=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-s_server - SSL/TLS server program

=head1 SYNOPSIS

B<openssl> B<s_server>
[B<-help>]
[B<-port> I<+int>]
[B<-accept> I<val>]
[B<-unix> I<val>]
[B<-4>]
[B<-6>]
[B<-unlink>]
[B<-context> I<val>]
[B<-verify> I<int>]
[B<-Verify> I<int>]
[B<-cert> I<infile>]
[B<-cert2> I<infile>]
[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-cert_chain> I<infile>]
[B<-build_chain>]
[B<-serverinfo> I<val>]
[B<-key> I<filename>|I<uri>]
[B<-key2> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
[B<-dcertform> B<DER>|B<PEM>|B<P12>]
[B<-dcert_chain> I<infile>]
[B<-dkey> I<filename>|I<uri>]
[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
[B<-debug>]
[B<-msg>]
[B<-msgfile> I<outfile>]
[B<-state>]
[B<-nocert>]
[B<-quiet>]
[B<-no_resume_ephemeral>]
[B<-www>]
[B<-WWW>]
[B<-http_server_binmode>]
[B<-no_ca_names>]
[B<-ignore_unexpected_eof>]
[B<-servername>]
[B<-servername_fatal>]
[B<-tlsextdebug>]
[B<-HTTP>]
[B<-id_prefix> I<val>]
[B<-keymatexport> I<val>]
[B<-keymatexportlen> I<+int>]
[B<-CRL> I<infile>]
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-chainCAfile> I<infile>]
[B<-chainCApath> I<dir>]
[B<-chainCAstore> I<uri>]
[B<-verifyCAfile> I<infile>]
[B<-verifyCApath> I<dir>]
[B<-verifyCAstore> I<uri>]
[B<-no_cache>]
[B<-ext_cache>]
[B<-verify_return_error>]
[B<-verify_quiet>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-no_etm>]
[B<-no_ems>]
[B<-status>]
[B<-status_verbose>]
[B<-status_timeout> I<int>]
[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>]
[B<-no_proxy> I<addresses>]
[B<-status_url> I<val>]
[B<-status_file> I<infile>]
[B<-ssl_config> I<val>]
[B<-trace>]
[B<-security_debug>]
[B<-security_debug_verbose>]
[B<-brief>]
[B<-rev>]
[B<-async>]
[B<-max_send_frag> I<+int>]
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
[B<-naccept> I<+int>]
[B<-read_buf> I<+int>]
[B<-bugs>]
[B<-no_comp>]
[B<-comp>]
[B<-no_ticket>]
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
[B<-no_resumption_on_reneg>]
[B<-allow_no_dhe_kex>]
[B<-prioritize_chacha>]
[B<-strict>]
[B<-sigalgs> I<val>]
[B<-client_sigalgs> I<val>]
[B<-groups> I<val>]
[B<-curves> I<val>]
[B<-named_curve> I<val>]
[B<-cipher> I<val>]
[B<-ciphersuites> I<val>]
[B<-dhparam> I<infile>]
[B<-record_padding> I<val>]
[B<-debug_broken_protocol>]
[B<-nbio>]
[B<-psk_identity> I<val>]
[B<-psk_hint> I<val>]
[B<-psk> I<val>]
[B<-psk_session> I<file>]
[B<-srpvfile> I<infile>]
[B<-srpuserseed> I<val>]
[B<-timeout>]
[B<-mtu> I<+int>]
[B<-listen>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-use_srtp> I<val>]
[B<-no_dhe>]
[B<-nextprotoneg> I<val>]
[B<-alpn> I<val>]
[B<-ktls>]
[B<-sendfile>]
[B<-keylogfile> I<outfile>]
[B<-recv_max_early_data> I<int>]
[B<-max_early_data> I<int>]
[B<-early_data>]
[B<-stateless>]
[B<-anti_replay>]
[B<-no_anti_replay>]
[B<-num_tickets>]
[B<-tfo>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}

=head1 DESCRIPTION

This command implements a generic SSL/TLS server which
listens for connections on a given port using SSL/TLS.

=head1 OPTIONS

In addition to the options below, this command also supports
the common and server only options documented in
L<SSL_CONF_cmd(3)/Supported Command Line Commands>.

=over 4

=item B<-help>

Print out a usage message.

=item B<-port> I<+int>

The TCP port to listen on for connections. If not specified 4433 is used.

=item B<-accept> I<val>

The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.

=item B<-unix> I<val>

Unix domain socket to accept on.

=item B<-4>

Use IPv4 only.

=item B<-6>

Use IPv6 only.

=item B<-unlink>

For B<-unix>, unlink any existing socket first.

=item B<-context> I<val>

Sets the SSL context id. It can be given any string value. If this option
is not present a default value will be used.

=item B<-verify> I<int>, B<-Verify> I<int>

The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
the client. With the B<-verify> option a certificate is requested but the
client does not have to send one; with the B<-Verify> option the client
must supply a certificate or an error occurs.

If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or PSK) this option has no effect.

=item B<-cert> I<infile>

The certificate to use. Most server cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
for example the DSS cipher suites require a certificate containing a DSS
(DSA) key. If not specified then the filename F<server.pem> will be used.

=item B<-cert2> I<infile>

The certificate file to use for servername; default is F<server2.pem>.

=item B<-certform> B<DER>|B<PEM>|B<P12>

The server certificate file format; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-cert_chain>

A file or URI of untrusted certificates to use when attempting to build the
certificate chain related to the certificate specified via the B<-cert> option.
The input can be in PEM, DER, or PKCS#12 format.

=item B<-build_chain>

Specify whether the application should build the server certificate chain to be
provided to the client.

=item B<-serverinfo> I<val>

A file containing one or more blocks of PEM data. Each PEM block
must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
followed by "length" bytes of extension data). If the client sends
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.

=item B<-key> I<filename>|I<uri>

The private key to use. If not specified then the certificate file will
be used.

=item B<-key2> I<filename>|I<uri>

The private key file to use for servername if not given via B<-cert2>.

=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The key format; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-pass> I<val>

The private key and certificate file password source.
For more information about the format of I<val>,
see L<openssl-passphrase-options(1)>.

=item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri>

Specify an additional certificate and private key. These behave in the
same manner as the B<-cert> and B<-key> options except there is no default
if they are not specified (no additional certificate and key is used). As
noted above some cipher suites require a certificate containing a key of
a certain type. Some cipher suites need a certificate carrying an RSA key
and some a DSS (DSA) key.
By using RSA and DSS certificates and keys
a server can support clients which only support RSA or DSS cipher suites
by using an appropriate certificate.

=item B<-dcert_chain>

A file or URI of untrusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
The input can be in PEM, DER, or PKCS#12 format.

=item B<-dcertform> B<DER>|B<PEM>|B<P12>

The format of the additional certificate file; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The format of the additional private key; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-dpass> I<val>

The passphrase for the additional private key and certificate.
For more information about the format of I<val>,
see L<openssl-passphrase-options(1)>.

=item B<-nbio_test>

Tests non-blocking I/O.

=item B<-crlf>

This option translates a line feed from the terminal into CR+LF.

=item B<-debug>

Print extensive debugging information including a hex dump of all traffic.

=item B<-security_debug>

Print output from the SSL/TLS security framework.

=item B<-security_debug_verbose>

Print more output from the SSL/TLS security framework.

=item B<-msg>

Show all protocol messages with hex dump.

=item B<-msgfile> I<outfile>

File to send output of B<-msg> or B<-trace> to, default standard output.

=item B<-state>

Prints the SSL session states.

=item B<-CRL> I<infile>

The CRL file to use.

=item B<-CRLform> B<DER>|B<PEM>

The CRL file format; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-crl_download>

Download CRLs from distribution points given in CDP extensions of certificates.

=item B<-verifyCAfile> I<filename>

A file in PEM format containing trusted CA certificates to use
for verifying client certificates.

=item B<-verifyCApath> I<dir>

A directory containing trusted certificates to use
for verifying client certificates.
This directory must be in "hash format",
see L<openssl-verify(1)> for more information.

=item B<-verifyCAstore> I<uri>

The URI of a store containing trusted certificates to use
for verifying client certificates.

=item B<-chainCAfile> I<file>

A file in PEM format containing trusted certificates to use
when attempting to build the server certificate chain.

=item B<-chainCApath> I<dir>

A directory containing trusted certificates to use
for building the server certificate chain provided to the client.
This directory must be in "hash format",
see L<openssl-verify(1)> for more information.

=item B<-chainCAstore> I<uri>

The URI of a store containing trusted certificates to use
for building the server certificate chain provided to the client.
The URI may indicate a single certificate, as well as a collection of them.
With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
B<-chainCApath>, depending on whether the URI indicates a directory or a
single file.
See L<ossl_store-file(7)> for more information on the C<file:> scheme.

=item B<-nocert>

If this option is set then no certificate is used. This restricts the
cipher suites available to the anonymous ones (currently just anonymous
DH).

=item B<-quiet>

Inhibit printing of session and certificate information.

=item B<-no_resume_ephemeral>

Disable caching and tickets if ephemeral (EC)DH is used.

=item B<-tlsextdebug>

Print a hex dump of any TLS extensions received from the server.

=item B<-www>

Sends a status message back to the client when it connects. This includes
information about the ciphers used and various session parameters.
The output is in HTML format so this option can be used with a web browser.
The special URL C</renegcert> turns on client cert validation, and C</reneg>
tells the server to request renegotiation.
The B<-early_data> option cannot be used with this option.

=item B<-WWW>, B<-HTTP>

Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL C<https://myhost/page.html> is
requested the file F<./page.html> will be sent.
If the B<-HTTP> flag is used, the files are sent directly, and should contain
any HTTP response headers (including status response line).
If the B<-WWW> option is used,
the response headers are generated by the server, and the file extension is
examined to determine the B<Content-Type> header.
Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
C<text/plain>.
In addition, the special URL C</stats> will return status
information like the B<-www> option.
Neither of these options can be used in conjunction with B<-early_data>.

=item B<-http_server_binmode>

When acting as a web server (using option B<-WWW> or B<-HTTP>) open files requested
by the client in binary mode.

=item B<-no_ca_names>

Disable TLS Extension CA Names. You may want to disable it for security reasons
or for compatibility with some Windows TLS implementations crashing when this
extension is larger than 1024 bytes.

=item B<-ignore_unexpected_eof>

Some TLS implementations do not send the mandatory close_notify alert on
shutdown.
If the application tries to wait for the close_notify alert but the
peer closes the connection without sending it, an error is generated. When this
option is enabled the peer does not need to send the close_notify alert and a
closed connection will be treated as if the close_notify alert was received.
For more information on shutting down a connection, see L<SSL_shutdown(3)>.

=item B<-servername>

Servername for HostName TLS extension.

=item B<-servername_fatal>

On servername mismatch send fatal alert (default: warning alert).

=item B<-id_prefix> I<val>

Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
for testing any SSL/TLS code (e.g. proxies) that wishes to deal with multiple
servers, each of which might be generating a unique range of session
IDs (e.g. with a certain prefix).

=item B<-keymatexport>

Export keying material using label.

=item B<-keymatexportlen>

Export the given number of bytes of keying material; default 20.

=item B<-no_cache>

Disable session cache.

=item B<-ext_cache>

Disable internal cache, set up and use external cache.

=item B<-verify_return_error>

Verification errors normally just print a message but allow the
connection to continue, for debugging purposes.
If this option is used, then verification errors close the connection.

=item B<-verify_quiet>

No verify output except verify errors.

=item B<-ign_eof>

Ignore input EOF (default: when B<-quiet>).

=item B<-no_ign_eof>

Do not ignore input EOF.

=item B<-no_etm>

Disable Encrypt-then-MAC negotiation.

=item B<-no_ems>

Disable Extended master secret negotiation.

=item B<-status>

Enables certificate status request support (aka OCSP stapling).

=item B<-status_verbose>

Enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.

=item B<-status_timeout> I<int>

Sets the timeout for OCSP response to I<int> seconds.

=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>

The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
applies, see below.
The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
the optional C<http://> or C<https://> prefix is ignored,
as well as any userinfo and path components.
Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.

=item B<-no_proxy> I<addresses>

List of IP addresses and/or DNS names of servers
not to use an HTTP(S) proxy for, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.

=item B<-status_url> I<val>

Sets a fallback responder URL to use if no responder URL is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.
The optional userinfo and fragment URL components are ignored.
Any given query component is handled as part of the path component.

=item B<-status_file> I<infile>

Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.

=item B<-ssl_config> I<val>

Configure SSL_CTX using the given configuration value.

=item B<-trace>

Show verbose trace output of protocol messages.

=item B<-brief>

Provide a brief summary of connection parameters instead of the normal verbose
output.

=item B<-rev>

Simple echo server that sends back received text reversed. Also sets B<-brief>.
Cannot be used in conjunction with B<-early_data>.

=item B<-async>

Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).

=item B<-max_send_frag> I<+int>

The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.

=item B<-split_send_frag> I<+int>

The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.

=item B<-max_pipelines> I<+int>

The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.

=item B<-naccept> I<+int>

The server will exit after receiving the specified number of connections,
default unlimited.

=item B<-read_buf> I<+int>

The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).

=item B<-bugs>

There are several known bugs in SSL and TLS implementations. Adding this
option enables various workarounds.

=item B<-no_comp>

Disable negotiation of TLS compression.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.

=item B<-comp>

Enable negotiation of TLS compression.
This option was introduced in OpenSSL 1.1.0.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.

=item B<-no_ticket>

Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
is negotiated. See B<-num_tickets>.

=item B<-num_tickets>

Control the number of tickets that will be sent to the client after a full
handshake in TLSv1.3. The default number of tickets is 2. This option does not
affect the number of tickets sent after a resumption handshake.

=item B<-serverpref>

Use the server's cipher preferences, rather than the client's preferences.

=item B<-prioritize_chacha>

Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.

=item B<-no_resumption_on_reneg>

Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.

=item B<-client_sigalgs> I<val>

Signature algorithms to support for client certificate authentication
(colon-separated list).

=item B<-named_curve> I<val>

Specifies the elliptic curve to use. NOTE: this is a single curve, not a list.
For a list of all possible curves, use:

    $ openssl ecparam -list_curves

=item B<-cipher> I<val>

This allows the list of TLSv1.2 and below ciphersuites used by the server to be
modified. This list is combined with any TLSv1.3 ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used.
Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
L<openssl-ciphers(1)> for more information.

=item B<-ciphersuites> I<val>

This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
This list is combined with any TLSv1.2 and below ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
the L<openssl-ciphers(1)> command for more information. The format for this list is
a simple colon (":") separated list of TLSv1.3 ciphersuite names.

=item B<-dhparam> I<infile>

The DH parameter file to use. The ephemeral DH cipher suites generate keys
using a set of DH parameters. If not specified then an attempt is made to
load the parameters from the server certificate file.
If this fails then a static set of parameters hard coded into this command
will be used.

=item B<-nbio>

Turns on non-blocking I/O.

=item B<-timeout>

Enable timeouts.

=item B<-mtu>

Set link-layer MTU.

=item B<-psk_identity> I<val>

Expect the client to send PSK identity I<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".

=item B<-psk_hint> I<val>

Use the PSK identity hint I<val> when using a PSK cipher suite.

=item B<-psk> I<val>

Use the PSK key I<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.

=item B<-psk_session> I<file>

Use the PEM encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.

=item B<-srpvfile>

The verifier file for SRP.
This option is deprecated.

=item B<-srpuserseed>

A seed string for a default user salt.
This option is deprecated.

=item B<-listen>

This option can only be used in conjunction with one of the DTLS options above.
With this option, this command will listen on a UDP port for incoming
connections.
Any ClientHellos that arrive will be checked to see if they have a cookie in
them or not.
Any without a cookie will be responded to with a HelloVerifyRequest.
If a ClientHello with a cookie is received then this command will
connect to that peer and complete the handshake.

=item B<-sctp>

Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.

=item B<-sctp_label_bug>

Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.

=item B<-use_srtp>

Offer SRTP key management with a colon-separated profile list.

=item B<-no_dhe>

If this option is set then no DH parameters will be loaded, effectively
disabling the ephemeral DH cipher suites.

=item B<-alpn> I<val>, B<-nextprotoneg> I<val>

These flags enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
The I<val> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

=item B<-ktls>

Enable Kernel TLS for sending and receiving.
This option was introduced in OpenSSL 3.1.0.
Kernel TLS is off by default as of OpenSSL 3.1.0.

=item B<-sendfile>

If this option is set and KTLS is enabled, SSL_sendfile() will be used
instead of BIO_write() to send the HTTP response requested by a client.
This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP>
are specified.

=item B<-keylogfile> I<outfile>

Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.

=item B<-max_early_data> I<int>

Change the default maximum early data bytes that are specified for new sessions
and any incoming early data (when used in conjunction with the B<-early_data>
flag). The default value is approximately 16k. The argument must be an integer
greater than or equal to 0.

=item B<-recv_max_early_data> I<int>

Specify the hard limit on the maximum number of early data bytes that will
be accepted.

=item B<-early_data>

Accept early data where possible. Cannot be used in conjunction with B<-www>,
B<-WWW>, B<-HTTP> or B<-rev>.

=item B<-stateless>

Require TLSv1.3 cookies.

=item B<-anti_replay>, B<-no_anti_replay>

Switches replay protection on or off, respectively. Replay protection is on by
default unless overridden by a configuration file. When it is on, OpenSSL will
automatically detect if a session ticket has been used more than once, TLSv1.3
has been negotiated, and early data is enabled on the server. A full handshake
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.

=item B<-tfo>

Enable acceptance of TCP Fast Open (RFC7413) connections.

{- $OpenSSL::safe::opt_name_item -}

{- $OpenSSL::safe::opt_version_item -}

{- $OpenSSL::safe::opt_s_item -}

{- $OpenSSL::safe::opt_x_item -}

{- $OpenSSL::safe::opt_trust_item -}

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

{- $OpenSSL::safe::opt_v_item -}

If the server requests a client certificate, then
verification errors are displayed, for debugging, but the command will
proceed unless the B<-verify_return_error> option is used.

=back

=head1 CONNECTED COMMANDS

If a connection request is established with an SSL client and neither the
B<-www> nor the B<-WWW> option has been used then normally any data received
from the client is displayed and any key presses will be sent to the client.

Certain commands are also recognized which perform special operations. These
commands are a letter which must appear at the start of a line. They are listed
below.

=over 4

=item B<q>

End the current SSL connection but still accept new connections.

=item B<Q>

End the current SSL connection and exit.

=item B<r>

Renegotiate the SSL session (TLSv1.2 and below only).

=item B<R>

Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
only).

=item B<P>

Send some plain text down the underlying TCP connection: this should
cause the client to disconnect due to a protocol violation.

=item B<S>

Print out some session cache status information.

=item B<k>

Send a key update message to the client (TLSv1.3 only).

=item B<K>

Send a key update message to the client and request one back (TLSv1.3 only).

=item B<c>

Send a certificate request to the client (TLSv1.3 only).

=back

=head1 NOTES

This command can be used to debug SSL clients. To accept connections
from a web browser the command:

    openssl s_server -accept 443 -www

can be used for example.

Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
mean any CA is acceptable. This is useful for debugging purposes.

The session parameters can be printed out using the L<openssl-sess_id(1)> command.

=head1 BUGS

Because this program has a lot of options and also because some of the
techniques used are rather old, the C source for this command is rather
hard to read and not a model of how things should be done.
A typical SSL server program would be much simpler.

The output of common ciphers is wrong: it just gives the list of ciphers that
OpenSSL recognizes and the client supports.

There should be a way for this command to print out details
of any unknown cipher suites a client says it supports.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-sess_id(1)>,
L<openssl-s_client(1)>,
L<openssl-ciphers(1)>,
L<SSL_CONF_cmd(3)>,
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
L<SSL_CTX_set_max_pipelines(3)>,
L<ossl_store-file(7)>

=head1 HISTORY

The B<-no_alt_chains> option was added in OpenSSL 1.1.0.

The B<-allow_no_dhe_kex> and B<-prioritize_chacha> options were added in OpenSSL 1.1.1.

The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
options were deprecated in OpenSSL 3.0.

The B<-tfo> option was added in OpenSSL 3.1.
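
The B<-serverinfo> file format described under OPTIONS (PEM blocks, each holding a ServerHello extension as 2 bytes type, 2 bytes length, then the data), as an added Python example that is not part of OpenSSL or of this manual: it encodes an extension, wraps it in a PEM block, and parses such a file back, rejecting blocks whose declared length overruns the data. The PEM block name prefix C<SERVERINFO FOR > (taken from L<SSL_CTX_use_serverinfo_file(3)>) and the extension type and payload in the sample are assumptions constructed for the example.

```python
import base64
import struct
import textwrap

# Assumption: SSL_CTX_use_serverinfo_file(3) expects every PEM block name to
# start with "SERVERINFO FOR "; the text after it is a free-form label.
PEM_NAME_PREFIX = "SERVERINFO FOR "


def encode_extension(ext_type: int, data: bytes) -> bytes:
    """Encode one ServerHello extension: 2-byte type, 2-byte length, data."""
    if not 0 <= ext_type <= 0xFFFF:
        raise ValueError("extension type must fit in 16 bits")
    if len(data) > 0xFFFF:
        raise ValueError("extension data too long for a 16-bit length")
    return struct.pack("!HH", ext_type, len(data)) + data


def decode_extensions(blob: bytes) -> list[tuple[int, bytes]]:
    """Split a decoded block into (type, data) pairs; reject truncated input."""
    found = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 4:
            raise ValueError(f"truncated extension header at offset {pos}")
        ext_type, length = struct.unpack_from("!HH", blob, pos)
        pos += 4
        if len(blob) - pos < length:
            raise ValueError(f"extension {ext_type:#06x} declares {length} bytes "
                             f"but only {len(blob) - pos} remain")
        found.append((ext_type, blob[pos:pos + length]))
        pos += length
    return found


def is_well_formed(blob: bytes) -> bool:
    """True when the block parses cleanly; a server should refuse it otherwise."""
    try:
        decode_extensions(blob)
        return True
    except ValueError:
        return False


def to_pem(label: str, blob: bytes) -> str:
    """Wrap raw extension bytes in a PEM block that -serverinfo can read."""
    name = PEM_NAME_PREFIX + label
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 64))
    return f"-----BEGIN {name}-----\n{body}\n-----END {name}-----\n"


def from_pem(text: str) -> list[tuple[str, bytes]]:
    """Return (label, raw bytes) for every SERVERINFO block in a PEM file."""
    blocks = []
    lines = iter(text.splitlines())
    for line in lines:
        if not (line.startswith("-----BEGIN ") and line.endswith("-----")):
            continue
        name = line[len("-----BEGIN "):-len("-----")]
        if not name.startswith(PEM_NAME_PREFIX):
            raise ValueError(f"unexpected PEM block name {name!r}")
        b64 = []
        for inner in lines:
            if inner == f"-----END {name}-----":
                break
            b64.append(inner.strip())
        else:
            raise ValueError(f"missing END line for {name!r}")
        blocks.append((name[len(PEM_NAME_PREFIX):],
                       base64.b64decode("".join(b64), validate=True)))
    return blocks


# Constructed sample: the extension type 0xFF02 and its payload are
# illustrative values chosen for this example, not a registered TLS extension.
SAMPLE_TYPE = 0xFF02
SAMPLE_DATA = b"constructed-serverinfo"


def build_sample_file() -> str:
    """Produce the text of a -serverinfo file holding one extension."""
    return to_pem("example-server", encode_extension(SAMPLE_TYPE, SAMPLE_DATA))


def round_trip(pem_text: str) -> list[tuple[str, int, bytes]]:
    """Parse a -serverinfo file into (label, type, data) triples."""
    return [(label, ext_type, data)
            for label, blob in from_pem(pem_text)
            for ext_type, data in decode_extensions(blob)]


if __name__ == "__main__":
    print(build_sample_file())
    print(round_trip(build_sample_file()))
```
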

=head1 COPYRIGHT

Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut