1=pod 2{- OpenSSL::safe::output_do_not_edit_headers(); -} 3 4=head1 NAME 5 6openssl-s_server - SSL/TLS server program 7 8=head1 SYNOPSIS 9 10B<openssl> B<s_server> 11[B<-help>] 12[B<-port> I<+int>] 13[B<-accept> I<val>] 14[B<-unix> I<val>] 15[B<-4>] 16[B<-6>] 17[B<-unlink>] 18[B<-context> I<val>] 19[B<-verify> I<int>] 20[B<-Verify> I<int>] 21[B<-cert> I<infile>] 22[B<-cert2> I<infile>] 23[B<-certform> B<DER>|B<PEM>|B<P12>] 24[B<-cert_chain> I<infile>] 25[B<-build_chain>] 26[B<-serverinfo> I<val>] 27[B<-key> I<filename>|I<uri>] 28[B<-key2> I<filename>|I<uri>] 29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 30[B<-pass> I<val>] 31[B<-dcert> I<infile>] 32[B<-dcertform> B<DER>|B<PEM>|B<P12>] 33[B<-dcert_chain> I<infile>] 34[B<-dkey> I<filename>|I<uri>] 35[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 36[B<-dpass> I<val>] 37[B<-nbio_test>] 38[B<-crlf>] 39[B<-debug>] 40[B<-msg>] 41[B<-msgfile> I<outfile>] 42[B<-state>] 43[B<-nocert>] 44[B<-quiet>] 45[B<-no_resume_ephemeral>] 46[B<-www>] 47[B<-WWW>] 48[B<-http_server_binmode>] 49[B<-no_ca_names>] 50[B<-ignore_unexpected_eof>] 51[B<-servername>] 52[B<-servername_fatal>] 53[B<-tlsextdebug>] 54[B<-HTTP>] 55[B<-id_prefix> I<val>] 56[B<-keymatexport> I<val>] 57[B<-keymatexportlen> I<+int>] 58[B<-CRL> I<infile>] 59[B<-CRLform> B<DER>|B<PEM>] 60[B<-crl_download>] 61[B<-chainCAfile> I<infile>] 62[B<-chainCApath> I<dir>] 63[B<-chainCAstore> I<uri>] 64[B<-verifyCAfile> I<infile>] 65[B<-verifyCApath> I<dir>] 66[B<-verifyCAstore> I<uri>] 67[B<-no_cache>] 68[B<-ext_cache>] 69[B<-verify_return_error>] 70[B<-verify_quiet>] 71[B<-ign_eof>] 72[B<-no_ign_eof>] 73[B<-no_etm>] 74[B<-no_ems>] 75[B<-status>] 76[B<-status_verbose>] 77[B<-status_timeout> I<int>] 78[B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]>] 79[B<-no_proxy> I<addresses>] 80[B<-status_url> I<val>] 81[B<-status_file> I<infile>] 82[B<-ssl_config> I<val>] 83[B<-trace>] 84[B<-security_debug>] 85[B<-security_debug_verbose>] 86[B<-brief>] 87[B<-rev>] 88[B<-async>] 89[B<-max_send_frag> I<+int>] 90[B<-split_send_frag> I<+int>] 91[B<-max_pipelines> I<+int>] 92[B<-naccept> I<+int>] 93[B<-read_buf> I<+int>] 94[B<-bugs>] 95[B<-no_tx_cert_comp>] 96[B<-no_rx_cert_comp>] 97[B<-no_comp>] 98[B<-comp>] 99[B<-no_ticket>] 100[B<-serverpref>] 101[B<-legacy_renegotiation>] 102[B<-no_renegotiation>] 103[B<-no_resumption_on_reneg>] 104[B<-allow_no_dhe_kex>] 105[B<-prefer_no_dhe_kex>] 106[B<-prioritize_chacha>] 107[B<-strict>] 108[B<-sigalgs> I<val>] 109[B<-client_sigalgs> I<val>] 110[B<-groups> I<val>] 111[B<-curves> I<val>] 112[B<-named_curve> I<val>] 113[B<-cipher> I<val>] 114[B<-ciphersuites> I<val>] 115[B<-dhparam> I<infile>] 116[B<-record_padding> I<val>] 117[B<-debug_broken_protocol>] 118[B<-nbio>] 119[B<-psk_identity> I<val>] 120[B<-psk_hint> I<val>] 121[B<-psk> I<val>] 122[B<-psk_session> I<file>] 123[B<-srpvfile> I<infile>] 124[B<-srpuserseed> I<val>] 125[B<-timeout>] 126[B<-mtu> I<+int>] 127[B<-listen>] 128[B<-sctp>] 129[B<-sctp_label_bug>] 130[B<-use_srtp> I<val>] 131[B<-no_dhe>] 132[B<-nextprotoneg> I<val>] 133[B<-alpn> I<val>] 134[B<-ktls>] 135[B<-sendfile>] 136[B<-zerocopy_sendfile>] 137[B<-keylogfile> I<outfile>] 138[B<-recv_max_early_data> I<int>] 139[B<-max_early_data> I<int>] 140[B<-early_data>] 141[B<-stateless>] 142[B<-anti_replay>] 143[B<-no_anti_replay>] 144[B<-num_tickets>] 145[B<-tfo>] 146[B<-cert_comp>] 147{- $OpenSSL::safe::opt_name_synopsis -} 148{- $OpenSSL::safe::opt_version_synopsis -} 149{- $OpenSSL::safe::opt_v_synopsis -} 150{- $OpenSSL::safe::opt_s_synopsis -} 151{- $OpenSSL::safe::opt_x_synopsis -} 152{- $OpenSSL::safe::opt_trust_synopsis -} 153{- $OpenSSL::safe::opt_r_synopsis -} 154{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} 155[B<-enable_server_rpk>] 156[B<-enable_client_rpk>] 157 158=head1 DESCRIPTION 159 160This command implements a generic SSL/TLS server which 161listens for connections on a given port using SSL/TLS. 162 163=head1 OPTIONS 164 165In addition to the options below, this command also supports 166the common and server only options documented 167L<SSL_CONF_cmd(3)/Supported Command Line Commands> 168 169=over 4 170 171=item B<-help> 172 173Print out a usage message. 174 175=item B<-port> I<+int> 176 177The TCP port to listen on for connections. If not specified 4433 is used. 178 179=item B<-accept> I<val> 180 181The optional TCP host and port to listen on for connections. If not specified, *:4433 is used. 182 183=item B<-unix> I<val> 184 185Unix domain socket to accept on. 186 187=item B<-4> 188 189Use IPv4 only. 190 191=item B<-6> 192 193Use IPv6 only. 194 195=item B<-unlink> 196 197For -unix, unlink any existing socket first. 198 199=item B<-context> I<val> 200 201Sets the SSL context id. It can be given any string value. If this option 202is not present a default value will be used. 203 204=item B<-verify> I<int>, B<-Verify> I<int> 205 206The verify depth to use. This specifies the maximum length of the 207client certificate chain and makes the server request a certificate from 208the client. With the B<-verify> option a certificate is requested but the 209client does not have to send one, with the B<-Verify> option the client 210must supply a certificate or an error occurs. 211 212If the cipher suite cannot request a client certificate (for example an 213anonymous cipher suite or PSK) this option has no effect. 214 215=item B<-cert> I<infile> 216 217The certificate to use, most servers cipher suites require the use of a 218certificate and some require a certificate with a certain public key type: 219for example the DSS cipher suites require a certificate containing a DSS 220(DSA) key. If not specified then the filename F<server.pem> will be used. 221 222=item B<-cert2> I<infile> 223 224The certificate file to use for servername; default is C<server2.pem>. 225 226=item B<-certform> B<DER>|B<PEM>|B<P12> 227 228The server certificate file format; unspecified by default. 229See L<openssl-format-options(1)> for details. 230 231=item B<-cert_chain> 232 233A file or URI of untrusted certificates to use when attempting to build the 234certificate chain related to the certificate specified via the B<-cert> option. 235These untrusted certificates are sent to clients and used for generating 236certificate status (aka OCSP stapling) requests. 237The input can be in PEM, DER, or PKCS#12 format. 238 239=item B<-build_chain> 240 241Specify whether the application should build the server certificate chain to be 242provided to the client. 243 244=item B<-serverinfo> I<val> 245 246A file containing one or more blocks of PEM data. Each PEM block 247must encode a TLS ServerHello extension (2 bytes type, 2 bytes length, 248followed by "length" bytes of extension data). If the client sends 249an empty TLS ClientHello extension matching the type, the corresponding 250ServerHello extension will be returned. 251 252=item B<-key> I<filename>|I<uri> 253 254The private key to use. If not specified then the certificate file will 255be used. 256 257=item B<-key2> I<filename>|I<uri> 258 259The private Key file to use for servername if not given via B<-cert2>. 260 261=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 262 263The key format; unspecified by default. 264See L<openssl-format-options(1)> for details. 265 266=item B<-pass> I<val> 267 268The private key and certificate file password source. 269For more information about the format of I<val>, 270see L<openssl-passphrase-options(1)>. 271 272=item B<-dcert> I<infile>, B<-dkey> I<filename>|I<uri> 273 274Specify an additional certificate and private key, these behave in the 275same manner as the B<-cert> and B<-key> options except there is no default 276if they are not specified (no additional certificate and key is used). As 277noted above some cipher suites require a certificate containing a key of 278a certain type. Some cipher suites need a certificate carrying an RSA key 279and some a DSS (DSA) key. By using RSA and DSS certificates and keys 280a server can support clients which only support RSA or DSS cipher suites 281by using an appropriate certificate. 282 283=item B<-dcert_chain> 284 285A file or URI of untrusted certificates to use when attempting to build the 286server certificate chain when a certificate specified via the B<-dcert> option 287is in use. 288The input can be in PEM, DER, or PKCS#12 format. 289 290=item B<-dcertform> B<DER>|B<PEM>|B<P12> 291 292The format of the additional certificate file; unspecified by default. 293See L<openssl-format-options(1)> for details. 294 295=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 296 297The format of the additional private key; unspecified by default. 298See L<openssl-format-options(1)> for details. 299 300=item B<-dpass> I<val> 301 302The passphrase for the additional private key and certificate. 303For more information about the format of I<val>, 304see L<openssl-passphrase-options(1)>. 305 306=item B<-nbio_test> 307 308Tests non blocking I/O. 309 310=item B<-crlf> 311 312This option translated a line feed from the terminal into CR+LF. 313 314=item B<-debug> 315 316Print extensive debugging information including a hex dump of all traffic. 317 318=item B<-security_debug> 319 320Print output from SSL/TLS security framework. 321 322=item B<-security_debug_verbose> 323 324Print more output from SSL/TLS security framework 325 326=item B<-msg> 327 328Show all protocol messages with hex dump. 329 330=item B<-msgfile> I<outfile> 331 332File to send output of B<-msg> or B<-trace> to, default standard output. 333 334=item B<-state> 335 336Prints the SSL session states. 337 338=item B<-CRL> I<infile> 339 340The CRL file to use. 341 342=item B<-CRLform> B<DER>|B<PEM> 343 344The CRL file format; unspecified by default. 345See L<openssl-format-options(1)> for details. 346 347=item B<-crl_download> 348 349Download CRLs from distribution points given in CDP extensions of certificates 350 351=item B<-verifyCAfile> I<filename> 352 353A file in PEM format CA containing trusted certificates to use 354for verifying client certificates. 355 356=item B<-verifyCApath> I<dir> 357 358A directory containing trusted certificates to use 359for verifying client certificates. 360This directory must be in "hash format", 361see L<openssl-verify(1)> for more information. 362 363=item B<-verifyCAstore> I<uri> 364 365The URI of a store containing trusted certificates to use 366for verifying client certificates. 367 368=item B<-chainCAfile> I<file> 369 370A file in PEM format containing trusted certificates to use 371when attempting to build the server certificate chain. 372 373=item B<-chainCApath> I<dir> 374 375A directory containing trusted certificates to use 376for building the server certificate chain provided to the client. 377This directory must be in "hash format", 378see L<openssl-verify(1)> for more information. 379 380=item B<-chainCAstore> I<uri> 381 382The URI of a store containing trusted certificates to use 383for building the server certificate chain provided to the client. 384The URI may indicate a single certificate, as well as a collection of them. 385With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or 386B<-chainCApath>, depending on if the URI indicates a directory or a 387single file. 388See L<ossl_store-file(7)> for more information on the C<file:> scheme. 389 390=item B<-nocert> 391 392If this option is set then no certificate is used. This restricts the 393cipher suites available to the anonymous ones (currently just anonymous 394DH). 395 396=item B<-quiet> 397 398Inhibit printing of session and certificate information. 399 400=item B<-no_resume_ephemeral> 401 402Disable caching and tickets if ephemeral (EC)DH is used. 403 404=item B<-tlsextdebug> 405 406Print a hex dump of any TLS extensions received from the server. 407 408=item B<-www> 409 410Sends a status message back to the client when it connects. This includes 411information about the ciphers used and various session parameters. 412The output is in HTML format so this option can be used with a web browser. 413The special URL C</renegcert> turns on client cert validation, and C</reneg> 414tells the server to request renegotiation. 415The B<-early_data> option cannot be used with this option. 416 417=item B<-WWW>, B<-HTTP> 418 419Emulates a simple web server. Pages will be resolved relative to the 420current directory, for example if the URL C<https://myhost/page.html> is 421requested the file F<./page.html> will be sent. 422If the B<-HTTP> flag is used, the files are sent directly, and should contain 423any HTTP response headers (including status response line). 