1S_SERVER(1)                         OpenSSL                        S_SERVER(1)
2
3
4

NAME

6       openssl-s_server, s_server - SSL/TLS server program
7

SYNOPSIS

9       openssl s_server [-help] [-port +int] [-accept val] [-unix val] [-4]
10       [-6] [-unlink] [-context val] [-verify int] [-Verify int] [-cert
11       infile] [-nameopt val] [-naccept +int] [-serverinfo val] [-certform
12       PEM|DER] [-key infile] [-keyform format] [-pass val] [-dcert infile]
13       [-dcertform PEM|DER] [-dkey infile] [-dkeyform PEM|DER] [-dpass val]
14       [-nbio_test] [-crlf] [-debug] [-msg] [-msgfile outfile] [-state]
15       [-CAfile infile] [-CApath dir] [-no-CAfile] [-no-CApath] [-nocert]
16       [-quiet] [-no_resume_ephemeral] [-www] [-WWW] [-servername]
17       [-servername_fatal] [-cert2 infile] [-key2 infile] [-tlsextdebug]
18       [-HTTP] [-id_prefix val] [-rand file...]  [-writerand file]
19       [-keymatexport val] [-keymatexportlen +int] [-CRL infile]
20       [-crl_download] [-cert_chain infile] [-dcert_chain infile]
21       [-chainCApath dir] [-verifyCApath dir] [-no_cache] [-ext_cache]
22       [-CRLform PEM|DER] [-verify_return_error] [-verify_quiet]
23       [-build_chain] [-chainCAfile infile] [-verifyCAfile infile] [-ign_eof]
24       [-no_ign_eof] [-status] [-status_verbose] [-status_timeout int]
25       [-status_url val] [-status_file infile] [-trace] [-security_debug]
26       [-security_debug_verbose] [-brief] [-rev] [-async] [-ssl_config val]
27       [-max_send_frag +int] [-split_send_frag +int] [-max_pipelines +int]
28       [-read_buf +int] [-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2]
29       [-no_tls1_3] [-bugs] [-no_comp] [-comp] [-no_ticket] [-num_tickets]
30       [-serverpref] [-legacy_renegotiation] [-no_renegotiation]
31       [-legacy_server_connect] [-no_resumption_on_reneg]
32       [-no_legacy_server_connect] [-allow_no_dhe_kex] [-prioritize_chacha]
33       [-strict] [-sigalgs val] [-client_sigalgs val] [-groups val] [-curves
34       val] [-named_curve val] [-cipher val] [-ciphersuites val] [-dhparam
35       infile] [-record_padding val] [-debug_broken_protocol] [-policy val]
36       [-purpose val] [-verify_name val] [-verify_depth int] [-auth_level int]
37       [-attime intmax] [-verify_hostname val] [-verify_email val]
38       [-verify_ip] [-ignore_critical] [-issuer_checks] [-crl_check]
39       [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any]
40       [-inhibit_map] [-x509_strict] [-extended_crl] [-use_deltas]
41       [-policy_print] [-check_ss_sig] [-trusted_first] [-suiteB_128_only]
42       [-suiteB_128] [-suiteB_192] [-partial_chain] [-no_alt_chains]
43       [-no_check_time] [-allow_proxy_certs] [-xkey] [-xcert] [-xchain]
44       [-xchain_build] [-xcertform PEM|DER] [-xkeyform PEM|DER] [-nbio]
45       [-psk_identity val] [-psk_hint val] [-psk val] [-psk_session file]
46       [-srpvfile infile] [-srpuserseed val] [-ssl3] [-tls1] [-tls1_1]
47       [-tls1_2] [-tls1_3] [-dtls] [-timeout] [-mtu +int] [-listen] [-dtls1]
48       [-dtls1_2] [-sctp] [-sctp_label_bug] [-no_dhe] [-nextprotoneg val]
49       [-use_srtp val] [-alpn val] [-engine val] [-keylogfile outfile]
50       [-max_early_data int] [-early_data] [-anti_replay] [-no_anti_replay]
51

