1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-s_server - SSL/TLS server program
7
8=head1 SYNOPSIS
9
10B<openssl> B<s_server>
11[B<-help>]
12[B<-port> I<+int>]
13[B<-accept> I<val>]
14[B<-unix> I<val>]
15[B<-4>]
16[B<-6>]
17[B<-unlink>]
18[B<-context> I<val>]
19[B<-verify> I<int>]
20[B<-Verify> I<int>]
21[B<-cert> I<infile>]
22[B<-cert2> I<infile>]
23[B<-certform> B<DER>|B<PEM>|B<P12>]
24[B<-cert_chain> I<infile>]
25[B<-build_chain>]
26[B<-serverinfo> I<val>]
27[B<-key> I<filename>|I<uri>]
28[B<-key2> I<filename>|I<uri>]
29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
30[B<-pass> I<val>]
31[B<-dcert> I<infile>]
32[B<-dcertform> B<DER>|B<PEM>|B<P12>]
33[B<-dcert_chain> I<infile>]
34[B<-dkey> I<filename>|I<uri>]
35[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
36[B<-dpass> I<val>]
37[B<-nbio_test>]
38[B<-crlf>]
39[B<-debug>]
40[B<-msg>]
41[B<-msgfile> I<outfile>]
42[B<-state>]
43[B<-nocert>]
44[B<-quiet>]
45[B<-no_resume_ephemeral>]
46[B<-www>]
47[B<-WWW>]
48[B<-http_server_binmode>]
49[B<-no_ca_names>]
50[B<-ignore_unexpected_eof>]
51[B<-servername>]
52[B<-servername_fatal>]
53[B<-tlsextdebug>]
54[B<-HTTP>]
55[B<-id_prefix> I<val>]
56[B<-keymatexport> I<val>]
57[B<-keymatexportlen> I<+int>]
58[B<-CRL> I<infile>]
59[B<-CRLform> B<DER>|B<PEM>]
60[B<-crl_download>]
61[B<-chainCAfile> I<infile>]
62[B<-chainCApath> I<dir>]
63[B<-chainCAstore> I<uri>]
64[B<-verifyCAfile> I<infile>]
65[B<-verifyCApath> I<dir>]
66[B<-verifyCAstore> I<uri>]
67[B<-no_cache>]
68[B<-ext_cache>]
69[B<-verify_return_error>]
70[B<-verify_quiet>]
71[B<-ign_eof>]
72[B<-no_ign_eof>]
73[B<-no_etm>]
74[B<-no_ems>]
75[B<-status>]
76[B<-status_verbose>]
77[B<-status_timeout> I<int>]
78[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
79[B<-no_proxy> I<addresses>]
80[B<-status_url> I<val>]
81[B<-status_file> I<infile>]
82[B<-ssl_config> I<val>]
83[B<-trace>]
84[B<-security_debug>]
85[B<-security_debug_verbose>]
86[B<-brief>]
87[B<-rev>]
88[B<-async>]
89[B<-max_send_frag> I<+int>]
90[B<-split_send_frag> I<+int>]
91[B<-max_pipelines> I<+int>]
92[B<-naccept> I<+int>]
93[B<-read_buf> I<+int>]
94[B<-bugs>]
95[B<-no_tx_cert_comp>]
96[B<-no_rx_cert_comp>]
97[B<-no_comp>]
98[B<-comp>]
99[B<-no_ticket>]
100[B<-serverpref>]
101[B<-legacy_renegotiation>]
102[B<-no_renegotiation>]
103[B<-no_resumption_on_reneg>]
104[B<-allow_no_dhe_kex>]
105[B<-prefer_no_dhe_kex>]
106[B<-prioritize_chacha>]
107[B<-strict>]
108[B<-sigalgs> I<val>]
109[B<-client_sigalgs> I<val>]
110[B<-groups> I<val>]
111[B<-curves> I<val>]
112[B<-named_curve> I<val>]
113[B<-cipher> I<val>]
114[B<-ciphersuites> I<val>]
115[B<-dhparam> I<infile>]
116[B<-record_padding> I<val>]
117[B<-debug_broken_protocol>]
118[B<-nbio>]
119[B<-psk_identity> I<val>]
120[B<-psk_hint> I<val>]
121[B<-psk> I<val>]
122[B<-psk_session> I<file>]
123[B<-srpvfile> I<infile>]
124[B<-srpuserseed> I<val>]
125[B<-timeout>]
126[B<-mtu> I<+int>]
127[B<-listen>]
128[B<-sctp>]
129[B<-sctp_label_bug>]
130[B<-use_srtp> I<val>]
131[B<-no_dhe>]
132[B<-nextprotoneg> I<val>]
133[B<-alpn> I<val>]
134[B<-ktls>]
135[B<-sendfile>]
136[B<-zerocopy_sendfile>]
137[B<-keylogfile> I<outfile>]
138[B<-recv_max_early_data> I<int>]
