1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=head1 NAME 5 6openssl-s_server - SSL/TLS server program 7 8=head1 SYNOPSIS 9 10B<openssl> B<s_server> 11[B<-help>] 12[B<-port> I<+int>] 13[B<-accept> I<val>] 14[B<-unix> I<val>] 15[B<-4>] 16[B<-6>] 17[B<-unlink>] 18[B<-context> I<val>] 19[B<-verify> I<int>] 20[B<-Verify> I<int>] 21[B<-cert> I<infile>] 22[B<-cert2> I<infile>] 23[B<-certform> B<DER>|B<PEM>|B<P12>] 24[B<-cert_chain> I<infile>] 25[B<-build_chain>] 26[B<-serverinfo> I<val>] 27[B<-key> I<filename>|I<uri>] 28[B<-key2> I<filename>|I<uri>] 29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 30[B<-pass> I<val>] 31[B<-dcert> I<infile>] 32[B<-dcertform> B<DER>|B<PEM>|B<P12>] 33[B<-dcert_chain> I<infile>] 34[B<-dkey> I<filename>|I<uri>] 35[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 36[B<-dpass> I<val>] 37[B<-nbio_test>] 38[B<-crlf>] 39[B<-debug>] 40[B<-msg>] 41[B<-msgfile> I<outfile>] 42[B<-state>] 43[B<-nocert>] 44[B<-quiet>] 45[B<-no_resume_ephemeral>] 46[B<-www>] 47[B<-WWW>] 48[B<-http_server_binmode>] 49[B<-no_ca_names>] 50[B<-ignore_unexpected_eof>] 51[B<-servername>] 52[B<-servername_fatal>] 53[B<-tlsextdebug>] 54[B<-HTTP>] 55[B<-id_prefix> I<val>] 56[B<-keymatexport> I<val>] 57[B<-keymatexportlen> I<+int>] 58[B<-CRL> I<infile>] 59[B<-CRLform> B<DER>|B<PEM>] 60[B<-crl_download>] 61[B<-chainCAfile> I<infile>] 62[B<-chainCApath> I<dir>] 63[B<-chainCAstore> I<uri>] 64[B<-verifyCAfile> I<infile>] 65[B<-verifyCApath> I<dir>] 66[B<-verifyCAstore> I<uri>] 67[B<-no_cache>] 68[B<-ext_cache>] 69[B<-verify_return_error>] 70[B<-verify_quiet>] 71[B<-ign_eof>] 72[B<-no_ign_eof>] 73[B<-no_etm>] 74[B<-no_ems>] 75[B<-status>] 76[B<-status_verbose>] 77[B<-status_timeout> I<int>] 78[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] 79[B<-no_proxy> I<addresses>] 80[B<-status_url> I<val>] 81[B<-status_file> I<infile>] 82[B<-ssl_config> I<val>] 83[B<-trace>] 84[B<-security_debug>] 85[B<-security_debug_verbose>] 86[B<-brief>] 87[B<-rev>] 88[B<-async>] 89[B<-max_send_frag> I<+int>] 90[B<-split_send_frag> I<+int>] 91[B<-max_pipelines> I<+int>] 92[B<-naccept> I<+int>] 93[B<-read_buf> I<+int>] 94[B<-bugs>] 95[B<-no_tx_cert_comp>] 96[B<-no_rx_cert_comp>] 97[B<-no_comp>] 98[B<-comp>] 99[B<-no_ticket>] 100[B<-serverpref>] 101[B<-legacy_renegotiation>] 102[B<-no_renegotiation>] 103[B<-no_resumption_on_reneg>] 104[B<-allow_no_dhe_kex>] 105[B<-prefer_no_dhe_kex>] 106[B<-prioritize_chacha>] 107[B<-strict>] 108[B<-sigalgs> I<val>] 109[B<-client_sigalgs> I<val>] 110[B<-groups> I<val>] 111[B<-curves> I<val>] 112[B<-named_curve> I<val>] 113[B<-cipher> I<val>] 114[B<-ciphersuites> I<val>] 115[B<-dhparam> I<infile>] 116[B<-record_padding> I<val>] 117[B<-debug_broken_protocol>] 118[B<-nbio>] 119[B<-psk_identity> I<val>] 120[B<-psk_hint> I<val>] 121[B<-psk> I<val>] 122[B<-psk_session> I<file>] 123[B<-srpvfile> I<infile>] 124[B<-srpuserseed> I<val>] 125[B<-timeout>] 126[B<-mtu> I<+int>] 127[B<-listen>] 128[B<-sctp>] 129[B<-sctp_label_bug>] 130[B<-use_srtp> I<val>] 131[B<-no_dhe>] 132[B<-nextprotoneg> I<val>] 133[B<-alpn> I<val>] 134[B<-ktls>] 135[B<-sendfile>] 136[B<-zerocopy_sendfile>] 137[B<-keylogfile> I<outfile>] 138[B<-recv_max_early_data> I<int>] 139[B<-max_early_data> I<int>] 140[B<-early_data>] 141[B<-stateless>] 142[B<-anti_replay>] 143[B<-no_anti_replay>] 144[B<-num_tickets>] 145[B<-tfo>] 146[B<-cert_comp>] 147{- $OpenSSL::safe::opt_name_synopsis -} 148{- $OpenSSL::safe::opt_version_synopsis -} 149{- $OpenSSL::safe::opt_v_synopsis -} 150{- $OpenSSL::safe::opt_s_synopsis -} 151{- $OpenSSL::safe::opt_x_synopsis -} 152{- $OpenSSL::safe::opt_trust_synopsis -} 153{- $OpenSSL::safe::opt_r_synopsis -} 154{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} 155[B<-enable_server_rpk>] 156[B<-enable_client_rpk>] 157 158=head1 DESCRIPTION 159 160This command implements a generic SSL/TLS server which 161listens for connections on a given port using SSL/TLS. 162 163=head1 OPTIONS 164 165In addition to the options below, this command also supports 166the common and server only options documented 167L<SSL_CONF_cmd(3)/Supported Command Line Commands> 168 169=over 4 170 171=item B<-help> 172 173Print out a usage message. 174 175=item B<-port> I<+int> 176 177The TCP port to listen on for connections. If not specified 4433 is used. 178 179=item B<-accept> I<val> 180 181The optional TCP host and port to listen on for connections. If not specified, *:4433 is used. 182 183=item B<-unix> I<val> 184 185Unix domain socket to accept on. 186 187=item B<-4> 188 189Use IPv4 only. 190 191=item B<-6> 192 193Use IPv6 only. 194 195=item B<-unlink> 196 197For -unix, unlink any existing socket first. 198 199=item B<-context> I<val> 200 201Sets the SSL context id. It can be given any string value. If this option 202is not present a default value will be used. 203 204=item B<-verify> I<int>, B<-Verify> I<int> 205 206The verify depth to use. This specifies the maximum length of the 207client certificate chain and makes the server request a certificate from 208the client. With the B<-verify> option a certificate is requested but the 209client does not have to send one, with the B<-Verify> option the client 210must supply a certificate or an error occurs. 211 212If the cipher suite cannot request a client certificate (for example an 213anonymous cipher suite or PSK) this option has no effect. 214 215By default, validation of any supplied client certificate and its chain 216is done w.r.t. the (D)TLS Client (C<sslclient>) purpose. 217For details see L<openssl-verification-options(1)/Certificate Extensions>. 218 219=item B<-cert> I<infile> 220 221The certificate to use, most servers cipher suites require the use of a 222certificate and some require a certificate with a certain public key type: 223for example the DSS cipher suites require a certificate containing a DSS 224(DSA) key. If not specified then the filename F<server.pem> will be used. 225 226=item B<-cert2> I<infile> 227 228The certificate file to use for servername; default is C<server2.pem>. 229 230=item B<-certform> B<DER>|B<PEM>|B<P12> 231 232The server certificate file format; unspecified by default. 233See L<openssl-format-options(1)> for details. 234 235=item B<-cert_chain> 236 237A file or URI of untrusted certificates to use when attempting to build the 238certificate chain related to the certificate specified via the B<-cert> option. 239These untrusted certificates are sent to clients and used for generating 240certificate status (aka OCSP stapling) requests. 241The input can be in PEM, DER, or PKCS#12 format. 242 243=item B<-build_chain> 244 245Specify whether the application should build the server certificate chain to be 246provided to the client. 247 248=item B<-serverinfo> I<val> 249 250A file containing one or more blocks of PEM data. Each PEM block 251must encode a TLS ServerHello extension (2 bytes type, 2 bytes length, 252followed by "length" bytes of extension data). If the client sends 253an empty TLS ClientHello extension matching the type, the corresponding 254ServerHello extension will be returned. 255 256=item B<-key> I<filename>|I<uri> 257 258The private key to use. If not specified then the certificate file will 259be used. 260 261=item B<-key2> I<filename>|I<uri> 262 263The private Key file to use for servername if not given via B<-cert2>. 264 265=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 266 267The key format; unspecified by default. 268See L<openssl-format-options(1)> for details. 269 270=item B<-pass> I<val> 271 272The private key and certificate file password source. 273For more information about the format of I<val>, 274see L<openssl-passphrase-options(1)>. 275 276=item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri> 277 278Specify an additional certificate and private key, these behave in the 279same manner as the B<-cert> and B<-key> options except there is no default 280if they are not specified (no additional certificate and key is used). As 281noted above some cipher suites require a certificate containing a key of 282a certain type. Some cipher suites need a certificate carrying an RSA key 283and some a DSS (DSA) key. By using RSA and DSS certificates and keys 284a server can support clients which only support RSA or DSS cipher suites 285by using an appropriate certificate. 286 287=item B<-dcert_chain> 288 289A file or URI of untrusted certificates to use when attempting to build the 290server certificate chain when a certificate specified via the B<-dcert> option 291is in use. 292The input can be in PEM, DER, or PKCS#12 format. 293 294=item B<-dcertform> B<DER>|B<PEM>|B<P12> 295 296The format of the additional certificate file; unspecified by default. 297See L<openssl-format-options(1)> for details. 298 299=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 300 301The format of the additional private key; unspecified by default. 302See L<openssl-format-options(1)> for details. 303 304=item B<-dpass> I<val> 305 306The passphrase for the additional private key and certificate. 307For more information about the format of I<val>, 308see L<openssl-passphrase-options(1)>. 309 310=item B<-nbio_test> 311 312Tests non blocking I/O. 313 314=item B<-crlf> 315 316This option translated a line feed from the terminal into CR+LF. 317 318=item B<-debug> 319 320Print extensive debugging information including a hex dump of all traffic. 321 322=item B<-security_debug> 323 324Print output from SSL/TLS security framework. 325 326=item B<-security_debug_verbose> 327 328Print more output from SSL/TLS security framework 329 330=item B<-msg> 331 332Show all protocol messages with hex dump. 333 334=item B<-msgfile> I<outfile> 335 336File to send output of B<-msg> or B<-trace> to, default standard output. 337 338=item B<-state> 339 340Prints the SSL session states. 341 342=item B<-CRL> I<infile> 343 344The CRL file to use. 345 346=item B<-CRLform> B<DER>|B<PEM> 347 348The CRL file format; unspecified by default. 349See L<openssl-format-options(1)> for details. 350 351=item B<-crl_download> 352 353Download CRLs from distribution points given in CDP extensions of certificates 354 355=item B<-verifyCAfile> I<filename> 356 357A file in PEM format CA containing trusted certificates to use 358for verifying client certificates. 359 360=item B<-verifyCApath> I<dir> 361 362A directory containing trusted certificates to use 363for verifying client certificates. 364This directory must be in "hash format", 365see L<openssl-verify(1)> for more information. 366 367=item B<-verifyCAstore> I<uri> 368 369The URI of a store containing trusted certificates to use 370for verifying client certificates. 371 372=item B<-chainCAfile> I<file> 373 374A file in PEM format containing trusted certificates to use 375when attempting to build the server certificate chain. 376 377=item B<-chainCApath> I<dir> 378 379A directory containing trusted certificates to use 380for building the server certificate chain provided to the client. 381This directory must be in "hash format", 382see L<openssl-verify(1)> for more information. 383 384=item B<-chainCAstore> I<uri> 385 386The URI of a store containing trusted certificates to use 387for building the server certificate chain provided to the client. 388The URI may indicate a single certificate, as well as a collection of them. 389With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or 390B<-chainCApath>, depending on if the URI indicates a directory or a 391single file. 392See L<ossl_store-file(7)> for more information on the C<file:> scheme. 393 394=item B<-nocert> 395 396If this option is set then no certificate is used. This restricts the 397cipher suites available to the anonymous ones (currently just anonymous 398DH). 399 400=item B<-quiet> 401 402Inhibit printing of session and certificate information. 403 404=item B<-no_resume_ephemeral> 405 406Disable caching and tickets if ephemeral (EC)DH is used. 407 408=item B<-tlsextdebug> 409 410Print a hex dump of any TLS extensions received from the server. 411 412=item B<-www> 413 414Sends a status message back to the client when it connects. This includes 415information about the ciphers used and various session parameters. 416The output is in HTML format so this option can be used with a web browser. 417The special URL C</renegcert> turns on client cert validation, and C</reneg> 418tells the server to request renegotiation. 419 420=item B<-WWW>, B<-HTTP> 421 422Emulates a simple web server. Pages will be resolved relative to the 423current directory, for example if the URL C<https://myhost/page.html> is 424requested the file F<./page.html> will be sent. 425If the B<-HTTP> flag is used, the files are sent directly, and should contain 426any HTTP response headers (including status response line). 