From 0bae19607238fa36cd5020f2c96c7bdbf17dd280 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 7 Jun 2017 11:43:03 +0100
Subject: Clean up s_server documentation
List the options in the same order and in the same style as the output from "openssl s_server -help"
Reviewed-by: Rich Salz
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/3628)
---
 doc/man1/s_server.pod | 654 +++++++++++++++++++++++++++-----------------------
 1 file changed, 355 insertions(+), 299 deletions(-)
(limited to 'doc/man1/s_server.pod')
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index db712f90e9..2a8cafebc9 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -8,116 +8,171 @@ s_server - SSL/TLS server program
 B B
 [B<-help>]
-[B<-port port>]
+[B<-port +int>]
 [B<-accept val>]
-[B<-naccept count>]
 [B<-unix val>]
-[B<-unlink>]
 [B<-4>]
 [B<-6>]
-[B<-context id>]
-[B<-verify depth>]
-[B<-Verify depth>]
-[B<-crl_check>]
-[B<-crl_check_all>]
-[B<-cert filename>]
-[B<-certform DER|PEM>]
-[B<-key keyfile>]
-[B<-keyform DER|PEM>]
-[B<-pass arg>]
-[B<-dcert filename>]
-[B<-dcertform DER|PEM>]
-[B<-dkey keyfile>]
-[B<-dkeyform DER|PEM>]
-[B<-dpass arg>]
-[B<-dhparam filename>]
-[B<-nbio>]
+[B<-unlink>]
+[B<-context val>]
+[B<-verify int>]
+[B<-Verify int>]
+[B<-cert infile>]
+[B<-nameopt val>]
+[B<-naccept +int>]
+[B<-serverinfo val>]
+[B<-certform PEM|DER>]
+[B<-key infile>]
+[B<-keyform format>]
+[B<-pass val>]
+[B<-dcert infile>]
+[B<-dcertform PEM|DER>]
+[B<-dkey infile>]
+[B<-dkeyform PEM|DER>]
+[B<-dpass val>]
 [B<-nbio_test>]
 [B<-crlf>]
 [B<-debug>]
 [B<-msg>]
+[B<-msgfile outfile>]
 [B<-state>]
-[B<-CApath directory>]
-[B<-CAfile filename>]
+[B<-CAfile infile>]
+[B<-CApath dir>]
 [B<-no-CAfile>]
 [B<-no-CApath>]
-[B<-attime timestamp>]
-[B<-check_ss_sig>]
-[B<-explicit_policy>]
-[B<-extended_crl>]
+[B<-nocert>]
+[B<-quiet>]
+[B<-no_resume_ephemeral>]
+[B<-www>]
+[B<-WWW>]
+[B<-servername>]
+[B<-servername_fatal>]
+[B<-cert2 infile>]
+[B<-key2 infile>]
+[B<-tlsextdebug>]
+[B<-HTTP>]
+[B<-id_prefix val>]
+[B<-rand val>]
+[B<-keymatexport val>]
+[B<-keymatexportlen +int>]
+[B<-CRL infile>]
+[B<-crl_download>]
+[B<-cert_chain infile>]
+[B<-dcert_chain infile>]
+[B<-chainCApath dir>]
+[B<-verifyCApath dir>]
+[B<-no_cache>]
+[B<-ext_cache>]
+[B<-CRLform PEM|DER>]
+[B<-verify_return_error>]
+[B<-verify_quiet>]
+[B<-build_chain>]
+[B<-chainCAfile infile>]
+[B<-verifyCAfile infile>]
+[B<-ign_eof>]
+[B<-no_ign_eof>]
+[B<-status>]
+[B<-status_verbose>]
+[B<-status_timeout int>]
+[B<-status_url val>]
+[B<-status_file infile>]
+[B<-trace>]
+[B<-security_debug>]
+[B<-security_debug_verbose>]
+[B<-brief>]
+[B<-rev>]
+[B<-async>]
+[B<-ssl_config val>]
+[B<-max_send_frag +int>]
+[B<-split_send_frag +int>]
+[B<-max_pipelines +int>]
+[B<-read_buf +int>]
+[B<-no_ssl3>]
+[B<-no_tls1>]
+[B<-no_tls1_1>]
+[B<-no_tls1_2>]
+[B<-no_tls1_3>]
+[B<-bugs>]
+[B<-no_comp>]
+[B<-comp>]
+[B<-no_ticket>]
+[B<-serverpref>]
+[B<-legacy_renegotiation>]
+[B<-no_renegotiation>]
+[B<-legacy_server_connect>]
+[B<-no_resumption_on_reneg>]
+[B<-no_legacy_server_connect>]