DESCRIPTION

53       The s_server command implements a generic SSL/TLS server which listens
54       for connections on a given port using SSL/TLS.
55

OPTIONS

57       In addition to the options below the s_server utility also supports the
58       common and server only options documented in the "Supported Command
59       Line Commands" section of the SSL_CONF_cmd(3) manual page.
60
61       -help
62           Print out a usage message.
63
64       -port +int
65           The TCP port to listen on for connections. If not specified 4433 is
66           used.
67
68       -accept val
69           The optional TCP host and port to listen on for connections. If not
70           specified, *:4433 is used.
71
72       -unix val
73           Unix domain socket to accept on.
74
75       -4  Use IPv4 only.
76
77       -6  Use IPv6 only.
78
79       -unlink
80           For -unix, unlink any existing socket first.
81
82       -context val
83           Sets the SSL context id. It can be given any string value. If this
84           option is not present a default value will be used.
85
86       -verify int, -Verify int
87           The verify depth to use. This specifies the maximum length of the
88           client certificate chain and makes the server request a certificate
89           from the client. With the -verify option a certificate is requested
90           but the client does not have to send one, with the -Verify option
91           the client must supply a certificate or an error occurs.
92
93           If the cipher suite cannot request a client certificate (for
94           example an anonymous cipher suite or PSK) this option has no
95           effect.
96
97       -cert infile
98           The certificate to use, most servers cipher suites require the use
99           of a certificate and some require a certificate with a certain
100           public key type: for example the DSS cipher suites require a
101           certificate containing a DSS (DSA) key. If not specified then the
102           filename "server.pem" will be used.
103
104       -cert_chain
105           A file containing trusted certificates to use when attempting to
106           build the client/server certificate chain related to the
107           certificate specified via the -cert option.
108
109       -build_chain
110           Specify whether the application should build the certificate chain
111           to be provided to the client.
112
113       -nameopt val
114           Option which determines how the subject or issuer names are
115           displayed. The val argument can be a single option or multiple
116           options separated by commas.  Alternatively the -nameopt switch may
117           be used more than once to set multiple options. See the x509(1)
118           manual page for details.
119
120       -naccept +int
121           The server will exit after receiving the specified number of
122           connections, default unlimited.
123
124       -serverinfo val
125           A file containing one or more blocks of PEM data.  Each PEM block
126           must encode a TLS ServerHello extension (2 bytes type, 2 bytes
127           length, followed by "length" bytes of extension data).  If the
128           client sends an empty TLS ClientHello extension matching the type,
129           the corresponding ServerHello extension will be returned.
130
131       -certform PEM|DER
132           The certificate format to use: DER or PEM. PEM is the default.
133
134       -key infile
135           The private key to use. If not specified then the certificate file
136           will be used.
137
138       -keyform format
139           The private format to use: DER or PEM. PEM is the default.
140
141       -pass val
142           The private key password source. For more information about the
143           format of val see the PASS PHRASE ARGUMENTS section in openssl(1).
144
145       -dcert infile, -dkey infile
146           Specify an additional certificate and private key, these behave in
147           the same manner as the -cert and -key options except there is no
148           default if they are not specified (no additional certificate and
149           key is used). As noted above some cipher suites require a
150           certificate containing a key of a certain type. Some cipher suites
151           need a certificate carrying an RSA key and some a DSS (DSA) key. By
152           using RSA and DSS certificates and keys a server can support
153           clients which only support RSA or DSS cipher suites by using an
154           appropriate certificate.
155
156       -dcert_chain
157           A file containing trusted certificates to use when attempting to
158           build the server certificate chain when a certificate specified via
159           the -dcert option is in use.
160
161       -dcertform PEM|DER, -dkeyform PEM|DER, -dpass val
162           Additional certificate and private key format and passphrase
163           respectively.
164
165       -xkey infile, -xcert infile, -xchain
166           Specify an extra certificate, private key and certificate chain.
167           These behave in the same manner as the -cert, -key and -cert_chain
168           options.  When specified, the callback returning the first valid
169           chain will be in use by the server.
170
171       -xchain_build
172           Specify whether the application should build the certificate chain
173           to be provided to the client for the extra certificates provided
174           via -xkey infile, -xcert infile, -xchain options.
175
176       -xcertform PEM|DER, -xkeyform PEM|DER
177           Extra certificate and private key format respectively.
178
179       -nbio_test