427If the B<-WWW> option is used, 428the response headers are generated by the server, and the file extension is 429examined to determine the B<Content-Type> header. 430Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are 431C<text/plain>. 432In addition, the special URL C</stats> will return status 433information like the B<-www> option. 434 435=item B<-http_server_binmode> 436 437When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested 438by the client in binary mode. 439 440=item B<-no_ca_names> 441 442Disable TLS Extension CA Names. You may want to disable it for security reasons 443or for compatibility with some Windows TLS implementations crashing when this 444extension is larger than 1024 bytes. 445 446=item B<-ignore_unexpected_eof> 447 448Some TLS implementations do not send the mandatory close_notify alert on 449shutdown. If the application tries to wait for the close_notify alert but the 450peer closes the connection without sending it, an error is generated. When this 451option is enabled the peer does not need to send the close_notify alert and a 452closed connection will be treated as if the close_notify alert was received. 453For more information on shutting down a connection, see L<SSL_shutdown(3)>. 454 455=item B<-servername> 456 457Servername for HostName TLS extension. 458 459=item B<-servername_fatal> 460 461On servername mismatch send fatal alert (default: warning alert). 462 463=item B<-id_prefix> I<val> 464 465Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful 466for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple 467servers, when each of which might be generating a unique range of session 468IDs (e.g. with a certain prefix). 469 470=item B<-keymatexport> 471 472Export keying material using label. 473 474=item B<-keymatexportlen> 475 476Export the given number of bytes of keying material; default 20. 477 478=item B<-no_cache> 479 480Disable session cache. 481 482=item B<-ext_cache>. 483 484Disable internal cache, set up and use external cache. 485 486=item B<-verify_return_error> 487 488Verification errors normally just print a message but allow the 489connection to continue, for debugging purposes. 490If this option is used, then verification errors close the connection. 491 492=item B<-verify_quiet> 493 494No verify output except verify errors. 495 496=item B<-ign_eof> 497 498Ignore input EOF (default: when B<-quiet>). 499 500=item B<-no_ign_eof> 501 502Do not ignore input EOF. 503 504=item B<-no_etm> 505 506Disable Encrypt-then-MAC negotiation. 507 508=item B<-no_ems> 509 510Disable Extended master secret negotiation. 511 512=item B<-status> 513 514Enables certificate status request support (aka OCSP stapling). 515 516=item B<-status_verbose> 517 518Enables certificate status request support (aka OCSP stapling) and gives 519a verbose printout of the OCSP response. 520Use the B<-cert_chain> option to specify the certificate of the server's 521certificate signer that is required for certificate status requests. 522 523=item B<-status_timeout> I<int> 524 525Sets the timeout for OCSP response to I<int> seconds. 526 527=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> 528 529The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy> 530applies, see below. 531If the host string is an IPv6 address, it must be enclosed in C<[> and C<]>. 532The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that 533the optional C<http://> or C<https://> prefix is ignored, 534as well as any userinfo, path, query, and fragment components. 535Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY> 536in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>. 537 538=item B<-no_proxy> I<addresses> 539 540List of IP addresses and/or DNS names of servers 541not to use an HTTP(S) proxy for, separated by commas and/or whitespace 542(where in the latter case the whole argument must be enclosed in "..."). 543Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>. 