[dragonfly.git] / secure / usr.bin / openssl / man / s_time.1

.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "S_TIME 1"
.TH S_TIME 1 "2012-01-04" "1.0.0f" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
s_time \- SSL/TLS performance timing program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_time\fR
[\fB\-connect host:port\fR]
[\fB\-www page\fR]
[\fB\-cert filename\fR]
[\fB\-key filename\fR]
[\fB\-CApath directory\fR]
[\fB\-CAfile filename\fR]
[\fB\-reuse\fR]
[\fB\-new\fR]
[\fB\-verify depth\fR]
[\fB\-nbio\fR]
[\fB\-time seconds\fR]
[\fB\-ssl2\fR]
[\fB\-ssl3\fR]
[\fB\-bugs\fR]
[\fB\-cipher cipherlist\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a
remote host using \s-1SSL/TLS\s0. It can request a page from the server and includes
the time to transfer the payload data in its timing measurements. It measures
the number of connections within a given timeframe, the amount of data
transferred (if any), and calculates the average time spent for one connection.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-connect host:port\fR" 4
.IX Item "-connect host:port"
This specifies the host and optional port to connect to.
.IP "\fB\-www page\fR" 4
.IX Item "-www page"
This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the
index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only
perform the handshake to establish \s-1SSL\s0 connections but not transfer any
payload data.
.IP "\fB\-cert certname\fR" 4
.IX Item "-cert certname"
The certificate to use, if one is requested by the server. The default is
not to use a certificate. The file is in \s-1PEM\s0 format.
.IP "\fB\-key keyfile\fR" 4
.IX Item "-key keyfile"
The private key to use. If not specified then the certificate file will
be used. The file is in \s-1PEM\s0 format.
.IP "\fB\-verify depth\fR" 4
.IX Item "-verify depth"
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
.IP "\fB\-CApath directory\fR" 4
.IX Item "-CApath directory"
The directory to use for server certificate verification. This directory
must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
also used when building the client certificate chain.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
.IP "\fB\-new\fR" 4
.IX Item "-new"
performs the timing test using a new session \s-1ID\s0 for each connection.
If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default
and executed in sequence.
.IP "\fB\-reuse\fR" 4
.IX Item "-reuse"
performs the timing test using the same session \s-1ID\s0; this can be used as a test
that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are
specified, they are both on by default and executed in sequence.
.IP "\fB\-nbio\fR" 4
.IX Item "-nbio"
turns on non-blocking I/O.
.IP "\fB\-ssl2\fR, \fB\-ssl3\fR" 4
.IX Item "-ssl2, -ssl3"
these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
the initial handshake uses a method which should be compatible with all
servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
The timing program is not as rich in options to turn protocols on and off as
the \fIs_client\fR\|(1) program and may not connect to all servers.
.Sp
Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option; others
will only support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
.IP "\fB\-cipher cipherlist\fR" 4
.IX Item "-cipher cipherlist"
this allows the cipher list sent by the client to be modified. Although
the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client.
See the \fIciphers\fR\|(1) command for more information.
.IP "\fB\-time length\fR" 4
.IX Item "-time length"
specifies how long (in seconds) \fBs_time\fR should establish connections and
optionally transfer payload data from a server. Server and client performance
and the link speed determine how many connections \fBs_time\fR can establish.
.SH "NOTES"
.IX Header "NOTES"
\&\fBs_client\fR can be used to measure the performance of an \s-1SSL\s0 connection.
To connect to an \s-1SSL\s0 \s-1HTTP\s0 server and get the default page the command
.PP
.Vb 1
\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3]
.Ve
.PP
would typically be used (https uses port 443). 'commoncipher' is a cipher to
which both client and server can agree, see the \fIciphers\fR\|(1) command
for details.
.PP
If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
\&\fB\-ssl3\fR options can be tried
in case it is a buggy server. In particular you should play with these
options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
.PP
A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
requests a certificate. By using \fIs_client\fR\|(1) the \s-1CA\s0 list can be
viewed and checked. However some servers only request client authentication
after a specific \s-1URL\s0 is requested. To obtain the list in this case it
is necessary to use the \fB\-prexit\fR option of \fIs_client\fR\|(1) and
send an \s-1HTTP\s0 request for an appropriate page.
