=pod

=head1 NAME

openssl-s_client,
s_client - SSL/TLS client program

=head1 SYNOPSIS

B<openssl> B<s_client>
[B<-help>]
[B<-connect host:port>]
[B<-bind host:port>]
[B<-proxy host:port>]
[B<-proxy_user userid>]
[B<-proxy_pass arg>]
[B<-unix path>]
[B<-4>]
[B<-6>]
[B<-servername name>]
[B<-noservername>]
[B<-verify depth>]
[B<-verify_return_error>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
[B<-keyform DER|PEM>]
[B<-cert_chain filename>]
[B<-build_chain>]
[B<-xkey>]
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
[B<-xcertform PEM|DER>]
[B<-xkeyform PEM|DER>]
[B<-pass arg>]
[B<-CApath directory>]
[B<-CAfile filename>]
[B<-chainCApath directory>]
[B<-chainCAfile filename>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-requestCAfile filename>]
[B<-dane_tlsa_domain domain>]
[B<-dane_tlsa_rrdata rrdata>]
[B<-dane_ee_no_namechecks>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-auth_level num>]
[B<-nameopt option>]
[B<-verify_depth num>]
[B<-verify_email email>]
[B<-verify_hostname hostname>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-build_chain>]
[B<-x509_strict>]
[B<-reconnect>]
[B<-showcerts>]
[B<-debug>]
[B<-msg>]
[B<-nbio_test>]
[B<-state>]
[B<-nbio>]
[B<-crlf>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-psk_identity identity>]
[B<-psk key>]
[B<-psk_session file>]
[B<-quiet>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
[B<-no_tls1_3>]
[B<-dtls>]
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-fallback_scsv>]
[B<-async>]
[B<-max_send_frag>]
[B<-split_send_frag>]
[B<-max_pipelines>]
[B<-read_buf>]
[B<-bugs>]
[B<-comp>]
[B<-no_comp>]
[B<-allow_no_dhe_kex>]
[B<-sigalgs sigalglist>]
[B<-curves curvelist>]
[B<-cipher cipherlist>]
[B<-ciphersuites val>]
[B<-serverpref>]
[B<-starttls protocol>]
[B<-xmpphost hostname>]
[B<-name hostname>]
[B<-engine id>]
[B<-tlsextdebug>]
[B<-no_ticket>]
[B<-sess_out filename>]
[B<-sess_in filename>]
[B<-rand file...>]
[B<-writerand file>]
[B<-serverinfo types>]
[B<-status>]
[B<-alpn protocols>]
[B<-nextprotoneg protocols>]
[B<-ct>]
[B<-noct>]
[B<-ctlogfile>]
[B<-keylogfile file>]
[B<-early_data file>]
[B<-enable_pha>]
[B]

=head1 DESCRIPTION

The B<s_client> command implements a generic SSL/TLS client which connects
to a remote host using SSL/TLS. It is a I useful diagnostic tool for
SSL servers.

=head1 OPTIONS

In addition to the options below the B<s_client> utility also supports the
common and client only options documented in the
"Supported Command Line Commands" section of the L manual page.

=over 4

=item B<-help>

Print out a usage message.

=item B<-connect host:port>

This specifies the host and optional port to connect to. It is possible to
select the host and port using the optional target positional argument instead.
If neither this nor the target positional argument are specified then an attempt
is made to connect to the local host on port 4433.

=item B<-bind host:port>

This specifies the host address and/or port to bind as the source for the
connection. For Unix-domain sockets the port is ignored and the host is
used as the source socket address.

=item B<-proxy host:port>

When used with the B<-connect> flag, the program uses the host and port
specified with this flag and issues an HTTP CONNECT command to connect
to the desired server.

=item B<-proxy_user userid>

When used with the B<-proxy> flag, the program will attempt to authenticate
with the specified proxy using basic (base64) authentication.
NB: Basic authentication is insecure; the credentials are sent to the proxy
in easily reversible base64 encoding before any TLS/SSL session is established.
Therefore these credentials are easily recovered by anyone able to sniff/trace
the network. Use with caution.

=item B<-proxy_pass arg>

The proxy password source, used with the B<-proxy_user> flag.
For more information about the format of B see the B section in L.

=item B<-unix path>

Connect over the specified Unix-domain socket.

=item B<-4>

Use IPv4 only.

=item B<-6>

Use IPv6 only.

=item B<-servername name>

Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
the given value.
If B<-servername> is not provided, the TLS SNI extension will be populated with
the name given to B<-connect> if it follows a DNS name format. If B<-connect> is
not provided either, the SNI is set to "localhost".
This is the default since OpenSSL 1.1.1.

Even though SNI should normally be a DNS name and not an IP address, if
B<-servername> is provided then that name will be sent, regardless of whether
it is a DNS name or not.

This option cannot be used in conjunction with B<-noservername>.

=item B<-noservername>

Suppresses sending of the SNI (Server Name Indication) extension in the
ClientHello message. Cannot be used in conjunction with the B<-servername> or
B<-dane_tlsa_domain> options.

=item B<-cert certname>

The certificate to use, if one is requested by the server. The default is
not to use a certificate.

=item B<-certform format>

The certificate format to use: DER or PEM. PEM is the default.

=item B<-key keyfile>

The private key to use. If not specified then the certificate file will
be used.

=item B<-keyform format>

The private key format to use: DER or PEM. PEM is the default.

=item B<-cert_chain>

A file containing trusted certificates to use when attempting to build the
client/server certificate chain related to the certificate specified via the
B<-cert> option.

=item B<-build_chain>

Specify whether the application should build the certificate chain to be
provided to the server.

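The B<-proxy_user> note above says the credentials are easily recovered by anyone
who can observe the network. The following is an added example, not part of the
OpenSSL documentation or source, that audits a captured proxy request for exposed
Basic credentials. The function names, the host name and the credentials in the
sample capture are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Audits a plaintext capture of proxy traffic for HTTP Basic
# proxy credentials and reports which accounts are exposed on the wire.

# Reads captured request headers on stdin. For every
# "Proxy-Authorization: Basic <token>" header, prints the userid and the
# length of the recovered password (the password itself is not echoed).
exposed_proxy_accounts() {
    tr -d '\r' |
    sed -n 's/^[Pp]roxy-[Aa]uthorization:[[:space:]]*[Bb]asic[[:space:]]*//p' |
    while IFS= read -r token; do
        # base64 is an encoding, not encryption: no key is needed to undo it.
        cred=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
        case $cred in
            *:*) ;;           # well-formed "userid:password"
            *)   continue ;;  # not a Basic credential pair, skip it
        esac
        user=${cred%%:*}      # everything before the first colon
        pass=${cred#*:}       # everything after it (may itself contain colons)
        printf '%s %s\n' "$user" "${#pass}"
    done
}

# Constructed sample: a CONNECT request carrying Basic proxy credentials, as it
# would appear in cleartext before any TLS/SSL session is established.
sample_capture() {
    token=$(printf '%s' 'alice:s3cret' | base64)
    printf 'CONNECT server.example:443 HTTP/1.0\r\n'
    printf 'Proxy-Authorization: Basic %s\r\n' "$token"
    printf '\r\n'
}

sample_capture | exposed_proxy_accounts
```

Any account this reports has had its proxy password disclosed to every observer
on the path between the client and the proxy.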

=item B<-xkey infile>, B<-xcert infile>, B<-xchain>

Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
specified, the callback returning the first valid chain will be in use by the
client.

=item B<-xchain_build>

Specify whether the application should build the certificate chain to be
provided to the server for the extra certificates provided via B<-xkey infile>,
B<-xcert infile>, B<-xchain> options.

=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>

Extra certificate and private key format respectively.

=item B<-pass arg>

The private key password source. For more information about the format of B
see the B section in L.

=item B<-verify depth>

The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.

=item B<-verify_return_error>

Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.

=item B<-nameopt option>

Option which determines how the subject or issuer names are displayed. The B