+[B<-strict>]
+[B<-sigalgs val>]
+[B<-client_sigalgs val>]
+[B<-groups val>]
+[B<-curves val>]
+[B<-named_curve val>]
+[B<-cipher val>]
+[B<-dhparam infile>]
+[B<-record_padding val>]
+[B<-debug_broken_protocol>]
+[B<-policy val>]
+[B<-purpose val>]
+[B<-verify_name val>]
+[B<-verify_depth int>]
+[B<-auth_level int>]
+[B<-attime intmax>]
+[B<-verify_hostname val>]
+[B<-verify_email val>]
+[B<-verify_ip>]
 [B<-ignore_critical>]
+[B<-issuer_checks>]
+[B<-crl_check>]
+[B<-crl_check_all>]
+[B<-policy_check>]
+[B<-explicit_policy>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-no_check_time>]
-[B<-partial_chain>]
-[B<-policy arg>]
-[B<-policy_check>]
+[B<-x509_strict>]
+[B<-extended_crl>]
+[B<-use_deltas>]
 [B<-policy_print>]
-[B<-purpose purpose>]
-[B<-suiteB_128>]
+[B<-check_ss_sig>]
+[B<-trusted_first>]
 [B<-suiteB_128_only>]
+[B<-suiteB_128>]
 [B<-suiteB_192>]
-[B<-trusted_first>]
+[B<-partial_chain>]
 [B<-no_alt_chains>]
-[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-nameopt option>]
-[B<-verify_depth num>]
-[B<-verify_return_error>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
-[B<-x509_strict>]
-[B<-nocert>]
-[B<-client_sigalgs sigalglist>]
-[B<-named_curve curve>]
-[B<-cipher cipherlist>]
-[B<-serverpref>]
-[B<-quiet>]
+[B<-no_check_time>]
+[B<-allow_proxy_certs>]
+[B<-xkey>]
+[B<-xcert>]
+[B<-xchain>]
+[B<-xchain_build>]
+[B<-xcertform PEM|DER>]
+[B<-xkeyform PEM|DER>]
+[B<-nbio>]
+[B<-psk_identity val>]
+[B<-psk_hint val>]
+[B<-psk val>]
+[B<-srpvfile infile>]
+[B<-srpuserseed val>]
 [B<-ssl3>]
[B<-tls1>] [B<-tls1_1>] [B<-tls1_2>] [B<-tls1_3>] [B<-dtls>] +[B<-timeout>] +[B<-mtu +int>] +[B<-listen>] [B<-dtls1>] [B<-dtls1_2>] [B<-sctp>] -[B<-listen>] -[B<-async>] -[B<-max_send_frag>] -[B<-split_send_frag>] -[B<-max_pipelines>] -[B<-read_buf>] -[B<-no_ssl3>] -[B<-no_tls1>] -[B<-no_tls1_1>] -[B<-no_tls1_2>] -[B<-no_tls1_3>] [B<-no_dhe>] -[B<-bugs>] -[B<-comp>] -[B<-no_comp>] -[B<-brief>] -[B<-www>] -[B<-WWW>] -[B<-HTTP>] -[B<-engine id>] -[B<-tlsextdebug>] -[B<-no_ticket>] -[B<-id_prefix arg>] -[B<-rand file(s)>] -[B<-serverinfo file>] -[B<-no_resumption_on_reneg>] -[B<-status>] -[B<-status_verbose>] -[B<-status_timeout nsec>] -[B<-status_url url>] -[B<-status_file file>] -[B<-alpn protocols>] -[B<-nextprotoneg protocols>] -[B<-max_early_data>] +[B<-nextprotoneg val>] +[B<-use_srtp val>] +[B<-alpn val>] +[B<-engine val>] +[B<-keylogfile outfile>] +[B<-max_early_data int>] [B<-early_data>] =head1 DESCRIPTION @@ -138,7 +193,7 @@ manual page. Print out a usage message. -=item B<-port port> +=item B<-port +int> The TCP port to listen on for connections. If not specified 4433 is used. @@ -146,18 +201,10 @@ The TCP port to listen on for connections. If not specified 4433 is used. The optional TCP host and port to listen on for connections. If not specified, *:4433 is used. -=item B<-naccept count> - -The server will exit after receiving B connections, default unlimited. - =item B<-unix val> Unix domain socket to accept on. -=item B<-unlink> - -For -unix, unlink existing socket first. - =item B<-4> Use IPv4 only. 
