s_client(1) SunOS man 5.10

a guest
Mar 13th, 2018

OpenSSL S_CLIENT(1)

NAME
     s_client - SSL/TLS client program

SYNOPSIS
     openssl s_client [-connect host:port] [-verify depth]
     [-cert filename] [-key filename] [-CApath directory]
     [-CAfile filename] [-reconnect] [-pause] [-showcerts]
     [-debug] [-msg] [-nbio_test] [-state] [-nbio] [-crlf]
     [-ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2]
     [-no_ssl3] [-no_tls1] [-bugs] [-cipher cipherlist]
     [-starttls protocol] [-engine id] [-rand file(s)]

DESCRIPTION
     The s_client command implements a generic SSL/TLS client
     which connects to a remote host using SSL/TLS. It is a very
     useful diagnostic tool for SSL servers.

OPTIONS
     -connect host:port
          This specifies the host and optional port to connect to.
          If not specified then an attempt is made to connect to
          the local host on port 4433.

     -cert certname
          The certificate to use, if one is requested by the
          server. The default is not to use a certificate.

     -key keyfile
          The private key to use. If not specified then the
          certificate file will be used.

     -verify depth
          The verify depth to use. This specifies the maximum
          length of the server certificate chain and turns on
          server certificate verification. Currently the verify
          operation continues after errors so all the problems
          with a certificate chain can be seen. As a side effect
          the connection will never fail due to a server
          certificate verify failure.

     -CApath directory
          The directory to use for server certificate
          verification. This directory must be in "hash format",
          see verify for more information. These are also used
          when building the client certificate chain.

     -CAfile file
          A file containing trusted certificates to use during
          server authentication and to use when attempting to
          build the client certificate chain.

20/Mar/2003 Last change: 0.9.7b 1

     -reconnect
          reconnects to the same server 5 times using the same
          session ID, this can be used as a test that session
          caching is working.

     -pause
          pauses 1 second between each read and write call.

     -showcerts
          display the whole server certificate chain: normally
          only the server certificate itself is displayed.

     -prexit
          print session information when the program exits. This
          will always attempt to print out information even if the
          connection fails. Normally information will only be
          printed out once if the connection succeeds. This option
          is useful because the cipher in use may be renegotiated
          or the connection may fail because a client certificate
          is required or is requested only after an attempt is
          made to access a certain URL. Note: the output produced
          by this option is not always accurate because a
          connection might never have been established.

     -state
          prints out the SSL session states.

     -debug
          print extensive debugging information including a hex
          dump of all traffic.

     -msg
          show all protocol messages with hex dump.

     -nbio_test
          tests non-blocking I/O

     -nbio
          turns on non-blocking I/O

     -crlf
          this option translates a line feed from the terminal
          into CR+LF as required by some servers.

     -ign_eof
          inhibit shutting down the connection when end of file is
          reached in the input.

     -quiet
          inhibit printing of session and certificate information.
          This implicitly turns on -ign_eof as well.

     -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1
          these options disable the use of certain SSL or TLS
          protocols. By default the initial handshake uses a
          method which should be compatible with all servers and
          permit them to use SSL v3, SSL v2 or TLS as appropriate.

          Unfortunately there are a lot of ancient and broken
          servers in use which cannot handle this technique and
          will fail to connect. Some servers only work if TLS is
          turned off with the -no_tls1 option; others will only
          support SSL v2 and may need the -ssl2 option.

     -bugs
          there are several known bugs in SSL and TLS
          implementations. Adding this option enables various
          workarounds.

     -cipher cipherlist
          this allows the cipher list sent by the client to be
          modified. Although the server determines which cipher
          suite is used it should take the first supported cipher
          in the list sent by the client. See the ciphers command
          for more information.

     -starttls protocol
          send the protocol-specific message(s) to switch to TLS
          for communication. protocol is a keyword for the
          intended protocol. Currently, the only supported
          keyword is "smtp".

     -engine id
          specifying an engine (by its unique id string) will
          cause s_client to attempt to obtain a functional
          reference to the specified engine, thus initialising it
          if needed. The engine will then be set as the default
          for all available algorithms.

     -rand file(s)
          a file or files containing random data used to seed the
          random number generator, or an EGD socket (see
          RAND_egd(3)). Multiple files can be specified separated
          by an OS-dependent character. The separator is ; for
          MS-Windows, , for OpenVMS, and : for all others.

CONNECTED COMMANDS
     If a connection is established with an SSL server then any
     data received from the server is displayed and any key
     presses will be sent to the server. When used interactively
     (which means neither -quiet nor -ign_eof have been given),
     the session will be renegotiated if the line begins with an
     R, and if the line begins with a Q or if end of file is
     reached, the connection will be closed down.

NOTES
     s_client can be used to debug SSL servers. To connect to an
     SSL HTTP server the command:

          openssl s_client -connect servername:443

     would typically be used (https uses port 443). If the
     connection succeeds then an HTTP command can be given such
     as "GET /" to retrieve a web page.

     If the handshake fails then there are several possible
     causes. If it is nothing obvious like no client certificate
     then the -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3,
     -no_tls1 options can be tried in case it is a buggy server. In
     particular you should play with these options before
     submitting a bug report to an OpenSSL mailing list.

     A frequent problem when attempting to get client
     certificates working is that a web client complains it has
     no certificates or gives an empty list to choose from. This
     is normally because the server is not sending the client's
     certificate authority in its "acceptable CA list" when it
     requests a certificate. By using s_client the CA list can be
     viewed and checked. However some servers only request client
     authentication after a specific URL is requested. To obtain
     the list in this case it is necessary to use the -prexit
     option and send an HTTP request for an appropriate page.
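
Added example, not part of the original man page: pulling the "acceptable CA list" out of saved s_client output and checking whether a client certificate's issuer is in it. The sample output is constructed, the function names are this example's own, and the layout (a header line, one DN per line, closed by "---") is assumed from s_client of this era.

```shell
#!/bin/sh
# Constructed sample: server that sends two acceptable client CA names.
sample_with_cas='---
Server certificate
subject=/C=XX/O=Example/CN=server.example
issuer=/C=XX/O=Example/CN=Example CA
---
Acceptable client certificate CA names
/C=XX/O=Example/CN=Example Client CA 1
/C=XX/O=Example/CN=Example Client CA 2
---
SSL handshake has read 2345 bytes and written 321 bytes'

# Constructed sample: server that requested no client certificate.
sample_no_cas='---
No client certificate CA names sent
---'

# Read s_client output on stdin; print one acceptable CA name per line.
# Prints nothing when the server sent no list.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^---/                         { in_list = 0 }
        in_list                                   { print }
    '
}

# $1 = s_client output, $2 = issuer DN of the client certificate.
# Succeeds only if the issuer appears verbatim in the server's list.
ca_is_acceptable() {
    printf '%s\n' "$1" | acceptable_cas | grep -Fxq -- "$2"
}

# Live use, when the certificate is only requested for a specific URL
# (servername and the path are placeholders):
#   out=$(printf 'GET /protected HTTP/1.0\r\n\r\n' |
#         openssl s_client -connect servername:443 -prexit 2>&1)
#   ca_is_acceptable "$out" "/C=XX/O=Example/CN=Example Client CA 1" ||
#       echo "issuer not in the server's acceptable CA list" >&2
```

The issuer string to compare against is the one printed by "openssl x509 -noout -issuer" for the client certificate, without its "issuer=" prefix.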

     If a certificate is specified on the command line using the
     -cert option it will not be used unless the server
     specifically requests a client certificate. Therefore merely
     including a client certificate on the command line is no
     guarantee that the certificate works.

     If there are problems verifying a server certificate then
     the -showcerts option can be used to show the whole chain.

BUGS
     Because this program has a lot of options and also because
     some of the techniques used are rather old, the C source of
     s_client is rather hard to read and not a model of how
     things should be done. A typical SSL client program would be
     much simpler.

     The -verify option should really exit if the server
     verification fails.
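
Added example, not part of the original man page: because -verify never fails the connection, a script has to read the verification result out of the output itself and turn it into an exit status. The sample output is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: chain that does not lead to a trusted CA.
sample_bad='depth=0 /C=XX/O=Example/CN=server.example
verify error:num=20:unable to get local issuer certificate
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Constructed sample: chain that verified cleanly.
sample_ok='depth=1 /C=XX/O=Example/CN=Example CA
verify return:1
depth=0 /C=XX/O=Example/CN=server.example
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)
---'

# Read s_client output on stdin; print the numeric verify return code.
# With -prexit the session block can appear twice, so keep the last one.
# Prints nothing if no session block was printed at all.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# $1 = s_client output. Succeeds only if no "verify error:" line was
# logged and the final verify return code is 0. A missing code (the
# handshake never completed) counts as failure.
check_verified() {
    if printf '%s\n' "$1" | grep -q '^verify error:'; then
        return 1
    fi
    code=$(printf '%s\n' "$1" | verify_code)
    [ "$code" = "0" ]
}

# Live use (servername and ca.pem are placeholders):
#   out=$(openssl s_client -connect servername:443 -verify 5 \
#         -CAfile ca.pem </dev/null 2>&1)
#   check_verified "$out" || { echo "server verification failed" >&2; exit 1; }
```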

     The -prexit option is a bit of a hack. We should really
     report information whenever a session is renegotiated.

SEE ALSO
     sess_id(1), s_server(1), ciphers(1)