Name

s_client

Synopsis

The s_client command is a basic SSL client that can be used to connect to an SSL-enabled server. It provides functionality not unlike the standard Telnet program, although it does not support the telnet protocol. The command is useful primarily as a diagnostic tool when building and setting up SSL-enabled servers.

Options

-connect host:port

Specify the host and port that should be used to establish a connection. Separate the host and port with a colon. The host may be an IP address or a hostname. The port may be a number or a service name. If this option is omitted, “127.0.0.1:443” is used.

-cert filename

Specify the name of a file that contains the certificate to use for the connection. Most servers do not require a client certificate, but if the server requests one, this certificate will be used.

-key filename

Specify the name of a file that contains the private key matching the certificate to use for the connection. If this option is not specified and a certificate is requested, the command will expect to find the private key in the same file as the certificate.

-verify depth

Specify the maximum certificate chain depth. Use of this option enables verification of the server’s certificate and causes verification to fail if more than the specified number of certificates are in the chain. Even if verification of the server’s certificate fails, the connection will be allowed to proceed.

-CAfile filename

Specify the name of a file containing one or more trusted certificates that will be used to verify the server’s certificate if the verify option is specified.

-CApath directory

Specify the name of a directory containing trusted certificates that will be used to verify the server’s certificate if the verify option is specified. Each file should contain only one certificate, and the files should be named with the certificate issuer name’s hash and an extension of “.0”.

-reconnect

Cause five connections to be made to the server using the same session ID. This option is a diagnostic tool to ensure that session caching is working properly on the server.

-pause

Cause a one-second pause between each read and write operation.

-showcerts

Cause every certificate in the server certificate’s chain to be displayed rather than just the server’s certificate.

-prexit

Cause session information to be printed when the connection is terminated. Information will be displayed even if the connection fails. If the connection fails, some of the output from this command may not be accurate.

-state

Cause SSL session states to be printed.

-debug

Cause extensive debugging information, including a hexdump of all traffic, to be printed.

-nbio_test

Cause tests of non-blocking I/O to be run.

-nbio

Cause non-blocking I/O to be enabled.

-crlf

Cause bare linefeeds to be translated into carriage return and linefeed sequences, which some servers require.

-ign_eof

Prevent the connection from being shut down when end of file is reached on stdin.

-quiet

Cause printing of session and certificate information to be suppressed. This option also enables the ign_eof option.

-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1

Specify the version or versions of the SSL protocol that should be used to attempt a connection with the server. By default, all protocols are enabled.

-bugs

Enable workarounds for several known bugs in various server implementations of SSL and TLS.

-cipher list

Specify a list of ciphers that the client will indicate to the server that it supports. Normally, the server chooses the first cipher on the list, so you should arrange ciphers in order of preference if you supply more than a single cipher.

-rand filename

Specify the name of a file or files that will be used to seed the PRNG. This option follows the guidelines outlined in Chapter 2.

Notes

When a connection is established, any data received from the server is displayed on stdout, and any data read from stdin is sent to the server. If neither quiet nor ign_eof is specified, the client operates in interactive mode, which means that the session will be renegotiated if a line begins with the capital letter R, or the connection will be shut down if a line begins with the capital letter Q.
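Because the verify option lets the connection proceed even when verification of the server’s certificate fails, a script that drives s_client as a diagnostic tool has to inspect the “Verify return code” line it prints rather than rely on the command’s exit status. The shell function below does that; it is an added example, not part of this reference or of OpenSSL, and the transcripts it is fed are constructed samples with placeholder names.

```shell
#!/bin/sh
# Added example: decide whether an s_client session verified the server
# certificate. s_client proceeds even when verification fails, so the
# "Verify return code" line in its output is the signal to check.
# Reads s_client output on stdin, prints the numeric code, and returns
# 0 only when the code is 0 (ok); returns 2 if no such line is found.
s_client_verify_ok() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "no verify result in s_client output" >&2
        return 2
    fi
    echo "$code"
    [ "$code" -eq 0 ]
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_OK='CONNECTED(00000003)
depth=1 /C=US/O=Example CA
verify return:1
---
Server certificate
subject=/CN=www.example.test
issuer=/C=US/O=Example CA
---
    Verify return code: 0 (ok)
---'

SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 /CN=www.example.test
verify error:num=18:self signed certificate
verify return:1
---
    Verify return code: 18 (self signed certificate)
---'

# Typical use against a live server (placeholder host and CA file):
#   openssl s_client -connect www.example.test:443 -verify 5 -CAfile ca.pem \
#       </dev/null 2>/dev/null | s_client_verify_ok
```

Redirecting stdin from /dev/null makes s_client exit at end of file instead of waiting interactively, so the pipeline completes on its own.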