X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;ds=sidebyside;f=doc%2Fapps%2Fs_server.pod;h=1de307a0ff4418294d6d4c80bb92cffd1ab1b6e7;hb=6d3d5793673b225b2347ef45b74d0d9994f3132c;hp=5b6a20221d7e94b4c0ab6b68777b10bf52e69935;hpb=dd46d58f65bd3a342bbcd8586680942be643fc7d;p=oweals%2Fopenssl.git diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 5b6a20221d..1de307a0ff 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -7,23 +7,34 @@ s_server - SSL/TLS server program =head1 SYNOPSIS -B B +B B [B<-accept port>] +[B<-naccept count>] [B<-context id>] [B<-verify depth>] [B<-Verify depth>] +[B<-crl_check>] +[B<-crl_check_all>] [B<-cert filename>] +[B<-certform DER|PEM>] [B<-key keyfile>] +[B<-keyform DER|PEM>] +[B<-pass arg>] [B<-dcert filename>] +[B<-dcertform DER|PEM>] [B<-dkey keyfile>] +[B<-dkeyform DER|PEM>] +[B<-dpass arg>] [B<-dhparam filename>] [B<-nbio>] [B<-nbio_test>] [B<-crlf>] [B<-debug>] +[B<-msg>] [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] [B<-nocert>] [B<-cipher cipherlist>] [B<-quiet>] @@ -35,11 +46,22 @@ B B [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] +[B<-no_ecdhe>] [B<-bugs>] +[B<-brief>] [B<-hack>] [B<-www>] [B<-WWW>] - +[B<-HTTP>] +[B<-engine id>] +[B<-tlsextdebug>] +[B<-no_ticket>] +[B<-id_prefix arg>] +[B<-rand file(s)>] +[B<-serverinfo file>] +[B<-auth>] +[B<-auth_require_reneg>] +[B<-no_resumption_on_reneg>] =head1 DESCRIPTION The B command implements a generic SSL/TLS server which listens @@ -47,16 +69,25 @@ for connections on a given port using SSL/TLS. =head1 OPTIONS +In addition to the options below the B utility also supports the +common and server only options documented in the +L manual +page. + =over 4 =item B<-accept port> the TCP port to listen on for connections. If not specified 4433 is used. +=item B<-naccept count> + +The server will exit after receiving B connections, default unlimited. + =item B<-context id> -sets the SSL context id. If a client certificate is being requested then -this option must be set. It can be given any string value. +sets the SSL context id. It can be given any string value. If this option +is not present a default value will be used. =item B<-cert certname> @@ -65,11 +96,24 @@ certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS (DSA) key. If not specified then the filename "server.pem" will be used. +=item B<-certform format> + +The certificate format to use: DER or PEM. PEM is the default. + =item B<-key keyfile> The private key to use. If not specified then the certificate file will be used. +=item B<-keyform format> + +The private format to use: DER or PEM. PEM is the default. + +=item B<-pass arg> + +the private key password source. For more information about the format of B +see the B section in L. + =item B<-dcert filename>, B<-dkey keyname> specify an additional certificate and private key, these behave in the @@ -81,6 +125,10 @@ and some a DSS (DSA) key. By using RSA and DSS certificates and keys a server can support clients which only support RSA or DSS cipher suites by using an appropriate certificate. +=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg> + +additional certificate and private key format and passphrase respectively. + =item B<-nocert> if this option is set then no certificate is used. This restricts the @@ -94,11 +142,16 @@ using a set of DH parameters. If not specified then an attempt is made to load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into the s_server program will be used. -=item B<-nodhe> +=item B<-no_dhe> if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. +=item B<-no_ecdhe> + +if this option is set then no ECDH parameters will be loaded effectively +disabling the ephemeral ECDH cipher suites. + =item B<-no_tmp_rsa> certain export cipher suites sometimes use a temporary RSA key, this option @@ -112,6 +165,12 @@ the client. With the B<-verify> option a certificate is requested but the client does not have to send one, with the B<-Verify> option the client must supply a certificate or an error occurs. +=item B<-crl_check>, B<-crl_check_all> + +Check the peer certificate has not been revoked by its CA. +The CRL(s) are appended to the certificate file. With the B<-crl_check_all> +option all CRLs of all CAs in the chain are checked. + =item B<-CApath directory> The directory to use for client certificate verification. This directory @@ -125,6 +184,11 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-trusted_first> + +Set certificate verification option. +See the L|verify(1)> manual