1OPENSSL-S_TIME(1ossl) OpenSSL OPENSSL-S_TIME(1ossl)
2
6 openssl-s_time - SSL/TLS performance timing program
7
9 openssl s_time [-help] [-connect host:port] [-www page] [-cert
10 filename] [-key filename] [-reuse] [-new] [-verify depth] [-time
11 seconds] [-ssl3] [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-bugs] [-cipher
12 cipherlist] [-ciphersuites val] [-nameopt option] [-cafile file]
13 [-CAfile file] [-no-CAfile] [-CApath dir] [-no-CApath] [-CAstore uri]
14 [-no-CAstore] [-provider name] [-provider-path path] [-propquery propq]
15
17 This command implements a generic SSL/TLS client which connects to a
18 remote host using SSL/TLS. It can request a page from the server and
19 includes the time to transfer the payload data in its timing
20 measurements. It measures the number of connections within a given
21 timeframe, the amount of data transferred (if any), and calculates the
22 average time spent for one connection.
23
25 -help
26 Print out a usage message.
27 -connect host:port
29 This specifies the host and optional port to connect to.
30 -www page
32 This specifies the page to GET from the server. A value of '/' gets
33 the index.html page. If this parameter is not specified, then this
34 command will only perform the handshake to establish SSL
35 connections but not transfer any payload data.
36 -cert certname
38 The certificate to use, if one is requested by the server. The
39 default is not to use a certificate. The file is in PEM format.
40 -key keyfile
42 The private key to use. If not specified then the certificate file
43 will be used. The file is in PEM format.
44 -verify depth
46 The verify depth to use. This specifies the maximum length of the
47 server certificate chain and turns on server certificate
48 verification. Currently the verify operation continues after
49 errors so all the problems with a certificate chain can be seen. As
50 a side effect the connection will never fail due to a server
51 certificate verify failure.
52 -new
54 Performs the timing test using a new session ID for each
55 connection. If neither -new nor -reuse are specified, they are
56 both on by default and executed in sequence.
57 -reuse
59 Performs the timing test using the same session ID; this can be
60 used as a test that session caching is working. If neither -new nor
61 -reuse are specified, they are both on by default and executed in
62 sequence.
63 -bugs
65 There are several known bugs in SSL and TLS implementations. Adding
66 this option enables various workarounds.
67 -cipher cipherlist
69 This allows the TLSv1.2 and below cipher list sent by the client to
70 be modified. This list will be combined with any TLSv1.3
71 ciphersuites that have been configured. Although the server
72 determines which cipher suite is used it should take the first
73 supported cipher in the list sent by the client. See
74 openssl-ciphers(1) for more information.
75 -ciphersuites val
77 This allows the TLSv1.3 ciphersuites sent by the client to be
78 modified. This list will be combined with any TLSv1.2 and below
79 ciphersuites that have been configured. Although the server
80 determines which cipher suite is used it should take the first
81 supported cipher in the list sent by the client. See
82 openssl-ciphers(1) for more information. The format for this list
83 is a simple colon (":") separated list of TLSv1.3 ciphersuite
84 names.
85 -time length
87 Specifies how long (in seconds) this command should establish
88 connections and optionally transfer payload data from a server.
89 Server and client performance and the link speed determine how many
90 connections it can establish.
91 -nameopt option
93 This specifies how the subject or issuer names are displayed. See
94 openssl-namedisplay-options(1) for details.
95 -CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri,
97 -no-CAstore
98 See "Trusted Certificate Options" in
99 openssl-verification-options(1) for details.
100 -provider name
102 -provider-path path
103 -propquery propq
104 See "Provider Options" in openssl(1), provider(7), and property(7).
105 -cafile file
107 This is an obsolete synonym for -CAfile.
108 -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3
110 See "TLS Version Options" in openssl(1).
111
113 This command can be used to measure the performance of an SSL
114 connection. To connect to an SSL HTTP server and get the default page
115 the command
116 openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
118 would typically be used (https uses port 443). commoncipher is a cipher
120 to which both client and server can agree, see the openssl-ciphers(1)
121 command for details.
122 If the handshake fails then there are several possible causes, if it is
124 nothing obvious like no client certificate then the -bugs and -ssl3
125 options can be tried in case it is a buggy server. In particular you
126 should play with these options before submitting a bug report to an
127 OpenSSL mailing list.
128 A frequent problem when attempting to get client certificates working
130 is that a web client complains it has no certificates or gives an empty
131 list to choose from. This is normally because the server is not sending
132 the clients certificate authority in its "acceptable CA list" when it
133 requests a certificate. By using openssl-s_client(1) the CA list can be
134 viewed and checked. However, some servers only request client
135 authentication after a specific URL is requested. To obtain the list in
136 this case it is necessary to use the -prexit option of
137 openssl-s_client(1) and send an HTTP request for an appropriate page.
138 If a certificate is specified on the command line using the -cert
140 option it will not be used unless the server specifically requests a
141 client certificate. Therefore, merely including a client certificate on
142 the command line is no guarantee that the certificate works.
143
145 Because this program does not have all the options of the
146 openssl-s_client(1) program to turn protocols on and off, you may not
147 be able to measure the performance of all protocols with all servers.
148 The -verify option should really exit if the server verification fails.
150
152 The -cafile option was deprecated in OpenSSL 3.0.
153
155 openssl(1), openssl-s_client(1), openssl-s_server(1),
156 openssl-ciphers(1), ossl_store-file(7)
157
159 Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
160 Licensed under the Apache License 2.0 (the "License"). You may not use
162 this file except in compliance with the License. You can obtain a copy
163 in the file LICENSE in the source distribution or at
164 <https://www.openssl.org/source/license.html>.
1653.0.9 2023-07-27 OPENSSL-S_TIME(1ossl)