.PP
If a certificate is specified on the command line using the \fB\-cert\fR
option it will not be used unless the server specifically requests
a client certificate. Therefor merely including a client certificate
on the command line is no guarantee that the certificate works.
.SH "BUGS"
.IX Header "BUGS"
Because this program does not have all the options of the
\&\fIs_client\fR\|(1) program to turn protocols on and off, you may not be
able to measure the performance of all protocols with all servers.
.PP
The \fB\-verify\fR option should really exit if the server verification
fails.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)
Commit	Line	Data
e3261593	1	.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
8b0cefbb JR	2	.\"
	3	.\" Standard preamble:
	4	.\" ========================================================================
8b0cefbb	5	.de Sp \" Vertical space (when we can't use .PP)
e3cdf75b JR	6	.if t .sp .5v
	7	.if n .sp
	8	..
8b0cefbb	9	.de Vb \" Begin verbatim text
e3cdf75b JR	10	.ft CW
	11	.nf
	12	.ne \\$1
	13	..
8b0cefbb	14	.de Ve \" End verbatim text
e3cdf75b	15	.ft R
e3cdf75b JR	16	.fi
e3cdf75b JR	17	..
8b0cefbb JR	18	.\" Set up some character translations and predefined strings. \*(-- will
8b0cefbb JR	19	.\" give an unbreakable dash, \(PI will give pi, \(L" will give a left
e257b235 PA	20	.\" double quote, and \(R" will give a right double quote. \(C+ will
	21	.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
	22	.\" therefore won't be available. \(C` and \(C' expand to `' in nroff,
	23	.\" nothing in troff, for use with C<>.
	24	.tr \(*W-
8b0cefbb	25	.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
e3cdf75b	26	.ie n \{\
8b0cefbb JR	27	. ds -- \(*W-
	28	. ds PI pi
	29	. if (\n(.H=4u)&(1m=24u) .ds -- \(W\h'-12u'\(W\h'-12u'-\" diablo 10 pitch
	30	. if (\n(.H=4u)&(1m=20u) .ds -- \(W\h'-12u'\(W\h'-8u'-\" diablo 12 pitch
	31	. ds L" ""
	32	. ds R" ""
	33	. ds C` ""
	34	. ds C' ""
e3cdf75b JR	35	'br\}
e3cdf75b JR	36	.el\{\
8b0cefbb JR	37	. ds -- \\|\(em\\|
	38	. ds PI \(*p
	39	. ds L" ``
	40	. ds R" ''
e3cdf75b	41	'br\}
8b0cefbb	42	.\"
e257b235 PA	43	.\" Escape single quotes in literal strings from groff's Unicode transform.
	44	.ie \n(.g .ds Aq \(aq
	45	.el .ds Aq '
	46	.\"
8b0cefbb	47	.\" If the F register is turned on, we'll generate index entries on stderr for
01185282	48	.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb JR	49	.\" entries marked with X<> in POD. Of course, you'll have to process the
8b0cefbb JR	50	.\" output yourself in some meaningful fashion.
e257b235	51	.ie \nF \{\
8b0cefbb JR	52	. de IX
8b0cefbb JR	53	. tm Index:\\$1\t\\n%\t"\\$2"
e3cdf75b	54	..
8b0cefbb JR	55	. nr % 0
8b0cefbb JR	56	. rr F
e3cdf75b	57	.\}
e257b235 PA	58	.el \{\
	59	. de IX
	60	..
	61	.\}
aac4ff6f	62	.\"
8b0cefbb JR	63	.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
	64	.\" Fear. Run. Save yourself. No user-serviceable parts.
