + +Print out a usage message. + =item B<-verbose> this prints extra details about the operations being performed. diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 074765a7b7..da91c7f458 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -7,6 +7,7 @@ cms - CMS utility =head1 SYNOPSIS B B +[B<-help>] [B<-encrypt>] [B<-decrypt>] [B<-sign>] @@ -109,6 +110,10 @@ type. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-encrypt> encrypt mail for the given recipient certificates. Input file is the message diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod index 7dccbcc67f..2deecfec66 100644 --- a/doc/apps/crl.pod +++ b/doc/apps/crl.pod @@ -7,6 +7,7 @@ crl - CRL utility =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-text>] @@ -29,6 +30,10 @@ The B command processes CRL files in DER or PEM format. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. B format is DER encoded CRL diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod index 1a6e362c6a..bc64412678 100644 --- a/doc/apps/crl2pkcs7.pod +++ b/doc/apps/crl2pkcs7.pod @@ -7,6 +7,7 @@ crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates. =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -24,6 +25,10 @@ only" structure. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the CRL input format. B format is DER encoded CRL diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index abcd93a291..25794c13bb 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod 
@@ -7,6 +7,7 @@ dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5 - mes =head1 SYNOPSIS B B +[B<-help>] [B<-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md4|-md5>] [B<-c>] [B<-d>] @@ -45,6 +46,10 @@ command. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-c> print out the digest in two digit groups separated by colons, only relevant if diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod index 71c61eaf6c..5cf4d4f73f 100644 --- a/doc/apps/dhparam.pod +++ b/doc/apps/dhparam.pod @@ -7,6 +7,7 @@ dhparam - DH parameter manipulation and generation =head1 SYNOPSIS B +[B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-in> I] @@ -30,6 +31,10 @@ This command is used to manipulate DH parameter files. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod index 4331cc379e..2d370ec5ed 100644 --- a/doc/apps/dsa.pod +++ b/doc/apps/dsa.pod @@ -7,6 +7,7 @@ dsa - DSA key processing =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -40,6 +41,10 @@ applications should use the more secure PKCS#8 format using the B =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. The B option with a private key uses diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod index 0ac560a146..1db71415e2 100644 --- a/doc/apps/dsaparam.pod +++ b/doc/apps/dsaparam.pod @@ -7,6 +7,7 @@ dsaparam - DSA parameter manipulation and generation =head1 SYNOPSIS B +[B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-in filename>] @@ -27,6 +28,10 @@ This command is used to manipulate or generate DSA parameter files. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded 
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod index b8ea645ba3..9cf579d1a2 100644 --- a/doc/apps/ec.pod +++ b/doc/apps/ec.pod @@ -7,6 +7,7 @@ ec - EC key processing =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -39,6 +40,10 @@ PKCS#8 private key format use the B command. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. The B option with a private key uses diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod index 12a48ca835..767bb9ca1f 100644 --- a/doc/apps/ecparam.pod +++ b/doc/apps/ecparam.pod @@ -7,6 +7,7 @@ ecparam - EC parameter manipulation and generation =head1 SYNOPSIS B +[B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-in filename>] @@ -32,6 +33,10 @@ This command is used to manipulate or generate EC parameter files. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN.1 DER encoded diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index b3c89bb4e3..8b4c858b0d 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -7,6 +7,7 @@ enc - symmetric cipher routines =head1 SYNOPSIS B +[B<-help>] [B<-in filename>] [B<-out filename>] [B<-pass arg>] @@ -42,6 +43,10 @@ either by itself or in addition to the encryption or decryption. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-in filename> the input filename, standard input by default. diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod index 9a8278fdbd..3c9687b6f7 100644 --- a/doc/apps/gendsa.pod +++ b/doc/apps/gendsa.pod @@ -7,6 +7,7 @@ gendsa - generate a DSA private key from a set of parameters =head1 SYNOPSIS B B +[B<-help>] [B<-out filename>] [B<-aes128>] [B<-aes192>] 
@@ -30,6 +31,15 @@ The B command generates a DSA private key from a DSA parameter file =over 4 +=item B<-help> + +Print out a usage message. + +=item B<-out filename> + +Output the key to the specified file. If this argument is not specified then +standard output is used. + =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> These options encrypt the private key with specified diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod index dee9722039..1bb8c6036a 100644 --- a/doc/apps/genpkey.pod +++ b/doc/apps/genpkey.pod @@ -7,6 +7,7 @@ genpkey - generate a private key =head1 SYNOPSIS B B +[B<-help>] [B<-out filename>] [B<-outform PEM|DER>] [B<-pass arg>] @@ -26,10 +27,14 @@ The B command generates a private key. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-out filename> -the output filename. If this argument is not specified then standard output is -used. +Output the key to the specified file. If this argument is not specified then +standard output is used. =item B<-outform DER|PEM> diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod index c817db5217..0eb8600467 100644 --- a/doc/apps/genrsa.pod +++ b/doc/apps/genrsa.pod @@ -7,6 +7,7 @@ genrsa - generate an RSA private key =head1 SYNOPSIS B B +[B<-help>] [B<-out filename>] [B<-passout arg>] [B<-aes128>] @@ -32,10 +33,14 @@ The B command generates an RSA private key. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-out filename> -the output filename. If this argument is not specified then standard output is -used. +Output the key to the specified file. If this argument is not specified then +standard output is used. =item B<-passout arg> diff --git a/doc/apps/nseq.pod b/doc/apps/nseq.pod index 989c3108fb..198e7f49d3 100644 --- a/doc/apps/nseq.pod +++ b/doc/apps/nseq.pod @@ -7,6 +7,7 @@ nseq - create or examine a netscape certificate sequence =head1 SYNOPSIS B B +[B<-help>] [B<-in filename>] [B<-out filename>] [B<-toseq>] 
@@ -22,6 +23,10 @@ sequence. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-in filename> This specifies the input filename to read or standard input if this diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 2399134ad3..30d133f05e 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -7,6 +7,7 @@ ocsp - Online Certificate Status Protocol utility =head1 SYNOPSIS B B +[B<-help>] [B<-out file>] [B<-issuer file>] [B<-cert file>] @@ -97,6 +98,10 @@ to an OCSP responder and behave like a mini OCSP server itself. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-out filename> specify output filename, default is standard output. diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod index f44982549b..b784f6ccee 100644 --- a/doc/apps/passwd.pod +++ b/doc/apps/passwd.pod @@ -7,6 +7,7 @@ passwd - compute password hashes =head1 SYNOPSIS B +[B<-help>] [B<-crypt>] [B<-1>] [B<-apr1>] @@ -31,6 +32,10 @@ algorithm B<1> and its Apache variant B are available. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-crypt> Use the B algorithm (default). diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index 811b8222be..d789714995 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -8,6 +8,7 @@ pkcs12 - PKCS#12 file utility =head1 SYNOPSIS B B +[B<-help>] [B<-export>] [B<-chain>] [B<-inkey filename>] @@ -59,6 +60,10 @@ file can be created by using the B<-export> option (see below). =over 4 +=item B<-help> + +Print out a usage message. + =item B<-in filename> This specifies filename of the PKCS#12 file to be parsed. Standard input is used diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod index 024175e1cb..6cb015cded 100644 --- a/doc/apps/pkcs7.pod +++ b/doc/apps/pkcs7.pod @@ -7,6 +7,7 @@ pkcs7 - PKCS#7 utility =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] 
@@ -24,6 +25,10 @@ The B command processes PKCS#7 files in DER or PEM format. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. B format is DER encoded PKCS#7 diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index ed8c4ade62..ec9f1d14d5 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -7,6 +7,7 @@ pkcs8 - PKCS#8 format private key conversion tool =head1 SYNOPSIS B B +[B<-help>] [B<-topk8>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] @@ -39,6 +40,10 @@ format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-topk8> Normally a PKCS#8 private key is expected on input and a traditional format diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod index 68f9409991..5808390dc5 100644 --- a/doc/apps/pkey.pod +++ b/doc/apps/pkey.pod @@ -8,6 +8,7 @@ pkey - public or private key processing tool =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -31,6 +32,10 @@ between various forms and their components printed out. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format DER or PEM. diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod index acfe9f9eea..c3c6dbbed0 100644 --- a/doc/apps/pkeyparam.pod +++ b/doc/apps/pkeyparam.pod @@ -8,6 +8,7 @@ pkeyparam - public key algorithm parameter processing tool =head1 SYNOPSIS B B +[B<-help>] [B<-in filename>] [B<-out filename>] [B<-text>] @@ -23,6 +24,10 @@ between various forms and their components printed out. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-in filename> This specifies the input filename to read parameters from or standard input if diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod index d44f73aeec..bd2b6e35b0 100644 --- a/doc/apps/pkeyutl.pod +++ b/doc/apps/pkeyutl.pod 
@@ -7,6 +7,7 @@ pkeyutl - public key algorithm utility =head1 SYNOPSIS B B +[B<-help>] [B<-in file>] [B<-out file>] [B<-sigfile file>] @@ -38,6 +39,10 @@ any supported algorithm. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-in filename> This specifies the input filename to read data from or standard input diff --git a/doc/apps/rand.pod b/doc/apps/rand.pod index 3679e6bef0..b5752a2243 100644 --- a/doc/apps/rand.pod +++ b/doc/apps/rand.pod @@ -7,6 +7,7 @@ rand - generate pseudo-random bytes =head1 SYNOPSIS B +[B<-help>] [B<-out> I] [B<-rand> I] [B<-base64>] @@ -26,6 +27,10 @@ seeding was obtained from these sources. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-out> I Write to I instead of standard output. diff --git a/doc/apps/rehash.pod b/doc/apps/rehash.pod index 6c8c6074d0..7ec6511520 100644 --- a/doc/apps/rehash.pod +++ b/doc/apps/rehash.pod @@ -11,8 +11,8 @@ c_rehash, rehash - Create symbolic links to files named by the hash values B B +B<[-help]> B<[-old]> -B<[-h]> B<[-n]> B<[-v]> [ I...] @@ -82,16 +82,16 @@ optionally prefixed with some text and an equals sign. =over 4 +=item B<-help> + +Display a brief usage message. + =item B<-old> Use old-style hashing (MD5, as opposed to SHA-1) for generating links to be used for releases before 1.0.0. Note that current versions will not use the old style. -=item B<-h> - -Display a brief usage message. - =item B<-n> Do not remove existing links. diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 880061e9db..9593dec2d5 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -8,6 +8,7 @@ req - PKCS#10 certificate request and certificate generating utility. =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] @@ -56,6 +57,10 @@ for use as root CAs for example. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded 
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index 427c6c68a9..dbb3df56a3 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -8,6 +8,7 @@ rsa - RSA key processing tool =head1 SYNOPSIS B B +[B<-help>] [B<-inform PEM|NET|DER>] [B<-outform PEM|NET|DER>] [B<-in filename>] @@ -45,6 +46,10 @@ utility. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-inform DER|NET|PEM> This specifies the input format. The B option uses an ASN1 DER encoded diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod index 92b8150cee..357b722431 100644 --- a/doc/apps/rsautl.pod +++ b/doc/apps/rsautl.pod @@ -7,6 +7,7 @@ rsautl - RSA utility =head1 SYNOPSIS B B +[B<-help>] [B<-in file>] [B<-out file>] [B<-inkey file>] @@ -32,6 +33,10 @@ data using the RSA algorithm. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-in filename> This specifies the input filename to read data from or standard input @@ -52,7 +57,7 @@ the key format PEM, DER or ENGINE. =item B<-pubin> -the input file is an RSA public key. +the input file is an RSA public key. =item B<-certin> diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index e9f3280e3e..1cd04dd169 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -8,6 +8,7 @@ s_client - SSL/TLS client program =head1 SYNOPSIS B B +[B<-help>] [B<-connect host:port>] [B<-proxy host:port>] [B<-servername name>] @@ -102,6 +103,10 @@ manual page. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-connect host:port> This specifies the host and optional port to connect to. If not specified diff --git a/doc/apps/s_client.pod.orig b/doc/apps/s_client.pod.orig new file mode 100644 index 0000000000..e9f3280e3e --- /dev/null +++ b/doc/apps/s_client.pod.orig 
@@ -0,0 +1,495 @@ + +=pod + +=head1 NAME + +s_client - SSL/TLS client program + +=head1 SYNOPSIS + +B B +[B<-connect host:port>] +[B<-proxy host:port>] +[B<-servername name>] +[B<-verify depth>] +[B<-verify_return_error>] +[B<-cert filename>] +[B<-certform DER|PEM>] +[B<-key filename>] +[B<-keyform DER|PEM>] +[B<-pass arg>] +[B<-CApath directory>] +[B<-CAfile filename>] +[B<-no-CAfile>] +[B<-no-CApath>] +[B<-dane_tlsa_domain domain>] +[B<-dane_tlsa_rrdata rrdata>] +[B<-attime timestamp>] +[B<-check_ss_sig>] +[B<-crl_check>] +[B<-crl_check_all>] +[B<-explicit_policy>] +[B<-extended_crl>] +[B<-ignore_critical>] +[B<-inhibit_any>] +[B<-inhibit_map>] +[B<-issuer_checks>] +[B<-partial_chain>] +[B<-policy arg>] +[B<-policy_check>] +[B<-policy_print>] +[B<-purpose purpose>] +[B<-suiteB_128>] +[B<-suiteB_128_only>] +[B<-suiteB_192>] +[B<-trusted_first>] +[B<-no_alt_chains>] +[B<-use_deltas>] +[B<-verify_depth num>] +[B<-verify_email email>] +[B<-verify_hostname hostname>] +[B<-verify_ip ip>] +[B<-verify_name name>] +[B<-x509_strict>] +[B<-reconnect>] +[B<-showcerts>] +[B<-debug>] +[B<-msg>] +[B<-nbio_test>] +[B<-state>] +[B<-nbio>] +[B<-crlf>] +[B<-ign_eof>] +[B<-no_ign_eof>] +[B<-quiet>] +[B<-ssl3>] +[B<-tls1>] +[B<-no_ssl3>] +[B<-no_tls1>] +[B<-no_tls1_1>] +[B<-no_tls1_2>] +[B<-fallback_scsv>] +[B<-async>] +[B<-bugs>] +[B<-comp>] +[B<-no_comp>] +[B<-cipher cipherlist>] +[B<-serverpref>] +[B<-starttls protocol>] +[B<-xmpphost hostname>] +[B<-engine id>] +[B<-tlsextdebug>] +[B<-no_ticket>] +[B<-sess_out filename>] +[B<-sess_in filename>] +[B<-rand file(s)>] +[B<-serverinfo types>] +[B<-status>] +[B<-nextprotoneg protocols>] + +=head1 DESCRIPTION + +The B command implements a generic SSL/TLS client which connects +to a remote host using SSL/TLS. It is a I useful diagnostic tool for +SSL servers. + +=head1 OPTIONS + +In addition to the options below the B utility also supports the +common and client only options documented in the +in the L +manual page. 
+ +=over 4 + +=item B<-connect host:port> + +This specifies the host and optional port to connect to. If not specified +then an attempt is made to connect to the local host on port 4433. + +=item B<-proxy host:port> + +When used with the B<-connect> flag, the program uses the host and port +specified with this flag and issues an HTTP CONNECT command to connect +to the desired server. + +=item B<-servername name> + +Set the TLS SNI (Server Name Indication) extension in the ClientHello message. + +=item B<-cert certname> + +The certificate to use, if one is requested by the server. The default is +not to use a certificate. + +=item B<-certform format> + +The certificate format to use: DER or PEM. PEM is the default. + +=item B<-key keyfile> + +The private key to use. If not specified then the certificate file will +be used. + +=item B<-keyform format> + +The private format to use: DER or PEM. PEM is the default. + +=item B<-pass arg> + +the private key password source. For more information about the format of B +see the B section in L. + +=item B<-verify depth> + +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. As a side effect the connection +will never fail due to a server certificate verify failure. + +=item B<-verify_return_error> + +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. + +=item B<-CApath directory> + +The directory to use for server certificate verification. This directory +must be in "hash format", see B for more information. These are +also used when building the client certificate chain. + +=item B<-CAfile file> + +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. 
+ +=item B<-no-CAfile> + +Do not load the trusted CA certificates from the default file location + +=item B<-no-CApath> + +Do not load the trusted CA certificates from the default directory location + +=item B<-dane_tlsa_domain domain> + +Enable RFC6698/RFC7671 DANE TLSA authentication and specify the +TLSA base domain which becomes the default SNI hint and the primary +reference identifier for hostname checks. This must be used in +combination with at least one instance of the B<-dane_tlsa_rrdata> +option below. + +When DANE authentication succeeds, the diagnostic output will include +the lowest (closest to 0) depth at which a TLSA record authenticated +a chain certificate. When that TLSA record is a "2 1 0" trust +anchor public key that signed (rather than matched) the top-most +certificate of the chain, the result is reported as "TA public key +verified". Otherwise, either the TLSA record "matched TA certificate" +at a positive depth or else "matched EE certificate" at depth 0. + +=item B<-dane_tlsa_rrdata rrdata> + +Use one or more times to specify the RRDATA fields of the DANE TLSA +RRset associated with the target service. The B value is +specied in "presentation form", that is four whitespace separated +fields that specify the usage, selector, matching type and associated +data, with the last of these encoded in hexadecimal. Optional +whitespace is ignored in the associated data field. For example: + + $ openssl s_client -starttls smtp -connect smtp.example.com:25 \ + -dane_tlsa_domain smtp.example.com \ + -dane_tlsa_rrdata "2 1 1 + B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \ + -dane_tlsa_rrdata "2 1 1 + 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18" + CONNECTED(00000003) + ... + DANE TLSA 2 1 1 matched TA certificate at depth 1 + Verified peername: smtp.example.com + ... + Verify return code: 0 (ok) + ... 
+ +=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, +B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, +B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> + +Set various certificate chain validation options. See the +L manual page for details. + +=item B<-reconnect> + +reconnects to the same server 5 times using the same session ID, this can +be used as a test that session caching is working. + +=item B<-showcerts> + +display the whole server certificate chain: normally only the server +certificate itself is displayed. + +=item B<-prexit> + +print session information when the program exits. This will always attempt +to print out information even if the connection fails. Normally information +will only be printed out once if the connection succeeds. This option is useful +because the cipher in use may be renegotiated or the connection may fail +because a client certificate is required or is requested only after an +attempt is made to access a certain URL. Note: the output produced by this +option is not always accurate because a connection might never have been +established. + +=item B<-state> + +prints out the SSL session states. + +=item B<-debug> + +print extensive debugging information including a hex dump of all traffic. + +=item B<-msg> + +show all protocol messages with hex dump. + +=item B<-trace> + +show verbose trace output of protocol messages. OpenSSL needs to be compiled +with B for this option to work. + +=item B<-msgfile> + +file to send output of B<-msg> or B<-trace> to, default standard output. 
+ +=item B<-nbio_test> + +tests non-blocking I/O + +=item B<-nbio> + +turns on non-blocking I/O + +=item B<-crlf> + +this option translated a line feed from the terminal into CR+LF as required +by some servers. + +=item B<-ign_eof> + +inhibit shutting down the connection when end of file is reached in the +input. + +=item B<-quiet> + +inhibit printing of session and certificate information. This implicitly +turns on B<-ign_eof> as well. + +=item B<-no_ign_eof> + +shut down the connection when end of file is reached in the input. +Can be used to override the implicit B<-ign_eof> after B<-quiet>. + +=item B<-psk_identity identity> + +Use the PSK identity B when using a PSK cipher suite. + +=item B<-psk key> + +Use the PSK key B when using a PSK cipher suite. The key is +given as a hexadecimal number without leading 0x, for example -psk +1a2b3c4d. + +=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + +these options disable the use of certain SSL or TLS protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use SSL v3 or TLS as appropriate. + +Unfortunately there are still ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if TLS is turned off. + +=item B<-fallback_scsv> + +Send TLS_FALLBACK_SCSV in the ClientHello. + +=item B<-async> + +switch on asynchronous mode. Cryptographic operations will be performed +asynchronously. This will only have an effect if an asynchronous capable engine +is also used via the B<-engine> option. For test purposes the dummy async engine +(dasync) can be used (if available). + +=item B<-bugs> + +there are several known bug in SSL and TLS implementations. Adding this +option enables various workarounds. + +=item B<-comp> + +Enables support for SSL/TLS compression. +This option was introduced in OpenSSL 1.1.0. 
+TLS compression is not recommended and is off by default as of +OpenSSL 1.1.0. + +=item B<-no_comp> + +Disables support for SSL/TLS compression. +TLS compression is not recommended and is off by default as of +OpenSSL 1.1.0. + +=item B<-brief> + +only provide a brief summary of connection parameters instead of the +normal verbose output. + +=item B<-cipher cipherlist> + +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. See the B +command for more information. + +=item B<-starttls protocol> + +send the protocol-specific message(s) to switch to TLS for communication. +B is a keyword for the intended protocol. Currently, the only +supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server", +and "irc." + +=item B<-xmpphost hostname> + +This option, when used with "-starttls xmpp" or "-starttls xmpp-server", +specifies the host for the "to" attribute of the stream element. +If this option is not specified, then the host specified with "-connect" +will be used. + +=item B<-tlsextdebug> + +print out a hex dump of any TLS extensions received from the server. + +=item B<-no_ticket> + +disable RFC4507bis session ticket support. + +=item B<-sess_out filename> + +output SSL session to B + +=item B<-sess_in sess.pem> + +load SSL session from B. The client will attempt to resume a +connection from this session. + +=item B<-engine id> + +specifying an engine (by its unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L). +Multiple files can be specified separated by a OS-dependent character. 
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + +=item B<-serverinfo types> + +a list of comma-separated TLS Extension Types (numbers between 0 and +65535). Each type will be sent as an empty ClientHello TLS Extension. +The server's response (if any) will be encoded and displayed as a PEM +file. + +=item B<-status> + +sends a certificate status request to the server (OCSP stapling). The server +response (if any) is printed out. + +=item B<-nextprotoneg protocols> + +enable Next Protocol Negotiation TLS extension and provide a list of +comma-separated protocol names that the client should advertise +support for. The list should contain most wanted protocols first. +Protocol names are printable ASCII strings, for example "http/1.1" or +"spdy/3". +Empty list of protocols is treated specially and will cause the client to +advertise support for the TLS extension but disconnect just after +receiving ServerHello with a list of server supported protocols. + +=back + +=head1 CONNECTED COMMANDS + +If a connection is established with an SSL server then any data received +from the server is displayed and any key presses will be sent to the +server. When used interactively (which means neither B<-quiet> nor B<-ign_eof> +have been given), the session will be renegotiated if the line begins with an +B, and if the line begins with a B or if end of file is reached, the +connection will be closed down. + +=head1 NOTES + +B can be used to debug SSL servers. To connect to an SSL HTTP +server the command: + + openssl s_client -connect servername:443 + +would typically be used (https uses port 443). If the connection succeeds +then an HTTP command can be given such as "GET /" to retrieve a web page. + +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the B<-bugs>, +B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried +in case it is a buggy server. 
In particular you should play with these +options B submitting a bug report to an OpenSSL mailing list. + +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. This is normally because the server is not sending +the clients certificate authority in its "acceptable CA list" when it +requests a certificate. By using B the CA list can be viewed +and checked. However some servers only request client authentication +after a specific URL is requested. To obtain the list in this case it +is necessary to use the B<-prexit> option and send an HTTP request +for an appropriate page. + +If a certificate is specified on the command line using the B<-cert> +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. + +If there are problems verifying a server certificate then the +B<-showcerts> option can be used to show the whole chain. + +The B utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should B do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the B<-verify_return_error> +option: any verify errors are then returned aborting the handshake. + +=head1 BUGS + +Because this program has a lot of options and also because some of +the techniques used are rather old, the C source of s_client is rather +hard to read and not a model of how things should be done. A typical +SSL client program would be much simpler. + +The B<-prexit> option is a bit of a hack. We should really report +information whenever a session is renegotiated. 
+ +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + +=cut diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index b9ef5e6864..ffccdce051 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -8,6 +8,7 @@ s_server - SSL/TLS server program =head1 SYNOPSIS B B +[B<-help>] [B<-accept port>] [B<-naccept count>] [B<-context id>] @@ -110,6 +111,10 @@ page. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-accept port> the TCP port to listen on for connections. If not specified 4433 is used. diff --git a/doc/apps/s_server.pod.orig b/doc/apps/s_server.pod.orig new file mode 100644 index 0000000000..b9ef5e6864 --- /dev/null +++ b/doc/apps/s_server.pod.orig 
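Review bot: `doc/apps/s_client.pod.orig` looks like a stray backup artifact rather than intended content — its new-file blob id `e9f3280e3e` is exactly the pre-change id of `doc/apps/s_client.pod` earlier in this same patch, and the 495 added lines are a verbatim copy of the old manpage without the `-help` entry. Committing it leaves a second, already-diverged copy of the s_client documentation in the tree, and the diffstat shows the same pattern for `doc/apps/s_server.pod.orig` (id `b9ef5e6864`, matching the old `s_server.pod`). These are presumably leftovers from applying the patch with conflicts; they should be dropped from the commit before merge, and an ignore rule such as `*.orig` in `.gitignore` would stop them being staged again. Whether the doc build would pick up `.pod.orig` files and install them as manpages I cannot tell from here, but removing them makes the question moot.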
@@ -0,0 +1,523 @@
+
+=pod
+
+=head1 NAME
+
+s_server - SSL/TLS server program
+
+=head1 SYNOPSIS
+
+B B
+[B<-accept port>]
+[B<-naccept count>]
+[B<-context id>]
+[B<-verify depth>]
+[B<-Verify depth>]
+[B<-crl_check>]
+[B<-crl_check_all>]
+[B<-cert filename>]
+[B<-certform DER|PEM>]
+[B<-key keyfile>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
+[B<-dcert filename>]
+[B<-dcertform DER|PEM>]
+[B<-dkey keyfile>]
+[B<-dkeyform DER|PEM>]
+[B<-dpass arg>]
+[B<-dhparam filename>]
+[B<-nbio>]
+[B<-nbio_test>]
+[B<-crlf>]
+[B<-debug>]
+[B<-msg>]
+[B<-state>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
+[B<-attime timestamp>]
+[B<-check_ss_sig>]
+[B<-explicit_policy>]
+[B<-extended_crl>]
+[B<-ignore_critical>]
+[B<-inhibit_any>]
+[B<-inhibit_map>]
+[B<-issuer_checks>]
+[B<-partial_chain>]
+[B<-policy arg>]
+[B<-policy_check>]
+[B<-policy_print>]
+[B<-purpose purpose>]
+[B<-suiteB_128>]
+[B<-suiteB_128_only>]
+[B<-suiteB_192>]
+[B<-trusted_first>]
+[B<-no_alt_chains>]
+[B<-use_deltas>]
+[B<-verify_depth num>]
+[B<-verify_return_error>]
+[B<-verify_email email>]
+[B<-verify_hostname hostname>]
+[B<-verify_ip ip>]
+[B<-verify_name name>]
+[B<-x509_strict>]
+[B<-nocert>]
+[B<-cipher cipherlist>]
+[B<-serverpref>]
+[B<-quiet>]
+[B<-ssl3>]
+[B<-tls1>]
+[B<-dtls>]
+[B<-dtls1>]
+[B<-dtls1_2>]
+[B<-listen>]
+[B<-async>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-no_dhe>]
+[B<-bugs>]
+[B<-comp>]
+[B<-no_comp>]
+[B<-brief>]
+[B<-www>]
+[B<-WWW>]
+[B<-HTTP>]
+[B<-engine id>]
+[B<-tlsextdebug>]
+[B<-no_ticket>]
+[B<-id_prefix arg>]
+[B<-rand file(s)>]
+[B<-serverinfo file>]
+[B<-no_resumption_on_reneg>]
+[B<-status>]
+[B<-status_verbose>]
+[B<-status_timeout nsec>]
+[B<-status_url url>]
+[B<-nextprotoneg protocols>]
+
+=head1 DESCRIPTION
+
+The B command implements a generic SSL/TLS server which listens
+for connections on a given port using SSL/TLS.
+
+=head1 OPTIONS
+
+In addition to the options below the B utility also supports the
+common and server only options documented in the
+L manual
+page.
+
+=over 4
+
+=item B<-accept port>
+
+the TCP port to listen on for connections. If not specified 4433 is used.
+
+=item B<-naccept count>
+
+The server will exit after receiving B connections, default unlimited.
+
+=item B<-context id>
+
+sets the SSL context id. It can be given any string value. If this option
+is not present a default value will be used.
+
+=item B<-cert certname>
+
+The certificate to use, most servers cipher suites require the use of a
+certificate and some require a certificate with a certain public key type:
+for example the DSS cipher suites require a certificate containing a DSS
+(DSA) key. If not specified then the filename "server.pem" will be used.
+
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
+=item B<-key keyfile>
+
+The private key to use. If not specified then the certificate file will
+be used.
+
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B
+see the B section in L.
+
+=item B<-dcert filename>, B<-dkey keyname>
+
+specify an additional certificate and private key, these behave in the
+same manner as the B<-cert> and B<-key> options except there is no default
+if they are not specified (no additional certificate and key is used). As
+noted above some cipher suites require a certificate containing a key of
+a certain type. Some cipher suites need a certificate carrying an RSA key
+and some a DSS (DSA) key. By using RSA and DSS certificates and keys
+a server can support clients which only support RSA or DSS cipher suites
+by using an appropriate certificate.
+
+=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
+
+additional certificate and private key format and passphrase respectively.
+
+=item B<-nocert>
+
+if this option is set then no certificate is used. This restricts the
+cipher suites available to the anonymous ones (currently just anonymous
+DH).
+
+=item B<-dhparam filename>
+
+the DH parameter file to use. The ephemeral DH cipher suites generate keys
+using a set of DH parameters. If not specified then an attempt is made to
+load the parameters from the server certificate file. If this fails then
+a static set of parameters hard coded into the s_server program will be used.
+
+=item B<-no_dhe>
+
+if this option is set then no DH parameters will be loaded effectively
+disabling the ephemeral DH cipher suites.
+
+=item B<-crl_check>, B<-crl_check_all>
+
+Check the peer certificate has not been revoked by its CA.
+The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
+option all CRLs of all CAs in the chain are checked.
+
+=item B<-CApath directory>
+
+The directory to use for client certificate verification. This directory
+must be in "hash format", see B for more information. These are
+also used when building the server certificate chain.
+
+=item B<-CAfile file>
+
+A file containing trusted certificates to use during client authentication
+and to use when attempting to build the server certificate chain. The list
+is also used in the list of acceptable client CAs passed to the client when
+a certificate is requested.
+
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
+=item B<-verify depth>, B<-Verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client.
With the B<-verify> option a certificate is requested but the
+client does not have to send one, with the B<-Verify> option the client
+must supply a certificate or an error occurs.
+
+If the ciphersuite cannot request a client certificate (for example an
+anonymous ciphersuite or PSK) this option has no effect.
+
+=item B<-attime>, B<-check_ss_sig>, B, B<-extended_crl>,
+B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
+B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
+B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
+B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
+B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+
+Set different peer certificate verification options.
+See the L manual page for details.
+
+=item B<-verify_return_error>
+
+Verification errors normally just print a message but allow the
+connection to continue, for debugging purposes.
+If this option is used, then verification errors close the connection.
+
+=item B<-state>
+
+prints out the SSL session states.
+
+=item B<-debug>
+
+print extensive debugging information including a hex dump of all traffic.
+
+=item B<-msg>
+
+show all protocol messages with hex dump.
+
+=item B<-trace>
+
+show verbose trace output of protocol messages. OpenSSL needs to be compiled
+with B for this option to work.
+
+=item B<-msgfile>
+
+file to send output of B<-msg> or B<-trace> to, default standard output.
+
+=item B<-nbio_test>
+
+tests non blocking I/O
+
+=item B<-nbio>
+
+turns on non blocking I/O
+
+=item B<-crlf>
+
+this option translated a line feed from the terminal into CR+LF.
+
+=item B<-quiet>
+
+inhibit printing of session and certificate information.
+
+=item B<-psk_hint hint>
+
+Use the PSK identity hint B when using a PSK cipher suite.
+
+=item B<-psk key>
+
+Use the PSK key B when using a PSK cipher suite.
The key is
+given as a hexadecimal number without leading 0x, for example -psk
+1a2b3c4d.
+
+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3 or TLS as appropriate.
+
+=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
+
+these options make s_server use DTLS protocols instead of TLS. With B<-dtls>
+s_server will negotiate any supported DTLS protcol version, whilst B<-dtls1> and
+B<-dtls1_2> will only support DTLS1.0 and DTLS1.2 respectively.
+
+=item B<-listen>
+
+this option can only be used in conjunction with one of the DTLS options above.
+With this option s_server will listen on a UDP port for incoming connections.
+Any ClientHellos that arrive will be checked to see if they have a cookie in
+them or not. Any without a cookie will be responded to with a
+HelloVerifyRequest. If a ClientHello with a cookie is received then s_server
+will connect to that peer and complete the handshake.
+
+=item B<-async>
+
+switch on asynchronous mode. Cryptographic operations will be performed
+asynchronously. This will only have an effect if an asynchronous capable engine
+is also used via the B<-engine> option. For test purposes the dummy async engine
+(dasync) can be used (if available).
+
+=item B<-bugs>
+
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+
+=item B<-comp>
+
+Enable negotiation of TLS compression.
+This option was introduced in OpenSSL 1.1.0.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
+=item B<-no_comp>
+
+Disable negotiation of TLS compression.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
+=item B<-brief>
+
+only provide a brief summary of connection parameters instead of the
+normal verbose output.
+
+=item B<-cipher cipherlist>
+
+this allows the cipher list used by the server to be modified. When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B command for more information.
+
+=item B<-serverpref>
+
+use the server's cipher preferences, rather than the client's preferences.
+
+=item B<-tlsextdebug>
+
+print out a hex dump of any TLS extensions received from the server.
+
+=item B<-no_ticket>
+
+disable RFC4507bis session ticket support.
+
+=item B<-www>
+
+sends a status message back to the client when it connects. This includes
+lots of information about the ciphers used and various session parameters.
+The output is in HTML format so this option will normally be used with a
+web browser.
+
+=item B<-WWW>
+
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the URL https://myhost/page.html is
+requested the file ./page.html will be loaded.
+
+=item B<-HTTP>
+
+emulates a simple web server. Pages will be resolved relative to the
+current directory, for example if the URL https://myhost/page.html is
+requested the file ./page.html will be loaded. The files loaded are
+assumed to contain a complete and correct HTTP response (lines that
+are part of the HTTP response line and headers must end with CRLF).
+
+=item B<-rev>
+
+simple test server which just reverses the text received from the client
+and sends it back to the server. Also sets B<-brief>.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B string) will cause B
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=item B<-id_prefix arg>
+
+generate SSL/TLS session IDs prefixed by B. This is mostly useful
+for testing any SSL/TLS code (eg.
proxies) that wish to deal with multiple
+servers, when each of which might be generating a unique range of session
+IDs (eg. with a certain prefix).
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item B<-serverinfo file>
+
+a file containing one or more blocks of PEM data. Each PEM block
+must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
+followed by "length" bytes of extension data). If the client sends
+an empty TLS ClientHello extension matching the type, the corresponding
+ServerHello extension will be returned.
+
+=item B<-no_resumption_on_reneg>
+
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
+
+=item B<-status>
+
+enables certificate status request support (aka OCSP stapling).
+
+=item B<-status_verbose>
+
+enables certificate status request support (aka OCSP stapling) and gives
+a verbose printout of the OCSP response.
+
+=item B<-status_timeout nsec>
+
+sets the timeout for OCSP response to B seconds.
+
+=item B<-status_url url>
+
+sets a fallback responder URL to use if no responder URL is present in the
+server certificate. Without this option an error is returned if the server
+certificate does not contain a responder address.
+
+=item B<-nextprotoneg protocols>
+
+enable Next Protocol Negotiation TLS extension and provide a
+comma-separated list of supported protocol names.
+The list should contain most wanted protocols first.
+Protocol names are printable ASCII strings, for example "http/1.1" or
+"spdy/3".
+
+=back
+
+=head1 CONNECTED COMMANDS
+
+If a connection request is established with an SSL client and neither the
+B<-www> nor the B<-WWW> option has been used then normally any data received
+from the client is displayed and any key presses will be sent to the client.
+
+Certain single letter commands are also recognized which perform special
+operations: these are listed below.
+
+=over 4
+
+=item B
+
+end the current SSL connection but still accept new connections.
+
+=item B
+
+end the current SSL connection and exit.
+
+=item B
+
+renegotiate the SSL session.
+
+=item B
+
+renegotiate the SSL session and request a client certificate.
+
+=item B

+
+send some plain text down the underlying TCP connection: this should
+cause the client to disconnect due to a protocol violation.
+
+=item B
+
+print out some session cache status information.
+
+=back
+
+=head1 NOTES
+
+B can be used to debug SSL clients. To accept connections from
+a web browser the command:
+
+ openssl s_server -accept 443 -www
+
+can be used for example.
+
+Most web browsers (in particular Netscape and MSIE) only support RSA cipher
+suites, so they cannot connect to servers which don't use a certificate
+carrying an RSA key or a version of OpenSSL with RSA disabled.
+
+Although specifying an empty list of CAs when requesting a client certificate
+is strictly speaking a protocol violation, some SSL clients interpret this to
+mean any CA is acceptable. This is useful for debugging purposes.
+
+The session parameters can printed out using the B program.
+
+=head1 BUGS
+
+Because this program has a lot of options and also because some of
+the techniques used are rather old, the C source of s_server is rather
+hard to read and not a model of how things should be done. A typical
+SSL server program would be much simpler.
+
+The output of common ciphers is wrong: it just gives the list of ciphers that
+OpenSSL recognizes and the client supports.
+
+There should be a way for the B program to print out details of any
+unknown cipher suites a client says it supports.
+
+=head1 SEE ALSO
+
+L, L, L
+
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
+=cut
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index 06e3b1ea1a..b9a7dd9078 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -8,6 +8,7 @@ s_time - SSL/TLS performance timing program
 =head1 SYNOPSIS
 B B
+[B<-help>]
 [B<-connect host:port>]
 [B<-www page>]
 [B<-cert filename>]
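Review bot: doc/apps/s_server.pod.orig, whose 523 added lines end at the `=cut` here, is a leftover patch/merge backup of the pre-change manual page rather than new documentation: its file header carries `index 0000000000..b9ef5e6864`, and b9ef5e6864 is exactly the old-side blob id on the real s_server.pod hunk, so the new file is the previous s_server.pod verbatim. The s_client.pod.orig file that precedes it appears to be the same kind of artefact, though its header is outside this chunk. Committing these ships a second, unmaintained copy of each man page in the tree that will silently drift from the live one (it already lacks the `-help` entry this commit adds) and may be picked up by doc installers or indexers. Both `*.pod.orig` files should be dropped from the commit, and it is worth adding `*.orig` and `*.rej` to the repository's .gitignore so backup files from `patch` or `git merge` cannot be staged again.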
@@ -37,6 +38,10 @@ transferred (if any), and calculates the average time spent for one connection.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-connect host:port>
 This specifies the host and optional port to connect to.
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index 391405787b..1407dfab7d 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -8,6 +8,7 @@ sess_id - SSL/TLS session handling utility
 =head1 SYNOPSIS
 B B
+[B<-help>]
 [B<-inform PEM|DER>]
 [B<-outform PEM|DER|NSS>]
 [B<-in filename>]
@@ -26,6 +27,10 @@ not need to use it.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-inform DER|PEM>
 This specifies the input format. The B option uses an ASN1 DER encoded
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index c9d3601948..0f4d3853c2 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -7,6 +7,7 @@ smime - S/MIME utility
 =head1 SYNOPSIS
 B B
+[B<-help>]
 [B<-encrypt>]
 [B<-decrypt>]
 [B<-sign>]
@@ -78,6 +79,10 @@ The meaning of the other options varies according to the operation type.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-encrypt>
 encrypt mail for the given recipient certificates. Input file is the message
diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod
index 553fd2d9e6..f5ce8a6afe 100644
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -7,6 +7,7 @@ spkac - SPKAC printing and generating utility
 =head1 SYNOPSIS
 B B
+[B<-help>]
 [B<-in filename>]
 [B<-out filename>]
 [B<-key keyfile>]
@@ -29,6 +30,10 @@ produce its own SPKACs from a supplied private key.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-in filename>
 This specifies the input filename to read from or standard input if this
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index 82b9e559c4..c6adf521eb 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -8,6 +8,7 @@ ts - Time Stamping Authority tool (client/server)
 B B
 B<-query>
+[B<-help>]
 [B<-rand> file:file...]
 [B<-config> configfile]
 [B<-data> file_to_hash]
@@ -99,6 +100,10 @@ request with the following options:
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-rand> file:file...
 The files containing random data for seeding the random number
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 6d54592687..cd87b848ea 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -7,6 +7,7 @@ verify - Utility to verify certificates.
 =head1 SYNOPSIS
 B B
+[B<-help>]
 [B<-CAfile file>]
 [B<-CApath directory>]
 [B<-no-CAfile>]
@@ -20,7 +21,6 @@ B B
 [B<-engine id>]
 [B<-explicit_policy>]
 [B<-extended_crl>]
-[B<-help>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
@@ -58,6 +58,10 @@ The B command verifies certificate chains.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-CAfile file>
 A B of trusted certificates.
@@ -130,10 +134,6 @@ Set policy variable require-explicit-policy (see RFC5280).
 Enable extended CRL features such as indirect CRLs and alternate CRL signing keys.
-=item B<-help>
-
-Print out a usage message.
-
 =item B<-ignore_critical>
 Normally if an unhandled critical extension is present which is not
diff --git a/doc/apps/version.pod b/doc/apps/version.pod
index 61a364bf9f..8ab51dda0c 100644
--- a/doc/apps/version.pod
+++ b/doc/apps/version.pod
@@ -7,6 +7,7 @@ version - print OpenSSL version information
 =head1 SYNOPSIS
 B
+[B<-help>]
 [B<-a>]
 [B<-v>]
 [B<-b>]
@@ -23,6 +24,10 @@ This command is used to print out version information about OpenSSL.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-a>
 all information, this is the same as setting all the other flags.
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 637eedc947..e4bcb4ae45 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -8,6 +8,7 @@ x509 - Certificate display and signing utility
 =head1 SYNOPSIS
 B B
+[B<-help>]
 [B<-inform DER|PEM|NET>]
 [B<-outform DER|PEM|NET>]
 [B<-keyform DER|PEM>]
@@ -77,6 +78,10 @@ various sections.
 =over 4
+=item B<-help>
+
+Print out a usage message.
+
 =item B<-inform DER|PEM|NET>
 This specifies the input format normally the command will expect an X509
--
cgit v1.2.3