doc/man1/openssl-x509.pod
doc/man1/openssl.pod
+# Auto generated doc files
+doc/man1/openssl-ca.pod
+doc/man1/openssl-cms.pod
+doc/man1/openssl-crl.pod
+doc/man1/openssl-dgst.pod
+doc/man1/openssl-dhparam.pod
+doc/man1/openssl-dsaparam.pod
+doc/man1/openssl-ecparam.pod
+doc/man1/openssl-enc.pod
+doc/man1/openssl-gendsa.pod
+doc/man1/openssl-genrsa.pod
+doc/man1/openssl-ocsp.pod
+doc/man1/openssl-passwd.pod
+doc/man1/openssl-pkcs12.pod
+doc/man1/openssl-pkcs8.pod
+doc/man1/openssl-pkeyutl.pod
+doc/man1/openssl-rand.pod
+doc/man1/openssl-req.pod
+doc/man1/openssl-rsautl.pod
+doc/man1/openssl-s_client.pod
+doc/man1/openssl-s_server.pod
+doc/man1/openssl-s_time.pod
+doc/man1/openssl-smime.pod
+doc/man1/openssl-speed.pod
+doc/man1/openssl-srp.pod
+doc/man1/openssl-ts.pod
+doc/man1/openssl-verify.pod
+doc/man1/openssl-x509.pod
+
# error code files
/crypto/err/openssl.txt.old
/engines/e_afalg.txt.old
[B<-psk> I<key>]
[B<-psk_session> I<file>]
[B<-quiet>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]
-[B<-dtls>]
-[B<-dtls1>]
-[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-fallback_scsv>]
[B<-early_data> I<file>]
[B<-enable_pha>]
{- $OpenSSL::safe::opt_name_synopsis -}
+{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported protocol
-version.
-When a specific TLS version is required, only that version will be offered to
-and accepted from the server.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol version,
-whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
-respectively.
-
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via B<-cert>.
-=item I<host>:I<port>
-
-Rather than providing B<-connect>, the target hostname and optional port may
-be provided as a single positional argument after all options. If neither this
-nor B<-connect> are provided, falls back to attempting to connect to
-I<localhost> on port I<4433>.
+{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_name_item -}
{- $OpenSSL::safe::opt_engine_item -}
+=item I<host>:I<port>
+
+Rather than providing B<-connect>, the target hostname and optional port may
+be provided as a single positional argument after all options. If neither this
+nor B<-connect> are provided, falls back to attempting to connect to
+I<localhost> on port I<4433>.
+
=back
=head1 CONNECTED COMMANDS
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
[B<-read_buf> I<+int>]
-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]
[B<-bugs>]
[B<-no_comp>]
[B<-comp>]
[B<-psk_session> I<file>]
[B<-srpvfile> I<infile>]
[B<-srpuserseed> I<val>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-dtls>]
[B<-timeout>]
[B<-mtu> I<+int>]
[B<-listen>]
-[B<-dtls1>]
-[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
[B<-no_anti_replay>]
[B<-http_server_binmode>]
{- $OpenSSL::safe::opt_name_synopsis -}
+{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. Cannot be used in conjunction
+requested the file F<./page.html> will be loaded.
+The files loaded are
+assumed to contain a complete and correct HTTP response (lines that
+are part of the HTTP response line and headers must end with CRLF). Cannot be
+used in conjunction with B<-early_data>.
+Cannot be used in conjunction
with B<-early_data>.
=item B<-tlsextdebug>
Print a hex dump of any TLS extensions received from the server.
-=item B<-HTTP>
-
-Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. The files loaded are
-assumed to contain a complete and correct HTTP response (lines that
-are part of the HTTP response line and headers must end with CRLF). Cannot be
-used in conjunction with B<-early_data>.
-
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported
-protocol version.
-When a specific TLS version is required, only that version will be accepted
-from the client.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
If a ClientHello with a cookie is received then this command will
connect to that peer and complete the handshake.
