diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/s_server.1')
| -rw-r--r-- | secure/usr.bin/openssl/man/s_server.1 | 486 |
1 files changed, 486 insertions, 0 deletions
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 new file mode 100644 index 0000000..94dfd5f --- /dev/null +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -0,0 +1,486 @@ +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.30) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "S_SERVER 1" +.TH S_SERVER 1 "2016-03-01" "1.0.2g" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +s_server \- SSL/TLS server program +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBs_server\fR +[\fB\-accept port\fR] +[\fB\-context id\fR] +[\fB\-verify depth\fR] +[\fB\-Verify depth\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-cert filename\fR] +[\fB\-certform DER|PEM\fR] +[\fB\-key keyfile\fR] +[\fB\-keyform DER|PEM\fR] +[\fB\-pass arg\fR] +[\fB\-dcert filename\fR] +[\fB\-dcertform DER|PEM\fR] +[\fB\-dkey keyfile\fR] +[\fB\-dkeyform DER|PEM\fR] +[\fB\-dpass arg\fR] +[\fB\-dhparam filename\fR] +[\fB\-nbio\fR] +[\fB\-nbio_test\fR] +[\fB\-crlf\fR] +[\fB\-debug\fR] +[\fB\-msg\fR] +[\fB\-state\fR] +[\fB\-CApath directory\fR] +[\fB\-CAfile filename\fR] +[\fB\-no_alt_chains\fR] +[\fB\-nocert\fR] +[\fB\-cipher cipherlist\fR] +[\fB\-serverpref\fR] +[\fB\-quiet\fR] +[\fB\-no_tmp_rsa\fR] +[\fB\-ssl2\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-no_ssl2\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-no_dhe\fR] +[\fB\-bugs\fR] +[\fB\-hack\fR] +[\fB\-www\fR] +[\fB\-WWW\fR] +[\fB\-HTTP\fR] +[\fB\-engine id\fR] +[\fB\-tlsextdebug\fR] +[\fB\-no_ticket\fR] +[\fB\-id_prefix arg\fR] +[\fB\-rand file(s)\fR] +[\fB\-serverinfo file\fR] +[\fB\-no_resumption_on_reneg\fR] +[\fB\-status\fR] +[\fB\-status_verbose\fR] +[\fB\-status_timeout nsec\fR] +[\fB\-status_url url\fR] +[\fB\-nextprotoneg protocols\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens +for connections on a given port using \s-1SSL/TLS.\s0 +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-accept port\fR" 4 +.IX Item "-accept port" +the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used. +.IP "\fB\-context id\fR" 4 +.IX Item "-context id" +sets the \s-1SSL\s0 context id. It can be given any string value. If this option +is not present a default value will be used. +.IP "\fB\-cert certname\fR" 4 +.IX Item "-cert certname" +The certificate to use, most servers cipher suites require the use of a +certificate and some require a certificate with a certain public key type: +for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS +\&\s0(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used. +.IP "\fB\-certform format\fR" 4 +.IX Item "-certform format" +The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-key keyfile\fR" 4 +.IX Item "-key keyfile" +The private key to use. If not specified then the certificate file will +be used. +.IP "\fB\-keyform format\fR" 4 +.IX Item "-keyform format" +The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +the private key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4 +.IX Item "-dcert filename, -dkey keyname" +specify an additional certificate and private key, these behave in the +same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default +if they are not specified (no additional certificate and key is used). As +noted above some cipher suites require a certificate containing a key of +a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key +and some a \s-1DSS \s0(\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys +a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites +by using an appropriate certificate. +.IP "\fB\-dcertform format\fR, \fB\-dkeyform format\fR, \fB\-dpass arg\fR" 4 +.IX Item "-dcertform format, -dkeyform format, -dpass arg" +additional certificate and private key format and passphrase respectively. +.IP "\fB\-nocert\fR" 4 +.IX Item "-nocert" +if this option is set then no certificate is used. This restricts the +cipher suites available to the anonymous ones (currently just anonymous +\&\s-1DH\s0). +.IP "\fB\-dhparam filename\fR" 4 +.IX Item "-dhparam filename" +the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys +using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to +load the parameters from the server certificate file. If this fails then +a static set of parameters hard coded into the s_server program will be used. +.IP "\fB\-no_dhe\fR" 4 +.IX Item "-no_dhe" +if this option is set then no \s-1DH\s0 parameters will be loaded effectively +disabling the ephemeral \s-1DH\s0 cipher suites. +.IP "\fB\-no_tmp_rsa\fR" 4 +.IX Item "-no_tmp_rsa" +certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option +disables temporary \s-1RSA\s0 key generation. +.IP "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4 +.IX Item "-verify depth, -Verify depth" +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the \fB\-verify\fR option a certificate is requested but the +client does not have to send one, with the \fB\-Verify\fR option the client +must supply a certificate or an error occurs. +.Sp +If the ciphersuite cannot request a client certificate (for example an +anonymous ciphersuite or \s-1PSK\s0) this option has no effect. +.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4 +.IX Item "-crl_check, -crl_check_all" +Check the peer certificate has not been revoked by its \s-1CA.\s0 +The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR +option all CRLs of all CAs in the chain are checked. +.IP "\fB\-CApath directory\fR" 4 +.IX Item "-CApath directory" +The directory to use for client certificate verification. This directory +must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are +also used when building the server certificate chain. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A file containing trusted certificates to use during client authentication +and to use when attempting to build the server certificate chain. The list +is also used in the list of acceptable client CAs passed to the client when +a certificate is requested. +.IP "\fB\-no_alt_chains\fR" 4 +.IX Item "-no_alt_chains" +See the \fBverify\fR manual page for details. +.IP "\fB\-state\fR" 4 +.IX Item "-state" +prints out the \s-1SSL\s0 session states. +.IP "\fB\-debug\fR" 4 +.IX Item "-debug" +print extensive debugging information including a hex dump of all traffic. +.IP "\fB\-msg\fR" 4 +.IX Item "-msg" +show all protocol messages with hex dump. +.IP "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +tests non blocking I/O +.IP "\fB\-nbio\fR" 4 +.IX Item "-nbio" +turns on non blocking I/O +.IP "\fB\-crlf\fR" 4 +.IX Item "-crlf" +this option translated a line feed from the terminal into \s-1CR+LF.\s0 +.IP "\fB\-quiet\fR" 4 +.IX Item "-quiet" +inhibit printing of session and certificate information. +.IP "\fB\-psk_hint hint\fR" 4 +.IX Item "-psk_hint hint" +Use the \s-1PSK\s0 identity hint \fBhint\fR when using a \s-1PSK\s0 cipher suite. +.IP "\fB\-psk key\fR" 4 +.IX Item "-psk key" +Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is +given as a hexadecimal number without leading 0x, for example \-psk +1a2b3c4d. +.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" +These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. +By default the initial handshake uses a \fIversion-flexible\fR method which will +negotiate the highest mutually supported protocol version. +.IP "\fB\-bugs\fR" 4 +.IX Item "-bugs" +there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +option enables various workarounds. +.IP "\fB\-hack\fR" 4 +.IX Item "-hack" +this option enables a further workaround for some some early Netscape +\&\s-1SSL\s0 code (?). +.IP "\fB\-cipher cipherlist\fR" 4 +.IX Item "-cipher cipherlist" +this allows the cipher list used by the server to be modified. When +the client sends a list of supported ciphers the first client cipher +also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist irrelevant. See +the \fBciphers\fR command for more information. +.IP "\fB\-serverpref\fR" 4 +.IX Item "-serverpref" +use the server's cipher preferences, rather than the client's preferences. +.IP "\fB\-tlsextdebug\fR" 4 +.IX Item "-tlsextdebug" +print out a hex dump of any \s-1TLS\s0 extensions received from the server. +.IP "\fB\-no_ticket\fR" 4 +.IX Item "-no_ticket" +disable RFC4507bis session ticket support. +.IP "\fB\-www\fR" 4 +.IX Item "-www" +sends a status message back to the client when it connects. This includes +lots of information about the ciphers used and various session parameters. +The output is in \s-1HTML\s0 format so this option will normally be used with a +web browser. +.IP "\fB\-WWW\fR" 4 +.IX Item "-WWW" +emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. +.IP "\fB\-HTTP\fR" 4 +.IX Item "-HTTP" +emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. The files loaded are +assumed to contain a complete and correct \s-1HTTP\s0 response (lines that +are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by its unique \fBid\fR string) will cause \fBs_server\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-id_prefix arg\fR" 4 +.IX Item "-id_prefix arg" +generate \s-1SSL/TLS\s0 session IDs prefixed by \fBarg\fR. This is mostly useful +for testing any \s-1SSL/TLS\s0 code (eg. proxies) that wish to deal with multiple +servers, when each of which might be generating a unique range of session +IDs (eg. with a certain prefix). +.IP "\fB\-rand file(s)\fR" 4 +.IX Item "-rand file(s)" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "\fB\-serverinfo file\fR" 4 +.IX Item "-serverinfo file" +a file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block +must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length, +followed by \*(L"length\*(R" bytes of extension data). If the client sends +an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding +ServerHello extension will be returned. +.IP "\fB\-no_resumption_on_reneg\fR" 4 +.IX Item "-no_resumption_on_reneg" +set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. +.IP "\fB\-status\fR" 4 +.IX Item "-status" +enables certificate status request support (aka \s-1OCSP\s0 stapling). +.IP "\fB\-status_verbose\fR" 4 +.IX Item "-status_verbose" +enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives +a verbose printout of the \s-1OCSP\s0 response. +.IP "\fB\-status_timeout nsec\fR" 4 +.IX Item "-status_timeout nsec" +sets the timeout for \s-1OCSP\s0 response to \fBnsec\fR seconds. +.IP "\fB\-status_url url\fR" 4 +.IX Item "-status_url url" +sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the +server certificate. Without this option an error is returned if the server +certificate does not contain a responder address. +.IP "\fB\-nextprotoneg protocols\fR" 4 +.IX Item "-nextprotoneg protocols" +enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a +comma-separated list of supported protocol names. +The list should contain most wanted protocols first. +Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or +\&\*(L"spdy/3\*(R". +.SH "CONNECTED COMMANDS" +.IX Header "CONNECTED COMMANDS" +If a connection request is established with an \s-1SSL\s0 client and neither the +\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received +from the client is displayed and any key presses will be sent to the client. +.PP +Certain single letter commands are also recognized which perform special +operations: these are listed below. +.IP "\fBq\fR" 4 +.IX Item "q" +end the current \s-1SSL\s0 connection but still accept new connections. +.IP "\fBQ\fR" 4 +.IX Item "Q" +end the current \s-1SSL\s0 connection and exit. +.IP "\fBr\fR" 4 +.IX Item "r" +renegotiate the \s-1SSL\s0 session. +.IP "\fBR\fR" 4 +.IX Item "R" +renegotiate the \s-1SSL\s0 session and request a client certificate. +.IP "\fBP\fR" 4 +.IX Item "P" +send some plain text down the underlying \s-1TCP\s0 connection: this should +cause the client to disconnect due to a protocol violation. +.IP "\fBS\fR" 4 +.IX Item "S" +print out some session cache status information. +.SH "NOTES" +.IX Header "NOTES" +\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from +a web browser the command: +.PP +.Vb 1 +\& openssl s_server \-accept 443 \-www +.Ve +.PP +can be used for example. +.PP +Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher +suites, so they cannot connect to servers which don't use a certificate +carrying an \s-1RSA\s0 key or a version of OpenSSL with \s-1RSA\s0 disabled. +.PP +Although specifying an empty list of CAs when requesting a client certificate +is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to +mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes. +.PP +The session parameters can printed out using the \fBsess_id\fR program. +.SH "BUGS" +.IX Header "BUGS" +Because this program has a lot of options and also because some of +the techniques used are rather old, the C source of s_server is rather +hard to read and not a model of how things should be done. A typical +\&\s-1SSL\s0 server program would be much simpler. +.PP +The output of common ciphers is wrong: it just gives the list of ciphers that +OpenSSL recognizes and the client supports. +.PP +There should be a way for the \fBs_server\fR program to print out details of any +unknown cipher suites a client says it supports. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +The \-no_alt_chains options was first added to OpenSSL 1.0.2b. |
