s_server - SSL/TLS server program
gmssl s_server [-help] [-port port] [-accept val] [-naccept count] [-unix val] [-unlink] [-4] [-6] [-context id] [-verify depth] [-Verify depth] [-crl_check] [-crl_check_all] [-cert filename] [-certform DER|PEM] [-key keyfile] [-keyform DER|PEM] [-pass arg] [-dcert filename] [-dcertform DER|PEM] [-dkey keyfile] [-dkeyform DER|PEM] [-dpass arg] [-dhparam filename] [-nbio] [-nbio_test] [-crlf] [-debug] [-msg] [-state] [-CApath directory] [-CAfile filename] [-no-CAfile] [-no-CApath] [-attime timestamp] [-check_ss_sig] [-explicit_policy] [-extended_crl] [-ignore_critical] [-inhibit_any] [-inhibit_map] [-no_check_time] [-partial_chain] [-policy arg] [-policy_check] [-policy_print] [-purpose purpose] [-suiteB_128] [-suiteB_128_only] [-suiteB_192] [-trusted_first] [-no_alt_chains] [-use_deltas] [-auth_level num] [-verify_depth num] [-verify_return_error] [-verify_email email] [-verify_hostname hostname] [-verify_ip ip] [-verify_name name] [-x509_strict] [-nocert] [-cipher cipherlist] [-serverpref] [-quiet] [-ssl3] [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-dtls] [-dtls1] [-dtls1_2] [-listen] [-async] [-split_send_frag] [-max_pipelines] [-read_buf] [-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_dhe] [-bugs] [-comp] [-no_comp] [-brief] [-www] [-WWW] [-HTTP] [-engine id] [-tlsextdebug] [-no_ticket] [-id_prefix arg] [-rand file(s)] [-serverinfo file] [-no_resumption_on_reneg] [-status] [-status_verbose] [-status_timeout nsec] [-status_url url] [-alpn protocols] [-nextprotoneg protocols]
The s_server command implements a generic SSL/TLS server which listens for connections on a given port using SSL/TLS.
s_server命令实现一个通用SSL / TLS服务器,它使用SSL / TLS监听给定端口上的连接。
In addition to the options below the s_server utility also supports the common and server only options documented in the in the "Supported Command Line Commands" section of the SSL_CONF_cmd(3) manual page.
除了以下选项之外,s_server实用程序还支持SSL_CONF_cmd(3)手册页的“支持的 命令行命令”部分中记录的通用和仅服务器选项。
Print out a usage message.
打印使用信息。
The TCP port to listen on for connections. If not specified 4433 is used.
TCP端口监听连接。 如果未指定4433。
The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
可选的TCP主机和端口监听连接。 如果未指定,则使用*:4433。
The server will exit after receiving number connections, default unlimited.
收到number后,服务器将退出,默认为无限制。
Unix domain socket to accept on.
Unix域套接字接受。
For -unix, unlink existing socket first.
对于-unix,首先取消链接现有套接字。
Use IPv4 only.
只用IPv4
Use IPv6 only.
只用IPv6
Sets the SSL context id. It can be given any string value. If this option is not present a default value will be used.
设置SSL上下文id。 可以给出任何字符串值。 如果此选项不存在,将使用默认值。
The certificate to use, most servers cipher suites require the use of a certificate and some require a certificate with a certain public key type: for example the DSS cipher suites require a certificate containing a DSS (DSA) key. If not specified then the filename "server.pem" will be used.
要使用的证书,大多数服务器密码套件需要使用证书,有些需要具有某种公钥类型的证书:例如,DSS密码套件需要包含DSS(DSA)密钥的证书。 如果未指定,则将使用文件名“server.pem”。
The certificate format to use: DER or PEM. PEM is the default.
使用的证书格式:DER或PEM。 PEM是默认值。
The private key to use. If not specified then the certificate file will be used.
使用私钥。 如果未指定,则将使用证书文件。
The private format to use: DER or PEM. PEM is the default.
要使用的私有格式:DER或PEM。 PEM是默认值。
The private key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in gmssl(1).
私钥密码源。 有关arg格式的更多信息,请参阅gmssl(1)中的PASS PHRASE ARGUMENTS部分。
Specify an additional certificate and private key, these behave in the same manner as the -cert and -key options except there is no default if they are not specified (no additional certificate and key is used). As noted above some cipher suites require a certificate containing a key of a certain type. Some cipher suites need a certificate carrying an RSA key and some a DSS (DSA) key. By using RSA and DSS certificates and keys a server can support clients which only support RSA or DSS cipher suites by using an appropriate certificate.
指定一个额外的证书和私钥,它们的行为方式与-cert和-key选项相同,除非没有指定默认值(不使用其他证书和密钥)。 如上所述,一些密码套件需要包含特定类型的密钥的证书。 一些密码套件需要携带RSA密钥的证书和一些DSS密钥。 通过使用RSA和DSS证书和密钥,服务器可以通过使用适当的证书来支持只支持RSA或DSS密码套件的客户端。
Additional certificate and private key format and passphrase respectively.
分别附加证书和私钥格式和密码。
If this option is set then no certificate is used. This restricts the cipher suites available to the anonymous ones (currently just anonymous DH).
如果设置了此选项,则不会使用任何证书。 这限制了匿名的密码套件(目前只是匿名的DH)。
The DH parameter file to use. The ephemeral DH cipher suites generate keys using a set of DH parameters. If not specified then an attempt is made to load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into the s_server program will be used.
要使用的DH参数文件。 短时DH密码套件使用一组DH参数生成密钥。 如果未指定,则尝试从服务器证书文件加载参数。 如果失败,则将使用硬编码到s_server程序中的一组静态参数。
If this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites.
如果设置了此选项,则不会有效地加载DH参数,禁用临时DH密码套件。
Check the peer certificate has not been revoked by its CA. The CRL(s) are appended to the certificate file. With the -crl_check_all option all CRLs of all CAs in the chain are checked.
检查对等证书尚未被其CA撤销。 证书文件附加CRL。 使用-crl_check_all选项,将检查链中所有CA的所有CRL。
The directory to use for client certificate verification. This directory must be in "hash format", see verify for more information. These are also used when building the server certificate chain.
用于客户端证书验证的目录。 此目录必须为“哈希格式”,请参阅验证更多信息。 这些也在构建服务器证书链时使用
A file containing trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested.
包含在客户端身份验证期间使用并在尝试构建服务器证书链时使用的可信证书的文件。 该列表也用于在请求证书时传递给客户端的可接受的客户端CA列表。
Do not load the trusted CA certificates from the default file location
不要从默认文件位置加载受信任的CA证书
Do not load the trusted CA certificates from the default directory location
不要从默认目录位置加载受信任的CA证书
The verify depth to use. This specifies the maximum length of the client certificate chain and makes the server request a certificate from the client. With the -verify option a certificate is requested but the client does not have to send one, with the -Verify option the client must supply a certificate or an error occurs.
If the ciphersuite cannot request a client certificate (for example an anonymous ciphersuite or PSK) this option has no effect.
验证使用深度。 这指定客户端证书链的最大长度,并使服务器从客户端请求证书。 使用-verify选项,请求证书,但客户端不必发送一个,使用-Verify选项,客户端必须提供证书或发生错误。
如果密码不能请求客户端证书(例如匿名密码套件或PSK),则此选项不起作用。
Set different peer certificate verification options. See the verify(1) manual page for details.
设置不同的对等证书验证选项。 有关详细信息,请参阅verify(1)手册页。
Verification errors normally just print a message but allow the connection to continue, for debugging purposes. If this option is used, then verification errors close the connection.
验证错误通常只是打印一条消息,但允许连接继续进行调试。 如果使用此选项,则验证错误会关闭连接。
Prints the SSL session states.
打印SSL会话状态。
Print extensive debugging information including a hex dump of all traffic.
