openssl s_server [-accept port] [-context id] [-verify depth] [-Verify depth] [-crl_check] [-crl_check_all] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-dcert filename] [-dcertform DER|PEM ] [-dkey keyfile] [-dkeyform DER|PEM ] [-dpass arg] [-dhparam filename] [-name_curve arg][-nbio] [-nbio_test] [-crlf] [-debug] [-msg] [-state] [-CApath directory] [-CAfile filename] [-nocert] [-cipher cipherlist] [-quiet] [-no_tmp_rsa] [-ssl2] [-ssl3] [-tls1_1] [-tls1_2] [-tls1] [-dtls1] [-timeout] [-mtu] [-chain] [-no_ssl2][-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-no_dhe] [-no_ecdhe][-bugs] [-hack] [-www] [-WWW] [-HTTP][-engine id] [-tlsextdebug] [-no_ticket] [-id_prefix arg] [-rand file(s)]

 -accept arg   - port to accept on (default is 4433)-context arg  - set session ID context-verify arg   - turn on peer certificate verification-Verify arg   - turn on peer certificate verification, must have a cert.-cert arg     - certificate file to use(default is server.pem)-crl_check    - check the peer certificate has not been revoked by its CA.The CRL(s) are appended to the certificate file-crl_check_all - check the peer certificate has not been revoked by its CAor any other CRL in the CA chain. CRL(s) are appened to thethe certificate file.-certform arg - certificate format (PEM or DER) PEM default-key arg      - Private Key file to use, in cert file ifnot specified (default is server.pem)-keyform arg  - key format (PEM, DER or ENGINE) PEM default-pass arg     - private key file pass phrase source-dcert arg    - second certificate file to use (usually for DSA)-dcertform x  - second certificate format (PEM or DER) PEM default-dkey arg     - second private key file to use (usually for DSA)-dkeyform arg - second key format (PEM, DER or ENGINE) PEM default-dpass arg    - second private key file pass phrase source-dhparam arg  - DH parameter file to use, in cert file if not specifiedor a default set of parameters is used-named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.Use "openssl ecparam -list_curves" for all names(default is nistp256).-nbio         - Run with non-blocking IO-nbio_test    - test with the non-blocking test bio-crlf         - convert LF from terminal into CRLF-debug        - Print more output-msg          - Show protocol messages-state        - Print the SSL states-CApath arg   - PEM format directory of CA's-CAfile arg   - PEM format file of CA's-trusted_first - Use trusted CA's first when building the trust chain-nocert       - Don't use any certificates (Anon-DH)-cipher arg   - play with 'openssl ciphers' to see what goes here-serverpref   - Use server's cipher preferences-quiet        - No server output-no_tmp_rsa   - Do not generate a tmp RSA key-psk_hint arg - PSK identity hint to use-psk arg      - PSK in hex (without 0x)-ssl2         - Just talk SSLv2-ssl3         - Just talk SSLv3-tls1_2       - Just talk TLSv1.2-tls1_1       - Just talk TLSv1.1-tls1         - Just talk TLSv1-dtls1        - Just talk DTLSv1-timeout      - Enable timeouts-mtu          - Set link layer MTU-chain        - Read a certificate chain-no_ssl2      - Just disable SSLv2-no_ssl3      - Just disable SSLv3-no_tls1      - Just disable TLSv1-no_tls1_1    - Just disable TLSv1.1-no_tls1_2    - Just disable TLSv1.2-no_dhe       - Disable ephemeral DH-no_ecdhe     - Disable ephemeral ECDH-bugs         - Turn on SSL bug compatibility-www          - Respond to a 'GET /' with a status page-WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>-HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>with the assumption it contains a complete HTTP response.-engine id    - Initialise and use the specified engine-id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'-rand file:file:...-servername host - servername for HostName TLS extension-servername_fatal - on mismatch send fatal alert (default warning alert)-cert2 arg    - certificate file to use for servername(default is server2.pem)-key2 arg     - Private Key file to use for servername, in cert file ifnot specified (default is server2.pem)-tlsextdebug  - hex dump of all TLS extensions received-no_ticket    - disable use of RFC4507bis session tickets-legacy_renegotiation - enable use of legacy renegotiation (dangerous)-nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)-use_srtp profiles - Offer SRTP key management with a colon-separated profile list-keymatexport label   - Export keying material using label-keymatexportlen len  - Export len bytes of keying material (default 20)

openssl s_server -accept 2009 -key serverprikey.pem -cert server.pem -ssl3 -cipher EXP-KRB5-RC4-MD5 -chain -debug -msg

参考：http://blog.csdn.net/as3luyuan123/article/details/16850727     http://www.tuicool.com/articles/6ny6Fv