	65	. \" fudge factors for nroff and troff
e3cdf75b	66	.if n \{\
8b0cefbb JR	67	. ds #H 0
	68	. ds #V .8m
	69	. ds #F .3m
	70	. ds #[ \f1
	71	. ds #] \fP
e3cdf75b JR	72	.\}
e3cdf75b JR	73	.if t \{\
8b0cefbb JR	74	. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
	75	. ds #V .6m
	76	. ds #F 0
	77	. ds #[ \&
	78	. ds #] \&
e3cdf75b	79	.\}
8b0cefbb	80	. \" simple accents for nroff and troff
e3cdf75b	81	.if n \{\
8b0cefbb JR	82	. ds ' \&
	83	. ds ` \&
	84	. ds ^ \&
	85	. ds , \&
	86	. ds ~ ~
	87	. ds /
e3cdf75b JR	88	.\}
e3cdf75b JR	89	.if t \{\
8b0cefbb JR	90	. ds ' \\k:\h'-(\\n(.wu8/10-\(#H)'\'\h"\|\\n:u"
	91	. ds ` \\k:\h'-(\\n(.wu8/10-\(#H)'\`\h'\|\\n:u'
	92	. ds ^ \\k:\h'-(\\n(.wu10/11-\(#H)'^\h'\|\\n:u'
	93	. ds , \\k:\h'-(\\n(.wu*8/10)',\h'\|\\n:u'
	94	. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'\|\\n:u'
	95	. ds / \\k:\h'-(\\n(.wu8/10-\(#H)'\z\(sl\h'\|\\n:u'
e3cdf75b	96	.\}
8b0cefbb	97	. \" troff and (daisy-wheel) nroff accents
e3cdf75b JR	98	.ds : \\k:\h'-(\\n(.wu8/10-\(#H+.1m+\(#F)'\v'-\(#V'\z.\h'.2m+\(#F'.\h'\|\\n:u'\v'\(#V'
e3cdf75b JR	99	.ds 8 \h'\(#H'\(b\h'-\*(#H'
e3cdf75b JR	100	.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\(#H)/2u'\v'-.3n'\(#[\z\(de\v'.3n'\h'\|\\n:u'\*(#]
	101	.ds d- \h'\(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\(#H'
	102	.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'\|\\n:u'
	103	.ds th \(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u2/3)'\s-1o\s+1\*(#]
	104	.ds Th \(#[\s+2I\s-2\h'-\w'I'u3/5'\v'-.3m'o\v'.3m'\*(#]
	105	.ds ae a\h'-(\w'a'u*4/10)'e
	106	.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb	107	. \" corrections for vroff
e3cdf75b JR	108	.if v .ds ~ \\k:\h'-(\\n(.wu9/10-\(#H)'\s-2\u~\d\s+2\h'\|\\n:u'
e3cdf75b JR	109	.if v .ds ^ \\k:\h'-(\\n(.wu10/11-\(#H)'\v'-.4m'^\v'.4m'\h'\|\\n:u'
8b0cefbb	110	. \" for low resolution devices (crt and lpr)
e3cdf75b JR	111	.if \n(.H>23 .if \n(.V>19 \
e3cdf75b JR	112	\{\
8b0cefbb JR	113	. ds : e
	114	. ds 8 ss
	115	. ds o a
	116	. ds d- d\h'-1'\(ga
	117	. ds D- D\h'-1'\(hy
	118	. ds th \o'bp'
	119	. ds Th \o'LP'
	120	. ds ae ae
	121	. ds Ae AE
e3cdf75b JR	122	.\}
e3cdf75b JR	123	.rm #[ #] #H #V #F C
8b0cefbb JR	124	.\" ========================================================================
	125	.\"
	126	.IX Title "S_TIME 1"
e3261593	127	.TH S_TIME 1 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235 PA	128	.\" For nroff, turn off justification. Always turn off hyphenation; it makes
	129	.\" way too many mistakes in technical documents.
