s_client man page on OSF1


s_client(1ssl)							s_client(1ssl)

NAME
       s_client - SSL/TLS client program

SYNOPSIS
       openssl s_client [-connect host:port] [-verify depth] [-cert filename]
       [-key filename] [-CApath directory] [-CAfile filename] [-reconnect]
       [-pause] [-showcerts] [-debug] [-nbio_test] [-state] [-nbio] [-crlf]
       [-ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3]
       [-no_tls1] [-bugs] [-cipher cipherlist] [-rand filename] [-engine id]

OPTIONS
       -connect host:port
              Specifies the host and optional port to connect to. If not
              specified then an attempt is made to connect to the local host
              on port 4433.

       -cert filename
              The certificate to use, if one is requested by the server. The
              default is not to use a certificate.

       -key filename
              The private key to use. If not specified then the certificate
              file will be used.

       -verify depth
              The verify depth to use. This specifies the maximum length of
              the server certificate chain and turns on server certificate
              verification. Currently the verify operation continues after
              errors so all the problems with a certificate chain can be
              seen. As a side effect the connection will never fail due to a
              server certificate verify failure.

       -CApath directory
              The directory to use for server certificate verification. This
              directory must be in hash format. See verify for more
              information. These are also used when building the client
              certificate chain.

       -CAfile filename
              A file containing trusted certificates to use during server
              authentication and to use when attempting to build the client
              certificate chain.

       -reconnect
              Reconnects to the same server 5 times using the same session
              ID. This can be used as a test that session caching is working.

       -pause
              Pauses one second between each read and write call.

       -showcerts
              Displays the whole server certificate chain. Normally only the
              server certificate is displayed.

       -prexit
              Prints session information when the program exits. This will
              always attempt to print out information even if the connection
              fails. Normally information will only be printed out once if
              the connection succeeds. This option is useful because the
              cipher in use may be renegotiated or the connection may fail
              because a client certificate is required or is requested only
              after an attempt is made to access a certain URL. The output
              produced by this option is not always accurate because a
              connection might never have been established.

       -state
              Prints out the SSL session states.

       -debug
              Prints extensive debugging information including a hex dump of
              all traffic.

       -nbio_test
              Tests non-blocking I/O.

       -nbio
              Turns on non-blocking I/O.

       -crlf
              Translates a line feed from the terminal into CR+LF as required
              by some servers.

       -ign_eof
              Inhibits shutting down the connection when end-of-file is
              reached in the input.

       -quiet
              Inhibits printing of session and certificate information. This
              implicitly turns on -ign_eof as well.

       -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1
              These options disable the use of certain SSL or TLS protocols.
              By default the initial handshake uses a method which should be
              compatible with all servers and permit them to use SSL v3, SSL
              v2 or TLS as appropriate.

              Unfortunately there are a lot of ancient and broken servers in
              use which cannot handle this technique and will fail to connect.
              Some servers only work if TLS is turned off with the -no_tls1
              option. Others will only support SSL v2 and may need the -ssl2
              option.

       -bugs
              There are several known bugs in SSL and TLS implementations.
              Adding this option enables various workarounds.

       -cipher cipherlist
              Allows the cipher list sent by the client to be modified.
              Although the server determines which cipher suite is used it
              should take the first supported cipher in the list sent by the
              client. See the ciphers command for more information.

       -rand filename
              A file or files containing random data used to seed the random
              number generator, or an EGD socket. (See RAND_egd(3).) Multiple
              files can be specified separated by an OS-dependent character.
              The separator is a semicolon (;) for MS-Windows, a comma (,)
              for OpenVMS, and a colon (:) for all others.

       -engine id
              Specifying an engine (by its unique id string) will cause the
              s_client command to attempt to obtain a functional reference to
              the specified engine, thus initializing it if needed. The
              engine will then be set as the default for all available
              algorithms.

   CONNECTED COMMANDS
       If a connection is  established	with  an  SSL  server  then  any  data
       received	 from the server is displayed and any key presses will be sent
       to the server.  When used interactively (which means neither -quiet nor
       -ign_eof have been given), the session will be renegotiated if the line
       begins with an R. If the line begins with a  Q  or  if  end-of-file  is
       reached, the connection will be closed down.

DESCRIPTION
       The s_client command implements a generic SSL/TLS client which connects
       to a remote host using SSL/TLS. It is a very useful diagnostic tool for
       SSL servers.

NOTES
       The s_client command can be used to debug SSL servers. To connect to
       an SSL HTTP server, the following command would typically be used
       (https uses port 443):

              openssl s_client -connect servername:443

       If  the	connection  succeeds then an HTTP command can be given such as
       "GET /" to retrieve a web page.

       If the handshake fails then there are several possible causes. If it is
       nothing	obvious, such as no client certificate, then the -bugs, -ssl2,
       -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can  be  tried.  You
       should  try  these options before submitting a bug report to an OpenSSL
       mailing list.

       A frequent problem when attempting to get client certificates working
       is that a web client complains it has no certificates or gives an empty
       list to choose from. This is normally because the server is not sending
       the client's certificate authority in its acceptable CA list when it
       requests a certificate. By using s_client the CA list can be viewed
       and checked. However, some servers only request client authentication
       after a specific URL is requested. To obtain the list in this case it
       is necessary to use the -prexit option and send an HTTP request for an
       appropriate page.

       If a certificate is specified on	 the  command  line  using  the	 -cert
       option  it  will	 not be used unless the server specifically requests a
       client certificate. Therefore merely including a client certificate  on
       the command line is no guarantee that the certificate works.

       If   there  are	problems  verifying  a	server	certificate  then  the
       -showcerts option can be used to show the whole chain.
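
       Because -verify never fails the connection, a script has to read the
       verification result out of the s_client output itself. The following
       is an added example, not part of the original man page: it reads the
       "Verify return code" line and the "Acceptable client certificate CA
       names" list that s_client prints. The function names, the sample
       transcripts and the file name ca.pem are constructed for illustration.

```shell
# Added example: function names and sample transcripts are constructed.

# Print the numeric "Verify return code" found in an s_client transcript
# on stdin (prints nothing if the handshake never got that far).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Succeed only when the transcript reports code 0. This is the check that
# -verify itself does not make: s_client carries on after verify errors.
chain_verified() {
    [ "$(verify_code)" = "0" ]
}

# Print the CA names the server offered when it requested a client
# certificate (the list to compare with the client certificate's issuer).
acceptable_cas() {
    awk '/^Acceptable client certificate CA names/ { on = 1; next }
         /^---/ { on = 0 }
         on { print }'
}

# Constructed transcripts, trimmed to the lines the functions read.
sample_ok() { cat <<'EOF'
---
No client certificate CA names sent
---
    Verify return code: 0 (ok)
---
EOF
}
sample_bad() { cat <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
---
Acceptable client certificate CA names
/C=XX/O=Example/CN=Example Client CA
---
    Verify return code: 18 (self signed certificate)
---
EOF
}

# Real use: openssl s_client -connect servername:443 -verify 5 \
#     -CAfile ca.pem </dev/null 2>&1 | chain_verified
for t in sample_ok sample_bad; do
    if $t | chain_verified; then echo "$t: chain verified"
    else echo "$t: NOT verified (code $($t | verify_code))"; fi
done
```

       A transcript with no "Verify return code" line, for example after a
       refused connection, is treated as not verified.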

RESTRICTIONS
       Because this program has a lot of options and also because some of  the
       techniques  used	 are  rather  old, the C source of s_client is hard to
       read and not a model of how things should be done. A typical SSL client
       program would be much simpler.

       The -verify option should exit if the server verification fails.

       The  -prexit  option  should  report  information whenever a session is
       renegotiated.

SEE ALSO
       Commands: sess_id(1ssl), s_server(1ssl), ciphers(1ssl)

								s_client(1ssl)
Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net