544 545=item B<-status_url> I<val> 546 547Sets a fallback responder URL to use if no responder URL is present in the 548server certificate. Without this option an error is returned if the server 549certificate does not contain a responder address. 550The optional userinfo and fragment URL components are ignored. 551Any given query component is handled as part of the path component. 552 553=item B<-status_file> I<infile> 554 555Overrides any OCSP responder URLs from the certificate and always provides the 556OCSP Response stored in the file. The file must be in DER format. 557 558=item B<-ssl_config> I<val> 559 560Configure SSL_CTX using the given configuration value. 561 562=item B<-trace> 563 564Show verbose trace output of protocol messages. 565 566=item B<-brief> 567 568Provide a brief summary of connection parameters instead of the normal verbose 569output. 570 571=item B<-rev> 572 573Simple echo server that sends back received text reversed. Also sets B<-brief>. 574Cannot be used in conjunction with B<-early_data>. 575 576=item B<-async> 577 578Switch on asynchronous mode. Cryptographic operations will be performed 579asynchronously. This will only have an effect if an asynchronous capable engine 580is also used via the B<-engine> option. For test purposes the dummy async engine 581(dasync) can be used (if available). 582 583=item B<-max_send_frag> I<+int> 584 585The maximum size of data fragment to send. 586See L<SSL_CTX_set_max_send_fragment(3)> for further information. 587 588=item B<-split_send_frag> I<+int> 589 590The size used to split data for encrypt pipelines. If more data is written in 591one go than this value then it will be split into multiple pipelines, up to the 592maximum number of pipelines defined by max_pipelines. This only has an effect if 593a suitable cipher suite has been negotiated, an engine that supports pipelining 594has been loaded, and max_pipelines is greater than 1. See 595L<SSL_CTX_set_split_send_fragment(3)> for further information. 596 597=item B<-max_pipelines> I<+int> 598 599The maximum number of encrypt/decrypt pipelines to be used. This will only have 600an effect if an engine has been loaded that supports pipelining (e.g. the dasync 601engine) and a suitable cipher suite has been negotiated. The default value is 1. 602See L<SSL_CTX_set_max_pipelines(3)> for further information. 603 604=item B<-naccept> I<+int> 605 606The server will exit after receiving the specified number of connections, 607default unlimited. 608 609=item B<-read_buf> I<+int> 610 611The default read buffer size to be used for connections. This will only have an 612effect if the buffer size is larger than the size that would otherwise be used 613and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for 614further information). 615 616=item B<-bugs> 617 618There are several known bugs in SSL and TLS implementations. Adding this 619option enables various workarounds. 620 621=item B<-no_tx_cert_comp> 622 623Disables support for sending TLSv1.3 compressed certificates. 624 625=item B<-no_rx_cert_comp> 626 627Disables support for receiving TLSv1.3 compressed certificates. 628 629=item B<-no_comp> 630 631Disable negotiation of TLS compression. 632TLS compression is not recommended and is off by default as of 633OpenSSL 1.1.0. 634 635=item B<-comp> 636 637Enables support for SSL/TLS compression. 638This option was introduced in OpenSSL 1.1.0. 639TLS compression is not recommended and is off by default as of 640OpenSSL 1.1.0. TLS compression can only be used in security level 1 or 641lower. From OpenSSL 3.2.0 and above the default security level is 2, so this 642option will have no effect without also changing the security level. Use the 643B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for 644more information. 645 646=item B<-no_ticket> 647 648Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3 649is negotiated. See B<-num_tickets>. 650 651=item B<-num_tickets> 652 653Control the number of tickets that will be sent to the client after a full 654handshake in TLSv1.3. The default number of tickets is 2. This option does not 655affect the number of tickets sent after a resumption handshake. 656 657=item B<-serverpref> 658 659Use the server's cipher preferences, rather than the client's preferences. 660 661=item B<-prioritize_chacha> 662 663Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>. 664 665=item B<-no_resumption_on_reneg> 666 667Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option. 668 669=item B<-client_sigalgs> I<val> 670 671Signature algorithms to support for client certificate authentication 672(colon-separated list). 673 674=item B<-named_curve> I<val> 675 676Specifies the elliptic curve to use. NOTE: this is single curve, not a list. 677 678The list of all supported groups includes named EC parameters as well as X25519 679and X448 or FFDHE groups, and may also include groups implemented in 3rd-party 680providers. For a list of named EC parameters, use: 681 682 $ openssl ecparam -list_curves 683 684=item B<-cipher> I<val> 685 686This allows the list of TLSv1.2 and below ciphersuites used by the server to be 687modified. This list is combined with any TLSv1.3 ciphersuites that have been 688configured. When the client sends a list of supported ciphers the first client 689cipher also included in the server list is used. Because the client specifies 690the preference order, the order of the server cipherlist is irrelevant. See 691L<openssl-ciphers(1)> for more information. 692 693=item B<-ciphersuites> I<val> 694 695This allows the list of TLSv1.3 ciphersuites used by the server to be modified. 696This list is combined with any TLSv1.2 and below ciphersuites that have been 697configured. When the client sends a list of supported ciphers the first client 698cipher also included in the server list is used. Because the client specifies 699the preference order, the order of the server cipherlist is irrelevant. See 700L<openssl-ciphers(1)> command for more information. The format for this list is 701a simple colon (":") separated list of TLSv1.3 ciphersuite names. 702 703=item B<-dhparam> I<infile> 704 705The DH parameter file to use. The ephemeral DH cipher suites generate keys 706using a set of DH parameters. If not specified then an attempt is made to 707load the parameters from the server certificate file. 708If this fails then a static set of parameters hard coded into this command 709will be used. 710 711=item B<-nbio> 712 713Turns on non blocking I/O. 714 715=item B<-timeout> 716 717Enable timeouts. 718 719=item B<-mtu> 720 721Set link-layer MTU. 722 723=item B<-psk_identity> I<val> 724 725Expect the client to send PSK identity I<val> when using a PSK 726cipher suite, and warn if they do not. By default, the expected PSK 727identity is the string "Client_identity". 728 729=item B<-psk_hint> I<val> 730 731Use the PSK identity hint I<val> when using a PSK cipher suite. 732 733=item B<-psk> I<val> 734 735Use the PSK key I<val> when using a PSK cipher suite. The key is 736given as a hexadecimal number without leading 0x, for example -psk 7371a2b3c4d. 738This option must be provided in order to use a PSK cipher. 739 740=item B<-psk_session> I<file> 741 742Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK. 743Note that this will only work if TLSv1.3 is negotiated. 744 745=item B<-srpvfile> 746 747The verifier file for SRP. 748This option is deprecated. 749 750=item B<-srpuserseed> 751 752A seed string for a default user salt. 753This option is deprecated. 754 755=item B<-listen> 756 757This option can only be used in conjunction with one of the DTLS options above. 758With this option, this command will listen on a UDP port for incoming 759connections. 760Any ClientHellos that arrive will be checked to see if they have a cookie in 761them or not. 762Any without a cookie will be responded to with a HelloVerifyRequest. 763If a ClientHello with a cookie is received then this command will 764connect to that peer and complete the handshake. 765 766=item B<-sctp> 767 768Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in 769conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only 770available where OpenSSL has support for SCTP enabled. 771 772=item B<-sctp_label_bug> 773 774Use the incorrect behaviour of older OpenSSL implementations when computing 775endpoint-pair shared secrets for DTLS/SCTP. This allows communication with 776older broken implementations but breaks interoperability with correct 777implementations. Must be used in conjunction with B<-sctp>. This option is only 778available where OpenSSL has support for SCTP enabled. 