"\n" " -cipher_suite options\n" " TLS_SM4_GCM_SM3 TLS 1.3\n" " TLS_AES_128_GCM_SHA256 TLS 1.3\n" " TLS_ECC_SM4_CBC_SM3 TLCP\n" " TLS_ECDHE_SM4_CBC_SM3 TLCP TLS 1.2\n" " TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS 1.2\n" "\n" " -supported_group options\n" " sm2p256v1\n" " prime256v1\n" "\n" " -sig_alg options\n" " sm2sig_sm3\n" " ecdsa_secp256r1_sha256\n" "\n" "Generate SM2 certificates\n" "\n" " gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n" " gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n" " -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem \\\n" " -key_usage keyCertSign -key_usage cRLSign -ca\n" "\n" " gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" \\\n" " -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n" " gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign \\\n" " -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 \\\n" " -ca -path_len_constraint 0 \\\n" " -out sm2cacert.pem\n" "\n" " gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost \\\n" " -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n" " gmssl reqsign -in sm2signreq.pem -days 365 -key_usage digitalSignature \\\n" " -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 \\\n" " -out sm2signcert.pem\n" "\n" " cat sm2signcert.pem > sm2certs.pem\n" " cat sm2cacert.pem >> sm2certs.pem\n" "\n" "TLS 1.3 with TLS_SM4_GCM_SM3 cipher suite\n" "\n" " gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n" "\n" "Generate P-256 certificates\n" "\n" " gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n" " 
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n" " -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n" " -key_usage keyCertSign -key_usage cRLSign -ca\n" "\n" " gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n" " -key p256cakey.pem -pass 1234 -out p256careq.pem\n" " gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n" " -cacert p256rootcacert.pem -key p256rootcakey.pem -pass 1234 \\\n" " -ca -path_len_constraint 0 \\\n" " -out p256cacert.pem\n" "\n" " gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n" " gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 \\\n" " -key p256signkey.pem -pass 1234 -out p256signreq.pem\n" " gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n" " -cacert p256cacert.pem -key p256cakey.pem -pass 1234 \\\n" " -subject_dns_name 127.0.0.1 \\\n" " -out p256signcert.pem\n" "\n" " cat p256signcert.pem > p256certs.pem\n" " cat p256cacert.pem >> p256certs.pem\n" "\n" " cat sm2rootcacert.pem > rootcacerts.pem\n" " cat p256rootcacert.pem >> rootcacerts.pem\n" "\n" "TLS 1.3 with TLS_AES_128_GCM_SHA256\n" " gmssl tls13_server -port 4430 \\\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -cert p256certs.pem -key p256signkey.pem -pass 1234\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n" "\n" " add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_server.c\n" " add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_client.c\n" "\n" " /usr/local/bin/openssl s_server -accept 4430 -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp \\\n" " 
-tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -named_curve prime256v1 \\\n" " -trace\n" "\n" " /usr/local/bin/openssl s_client -connect 127.0.0.1:4430 -tls1_3 -CAfile p256rootcacert.pem -groups prime256v1 -trace\n" "\n" "TLS 1.3 SNI\n" "\n" " gmssl tls13_server -port 4430 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -cert p256certs.pem -key p256signkey.pem -pass 1234\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -server_name\n" "\n" "HelloRetryRequest\n" "\n" " gmssl tls13_server -port 4430 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" " -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -max_key_exchanges 1 # or -max_key_exchanges 0 \n" "\n" "ClientHello with OCSP request, CT, and other extensions\n" "\n" " gmssl tls13_server -port 4430 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n" " -supported_group sm2p256v1 -supported_group prime256v1 \\\n" " -sig_alg sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -cipher_suite TLS_AES_128_GCM_SHA256 \\\n" " -supported_group sm2p256v1 -supported_group prime256v1 \\\n" " -sig_alg 
sm2sig_sm3 -sig_alg ecdsa_secp256r1_sha256 \\\n" " -max_key_exchanges 2 \\\n" " -server_name \\\n" " -signature_algorithms_cert \\\n" " -status_request \\\n" " -post_handshake_auth \\\n" " -ct\n" "\n" "NewSessionTicket\n" "\n" " TICKET_KEY=11223344556677881122334455667788\n" "\n" " gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -new_session_ticket 2 -ticket_key $TICKET_KEY\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -sess_out session.bin\n" "\n" "PSK-DHE from session ticket\n" "\n" " gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 \\\n" " -psk_dhe_ke -ticket_key $TICKET_KEY\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 \\\n" " -psk_dhe_ke -sess_in session.bin\n" "\n" "PSK-DHE/PSK from external\n" "\n" " PSK=1122334455667788112233445566778811223344556677881122334455667788\n" "\n" " gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" " -supported_group sm2p256v1 -psk_dhe_ke \\\n" " -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" " -supported_group sm2p256v1 -psk_dhe_ke \\\n" " -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" "\n" " gmssl tls13_server -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" " -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" " -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK\n" "\n" "EarlyData (0-RTT)\n" "\n" " gmssl tls13_server -port 4430 
-cipher_suite TLS_SM4_GCM_SM3 \\\n" " -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK \\\n" " -early_data\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cipher_suite TLS_SM4_GCM_SM3 \\\n" " -psk_ke -psk_identity 001 -psk_cipher_suite TLS_SM4_GCM_SM3 -psk_key $PSK \\\n" " -early_data early_data.txt\n" "\n" "CertificateRequest\n" "\n" " gmssl tls13_server -port 4430 -cert sm2certs.pem -key sm2signkey.pem -pass 1234 \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cert_request -cacert sm2rootcacert.pem\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3 \\\n" " -cert sm2certs.pem -key sm2signkey.pem -pass 1234\n" "\n" "CertificateRequest without CertificateVerify\n" "\n" " gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert sm2rootcacert.pem \\\n" " -cipher_suite TLS_SM4_GCM_SM3 -supported_group sm2p256v1 -sig_alg sm2sig_sm3\n"