Test SSL connectivity with s_client commands to check whether the certificate is valid, trusted, and complete.
Install OpenSSL software from http://www.openssl.org/.
- In the command line, enter openssl s_client -connect <hostname>:<port>.
  This opens an SSL connection to the specified hostname and port and prints the SSL certificate.
- Check the availability of the domain from the connection results.
The following table includes some commonly used s_client commands. For more information, see the OpenSSL s_client commands man page in the OpenSSL toolkit.
To view a complete list of s_client commands in the command line, enter openssl -?.
| Command Options | Description | Example |
|---|---|---|
| -connect | Tests connectivity to an HTTPS service. | openssl s_client -connect pingfederate.<YourDomain>.com:443 |
| -showcerts | Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues. | openssl s_client -connect <hostname>:<port> -showcerts |
| -tls1, -dtls1 | Forces TLSv1 and DTLSv1 respectively. | openssl s_client -connect <hostname>:<port> -tls1 |
| -cipher | Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL. | openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA |
For troubleshooting connection and SSL handshake problems, see the following:
- If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
- If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as 44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:.
After disabling a weak cipher, you can verify whether it has been disabled with the following command.
openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
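One way to script this verification, as an added example that is not part of the original page: the functions below classify s_client output and report a cipher as disabled only when a baseline handshake succeeds and the forced-cipher handshake fails. The function names and result labels are assumptions of this example; a local "no cipher match" error (the client's OpenSSL build lacks the cipher) or a different negotiated suite is treated as inconclusive.

```sh
# Added example (not from the original page): interpret `openssl s_client` output.
# Function names and result labels are this example's own choices.

# classify_s_client: reads s_client output on stdin, prints one label.
classify_s_client() {
    out=$(cat)
    case "$out" in
        # The local OpenSSL build does not know the cipher, so no handshake was attempted.
        *"no cipher match"*) echo "client-lacks-cipher"; return 0 ;;
    esac
    case "$out" in
        *CONNECTED*) ;;                       # socket opened
        *) echo "unreachable"; return 0 ;;    # e.g. connect: Operation timed out
    esac
    # A completed handshake prints "New, <protocol>, Cipher is <name>".
    cipher=$(printf '%s\n' "$out" | sed -n '/^New, .*Cipher is /{s/.*Cipher is //p;q;}')
    case "$cipher" in
        ""|"(NONE)") echo "handshake-failed" ;;   # non-SSL service or refused handshake
        *) echo "negotiated:$cipher" ;;
    esac
}

# cipher_verdict BASELINE_LABEL FORCED_LABEL CIPHER: prints enabled, disabled or inconclusive.
cipher_verdict() {
    case "$1" in
        negotiated:*) ;;                      # service completes a default handshake
        *) echo "inconclusive"; return 0 ;;   # a failure would prove nothing about the cipher
    esac
    case "$2" in
        "negotiated:$3") echo "enabled" ;;
        handshake-failed) echo "disabled" ;;
        *) echo "inconclusive" ;;             # client lacks cipher, or another suite was chosen
    esac
}

# check_cipher HOST:PORT CIPHER: live check; needs network access and the openssl binary.
check_cipher() {
    base=$(openssl s_client -connect "$1" </dev/null 2>&1 | classify_s_client)
    forced=$(openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | classify_s_client)
    cipher_verdict "$base" "$forced" "$2"
}
```

Run it as check_cipher <hostname>:<port> EXP-RC4-MD5; an "inconclusive" result means the test has to be repeated from a client whose OpenSSL build still includes the cipher.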