Name

s_server

Synopsis

The s_server command is a basic SSL-enabled server that can be used as a diagnostic tool when building, setting up, and debugging SSL clients.

Options

-accept port

Specify the port on which to listen for connections. If this option is not specified, the default of 4433 is used.

-context ID

Specify any string that will be used as the SSL context ID.

-cert filename

Specify the name of a file containing the certificate to use. If this option is not specified, the command will look for a file called server.pem in the directory from which the command-line tool was started.

-key filename

Specify the name of a file containing the private key to use. The private key must match the certificate that is being used. If this option is not specified, the command will expect to find the private key in the same file as the certificate.

-dcert filename

Specify the name of a file containing an additional certificate that the server can use. This is useful for providing both RSA and DSA keys for connecting clients. There is no default if this option is not specified.

-dkey filename

Specify the name of a file containing the private key that matches the certificate specified with the dcert option. If the dcert option is specified without this one, the key should be in the same file as the certificate.

-nocert

Cause no certificate to be used. Use of this option severely restricts the ciphers that are available for use. This means that only anonymous Diffie-Hellman ciphers may be used. Operating a server without a certificate provides very little actual security.

-dhparam filename

Specify the name of a file containing Diffie-Hellman parameters. The parameters will be used by the ephemeral DH ciphers to generate keys. If this option is not specified, the command will attempt to find Diffie-Hellman parameters in the same file as the server’s certificate.

-no_dhe

Disable the use of the ephemeral DH ciphers. No Diffie-Hellman parameters will be searched for if this option is specified.

-no_tmp_rsa

Disable the use of ciphers that require the use of temporary RSA keys.

-verify depth

Cause the server to request a certificate from the client and perform verification on it. The connection will be allowed to proceed even if the client does not provide a certificate. The client’s certificate chain will not be allowed to be longer than the specified depth.

-Verify depth

Cause the server to demand a certificate from the client and perform verification on it. The connection will not be allowed to proceed if the client does not provide a certificate. The client’s certificate chain will not be allowed to be longer than the specified depth.

-CAfile filename

Specify the name of a file containing trusted certificates that will be used to verify the client’s certificate if one is received when it’s requested.

-CApath directory

Specify the name of a directory containing trusted certificates that will be used to verify the client’s certificate if one is received when it’s requested. Each file in the directory should contain only one certificate, and the files should be named with the certificate issuer name’s hash and an extension of “.0”.

-state

Cause SSL session states to be printed.

-debug

Cause extensive debugging information, including a hexdump of all traffic, to be printed.

-nbio_test

Cause tests of non-blocking I/O to be run.

-nbio

Cause non-blocking I/O to be enabled.

-crlf

Cause bare linefeeds to be translated into carriage return and linefeed sequences, as is required by some servers.

-quiet

Cause printing of session and certificate information to be suppressed.

-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1

Specify the version or versions of the SSL protocol that should be supported by the server. By default, all protocols are enabled.

-bugs

Enable workarounds for several known bugs in various server implementations of SSL and TLS.

-hack

Enable an additional workaround required by some early versions of Netscape.

-cipher list

Specify a list of ciphers that the server will indicate to the client that it supports. Normally, the server chooses the cipher to use based on the order received from the client, so the ordering of the ciphers specified with this option is ignored.

-rand filename

Specify the name of a file or files that will be used to seed the PRNG. This option follows the guidelines outlined in Chapter 2.

-www

Cause an HTML-formatted status message to be sent to the client when it connects.

-WWW

Cause the server to emulate a simple HTTP server. Requested pages will be resolved relative to the directory from which the server was started.
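As an added example (not code from the book), the following script exercises the -Verify, -CAfile and -www options described above: it builds a throwaway CA, starts s_server demanding a client certificate, and connects with s_client once without and once with one. The port number, the CA and the certificate names are assumptions made here; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the book: run s_server with -Verify 1 (demand a client
# certificate) against a throwaway CA and connect with s_client twice, once without
# and once with a client certificate. Assumes an openssl binary on PATH; the port,
# the CA and all certificates are constructed here for the demo.
PORT=14433

mtls_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "skipped"; return 0; }
    work=$(mktemp -d)
    # Throwaway CA, then a server and a client certificate signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$work/$name.key" -out "$work/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$work/$name.csr" -CA "$work/ca.pem" \
            -CAkey "$work/ca.key" -CAcreateserial -out "$work/$name.pem" >/dev/null 2>&1
    done
    # -Verify demands a client certificate (-verify would merely request one);
    # -CAfile supplies the trust anchor used to check it; -www serves a status page.
    openssl s_server -accept "$PORT" -cert "$work/server.pem" -key "$work/server.key" \
        -CAfile "$work/ca.pem" -Verify 1 -www >/dev/null 2>&1 &
    pid=$!
    sleep 2
    # The HTML status page only reaches a client whose handshake the server accepted.
    nocert=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$PORT" \
        -CAfile "$work/ca.pem" -quiet 2>&1 || true)
    withcert=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$PORT" \
        -CAfile "$work/ca.pem" -cert "$work/client.pem" -key "$work/client.key" -quiet 2>&1 || true)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$work"
    r1=denied; r2=denied
    case "$nocert" in *"<HTML>"*) r1=allowed ;; esac
    case "$withcert" in *"<HTML>"*) r2=allowed ;; esac
    echo "nocert:$r1 withcert:$r2"   # expected: nocert:denied withcert:allowed
}

mtls_demo
```

Changing -Verify 1 to -verify 1 in the script makes both connections print allowed, which is the whole difference between the two options.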

Notes

When a connection is established with a client and neither the www nor the WWW options are specified, the server runs in interactive mode, displays all data received from the client, and sends all data received from stdin to the client. In addition, certain commands are recognized as input from stdin, as enumerated in Table A-2. The commands are recognized only when they are entered at the start of a line.

Table A-2. Commands recognized by the server

Command   Function performed by the server
-------   --------------------------------
q         Terminates the current connection, but continues to accept new connections.
Q         Terminates the server.
r         Renegotiates the SSL session.
R         Renegotiates the SSL session and requests a client certificate.
P         Sends plaintext to the underlying TCP connection, which is a protocol violation and should cause the client to disconnect.
S         Displays session cache status information.