---
title: Using OpenSSL s_client commands to test SSL connectivity
description: Use OpenSSL s_client commands to evaluate and troubleshoot certificates and secure connections.
component: solution-guides
page_id: solution-guides:standards_and_protocols_use_cases:htg_use_openssl_to_test_ssl_connectivity
canonical_url: https://docs.pingidentity.com/solution-guides/standards_and_protocols_use_cases/htg_use_openssl_to_test_ssl_connectivity.html
revdate: April 8, 2025
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  related-links: Related links
---

# Using OpenSSL s\_client commands to test SSL connectivity

Test SSL connectivity with `s_client` commands to check whether the certificate is valid, trusted, and complete.

## Before you begin

Install OpenSSL software from <http://www.openssl.org/>.

## Steps

1. In the command line, enter `openssl s_client -connect` *\<hostname>*`:<port>`.

   ### Result:

   This opens an SSL connection to the specified hostname and port and prints the SSL certificate.

2. Check the availability of the domain from the connection results.

   The following table includes some commonly used `s_client` commands. For more information, see [OpenSSL s\_client commands man page](https://docs.openssl.org/master/man1/openssl-cmds/) in the OpenSSL toolkit.

   To view a complete list of `s_client` commands in the command line, enter `openssl -?`.

   | Command Options | Description                                                                                                                                                       | Example                                                                  |
   | --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
   | `-connect`      | Tests connectivity to an HTTPS service.                                                                                                                           | `openssl s_client -connect pingfederate.<YourDomain>.com:443`            |
   | `-showcerts`    | Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.            | `openssl s_client -connect <hostname>:<port> -showcerts`                 |
   | `-tls, -dtls1`  | Forces TLSv1 and DTLSv1 respectively.                                                                                                                             | `openssl s_client -connect <hostname>:<port> -tls1`                      |
   | `-cipher`       | Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the `openssl ciphers` command to see a list of available ciphers for OpenSSL. | `openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA` |

3. Troubleshooting:

   For troubleshooting connection and SSL handshake problems, see the following:

   * If there is a connection problem reaching the domain, the OpenSSL `s_client -connect` command waits until a timeout occurs and prints an error, such as `connect: Operation timed out`.

   * If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. `CONNECTED (00000003)` prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as `44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:`.

     After disabling a weak cipher, you can verify if it has been disabled or not with the following command.

     ```shell
     openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
     ```

## Related links

* [SSL Labs](https://www.ssllabs.com/ssltest/)