	130	.if n .ad l
	131	.nh
e3cdf75b JR	132	.SH "NAME"
	133	s_time \- SSL/TLS performance timing program
	134	.SH "SYNOPSIS"
8b0cefbb JR	135	.IX Header "SYNOPSIS"
8b0cefbb JR	136	\&\fBopenssl\fR \fBs_time\fR
e3cdf75b JR	137	[\fB\-connect host:port\fR]
	138	[\fB\-www page\fR]
	139	[\fB\-cert filename\fR]
	140	[\fB\-key filename\fR]
	141	[\fB\-CApath directory\fR]
	142	[\fB\-CAfile filename\fR]
	143	[\fB\-reuse\fR]
	144	[\fB\-new\fR]
	145	[\fB\-verify depth\fR]
	146	[\fB\-nbio\fR]
	147	[\fB\-time seconds\fR]
	148	[\fB\-ssl2\fR]
	149	[\fB\-ssl3\fR]
	150	[\fB\-bugs\fR]
	151	[\fB\-cipher cipherlist\fR]
	152	.SH "DESCRIPTION"
8b0cefbb JR	153	.IX Header "DESCRIPTION"
	154	The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a
	155	remote host using \s-1SSL/TLS\s0. It can request a page from the server and includes
e3cdf75b JR	156	the time to transfer the payload data in its timing measurements. It measures
	157	the number of connections within a given timeframe, the amount of data
	158	transferred (if any), and calculates the average time spent for one connection.
	159	.SH "OPTIONS"
8b0cefbb JR	160	.IX Header "OPTIONS"
	161	.IP "\fB\-connect host:port\fR" 4
	162	.IX Item "-connect host:port"
e3cdf75b	163	This specifies the host and optional port to connect to.
8b0cefbb JR	164	.IP "\fB\-www page\fR" 4
	165	.IX Item "-www page"
	166	This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the
e3cdf75b JR	167	index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only
	168	perform the handshake to establish \s-1SSL\s0 connections but not transfer any
	169	payload data.
8b0cefbb JR	170	.IP "\fB\-cert certname\fR" 4
8b0cefbb JR	171	.IX Item "-cert certname"
e3cdf75b JR	172	The certificate to use, if one is requested by the server. The default is
e3cdf75b JR	173	not to use a certificate. The file is in \s-1PEM\s0 format.
8b0cefbb JR	174	.IP "\fB\-key keyfile\fR" 4
8b0cefbb JR	175	.IX Item "-key keyfile"
e3cdf75b JR	176	The private key to use. If not specified then the certificate file will
e3cdf75b JR	177	be used. The file is in \s-1PEM\s0 format.
8b0cefbb JR	178	.IP "\fB\-verify depth\fR" 4
8b0cefbb JR	179	.IX Item "-verify depth"
e3cdf75b JR	180	The verify depth to use. This specifies the maximum length of the
	181	server certificate chain and turns on server certificate verification.
	182	Currently the verify operation continues after errors so all the problems
	183	with a certificate chain can be seen. As a side effect the connection
	184	will never fail due to a server certificate verify failure.
8b0cefbb JR	185	.IP "\fB\-CApath directory\fR" 4
8b0cefbb JR	186	.IX Item "-CApath directory"
e3cdf75b JR	187	The directory to use for server certificate verification. This directory
	188	must be in \(L"hash format\(R", see \fBverify\fR for more information. These are
	189	also used when building the client certificate chain.
8b0cefbb JR	190	.IP "\fB\-CAfile file\fR" 4
8b0cefbb JR	191	.IX Item "-CAfile file"
e3cdf75b JR	192	A file containing trusted certificates to use during server authentication
e3cdf75b JR	193	and to use when attempting to build the client certificate chain.
8b0cefbb JR	194	.IP "\fB\-new\fR" 4
8b0cefbb JR	195	.IX Item "-new"
e3cdf75b JR	196	performs the timing test using a new session \s-1ID\s0 for each connection.
	197	If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default
	198	and executed in sequence.
8b0cefbb JR	199	.IP "\fB\-reuse\fR" 4
8b0cefbb JR	200	.IX Item "-reuse"
e3cdf75b JR	201	performs the timing test using the same session \s-1ID\s0; this can be used as a test
	202	that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are
	203	specified, they are both on by default and executed in sequence.
8b0cefbb JR	204	.IP "\fB\-nbio\fR" 4
8b0cefbb JR	205	.IX Item "-nbio"
e3cdf75b	206	turns on non-blocking I/O.