page for details. + =item B<-state> prints out the SSL session states. @@ -133,6 +197,19 @@ prints out the SSL session states. print extensive debugging information including a hex dump of all traffic. +=item B<-msg> + +show all protocol messages with hex dump. + +=item B<-trace> + +show verbose trace output of protocol messages. OpenSSL needs to be compiled +with B for this option to work. + +=item B<-msgfile> + +file to send output of B<-msg> or B<-trace> to, default standard output. + =item B<-nbio_test> tests non blocking I/O @@ -149,6 +226,16 @@ this option translated a line feed from the terminal into CR+LF. inhibit printing of session and certificate information. +=item B<-psk_hint hint> + +Use the PSK identity hint B when using a PSK cipher suite. + +=item B<-psk key> + +Use the PSK key B when using a PSK cipher suite. The key is +given as a hexadecimal number without leading 0x, for example -psk +1a2b3c4d. + =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> these options disable the use of certain SSL or TLS protocols. By default @@ -160,6 +247,11 @@ servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. there are several known bug in SSL and TLS implementations. Adding this option enables various workarounds. +=item B<-brief> + +only provide a brief summary of connection parameters instead of the +normal verbose output. + =item B<-hack> this option enables a further workaround for some some early Netscape @@ -167,8 +259,19 @@ SSL code (?). =item B<-cipher cipherlist> -this allows the cipher list sent by the client to be modified. See the -B command for more information. +this allows the cipher list used by the server to be modified. When +the client sends a list of supported ciphers the first client cipher +also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist irrelevant. See +the B command for more information. + +=item B<-tlsextdebug> + +print out a hex dump of any TLS extensions received from the server. + +=item B<-no_ticket> + +disable RFC4507bis session ticket support. =item B<-www> @@ -183,6 +286,63 @@ emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded. +=item B<-HTTP> + +emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the URL https://myhost/page.html is +requested the file ./page.html will be loaded. The files loaded are +assumed to contain a complete and correct HTTP response (lines that +are part of the HTTP response line and headers must end with CRLF). + +=item B<-rev> + +simple test server which just reverses the text received from the client +and sends it back to the server. Also sets B<-brief>. + +=item B<-engine id> + +specifying an engine (by its unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + +=item B<-id_prefix arg> + +generate SSL/TLS session IDs prefixed by B. This is mostly useful +for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple +servers, when each of which might be generating a unique range of session +IDs (eg. with a certain prefix). + +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + +=item B<-serverinfo file> + +a file containing one or more blocks of PEM data. Each PEM block +must encode a TLS ServerHello extension (2 bytes type, 2 bytes length, +followed by "length" bytes of extension data). If the client sends +an empty TLS ClientHello extension matching the type, the corresponding +ServerHello extension will be returned. + +=item B<-auth> + +send RFC 5878 client and server authorization extensions in the Client Hello as well as +supplemental data if the server also sent the authorization extensions in the Server Hello. + +=item B<-auth_require_reneg> + +only send RFC 5878 client and server authorization extensions during renegotiation. + +=item B<-no_resumption_on_reneg> + +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Required in order to receive supplemental data +during renegotiation if auth and auth_require_reneg are set. + =back =head1 CONNECTED COMMANDS @@ -191,7 +351,7 @@ If a connection request is established with an SSL client and neither the B<-www> nor the B<-WWW> option has been used then normally any data received from the client is displayed and any key presses will be sent to the client. -Certain single letter commands are also recognised which perform special +Certain single letter commands are also recognized which perform special operations: these are listed below. =over 4 @@ -257,6 +417,6 @@ unknown cipher suites a client says it supports. =head1 SEE ALSO -sess_id(1), s_client(1), ciphers(1) +L, L, L =cut