779 780=item B<-use_srtp> 781 782Offer SRTP key management with a colon-separated profile list. 783 784=item B<-no_dhe> 785 786If this option is set then no DH parameters will be loaded effectively 787disabling the ephemeral DH cipher suites. 788 789=item B<-alpn> I<val>, B<-nextprotoneg> I<val> 790 791These flags enable the Application-Layer Protocol Negotiation 792or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the 793IETF standard and replaces NPN. 794The I<val> list is a comma-separated list of supported protocol 795names. The list should contain the most desirable protocols first. 796Protocol names are printable ASCII strings, for example "http/1.1" or 797"spdy/3". 798The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. 799 800=item B<-ktls> 801 802Enable Kernel TLS for sending and receiving. 803This option was introduced in OpenSSL 3.2.0. 804Kernel TLS is off by default as of OpenSSL 3.2.0. 805 806=item B<-sendfile> 807 808If this option is set and KTLS is enabled, SSL_sendfile() will be used 809instead of BIO_write() to send the HTTP response requested by a client. 810This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP> 811are specified. 812 813=item B<-zerocopy_sendfile> 814 815If this option is set, SSL_sendfile() will use the zerocopy TX mode, which gives 816a performance boost when used with KTLS hardware offload. Note that invalid 817TLS records might be transmitted if the file is changed while being sent. 818This option depends on B<-sendfile>; when used alone, B<-sendfile> is implied, 819and a warning is shown. Note that KTLS sendfile on FreeBSD always runs in the 820zerocopy mode. 821 822=item B<-keylogfile> I<outfile> 823 824Appends TLS secrets to the specified keylog file such that external programs 825(like Wireshark) can decrypt TLS connections. 826 827=item B<-max_early_data> I<int> 828 829Change the default maximum early data bytes that are specified for new sessions 830and any incoming early data (when used in conjunction with the B<-early_data> 831flag). The default value is approximately 16k. The argument must be an integer 832greater than or equal to 0. 833 834=item B<-recv_max_early_data> I<int> 835 836Specify the hard limit on the maximum number of early data bytes that will 837be accepted. 838 839=item B<-early_data> 840 841Accept early data where possible. Cannot be used in conjunction with B<-www>, 842B<-WWW>, B<-HTTP> or B<-rev>. 843 844=item B<-stateless> 845 846Require TLSv1.3 cookies. 847 848=item B<-anti_replay>, B<-no_anti_replay> 849 850Switches replay protection on or off, respectively. Replay protection is on by 851default unless overridden by a configuration file. When it is on, OpenSSL will 852automatically detect if a session ticket has been used more than once, TLSv1.3 853has been negotiated, and early data is enabled on the server. A full handshake 854is forced if a session ticket is used a second or subsequent time. Any early 855data that was sent will be rejected. 856 857=item B<-tfo> 858 859Enable acceptance of TCP Fast Open (RFC7413) connections. 860 861=item B<-cert_comp> 862 863Pre-compresses certificates (RFC8879) that will be sent during the handshake. 864 865{- $OpenSSL::safe::opt_name_item -} 866 867{- $OpenSSL::safe::opt_version_item -} 868 869{- $OpenSSL::safe::opt_s_item -} 870 871{- $OpenSSL::safe::opt_x_item -} 872 873{- $OpenSSL::safe::opt_trust_item -} 874 875{- $OpenSSL::safe::opt_r_item -} 876 877{- $OpenSSL::safe::opt_engine_item -} 878 879{- $OpenSSL::safe::opt_provider_item -} 880 881{- $OpenSSL::safe::opt_v_item -} 882 883If the server requests a client certificate, then 884verification errors are displayed, for debugging, but the command will 885proceed unless the B<-verify_return_error> option is used. 886 887=item B<-enable_server_rpk> 888 889Enable support for sending raw public keys (RFC7250) to the client. 890A raw public key will be sent by the server, if solicited by the client, 891provided a suitable key and public certificate pair is configured. 