8b0cefbb JR	207	.IP "\fB\-ssl2\fR, \fB\-ssl3\fR" 4
8b0cefbb JR	208	.IX Item "-ssl2, -ssl3"
e3cdf75b JR	209	these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
	210	the initial handshake uses a method which should be compatible with all
	211	servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
	212	The timing program is not as rich in options to turn protocols on and off as
8b0cefbb	213	the \fIs_client\fR\\|(1) program and may not connect to all servers.
e3cdf75b JR	214	.Sp
	215	Unfortunately there are a lot of ancient and broken servers in use which
	216	cannot handle this technique and will fail to connect. Some servers only
	217	work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option; others
	218	will only support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
8b0cefbb JR	219	.IP "\fB\-bugs\fR" 4
8b0cefbb JR	220	.IX Item "-bugs"
e3cdf75b JR	221	there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
e3cdf75b JR	222	option enables various workarounds.
8b0cefbb JR	223	.IP "\fB\-cipher cipherlist\fR" 4
8b0cefbb JR	224	.IX Item "-cipher cipherlist"
e3cdf75b JR	225	this allows the cipher list sent by the client to be modified. Although
	226	the server determines which cipher suite is used it should take the first
	227	supported cipher in the list sent by the client.
8b0cefbb JR	228	See the \fIciphers\fR\\|(1) command for more information.
	229	.IP "\fB\-time length\fR" 4
	230	.IX Item "-time length"
e3cdf75b JR	231	specifies how long (in seconds) \fBs_time\fR should establish connections and
	232	optionally transfer payload data from a server. Server and client performance
	233	and the link speed determine how many connections \fBs_time\fR can establish.
	234	.SH "NOTES"
8b0cefbb JR	235	.IX Header "NOTES"
	236	\&\fBs_client\fR can be used to measure the performance of an \s-1SSL\s0 connection.
	237	To connect to an \s-1SSL\s0 \s-1HTTP\s0 server and get the default page the command
e3cdf75b JR	238	.PP
e3cdf75b JR	239	.Vb 1
e257b235	240	\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3]
e3cdf75b	241	.Ve
8b0cefbb JR	242	.PP
	243	would typically be used (https uses port 443). 'commoncipher' is a cipher to
	244	which both client and server can agree, see the \fIciphers\fR\\|(1) command
e3cdf75b JR	245	for details.
	246	.PP
	247	If the handshake fails then there are several possible causes, if it is
	248	nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
8b0cefbb	249	\&\fB\-ssl3\fR options can be tried
e3cdf75b JR	250	in case it is a buggy server. In particular you should play with these
	251	options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
	252	.PP
	253	A frequent problem when attempting to get client certificates working
	254	is that a web client complains it has no certificates or gives an empty
	255	list to choose from. This is normally because the server is not sending
8b0cefbb JR	256	the clients certificate authority in its \(L"acceptable \s-1CA\s0 list\(R" when it
8b0cefbb JR	257	requests a certificate. By using \fIs_client\fR\\|(1) the \s-1CA\s0 list can be
e3cdf75b	258	viewed and checked. However some servers only request client authentication
8b0cefbb JR	259	after a specific \s-1URL\s0 is requested. To obtain the list in this case it
	260	is necessary to use the \fB\-prexit\fR option of \fIs_client\fR\\|(1) and
	261	send an \s-1HTTP\s0 request for an appropriate page.
e3cdf75b JR	262	.PP
	263	If a certificate is specified on the command line using the \fB\-cert\fR
	264	option it will not be used unless the server specifically requests
	265	a client certificate. Therefor merely including a client certificate
	266	on the command line is no guarantee that the certificate works.
	267	.SH "BUGS"
8b0cefbb	268	.IX Header "BUGS"
e3cdf75b	269	Because this program does not have all the options of the
8b0cefbb	270	\&\fIs_client\fR\\|(1) program to turn protocols on and off, you may not be
e3cdf75b JR	271	able to measure the performance of all protocols with all servers.
	272	.PP
	273	The \fB\-verify\fR option should really exit if the server verification
	274	fails.
	275	.SH "SEE ALSO"
e3cdf75b	276	.IX Header "SEE ALSO"
8b0cefbb	277	\&\fIs_client\fR\\|(1), \fIs_server\fR\\|(1), \fIciphers\fR\\|(1)