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol
-version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
-DTLSv1.2 respectively.
-
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
{- $OpenSSL::safe::opt_name_item -}
+{- $OpenSSL::safe::opt_version_item -}
+
{- $OpenSSL::safe::opt_x_item -}
{- $OpenSSL::safe::opt_trust_item -}
[B<-new>]
[B<-verify> I<depth>]
[B<-time> I<seconds>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
+{- $OpenSSL::safe::opt_versiontls_synopsis -}
[B<-bugs>]
[B<-cipher> I<cipherlist>]
[B<-ciphersuites> I<val>]
that session caching is working. If neither B<-new> nor B<-reuse> are
specified, they are both on by default and executed in sequence.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
-
-These options enable specific SSL or TLS protocol versions for the handshake
-initiated by this command.
-By default, it negotiates the highest mutually supported protocol
-version.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
{- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_versiontls_item -}
+
=back
=head1 NOTES
Places spaces round the equal sign, C<=>, character which follows the field
name.
+=head2 TLS Version Options
+
+Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
+clients will offer the lowest and highest protocol version they support,
+and servers will pick the highest version that the client offers that is also
+supported by the server.
+
+The options below can be used to limit which protocol versions are used,
+and whether TCP (SSL and TLS) or UDP (DTLS) is used.
+Note that not all protocols and flags may be available, depending on how
+OpenSSL was built.
+
+=over 4
+
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
+
+These options require or disable the use of the specified SSL or TLS protocols.
+When a specific TLS version is required, only that version will be offered or
+accepted.
+Only one specific protocol can be given and it cannot be combined with any of
+the B<no_> options.
+
+=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
+
+These options specify to use DTLS instead of DLTS.
+With B<-dtls>, clients will negotiate any supported DTLS protocol version.
+Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
+respectively.
+
=back
=head2 Engine Options
. "\n"
. "See L<openssl(1)/Trusted Certificate Options> for details.";
+# TLS Version Options
+$OpenSSL::safe::opt_versiontls_synopsis = ""
+. "[B<-no_ssl3>]\n"
+. "[B<-no_tls1>]\n"
+. "[B<-no_tls1_1>]\n"
+. "[B<-no_tls1_2>]\n"
+. "[B<-no_tls1_3>]\n"
+. "[B<-ssl3>]\n"
+. "[B<-tls1>]\n"
+. "[B<-tls1_1>]\n"
+. "[B<-tls1_2>]\n"
+. "[B<-tls1_3>]";
+$OpenSSL::safe::opt_versiontls_item = ""
+. "=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>,\n"
+. "B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>\n"
+. "\n"
+. "See L<openssl(1)/TLS Version Options>.";
+
+# TLS/DTLS Version Options
+$OpenSSL::safe::opt_version_synopsis = ""
+. "$OpenSSL::safe::opt_versiontls_synopsis\n"
+. "[B<-dtls>]\n"
+. "[B<-dtls1>]\n"
+. "[B<-dtls1_2>]";
+$OpenSSL::safe::opt_version_item = "\n"
+. "$OpenSSL::safe::opt_versiontls_item\n"
+. "\n"
+. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>\n"
+. "\n"
+. "These specify the use of DTLS instead of TLS.\n"
+. "See L<openssl(1)/TLS Version Options>.";
+
# SSL connection options.
# TODO(3.0) Not currently used. The refactoring needs to be done, and
# the options will probably be re-ordered.
. (scalar(@ARGV) > 0 ? " from " .join(", ", @ARGV) : "")
);
+if (defined($opts{s})) {
+ local $/ = undef;
+ open VARS, $opts{s} or die "Couldn't open $opts{s}, $!";
+ my $contents = <VARS>;
+ close VARS;
+ eval $contents;
+ die $@ if $@;
+}
die "Must have input files"
if defined($opts{i}) and scalar(@ARGV) == 0;