180           Tests non blocking I/O.
181
182       -crlf
183           This option translated a line feed from the terminal into CR+LF.
184
185       -debug
186           Print extensive debugging information including a hex dump of all
187           traffic.
188
189       -msg
190           Show all protocol messages with hex dump.
191
192       -msgfile outfile
193           File to send output of -msg or -trace to, default standard output.
194
195       -state
196           Prints the SSL session states.
197
198       -CAfile infile
199           A file containing trusted certificates to use during client
200           authentication and to use when attempting to build the server
201           certificate chain. The list is also used in the list of acceptable
202           client CAs passed to the client when a certificate is requested.
203
204       -CApath dir
205           The directory to use for client certificate verification. This
206           directory must be in "hash format", see verify(1) for more
207           information. These are also used when building the server
208           certificate chain.
209
210       -chainCApath dir
211           The directory to use for building the chain provided to the client.
212           This directory must be in "hash format", see verify(1) for more
213           information.
214
215       -chainCAfile file
216           A file containing trusted certificates to use when attempting to
217           build the server certificate chain.
218
219       -no-CAfile
220           Do not load the trusted CA certificates from the default file
221           location.
222
223       -no-CApath
224           Do not load the trusted CA certificates from the default directory
225           location.
226
227       -nocert
228           If this option is set then no certificate is used. This restricts
229           the cipher suites available to the anonymous ones (currently just
230           anonymous DH).
231
232       -quiet
233           Inhibit printing of session and certificate information.
234
235       -www
236           Sends a status message back to the client when it connects. This
237           includes information about the ciphers used and various session
238           parameters.  The output is in HTML format so this option will
239           normally be used with a web browser. Cannot be used in conjunction
240           with -early_data.
241
242       -WWW
243           Emulates a simple web server. Pages will be resolved relative to
244           the current directory, for example if the URL
245           https://myhost/page.html is requested the file ./page.html will be
246           loaded. Cannot be used in conjunction with -early_data.
247
248       -tlsextdebug
249           Print a hex dump of any TLS extensions received from the server.
250
251       -HTTP
252           Emulates a simple web server. Pages will be resolved relative to
253           the current directory, for example if the URL
254           https://myhost/page.html is requested the file ./page.html will be
255           loaded. The files loaded are assumed to contain a complete and
256           correct HTTP response (lines that are part of the HTTP response
257           line and headers must end with CRLF). Cannot be used in conjunction
258           with -early_data.
259
260       -id_prefix val
261           Generate SSL/TLS session IDs prefixed by val. This is mostly useful
262           for testing any SSL/TLS code (eg. proxies) that wish to deal with
263           multiple servers, when each of which might be generating a unique
264           range of session IDs (eg. with a certain prefix).
265
266       -rand file...
267           A file or files containing random data used to seed the random
268           number generator.  Multiple files can be specified separated by an
269           OS-dependent character.  The separator is ; for MS-Windows, , for
270           OpenVMS, and : for all others.
271
272       [-writerand file]
273           Writes random data to the specified file upon exit.  This can be
274           used with a subsequent -rand flag.
275
276       -verify_return_error
277           Verification errors normally just print a message but allow the
278           connection to continue, for debugging purposes.  If this option is
279           used, then verification errors close the connection.
280
281       -status
282           Enables certificate status request support (aka OCSP stapling).
283
284       -status_verbose
285           Enables certificate status request support (aka OCSP stapling) and
286           gives a verbose printout of the OCSP response.
287
288       -status_timeout int
289           Sets the timeout for OCSP response to int seconds.
290
291       -status_url val
292           Sets a fallback responder URL to use if no responder URL is present
293           in the server certificate. Without this option an error is returned
294           if the server certificate does not contain a responder address.
295
296       -status_file infile
297           Overrides any OCSP responder URLs from the certificate and always
298           provides the OCSP Response stored in the file. The file must be in
299           DER format.
300
301       -trace
302           Show verbose trace output of protocol messages. OpenSSL needs to be
303           compiled with enable-ssl-trace for this option to work.
304
305       -brief
306           Provide a brief summary of connection parameters instead of the
307           normal verbose output.
308
309       -rev
310           Simple test server which just reverses the text received from the
311           client and sends it back to the server. Also sets -brief. Cannot be
