B<openssl> B<s_client>
[B<-connect host:port>]
+[B<-servername name>]
[B<-verify depth>]
+[B<-verify_return_error>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
[B<-nbio>]
[B<-crlf>]
[B<-ign_eof>]
+[B<-no_ign_eof>]
[B<-quiet>]
[B<-ssl2>]
[B<-ssl3>]
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
+[B<-serverpref>]
[B<-starttls protocol>]
[B<-engine id>]
[B<-tlsextdebug>]
[B<-sess_out filename>]
[B<-sess_in filename>]
[B<-rand file(s)>]
+[B<-serverinfo types>]
=head1 DESCRIPTION
This specifies the host and optional port to connect to. If not specified
then an attempt is made to connect to the local host on port 4433.
+=item B<-servername name>
+
+Set the TLS SNI (Server Name Indication) extension in the ClientHello message.
+
=item B<-cert certname>
The certificate to use, if one is requested by the server. The default is
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
=item B<-CApath directory>
The directory to use for server certificate verification. This directory
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+
+Set various certificate chain valiadition option. See the
+L<B<verify>|verify(1)> manual page for details.
+
=item B<-reconnect>
reconnects to the same server 5 times using the same session ID, this can
inhibit printing of session and certificate information. This implicitly
turns on B<-ign_eof> as well.
+=item B<-no_ign_eof>
+
+shut down the connection when end of file is reached in the input.
+Can be used to override the implicit B<-ign_eof> after B<-quiet>.
+
=item B<-psk_identity identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
+=item B<-serverpref>
+
+use the server's cipher preferences; only used for SSLV2.
+
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
+=item B<-serverinfo types>
+
+a list of comma-separated TLS Extension Types (numbers between 0 and
+65535). Each type will be sent as an empty ClientHello TLS Extension.
+The server's response (if any) will be encoded and displayed as a PEM
+file.
+
=back
=head1 CONNECTED COMMANDS
these will only be supported if its use is disabled, for example by using the
B<-no_sslv2> option.
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
=head1 BUGS
Because this program has a lot of options and also because some of
hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler.
-The B<-verify> option should really exit if the server verification
-fails.
-
The B<-prexit> option is a bit of a hack. We should really report
information whenever a session is renegotiated.
projects / oweals / openssl.git / blobdiff