892Clients that don't support raw public keys or prefer to use X.509 893certificates can still elect to receive X.509 certificates as usual. 894 895Raw public keys are extracted from the configured certificate/private key. 896 897=item B<-enable_client_rpk> 898 899Enable support for receiving raw public keys (RFC7250) from the client. 900Use of X.509 certificates by the client becomes optional, and clients that 901support raw public keys may elect to use them. 902Clients that don't support raw public keys or prefer to use X.509 903certificates can still elect to send X.509 certificates as usual. 904 905Raw public keys are extracted from the configured certificate/private key. 906 907=back 908 909=head1 CONNECTED COMMANDS 910 911If a connection request is established with an SSL client and neither the 912B<-www> nor the B<-WWW> option has been used then normally any data received 913from the client is displayed and any key presses will be sent to the client. 914 915Certain commands are also recognized which perform special operations. These 916commands are a letter which must appear at the start of a line. They are listed 917below. 918 919=over 4 920 921=item B<q> 922 923End the current SSL connection but still accept new connections. 924 925=item B<Q> 926 927End the current SSL connection and exit. 928 929=item B<r> 930 931Renegotiate the SSL session (TLSv1.2 and below only). 932 933=item B<R> 934 935Renegotiate the SSL session and request a client certificate (TLSv1.2 and below 936only). 937 938=item B<P> 939 940Send some plain text down the underlying TCP connection: this should 941cause the client to disconnect due to a protocol violation. 942 943=item B<S> 944 945Print out some session cache status information. 946 947=item B<k> 948 949Send a key update message to the client (TLSv1.3 only) 950 951=item B<K> 952 953Send a key update message to the client and request one back (TLSv1.3 only) 954 955=item B<c> 956 957Send a certificate request to the client (TLSv1.3 only) 958 959=back 960 961=head1 NOTES 962 963This command can be used to debug SSL clients. To accept connections 964from a web browser the command: 965 966 openssl s_server -accept 443 -www 967 968can be used for example. 969 970Although specifying an empty list of CAs when requesting a client certificate 971is strictly speaking a protocol violation, some SSL clients interpret this to 972mean any CA is acceptable. This is useful for debugging purposes. 973 974The session parameters can printed out using the L<openssl-sess_id(1)> command. 975 976=head1 BUGS 977 978Because this program has a lot of options and also because some of the 979techniques used are rather old, the C source for this command is rather 980hard to read and not a model of how things should be done. 981A typical SSL server program would be much simpler. 982 983The output of common ciphers is wrong: it just gives the list of ciphers that 984OpenSSL recognizes and the client supports. 985 986There should be a way for this command to print out details 987of any unknown cipher suites a client says it supports. 988 989=head1 SEE ALSO 990 991L<openssl(1)>, 992L<openssl-sess_id(1)>, 993L<openssl-s_client(1)>, 994L<openssl-ciphers(1)>, 995L<SSL_CONF_cmd(3)>, 996L<SSL_CTX_set_max_send_fragment(3)>, 997L<SSL_CTX_set_split_send_fragment(3)>, 998L<SSL_CTX_set_max_pipelines(3)>, 999L<ossl_store-file(7)> 1000 1001=head1 HISTORY 1002 1003The -no_alt_chains option was added in OpenSSL 1.1.0. 1004 1005The 1006-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. 1007 1008The B<-srpvfile>, B<-srpuserseed>, and B<-engine> 1009option were deprecated in OpenSSL 3.0. 1010 1011The 1012B<-enable_client_rpk>, 1013B<-enable_server_rpk>, 1014B<-no_rx_cert_comp>, 1015B<-no_tx_cert_comp>, 1016and B<-tfo> 1017options were added in OpenSSL 3.2. 1018 1019=head1 COPYRIGHT 1020 1021Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. 1022 1023Licensed under the Apache License 2.0 (the "License"). You may not use 1024this file except in compliance with the License. You can obtain a copy 1025in the file LICENSE in the source distribution or at 1026L<https://www.openssl.org/source/license.html>. 1027 1028=cut 1029