312           used in conjunction with -early_data.
313
314       -async
315           Switch on asynchronous mode. Cryptographic operations will be
316           performed asynchronously. This will only have an effect if an
317           asynchronous capable engine is also used via the -engine option.
318           For test purposes the dummy async engine (dasync) can be used (if
319           available).
320
321       -max_send_frag +int
322           The maximum size of data fragment to send.  See
323           SSL_CTX_set_max_send_fragment(3) for further information.
324
325       -split_send_frag +int
326           The size used to split data for encrypt pipelines. If more data is
327           written in one go than this value then it will be split into
328           multiple pipelines, up to the maximum number of pipelines defined
329           by max_pipelines. This only has an effect if a suitable cipher
330           suite has been negotiated, an engine that supports pipelining has
331           been loaded, and max_pipelines is greater than 1. See
332           SSL_CTX_set_split_send_fragment(3) for further information.
333
334       -max_pipelines +int
335           The maximum number of encrypt/decrypt pipelines to be used. This
336           will only have an effect if an engine has been loaded that supports
337           pipelining (e.g. the dasync engine) and a suitable cipher suite has
338           been negotiated. The default value is 1.  See
339           SSL_CTX_set_max_pipelines(3) for further information.
340
341       -read_buf +int
342           The default read buffer size to be used for connections. This will
343           only have an effect if the buffer size is larger than the size that
344           would otherwise be used and pipelining is in use (see
345           SSL_CTX_set_default_read_buffer_len(3) for further information).
346
347       -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl2, -no_ssl3,
348       -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
349           These options require or disable the use of the specified SSL or
350           TLS protocols.  By default s_server will negotiate the highest
351           mutually supported protocol version.  When a specific TLS version
352           is required, only that version will be accepted from the client.
353           Note that not all protocols and flags may be available, depending
354           on how OpenSSL was built.
355
356       -bugs
357           There are several known bugs in SSL and TLS implementations. Adding
358           this option enables various workarounds.
359
360       -no_comp
361           Disable negotiation of TLS compression.  TLS compression is not
362           recommended and is off by default as of OpenSSL 1.1.0.
363
364       -comp
365           Enable negotiation of TLS compression.  This option was introduced
366           in OpenSSL 1.1.0.  TLS compression is not recommended and is off by
367           default as of OpenSSL 1.1.0.
368
369       -no_ticket
370           Disable RFC4507bis session ticket support. This option has no
371           effect if TLSv1.3 is negotiated. See -num_tickets.
372
373       -num_tickets
374           Control the number of tickets that will be sent to the client after
375           a full handshake in TLSv1.3. The default number of tickets is 2.
376           This option does not affect the number of tickets sent after a
377           resumption handshake.
378
379       -serverpref
380           Use the server's cipher preferences, rather than the client's
381           preferences.
382
383       -prioritize_chacha
384           Prioritize ChaCha ciphers when preferred by clients. Requires
385           -serverpref.
386
387       -no_resumption_on_reneg
388           Set the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION option.
389
390       -client_sigalgs val
391           Signature algorithms to support for client certificate
392           authentication (colon-separated list).
393
394       -named_curve val
395           Specifies the elliptic curve to use. NOTE: this is single curve,
396           not a list.  For a list of all possible curves, use:
397
398               $ openssl ecparam -list_curves
399
400       -cipher val
401           This allows the list of TLSv1.2 and below ciphersuites used by the
402           server to be modified. This list is combined with any TLSv1.3
403           ciphersuites that have been configured. When the client sends a
404           list of supported ciphers the first client cipher also included in
405           the server list is used. Because the client specifies the
406           preference order, the order of the server cipherlist is irrelevant.
407           See the ciphers command for more information.
408
409       -ciphersuites val
410           This allows the list of TLSv1.3 ciphersuites used by the server to
411           be modified.  This list is combined with any TLSv1.2 and below
412           ciphersuites that have been configured. When the client sends a
413           list of supported ciphers the first client cipher also included in
414           the server list is used. Because the client specifies the
415           preference order, the order of the server cipherlist is irrelevant.
416           See the ciphers command for more information. The format for this
417           list is a simple colon (":") separated list of TLSv1.3 ciphersuite
418           names.
419
420       -dhparam infile
421           The DH parameter file to use. The ephemeral DH cipher suites
422           generate keys using a set of DH parameters. If not specified then
423           an attempt is made to load the parameters from the server
