1 files changed, 80 insertions, 14 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 90ff100111..1cf58eb6c5 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.109 2019/07/09 11:19:05 inoguchi Exp $
+.\" $OpenBSD: openssl.1,v 1.110 2019/07/11 10:31:48 inoguchi Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: July 9 2019 $
+.Dd $Mdocdate: July 11 2019 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -3605,10 +3605,12 @@ Verify the input data and output the recovered data.
 .nr nS 1
 .Nm "openssl s_client"
 .Op Fl 4 | 6
+.Op Fl alpn Ar protocols
 .Op Fl bugs
 .Op Fl CAfile Ar file
 .Op Fl CApath Ar directory
 .Op Fl cert Ar file
+.Op Fl certform Cm der | pem
 .Op Fl check_ss_sig
 .Op Fl cipher Ar cipherlist
 .Op Fl connect Ar host Ns Op : Ns Ar port
@@ -3616,36 +3618,53 @@ Verify the input data and output the recovered data.
 .Op Fl crl_check_all
 .Op Fl crlf
 .Op Fl debug
+.Op Fl dtls1
 .Op Fl extended_crl
 .Op Fl groups
+.Op Fl host Ar host
 .Op Fl ign_eof
 .Op Fl ignore_critical
 .Op Fl issuer_checks
 .Op Fl key Ar keyfile
+.Op Fl keyform Cm der | pem
+.Op Fl keymatexport Ar label
+.Op Fl keymatexportlen Ar len
+.Op Fl legacy_server_connect
 .Op Fl msg
+.Op Fl mtu Ar mtu
 .Op Fl nbio
 .Op Fl nbio_test
+.Op Fl no_comp
+.Op Fl no_ign_eof
+.Op Fl no_legacy_server_connect
 .Op Fl no_ticket
 .Op Fl no_tls1
 .Op Fl no_tls1_1
 .Op Fl no_tls1_2
+.Op Fl pass Ar arg
 .Op Fl pause
 .Op Fl policy_check
+.Op Fl port Ar port
 .Op Fl prexit
 .Op Fl proxy Ar host : Ns Ar port
-.Op Fl psk Ar key
-.Op Fl psk_identity Ar identity
 .Op Fl quiet
 .Op Fl reconnect
 .Op Fl servername Ar name
+.Op Fl serverpref
+.Op Fl sess_in Ar file
+.Op Fl sess_out Ar file
 .Op Fl showcerts
 .Op Fl starttls Ar protocol
 .Op Fl state
+.Op Fl status
+.Op Fl timeout
 .Op Fl tls1
 .Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tlsextdebug
+.Op Fl use_srtp Ar profiles
 .Op Fl verify Ar depth
+.Op Fl verify_return_error
 .Op Fl x509_strict
 .Op Fl xmpphost Ar host
 .nr nS 0
@@ -3674,6 +3693,11 @@ The options are as follows:
 Attempt connections using IPv4 only.
 .It Fl 6
 Attempt connections using IPv6 only.
+.It Fl alpn Ar protocols
+Enable the Application-Layer Protocol Negotiation.
+.Ar protocols
+is a comma-separated list of protocol names that the client should advertise
+support for.
 .It Fl bugs
 Enable various workarounds for buggy implementations.
 .It Fl CAfile Ar file
@@ -3694,6 +3718,10 @@ These are also used when building the client certificate chain.
 .It Fl cert Ar file
 The certificate to use, if one is requested by the server.
 The default is not to use a certificate.
+.It Fl certform Cm der | pem
+The certificate format.
+The default is
+.Cm pem .
 .It Xo
 .Fl check_ss_sig ,
 .Fl crl_check ,
@@ -3731,25 +3759,57 @@ Translate a line feed from the terminal into CR+LF,
 as required by some servers.
 .It Fl debug
 Print extensive debugging information, including a hex dump of all traffic.
+.It Fl dtls1
+Permit only DTLS1.0.
 .It Fl groups Ar ecgroups
 Specify a colon-separated list of permitted EC curve groups.
+.It Fl host Ar host
+The
+.Ar host
+to connect to.
+The default is localhost.
 .It Fl ign_eof
 Inhibit shutting down the connection when end of file is reached in the input.
 .It Fl key Ar keyfile
 The private key to use.
 If not specified, the certificate file will be used.
+.It Fl keyform Cm der | pem
+The private key format.
+The default is
+.Cm pem .
+.It Fl keymatexport Ar label
+Export keying material using label.
+.It Fl keymatexportlen Ar len
+Export len bytes of keying material (default 20).
+.It Fl legacy_server_connect , no_legacy_server_connect
+Allow or disallow initial connection to servers that don't support RI.
 .It Fl msg
 Show all protocol messages with hex dump.
+.It Fl mtu Ar mtu
+Set the link layer MTU.
 .It Fl nbio
 Turn on non-blocking I/O.
 .It Fl nbio_test
 Test non-blocking I/O.
+.It Fl no_ign_eof
+Shut down the connection when end of file is reached in the input.
+Can be used to override the implicit
+.Fl ign_eof
+after
+.Fl quiet .
 .It Fl no_tls1 | no_tls1_1 | no_tls1_2
 Disable the use of TLS1.0, 1.1, and 1.2, respectively.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
+.It Fl pass Ar arg
+The private key password source.
 .It Fl pause
 Pause 1 second between each read and write call.
+.It Fl port Ar port
+The
+.Ar port
+to connect to.
+The default is 4433.
 .It Fl prexit
 Print session information when the program exits.
 This will always attempt
@@ -3771,16 +3831,6 @@ argument is given to the proxy.
 If not specified, localhost is used as final destination.
 After that, switch the connection through the proxy to the destination
 to TLS.
-.It Fl psk Ar key
-Use the PSK key
-.Ar key
-when using a PSK cipher suite.
-The key is given as a hexadecimal number without the leading 0x,
-for example -psk 1a2b3c4d.
-.It Fl psk_identity Ar identity
-Use the PSK
-.Ar identity
-when using a PSK cipher suite.
 .It Fl quiet
 Inhibit printing of session and certificate information.
 This implicitly turns on
@@ -3796,6 +3846,13 @@ message, using the specified server
 .It Fl showcerts
 Display the whole server certificate chain: normally only the server
 certificate itself is displayed.
+.It Fl serverpref
+Use the server's cipher preferences.
+.It Fl sess_in Ar file
+Load TLS session from file.
+The client will attempt to resume a connection from this session.
+.It Fl sess_out Ar file
+Output TLS session to file.
 .It Fl starttls Ar protocol
 Send the protocol-specific messages to switch to TLS for communication.
 .Ar protocol
@@ -3809,10 +3866,17 @@ and
 .Qq xmpp .
 .It Fl state
 Print the SSL session states.
+.It Fl status
+Send a certificate status request to the server (OCSP stapling).
+The server response (if any) is printed out.
+.It Fl timeout
+Enable send/receive timeout on DTLS connections.
 .It Fl tls1 | tls1_1 | tls1_2
 Permit only TLS1.0, 1.1, or 1.2, respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
+.It Fl use_srtp Ar profiles
+Offer SRTP key management with a colon-separated profile list.
 .It Fl verify Ar depth
 Turn on server certificate verification,
 with a maximum length of
@@ -3821,6 +3885,8 @@ Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen.
 As a side effect the connection will never fail due to a server
 certificate verify failure.
+.It Fl verify_return_error
+Return verification error.
 .It Fl xmpphost Ar hostname
 When used with
 .Fl starttls Ar xmpp ,

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 90ff100111..1cf58eb6c5 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.109 2019/07/09 11:19:05 inoguchi Exp $	1	.\" $OpenBSD: openssl.1,v 1.110 2019/07/11 10:31:48 inoguchi Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: July 9 2019 $	113	.Dd $Mdocdate: July 11 2019 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -3605,10 +3605,12 @@ Verify the input data and output the recovered data.
3605	.nr nS 1	3605	.nr nS 1
3606	.Nm "openssl s_client"	3606	.Nm "openssl s_client"
3607	.Op Fl 4 \| 6	3607	.Op Fl 4 \| 6
		3608	.Op Fl alpn Ar protocols
3608	.Op Fl bugs	3609	.Op Fl bugs
3609	.Op Fl CAfile Ar file	3610	.Op Fl CAfile Ar file
3610	.Op Fl CApath Ar directory	3611	.Op Fl CApath Ar directory
3611	.Op Fl cert Ar file	3612	.Op Fl cert Ar file
		3613	.Op Fl certform Cm der \| pem
3612	.Op Fl check_ss_sig	3614	.Op Fl check_ss_sig
3613	.Op Fl cipher Ar cipherlist	3615	.Op Fl cipher Ar cipherlist
3614	.Op Fl connect Ar host Ns Op : Ns Ar port	3616	.Op Fl connect Ar host Ns Op : Ns Ar port
@@ -3616,36 +3618,53 @@ Verify the input data and output the recovered data.
3616	.Op Fl crl_check_all	3618	.Op Fl crl_check_all
3617	.Op Fl crlf	3619	.Op Fl crlf
3618	.Op Fl debug	3620	.Op Fl debug
		3621	.Op Fl dtls1
3619	.Op Fl extended_crl	3622	.Op Fl extended_crl
3620	.Op Fl groups	3623	.Op Fl groups
		3624	.Op Fl host Ar host
3621	.Op Fl ign_eof	3625	.Op Fl ign_eof
3622	.Op Fl ignore_critical	3626	.Op Fl ignore_critical
3623	.Op Fl issuer_checks	3627	.Op Fl issuer_checks
3624	.Op Fl key Ar keyfile	3628	.Op Fl key Ar keyfile
		3629	.Op Fl keyform Cm der \| pem
		3630	.Op Fl keymatexport Ar label
		3631	.Op Fl keymatexportlen Ar len
		3632	.Op Fl legacy_server_connect
3625	.Op Fl msg	3633	.Op Fl msg
		3634	.Op Fl mtu Ar mtu
3626	.Op Fl nbio	3635	.Op Fl nbio
3627	.Op Fl nbio_test	3636	.Op Fl nbio_test
		3637	.Op Fl no_comp
		3638	.Op Fl no_ign_eof
		3639	.Op Fl no_legacy_server_connect
3628	.Op Fl no_ticket	3640	.Op Fl no_ticket
3629	.Op Fl no_tls1	3641	.Op Fl no_tls1
3630	.Op Fl no_tls1_1	3642	.Op Fl no_tls1_1
3631	.Op Fl no_tls1_2	3643	.Op Fl no_tls1_2
		3644	.Op Fl pass Ar arg
3632	.Op Fl pause	3645	.Op Fl pause
3633	.Op Fl policy_check	3646	.Op Fl policy_check
		3647	.Op Fl port Ar port
3634	.Op Fl prexit	3648	.Op Fl prexit
3635	.Op Fl proxy Ar host : Ns Ar port	3649	.Op Fl proxy Ar host : Ns Ar port
3636	.Op Fl psk Ar key
3637	.Op Fl psk_identity Ar identity
3638	.Op Fl quiet	3650	.Op Fl quiet
3639	.Op Fl reconnect	3651	.Op Fl reconnect
3640	.Op Fl servername Ar name	3652	.Op Fl servername Ar name
		3653	.Op Fl serverpref
		3654	.Op Fl sess_in Ar file
		3655	.Op Fl sess_out Ar file
3641	.Op Fl showcerts	3656	.Op Fl showcerts
3642	.Op Fl starttls Ar protocol	3657	.Op Fl starttls Ar protocol
3643	.Op Fl state	3658	.Op Fl state
		3659	.Op Fl status
		3660	.Op Fl timeout
3644	.Op Fl tls1	3661	.Op Fl tls1
3645	.Op Fl tls1_1	3662	.Op Fl tls1_1
3646	.Op Fl tls1_2	3663	.Op Fl tls1_2
3647	.Op Fl tlsextdebug	3664	.Op Fl tlsextdebug
		3665	.Op Fl use_srtp Ar profiles
3648	.Op Fl verify Ar depth	3666	.Op Fl verify Ar depth
		3667	.Op Fl verify_return_error
3649	.Op Fl x509_strict	3668	.Op Fl x509_strict
3650	.Op Fl xmpphost Ar host	3669	.Op Fl xmpphost Ar host
3651	.nr nS 0	3670	.nr nS 0
@@ -3674,6 +3693,11 @@ The options are as follows:
3674	Attempt connections using IPv4 only.	3693	Attempt connections using IPv4 only.
3675	.It Fl 6	3694	.It Fl 6
3676	Attempt connections using IPv6 only.	3695	Attempt connections using IPv6 only.
		3696	.It Fl alpn Ar protocols
		3697	Enable the Application-Layer Protocol Negotiation.
		3698	.Ar protocols
		3699	is a comma-separated list of protocol names that the client should advertise
		3700	support for.
3677	.It Fl bugs	3701	.It Fl bugs
3678	Enable various workarounds for buggy implementations.	3702	Enable various workarounds for buggy implementations.
3679	.It Fl CAfile Ar file	3703	.It Fl CAfile Ar file
@@ -3694,6 +3718,10 @@ These are also used when building the client certificate chain.
3694	.It Fl cert Ar file	3718	.It Fl cert Ar file
3695	The certificate to use, if one is requested by the server.	3719	The certificate to use, if one is requested by the server.
3696	The default is not to use a certificate.	3720	The default is not to use a certificate.
		3721	.It Fl certform Cm der \| pem
		3722	The certificate format.
		3723	The default is
		3724	.Cm pem .
3697	.It Xo	3725	.It Xo
3698	.Fl check_ss_sig ,	3726	.Fl check_ss_sig ,
3699	.Fl crl_check ,	3727	.Fl crl_check ,
@@ -3731,25 +3759,57 @@ Translate a line feed from the terminal into CR+LF,
3731	as required by some servers.	3759	as required by some servers.
3732	.It Fl debug	3760	.It Fl debug
3733	Print extensive debugging information, including a hex dump of all traffic.	3761	Print extensive debugging information, including a hex dump of all traffic.
		3762	.It Fl dtls1
		3763	Permit only DTLS1.0.
3734	.It Fl groups Ar ecgroups	3764	.It Fl groups Ar ecgroups
3735	Specify a colon-separated list of permitted EC curve groups.	3765	Specify a colon-separated list of permitted EC curve groups.
		3766	.It Fl host Ar host
		3767	The
		3768	.Ar host
		3769	to connect to.
		3770	The default is localhost.
3736	.It Fl ign_eof	3771	.It Fl ign_eof
3737	Inhibit shutting down the connection when end of file is reached in the input.	3772	Inhibit shutting down the connection when end of file is reached in the input.
3738	.It Fl key Ar keyfile	3773	.It Fl key Ar keyfile
3739	The private key to use.	3774	The private key to use.
3740	If not specified, the certificate file will be used.	3775	If not specified, the certificate file will be used.
		3776	.It Fl keyform Cm der \| pem
		3777	The private key format.
		3778	The default is
		3779	.Cm pem .
		3780	.It Fl keymatexport Ar label
		3781	Export keying material using label.
		3782	.It Fl keymatexportlen Ar len
		3783	Export len bytes of keying material (default 20).
		3784	.It Fl legacy_server_connect , no_legacy_server_connect
		3785	Allow or disallow initial connection to servers that don't support RI.
3741	.It Fl msg	3786	.It Fl msg
3742	Show all protocol messages with hex dump.	3787	Show all protocol messages with hex dump.
		3788	.It Fl mtu Ar mtu
		3789	Set the link layer MTU.
3743	.It Fl nbio	3790	.It Fl nbio
3744	Turn on non-blocking I/O.	3791	Turn on non-blocking I/O.
3745	.It Fl nbio_test	3792	.It Fl nbio_test
3746	Test non-blocking I/O.	3793	Test non-blocking I/O.
		3794	.It Fl no_ign_eof
		3795	Shut down the connection when end of file is reached in the input.
		3796	Can be used to override the implicit
		3797	.Fl ign_eof
		3798	after
		3799	.Fl quiet .
3747	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2	3800	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2
3748	Disable the use of TLS1.0, 1.1, and 1.2, respectively.	3801	Disable the use of TLS1.0, 1.1, and 1.2, respectively.
3749	.It Fl no_ticket	3802	.It Fl no_ticket
3750	Disable RFC 4507 session ticket support.	3803	Disable RFC 4507 session ticket support.
		3804	.It Fl pass Ar arg
		3805	The private key password source.
3751	.It Fl pause	3806	.It Fl pause
3752	Pause 1 second between each read and write call.	3807	Pause 1 second between each read and write call.
		3808	.It Fl port Ar port
		3809	The
		3810	.Ar port
		3811	to connect to.
		3812	The default is 4433.
3753	.It Fl prexit	3813	.It Fl prexit
3754	Print session information when the program exits.	3814	Print session information when the program exits.
3755	This will always attempt	3815	This will always attempt
@@ -3771,16 +3831,6 @@ argument is given to the proxy.
3771	If not specified, localhost is used as final destination.	3831	If not specified, localhost is used as final destination.
3772	After that, switch the connection through the proxy to the destination	3832	After that, switch the connection through the proxy to the destination
3773	to TLS.	3833	to TLS.
3774	.It Fl psk Ar key
3775	Use the PSK key
3776	.Ar key
3777	when using a PSK cipher suite.
3778	The key is given as a hexadecimal number without the leading 0x,
3779	for example -psk 1a2b3c4d.
3780	.It Fl psk_identity Ar identity
3781	Use the PSK
3782	.Ar identity
3783	when using a PSK cipher suite.
3784	.It Fl quiet	3834	.It Fl quiet
3785	Inhibit printing of session and certificate information.	3835	Inhibit printing of session and certificate information.
3786	This implicitly turns on	3836	This implicitly turns on
@@ -3796,6 +3846,13 @@ message, using the specified server
3796	.It Fl showcerts	3846	.It Fl showcerts
3797	Display the whole server certificate chain: normally only the server	3847	Display the whole server certificate chain: normally only the server
3798	certificate itself is displayed.	3848	certificate itself is displayed.
		3849	.It Fl serverpref
		3850	Use the server's cipher preferences.
		3851	.It Fl sess_in Ar file
		3852	Load TLS session from file.
		3853	The client will attempt to resume a connection from this session.
		3854	.It Fl sess_out Ar file
		3855	Output TLS session to file.
3799	.It Fl starttls Ar protocol	3856	.It Fl starttls Ar protocol
3800	Send the protocol-specific messages to switch to TLS for communication.	3857	Send the protocol-specific messages to switch to TLS for communication.
3801	.Ar protocol	3858	.Ar protocol
@@ -3809,10 +3866,17 @@ and
3809	.Qq xmpp .	3866	.Qq xmpp .
3810	.It Fl state	3867	.It Fl state
3811	Print the SSL session states.	3868	Print the SSL session states.
		3869	.It Fl status
		3870	Send a certificate status request to the server (OCSP stapling).
		3871	The server response (if any) is printed out.
		3872	.It Fl timeout
		3873	Enable send/receive timeout on DTLS connections.
3812	.It Fl tls1 \| tls1_1 \| tls1_2	3874	.It Fl tls1 \| tls1_1 \| tls1_2
3813	Permit only TLS1.0, 1.1, or 1.2, respectively.	3875	Permit only TLS1.0, 1.1, or 1.2, respectively.
3814	.It Fl tlsextdebug	3876	.It Fl tlsextdebug
3815	Print a hex dump of any TLS extensions received from the server.	3877	Print a hex dump of any TLS extensions received from the server.
		3878	.It Fl use_srtp Ar profiles
		3879	Offer SRTP key management with a colon-separated profile list.
3816	.It Fl verify Ar depth	3880	.It Fl verify Ar depth
3817	Turn on server certificate verification,	3881	Turn on server certificate verification,
3818	with a maximum length of	3882	with a maximum length of
@@ -3821,6 +3885,8 @@ Currently the verify operation continues after errors so all the problems
3821	with a certificate chain can be seen.	3885	with a certificate chain can be seen.
3822	As a side effect the connection will never fail due to a server	3886	As a side effect the connection will never fail due to a server
3823	certificate verify failure.	3887	certificate verify failure.
		3888	.It Fl verify_return_error
		3889	Return verification error.
3824	.It Fl xmpphost Ar hostname	3890	.It Fl xmpphost Ar hostname
3825	When used with	3891	When used with
3826	.Fl starttls Ar xmpp ,	3892	.Fl starttls Ar xmpp ,