424If the B<-WWW> option is used, 425the response headers are generated by the server, and the file extension is 426examined to determine the B<Content-Type> header. 427Extensions of C<html>, C<htm>, and C<php> are C<text/html> and all others are 428C<text/plain>. 429In addition, the special URL C</stats> will return status 430information like the B<-www> option. 431Neither of these options can be used in conjunction with B<-early_data>. 432 433=item B<-http_server_binmode> 434 435When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested 436by the client in binary mode. 437 438=item B<-no_ca_names> 439 440Disable TLS Extension CA Names. You may want to disable it for security reasons 441or for compatibility with some Windows TLS implementations crashing when this 442extension is larger than 1024 bytes. 443 444=item B<-ignore_unexpected_eof> 445 446Some TLS implementations do not send the mandatory close_notify alert on 447shutdown. If the application tries to wait for the close_notify alert but the 448peer closes the connection without sending it, an error is generated. When this 449option is enabled the peer does not need to send the close_notify alert and a 450closed connection will be treated as if the close_notify alert was received. 451For more information on shutting down a connection, see L<SSL_shutdown(3)>. 452 453=item B<-servername> 454 455Servername for HostName TLS extension. 456 457=item B<-servername_fatal> 458 459On servername mismatch send fatal alert (default: warning alert). 460 461=item B<-id_prefix> I<val> 462 463Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful 464for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple 465servers, when each of which might be generating a unique range of session 466IDs (e.g. with a certain prefix). 467 468=item B<-keymatexport> 469 470Export keying material using label. 471 472=item B<-keymatexportlen> 473 474Export the given number of bytes of keying material; default 20. 475 476=item B<-no_cache> 477 478Disable session cache. 479 480=item B<-ext_cache>. 481 482Disable internal cache, set up and use external cache. 483 484=item B<-verify_return_error> 485 486Verification errors normally just print a message but allow the 487connection to continue, for debugging purposes. 488If this option is used, then verification errors close the connection. 489 490=item B<-verify_quiet> 491 492No verify output except verify errors. 493 494=item B<-ign_eof> 495 496Ignore input EOF (default: when B<-quiet>). 497 498=item B<-no_ign_eof> 499 500Do not ignore input EOF. 501 502=item B<-no_etm> 503 504Disable Encrypt-then-MAC negotiation. 505 506=item B<-no_ems> 507 508Disable Extended master secret negotiation. 509 510=item B<-status> 511 512Enables certificate status request support (aka OCSP stapling). 513 514=item B<-status_verbose> 515 516Enables certificate status request support (aka OCSP stapling) and gives 517a verbose printout of the OCSP response. 518Use the B<-cert_chain> option to specify the certificate of the server's 519certificate signer that is required for certificate status requests. 520 521=item B<-status_timeout> I<int> 522 523Sets the timeout for OCSP response to I<int> seconds. 524 525=item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path]> 526 527The HTTP(S) proxy server to use for reaching the OCSP server unless B<-no_proxy> 528applies, see below. 529The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that 530the optional C<http://> or C<https://> prefix is ignored, 531as well as any userinfo and path components. 532Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY> 533in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>. 534 535=item B<-no_proxy> I<addresses> 536 537List of IP addresses and/or DNS names of servers 538not to use an HTTP(S) proxy for, separated by commas and/or whitespace 539(where in the latter case the whole argument must be enclosed in "..."). 540Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>. 