1 files changed, 22 insertions, 91 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index d6a5ca6601..c116d84015 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.67 2016/09/02 18:43:52 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.68 2016/09/03 13:26:55 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: September 2 2016 $
+.Dd $Mdocdate: September 3 2016 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -4067,19 +4067,15 @@ with
 .Fl verify ,
 a certificate is requested but the client does not have to send one.
 .El
-.\"
-.\" S_TIME
-.\"
 .Sh S_TIME
 .nr nS 1
 .Nm "openssl s_time"
-.Bk -words
 .Op Fl bugs
 .Op Fl CAfile Ar file
 .Op Fl CApath Ar directory
 .Op Fl cert Ar file
 .Op Fl cipher Ar cipherlist
-.Op Fl connect Ar host : Ns Ar port
+.Op Fl connect Ar host Ns Op : Ns Ar port
 .Op Fl key Ar keyfile
 .Op Fl nbio
 .Op Fl new
@@ -4088,11 +4084,10 @@ a certificate is requested but the client does not have to send one.
 .Op Fl time Ar seconds
 .Op Fl verify Ar depth
 .Op Fl www Ar page
-.Ek
 .nr nS 0
 .Pp
 The
-.Nm s_client
+.Nm s_time
 command implements a generic SSL/TLS client which connects to a
 remote host using SSL/TLS.
 It can request a page from the server and includes
@@ -4105,10 +4100,11 @@ and calculates the average time spent for one connection.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl bugs
-There are several known bugs in SSL and TLS implementations.
+Enable various workarounds for buggy implementations.
-Adding this option enables various workarounds.
 .It Fl CAfile Ar file
-A file containing trusted certificates to use during server authentication
+A
+.Ar file
+containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 .It Fl CApath Ar directory
 The directory to use for server certificate verification.
@@ -4121,24 +4117,22 @@ These are also used when building the client certificate chain.
 .It Fl cert Ar file
 The certificate to use, if one is requested by the server.
 The default is not to use a certificate.
-The file is in PEM format.
 .It Fl cipher Ar cipherlist
-This allows the cipher list sent by the client to be modified.
+Modify the cipher list sent by the client.
 Although the server determines which cipher suite is used,
 it should take the first supported cipher in the list sent by the client.
 See the
 .Nm ciphers
 command for more information.
-.It Fl connect Ar host : Ns Ar port
+.It Fl connect Ar host Ns Op : Ns Ar port
-This specifies the host and optional port to connect to.
+The host and port to connect to.
 .It Fl key Ar keyfile
 The private key to use.
 If not specified, the certificate file will be used.
-The file is in PEM format.
 .It Fl nbio
-Turns on non-blocking I/O.
+Turn on non-blocking I/O.
 .It Fl new
-Performs the timing test using a new session ID for each connection.
+Perform the timing test using a new session ID for each connection.
 If neither
 .Fl new
 nor
@@ -4147,11 +4141,10 @@ are specified,
 they are both on by default and executed in sequence.
 .It Fl no_shutdown
 Shut down the connection without sending a
-.Dq close notify
+.Qq close notify
 shutdown alert to the server.
 .It Fl reuse
-Performs the timing test using the same session ID;
+Perform the timing test using the same session ID for each connection.
-this can be used as a test that session caching is working.
 If neither
 .Fl new
 nor
@@ -4159,26 +4152,21 @@ nor
 are specified,
 they are both on by default and executed in sequence.
 .It Fl time Ar seconds
-Specifies how long
+Limit
-.Pq in seconds
 .Nm s_time
-should establish connections and
+benchmarks to the number of
-optionally transfer payload data from a server.
+.Ar seconds .
 The default is 30 seconds.
-Server and client performance and the link speed
-determine how many connections
-.Nm s_time
-can establish.
 .It Fl verify Ar depth
-The verify depth to use.
+Turn on server certificate verification,
-This specifies the maximum length of the server certificate chain
+with a maximum length of
-and turns on server certificate verification.
+.Ar depth .
 Currently the verify operation continues after errors, so all the problems
 with a certificate chain can be seen.
 As a side effect,
 the connection will never fail due to a server certificate verify failure.
 .It Fl www Ar page
-This specifies the page to GET from the server.
+The page to GET from the server.
 A value of
 .Sq /
 gets the index.htm[l] page.
@@ -4187,63 +4175,6 @@ If this parameter is not specified,
 will only perform the handshake to establish SSL connections
 but not transfer any payload data.
 .El
-.Sh S_TIME NOTES
-.Nm s_client
-can be used to measure the performance of an SSL connection.
-To connect to an SSL HTTP server and get the default page the command
-.Bd -literal -offset indent
-$ openssl s_time -connect servername:443 -www / -CApath yourdir \e
-        -CAfile yourfile.pem -cipher commoncipher
-.Ed
-.Pp
-would typically be used
-.Pq HTTPS uses port 443 .
-.Dq commoncipher
-is a cipher to which both client and server can agree;
-see the
-.Nm ciphers
-command for details.
-.Pp
-If the handshake fails, there are several possible causes:
-if it is nothing obvious like no client certificate, the
-.Fl bugs
-option can be tried in case it is a buggy server.
-.Pp
-A frequent problem when attempting to get client certificates working
-is that a web client complains it has no certificates or gives an empty
-list to choose from.
-This is normally because the server is not sending
-the clients certificate authority in its
-.Qq acceptable CA list
-when it requests a certificate.
-By using
-.Nm s_client ,
-the CA list can be viewed and checked.
-However some servers only request client authentication
-after a specific URL is requested.
-To obtain the list in this case, it is necessary to use the
-.Fl prexit
-option of
-.Nm s_client
-and send an HTTP request for an appropriate page.
-.Pp
-If a certificate is specified on the command line using the
-.Fl cert
-option,
-it will not be used unless the server specifically requests
-a client certificate.
-Therefore merely including a client certificate
-on the command line is no guarantee that the certificate works.
-.Sh S_TIME BUGS
-Because this program does not have all the options of the
-.Nm s_client
-program to turn protocols on and off,
-you may not be able to measure the performance
-of all protocols with all servers.
-.Pp
-The
-.Fl verify
-option should really exit if the server verification fails.
 .\"
 .\" SESS_ID
 .\"

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index d6a5ca6601..c116d84015 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.67 2016/09/02 18:43:52 jmc Exp $	1	.\" $OpenBSD: openssl.1,v 1.68 2016/09/03 13:26:55 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: September 2 2016 $	115	.Dd $Mdocdate: September 3 2016 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -4067,19 +4067,15 @@ with
4067	.Fl verify ,	4067	.Fl verify ,
4068	a certificate is requested but the client does not have to send one.	4068	a certificate is requested but the client does not have to send one.
4069	.El	4069	.El
4070	.\"
4071	.\" S_TIME
4072	.\"
4073	.Sh S_TIME	4070	.Sh S_TIME
4074	.nr nS 1	4071	.nr nS 1
4075	.Nm "openssl s_time"	4072	.Nm "openssl s_time"
4076	.Bk -words
4077	.Op Fl bugs	4073	.Op Fl bugs
4078	.Op Fl CAfile Ar file	4074	.Op Fl CAfile Ar file
4079	.Op Fl CApath Ar directory	4075	.Op Fl CApath Ar directory
4080	.Op Fl cert Ar file	4076	.Op Fl cert Ar file
4081	.Op Fl cipher Ar cipherlist	4077	.Op Fl cipher Ar cipherlist
4082	.Op Fl connect Ar host : Ns Ar port	4078	.Op Fl connect Ar host Ns Op : Ns Ar port
4083	.Op Fl key Ar keyfile	4079	.Op Fl key Ar keyfile
4084	.Op Fl nbio	4080	.Op Fl nbio
4085	.Op Fl new	4081	.Op Fl new
@@ -4088,11 +4084,10 @@ a certificate is requested but the client does not have to send one.
