Openssl s_server命令

一、简介

s_server是openssl提供的一个SSL服务程序。使用此程序前，需要生成各种证书。本命令可以用来测试ssl客户端，比如各种浏览器的https协议支持

二、语法

openssl s_server [-accept port] [-context id] [-verify depth] [-Verify depth] [-crl_check] [-crl_check_all] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-dcert filename] [-dcertform DER|PEM ] [-dkey keyfile] [-dkeyform DER|PEM ] [-dpass arg] [-dhparam filename] [-name_curve arg][-nbio] [-nbio_test] [-crlf] [-debug] [-msg] [-state] [-CApath directory] [-CAfile filename] [-nocert] [-cipher cipherlist] [-quiet] [-no_tmp_rsa] [-ssl2] [-ssl3] [-tls1_1] [-tls1_2] [-tls1] [-dtls1] [-timeout] [-mtu] [-chain] [-no_ssl2][-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-no_dhe] [-no_ecdhe][-bugs] [-hack] [-www] [-WWW] [-HTTP][-engine id] [-tlsextdebug] [-no_ticket] [-id_prefix arg] [-rand file(s)]

选项

 -accept arg   - port to accept on (default is )
 -context arg  - set session ID context
 -verify arg   - turn on peer certificate verification
 -Verify arg   - turn on peer certificate verification, must have a cert.
 -cert arg     - certificate file to use
                 (default is server.pem)
 -crl_check    - check the peer certificate has not been revoked by its CA.
                 The CRL(s) are appended to the certificate file
 -crl_check_all - check the peer certificate has not been revoked by its CA
                 or any other CRL in the CA chain. CRL(s) are appened to the
                 the certificate file.
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg      - Private Key file to use, in cert file if
                 not specified (default is server.pem)
 -keyform arg  - key format (PEM, DER or ENGINE) PEM default
 -pass arg     - private key file pass phrase source
 -dcert arg    - second certificate file to use (usually for DSA)
 -dcertform x  - second certificate format (PEM or DER) PEM default
 -dkey arg     - second private key file to use (usually for DSA)
 -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default
 -dpass arg    - second private key file pass phrase source
 -dhparam arg  - DH parameter file to use, in cert file if not specified
                 or a default set of parameters is used
 -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.
                 Use "openssl ecparam -list_curves" for all names
                 (default is nistp256).
 -nbio         - Run with non-blocking IO
 -nbio_test    - test with the non-blocking test bio
 -crlf         - convert LF from terminal into CRLF
 -debug        - Print more output
 -msg          - Show protocol messages
 -state        - Print the SSL states
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -trusted_first - Use trusted CA's first when building the trust chain
 -nocert       - Don't use any certificates (Anon-DH)
 -cipher arg   - play with 'openssl ciphers' to see what goes here
 -serverpref   - Use server's cipher preferences
 -quiet        - No server output
 -no_tmp_rsa   - Do not generate a tmp RSA key
 -psk_hint arg - PSK identity hint to use
 -psk arg      - PSK in hex (without 0x)
 -ssl2         - Just talk SSLv2
 -ssl3         - Just talk SSLv3
 -tls1_2       - Just talk TLSv1.
 -tls1_1       - Just talk TLSv1.
 -tls1         - Just talk TLSv1
 -dtls1        - Just talk DTLSv1
 -timeout      - Enable timeouts
 -mtu          - Set link layer MTU
 -chain        - Read a certificate chain
 -no_ssl2      - Just disable SSLv2
 -no_ssl3      - Just disable SSLv3
 -no_tls1      - Just disable TLSv1
 -no_tls1_1    - Just disable TLSv1.
 -no_tls1_2    - Just disable TLSv1.
 -no_dhe       - Disable ephemeral DH
 -no_ecdhe     - Disable ephemeral ECDH
 -bugs         - Turn on SSL bug compatibility
 -www          - Respond to a 'GET /' with a status page
 -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
 -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
                 with the assumption it contains a complete HTTP response.
 -engine id    - Initialise and use the specified engine
 -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'
 -rand file:file:...
 -servername host - servername for HostName TLS extension
 -servername_fatal - on mismatch send fatal alert (default warning alert)
 -cert2 arg    - certificate file to use for servername
                 (default is server2.pem)
 -key2 arg     - Private Key file to use for servername, in cert file if
                 not specified (default is server2.pem)
 -tlsextdebug  - hex dump of all TLS extensions received
 -no_ticket    - disable use of RFC4507bis session tickets
 -legacy_renegotiation - enable use of legacy renegotiation (dangerous)
 -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)
 -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
 -keymatexport label   - Export keying material using label
 -keymatexportlen len  - Export len bytes of keying material (default )

三、实例

1、启动s_server服务（站点证书及私钥，证书链，协议版本，算法组合）

openssl s_server -accept 2009 -key serverprikey.pem -cert server.pem -ssl3 -cipher EXP-KRB5-RC4-MD5 -chain -debug -msg

参考：http://blog.csdn.net/as3luyuan123/article/details/16850727     http://www.tuicool.com/articles/6ny6Fv