139[B<-max_early_data> I<int>]
140[B<-early_data>]
141[B<-stateless>]
142[B<-anti_replay>]
143[B<-no_anti_replay>]
144[B<-num_tickets>]
145[B<-tfo>]
146[B<-cert_comp>]
147{- $OpenSSL::safe::opt_name_synopsis -}
148{- $OpenSSL::safe::opt_version_synopsis -}
149{- $OpenSSL::safe::opt_v_synopsis -}
150{- $OpenSSL::safe::opt_s_synopsis -}
151{- $OpenSSL::safe::opt_x_synopsis -}
152{- $OpenSSL::safe::opt_trust_synopsis -}
153{- $OpenSSL::safe::opt_r_synopsis -}
154{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
155[B<-enable_server_rpk>]
156[B<-enable_client_rpk>]
157
158=head1 DESCRIPTION
159
160This command implements a generic SSL/TLS server which
161listens for connections on a given port using SSL/TLS.
162
163=head1 OPTIONS
164
165In addition to the options below, this command also supports
166the common and server-only options documented in
167L<SSL_CONF_cmd(3)/Supported Command Line Commands>.
168
169=over 4
170
171=item B<-help>
172
173Print out a usage message.
174
175=item B<-port> I<+int>
176
177The TCP port to listen on for connections. If not specified 4433 is used.
178
179=item B<-accept> I<val>
180
181The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
182
183=item B<-unix> I<val>
184
185Unix domain socket to accept on.
186
187=item B<-4>
188
189Use IPv4 only.
190
191=item B<-6>
192
193Use IPv6 only.
194
195=item B<-unlink>
196
197For -unix, unlink any existing socket first.
198
199=item B<-context> I<val>
200
201Sets the SSL context id. It can be given any string value. If this option
202is not present a default value will be used.
203
204=item B<-verify> I<int>, B<-Verify> I<int>
205
206The verify depth to use. This specifies the maximum length of the
207client certificate chain and makes the server request a certificate from
208the client. With the B<-verify> option a certificate is requested but the
209client does not have to send one, with the B<-Verify> option the client
210must supply a certificate or an error occurs.
211
212If the cipher suite cannot request a client certificate (for example an
213anonymous cipher suite or PSK) this option has no effect.
214
215By default, validation of any supplied client certificate and its chain
216is done w.r.t. the (D)TLS Client (C<sslclient>) purpose.
217For details see L<openssl-verification-options(1)/Certificate Extensions>.
218
219=item B<-cert> I<infile>
220
221The certificate to use. Most server cipher suites require the use of a
222certificate, and some require a certificate with a certain public key type:
223for example the DSS cipher suites require a certificate containing a DSS
224(DSA) key. If not specified then the filename F<server.pem> will be used.
225
226=item B<-cert2> I<infile>
227
228The certificate file to use for servername; default is C<server2.pem>.
229
230=item B<-certform> B<DER>|B<PEM>|B<P12>
231
232The server certificate file format; unspecified by default.
233See L<openssl-format-options(1)> for details.
234
235=item B<-cert_chain>
236
237A file or URI of untrusted certificates to use when attempting to build the
238certificate chain related to the certificate specified via the B<-cert> option.
239These untrusted certificates are sent to clients and used for generating
240certificate status (aka OCSP stapling) requests.
241The input can be in PEM, DER, or PKCS#12 format.
242
243=item B<-build_chain>
244
245Specify whether the application should build the server certificate chain to be
246provided to the client.
247
248=item B<-serverinfo> I<val>
249
250A file containing one or more blocks of PEM data.  Each PEM block
251must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
252followed by "length" bytes of extension data).  If the client sends
253an empty TLS ClientHello extension matching the type, the corresponding
254ServerHello extension will be returned.
255
256=item B<-key> I<filename>|I<uri>
257
258The private key to use. If not specified then the certificate file will
259be used.
260
261=item B<-key2> I<filename>|I<uri>
262
263The private key file to use for servername, if the key is not given via B<-cert2>.
264
265=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
266
267The key format; unspecified by default.
268See L<openssl-format-options(1)> for details.
269
270=item B<-pass> I<val>
271
272The private key and certificate file password source.
273For more information about the format of I<val>,
274see L<openssl-passphrase-options(1)>.
275
276=item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri>
277
278Specify an additional certificate and private key, these behave in the
279same manner as the B<-cert> and B<-key> options except there is no default
280if they are not specified (no additional certificate and key is used). As
281noted above some cipher suites require a certificate containing a key of
282a certain type. Some cipher suites need a certificate carrying an RSA key
283and some a DSS (DSA) key. By using RSA and DSS certificates and keys
284a server can support clients which only support RSA or DSS cipher suites
285by using an appropriate certificate.
286
287=item B<-dcert_chain>
288
289A file or URI of untrusted certificates to use when attempting to build the
290server certificate chain when a certificate specified via the B<-dcert> option
291is in use.
292The input can be in PEM, DER, or PKCS#12 format.
293
294=item B<-dcertform> B<DER>|B<PEM>|B<P12>
295
296The format of the additional certificate file; unspecified by default.
297See L<openssl-format-options(1)> for details.
298
299=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
300
301The format of the additional private key; unspecified by default.
302See L<openssl-format-options(1)> for details.
303
304=item B<-dpass> I<val>
305
306The passphrase for the additional private key and certificate.
307For more information about the format of I<val>,
308see L<openssl-passphrase-options(1)>.
309
310=item B<-nbio_test>
311
312Tests non blocking I/O.
313
314=item B<-crlf>
315
316This option translates a line feed from the terminal into CR+LF.
317
318=item B<-debug>
319
320Print extensive debugging information including a hex dump of all traffic.
321
322=item B<-security_debug>
323
324Print output from the SSL/TLS security framework.
325
326=item B<-security_debug_verbose>
327
328Print more output from the SSL/TLS security framework.
329
330=item B<-msg>
331
332Show all protocol messages with hex dump.
333
334=item B<-msgfile> I<outfile>
335
336File to send output of B<-msg> or B<-trace> to, default standard output.
337
338=item B<-state>
339
340Prints the SSL session states.
341
342=item B<-CRL> I<infile>
343
344The CRL file to use.
345
346=item B<-CRLform> B<DER>|B<PEM>
347
348The CRL file format; unspecified by default.
349See L<openssl-format-options(1)> for details.
350
351=item B<-crl_download>
352
353Download CRLs from distribution points given in CDP extensions of certificates.
354
355=item B<-verifyCAfile> I<filename>
356
357A file in PEM format containing trusted CA certificates to use
358for verifying client certificates.
359
360=item B<-verifyCApath> I<dir>
361
362A directory containing trusted certificates to use
363for verifying client certificates.
364This directory must be in "hash format",
365see L<openssl-verify(1)> for more information.
366
367=item B<-verifyCAstore> I<uri>
368
369The URI of a store containing trusted certificates to use
370for verifying client certificates.
371
372=item B<-chainCAfile> I<file>
373
374A file in PEM format containing trusted certificates to use
375when attempting to build the server certificate chain.
376
377=item B<-chainCApath> I<dir>
378
379A directory containing trusted certificates to use
380for building the server certificate chain provided to the client.
381This directory must be in "hash format",
382see L<openssl-verify(1)> for more information.
383
384=item B<-chainCAstore> I<uri>
385
386The URI of a store containing trusted certificates to use
387for building the server certificate chain provided to the client.
388The URI may indicate a single certificate, as well as a collection of them.
389With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
390B<-chainCApath>, depending on if the URI indicates a directory or a
391single file.
392See L<ossl_store-file(7)> for more information on the C<file:> scheme.
393
394=item B<-nocert>
395
396If this option is set then no certificate is used. This restricts the
397cipher suites available to the anonymous ones (currently just anonymous
398DH).
399
400=item B<-quiet>
401
402Inhibit printing of session and certificate information.
403
404=item B<-no_resume_ephemeral>
405
406Disable caching and tickets if ephemeral (EC)DH is used.
407
408=item B<-tlsextdebug>
409
410Print a hex dump of any TLS extensions received from the client.
411
412=item B<-www>
413
414Sends a status message back to the client when it connects. This includes
415information about the ciphers used and various session parameters.
416The output is in HTML format so this option can be used with a web browser.
417The special URL C</renegcert> turns on client cert validation, and C</reneg>
418tells the server to request renegotiation.
419
420=item B<-WWW>, B<-HTTP>
421
422Emulates a simple web server. Pages will be resolved relative to the
423current directory, for example if the URL C<https://myhost/page.html> is
424requested the file F<./page.html> will be sent.
425If the B<-HTTP> flag is used, the files are sent directly, and should contain
426any HTTP response headers (including status response line).
427If the B<-WWW> option is used,
428the response headers are generated by the server, and the file extension is
429examined to determine the B<Content-Type> header.
430Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are
431C<text/plain>.
432In addition, the special URL C</stats> will return status
433information like the B<-www> option.
434
435=item B<-http_server_binmode>
436
437When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
438by the client in binary mode.
439
440=item B<-no_ca_names>
441
442Disable the TLS CA Names extension. You may want to disable it for security reasons
443or for compatibility with some Windows TLS implementations that crash when this
444extension is larger than 1024 bytes.
445
446=item B<-ignore_unexpected_eof>
447
448Some TLS implementations do not send the mandatory close_notify alert on
449shutdown. If the application tries to wait for the close_notify alert but the
450peer closes the connection without sending it, an error is generated. When this
451option is enabled the peer does not need to send the close_notify alert and a
452closed connection will be treated as if the close_notify alert was received.
453For more information on shutting down a connection, see L<SSL_shutdown(3)>.
454
455=item B<-servername>
456
457Servername for HostName TLS extension.
458
459=item B<-servername_fatal>
460
461On servername mismatch send fatal alert (default: warning alert).
462
463=item B<-id_prefix> I<val>
464
465Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
466for testing any SSL/TLS code (e.g. proxies) that wishes to deal with multiple
467servers, each of which might be generating a unique range of session
468IDs (e.g. with a certain prefix).
469
470=item B<-keymatexport>
471
472Export keying material using label.
473
474=item B<-keymatexportlen>
475
476Export the given number of bytes of keying material; default 20.
477
478=item B<-no_cache>
479
480Disable session cache.
481
482=item B<-ext_cache>
483
484Disable internal cache, set up and use external cache.
485
486=item B<-verify_return_error>
487
488Verification errors normally just print a message but allow the
489connection to continue, for debugging purposes.
490If this option is used, then verification errors close the connection.
491
492=item B<-verify_quiet>
493
494No verify output except verify errors.
495
496=item B<-ign_eof>
497
498Ignore input EOF (default: when B<-quiet>).
499
500=item B<-no_ign_eof>
501
502Do not ignore input EOF.
503
504=item B<-no_etm>
505
506Disable Encrypt-then-MAC negotiation.
507
508=item B<-no_ems>
509
510Disable Extended master secret negotiation.
511
512=item B<-status>
513
514Enables certificate status request support (aka OCSP stapling).
515
516=item B<-status_verbose>
517
518Enables certificate status request support (aka OCSP stapling) and gives
519a verbose printout of the OCSP response.
520Use the B<-cert_chain> option to specify the certificate of the server's
521certificate signer that is required for certificate status requests.
522
523=item B<-status_timeout> I<int>
524
525Sets the timeout for OCSP response to I<int> seconds.
526
527=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
528
529The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy>
530applies, see below.
531If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>.
532The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
533the optional C<http://> or C<https://> prefix is ignored,
534as well as any userinfo, path, query, and fragment components.
535Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
536in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
537
538=item B<-no_proxy> I<addresses>
539
540List of IP addresses and/or DNS names of servers
541not to use an HTTP(S) proxy for, separated by commas and/or whitespace
542(where in the latter case the whole argument must be enclosed in "...").
543Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>.
544
545=item B<-status_url> I<val>
546
547Sets a fallback responder URL to use if no responder URL is present in the
548server certificate. Without this option an error is returned if the server
549certificate does not contain a responder address.
550The optional userinfo and fragment URL components are ignored.
551Any given query component is handled as part of the path component.
552
553=item B<-status_file> I<infile>
554
555Overrides any OCSP responder URLs from the certificate and always provides the
556OCSP Response stored in the file. The file must be in DER format.
557
558=item B<-ssl_config> I<val>
559
560Configure SSL_CTX using the given configuration value.
561
562=item B<-trace>
563
564Show verbose trace output of protocol messages.
565
566=item B<-brief>
567
568Provide a brief summary of connection parameters instead of the normal verbose
569output.
570
571=item B<-rev>
572
573Simple echo server that sends back received text reversed. Also sets B<-brief>.
574Cannot be used in conjunction with B<-early_data>.
575
576=item B<-async>
577
578Switch on asynchronous mode. Cryptographic operations will be performed
579asynchronously. This will only have an effect if an asynchronous capable engine
580is also used via the B<-engine> option. For test purposes the dummy async engine
581(dasync) can be used (if available).
582
583=item B<-max_send_frag> I<+int>
584
585The maximum size of data fragment to send.
586See L<SSL_CTX_set_max_send_fragment(3)> for further information.
587
588=item B<-split_send_frag> I<+int>
589
590The size used to split data for encrypt pipelines. If more data is written in
591one go than this value then it will be split into multiple pipelines, up to the
592maximum number of pipelines defined by max_pipelines. This only has an effect if
593a suitable cipher suite has been negotiated, an engine that supports pipelining
594has been loaded, and max_pipelines is greater than 1. See
595L<SSL_CTX_set_split_send_fragment(3)> for further information.
596
597=item B<-max_pipelines> I<+int>
598
599The maximum number of encrypt/decrypt pipelines to be used. This will only have
600an effect if an engine has been loaded that supports pipelining (e.g. the dasync
601engine) and a suitable cipher suite has been negotiated. The default value is 1.
602See L<SSL_CTX_set_max_pipelines(3)> for further information.
603
604=item B<-naccept> I<+int>
605
606The server will exit after receiving the specified number of connections,
607default unlimited.
608
609=item B<-read_buf> I<+int>
610
611The default read buffer size to be used for connections. This will only have an
612effect if the buffer size is larger than the size that would otherwise be used
613and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
614further information).
615
616=item B<-bugs>
617
618There are several known bugs in SSL and TLS implementations. Adding this
619option enables various workarounds.
620
621=item B<-no_tx_cert_comp>
622
623Disables support for sending TLSv1.3 compressed certificates.
624
625=item B<-no_rx_cert_comp>
626
627Disables support for receiving TLSv1.3 compressed certificates.
628
629=item B<-no_comp>
630
631Disable negotiation of TLS compression.
632TLS compression is not recommended and is off by default as of
633OpenSSL 1.1.0.
634
635=item B<-comp>
636
637Enables support for SSL/TLS compression.
638This option was introduced in OpenSSL 1.1.0.
639TLS compression is not recommended and is off by default as of
640OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
641lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
642option will have no effect without also changing the security level. Use the
643B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for
644more information.
645
646=item B<-no_ticket>
647
648Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
649is negotiated. See B<-num_tickets>.
650
651=item B<-num_tickets>
652
653Control the number of tickets that will be sent to the client after a full
654handshake in TLSv1.3. The default number of tickets is 2. This option does not
655affect the number of tickets sent after a resumption handshake.
656
657=item B<-serverpref>
658
659Use the server's cipher preferences, rather than the client's preferences.
660
661=item B<-prioritize_chacha>
662
663Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
664
665=item B<-no_resumption_on_reneg>
666
667Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
668
669=item B<-client_sigalgs> I<val>
670
671Signature algorithms to support for client certificate authentication
672(colon-separated list).
673
674=item B<-named_curve> I<val>
675
676Specifies the elliptic curve to use. NOTE: this is a single curve, not a list.
677
678The list of all supported groups includes named EC parameters as well as X25519
679and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
680providers. For a list of named EC parameters, use:
681
682    $ openssl ecparam -list_curves
683
684=item B<-cipher> I<val>
685
686This allows the list of TLSv1.2 and below ciphersuites used by the server to be
687modified. This list is combined with any TLSv1.3 ciphersuites that have been
688configured. When the client sends a list of supported ciphers the first client
689cipher also included in the server list is used. Because the client specifies
690the preference order, the order of the server cipherlist is irrelevant unless
691B<-serverpref> is given. See L<openssl-ciphers(1)> for more information.
692
693=item B<-ciphersuites> I<val>
694
695This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
696This list is combined with any TLSv1.2 and below ciphersuites that have been
697configured. When the client sends a list of supported ciphers the first client
698cipher also included in the server list is used. Because the client specifies
699the preference order, the order of the server cipherlist is irrelevant unless
700B<-serverpref> is given. See L<openssl-ciphers(1)> for more information. The
701format for this list is a simple colon (":") separated list of TLSv1.3 ciphersuite names.
702
703=item B<-dhparam> I<infile>
704
705The DH parameter file to use. The ephemeral DH cipher suites generate keys
706using a set of DH parameters. If not specified then an attempt is made to
707load the parameters from the server certificate file.
708If this fails then a static set of parameters hard coded into this command
709will be used.
710
711=item B<-nbio>
712
713Turns on non blocking I/O.
714
715=item B<-timeout>
716
717Enable timeouts.
718
719=item B<-mtu>
720
721Set link-layer MTU.
722
723=item B<-psk_identity> I<val>
724
725Expect the client to send PSK identity I<val> when using a PSK
726cipher suite, and warn if they do not.  By default, the expected PSK
727identity is the string "Client_identity".
728
729=item B<-psk_hint> I<val>
730
731Use the PSK identity hint I<val> when using a PSK cipher suite.
732
733=item B<-psk> I<val>
734
735Use the PSK key I<val> when using a PSK cipher suite. The key is
736given as a hexadecimal number without leading 0x, for example -psk
7371a2b3c4d.
738This option must be provided in order to use a PSK cipher.
739
740=item B<-psk_session> I<file>
741
742Use the PEM-encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
743Note that this will only work if TLSv1.3 is negotiated.
744
745=item B<-srpvfile>
746
747The verifier file for SRP.
748This option is deprecated.
749
750=item B<-srpuserseed>
751
752A seed string for a default user salt.
753This option is deprecated.
754
755=item B<-listen>
756
757This option can only be used in conjunction with one of the DTLS options above.
758With this option, this command will listen on a UDP port for incoming
759connections.
760Any ClientHellos that arrive will be checked to see if they have a cookie in
761them or not.
762Any without a cookie will be responded to with a HelloVerifyRequest.
763If a ClientHello with a cookie is received then this command will
764connect to that peer and complete the handshake.
765
766=item B<-sctp>
767
768Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
769conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
770available where OpenSSL has support for SCTP enabled.
771
772=item B<-sctp_label_bug>
773
774Use the incorrect behaviour of older OpenSSL implementations when computing
775endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
776older broken implementations but breaks interoperability with correct
777implementations. Must be used in conjunction with B<-sctp>. This option is only
778available where OpenSSL has support for SCTP enabled.
