7 s_server - SSL/TLS server program
11 B<openssl> B<s_server>
19 [B<-certform DER|PEM>]
24 [B<-dcertform DER|PEM>]
26 [B<-dkeyform DER|PEM>]
28 [B<-dhparam filename>]
35 [B<-CApath directory>]
39 [B<-client_sigalgs sigalglist>]
40 [B<-named_curve curve>]
41 [B<-cipher cipherlist>]
64 [B<-no_resumption_on_reneg>]
67 [B<-status_timeout nsec>]
70 [B<-nextprotoneg protocols>]
74 The B<s_server> command implements a generic SSL/TLS server which listens
75 for connections on a given port using SSL/TLS.
83 the TCP port to listen on for connections. If not specified 4433 is used.
87 sets the SSL context id. It can be given any string value. If this option
88 is not present a default value will be used.
90 =item B<-cert certname>
92 The certificate to use, most servers cipher suites require the use of a
93 certificate and some require a certificate with a certain public key type:
94 for example the DSS cipher suites require a certificate containing a DSS
95 (DSA) key. If not specified then the filename "server.pem" will be used.
97 =item B<-certform format>
99 The certificate format to use: DER or PEM. PEM is the default.
101 =item B<-key keyfile>
103 The private key to use. If not specified then the certificate file will
106 =item B<-keyform format>
108 The private format to use: DER or PEM. PEM is the default.
112 the private key password source. For more information about the format of B<arg>
113 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
115 =item B<-dcert filename>, B<-dkey keyname>
117 specify an additional certificate and private key, these behave in the
118 same manner as the B<-cert> and B<-key> options except there is no default
119 if they are not specified (no additional certificate and key is used). As
120 noted above some cipher suites require a certificate containing a key of
121 a certain type. Some cipher suites need a certificate carrying an RSA key
122 and some a DSS (DSA) key. By using RSA and DSS certificates and keys
123 a server can support clients which only support RSA or DSS cipher suites
124 by using an appropriate certificate.
126 =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
128 additional certificate and private key format and passphrase respectively.
132 if this option is set then no certificate is used. This restricts the
133 cipher suites available to the anonymous ones (currently just anonymous
136 =item B<-dhparam filename>
138 the DH parameter file to use. The ephemeral DH cipher suites generate keys
139 using a set of DH parameters. If not specified then an attempt is made to
140 load the parameters from the server certificate file. If this fails then
141 a static set of parameters hard coded into the s_server program will be used.
145 if this option is set then no DH parameters will be loaded effectively
146 disabling the ephemeral DH cipher suites.
150 if this option is set then no ECDH parameters will be selected, effectively
151 disabling the ephemeral ECDH cipher suites.
155 certain export cipher suites sometimes use a temporary RSA key, this option
156 disables temporary RSA key generation.
158 =item B<-verify depth>, B<-Verify depth>
160 The verify depth to use. This specifies the maximum length of the
161 client certificate chain and makes the server request a certificate from
162 the client. With the B<-verify> option a certificate is requested but the
163 client does not have to send one, with the B<-Verify> option the client
164 must supply a certificate or an error occurs.
166 If the ciphersuite cannot request a client certificate (for example an
167 anonymous ciphersuite or PSK) this option has no effect.
169 =item B<-crl_check>, B<-crl_check_all>
171 Check the peer certificate has not been revoked by its CA.
172 The CRL(s) are appended to the certificate file. With the B<-crl_check_all>
173 option all CRLs of all CAs in the chain are checked.
175 =item B<-CApath directory>
177 The directory to use for client certificate verification. This directory
178 must be in "hash format", see B<verify> for more information. These are
179 also used when building the server certificate chain.
181 =item B<-CAfile file>
183 A file containing trusted certificates to use during client authentication
184 and to use when attempting to build the server certificate chain. The list
185 is also used in the list of acceptable client CAs passed to the client when
186 a certificate is requested.
188 =item B<-no_alt_chains>
190 See the L<B<verify>|verify(1)> manual page for details.
194 prints out the SSL session states.
198 print extensive debugging information including a hex dump of all traffic.
202 show all protocol messages with hex dump.
206 tests non blocking I/O
210 turns on non blocking I/O
214 this option translated a line feed from the terminal into CR+LF.
218 inhibit printing of session and certificate information.
220 =item B<-psk_hint hint>
222 Use the PSK identity hint B<hint> when using a PSK cipher suite.
226 Use the PSK key B<key> when using a PSK cipher suite. The key is
227 given as a hexadecimal number without leading 0x, for example -psk
229 This option must be provided in order to use a PSK cipher.
231 =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
233 These options require or disable the use of the specified SSL or TLS protocols.
234 By default the initial handshake uses a I<version-flexible> method which will
235 negotiate the highest mutually supported protocol version.
239 there are several known bug in SSL and TLS implementations. Adding this
240 option enables various workarounds.