424           certificate file.  If this fails then a static set of parameters
425           hard coded into the s_server program will be used.
426
427       -attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy,
428       -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map,
429       -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check,
430       -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192,
431       -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email,
432       -verify_hostname, -verify_ip, -verify_name, -x509_strict
433           Set different peer certificate verification options.  See the
434           verify(1) manual page for details.
435
436       -crl_check, -crl_check_all
437           Check the peer certificate has not been revoked by its CA.  The
438           CRL(s) are appended to the certificate file. With the
439           -crl_check_all option all CRLs of all CAs in the chain are checked.
440
441       -nbio
442           Turns on non blocking I/O.
443
444       -psk_identity val
445           Expect the client to send PSK identity val when using a PSK cipher
446           suite, and warn if they do not.  By default, the expected PSK
447           identity is the string "Client_identity".
448
449       -psk_hint val
450           Use the PSK identity hint val when using a PSK cipher suite.
451
452       -psk val
453           Use the PSK key val when using a PSK cipher suite. The key is given
454           as a hexadecimal number without leading 0x, for example -psk
455           1a2b3c4d.  This option must be provided in order to use a PSK
456           cipher.
457
458       -psk_session file
459           Use the pem encoded SSL_SESSION data stored in file as the basis of
460           a PSK.  Note that this will only work if TLSv1.3 is negotiated.
461
462       -listen
463           This option can only be used in conjunction with one of the DTLS
464           options above.  With this option s_server will listen on a UDP port
465           for incoming connections.  Any ClientHellos that arrive will be
466           checked to see if they have a cookie in them or not.  Any without a
467           cookie will be responded to with a HelloVerifyRequest.  If a
468           ClientHello with a cookie is received then s_server will connect to
469           that peer and complete the handshake.
470
471       -dtls, -dtls1, -dtls1_2
472           These options make s_server use DTLS protocols instead of TLS.
473           With -dtls, s_server will negotiate any supported DTLS protocol
474           version, whilst -dtls1 and -dtls1_2 will only support DTLSv1.0 and
475           DTLSv1.2 respectively.
476
477       -sctp
478           Use SCTP for the transport protocol instead of UDP in DTLS. Must be
479           used in conjunction with -dtls, -dtls1 or -dtls1_2. This option is
480           only available where OpenSSL has support for SCTP enabled.
481
482       -sctp_label_bug
483           Use the incorrect behaviour of older OpenSSL implementations when
484           computing endpoint-pair shared secrets for DTLS/SCTP. This allows
485           communication with older broken implementations but breaks
486           interoperability with correct implementations. Must be used in
487           conjunction with -sctp. This option is only available where OpenSSL
488           has support for SCTP enabled.
489
490       -no_dhe
491           If this option is set then no DH parameters will be loaded
492           effectively disabling the ephemeral DH cipher suites.
493
494       -alpn val, -nextprotoneg val
495           These flags enable the Enable the Application-Layer Protocol
496           Negotiation or Next Protocol Negotiation (NPN) extension,
497           respectively. ALPN is the IETF standard and replaces NPN.  The val
498           list is a comma-separated list of supported protocol names.  The
499           list should contain the most desirable protocols first.  Protocol
500           names are printable ASCII strings, for example "http/1.1" or
501           "spdy/3".  The flag -nextprotoneg cannot be specified if -tls1_3 is
502           used.
503
504       -engine val
505           Specifying an engine (by its unique id string in val) will cause
506           s_server to attempt to obtain a functional reference to the
507           specified engine, thus initialising it if needed. The engine will
508           then be set as the default for all available algorithms.
509
510       -keylogfile outfile
511           Appends TLS secrets to the specified keylog file such that external
512           programs (like Wireshark) can decrypt TLS connections.
513
514       -max_early_data int
515           Change the default maximum early data bytes that are specified for
516           new sessions and any incoming early data (when used in conjunction
517           with the -early_data flag). The default value is approximately 16k.
518           The argument must be an integer greater than or equal to 0.
519
520       -early_data
521           Accept early data where possible. Cannot be used in conjunction
522           with -www, -WWW, -HTTP or -rev.
523
524       -anti_replay, -no_anti_replay
525           Switches replay protection on or off, respectively. Replay
526           protection is on by default unless overridden by a configuration
527           file. When it is on, OpenSSL will automatically detect if a session
528           ticket has been used more than once, TLSv1.3 has been negotiated,
529           and early data is enabled on the server. A full handshake is forced
530           if a session ticket is used a second or subsequent time. Any early
531           data that was sent will be rejected.
532