打印广泛的调试信息,包括所有流量的十六进制转储。
Show all protocol messages with hex dump.
使用十六进制转储显示所有协议消息。
Show verbose trace output of protocol messages. GmSSL needs to be compiled with enable-ssl-trace for this option to work.
显示协议消息的详细跟踪输出。 需要使用enable-ssl-trace编译GmSSL才能使此选项生效。
File to send output of -msg or -trace to, default standard output.
文件将-msg或-trace的输出发送到,默认标准输出。
Tests non blocking I/O
测试非阻塞I / O
Turns on non blocking I/O
打开非阻塞I / O
This option translated a line feed from the terminal into CR+LF.
此选项将换行符从终端转换为CR + LF。
Inhibit printing of session and certificate information.
禁止打印会话和证书信息。
Use the PSK identity hint hint when using a PSK cipher suite.
使用PSK密码套件时,请使用PSK身份提示提示。
Use the PSK key key when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d.
使用PSK密码套件时,请使用PSK密钥。 密钥以十六进制数字的形式给出,不带前缀0x,例如-psk 1a2b3c4d。
These options require or disable the use of the specified SSL or TLS protocols. By default s_server will negotiate the highest mutually supported protocol version. When a specific TLS version is required, only that version will be accepted from the client.
这些选项需要或禁止使用指定的SSL或TLS协议。 默认情况下,s_server将协商最高相互支持的协议版本。 当需要特定的TLS版本时,只有客户端才接受该版本。
These options make s_server use DTLS protocols instead of TLS. With -dtls, s_server will negotiate any supported DTLS protocol version, whilst -dtls1 and -dtls1_2 will only support DTLSv1.0 and DTLSv1.2 respectively.
这些选项使s_server使用DTLS协议而不是TLS。 使用-dtls,s_server将协商任何支持的DTLS协议版本,而-dtls1和-dtls1_2将分别仅支持DTLSv1.0和DTLSv1.2。
This option can only be used in conjunction with one of the DTLS options above. With this option s_server will listen on a UDP port for incoming connections. Any ClientHellos that arrive will be checked to see if they have a cookie in them or not. Any without a cookie will be responded to with a HelloVerifyRequest. If a ClientHello with a cookie is received then s_server will connect to that peer and complete the handshake.
此选项只能与上述DTLS选项结合使用。 使用此选项,s_server将在UDP端口上侦听传入连接。 任何到达的ClientHellos将被检查,看看他们是否有cookie。 任何没有cookie的人都会通过一个HelloVerifyRequest进行回复。 如果接收到具有cookie的ClientHello,则s_server将连接到该对等体并完成握手。
Switch on asynchronous mode. Cryptographic operations will be performed asynchronously. This will only have an effect if an asynchronous capable engine is also used via the -engine option. For test purposes the dummy async engine (dasync) can be used (if available).
打开异步模式。 加密操作将被异步执行。 只有通过-engine选项也可以使用异步的引擎,这只会产生影响。 为了测试目的,可以使用虚拟异步引擎(dasync)(如果可用)。
The size used to split data for encrypt pipelines. If more data is written in one go than this value then it will be split into multiple pipelines, up to the maximum number of pipelines defined by max_pipelines. This only has an effect if a suitable ciphersuite has been negotiated, an engine that supports pipelining has been loaded, and max_pipelines is greater than 1. See SSL_CTX_set_split_send_fragment(3) for further information.
用于分割加密管道数据的大小。 如果一次写入的数据多于此值,那么它将被分割成多个管道,直到max_pipelines定义的最大管道数。 如果已经协商了合适的密码套件,则支持流水线的引擎已被加载,并且max_pipelines大于1.请参阅SSL_CTX_set_split_send_fragment(3)以获取更多信息。
The maximum number of encrypt/decrypt pipelines to be used. This will only have an effect if an engine has been loaded that supports pipelining (e.g. the dasync engine) and a suitable ciphersuite has been negotiated. The default value is 1. See SSL_CTX_set_max_pipelines(3) for further information.
