The openssl s_server command
2018-03-05 14:07
Use openssl s_server to stand up a test HTTPS server. Its options are listed below:
usage: s_server [args ...]
-accept arg - port to accept on (default is 4433)
-verify_hostname host - check peer certificate matches "host"
-verify_email email - check peer certificate matches "email"
-verify_ip ipaddr - check peer certificate matches "ipaddr"
-context arg - set session ID context
-verify arg - turn on peer certificate verification
-Verify arg - turn on peer certificate verification, must have a cert.
-verify_return_error - return verification errors
-cert arg - certificate file to use
(default is server.pem)
-serverinfo arg - PEM serverinfo file for certificate
-auth - send and receive RFC 5878 TLS auth extensions and supplemental data
-auth_require_reneg - Do not send TLS auth extensions until renegotiation
-no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag
-crl_check - check the peer certificate has not been revoked by its CA.
The CRL(s) are appended to the certificate file
-crl_check_all - check the peer certificate has not been revoked by its CA
or any other CRL in the CA chain. CRL(s) are appened to the
the certificate file.
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private Key file to use, in cert file if
not specified (default is server.pem)
-keyform arg - key format (PEM, DER or ENGINE) PEM default
-pass arg - private key file pass phrase source
-dcert arg - second certificate file to use (usually for DSA)
-dcertform x - second certificate format (PEM or DER) PEM default
-dkey arg - second private key file to use (usually for DSA)
-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
-dpass arg - second private key file pass phrase source
-dhparam arg - DH parameter file to use, in cert file if not specified
or a default set of parameters is used
-named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.
Use "openssl ecparam -list_curves" for all names
(default is nistp256).
-nbio - Run with non-blocking IO
-nbio_test - test with the non-blocking test bio
-crlf - convert LF from terminal into CRLF
-debug - Print more output
-msg - Show protocol messages
-state - Print the SSL states
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-trusted_first - Use trusted CA's first when building the trust chain
-no_alt_chains - only ever use the first certificate chain found
-nocert - Don't use any certificates (Anon-DH)
-cipher arg - play with 'openssl ciphers' to see what goes here
-serverpref - Use server's cipher preferences
-quiet - No server output
-no_tmp_rsa - Do not generate a tmp RSA key
-krb5svc arg - Kerberos service name
-keytab arg - Kerberos keytab filename
-psk_hint arg - PSK identity hint to use
-psk arg - PSK in hex (without 0x)
-ssl3 - Just talk SSLv3
-tls1_2 - Just talk TLSv1.2
-tls1_1 - Just talk TLSv1.1
-tls1 - Just talk TLSv1
-dtls1 - Just talk DTLSv1
-dtls1_2 - Just talk DTLSv1.2
-timeout - Enable timeouts
-mtu - Set link layer MTU
-chain - Read a certificate chain
-no_ssl2 - No-op, SSLv2 is always disabled
-no_ssl3 - Just disable SSLv3
-no_tls1 - Just disable TLSv1
-no_tls1_1 - Just disable TLSv1.1
-no_tls1_2 - Just disable TLSv1.2
-no_dhe - Disable ephemeral DH
-no_ecdhe - Disable ephemeral ECDH
-bugs - Turn on SSL bug compatibility
-hack - workaround for early Netscape code
-www - Respond to a 'GET /' with a status page
-WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
-HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
with the assumption it contains a complete HTTP response.
-engine id - Initialise and use the specified engine
-id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'
-rand file:file:...
-servername host - servername for HostName TLS extension
-servername_fatal - on mismatch send fatal alert (default warning alert)
-cert2 arg - certificate file to use for servername
(default is server2.pem)
-key2 arg - Private Key file to use for servername, in cert file if
not specified (default is server2.pem)
-tlsextdebug - hex dump of all TLS extensions received
-no_ticket - disable use of RFC4507bis session tickets
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-sigalgs arg - Signature algorithms to support (colon-separated list)
-client_sigalgs arg - Signature algorithms to support for client
certificate authentication (colon-separated list)
-nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list
-alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)
-keymatexport label - Export keying material using label
-keymatexportlen len - Export len bytes of keying material (default 20)
-status - respond to certificate status requests
-status_verbose - enable status request verbose printout
-status_timeout n - status request responder timeout
-status_url URL - status request fallback URL
Option notes:
-accept arg - the port to listen on, default 4433
-key arg - the private key
-cert arg - the issued certificate (issued from a CSR)
Simple example
Note: the certificates used are a root certificate and self-signed certificates;
--------------------------------------
1 One-way authentication
Server:
openssl s_server -key server.key -cert server.crt
Client:
[root@localhost ~]# openssl s_client -connect localhost:4433 -verify_return_error
CONNECTED(00000003)
depth=0 C = CN, ST = FJ, L = xiamen, O = yl, OU = yl1, CN = yl2
verify error:num=18:self signed certificate //<-- self-signed
---
Certificate chain
0 s:/C=CN/ST=FJ/L=xiamen/O=yl/OU=yl1/CN=yl2
i:/C=CN/ST=FJ/L=xiamen/O=yl/OU=yl1/CN=yl2
---
Server certificate
-----BEGIN CERTIFICATE-----
2 Mutual authentication
Server:
-Verify 1 requires the client to send a certificate
openssl s_server -key 1.key -cert 1.crt -CAfile ../server.crt -Verify 1
Client:
openssl s_client -connect localhost:4433 -CAfile server.crt -cert 1/1.crt -key 1/1.key -showcerts
For an explanation of the openssl s_client options, see the linked post.
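The two set-ups above are easy to run by hand but easy to misread: s_client prints the certificate chain whether or not verification succeeded, so the line to check is the "verify error:num=N" / "Verify return code: N" result, and with -Verify 1 the thing to confirm is that a client without a certificate is actually turned away. The script below is an added example, not code from the original post. It drives both scenarios (one-way, then mutual authentication) against a throwaway CA that it generates itself, playing the role of the post's self-signed server.crt that both sides pass as -CAfile; every file name, CN value and the work directory are constructed here, and port 4433 is the s_server default. The verify_code function works on s_client output alone, so it can also be used on a saved session such as the one quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the post's
# two scenarios (one-way and mutual authentication) against a throwaway CA
# generated on the fly. Every file name, CN value and the work directory
# below are constructed for this demo; port 4433 is the s_server default.

# verify_code: read `openssl s_client` output on stdin and print the
# numeric verification result. Prefers the trailing "Verify return code: N"
# summary line; falls back to the first "verify error:num=N:" line (the
# form quoted in the post); prints "unknown" when neither is present
# (for example when the handshake failed before any certificate was seen).
verify_code() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] || code=$(printf '%s\n' "$out" | sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
    [ -n "$code" ] || code=unknown
    printf '%s\n' "$code"
}

# client_run: one s_client connection to the local server. Sending a GET
# lets the -www status page answer, so the run finishes without a TTY;
# extra arguments (-CAfile, -cert, -key) are passed straight through.
client_run() {
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect localhost:4433 "$@" 2>&1
}

# run_demo: needs the openssl binary. Generates ca.crt, server.crt and
# client.crt, then drives both scenarios and prints each verification result.
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    work=$(mktemp -d) && cd "$work" || return 1
    # Throwaway CA: stands in for the self-signed server.crt that the post
    # passes as -CAfile on both sides.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout ca.key -out ca.crt 2>/dev/null
    for n in server client; do
        cn=localhost; [ "$n" = server ] || cn=demo-client
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$n.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out "$n.crt" 2>/dev/null
    done

    # Scenario 1: one-way authentication, the server only presents its cert.
    openssl s_server -accept 4433 -key server.key -cert server.crt -www -quiet &
    pid=$!; sleep 1
    echo "one-way, client without -CAfile:     $(client_run | verify_code)"
    echo "one-way, client with -CAfile ca.crt: $(client_run -CAfile ca.crt | verify_code)"
    kill "$pid"; wait "$pid" 2>/dev/null || true

    # Scenario 2: mutual authentication; -Verify 1 makes a client cert mandatory.
    openssl s_server -accept 4433 -key server.key -cert server.crt \
        -CAfile ca.crt -Verify 1 -www -quiet &
    pid=$!; sleep 1
    echo "mutual, client with client.crt:    $(client_run -CAfile ca.crt -cert client.crt -key client.key | verify_code)"
    if client_run -CAfile ca.crt | grep -q 'HTTP/1.0 200'; then
        echo "mutual, client without cert:       accepted (unexpected)"
    else
        echo "mutual, client without cert:       rejected by the server"
    fi
    kill "$pid"; wait "$pid" 2>/dev/null || true
    cd / && rm -rf "$work"
}

# Run the live demo only when asked: sh this_script.sh demo
case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh s_server_demo.sh demo`. In the first scenario the client without -CAfile cannot build a chain to the throwaway CA and reports a non-zero code, while the run with -CAfile ca.crt reports 0; in the second, the client that presents client.crt gets the status page and code 0, and the client without a certificate never receives the "HTTP/1.0 200" page because the -Verify 1 server aborts the handshake. The -www mode is used only so that each connection ends on its own; the post's interactive s_server works the same way but waits for keyboard input.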