Merge branch 'vendor/OPENSSL'
[dragonfly.git] / secure / usr.bin / openssl / man / s_client.1
CommitLineData
e257b235 1.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
8b0cefbb
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
8b0cefbb
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
8b0cefbb
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb 50.\"
e257b235
PA
51.\" Escape single quotes in literal strings from groff's Unicode transform.
52.ie \n(.g .ds Aq \(aq
53.el .ds Aq '
54.\"
8b0cefbb
JR
55.\" If the F register is turned on, we'll generate index entries on stderr for
56.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
57.\" entries marked with X<> in POD. Of course, you'll have to process the
58.\" output yourself in some meaningful fashion.
e257b235 59.ie \nF \{\
8b0cefbb
JR
60. de IX
61. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 62..
8b0cefbb
JR
63. nr % 0
64. rr F
984263bc 65.\}
e257b235
PA
66.el \{\
67. de IX
68..
69.\}
aac4ff6f 70.\"
8b0cefbb
JR
71.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
72.\" Fear. Run. Save yourself. No user-serviceable parts.
73. \" fudge factors for nroff and troff
984263bc 74.if n \{\
8b0cefbb
JR
75. ds #H 0
76. ds #V .8m
77. ds #F .3m
78. ds #[ \f1
79. ds #] \fP
984263bc
MD
80.\}
81.if t \{\
8b0cefbb
JR
82. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
83. ds #V .6m
84. ds #F 0
85. ds #[ \&
86. ds #] \&
984263bc 87.\}
8b0cefbb 88. \" simple accents for nroff and troff
984263bc 89.if n \{\
8b0cefbb
JR
90. ds ' \&
91. ds ` \&
92. ds ^ \&
93. ds , \&
94. ds ~ ~
95. ds /
984263bc
MD
96.\}
97.if t \{\
8b0cefbb
JR
98. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
99. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
100. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
101. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
102. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
103. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 104.\}
8b0cefbb 105. \" troff and (daisy-wheel) nroff accents
984263bc
MD
106.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
107.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
108.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
109.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
110.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
111.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
112.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
113.ds ae a\h'-(\w'a'u*4/10)'e
114.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 115. \" corrections for vroff
984263bc
MD
116.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
117.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 118. \" for low resolution devices (crt and lpr)
984263bc
MD
119.if \n(.H>23 .if \n(.V>19 \
120\{\
8b0cefbb
JR
121. ds : e
122. ds 8 ss
123. ds o a
124. ds d- d\h'-1'\(ga
125. ds D- D\h'-1'\(hy
126. ds th \o'bp'
127. ds Th \o'LP'
128. ds ae ae
129. ds Ae AE
984263bc
MD
130.\}
131.rm #[ #] #H #V #F C
8b0cefbb
JR
132.\" ========================================================================
133.\"
134.IX Title "S_CLIENT 1"
fc468453 135.TH S_CLIENT 1 "2010-02-27" "0.9.8m" "OpenSSL"
e257b235
PA
136.\" For nroff, turn off justification. Always turn off hyphenation; it makes
137.\" way too many mistakes in technical documents.
138.if n .ad l
139.nh
984263bc 140.SH "NAME"
e3cdf75b 141s_client \- SSL/TLS client program
984263bc 142.SH "SYNOPSIS"
8b0cefbb
JR
143.IX Header "SYNOPSIS"
144\&\fBopenssl\fR \fBs_client\fR
e3cdf75b 145[\fB\-connect host:port\fR]
984263bc
MD
146[\fB\-verify depth\fR]
147[\fB\-cert filename\fR]
a561f9ff 148[\fB\-certform DER|PEM\fR]
984263bc 149[\fB\-key filename\fR]
a561f9ff
SS
150[\fB\-keyform DER|PEM\fR]
151[\fB\-pass arg\fR]
984263bc
MD
152[\fB\-CApath directory\fR]
153[\fB\-CAfile filename\fR]
154[\fB\-reconnect\fR]
155[\fB\-pause\fR]
156[\fB\-showcerts\fR]
157[\fB\-debug\fR]
158[\fB\-msg\fR]
159[\fB\-nbio_test\fR]
160[\fB\-state\fR]
161[\fB\-nbio\fR]
162[\fB\-crlf\fR]
163[\fB\-ign_eof\fR]
164[\fB\-quiet\fR]
165[\fB\-ssl2\fR]
166[\fB\-ssl3\fR]
167[\fB\-tls1\fR]
168[\fB\-no_ssl2\fR]
169[\fB\-no_ssl3\fR]
170[\fB\-no_tls1\fR]
171[\fB\-bugs\fR]
172[\fB\-cipher cipherlist\fR]
e3cdf75b 173[\fB\-starttls protocol\fR]
984263bc 174[\fB\-engine id\fR]
2c0715f4
PA
175[\fB\-tlsextdebug\fR]
176[\fB\-no_ticket\fR]
177[\fB\-sess_out filename\fR]
178[\fB\-sess_in filename\fR]
e3cdf75b 179[\fB\-rand file(s)\fR]
984263bc 180.SH "DESCRIPTION"
8b0cefbb
JR
181.IX Header "DESCRIPTION"
182The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
183to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for
184\&\s-1SSL\s0 servers.
