author | Jung-uk Kim <jkim@FreeBSD.org> | 2019-02-26 19:31:33 +0000 |
---|---|---|
committer | Jung-uk Kim <jkim@FreeBSD.org> | 2019-02-26 19:31:33 +0000 |
commit | 6935a639f0f999de98b970a3cf26b0dc80b1798b (patch) | |
tree | 4549bd7ef0d8a5d43b6278ae71c08e155435c33f /secure/usr.bin/openssl/man/s_server.1 | |
parent | 50792eb553bf2cebaea3ddaea066100ab9e51f2d (diff) | |
parent | 851f7386fd78b9787f4f6669ad271886a2a003f1 (diff) | |
Merge OpenSSL 1.1.1b.
Notes:
svn path=/head/; revision=344602
Diffstat (limited to 'secure/usr.bin/openssl/man/s_server.1')
-rw-r--r-- | secure/usr.bin/openssl/man/s_server.1 | 75 |
1 files changed, 47 insertions, 28 deletions
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 index f3fa8ae0e466..c6c1fe82e1a0 100644 --- a/secure/usr.bin/openssl/man/s_server.1 +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== @@ -54,16 +54,20 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{\ +. if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} . \} .\} +.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -129,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "S_SERVER 1" -.TH S_SERVER 1 "2018-11-20" "1.1.1a" "OpenSSL" +.TH S_SERVER 1 "2019-02-26" "1.1.1b" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -229,6 +233,7 @@ openssl\-s_server, s_server \- SSL/TLS server program [\fB\-no_comp\fR] [\fB\-comp\fR] [\fB\-no_ticket\fR] +[\fB\-num_tickets\fR] [\fB\-serverpref\fR] [\fB\-legacy_renegotiation\fR] [\fB\-no_renegotiation\fR] @@ -303,6 +308,7 @@ openssl\-s_server, s_server \- SSL/TLS server program [\fB\-dtls1\fR] [\fB\-dtls1_2\fR] [\fB\-sctp\fR] +[\fB\-sctp_label_bug\fR] [\fB\-no_dhe\fR] [\fB\-nextprotoneg val\fR] [\fB\-use_srtp val\fR] 
@@ -321,7 +327,7 @@ for connections on a given port using \s-1SSL/TLS.\s0 .IX Header "OPTIONS" In addition to the options below the \fBs_server\fR utility also supports the common and server only options documented in the -in the \*(L"Supported Command Line Commands\*(R" section of the \fISSL_CONF_cmd\fR\|(3) +in the \*(L"Supported Command Line Commands\*(R" section of the \fBSSL_CONF_cmd\fR\|(3) manual page. .IP "\fB\-help\fR" 4 .IX Item "-help" @@ -378,7 +384,7 @@ provided to the client. Option which determines how the subject or issuer names are displayed. The \&\fBval\fR argument can be a single option or multiple options separated by commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to -set multiple options. See the \fIx509\fR\|(1) manual page for details. +set multiple options. See the \fBx509\fR\|(1) manual page for details. .IP "\fB\-naccept +int\fR" 4 .IX Item "-naccept +int" The server will exit after receiving the specified number of connections, @@ -403,7 +409,7 @@ The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. .IP "\fB\-pass val\fR" 4 .IX Item "-pass val" The private key password source. For more information about the format of \fBval\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fBopenssl\fR\|(1). .IP "\fB\-dcert infile\fR, \fB\-dkey infile\fR" 4 .IX Item "-dcert infile, -dkey infile" Specify an additional certificate and private key, these behave in the 
@@ -463,12 +469,12 @@ a certificate is requested. .IP "\fB\-CApath dir\fR" 4 .IX Item "-CApath dir" The directory to use for client certificate verification. This directory -must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. These are +must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information. These are also used when building the server certificate chain. .IP "\fB\-chainCApath dir\fR" 4 .IX Item "-chainCApath dir" The directory to use for building the chain provided to the client. This -directory must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. +directory must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information. .IP "\fB\-chainCAfile file\fR" 4 .IX Item "-chainCAfile file" A file containing trusted certificates to use when attempting to build the @@ -573,7 +579,7 @@ is also used via the \fB\-engine\fR option. For test purposes the dummy async en .IP "\fB\-max_send_frag +int\fR" 4 .IX Item "-max_send_frag +int" The maximum size of data fragment to send. -See \fISSL_CTX_set_max_send_fragment\fR\|(3) for further information. +See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information. .IP "\fB\-split_send_frag +int\fR" 4 .IX Item "-split_send_frag +int" The size used to split data for encrypt pipelines. If more data is written in 
@@ -581,18 +587,18 @@ one go than this value then it will be split into multiple pipelines, up to the maximum number of pipelines defined by max_pipelines. This only has an effect if a suitable cipher suite has been negotiated, an engine that supports pipelining has been loaded, and max_pipelines is greater than 1. See -\&\fISSL_CTX_set_split_send_fragment\fR\|(3) for further information. +\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information. .IP "\fB\-max_pipelines +int\fR" 4 .IX Item "-max_pipelines +int" The maximum number of encrypt/decrypt pipelines to be used. This will only have an effect if an engine has been loaded that supports pipelining (e.g. the dasync engine) and a suitable cipher suite has been negotiated. The default value is 1. -See \fISSL_CTX_set_max_pipelines\fR\|(3) for further information. +See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information. .IP "\fB\-read_buf +int\fR" 4 .IX Item "-read_buf +int" The default read buffer size to be used for connections. This will only have an effect if the buffer size is larger than the size that would otherwise be used -and pipelining is in use (see \fISSL_CTX_set_default_read_buffer_len\fR\|(3) for +and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for further information). .IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4 .IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3" 
@@ -620,7 +626,13 @@ This option was introduced in OpenSSL 1.1.0. OpenSSL 1.1.0. .IP "\fB\-no_ticket\fR" 4 .IX Item "-no_ticket" -Disable RFC4507bis session ticket support. +Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3 +is negotiated. See \fB\-num_tickets\fR. +.IP "\fB\-num_tickets\fR" 4 +.IX Item "-num_tickets" +Control the number of tickets that will be sent to the client after a full +handshake in TLSv1.3. The default number of tickets is 2. This option does not +affect the number of tickets sent after a resumption handshake. .IP "\fB\-serverpref\fR" 4 .IX Item "-serverpref" Use the server's cipher preferences, rather than the client's preferences. 
@@ -669,7 +681,7 @@ program will be used. .IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 .IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" Set different peer certificate verification options. -See the \fIverify\fR\|(1) manual page for details. +See the \fBverify\fR\|(1) manual page for details. .IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4 .IX Item "-crl_check, -crl_check_all" Check the peer certificate has not been revoked by its \s-1CA.\s0 
@@ -716,6 +728,13 @@ respectively. Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only available where OpenSSL has support for \s-1SCTP\s0 enabled. +.IP "\fB\-sctp_label_bug\fR" 4 +.IX Item "-sctp_label_bug" +Use the incorrect behaviour of older OpenSSL implementations when computing +endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with +older broken implementations but breaks interoperability with correct +implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only +available where OpenSSL has support for \s-1SCTP\s0 enabled. .IP "\fB\-no_dhe\fR" 4 .IX Item "-no_dhe" If this option is set then no \s-1DH\s0 parameters will be loaded effectively 
@@ -829,19 +848,19 @@ There should be a way for the \fBs_server\fR program to print out details of any unknown cipher suites a client says it supports. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_CONF_cmd\fR\|(3), \fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) -\&\fISSL_CTX_set_max_send_fragment\fR\|(3), -\&\fISSL_CTX_set_split_send_fragment\fR\|(3), -\&\fISSL_CTX_set_max_pipelines\fR\|(3) +\&\fBSSL_CONF_cmd\fR\|(3), \fBsess_id\fR\|(1), \fBs_client\fR\|(1), \fBciphers\fR\|(1) +\&\fBSSL_CTX_set_max_send_fragment\fR\|(3), +\&\fBSSL_CTX_set_split_send_fragment\fR\|(3), +\&\fBSSL_CTX_set_max_pipelines\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains option was first added to OpenSSL 1.1.0. +The \-no_alt_chains option was added in OpenSSL 1.1.0. .PP -The \-allow\-no\-dhe\-kex and \-prioritize_chacha options were first added to -OpenSSL 1.1.1. +The +\&\-allow\-no\-dhe\-kex and \-prioritize_chacha options were added in OpenSSL 1.1.1. .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy |
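Review bot: In the SYNOPSIS hunk at @@ -229,6 +233,7 @@, the new entry [\fB\-num_tickets\fR] is listed without a value, although the description added later in this patch says it controls the number of tickets and so takes a numeric argument. Other valued options on this page carry their placeholder, for example \fB\-max_send_frag +int\fR and \fB\-nextprotoneg val\fR. Suggest the same form here so the synopsis does not read as a boolean switch.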
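Review bot: In the OPTIONS hunk at @@ -321,7 +327,7 @@, the changed line still begins with "in the" directly after a context line ending in "documented in the", so the rendered sentence reads "documented in the in the ... section". The line is already being touched for the \fI to \fB change, so drop the leading "in the"; the file header says the page is generated by Pod::Man, so the fix belongs in the POD source.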
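Review bot: In the \-no_ticket / \-num_tickets hunk at @@ -620,7 +626,13 @@, the new text says \-no_ticket has no effect once TLSv1.3 is negotiated and points to \-num_tickets, but the \-num_tickets entry never says which value, if any, stops tickets from being issued. Someone who passes \-no_ticket to switch off ticket-based resumption on a test server still gets the default of 2 tickets per full TLSv1.3 handshake, with no documented way to match the old behaviour; suggest stating the value that suppresses tickets. The .IP "\fB\-num_tickets\fR" line also omits the argument placeholder.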
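Review bot: In the \-sctp_label_bug entry at @@ -716,6 +728,13 @@, "older OpenSSL implementations" gives no version boundary, so a reader cannot tell which peers need the flag. Suggest naming the releases that have the incorrect computation, and saying plainly that the flag should be left off unless the peer is one of them, since the text already states it breaks interoperability with correct implementations.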
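Review bot: HISTORY (hunk @@ -829,19 +848,19 @@) has no entry for \-num_tickets or \-sctp_label_bug, the two options this patch documents; the hunk only rewords the existing lines for \-no_alt_chains, \-allow\-no\-dhe\-kex and \-prioritize_chacha. Suggest adding a line recording the release in which each new option appeared, in the same "was added in OpenSSL ..." form.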