Using OpenSSL s_client commands to test SSL connectivity


Test SSL connectivity with s_client commands to check whether the certificate is valid, trusted, and complete.

Install OpenSSL software from http://www.openssl.org/.

  1. In the command line, enter openssl s_client -connect <hostname>:<port>.
    This opens an SSL connection to the specified hostname and port and prints the SSL certificate.
  2. Check the availability of the domain from the connection results.

    The following table includes some commonly used s_client commands. For more information, see the OpenSSL s_client commands man page in the OpenSSL toolkit.

    To view a complete list of s_client commands in the command line, enter openssl -?.

    | Command Options | Description | Example |
    |---|---|---|
    | -connect | Tests connectivity to an HTTPS service. | openssl s_client -connect pingfederate.<YourDomain>.com:443 |
    | -showcerts | Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues. | openssl s_client -connect <hostname>:<port> -showcerts |
    | -tls1, -dtls1 | Forces TLSv1 and DTLSv1 respectively. | openssl s_client -connect <hostname>:<port> -tls1 |
    | -cipher | Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL. | openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA |

    For troubleshooting connection and SSL handshake problems, see the following:

    • If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
    • If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as 44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:.

    After disabling a weak cipher, you can verify that it is disabled by forcing that cipher with the following command. If the cipher is disabled, the handshake fails.

    openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
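
The troubleshooting cases and the weak-cipher check above can be read mechanically from the s_client output. The following shell function is an added example, not part of the original guide: the name classify_s_client, the result labels, and the sample outputs are constructed for illustration, and the "no cipher match" and "Verify return code" strings are standard OpenSSL output that this page does not quote.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read from stdin.
# Live use (stderr merged; stdin closed so the client exits after the handshake):
#   openssl s_client -connect <hostname>:<port> </dev/null 2>&1 | classify_s_client
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"no cipher match"*)
            # Local OpenSSL cannot offer the forced cipher; nothing was tested.
            echo "client-lacks-cipher"; return 0 ;;
        *CONNECTED*) ;;                     # socket opened, keep checking
        *) echo "unreachable"; return 0 ;;  # e.g. connect: Operation timed out
    esac
    case "$out" in
        *"handshake failure"*|*"Cipher is (NONE)"*)
            # Non-SSL service, or the forced cipher/protocol is not enabled.
            echo "handshake-failed"; return 0 ;;
    esac
    # The first "Verify return code" line carries the chain validation result.
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: //p' | head -n 1)
    case "$verify" in
        "0 (ok)") echo "trusted" ;;
        "")       echo "unknown" ;;
        *)        echo "untrusted: $verify" ;;
    esac
}

# Constructed, abridged sample outputs; the two error strings are those quoted above.
SAMPLE_TIMEOUT='connect: Operation timed out'
SAMPLE_NON_SSL='CONNECTED(00000003)
44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:'
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
SAMPLE_NO_INTERMEDIATE='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)'

for s in "$SAMPLE_TIMEOUT" "$SAMPLE_NON_SSL" "$SAMPLE_OK" "$SAMPLE_NO_INTERMEDIATE"; do
    printf '%s\n' "$s" | classify_s_client
done
```

For a forced -cipher run against a server where that cipher was disabled, handshake-failed is the expected result; client-lacks-cipher means the local OpenSSL build cannot offer the cipher, so the run says nothing about the server.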