541 542=item B<-status_url> I<val> 543 544Sets a fallback responder URL to use if no responder URL is present in the 545server certificate. Without this option an error is returned if the server 546certificate does not contain a responder address. 547The optional userinfo and fragment URL components are ignored. 548Any given query component is handled as part of the path component. 549 550=item B<-status_file> I<infile> 551 552Overrides any OCSP responder URLs from the certificate and always provides the 553OCSP Response stored in the file. The file must be in DER format. 554 555=item B<-ssl_config> I<val> 556 557Configure SSL_CTX using the given configuration value. 558 559=item B<-trace> 560 561Show verbose trace output of protocol messages. 562 563=item B<-brief> 564 565Provide a brief summary of connection parameters instead of the normal verbose 566output. 567 568=item B<-rev> 569 570Simple echo server that sends back received text reversed. Also sets B<-brief>. 571Cannot be used in conjunction with B<-early_data>. 572 573=item B<-async> 574 575Switch on asynchronous mode. Cryptographic operations will be performed 576asynchronously. This will only have an effect if an asynchronous capable engine 577is also used via the B<-engine> option. For test purposes the dummy async engine 578(dasync) can be used (if available). 579 580=item B<-max_send_frag> I<+int> 581 582The maximum size of data fragment to send. 583See L<SSL_CTX_set_max_send_fragment(3)> for further information. 584 585=item B<-split_send_frag> I<+int> 586 587The size used to split data for encrypt pipelines. If more data is written in 588one go than this value then it will be split into multiple pipelines, up to the 589maximum number of pipelines defined by max_pipelines. This only has an effect if 590a suitable cipher suite has been negotiated, an engine that supports pipelining 591has been loaded, and max_pipelines is greater than 1. See 592L<SSL_CTX_set_split_send_fragment(3)> for further information. 593 594=item B<-max_pipelines> I<+int> 595 596The maximum number of encrypt/decrypt pipelines to be used. This will only have 597an effect if an engine has been loaded that supports pipelining (e.g. the dasync 598engine) and a suitable cipher suite has been negotiated. The default value is 1. 599See L<SSL_CTX_set_max_pipelines(3)> for further information. 600 601=item B<-naccept> I<+int> 602 603The server will exit after receiving the specified number of connections, 604default unlimited. 605 606=item B<-read_buf> I<+int> 607 608The default read buffer size to be used for connections. This will only have an 609effect if the buffer size is larger than the size that would otherwise be used 610and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for 611further information). 612 613=item B<-bugs> 614 615There are several known bugs in SSL and TLS implementations. Adding this 616option enables various workarounds. 617 618=item B<-no_tx_cert_comp> 619 620Disables support for sending TLSv1.3 compressed certificates. 621 622=item B<-no_rx_cert_comp> 623 624Disables support for receiving TLSv1.3 compressed certificates. 625 626=item B<-no_comp> 627 628Disable negotiation of TLS compression. 629TLS compression is not recommended and is off by default as of 630OpenSSL 1.1.0. 631 632=item B<-comp> 633 634Enables support for SSL/TLS compression. 635This option was introduced in OpenSSL 1.1.0. 636TLS compression is not recommended and is off by default as of 637OpenSSL 1.1.0. TLS compression can only be used in security level 1 or 638lower. From OpenSSL 3.2.0 and above the default security level is 2, so this 639option will have no effect without also changing the security level. Use the 640B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for 641more information. 642 643=item B<-no_ticket> 644 645Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3 646is negotiated. See B<-num_tickets>. 647 648=item B<-num_tickets> 649 650Control the number of tickets that will be sent to the client after a full 651handshake in TLSv1.3. The default number of tickets is 2. This option does not 652affect the number of tickets sent after a resumption handshake. 