X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fapps%2Fs_client.pod;h=52881f8d3e30e9dc57675b8969f8a9b0cdd6f06c;hb=623acb90cc7fdd5bd51a850ee6acc45b661daa83;hp=f99f5ac45635a9e5025be296e3e00145bb9121a2;hpb=3d11b8f89617edc81d01329dbb5bf134fcda3303;p=oweals%2Fopenssl.git diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index f99f5ac456..52881f8d3e 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -9,7 +9,9 @@ s_client - SSL/TLS client program B B [B<-connect host:port>] +[B<-servername name>] [B<-verify depth>] +[B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] @@ -27,6 +29,7 @@ B B [B<-nbio>] [B<-crlf>] [B<-ign_eof>] +[B<-no_ign_eof>] [B<-quiet>] [B<-ssl2>] [B<-ssl3>] @@ -36,6 +39,7 @@ B B [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-serverpref>] [B<-starttls protocol>] [B<-engine id>] [B<-tlsextdebug>] @@ -43,6 +47,7 @@ B B [B<-sess_out filename>] [B<-sess_in filename>] [B<-rand file(s)>] +[B<-serverinfo types>] =head1 DESCRIPTION @@ -59,6 +64,10 @@ SSL servers. This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433. +=item B<-servername name> + +Set the TLS SNI (Server Name Indication) extension in the ClientHello message. + =item B<-cert certname> The certificate to use, if one is requested by the server. The default is @@ -90,6 +99,11 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +=item B<-verify_return_error> + +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. + =item B<-CApath directory> The directory to use for server certificate verification. This directory @@ -101,6 +115,11 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> + +Set various certificate chain valiadition option. See the +L|verify(1)> manual page for details. + =item B<-reconnect> reconnects to the same server 5 times using the same session ID, this can @@ -161,6 +180,11 @@ input. inhibit printing of session and certificate information. This implicitly turns on B<-ign_eof> as well. +=item B<-no_ign_eof> + +shut down the connection when end of file is reached in the input. +Can be used to override the implicit B<-ign_eof> after B<-quiet>. + =item B<-psk_identity identity> Use the PSK identity B when using a PSK cipher suite. @@ -194,6 +218,10 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. +=item B<-serverpref> + +use the server's cipher preferences; only used for SSLV2. + =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. @@ -219,7 +247,7 @@ connection from this session. =item B<-engine id> -specifying an engine (by it's unique B string) will cause B +specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -232,6 +260,13 @@ Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-serverinfo types> + +a list of comma-separated TLS Extension Types (numbers between 0 and +65535). Each type will be sent as an empty ClientHello TLS Extension. +The server's response (if any) will be encoded and displayed as a PEM +file. + =back =head1 CONNECTED COMMANDS @@ -281,6 +316,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its use is disabled, for example by using the B<-no_sslv2> option. +The B utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should B do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the B<-verify_return_error> +option: any verify errors are then returned aborting the handshake. + =head1 BUGS Because this program has a lot of options and also because some of @@ -288,9 +330,6 @@ the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. -The B<-verify> option should really exit if the server verification -fails. - The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated.