The OpenSSL s_client command is a helpful test client for troubleshooting remote SSL or TLS connections.
This post covers various examples of testing SSL connections with different ciphers, TLS versions, and SSL server certificate analysis.
OpenSSL s_client connect
openssl s_client -connect example.com:443
Use the openssl s_client -connect flag to display diagnostic information about the SSL connection to the server. The information will include the server’s certificate chain, printed as subject and issuer. The end entity server certificate will be the only certificate printed in PEM format.
Details about the SSL handshake, its verification, and the TLS version and cipher will be returned. The server’s public key bit length is also returned.
To specify the TLS version in the connection for testing various protocols, add the appropriate TLS/SSL flag to the command.
For example, to test TLS 1.3 with openssl s_client, run the following:
openssl s_client -connect example.com:443 -tls1_3
Other supported SSL and TLS version flags include -tls1_2, -tls1_1, -tls1, -ssl2, and -ssl3.
Alternatively, to disable the use of a specific SSL/TLS protocol version, the following flags are supported: -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, and -no_tls1_3.
For the case of example.com, TLSv1.3 is supported. To disable TLSv1.3, use the -no_tls1_3 flag:
openssl s_client -connect example.com:443 -no_tls1_3
To verify the protocol, view the SSL-Session section of the console output.
SSL-Session:
Protocol : TLSv1.3
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 2BFA471935218231CFC481C6AD4E720A4B923D04A36
Session-ID-ctx:
Master-Key: 935153C4FD38007F942A934B7FC860A5DC484C393
If the specified protocol is not supported on the server, we will receive an error similar to: "SSL routines:tls_construct_client_hello:no protocols available"
To debug the SSL/TLS connection with openssl s_client connect, append the -tlsextdebug flag onto our command:
openssl s_client -connect example.com:443 -tlsextdebug
Additional information about the TLS extensions exchanged is included and can be used to verify the SSL configuration of the server.
openssl s_client showcerts
openssl s_client -connect example.com:443 -showcerts
Appending the -showcerts flag to the openssl s_client -connect command prints the entire certificate chain in PEM format, whereas leaving it off prints only the end entity certificate in PEM format.
Other than that one difference, the output is the same. Note that the list of certificates returned when using -showcerts is not a verified chain: it is printed in the same order the server sent them.
While most examples we find test port 443, this will work with other ports as well.
For example, testing SSL configuration on an ldap host works the same, just specify the port, commonly 636. To show the server certificates on the ldap server, run the following command:
openssl s_client -connect ldap-host:636 -showcerts
After showing the certificates returned by openssl s_client connect, decode the certificates for more information about each section of the certificate with our Certificate Decoder tool.
openssl s_client -starttls
Adding the -starttls flag to our openssl s_client -connect command will send the protocol specific message for switching to SSL/TLS communication.
Supported protocols include smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, mysql, lmtp, nntp, sieve and ldap.
For the ldap example:
openssl s_client -connect ldap-host:389 -starttls ldap
openssl s_client sni
openssl s_client -connect example.com:443 -servername example.com
SNI is a TLS extension that lets one host or IP address serve multiple hostnames, so that hostname and IP address no longer have to map one to one.
Use the -servername switch to enable SNI in s_client. If the certificate returned with the -servername flag differs from the one returned without it, we know that SNI is required.
Appending the -noservername flag to the openssl s_client command will not send the SNI (Server Name Indication). Note that this cannot be used in the same command as the -servername flag. For example:
openssl s_client -connect example.com:443 -noservername
openssl s_client get certificate
To save the certificate returned by a server to a file with openssl s_client, run the following command:
echo | openssl s_client -connect example.com:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.com.pem
To write the entire certificate chain to the file instead of just the end entity certificate, remember to add the -showcerts option.
OpenSSL s_client verify
To verify the SSL connection to the server, run the following command:
openssl s_client -verify_return_error -connect example.com:443
If the server returns any errors then the SSL Handshake will fail and the connection will be aborted.
OpenSSL s_client ciphers
We can pass a cipher to the openssl s_client command with the -ciphersuites flag. This flag is useful for the TLSv1.3 cipher list to be modified by the client. While the server ultimately determines which cipher is used in the SSL connection, generally speaking it should take the first supported cipher in the list sent by the client. If we have a preferred cipher or list of ciphers, it can be sent along with this flag.
For example:
echo | openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 2>/dev/null | grep New
Will output the following:
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
The server should accept and use the provided cipher in the connection. To provide a list of ciphers, delimit them with a colon (:).
If modifying or specifying the cipher list for a TLSv1.2 connection, the -cipher flag is used instead of the -ciphersuites flag.
For example:
echo | openssl s_client -connect www.example.com:443 -tls1_2 -cipher AES128-GCM-SHA256 2>/dev/null | grep New
Will output the following:
New, TLSv1.2, Cipher is AES128-GCM-SHA256
TLS Client Auth with openssl s_client
openssl s_client also provides the capability to test TLS client auth. This can be done with the -cert and -key options together, or, as in this example, with only the -cert option, by combining the certificate and the private key used for authentication in the same file.
openssl s_client -connect example.com:443 -cert
Check who has issued the SSL certificate:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=R3
Check whom the SSL certificate is issued to:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com
Check the dates for which the SSL certificate is valid:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
Show all of the above information about the SSL certificate:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=www.howtouselinux.com
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
Show the SHA1 fingerprint of the SSL certificate:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=52:DA:6A:D5:81:A8:6C:20:6A:16:EE:2E:A2:19:7A:C6:E7:A2:3E:87
Extract all information from the SSL certificate (decoded)
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:03:86:f4:63:3d:34:50:a8:47:cc:f7:99:10:1f:79:1c:21:c8
Signature Algorithm: sha256WithRSAEncryption
[…]
Show the SSL certificate itself (encoded)
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISA4b0Yz00UKhHzPeZEB95HCHIMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMTgxMDU1MDBaFw0x
[…]
Check SSL Certificate expiration date
- openssl s_client -servername SERVER_NAME -connect SERVER_NAME:PORT | openssl x509 -noout -dates
- echo | openssl s_client -servername SERVER_NAME -connect SERVER_NAME:PORT | openssl x509 -noout -dates
- openssl x509 -enddate -noout -in /path/to/my/my.pem
Example:
openssl x509 -dates -noout -in hydssl.cer
notBefore=Dec 12 16:56:15 2019 GMT
notAfter=Dec 12 16:56:15 2029 GMT
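As an added example (not code from the original post or from howtouselinux), the following Python script wraps the post's echo | openssl s_client | openssl x509 -noout -dates pipeline and the sed certificate extraction into a reusable expiry check with a renewal threshold. fetch_cert_dates needs network access and the openssl binary; the parsing functions are exercised on a constructed sample built from the dates shown above.

```python
import re
import subprocess
from datetime import datetime, timezone

# Matches each PEM certificate block, like the sed range filter used in the post.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
X509_DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. 'Nov  6 04:49:57 2021 GMT'


def extract_pem_chain(s_client_output: str) -> list:
    """Return every PEM certificate in s_client output, in the order the server
    sent them (with -showcerts that is the whole, unverified chain)."""
    return PEM_BLOCK.findall(s_client_output)


def parse_x509_dates(dates_output: str) -> tuple:
    """Parse the notBefore/notAfter lines printed by 'openssl x509 -noout -dates'."""
    found = dict(line.split("=", 1) for line in dates_output.splitlines() if "=" in line)
    return (datetime.strptime(found["notBefore"].strip(), X509_DATE_FMT),
            datetime.strptime(found["notAfter"].strip(), X509_DATE_FMT))


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    return (not_after - now).days


def needs_renewal(not_after: datetime, now: datetime, threshold_days: int = 30) -> bool:
    """True when the certificate expires within threshold_days (or already has)."""
    return days_until_expiry(not_after, now) < threshold_days


def fetch_cert_dates(host: str, port: int = 443) -> tuple:
    """Run the post's pipeline (needs network): echo | openssl s_client -servername
    HOST -connect HOST:PORT | openssl x509 -noout -dates."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, check=True)  # input=b'' plays the role of 'echo |'
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True, check=True)
    return parse_x509_dates(x509.stdout.decode())


# Constructed sample of 'openssl x509 -noout -dates' output, using the post's values.
SAMPLE_DATES = "notBefore=Aug  8 04:49:59 2021 GMT\nnotAfter=Nov  6 04:49:57 2021 GMT\n"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    _, not_after = fetch_cert_dates(host)
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, like the parsed dates
    print(f"{host}: {days_until_expiry(not_after, now)} days left"
          + (" -> renew soon" if needs_renewal(not_after, now) else ""))
```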