779
780=item B<-use_srtp>
781
782Offer SRTP key management with a colon-separated profile list.
783
784=item B<-no_dhe>
785
786If this option is set then no DH parameters will be loaded, effectively
787disabling the ephemeral DH cipher suites.
788
789=item B<-alpn> I<val>, B<-nextprotoneg> I<val>
790
791These flags enable the Application-Layer Protocol Negotiation
792or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
793IETF standard and replaces NPN.
794The I<val> list is a comma-separated list of supported protocol
795names.  The list should contain the most desirable protocols first.
796Protocol names are printable ASCII strings, for example "http/1.1" or
797"spdy/3".
798The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
799
800=item B<-ktls>
801
802Enable Kernel TLS for sending and receiving.
803This option was introduced in OpenSSL 3.2.0.
804Kernel TLS is off by default as of OpenSSL 3.2.0.
805
806=item B<-sendfile>
807
808If this option is set and KTLS is enabled, SSL_sendfile() will be used
809instead of BIO_write() to send the HTTP response requested by a client.
810This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP>
811are specified.
812
813=item B<-zerocopy_sendfile>
814
815If this option is set, SSL_sendfile() will use the zerocopy TX mode, which gives
816a performance boost when used with KTLS hardware offload. Note that invalid
817TLS records might be transmitted if the file is changed while being sent.
818This option depends on B<-sendfile>; when used alone, B<-sendfile> is implied,
819and a warning is shown. Note that KTLS sendfile on FreeBSD always runs in the
820zerocopy mode.
821
822=item B<-keylogfile> I<outfile>
823
824Appends TLS secrets to the specified keylog file such that external programs
825(like Wireshark) can decrypt TLS connections; since the file contents allow that decryption, the file should be protected accordingly.
826
827=item B<-max_early_data> I<int>
828
829Change the default maximum early data bytes that are specified for new sessions
830and any incoming early data (when used in conjunction with the B<-early_data>
831flag). The default value is approximately 16k. The argument must be an integer
832greater than or equal to 0.
833
834=item B<-recv_max_early_data> I<int>
835
836Specify the hard limit on the maximum number of early data bytes that will
837be accepted.
838
839=item B<-early_data>
840
841Accept early data where possible. Cannot be used in conjunction with B<-www>,
842B<-WWW>, B<-HTTP> or B<-rev>.
843
844=item B<-stateless>
845
846Require TLSv1.3 cookies.
847
848=item B<-anti_replay>, B<-no_anti_replay>
849
850Switches replay protection on or off, respectively. Replay protection is on by
851default unless overridden by a configuration file. When it is on, TLSv1.3 has
852been negotiated, and early data is enabled on the server, OpenSSL will
853automatically detect if a session ticket has been used more than once. A full handshake
854is forced if a session ticket is used a second or subsequent time. Any early
855data that was sent will be rejected.
856
857=item B<-tfo>
858
859Enable acceptance of TCP Fast Open (RFC7413) connections.
860
861=item B<-cert_comp>
862
863Pre-compresses certificates (RFC8879) that will be sent during the handshake.
864
865{- $OpenSSL::safe::opt_name_item -}
866
867{- $OpenSSL::safe::opt_version_item -}
868
869{- $OpenSSL::safe::opt_s_item -}
870
871{- $OpenSSL::safe::opt_x_item -}
872
873{- $OpenSSL::safe::opt_trust_item -}
874
875{- $OpenSSL::safe::opt_r_item -}
876
877{- $OpenSSL::safe::opt_engine_item -}
878
879{- $OpenSSL::safe::opt_provider_item -}
880
881{- $OpenSSL::safe::opt_v_item -}
882
883If the server requests a client certificate, then
884verification errors are displayed, for debugging, but the command will
885proceed unless the B<-verify_return_error> option is used.
886
887=item B<-enable_server_rpk>
888
889Enable support for sending raw public keys (RFC7250) to the client.
890A raw public key will be sent by the server, if solicited by the client,
891provided a suitable key and public certificate pair is configured.
892Clients that don't support raw public keys or prefer to use X.509
893certificates can still elect to receive X.509 certificates as usual.
894
895Raw public keys are extracted from the configured certificate/private key.
896
897=item B<-enable_client_rpk>
898
899Enable support for receiving raw public keys (RFC7250) from the client.
900Use of X.509 certificates by the client becomes optional, and clients that
901support raw public keys may elect to use them.
902Clients that don't support raw public keys or prefer to use X.509
903certificates can still elect to send X.509 certificates as usual.
904
905Raw public keys are extracted from the configured certificate/private key.
906
907=back
908
909=head1 CONNECTED COMMANDS
910
911If a connection request is established with an SSL client and neither the
912B<-www> nor the B<-WWW> option has been used then normally any data received
913from the client is displayed and any key presses will be sent to the client.
914
915Certain commands are also recognized which perform special operations. These
916commands are a letter which must appear at the start of a line. They are listed
917below.
918
919=over 4
920
921=item B<q>
922
923End the current SSL connection but still accept new connections.
924
925=item B<Q>
926
927End the current SSL connection and exit.
928
929=item B<r>
930
931Renegotiate the SSL session (TLSv1.2 and below only).
932
933=item B<R>
934
935Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
936only).
937
938=item B<P>
939
940Send some plain text down the underlying TCP connection: this should
941cause the client to disconnect due to a protocol violation.
942
943=item B<S>
944
945Print out some session cache status information.
946
947=item B<k>
948
949Send a key update message to the client (TLSv1.3 only).
950
951=item B<K>
952
953Send a key update message to the client and request one back (TLSv1.3 only).
954
955=item B<c>
956
957Send a certificate request to the client (TLSv1.3 only).
958
959=back
960
961=head1 NOTES
962
963This command can be used to debug SSL clients. To accept connections
964from a web browser the command:
965
966 openssl s_server -accept 443 -www
967
968can be used for example.
969
970Although specifying an empty list of CAs when requesting a client certificate
971is strictly speaking a protocol violation, some SSL clients interpret this to
972mean any CA is acceptable. This is useful for debugging purposes.
973
974The session parameters can be printed out using the L<openssl-sess_id(1)> command.
975
976=head1 BUGS
977
978Because this program has a lot of options and also because some of the
979techniques used are rather old, the C source for this command is rather
980hard to read and not a model of how things should be done.
981A typical SSL server program would be much simpler.
982
983The output of common ciphers is wrong: it just gives the list of ciphers that
984OpenSSL recognizes and the client supports.
985
986There should be a way for this command to print out details
987of any unknown cipher suites a client says it supports.
988
989=head1 SEE ALSO
990
991L<openssl(1)>,
992L<openssl-sess_id(1)>,
993L<openssl-s_client(1)>,
994L<openssl-ciphers(1)>,
995L<SSL_CONF_cmd(3)>,
996L<SSL_CTX_set_max_send_fragment(3)>,
997L<SSL_CTX_set_split_send_fragment(3)>,
998L<SSL_CTX_set_max_pipelines(3)>,
999L<ossl_store-file(7)>
1000
1001=head1 HISTORY
1002
1003The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
1004
1005The
1006B<-allow_no_dhe_kex> and B<-prioritize_chacha> options were added in OpenSSL 1.1.1.
1007
1008The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
1009options were deprecated in OpenSSL 3.0.
1010
1011The
1012B<-enable_client_rpk>,
1013B<-enable_server_rpk>,
1014B<-no_rx_cert_comp>,
1015B<-no_tx_cert_comp>,
1016and B<-tfo>
1017options were added in OpenSSL 3.2.
1018
1019=head1 COPYRIGHT
1020
1021Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
1022
1023Licensed under the Apache License 2.0 (the "License").  You may not use
1024this file except in compliance with the License.  You can obtain a copy
1025in the file LICENSE in the source distribution or at
1026L<https://www.openssl.org/source/license.html>.
1027
1028=cut
1029