4088	.Op Fl time Ar seconds	4084	.Op Fl time Ar seconds
4089	.Op Fl verify Ar depth	4085	.Op Fl verify Ar depth
4090	.Op Fl www Ar page	4086	.Op Fl www Ar page
4091	.Ek
4092	.nr nS 0	4087	.nr nS 0
4093	.Pp	4088	.Pp
4094	The	4089	The
4095	.Nm s_client	4090	.Nm s_time
4096	command implements a generic SSL/TLS client which connects to a	4091	command implements a generic SSL/TLS client which connects to a
4097	remote host using SSL/TLS.	4092	remote host using SSL/TLS.
4098	It can request a page from the server and includes	4093	It can request a page from the server and includes
@@ -4105,10 +4100,11 @@ and calculates the average time spent for one connection.
4105	The options are as follows:	4100	The options are as follows:
4106	.Bl -tag -width Ds	4101	.Bl -tag -width Ds
4107	.It Fl bugs	4102	.It Fl bugs
4108	There are several known bugs in SSL and TLS implementations.	4103	Enable various workarounds for buggy implementations.
4109	Adding this option enables various workarounds.
4110	.It Fl CAfile Ar file	4104	.It Fl CAfile Ar file
4111	A file containing trusted certificates to use during server authentication	4105	A
		4106	.Ar file
		4107	containing trusted certificates to use during server authentication
4112	and to use when attempting to build the client certificate chain.	4108	and to use when attempting to build the client certificate chain.
4113	.It Fl CApath Ar directory	4109	.It Fl CApath Ar directory
4114	The directory to use for server certificate verification.	4110	The directory to use for server certificate verification.
@@ -4121,24 +4117,22 @@ These are also used when building the client certificate chain.
4121	.It Fl cert Ar file	4117	.It Fl cert Ar file
4122	The certificate to use, if one is requested by the server.	4118	The certificate to use, if one is requested by the server.
4123	The default is not to use a certificate.	4119	The default is not to use a certificate.
4124	The file is in PEM format.
4125	.It Fl cipher Ar cipherlist	4120	.It Fl cipher Ar cipherlist
4126	This allows the cipher list sent by the client to be modified.	4121	Modify the cipher list sent by the client.
4127	Although the server determines which cipher suite is used,	4122	Although the server determines which cipher suite is used,
4128	it should take the first supported cipher in the list sent by the client.	4123	it should take the first supported cipher in the list sent by the client.
4129	See the	4124	See the
4130	.Nm ciphers	4125	.Nm ciphers
4131	command for more information.	4126	command for more information.
4132	.It Fl connect Ar host : Ns Ar port	4127	.It Fl connect Ar host Ns Op : Ns Ar port
4133	This specifies the host and optional port to connect to.	4128	The host and port to connect to.
4134	.It Fl key Ar keyfile	4129	.It Fl key Ar keyfile
4135	The private key to use.	4130	The private key to use.
4136	If not specified, the certificate file will be used.	4131	If not specified, the certificate file will be used.
4137	The file is in PEM format.
4138	.It Fl nbio	4132	.It Fl nbio
4139	Turns on non-blocking I/O.	4133	Turn on non-blocking I/O.
4140	.It Fl new	4134	.It Fl new
4141	Performs the timing test using a new session ID for each connection.	4135	Perform the timing test using a new session ID for each connection.
4142	If neither	4136	If neither
4143	.Fl new	4137	.Fl new
4144	nor	4138	nor
@@ -4147,11 +4141,10 @@ are specified,
4147	they are both on by default and executed in sequence.	4141	they are both on by default and executed in sequence.
4148	.It Fl no_shutdown	4142	.It Fl no_shutdown
4149	Shut down the connection without sending a	4143	Shut down the connection without sending a
4150	.Dq close notify	4144	.Qq close notify
4151	shutdown alert to the server.	4145	shutdown alert to the server.
4152	.It Fl reuse	4146	.It Fl reuse
4153	Performs the timing test using the same session ID;	4147	Perform the timing test using the same session ID for each connection.
4154	this can be used as a test that session caching is working.
4155	If neither	4148	If neither
4156	.Fl new	4149	.Fl new
4157	nor	4150	nor
@@ -4159,26 +4152,21 @@ nor
4159	are specified,	4152	are specified,
4160	they are both on by default and executed in sequence.	4153	they are both on by default and executed in sequence.