要使用的加密/解密管道的最大数量。 如果已经加载支持流水线的引擎(例如,dasync引擎)并且已经协商了合适的密码套件,则这将仅起作用。 默认值为1.有关更多信息,请参阅SSL_CTX_set_max_pipelines(3)。
The default read buffer size to be used for connections. This will only have an effect if the buffer size is larger than the size that would otherwise be used and pipelining is in use (see SSL_CTX_set_default_read_buffer_len(3) for further information).
用于连接的默认读缓冲区大小。 如果缓冲区大小大于使用的流水线大小(如果需要进一步的信息,请参阅SSL_CTX_set_default_read_buffer_len(3)),这只会产生影响。
There are several known bug in SSL and TLS implementations. Adding this option enables various workarounds.
SSL和TLS实现中有几个已知的错误。 添加此选项可以启用各种解决方法。
Enable negotiation of TLS compression. This option was introduced in GmSSL 1.1.0. TLS compression is not recommended and is off by default as of GmSSL 1.1.0.
启用TLS压缩协商。 此选项在GmSSL 1.1.0中引入。 不推荐使用TLS压缩,默认情况下,GmSSL 1.1.0关闭。
Disable negotiation of TLS compression. TLS compression is not recommended and is off by default as of GmSSL 1.1.0.
禁用TLS压缩协商。 不推荐使用TLS压缩,默认情况下,GmSSL 1.1.0关闭。
Provide a brief summary of connection parameters instead of the normal verbose output.
提供连接参数的简要摘要,而不是正常的详细输出。
This allows the cipher list used by the server to be modified. When the client sends a list of supported ciphers the first client cipher also included in the server list is used. Because the client specifies the preference order, the order of the server cipherlist irrelevant. See the ciphers command for more information.
这样可以修改服务器使用的密码列表。 当客户端发送支持的密码列表时,也使用包含在服务器列表中的第一个客户端密码。 因为客户端指定了优先级顺序,所以服务器密码列表的顺序不相关。 有关详细信息,请参阅ciphers命令。
Use the server's cipher preferences, rather than the client's preferences.
使用服务器的密码首选项,而不是客户端的首选项。
Print a hex dump of any TLS extensions received from the server.
打印从服务器接收的任何TLS扩展的十六进制转储。
Disable RFC4507bis session ticket support.
禁用RFC4507bis会话票证支持。
Sends a status message back to the client when it connects. This includes information about the ciphers used and various session parameters. The output is in HTML format so this option will normally be used with a web browser.
当连接时,向客户端发送状态消息。 这包括有关使用的密码和各种会话参数的信息。 输出是HTML格式,因此这个选项通常与网络浏览器一起使用。
Emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded.
模拟一个简单的Web服务器。 页面将相对于当前目录进行解析,例如,如果URL https://myhost/page.html被请求,将加载./page.html文件。
Emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded. The files loaded are assumed to contain a complete and correct HTTP response (lines that are part of the HTTP response line and headers must end with CRLF).
模拟一个简单的Web服务器。 页面将相对于当前目录进行解析,例如,如果URL https://myhost/page.html被请求,将加载./page.html文件。 假设加载的文件包含完整且正确的HTTP响应(作为HTTP响应行的一部分的行,头必须以CRLF结尾)。
Simple test server which just reverses the text received from the client and sends it back to the server. Also sets -brief.
简单的测试服务器,只是反转从客户端收到的文本并将其发送回服务器。 还设置-brief。
Specifying an engine (by its unique id string) will cause s_server to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
指定引擎(通过其唯一的id字符串)将导致s_server尝试获取对指定引擎的功能引用,从而在需要时对其进行初始化。 然后,引擎将被设置为所有可用算法的默认值。
Generate SSL/TLS session IDs prefixed by arg. This is mostly useful for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple servers, when each of which might be generating a unique range of session IDs (eg. with a certain prefix).
