author | markm <markm@FreeBSD.org> | 2003-01-28 22:58:14 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2003-01-28 22:58:14 +0000 |
commit | ecacd12edb99d739f012912174233320c5f8262f (patch) | |
tree | b81a83b72c76fb8541cf06d3e99d92f1c0fc0888 /secure/usr.bin/openssl/man/s_client.1 | |
parent | b159341ed957acbcab2f9bdd46c0b82ecd2e7864 (diff) | |
download | FreeBSD-src-ecacd12edb99d739f012912174233320c5f8262f.zip FreeBSD-src-ecacd12edb99d739f012912174233320c5f8262f.tar.gz |
Update for OpenSSL 0.9.7. No assembler code at the moment. This
will follow.
Diffstat (limited to 'secure/usr.bin/openssl/man/s_client.1')
-rw-r--r-- | secure/usr.bin/openssl/man/s_client.1 | 347 |
1 files changed, 347 insertions, 0 deletions
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1 new file mode 100644 index 0000000..c0c0d0b --- /dev/null +++ b/secure/usr.bin/openssl/man/s_client.1 
@@ -0,0 +1,347 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:26 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. 
Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. 
ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "s_client 3" +.TH s_client 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +s_client \- \s-1SSL/TLS\s0 client program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_client\fR +[\fB\-connect\fR host:port>] +[\fB\-verify depth\fR] +[\fB\-cert filename\fR] +[\fB\-key filename\fR] +[\fB\-CApath directory\fR] +[\fB\-CAfile filename\fR] +[\fB\-reconnect\fR] +[\fB\-pause\fR] +[\fB\-showcerts\fR] +[\fB\-debug\fR] +[\fB\-msg\fR] +[\fB\-nbio_test\fR] +[\fB\-state\fR] +[\fB\-nbio\fR] +[\fB\-crlf\fR] +[\fB\-ign_eof\fR] +[\fB\-quiet\fR] +[\fB\-ssl2\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-no_ssl2\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-bugs\fR] +[\fB\-cipher cipherlist\fR] +[\fB\-engine id\fR] +[\fB\-rand \f(BIfile\fB\|(s)\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects +to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for +\&\s-1SSL\s0 servers. +.SH "OPTIONS" +.IX Header "OPTIONS" +.Ip "\fB\-connect host:port\fR" 4 +.IX Item "-connect host:port" +This specifies the host and optional port to connect to. If not specified +then an attempt is made to connect to the local host on port 4433. +.Ip "\fB\-cert certname\fR" 4 +.IX Item "-cert certname" +The certificate to use, if one is requested by the server. The default is +not to use a certificate. +.Ip "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +The private key to use. If not specified then the certificate file will +be used. +.Ip "\fB\-verify depth\fR" 4 +.IX Item "-verify depth" +The verify depth to use. This specifies the maximum length of the +server certificate chain and turns on server certificate verification. +Currently the verify operation continues after errors so all the problems +with a certificate chain can be seen. 
As a side effect the connection +will never fail due to a server certificate verify failure. +.Ip "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +The directory to use for server certificate verification. This directory +must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are +also used when building the client certificate chain. +.Ip "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted certificates to use during server authentication +and to use when attempting to build the client certificate chain. +.Ip "\fB\-reconnect\fR" 4 +.IX Item "-reconnect" +reconnects to the same server 5 times using the same session \s-1ID\s0, this can +be used as a test that session caching is working. +.Ip "\fB\-pause\fR" 4 +.IX Item "-pause" +pauses 1 second between each read and write call. +.Ip "\fB\-showcerts\fR" 4 +.IX Item "-showcerts" +display the whole server certificate chain: normally only the server +certificate itself is displayed. +.Ip "\fB\-prexit\fR" 4 +.IX Item "-prexit" +print session information when the program exits. This will always attempt +to print out information even if the connection fails. Normally information +will only be printed out once if the connection succeeds. This option is useful +because the cipher in use may be renegotiated or the connection may fail +because a client certificate is required or is requested only after an +attempt is made to access a certain \s-1URL\s0. Note: the output produced by this +option is not always accurate because a connection might never have been +established. +.Ip "\fB\-state\fR" 4 +.IX Item "-state" +prints out the \s-1SSL\s0 session states. +.Ip "\fB\-debug\fR" 4 +.IX Item "-debug" +print extensive debugging information including a hex dump of all traffic. +.Ip "\fB\-msg\fR" 4 +.IX Item "-msg" +show all protocol messages with hex dump. 
+.Ip "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +tests non-blocking I/O +.Ip "\fB\-nbio\fR" 4 +.IX Item "-nbio" +turns on non-blocking I/O +.Ip "\fB\-crlf\fR" 4 +.IX Item "-crlf" +this option translated a line feed from the terminal into \s-1CR+LF\s0 as required +by some servers. +.Ip "\fB\-ign_eof\fR" 4 +.IX Item "-ign_eof" +inhibit shutting down the connection when end of file is reached in the +input. +.Ip "\fB\-quiet\fR" 4 +.IX Item "-quiet" +inhibit printing of session and certificate information. This implicitly +turns on \fB\-ign_eof\fR as well. +.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1" +these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default +the initial handshake uses a method which should be compatible with all +servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate. +.Sp +Unfortunately there are a lot of ancient and broken servers in use which +cannot handle this technique and will fail to connect. Some servers only +work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only +support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option. +.Ip "\fB\-bugs\fR" 4 +.IX Item "-bugs" +there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.Ip "\fB\-cipher cipherlist\fR" 4 +.IX Item "-cipher cipherlist" +this allows the cipher list sent by the client to be modified. Although +the server determines which cipher suite is used it should take the first +supported cipher in the list sent by the client. See the \fBciphers\fR +command for more information. +.Ip "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. 
The engine will then be set as the default +for all available algorithms. +.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 +.IX Item "-rand file" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.SH "CONNECTED COMMANDS" +.IX Header "CONNECTED COMMANDS" +If a connection is established with an \s-1SSL\s0 server then any data received +from the server is displayed and any key presses will be sent to the +server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR +have been given), the session will be renegotiated if the line begins with an +\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the +connection will be closed down. +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0 +server the command: +.PP +.Vb 1 +\& openssl s_client -connect servername:443 +.Ve +would typically be used (https uses port 443). If the connection succeeds +then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page. +.PP +If the handshake fails then there are several possible causes, if it is +nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR, +\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR can be tried +in case it is a buggy server. In particular you should play with these +options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. +.PP +A frequent problem when attempting to get client certificates working +is that a web client complains it has no certificates or gives an empty +list to choose from. 
This is normally because the server is not sending +the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it +requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed +and checked. However some servers only request client authentication +after a specific \s-1URL\s0 is requested. To obtain the list in this case it +is necessary to use the \fB\-prexit\fR command and send an \s-1HTTP\s0 request +for an appropriate page. +.PP +If a certificate is specified on the command line using the \fB\-cert\fR +option it will not be used unless the server specifically requests +a client certificate. Therefor merely including a client certificate +on the command line is no guarantee that the certificate works. +.PP +If there are problems verifying a server certificate then the +\&\fB\-showcerts\fR option can be used to show the whole chain. +.SH "BUGS" +.IX Header "BUGS" +Because this program has a lot of options and also because some of +the techniques used are rather old, the C source of s_client is rather +hard to read and not a model of how things should be done. A typical +\&\s-1SSL\s0 client program would be much simpler. +.PP +The \fB\-verify\fR option should really exit if the server verification +fails. +.PP +The \fB\-prexit\fR option is a bit of a hack. We should really report +information whenever a session is renegotiated. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +sess_id(1), s_server(1), ciphers(1) |
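Review bot: the generated page declares itself as section 3 (`.IX Title "s_client 3"` and `.TH s_client 3 "0.9.7" "2003-01-12" "OpenSSL"`) while its own SEE ALSO cross-references `sess_id(1), s_server(1), ciphers(1)`; regenerate for section 1 (or fix the references) so the installed page and its cross-references agree. Within the same hunk: the SYNOPSIS entry `[\fB\-connect\fR host:port>]` has a stray `>`, and `\fB\-prexit\fR` is documented under OPTIONS but missing from the SYNOPSIS; the protocol-options paragraph says TLS can be "turned off with the \fB\-no_tls\fR option", but the option documented two lines earlier is `\-no_tls1`. Text defects that should be fixed in the POD source and regenerated rather than hand-patched into the .1: "this option translated a line feed" (translates), "several known bug" (bugs), "by it's unique \fBid\fR string" (its), "Therefor merely including" (Therefore). Finally, the `\-verify` description and the BUGS section both state that the connection "will never fail due to a server certificate verify failure"; since this page is the tool's only documentation, the `\-verify` entry should say explicitly that the verify result printed by s_client must be inspected by the caller, because a successful connection is not evidence that the server certificate verified.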