Drop redundant and outdated __CYGWIN32__ tests.

[oweals/openssl.git] / doc / apps / s_server.pod

diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 3f657c94909d5707de5ae0f5db475f49b97336f5..1cc965f3e91f503414577277d55e76ddafee9fae 100644 (file)
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -53,6 +53,7 @@ B<openssl> B<s_server>
 [B<-trusted_first>]
 [B<-use_deltas>]
 [B<-verify_depth num>]
+[B<-verify_return_error>]
 [B<-verify_email email>]
 [B<-verify_hostname hostname>]
 [B<-verify_ip ip>]
@@ -63,10 +64,8 @@ B<openssl> B<s_server>
 [B<-serverpref>]
 [B<-quiet>]
 [B<-no_tmp_rsa>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
@@ -185,14 +184,6 @@ disabling the ephemeral ECDH cipher suites.
 certain export cipher suites sometimes use a temporary RSA key, this option
 disables temporary RSA key generation.
 
-=item B<-verify depth>, B<-Verify depth>
-
-The verify depth to use. This specifies the maximum length of the
-client certificate chain and makes the server request a certificate from
-the client. With the B<-verify> option a certificate is requested but the
-client does not have to send one, with the B<-Verify> option the client
-must supply a certificate or an error occurs.
-
 =item B<-crl_check>, B<-crl_check_all>
 
 Check the peer certificate has not been revoked by its CA.
@@ -212,6 +203,17 @@ and to use when attempting to build the server certificate chain. The list
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-verify depth>, B<-Verify depth>
+
+The verify depth to use. This specifies the maximum length of the
+client certificate chain and makes the server request a certificate from
+the client. With the B<-verify> option a certificate is requested but the
+client does not have to send one, with the B<-Verify> option the client
+must supply a certificate or an error occurs.
+
+If the ciphersuite cannot request a client certificate (for example an
+anonymous ciphersuite or PSK) this option has no effect.
+
 =item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
 B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
 B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
@@ -222,6 +224,12 @@ B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 Set different peer certificate verification options.
 See the L<B<verify>|verify(1)> manual page for details.
 
+=item B<-verify_return_error>
+
+Verification errors normally just print a message but allow the
+connection to continue, for debugging purposes.
+If this option is used, then verification errors close the connection.
+
 =item B<-state>
 
 prints out the SSL session states.
@@ -269,11 +277,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
 
 these options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
 
 =item B<-bugs>