Using OpenSSL s_client commands to test SSL connectivity
Test SSL connectivity with s_client commands to check whether the certificate is valid, trusted, and complete.
Before you begin
Install OpenSSL software from http://www.openssl.org/.
Steps
- In the command line, enter openssl s_client -connect <hostname>:<port>.
  Result: This opens an SSL connection to the specified hostname and port and prints the SSL certificate.
- Check the availability of the domain from the connection results.
The following table includes some commonly used s_client commands. For more information, see OpenSSL s_client commands man page in the OpenSSL toolkit. To view a complete list of s_client commands in the command line, enter openssl -?.

| Command Options | Description | Example |
| --- | --- | --- |
| -connect | Tests connectivity to an HTTPS service. | openssl s_client -connect pingfederate.<YourDomain>.com:443 |
| -showcerts | Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues. | openssl s_client -connect <hostname>:<port> -showcerts |
| -tls1, -dtls1 | Forces TLSv1 and DTLSv1 respectively. | openssl s_client -connect <hostname>:<port> -tls1 |
| -cipher | Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL. | openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA |
Troubleshooting:
For troubleshooting connection and SSL handshake problems, see the following:
- If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
- If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn’t happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as
  44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:

After disabling a weak cipher, you can verify whether it has been disabled with the following command.
openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
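
The troubleshooting cases above and the weak-cipher check can be told apart from the s_client output itself. The following shell functions are an added example, not part of the original page; the function names, verdict names, and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Verdict names are this example's own.

classify_s_client() {   # reads captured s_client output on stdin, prints one verdict
    out=$(cat)
    case "$out" in
        # The local OpenSSL build lacks the cipher, so nothing was tested on the server.
        *"no cipher match"*|*"no ciphers available"*) echo client_unsupported; return 0 ;;
        *CONNECTED*) ;;                     # socket opened; inspect the handshake below
        *) echo unreachable; return 0 ;;    # e.g. "connect: Operation timed out"
    esac
    # A completed handshake reports "Cipher is <name>"; a failed one reports "(NONE)".
    if printf '%s\n' "$out" | grep 'Cipher is ' | grep -qv '(NONE)'; then
        echo accepted; return 0
    fi
    # A TLS alert means the peer speaks TLS but refused what the client offered.
    if printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo rejected; return 0
    fi
    # Any other handshake error after CONNECTED: the service is not answering with TLS.
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|wrong version number'; then
        echo no_tls; return 0
    fi
    echo unknown
}

# Live check using only the options shown on this page; stdin is closed so s_client exits.
check_cipher() {        # usage: check_cipher <hostname> <port> <cipher>
    openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>&1 | classify_s_client
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_TIMEOUT='connect: Operation timed out'
SAMPLE_NO_TLS='CONNECTED(00000003)
44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:182:'
SAMPLE_REJECTED='CONNECTED(00000003)
1:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'

# Helper for trying the classifier on one of the samples above.
classify_sample() { printf '%s\n' "$1" | classify_s_client; }
```

After a weak cipher has been disabled, check_cipher <hostname> <port> EXP-RC4-MD5 should report rejected. A client_unsupported verdict says nothing about the server, because the local OpenSSL build never offered the cipher.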