Exploring SSL Connection with OpenSSL S_client Command

Updated: Aug 25

An SSL (Secure Sockets Layer) connection is an encrypted and authenticated connection that provides secure communications on the Internet for such things as web browsing, e-mail, instant messaging, and other data transfers.


Although SSL was replaced by an updated protocol called TLS (Transport Layer Security) some time ago, "SSL" is still a commonly used term for this technology. SSL 2.0 and 3.0 themselves are deprecated and disabled in current software; what actually gets negotiated today is TLS 1.2 or TLS 1.3.




How an SSL connection is established


  • The client sends a ClientHello to the server, asking for a secure session and listing the protocol versions and cipher suites it supports. The server picks one of them and responds with its X.509 digital certificate.

  • The client authenticates the server: it checks that the certificate chains up to a certificate authority in its list of trusted CAs, is within its validity period, and names the host the client is connecting to.

  • Client and server agree on a shared symmetric key. In the classic RSA key exchange, the client generates a random secret and encrypts it with the public key from the server's certificate, so only the holder of the server's private key can read it. TLS 1.2 deployments typically use, and TLS 1.3 requires, an ephemeral (EC)DHE exchange instead, so that a later compromise of the server's private key does not expose recorded sessions.

  • The client and server now both know the symmetric key and use it to encrypt and decrypt the information contained in the client request and the server response.



What is an SSL certificate?

An SSL certificate is an X.509 certificate file installed on a website's origin server. It contains the server's public key, the identity it was issued to (the website's domain names, in the subject and Subject Alternative Name fields), a validity period, and the signature of the issuer that vouches for that binding. Without a certificate the server cannot prove its identity, and a browser will not establish a TLS session with it.


Technically, any website owner can create their own SSL certificate by signing it with their own private key, and such certificates are called self-signed certificates. However, browsers do not trust self-signed certificates the way they trust certificates issued by a certificate authority, because no third party has vouched for the link between the key and the name: they show a warning unless the certificate has been explicitly added to the client's trust store. OpenSSL reports the same condition as Verify return code: 18 (self-signed certificate).



Using OpenSSL s_client commands to test SSL connection

In the command line, enter openssl s_client -connect <hostname>:<port> -servername <hostname>.


This opens a TCP connection to the specified hostname and port, performs a TLS handshake, and prints the certificate chain the server presented, the server certificate in PEM form, the negotiated protocol and cipher, and a Verify return code. The -servername option sends the hostname in the SNI extension; without it, a server that hosts several sites on one address may hand back a default certificate issued for a different name.


Read the result from the top and the bottom of the output: CONNECTED(00000003) on the first line means the TCP connection was made, and Verify return code: 0 (ok) at the end means the certificate chain validated against the trust store. Any other code names the verification problem.


To view the complete list of s_client options, enter openssl s_client -help. To list the OpenSSL subcommands themselves, enter openssl help.



OpenSSL Command Example to verify SSL connection

  • openssl s_client -connect <YourDomain>.com:443 -showcerts

Prints all certificates in the certificate chain presented by the SSL service, not only the server certificate. Useful when troubleshooting missing intermediate CA certificate issues: if the printed chain stops at the server certificate and the verify code is 21 (unable to verify the first certificate), the server is not sending its intermediate.


  • openssl s_client -connect <hostname>:<port> -tls1_2
  • openssl s_client -connect <hostname>:<port> -dtls1

Forces a single protocol version: -tls1, -tls1_1, -tls1_2 and -tls1_3 for TLS, and -dtls1 and -dtls1_2 for DTLS (which runs over UDP). Use these to confirm that deprecated versions such as TLSv1 are really disabled on a server: a version the server refuses ends in an alert such as protocol version or handshake failure instead of an SSL-Session block.


  • openssl s_client -connect <hostname>:<port> -tls1_2 -cipher <cipher-suite>

Forces a specific cipher suite. This option is useful in testing which ciphers a server has enabled; it takes an OpenSSL cipher string as its argument, and openssl ciphers -v lists the names OpenSSL knows. For example, openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA checks whether the server still accepts that older CBC suite; a server that does not share the cipher answers with a handshake failure alert. TLS 1.3 suites are selected separately with -ciphersuites, for example -ciphersuites TLS_AES_128_GCM_SHA256.
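The commands above, run end to end as an added example that is not part of the original post: the script builds a throw-away root CA and a leaf certificate for localhost, serves them with openssl s_server on a local port, and drives openssl s_client against that server so every check runs offline, including the verification step of the handshake and the difference -showcerts makes. The port (TLS_DEMO_PORT, default 44330), the CA name "Demo Root CA", the file names and the helper names verify_code, protocol, cipher, cert_count and connect_status are assumptions of this example; only an openssl binary (1.1.0 or later) is required.

```shell
#!/bin/sh
# Added example (not from the original post): exercise openssl s_client against a
# local openssl s_server so the checks run offline. Assumptions: an openssl binary
# (1.1.0 or later) is on PATH and TCP port $TLS_DEMO_PORT (default 44330) is free.
set -e

WORK="$(mktemp -d)"
PORT="${TLS_DEMO_PORT:-44330}"
SERVER_PID=""

# Minimal req config so the demo does not depend on the system openssl.cnf.
# The CA must carry basicConstraints CA:TRUE or chain verification fails (code 24).
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Build a two-level chain: a throw-away root CA and a leaf for localhost signed by it.
make_chain() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Run s_client with extra options; stdin is at EOF so it exits right after the handshake.
# The exit status is swallowed because a failed verification still produces useful output.
s_client_out() {
    openssl s_client -connect "127.0.0.1:$PORT" -servername localhost "$@" \
        </dev/null 2>/dev/null || true
}

# Start a TLS listener that answers with a status page (-www) and sends the CA as its
# chain, then poll until a handshake completes so callers do not race the server.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/leaf.pem" -key "$WORK/leaf.key" \
        -cert_chain "$WORK/ca.pem" -www </dev/null >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0
    while [ "$tries" -lt 25 ]; do
        case "$(s_client_out)" in *"Verify return code"*) return 0 ;; esac
        tries=$((tries + 1))
        sleep 1
    done
    echo "s_server on port $PORT did not come up" >&2
    return 1
}

stop_server() {
    if [ -n "$SERVER_PID" ]; then
        kill "$SERVER_PID" 2>/dev/null || true
        wait "$SERVER_PID" 2>/dev/null || true
        SERVER_PID=""
    fi
}
trap 'stop_server; rm -rf "$WORK"' EXIT

# "Verify return code: N (...)" from the SSL-Session block: 0 means the chain was
# validated against the trust store; any other value names a verification failure.
verify_code() {
    s_client_out "$@" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Negotiated protocol version (e.g. TLSv1.2) and cipher suite from the SSL-Session block.
protocol() {
    s_client_out "$@" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}
cipher() {
    s_client_out "$@" | sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Number of PEM certificates printed: the leaf only by default, the whole chain the
# server sent with -showcerts (grep -c prints 0 but exits 1 when nothing matches).
cert_count() {
    s_client_out "$@" | grep -c 'BEGIN CERTIFICATE' || true
}

# Exit status of s_client against a port: non-zero when the TCP connect itself fails
# (Connection refused), the case where no CONNECTED line is printed at all.
connect_status() {
    openssl s_client -connect "127.0.0.1:$1" </dev/null >/dev/null 2>&1 && echo 0 || echo $?
}

main() {
    make_chain
    start_server
    echo "default trust store: verify=$(verify_code) pem_certs=$(cert_count)"
    echo "with -CAfile ca.pem: verify=$(verify_code -CAfile "$WORK/ca.pem") pem_certs=$(cert_count -showcerts)"
    echo "forced TLS 1.2:      $(protocol -tls1_2) $(cipher -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256)"
    echo "nothing listening:   s_client exit status $(connect_status "$((PORT + 1))")"
    stop_server
}
main
```

Run it as sh tls_demo.sh. The verify code is 0 only when -CAfile points at the demo root; against the default trust store the same chain is reported as untrusted, which is what a browser shows for a private CA. The PEM count goes from 1 to 2 with -showcerts because the server sends its issuer along with the leaf, and the forced TLS 1.2 run shows the version and cipher options being honoured.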



Troubleshooting SSL connection

For troubleshooting connection and SSL handshake problems, see the following:


If there is a connection problem reaching the domain, the openssl s_client -connect command waits until a timeout occurs and prints an error such as connect: Operation timed out (a closed port fails faster, with connect: Connection refused). In both cases no CONNECTED line is printed, so the problem is at the TCP level, not in TLS.


If we use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. CONNECTED(00000003) prints as soon as the socket opens, but the server either answers in plaintext or waits for a request it never gets. Depending on the OpenSSL version the client then prints an error such as ssl3_get_record:wrong version number (current versions, when a plaintext reply arrives) or, as with the OpenSSL 0.9.8 shipped with older macOS, waits until a timeout occurs and prints 44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:.