984263bc 185.SH "OPTIONS"
8b0cefbb
JR
186.IX Header "OPTIONS"
187.IP "\fB\-connect host:port\fR" 4
188.IX Item "-connect host:port"
984263bc
MD
189This specifies the host and optional port to connect to. If not specified
190then an attempt is made to connect to the local host on port 4433.
8b0cefbb
JR
191.IP "\fB\-cert certname\fR" 4
192.IX Item "-cert certname"
984263bc
MD
193The certificate to use, if one is requested by the server. The default is
194not to use a certificate.
a561f9ff
SS
195.IP "\fB\-certform format\fR" 4
196.IX Item "-certform format"
197The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
8b0cefbb
JR
198.IP "\fB\-key keyfile\fR" 4
199.IX Item "-key keyfile"
984263bc
MD
200The private key to use. If not specified then the certificate file will
201be used.
a561f9ff
SS
202.IP "\fB\-keyform format\fR" 4
203.IX Item "-keyform format"
204The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
205.IP "\fB\-pass arg\fR" 4
206.IX Item "-pass arg"
207the private key password source. For more information about the format of \fBarg\fR
208see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
8b0cefbb
JR
209.IP "\fB\-verify depth\fR" 4
210.IX Item "-verify depth"
984263bc
MD
211The verify depth to use. This specifies the maximum length of the
212server certificate chain and turns on server certificate verification.
213Currently the verify operation continues after errors so all the problems
214with a certificate chain can be seen. As a side effect the connection
215will never fail due to a server certificate verify failure.
8b0cefbb
JR
216.IP "\fB\-CApath directory\fR" 4
217.IX Item "-CApath directory"
984263bc
MD
218The directory to use for server certificate verification. This directory
219must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
220also used when building the client certificate chain.
8b0cefbb
JR
221.IP "\fB\-CAfile file\fR" 4
222.IX Item "-CAfile file"
984263bc
MD
223A file containing trusted certificates to use during server authentication
224and to use when attempting to build the client certificate chain.
8b0cefbb
JR
225.IP "\fB\-reconnect\fR" 4
226.IX Item "-reconnect"
984263bc
MD
227reconnects to the same server 5 times using the same session \s-1ID\s0, this can
228be used as a test that session caching is working.
8b0cefbb
JR
229.IP "\fB\-pause\fR" 4
230.IX Item "-pause"
984263bc 231pauses 1 second between each read and write call.
8b0cefbb
JR
232.IP "\fB\-showcerts\fR" 4
233.IX Item "-showcerts"
984263bc
MD
234display the whole server certificate chain: normally only the server
235certificate itself is displayed.
8b0cefbb
JR
236.IP "\fB\-prexit\fR" 4
237.IX Item "-prexit"
984263bc
MD
238print session information when the program exits. This will always attempt
239to print out information even if the connection fails. Normally information
240will only be printed out once if the connection succeeds. This option is useful
241because the cipher in use may be renegotiated or the connection may fail
242because a client certificate is required or is requested only after an
243attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
244option is not always accurate because a connection might never have been
245established.
8b0cefbb
JR
246.IP "\fB\-state\fR" 4
247.IX Item "-state"
984263bc 248prints out the \s-1SSL\s0 session states.
8b0cefbb
JR
249.IP "\fB\-debug\fR" 4
250.IX Item "-debug"
984263bc 251print extensive debugging information including a hex dump of all traffic.
8b0cefbb
JR
252.IP "\fB\-msg\fR" 4
253.IX Item "-msg"
984263bc 254show all protocol messages with hex dump.
8b0cefbb
JR
255.IP "\fB\-nbio_test\fR" 4
256.IX Item "-nbio_test"
984263bc 257tests non-blocking I/O
8b0cefbb
JR
258.IP "\fB\-nbio\fR" 4
259.IX Item "-nbio"
984263bc 260turns on non-blocking I/O
8b0cefbb
JR
261.IP "\fB\-crlf\fR" 4
262.IX Item "-crlf"
984263bc
MD
263this option translated a line feed from the terminal into \s-1CR+LF\s0 as required
264by some servers.
8b0cefbb
JR
265.IP "\fB\-ign_eof\fR" 4
266.IX Item "-ign_eof"
984263bc
MD
267inhibit shutting down the connection when end of file is reached in the
268input.
8b0cefbb
JR
269.IP "\fB\-quiet\fR" 4
270.IX Item "-quiet"
984263bc
MD
271inhibit printing of session and certificate information. This implicitly
272turns on \fB\-ign_eof\fR as well.
8b0cefbb
JR
273.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
274.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
984263bc
MD
275these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
276the initial handshake uses a method which should be compatible with all
277servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
278.Sp
279Unfortunately there are a lot of ancient and broken servers in use which
280cannot handle this technique and will fail to connect. Some servers only
281work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only
282support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
8b0cefbb
JR
283.IP "\fB\-bugs\fR" 4
284.IX Item "-bugs"
984263bc
MD
285there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
286option enables various workarounds.
