diff options
author | Kinichiro Inoguchi <inoguchi@cvs.openbsd.org> | 2019-07-11 10:31:49 +0000 |
---|---|---|
committer | Kinichiro Inoguchi <inoguchi@cvs.openbsd.org> | 2019-07-11 10:31:49 +0000 |
commit | d81d363eebd0f5db5aa8f246866ba8808d8ed116 (patch) | |
tree | 5e9267cf74e4e50366d577265b3a198283d474cd /usr.bin | |
parent | 1a573569ea70e513313b755f0a0a10c614f8de81 (diff) |
Fix manual openssl(1) s_client
- Add undocumented options below.
-alpn, -certform, -dtls1, -host, -keyform, -keymatexport, -keymatexportlen,
-legacy_server_connect, -mtu, -no_ign_eof, -no_legacy_server_connect, -pass
-port, -serverpref, -sess_in, -sess_out, -status, -timeout, -use_srtp,
-verify_return_error
- Remove -psk and -psk_identity since not exist in source code.
I didn't add these 4 options since these were no-op.
-nextprotoneg, -legacy_renegotiation, -no_comp, -no_ssl2
This option was removed from manual in the past.
-no_ssl3
ok jmc@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/openssl/openssl.1 | 94 |
1 files changed, 80 insertions, 14 deletions
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1 index 90ff100111d..1cf58eb6c5d 100644 --- a/usr.bin/openssl/openssl.1 +++ b/usr.bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.109 2019/07/09 11:19:05 inoguchi Exp $ +.\" $OpenBSD: openssl.1,v 1.110 2019/07/11 10:31:48 inoguchi Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: July 9 2019 $ +.Dd $Mdocdate: July 11 2019 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -3605,10 +3605,12 @@ Verify the input data and output the recovered data. .nr nS 1 .Nm "openssl s_client" .Op Fl 4 | 6 +.Op Fl alpn Ar protocols .Op Fl bugs .Op Fl CAfile Ar file .Op Fl CApath Ar directory .Op Fl cert Ar file +.Op Fl certform Cm der | pem .Op Fl check_ss_sig .Op Fl cipher Ar cipherlist .Op Fl connect Ar host Ns Op : Ns Ar port @@ -3616,36 +3618,53 @@ Verify the input data and output the recovered data. .Op Fl crl_check_all .Op Fl crlf .Op Fl debug +.Op Fl dtls1 .Op Fl extended_crl .Op Fl groups +.Op Fl host Ar host .Op Fl ign_eof .Op Fl ignore_critical .Op Fl issuer_checks .Op Fl key Ar keyfile +.Op Fl keyform Cm der | pem +.Op Fl keymatexport Ar label +.Op Fl keymatexportlen Ar len +.Op Fl legacy_server_connect .Op Fl msg +.Op Fl mtu Ar mtu .Op Fl nbio .Op Fl nbio_test +.Op Fl no_comp +.Op Fl no_ign_eof +.Op Fl no_legacy_server_connect .Op Fl no_ticket .Op Fl no_tls1 .Op Fl no_tls1_1 .Op Fl no_tls1_2 +.Op Fl pass Ar arg .Op Fl pause .Op Fl policy_check +.Op Fl port Ar port .Op Fl prexit .Op Fl proxy Ar host : Ns Ar port -.Op Fl psk Ar key -.Op Fl psk_identity Ar identity .Op Fl quiet .Op Fl reconnect .Op Fl servername Ar name +.Op Fl serverpref +.Op Fl sess_in Ar file +.Op Fl sess_out Ar file .Op Fl showcerts .Op Fl starttls Ar protocol .Op Fl state +.Op Fl status +.Op Fl timeout .Op Fl tls1 .Op Fl tls1_1 .Op Fl tls1_2 .Op Fl tlsextdebug +.Op Fl use_srtp Ar profiles .Op Fl verify Ar depth +.Op Fl verify_return_error .Op Fl x509_strict .Op Fl xmpphost Ar host .nr nS 0 @@ -3674,6 +3693,11 @@ The options are as follows: Attempt connections using IPv4 only. .It Fl 6 Attempt connections using IPv6 only. +.It Fl alpn Ar protocols +Enable the Application-Layer Protocol Negotiation. +.Ar protocols +is a comma-separated list of protocol names that the client should advertise +support for. .It Fl bugs Enable various workarounds for buggy implementations. .It Fl CAfile Ar file @@ -3694,6 +3718,10 @@ These are also used when building the client certificate chain. .It Fl cert Ar file The certificate to use, if one is requested by the server. The default is not to use a certificate. +.It Fl certform Cm der | pem +The certificate