244 this option enables a further workaround for some some early Netscape
247 =item B<-client_sigalgs sigalglist>
249 Signature algorithms to support for client certificate authentication
250 (colon-separated list)
252 =item B<-named_curve curve>
254 Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
255 For a list of all possible curves, use:
257 $ openssl ecparam -list_curves
259 =item B<-cipher cipherlist>
261 this allows the cipher list used by the server to be modified. When
262 the client sends a list of supported ciphers the first client cipher
263 also included in the server list is used. Because the client specifies
264 the preference order, the order of the server cipherlist irrelevant. See
265 the B<ciphers> command for more information.
269 use the server's cipher preferences, rather than the client's preferences.
271 =item B<-tlsextdebug>
273 print out a hex dump of any TLS extensions received from the server.
277 disable RFC4507bis session ticket support.
281 sends a status message back to the client when it connects. This includes
282 lots of information about the ciphers used and various session parameters.
283 The output is in HTML format so this option will normally be used with a
288 emulates a simple web server. Pages will be resolved relative to the
289 current directory, for example if the URL https://myhost/page.html is
290 requested the file ./page.html will be loaded.
294 emulates a simple web server. Pages will be resolved relative to the
295 current directory, for example if the URL https://myhost/page.html is
296 requested the file ./page.html will be loaded. The files loaded are
297 assumed to contain a complete and correct HTTP response (lines that
298 are part of the HTTP response line and headers must end with CRLF).
302 specifying an engine (by its unique B<id> string) will cause B<s_server>
303 to attempt to obtain a functional reference to the specified engine,
304 thus initialising it if needed. The engine will then be set as the default
305 for all available algorithms.
307 =item B<-id_prefix arg>
309 generate SSL/TLS session IDs prefixed by B<arg>. This is mostly useful
310 for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
311 servers, when each of which might be generating a unique range of session
312 IDs (eg. with a certain prefix).
314 =item B<-rand file(s)>
316 a file or files containing random data used to seed the random number
317 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
318 Multiple files can be specified separated by a OS-dependent character.
319 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
322 =item B<-serverinfo file>
324 a file containing one or more blocks of PEM data. Each PEM block
325 must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
326 followed by "length" bytes of extension data). If the client sends
327 an empty TLS ClientHello extension matching the type, the corresponding
328 ServerHello extension will be returned.
330 =item B<-no_resumption_on_reneg>
332 set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
336 enables certificate status request support (aka OCSP stapling).
338 =item B<-status_verbose>
340 enables certificate status request support (aka OCSP stapling) and gives
341 a verbose printout of the OCSP response.
343 =item B<-status_timeout nsec>
345 sets the timeout for OCSP response to B<nsec> seconds.
347 =item B<-status_url url>
349 sets a fallback responder URL to use if no responder URL is present in the
350 server certificate. Without this option an error is returned if the server
351 certificate does not contain a responder address.
353 =item B<-alpn protocols>, B<-nextprotoneg protocols>
355 these flags enable the
356 Enable the Application-Layer Protocol Negotiation or Next Protocol
357 Negotiation extension, respectively. ALPN is the IETF standard and
359 The B<protocols> list is a
360 comma-separated list of supported protocol names.
361 The list should contain most wanted protocols first.
362 Protocol names are printable ASCII strings, for example "http/1.1" or
367 =head1 CONNECTED COMMANDS
369 If a connection request is established with an SSL client and neither the
370 B<-www> nor the B<-WWW> option has been used then normally any data received
371 from the client is displayed and any key presses will be sent to the client.
373 Certain single letter commands are also recognized which perform special
374 operations: these are listed below.
380 end the current SSL connection but still accept new connections.
384 end the current SSL connection and exit.
388 renegotiate the SSL session.
392 renegotiate the SSL session and request a client certificate.
396 send some plain text down the underlying TCP connection: this should
397 cause the client to disconnect due to a protocol violation.
401 print out some session cache status information.
407 B<s_server> can be used to debug SSL clients. To accept connections from
408 a web browser the command:
410 openssl s_server -accept 443 -www
412 can be used for example.
414 Although specifying an empty list of CAs when requesting a client certificate
415 is strictly speaking a protocol violation, some SSL clients interpret this to
416 mean any CA is acceptable. This is useful for debugging purposes.
418 The session parameters can printed out using the B<sess_id> program.
422 Because this program has a lot of options and also because some of
423 the techniques used are rather old, the C source of s_server is rather
424 hard to read and not a model of how things should be done. A typical
425 SSL server program would be much simpler.
427 The output of common ciphers is wrong: it just gives the list of ciphers that
428 OpenSSL recognizes and the client supports.
430 There should be a way for the B<s_server> program to print out details of any
431 unknown cipher suites a client says it supports.
435 L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
439 The -no_alt_chains options was first added to OpenSSL 1.0.2b.