Openssl s_server命令

一、简介

s_server是openssl提供的一个SSL服务程序。使用此程序前，需要生成各种证书。本命令可以用来测试ssl客户端，比如各种浏览器的https协议支持

二、语法

openssl s_server [-accept port] [-context id] [-verify depth] [-Verify depth] [-crl_check] [-crl_check_all] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-dcert filename] [-dcertform DER|PEM ] [-dkey keyfile] [-dkeyform DER|PEM ] [-dpass arg] [-dhparam filename] [-name_curve arg][-nbio] [-nbio_test] [-crlf] [-debug] [-msg] [-state] [-CApath directory] [-CAfile filename] [-nocert] [-cipher cipherlist] [-quiet] [-no_tmp_rsa] [-ssl2] [-ssl3] [-tls1_1] [-tls1_2] [-tls1] [-dtls1] [-timeout] [-mtu] [-chain] [-no_ssl2][-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-no_dhe] [-no_ecdhe][-bugs] [-hack] [-www] [-WWW] [-HTTP][-engine id] [-tlsextdebug] [-no_ticket] [-id_prefix arg] [-rand file(s)]

选项

-accept arg   - port to accept on (default is 4433)
-context arg  - set session ID context
-verify arg   - turn on peer certificate verification
-Verify arg   - turn on peer certificate verification, must have a cert.
-cert arg     - certificate file to use
(default is server.pem)
-crl_check    - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appened to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg      - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg  - key format (PEM, DER or ENGINE) PEM default
-pass arg     - private key file pass phrase source
-dcert arg    - second certificate file to use (usually for DSA)
-dcertform x  - second certificate format (PEM or DER) PEM default
-dkey arg     - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg    - second private key file pass phrase source
-dhparam arg  - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio         - Run with non-blocking IO
-nbio_test    - test with the non-blocking test bio
-crlf         - convert LF from terminal into CRLF
-debug        - Print more output
-msg          - Show protocol messages
-state        - Print the SSL states
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-trusted_first - Use trusted CA's first when building the trust chain
-nocert       - Don't use any certificates (Anon-DH)
-cipher arg   - play with 'openssl ciphers' to see what goes here
-serverpref   - Use server's cipher preferences
-quiet        - No server output
-no_tmp_rsa   - Do not generate a tmp RSA key
-psk_hint arg - PSK identity hint to use
-psk arg      - PSK in hex (without 0x)
-ssl2         - Just talk SSLv2
-ssl3         - Just talk SSLv3
-tls1_2       - Just talk TLSv1.2
-tls1_1       - Just talk TLSv1.1
-tls1         - Just talk TLSv1
-dtls1        - Just talk DTLSv1
-timeout      - Enable timeouts
-mtu          - Set link layer MTU
-chain        - Read a certificate chain
-no_ssl2      - Just disable SSLv2
-no_ssl3      - Just disable SSLv3
-no_tls1      - Just disable TLSv1
-no_tls1_1    - Just disable TLSv1.1
-no_tls1_2    - Just disable TLSv1.2
-no_dhe       - Disable ephemeral DH
-no_ecdhe     - Disable ephemeral ECDH
-bugs         - Turn on SSL bug compatibility
-www          - Respond to a 'GET /' with a status page
-WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
-HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
with the assumption it contains a complete HTTP response.
-engine id    - Initialise and use the specified engine
-id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'
-rand file:file:...
-servername host - servername for HostName TLS extension
-servername_fatal - on mismatch send fatal alert (default warning alert)
-cert2 arg    - certificate file to use for servername
(default is server2.pem)
-key2 arg     - Private Key file to use for servername, in cert file if
not specified (default is server2.pem)
-tlsextdebug  - hex dump of all TLS extensions received
-no_ticket    - disable use of RFC4507bis session tickets
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list
-keymatexport label   - Export keying material using label
-keymatexportlen len  - Export len bytes of keying material (default 20)

三、实例

1、启动s_server服务（站点证书及私钥，证书链，协议版本，算法组合）

openssl s_server -accept 2009 -key serverprikey.pem -cert server.pem -ssl3 -cipher EXP-KRB5-RC4-MD5 -chain -debug -msg

参考：http://blog.csdn.net/as3luyuan123/article/details/16850727
http://www.tuicool.com/articles/6ny6Fv