CONNECTED COMMANDS

534       If a connection request is established with an SSL client and neither
535       the -www nor the -WWW option has been used then normally any data
536       received from the client is displayed and any key presses will be sent
537       to the client.
538
539       Certain commands are also recognized which perform special operations.
540       These commands are a letter which must appear at the start of a line.
541       They are listed below.
542
543       q   End the current SSL connection but still accept new connections.
544
545       Q   End the current SSL connection and exit.
546
547       r   Renegotiate the SSL session (TLSv1.2 and below only).
548
549       R   Renegotiate the SSL session and request a client certificate
550           (TLSv1.2 and below only).
551
552       P   Send some plain text down the underlying TCP connection: this
553           should cause the client to disconnect due to a protocol violation.
554
555       S   Print out some session cache status information.
556
557       B   Send a heartbeat message to the client (DTLS only)
558
559       k   Send a key update message to the client (TLSv1.3 only)
560
561       K   Send a key update message to the client and request one back
562           (TLSv1.3 only)
563
564       c   Send a certificate request to the client (TLSv1.3 only)
565

NOTES

567       s_server can be used to debug SSL clients. To accept connections from a
568       web browser the command:
569
570        openssl s_server -accept 443 -www
571
572       can be used for example.
573
574       Although specifying an empty list of CAs when requesting a client
575       certificate is strictly speaking a protocol violation, some SSL clients
576       interpret this to mean any CA is acceptable. This is useful for
577       debugging purposes.
578
579       The session parameters can printed out using the sess_id program.
580

BUGS

582       Because this program has a lot of options and also because some of the
583       techniques used are rather old, the C source of s_server is rather hard
584       to read and not a model of how things should be done.  A typical SSL
585       server program would be much simpler.
586
587       The output of common ciphers is wrong: it just gives the list of
588       ciphers that OpenSSL recognizes and the client supports.
589
590       There should be a way for the s_server program to print out details of
591       any unknown cipher suites a client says it supports.
592

SEE ALSO

594       SSL_CONF_cmd(3), sess_id(1), s_client(1), ciphers(1)
595       SSL_CTX_set_max_send_fragment(3), SSL_CTX_set_split_send_fragment(3),
596       SSL_CTX_set_max_pipelines(3)
597

HISTORY

599       The -no_alt_chains option was added in OpenSSL 1.1.0.
600
601       The -allow-no-dhe-kex and -prioritize_chacha options were added in
602       OpenSSL 1.1.1.
603
605       Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
606
607       Licensed under the OpenSSL license (the "License").  You may not use
608       this file except in compliance with the License.  You can obtain a copy
609       in the file LICENSE in the source distribution or at
610       <https://www.openssl.org/source/license.html>.
611
612
613
6141.1.1g                            2020-04-23                       S_SERVER(1)
Impressum