8b0cefbb
JR
287.IP "\fB\-cipher cipherlist\fR" 4
288.IX Item "-cipher cipherlist"
984263bc
MD
289this allows the cipher list sent by the client to be modified. Although
290the server determines which cipher suite is used it should take the first
291supported cipher in the list sent by the client. See the \fBciphers\fR
292command for more information.
8b0cefbb
JR
293.IP "\fB\-starttls protocol\fR" 4
294.IX Item "-starttls protocol"
295send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
296\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
edae4a78 297supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R".
2c0715f4
PA
298.IP "\fB\-tlsextdebug\fR" 4
299.IX Item "-tlsextdebug"
300print out a hex dump of any \s-1TLS\s0 extensions received from the server. Note: this
301option is only available if extension support is explicitly enabled at compile
302time
303.IP "\fB\-no_ticket\fR" 4
304.IX Item "-no_ticket"
305disable RFC4507bis session ticket support. Note: this option is only available
306if extension support is explicitly enabled at compile time
307.IP "\fB\-sess_out filename\fR" 4
308.IX Item "-sess_out filename"
309output \s-1SSL\s0 session to \fBfilename\fR
310.IP "\fB\-sess_in sess.pem\fR" 4
311.IX Item "-sess_in sess.pem"
312load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a
313connection from this session.
8b0cefbb
JR
314.IP "\fB\-engine id\fR" 4
315.IX Item "-engine id"
984263bc
MD
316specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR
317to attempt to obtain a functional reference to the specified engine,
318thus initialising it if needed. The engine will then be set as the default
319for all available algorithms.
8b0cefbb
JR
320.IP "\fB\-rand file(s)\fR" 4
321.IX Item "-rand file(s)"
984263bc 322a file or files containing random data used to seed the random number
8b0cefbb
JR
323generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
324Multiple files can be specified separated by a OS-dependent character.
e257b235 325The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
984263bc
MD
326all others.
327.SH "CONNECTED COMMANDS"
8b0cefbb
JR
328.IX Header "CONNECTED COMMANDS"
329If a connection is established with an \s-1SSL\s0 server then any data received
984263bc
MD
330from the server is displayed and any key presses will be sent to the
331server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR
332have been given), the session will be renegotiated if the line begins with an
8b0cefbb 333\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the
984263bc
MD
334connection will be closed down.
335.SH "NOTES"
8b0cefbb
JR
336.IX Header "NOTES"
337\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0
984263bc
MD
338server the command:
339.PP
340.Vb 1
e257b235 341\& openssl s_client \-connect servername:443
984263bc 342.Ve
8b0cefbb 343.PP
984263bc 344would typically be used (https uses port 443). If the connection succeeds
8b0cefbb 345then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
984263bc
MD
346.PP
347If the handshake fails then there are several possible causes, if it is
348nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
8b0cefbb 349\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
984263bc
MD
350in case it is a buggy server. In particular you should play with these
351options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
352.PP
353A frequent problem when attempting to get client certificates working
354is that a web client complains it has no certificates or gives an empty
355list to choose from. This is normally because the server is not sending
8b0cefbb
JR
356the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
357requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
984263bc 358and checked. However some servers only request client authentication
8b0cefbb
JR
359after a specific \s-1URL\s0 is requested. To obtain the list in this case it
360is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
984263bc
MD
361for an appropriate page.
362.PP
363If a certificate is specified on the command line using the \fB\-cert\fR
364option it will not be used unless the server specifically requests
365a client certificate. Therefor merely including a client certificate
366on the command line is no guarantee that the certificate works.
367.PP
368If there are problems verifying a server certificate then the
8b0cefbb 369\&\fB\-showcerts\fR option can be used to show the whole chain.
2c0715f4
PA
370.PP
371Since the SSLv23 client hello cannot include compression methods or extensions
372these will only be supported if its use is disabled, for example by using the
373\&\fB\-no_sslv2\fR option.
374.PP
375\&\s-1TLS\s0 extensions are only supported in OpenSSL 0.9.8 if they are explictly
376enabled at compile time using for example the \fBenable-tlsext\fR switch.
984263bc 377.SH "BUGS"
8b0cefbb 378.IX Header "BUGS"
984263bc
MD
379Because this program has a lot of options and also because some of
380the techniques used are rather old, the C source of s_client is rather
381hard to read and not a model of how things should be done. A typical
8b0cefbb 382\&\s-1SSL\s0 client program would be much simpler.
984263bc
MD
383.PP
384The \fB\-verify\fR option should really exit if the server verification
385fails.
386.PP
387The \fB\-prexit\fR option is a bit of a hack. We should really report
388information whenever a session is renegotiated.
389.SH "SEE ALSO"
e3cdf75b 390.IX Header "SEE ALSO"
8b0cefbb 391\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)