4161	.It Fl time Ar seconds	4154	.It Fl time Ar seconds
4162	Specifies how long	4155	Limit
4163	.Pq in seconds
4164	.Nm s_time	4156	.Nm s_time
4165	should establish connections and	4157	benchmarks to the number of
4166	optionally transfer payload data from a server.	4158	.Ar seconds .
4167	The default is 30 seconds.	4159	The default is 30 seconds.
4168	Server and client performance and the link speed
4169	determine how many connections
4170	.Nm s_time
4171	can establish.
4172	.It Fl verify Ar depth	4160	.It Fl verify Ar depth
4173	The verify depth to use.	4161	Turn on server certificate verification,
4174	This specifies the maximum length of the server certificate chain	4162	with a maximum length of
4175	and turns on server certificate verification.	4163	.Ar depth .
4176	Currently the verify operation continues after errors, so all the problems	4164	Currently the verify operation continues after errors, so all the problems
4177	with a certificate chain can be seen.	4165	with a certificate chain can be seen.
4178	As a side effect,	4166	As a side effect,
4179	the connection will never fail due to a server certificate verify failure.	4167	the connection will never fail due to a server certificate verify failure.
4180	.It Fl www Ar page	4168	.It Fl www Ar page
4181	This specifies the page to GET from the server.	4169	The page to GET from the server.
4182	A value of	4170	A value of
4183	.Sq /	4171	.Sq /
4184	gets the index.htm[l] page.	4172	gets the index.htm[l] page.
@@ -4187,63 +4175,6 @@ If this parameter is not specified,
4187	will only perform the handshake to establish SSL connections	4175	will only perform the handshake to establish SSL connections
4188	but not transfer any payload data.	4176	but not transfer any payload data.
4189	.El	4177	.El
4190	.Sh S_TIME NOTES
4191	.Nm s_client
4192	can be used to measure the performance of an SSL connection.
4193	To connect to an SSL HTTP server and get the default page the command
4194	.Bd -literal -offset indent
4195	$ openssl s_time -connect servername:443 -www / -CApath yourdir \e
4196	-CAfile yourfile.pem -cipher commoncipher
4197	.Ed
4198	.Pp
4199	would typically be used
4200	.Pq HTTPS uses port 443 .
4201	.Dq commoncipher
4202	is a cipher to which both client and server can agree;
4203	see the
4204	.Nm ciphers
4205	command for details.
4206	.Pp
4207	If the handshake fails, there are several possible causes:
4208	if it is nothing obvious like no client certificate, the
4209	.Fl bugs
4210	option can be tried in case it is a buggy server.
4211	.Pp
4212	A frequent problem when attempting to get client certificates working
4213	is that a web client complains it has no certificates or gives an empty
4214	list to choose from.
4215	This is normally because the server is not sending
4216	the clients certificate authority in its
4217	.Qq acceptable CA list
4218	when it requests a certificate.
4219	By using
4220	.Nm s_client ,
4221	the CA list can be viewed and checked.
4222	However some servers only request client authentication
4223	after a specific URL is requested.
4224	To obtain the list in this case, it is necessary to use the
4225	.Fl prexit
4226	option of
4227	.Nm s_client
4228	and send an HTTP request for an appropriate page.
4229	.Pp
4230	If a certificate is specified on the command line using the
4231	.Fl cert
4232	option,
4233	it will not be used unless the server specifically requests
4234	a client certificate.
4235	Therefore merely including a client certificate
4236	on the command line is no guarantee that the certificate works.
4237	.Sh S_TIME BUGS
4238	Because this program does not have all the options of the
4239	.Nm s_client
4240	program to turn protocols on and off,
4241	you may not be able to measure the performance
4242	of all protocols with all servers.
4243	.Pp
4244	The
4245	.Fl verify
4246	option should really exit if the server verification fails.
4247	.\"	4178	.\"
4248	.\" SESS_ID	4179	.\" SESS_ID
4249	.\"	4180	.\"