653 654=item B<-serverpref> 655 656Use the server's cipher preferences, rather than the client's preferences. 657 658=item B<-prioritize_chacha> 659 660Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>. 661 662=item B<-no_resumption_on_reneg> 663 664Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option. 665 666=item B<-client_sigalgs> I<val> 667 668Signature algorithms to support for client certificate authentication 669(colon-separated list). 670 671=item B<-named_curve> I<val> 672 673Specifies the elliptic curve to use. NOTE: this is single curve, not a list. 674For a list of all possible curves, use: 675 676 $ openssl ecparam -list_curves 677 678=item B<-cipher> I<val> 679 680This allows the list of TLSv1.2 and below ciphersuites used by the server to be 681modified. This list is combined with any TLSv1.3 ciphersuites that have been 682configured. When the client sends a list of supported ciphers the first client 683cipher also included in the server list is used. Because the client specifies 684the preference order, the order of the server cipherlist is irrelevant. See 685L<openssl-ciphers(1)> for more information. 686 687=item B<-ciphersuites> I<val> 688 689This allows the list of TLSv1.3 ciphersuites used by the server to be modified. 690This list is combined with any TLSv1.2 and below ciphersuites that have been 691configured. When the client sends a list of supported ciphers the first client 692cipher also included in the server list is used. Because the client specifies 693the preference order, the order of the server cipherlist is irrelevant. See 694L<openssl-ciphers(1)> command for more information. The format for this list is 695a simple colon (":") separated list of TLSv1.3 ciphersuite names. 696 697=item B<-dhparam> I<infile> 698 699The DH parameter file to use. The ephemeral DH cipher suites generate keys 700using a set of DH parameters. If not specified then an attempt is made to 701load the parameters from the server certificate file. 702If this fails then a static set of parameters hard coded into this command 703will be used. 704 705=item B<-nbio> 706 707Turns on non blocking I/O. 708 709=item B<-timeout> 710 711Enable timeouts. 712 713=item B<-mtu> 714 715Set link-layer MTU. 716 717=item B<-psk_identity> I<val> 718 719Expect the client to send PSK identity I<val> when using a PSK 720cipher suite, and warn if they do not. By default, the expected PSK 721identity is the string "Client_identity". 722 723=item B<-psk_hint> I<val> 724 725Use the PSK identity hint I<val> when using a PSK cipher suite. 726 727=item B<-psk> I<val> 728 729Use the PSK key I<val> when using a PSK cipher suite. The key is 730given as a hexadecimal number without leading 0x, for example -psk 7311a2b3c4d. 732This option must be provided in order to use a PSK cipher. 733 734=item B<-psk_session> I<file> 735 736Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK. 737Note that this will only work if TLSv1.3 is negotiated. 738 739=item B<-srpvfile> 740 741The verifier file for SRP. 742This option is deprecated. 743 744=item B<-srpuserseed> 745 746A seed string for a default user salt. 747This option is deprecated. 748 749=item B<-listen> 750 751This option can only be used in conjunction with one of the DTLS options above. 752With this option, this command will listen on a UDP port for incoming 753connections. 754Any ClientHellos that arrive will be checked to see if they have a cookie in 755them or not. 756Any without a cookie will be responded to with a HelloVerifyRequest. 757If a ClientHello with a cookie is received then this command will 758connect to that peer and complete the handshake. 759 760=item B<-sctp> 761 762Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in 763conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only 764available where OpenSSL has support for SCTP enabled. 765 766=item B<-sctp_label_bug> 767 768Use the incorrect behaviour of older OpenSSL implementations when computing 769endpoint-pair shared secrets for DTLS/SCTP. This allows communication with 770older broken implementations but breaks interoperability with correct 771implementations. Must be used in conjunction with B<-sctp>. This option is only 772available where OpenSSL has support for SCTP enabled. 