openssl-s_client, s_client - SSL/TLS client program

SYNOPSIS

The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

In addition to the options below the s_client utility also supports the common and client only options documented in the "Supported Command Line Commands" section of the SSL_CONF_cmd(3) manual page.

This specifies the host and optional port to connect to. It is possible to select the host and port using the optional target positional argument instead. If neither this nor the target positional argument are specified then an attempt is made to connect to the local host on port 4433.

This specifies the host address and/or port to bind as the source for the connection. For Unix-domain sockets the port is ignored and the host is used as the source socket address.

When used with the -connect flag, the program uses the host and port specified with this flag and issues an HTTP CONNECT command to connect to the desired server.

-unix path
Connect over the specified Unix-domain socket.

Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. If -servername is not provided, the TLS SNI extension will be populated with the name given to -connect if it follows a DNS name format. If -connect is not provided either, the SNI is set to "localhost". This is the default since OpenSSL 1.1.1.

Even though SNI should normally be a DNS name and not an IP address, if -servername is provided then that name will be sent, regardless of whether it is a DNS name or not.

This option cannot be used in conjunction with -noservername.

Suppresses sending of the SNI (Server Name Indication) extension in the ClientHello message. Cannot be used in conjunction with the -servername or options.

The certificate to use, if one is requested by the server.

The certificate format to use: DER or PEM.

If not specified then the certificate file will be used.

-cert_chain
A file containing trusted certificates to use when attempting to build the client/server certificate chain related to the certificate specified via the -cert option.

Specify whether the application should build the certificate chain to be provided to the server.

Specify an extra certificate, private key and certificate chain. These behave in the same manner as the -cert, -key and -cert_chain options. When specified, the callback returning the first valid chain will be in use by the client.

Specify whether the application should build the certificate chain to be provided to the server for the extra certificates provided via -xkey infile, -xcert infile, -xchain options.

-xcertform PEM|DER, -xkeyform PEM|DER
Extra certificate and private key format respectively.

For more information about the format of arg see "Pass Phrase Options" in openssl(1).

This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.

Return verification errors instead of continuing. This will typically abort the handshake with a fatal error.

Option which determines how the subject or issuer names are displayed. The option argument can be a single option or multiple options separated by commas. Alternatively the -nameopt switch may be used more than once to set multiple options.

The directory to use for server certificate verification. These are also used when building the client certificate chain.

-CAfile file
A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain.

The directory to use for building the chain provided to the server. This directory must be in "hash format", see verify(1) for more information.

-chainCAfile file
A file containing trusted certificates to use when attempting to build the client certificate chain.

-requestCAfile file
A file containing a list of certificates whose subject names will be sent to the server in the certificate_authorities extension.

-no-CApath
Do not load the trusted CA certificates from the default directory location.

-no-CAfile
Do not load the trusted CA certificates from the default file location.