@@ -166,23 +213,58 @@ Use IPv4 only. Use IPv6 only. -=item B<-context id> +=item B<-unlink> + +For -unix, unlink any existing socket first. + +=item B<-context val> Sets the SSL context id. It can be given any string value. If this option is not present a default value will be used. -=item B<-cert certname> +=item B<-verify int>, B<-Verify int> + +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the B<-verify> option a certificate is requested but the +client does not have to send one, with the B<-Verify> option the client +must supply a certificate or an error occurs. + +If the cipher suite cannot request a client certificate (for example an +anonymous cipher suite or PSK) this option has no effect. + +=item B<-cert infile> The certificate to use, most servers cipher suites require the use of a certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS (DSA) key. If not specified then the filename "server.pem" will be used. -=item B<-certform format> +=item B<-nameopt val> + +Option which determines how the subject or issuer names are displayed. The +B argument can be a single option or multiple options separated by +commas. Alternatively the B<-nameopt> switch may be used more than once to +set multiple options. See the L manual page for details. + +=item B<-naccept +int> + +The server will exit after receiving the specified number of connections, +default unlimited. + +=item B<-serverinfo val> + +A file containing one or more blocks of PEM data. Each PEM block +must encode a TLS ServerHello extension (2 bytes type, 2 bytes length, +followed by "length" bytes of extension data). If the client sends +an empty TLS ClientHello extension matching the type, the corresponding +ServerHello extension will be returned. 
+ +=item B<-certform PEM|DER> The certificate format to use: DER or PEM. PEM is the default. -=item B<-key keyfile> +=item B<-key infile> The private key to use. If not specified then the certificate file will be used. @@ -191,12 +273,12 @@ be used. The private format to use: DER or PEM. PEM is the default. -=item B<-pass arg> +=item B<-pass val> -The private key password source. For more information about the format of B +The private key password source. For more information about the format of B see the B section in L. -=item B<-dcert filename>, B<-dkey keyname> +=item B<-dcert infile>, B<-dkey infile> Specify an additional certificate and private key, these behave in the same manner as the B<-cert> and B<-key> options except there is no default 
@@ -207,48 +289,47 @@ and some a DSS (DSA) key. By using RSA and DSS certificates and keys a server can support clients which only support RSA or DSS cipher suites by using an appropriate certificate. -=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg> +=item B<-dcertform PEM|DER>, B<-dkeyform PEM|DER>, B<-dpass val> Additional certificate and private key format and passphrase respectively. -=item B<-nocert> +=item B<-nbio_test> -If this option is set then no certificate is used. This restricts the -cipher suites available to the anonymous ones (currently just anonymous -DH). +Tests non blocking I/O. -=item B<-dhparam filename> +=item B<-crlf> -The DH parameter file to use. The ephemeral DH cipher suites generate keys -using a set of DH parameters. If not specified then an attempt is made to -load the parameters from the server certificate file. -If this fails then a static set of parameters hard coded into the B -program will be used. +This option translated a line feed from the terminal into CR+LF. -=item B<-no_dhe> +=item B<-debug> -If this option is set then no DH parameters will be loaded effectively -disabling the ephemeral DH cipher suites. +Print extensive debugging information including a hex dump of all traffic. -=item B<-crl_check>, B<-crl_check_all> +=item B<-msg> -Check the peer certificate has not been revoked by its CA. -The CRL(s) are appended to the certificate file. With the B<-crl_check_all> -option all CRLs of all CAs in the chain are checked. +Show all protocol messages with hex dump. -=item B<-CApath directory> +=item B<-msgfile outfile> -The directory to use for client certificate verification. This directory -must be in "hash format", see B for more information. These are -also used when building the server certificate chain. +File to send output of B<-msg> or B<-trace> to, default standard output. -=item B<-CAfile file> +=item B<-state> + +Prints the SSL session states. 
+ +=item B<-CAfile infile> A file containing trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-CApath dir> + +The directory to use for client certificate verification. This directory +must be in "hash format", see B for more information. These are +also used when building the server certificate chain. + =item B<-no-CAfile> Do not load the trusted CA certificates from the default file location. @@ -257,125 +338,100 @@ Do not load the trusted CA certificates from the default file location. Do not load the trusted CA certificates from the default directory location. -=item B<-verify depth>, B<-Verify depth> - -The verify depth to use. This specifies the maximum length of the -client certificate chain and makes the server request a certificate from -the client. With the B<-verify> option a certificate is requested but the -client does not have to send one, with the B<-Verify> option the client -must supply a certificate or an error occurs. - -If the cipher suite cannot request a client certificate (for example an -anonymous cipher suite or PSK) this option has no effect. - -=item B<-nameopt option> - -Option which determines how the subject or issuer names are displayed. The -B