773 774=item B<-use_srtp> 775 776Offer SRTP key management with a colon-separated profile list. 777 778=item B<-no_dhe> 779 780If this option is set then no DH parameters will be loaded effectively 781disabling the ephemeral DH cipher suites. 782 783=item B<-alpn> I<val>, B<-nextprotoneg> I<val> 784 785These flags enable the Application-Layer Protocol Negotiation 786or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the 787IETF standard and replaces NPN. 788The I<val> list is a comma-separated list of supported protocol 789names. The list should contain the most desirable protocols first. 790Protocol names are printable ASCII strings, for example "http/1.1" or 791"spdy/3". 792The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. 793 794=item B<-ktls> 795 796Enable Kernel TLS for sending and receiving. 797This option was introduced in OpenSSL 3.2.0. 798Kernel TLS is off by default as of OpenSSL 3.2.0. 799 800=item B<-sendfile> 801 802If this option is set and KTLS is enabled, SSL_sendfile() will be used 803instead of BIO_write() to send the HTTP response requested by a client. 804This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP> 805are specified. 806 807=item B<-zerocopy_sendfile> 808 809If this option is set, SSL_sendfile() will use the zerocopy TX mode, which gives 810a performance boost when used with KTLS hardware offload. Note that invalid 811TLS records might be transmitted if the file is changed while being sent. 812This option depends on B<-sendfile>; when used alone, B<-sendfile> is implied, 813and a warning is shown. Note that KTLS sendfile on FreeBSD always runs in the 814zerocopy mode. 815 816=item B<-keylogfile> I<outfile> 817 818Appends TLS secrets to the specified keylog file such that external programs 819(like Wireshark) can decrypt TLS connections. 820 821=item B<-max_early_data> I<int> 822 823Change the default maximum early data bytes that are specified for new sessions 824and any incoming early data (when used in conjunction with the B<-early_data> 825flag). The default value is approximately 16k. The argument must be an integer 826greater than or equal to 0. 827 828=item B<-recv_max_early_data> I<int> 829 830Specify the hard limit on the maximum number of early data bytes that will 831be accepted. 832 833=item B<-early_data> 834 835Accept early data where possible. Cannot be used in conjunction with B<-www>, 836B<-WWW>, B<-HTTP> or B<-rev>. 837 838=item B<-stateless> 839 840Require TLSv1.3 cookies. 841 842=item B<-anti_replay>, B<-no_anti_replay> 843 844Switches replay protection on or off, respectively. Replay protection is on by 845default unless overridden by a configuration file. When it is on, OpenSSL will 846automatically detect if a session ticket has been used more than once, TLSv1.3 847has been negotiated, and early data is enabled on the server. A full handshake 848is forced if a session ticket is used a second or subsequent time. Any early 849data that was sent will be rejected. 850 851=item B<-tfo> 852 853Enable acceptance of TCP Fast Open (RFC7413) connections. 854 855=item B<-cert_comp> 856 857Pre-compresses certificates (RFC8879) that will be sent during the handshake. 858 859{- $OpenSSL::safe::opt_name_item -} 860 861{- $OpenSSL::safe::opt_version_item -} 862 863{- $OpenSSL::safe::opt_s_item -} 864 865{- $OpenSSL::safe::opt_x_item -} 866 867{- $OpenSSL::safe::opt_trust_item -} 868 869{- $OpenSSL::safe::opt_r_item -} 870 871{- $OpenSSL::safe::opt_engine_item -} 872 873{- $OpenSSL::safe::opt_provider_item -} 874 875{- $OpenSSL::safe::opt_v_item -} 876 877If the server requests a client certificate, then 878verification errors are displayed, for debugging, but the command will 879proceed unless the B<-verify_return_error> option is used. 880 881=item B<-enable_server_rpk> 882 883Enable support for sending raw public keys (RFC7250) to the client. 884A raw public key will be sent by the server, if solicited by the client, 885provided a suitable key and public certificate pair is configured. 