| yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | =pod |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | openssl-sess_id, |
| 6 | sess_id - SSL/TLS session handling utility |
| 7 | |
| 8 | =head1 SYNOPSIS |
| 9 | |
| 10 | B<openssl> B<sess_id> |
| 11 | [B<-help>] |
| 12 | [B<-inform PEM|DER>] |
| 13 | [B<-outform PEM|DER|NSS>] |
| 14 | [B<-in filename>] |
| 15 | [B<-out filename>] |
| 16 | [B<-text>] |
| 17 | [B<-noout>] |
| 18 | [B<-context ID>] |
| 19 | |
| 20 | =head1 DESCRIPTION |
| 21 | |
| 22 | The B<sess_id> process the encoded version of the SSL session structure |
| 23 | and optionally prints out SSL session details (for example the SSL session |
| 24 | master key) in human readable format. Since this is a diagnostic tool that |
| 25 | needs some knowledge of the SSL protocol to use properly, most users will |
| 26 | not need to use it. |
| 27 | |
| 28 | =head1 OPTIONS |
| 29 | |
| 30 | =over 4 |
| 31 | |
| 32 | =item B<-help> |
| 33 | |
| 34 | Print out a usage message. |
| 35 | |
| 36 | =item B<-inform DER|PEM> |
| 37 | |
| 38 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded |
| 39 | format containing session details. The precise format can vary from one version |
| 40 | to the next. The B<PEM> form is the default format: it consists of the B<DER> |
| 41 | format base64 encoded with additional header and footer lines. |
| 42 | |
| 43 | =item B<-outform DER|PEM|NSS> |
| 44 | |
| 45 | This specifies the output format. The B<PEM> and B<DER> options have the same meaning |
| 46 | and default as the B<-inform> option. The B<NSS> option outputs the session id and |
| 47 | the master key in NSS keylog format. |
| 48 | |
| 49 | =item B<-in filename> |
| 50 | |
| 51 | This specifies the input filename to read session information from or standard |
| 52 | input by default. |
| 53 | |
| 54 | =item B<-out filename> |
| 55 | |
| 56 | This specifies the output filename to write session information to or standard |
| 57 | output if this option is not specified. |
| 58 | |
| 59 | =item B<-text> |
| 60 | |
| 61 | Prints out the various public or private key components in |
| 62 | plain text in addition to the encoded version. |
| 63 | |
| 64 | =item B<-cert> |
| 65 | |
| 66 | If a certificate is present in the session it will be output using this option, |
| 67 | if the B<-text> option is also present then it will be printed out in text form. |
| 68 | |
| 69 | =item B<-noout> |
| 70 | |
| 71 | This option prevents output of the encoded version of the session. |
| 72 | |
| 73 | =item B<-context ID> |
| 74 | |
| 75 | This option can set the session id so the output session information uses the |
| 76 | supplied ID. The ID can be any string of characters. This option won't normally |
| 77 | be used. |
| 78 | |
| 79 | =back |
| 80 | |
| 81 | =head1 OUTPUT |
| 82 | |
| 83 | Typical output: |
| 84 | |
| 85 | SSL-Session: |
| 86 | Protocol : TLSv1 |
| 87 | Cipher : 0016 |
| 88 | Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED |
| 89 | Session-ID-ctx: 01000000 |
| 90 | Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD |
| 91 | Key-Arg : None |
| 92 | Start Time: 948459261 |
| 93 | Timeout : 300 (sec) |
| 94 | Verify return code 0 (ok) |
| 95 | |
| 96 | These are described below in more detail. |
| 97 | |
| 98 | =over 4 |
| 99 | |
| 100 | =item B<Protocol> |
| 101 | |
| 102 | This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3. |
| 103 | |
| 104 | =item B<Cipher> |
| 105 | |
| 106 | The cipher used this is the actual raw SSL or TLS cipher code, see the SSL |
| 107 | or TLS specifications for more information. |
| 108 | |
| 109 | =item B<Session-ID> |
| 110 | |
| 111 | The SSL session ID in hex format. |
| 112 | |
| 113 | =item B<Session-ID-ctx> |
| 114 | |
| 115 | The session ID context in hex format. |
| 116 | |
| 117 | =item B<Master-Key> |
| 118 | |
| 119 | This is the SSL session master key. |
| 120 | |
| 121 | =item B<Start Time> |
| 122 | |
| 123 | This is the session start time represented as an integer in standard |
| 124 | Unix format. |
| 125 | |
| 126 | =item B<Timeout> |
| 127 | |
| 128 | The timeout in seconds. |
| 129 | |
| 130 | =item B<Verify return code> |
| 131 | |
| 132 | This is the return code when an SSL client certificate is verified. |
| 133 | |
| 134 | =back |
| 135 | |
| 136 | =head1 NOTES |
| 137 | |
| 138 | The PEM encoded session format uses the header and footer lines: |
| 139 | |
| 140 | -----BEGIN SSL SESSION PARAMETERS----- |
| 141 | -----END SSL SESSION PARAMETERS----- |
| 142 | |
| 143 | Since the SSL session output contains the master key it is |
| 144 | possible to read the contents of an encrypted session using this |
| 145 | information. Therefore, appropriate security precautions should be taken if |
| 146 | the information is being output by a "real" application. This is however |
| 147 | strongly discouraged and should only be used for debugging purposes. |
| 148 | |
| 149 | =head1 BUGS |
| 150 | |
| 151 | The cipher and start time should be printed out in human readable form. |
| 152 | |
| 153 | =head1 SEE ALSO |
| 154 | |
| 155 | L<ciphers(1)>, L<s_server(1)> |
| 156 | |
| 157 | =head1 COPYRIGHT |
| 158 | |
| 159 | Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. |
| 160 | |
| 161 | Licensed under the OpenSSL license (the "License"). You may not use |
| 162 | this file except in compliance with the License. You can obtain a copy |
| 163 | in the file LICENSE in the source distribution or at |
| 164 | L<https://www.openssl.org/source/license.html>. |
| 165 | |
| 166 | =cut |