生成以arg为前缀的SSL / TLS会话ID。 这主要用于测试希望处理多个服务器的任何SSL / TLS代码(例如代理),当每个服务器可能会生成唯一的会话ID范围(例如,具有特定前缀)时。
A file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by an OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others.
包含用于种子随机数生成器或EGD套接字的随机数据的文件或文件(参见RAND_egd(3))。 多个文件可以由与操作系统相关的字符分隔。 分离器是 对于MS-Windows,对于OpenVMS,以及:对于所有其他。
A file containing one or more blocks of PEM data. Each PEM block must encode a TLS ServerHello extension (2 bytes type, 2 bytes length, followed by "length" bytes of extension data). If the client sends an empty TLS ClientHello extension matching the type, the corresponding ServerHello extension will be returned.
包含一个或多个PEM数据块的文件。 每个PEM块必须编码TLS ServerHello扩展(2字节类型,2字节长度,后跟扩展数据的“长度”字节)。 如果客户端发送与该类型相匹配的空TLS ClientHello扩展名,则将返回相应的ServerHello扩展名。
Set the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION option.
设置SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION选项。
Enables certificate status request support (aka OCSP stapling).
启用证书状态请求支持(也称为OCSP装订)。
Enables certificate status request support (aka OCSP stapling) and gives a verbose printout of the OCSP response.
启用证书状态请求支持(也称为OCSP装订),并给出OCSP响应的详细打印输出。
Sets the timeout for OCSP response to nsec seconds.
将OCSP响应的超时设置为nsec秒。
Sets a fallback responder URL to use if no responder URL is present in the server certificate. Without this option an error is returned if the server certificate does not contain a responder address.
如果服务器证书中没有响应者URL,则设置要使用的回退应答器URL。 没有此选项,如果服务器证书不包含响应者地址,则会返回错误。
these flags enable the Enable the Application-Layer Protocol Negotiation or Next Protocol Negotiation extension, respectively. ALPN is the IETF standard and replaces NPN. The protocols list is a comma-separated list of supported protocol names. The list should contain most wanted protocols first. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3".
这些标志分别启用启用应用层协议协商协议或下一协议协议扩展。 ALPN是IETF标准,替代NPN。 协议列表是支持的协议名称的逗号分隔列表。 该列表应该包含最需要的协议。 协议名称是可打印的ASCII字符串,例如“http / 1.1”或“spdy / 3”。
If a connection request is established with an SSL client and neither the -www nor the -WWW option has been used then normally any data received from the client is displayed and any key presses will be sent to the client.
Certain single letter commands are also recognized which perform special operations: these are listed below.
end the current SSL connection but still accept new connections.
end the current SSL connection and exit.
renegotiate the SSL session.
renegotiate the SSL session and request a client certificate.
send some plain text down the underlying TCP connection: this should cause the client to disconnect due to a protocol violation.
print out some session cache status information.
s_server can be used to debug SSL clients. To accept connections from a web browser the command:
gmssl s_server -accept 443 -www
can be used for example.
Most web browsers (in particular Netscape and MSIE) only support RSA cipher suites, so they cannot connect to servers which don't use a certificate carrying an RSA key or a version of GmSSL with RSA disabled.
Although specifying an empty list of CAs when requesting a client certificate is strictly speaking a protocol violation, some SSL clients interpret this to mean any CA is acceptable. This is useful for debugging purposes.
The session parameters can printed out using the sess_id program.
Because this program has a lot of options and also because some of the techniques used are rather old, the C source of s_server is rather hard to read and not a model of how things should be done. A typical SSL server program would be much simpler.
The output of common ciphers is wrong: it just gives the list of ciphers that GmSSL recognizes and the client supports.
There should be a way for the s_server program to print out details of any unknown cipher suites a client says it supports.
SSL_CONF_cmd(3), sess_id(1), s_client(1), ciphers(1)
The -no_alt_chains options was first added to GmSSL 1.1.0.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.