886Clients that don't support raw public keys or prefer to use X.509 887certificates can still elect to receive X.509 certificates as usual. 888 889Raw public keys are extracted from the configured certificate/private key. 890 891=item B<-enable_client_rpk> 892 893Enable support for receiving raw public keys (RFC7250) from the client. 894Use of X.509 certificates by the client becomes optional, and clients that 895support raw public keys may elect to use them. 896Clients that don't support raw public keys or prefer to use X.509 897certificates can still elect to send X.509 certificates as usual. 898 899Raw public keys are extracted from the configured certificate/private key. 900 901=back 902 903=head1 CONNECTED COMMANDS 904 905If a connection request is established with an SSL client and neither the 906B<-www> nor the B<-WWW> option has been used then normally any data received 907from the client is displayed and any key presses will be sent to the client. 908 909Certain commands are also recognized which perform special operations. These 910commands are a letter which must appear at the start of a line. They are listed 911below. 912 913=over 4 914 915=item B<q> 916 917End the current SSL connection but still accept new connections. 918 919=item B<Q> 920 921End the current SSL connection and exit. 922 923=item B<r> 924 925Renegotiate the SSL session (TLSv1.2 and below only). 926 927=item B<R> 928 929Renegotiate the SSL session and request a client certificate (TLSv1.2 and below 930only). 931 932=item B<P> 933 934Send some plain text down the underlying TCP connection: this should 935cause the client to disconnect due to a protocol violation. 936 937=item B<S> 938 939Print out some session cache status information. 940 941=item B<k> 942 943Send a key update message to the client (TLSv1.3 only) 944 945=item B<K> 946 947Send a key update message to the client and request one back (TLSv1.3 only) 948 949=item B<c> 950 951Send a certificate request to the client (TLSv1.3 only) 952 953=back 954 955=head1 NOTES 956 957This command can be used to debug SSL clients. To accept connections 958from a web browser the command: 959 960 openssl s_server -accept 443 -www 961 962can be used for example. 963 964Although specifying an empty list of CAs when requesting a client certificate 965is strictly speaking a protocol violation, some SSL clients interpret this to 966mean any CA is acceptable. This is useful for debugging purposes. 967 968The session parameters can printed out using the L<openssl-sess_id(1)> command. 969 970=head1 BUGS 971 972Because this program has a lot of options and also because some of the 973techniques used are rather old, the C source for this command is rather 974hard to read and not a model of how things should be done. 975A typical SSL server program would be much simpler. 976 977The output of common ciphers is wrong: it just gives the list of ciphers that 978OpenSSL recognizes and the client supports. 979 980There should be a way for this command to print out details 981of any unknown cipher suites a client says it supports. 982 983=head1 SEE ALSO 984 985L<openssl(1)>, 986L<openssl-sess_id(1)>, 987L<openssl-s_client(1)>, 988L<openssl-ciphers(1)>, 989L<SSL_CONF_cmd(3)>, 990L<SSL_CTX_set_max_send_fragment(3)>, 991L<SSL_CTX_set_split_send_fragment(3)>, 992L<SSL_CTX_set_max_pipelines(3)>, 993L<ossl_store-file(7)> 994 995=head1 HISTORY 996 997The -no_alt_chains option was added in OpenSSL 1.1.0. 998 999The 1000-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. 1001 1002The B<-srpvfile>, B<-srpuserseed>, and B<-engine> 1003option were deprecated in OpenSSL 3.0. 1004 1005The 1006B<-enable_client_rpk>, 1007B<-enable_server_rpk>, 1008B<-no_rx_cert_comp>, 1009B<-no_tx_cert_comp>, 1010and B<-tfo> 1011options were added in OpenSSL 3.2. 1012 1013=head1 COPYRIGHT 1014 1015Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. 1016 1017Licensed under the Apache License 2.0 (the "License"). You may not use 1018this file except in compliance with the License. You can obtain a copy 1019in the file LICENSE in the source distribution or at 1020L<https://www.openssl.org/source/license.html>. 1021 1022=cut 1023