format. +The default is +.Cm pem . .It Xo .Fl check_ss_sig , .Fl crl_check , @@ -3731,25 +3759,57 @@ Translate a line feed from the terminal into CR+LF, as required by some servers. .It Fl debug Print extensive debugging information, including a hex dump of all traffic. +.It Fl dtls1 +Permit only DTLS1.0. .It Fl groups Ar ecgroups Specify a colon-separated list of permitted EC curve groups. +.It Fl host Ar host +The +.Ar host +to connect to. +The default is localhost. .It Fl ign_eof Inhibit shutting down the connection when end of file is reached in the input. .It Fl key Ar keyfile The private key to use. If not specified, the certificate file will be used. +.It Fl keyform Cm der | pem +The private key format. +The default is +.Cm pem . +.It Fl keymatexport Ar label +Export keying material using label. +.It Fl keymatexportlen Ar len +Export len bytes of keying material (default 20). +.It Fl legacy_server_connect , no_legacy_server_connect +Allow or disallow initial connection to servers that don't support RI. .It Fl msg Show all protocol messages with hex dump. +.It Fl mtu Ar mtu +Set the link layer MTU. .It Fl nbio Turn on non-blocking I/O. .It Fl nbio_test Test non-blocking I/O. +.It Fl no_ign_eof +Shut down the connection when end of file is reached in the input. +Can be used to override the implicit +.Fl ign_eof +after +.Fl quiet . .It Fl no_tls1 | no_tls1_1 | no_tls1_2 Disable the use of TLS1.0, 1.1, and 1.2, respectively. .It Fl no_ticket Disable RFC 4507 session ticket support. +.It Fl pass Ar arg +The private key password source. .It Fl pause Pause 1 second between each read and write call. +.It Fl port Ar port +The +.Ar port +to connect to. +The default is 4433. .It Fl prexit Print session information when the program exits. This will always attempt @@ -3771,16 +3831,6 @@ argument is given to the proxy. If not specified, localhost is used as final destination. After that, switch the connection through the proxy to the destination to TLS. -.It Fl psk Ar key -Use the PSK key -.Ar key -when using a PSK cipher suite. -The key is given as a hexadecimal number without the leading 0x, -for example -psk 1a2b3c4d. -.It Fl psk_identity Ar identity -Use the PSK -.Ar identity -when using a PSK cipher suite. .It Fl quiet Inhibit printing of session and certificate information. This implicitly turns on @@ -3796,6 +3846,13 @@ message, using the specified server .It Fl showcerts Display the whole server certificate chain: normally only the server certificate itself is displayed. +.It Fl serverpref +Use the server's cipher preferences. +.It Fl sess_in Ar file +Load TLS session from file. +The client will attempt to resume a connection from this session. +.It Fl sess_out Ar file +Output TLS session to file. .It Fl starttls Ar protocol Send the protocol-specific messages to switch to TLS for communication. .Ar protocol @@ -3809,10 +3866,17 @@ and .Qq xmpp . .It Fl state Print the SSL session states. +.It Fl status +Send a certificate status request to the server (OCSP stapling). +The server response (if any) is printed out. +.It Fl timeout +Enable send/receive timeout on DTLS connections. .It Fl tls1 | tls1_1 | tls1_2 Permit only TLS1.0, 1.1, or 1.2, respectively. .It Fl tlsextdebug Print a hex dump of any TLS extensions received from the server. +.It Fl use_srtp Ar profiles +Offer SRTP key management with a colon-separated profile list. .It Fl verify Ar depth Turn on server certificate verification, with a maximum length of @@ -3821,6 +3885,8 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +.It Fl verify_return_error +Return verification error. .It Fl xmpphost Ar hostname When used with .Fl starttls Ar xmpp , |