Using OpenSSL s_client commands to test SSL connectivity

Test SSL connectivity with s_client commands to check whether the certificate is valid, trusted, and complete.

Before you begin

Install OpenSSL software from http://www.openssl.org/.

Steps

In the command line, enter openssl s_client -connect <hostname>:<port>.

Result:

This opens an SSL connection to the specified hostname and port and prints the SSL certificate.

Check the availability of the domain from the connection results.

The following table includes some commonly used s_client commands. For more information, see OpenSSL s_client commands man page in the OpenSSL toolkit.

To view a complete list of s_client commands in the command line, enter openssl -?.

Command Options Description Example

Command Options	Description	Example
`-connect`	Tests connectivity to an HTTPS service.	`openssl s_client -connect pingfederate.<YourDomain>.com:443`
`-showcerts`	Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.	`openssl s_client -connect <hostname>:<port> -showcerts`
`-tls, -dtls1`	Forces TLSv1 and DTLSv1 respectively.	`openssl s_client -connect <hostname>:<port> -tls1`
`-cipher`	Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the `openssl ciphers` command to see a list of available ciphers for OpenSSL.	`openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA`

-connect

Tests connectivity to an HTTPS service.

openssl s_client -connect pingfederate.<YourDomain>.com:443

-showcerts

Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.

openssl s_client -connect <hostname>:<port> -showcerts

-tls, -dtls1

Forces TLSv1 and DTLSv1 respectively.

openssl s_client -connect <hostname>:<port> -tls1

-cipher

Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL.

openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA

Troubleshooting:

For troubleshooting connection and SSL handshake problems, see the following:
- If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
- If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn’t happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as 44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:.
  
  After disabling a weak cipher, you can verify if it has been disabled or not with the following command.
  openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5

SSL Labs

Use Cases

Using OpenSSL s_client commands to test SSL connectivity

Before you begin

Steps

Result:

Related links