Test SSL connectivity with s_client commands to check whether the certificate is valid, trusted, and complete.
Install OpenSSL software from http://www.openssl.org/.
In the command line, enter openssl s_client -connect <hostname>:<port>.
This opens an SSL connection to the specified hostname and port and prints the SSL certificate.
Check the availability of the domain from the connection results.
The following table includes some commonly used s_client commands. For more information, see the OpenSSL s_client man page in the OpenSSL toolkit.
To view a complete list of s_client commands in the command line, enter openssl -?.
| Command Options | Description | Example |
|---|---|---|
| -connect | Tests connectivity to an HTTPS service. | openssl s_client -connect pingfederate.<YourDomain>.com:443 |
| -showcerts | Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues. | openssl s_client -connect <hostname>:<port> -showcerts |
| -tls1, -dtls1 | Forces TLSv1 and DTLSv1 respectively. | openssl s_client -connect <hostname>:<port> -tls1 |
| -cipher | Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL. | openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA |
For troubleshooting connection and SSL handshake problems, see the following:
- If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
- If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as 44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:.
After disabling a weak cipher, verify that the server no longer accepts it with the following command:
openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
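The outcomes described above (a connection timeout, a socket that opens without a handshake, and the weak-cipher check) can be told apart from captured s_client output. The script below is an added example, not part of the original page; the function names and sample outputs are constructed, and it also flags the case where the local OpenSSL build cannot offer the requested cipher (no cipher match), which says nothing about the server.

```shell
#!/bin/sh
# Added example; function names and sample outputs are constructed.

# Classify captured `openssl s_client` output read from stdin. Prints one of:
#   client_unsupported   local OpenSSL cannot offer the cipher (server untested)
#   unreachable          no socket opened, e.g. connect: Operation timed out
#   no_handshake         CONNECTED printed, but no cipher was negotiated
#   negotiated:<cipher>  handshake completed with <cipher>
classify_s_client() {
  out=$(cat)
  case $out in
    *"no cipher match"*) echo client_unsupported; return 0 ;;
  esac
  if ! printf '%s\n' "$out" | grep -q '^CONNECTED'; then
    echo unreachable; return 0
  fi
  # s_client summarises the result as "New, <protocol>, Cipher is <name>".
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
  case $cipher in
    ''|'(NONE)') echo no_handshake ;;
    *) echo "negotiated:$cipher" ;;
  esac
}

# Live check: check_cipher <hostname>:<port> <cipher>
# </dev/null closes stdin so s_client exits once the handshake finishes.
check_cipher() {
  openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | classify_s_client
}

# Constructed, abbreviated sample outputs (not captured from a real server).
SAMPLE_TIMEOUT='connect: Operation timed out'
SAMPLE_REJECTED='CONNECTED(00000003)
error: sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)'
SAMPLE_UNSUPPORTED='Error with command: "-cipher EXP-RC4-MD5"
error: SSL routines:SSL_CTX_set_cipher_list:no cipher match'

for sample in "$SAMPLE_TIMEOUT" "$SAMPLE_REJECTED" "$SAMPLE_ACCEPTED" "$SAMPLE_UNSUPPORTED"; do
  printf '%s\n' "$sample" | classify_s_client
done
```

For the weak-cipher check, no_handshake is the expected result once the cipher is disabled; negotiated:<cipher> means the server still accepts it.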