s_client.1s
Test TLS/SSL connections to servers
SYNOPSIS
openssl s_client [options]
PARAMETERS
-connect host:port
Specifies the remote host and port to connect to. This is typically the first and most essential option.
-cert filename
Specifies the client certificate file to use for client authentication.
-key filename
Specifies the private key file corresponding to the client certificate.
-CAfile filename
A file containing trusted CA certificates in PEM format. Used to verify the server's certificate.
-CApath directory
A directory containing trusted CA certificates in PEM format, hashed by subject. Used to verify the server's certificate.
-verify depth
Turns on server certificate verification and sets the maximum accepted chain depth. The depth counts CA certificates above the leaf: 0 accepts only a self-signed leaf, 1 allows a leaf signed directly by a trusted CA, and so on; a longer chain fails with X509_V_ERR_CERT_CHAIN_TOO_LONG. Verification errors are reported but do not abort the handshake unless -verify_return_error is also given.
-showcerts
Displays the entire server certificate chain received during the handshake, including intermediate CAs.
-debug
Prints extensive debugging information, including a hex dump of all data sent and received during the handshake and afterwards.
-state
Prints the SSL/TLS handshake state as it progresses.
-crlf
Translates a line feed from the terminal input into CR+LF, as required by protocols such as SMTP and HTTP that expect CRLF line endings.
-quiet
Inhibits printing of the session and certificate information after the handshake. This implicitly also turns on -ign_eof, so the connection is not shut down when end of file is reached on input.
-servername name
Specifies the hostname for Server Name Indication (SNI), allowing the client to request a specific certificate from servers hosting multiple domains. OpenSSL 1.1.1 and later send the -connect hostname as SNI by default; give -servername explicitly to request a different virtual host, or -noservername to send no SNI at all.
-alpn protocols
Specifies a comma-separated list of Application-Layer Protocol Negotiation (ALPN) protocols to offer the server (e.g., 'h2,http/1.1').
-sess_out file
Writes the negotiated session data to a file for later resumption.
-sess_in file
Reads session data from a file to attempt session resumption.
-reconnect
Reconnects to the same server five times using the same session ID, as a test that session caching and resumption work on the server.
-starttls protocol
Initiates a plain text connection and then upgrades it to SSL/TLS using the specified protocol (e.g., 'smtp', 'ftp', 'pop3', 'imap', 'xmpp', 'ldap').
-msg
Shows all SSL/TLS messages that are sent and received.
-cipher list
Specifies a list of acceptable OpenSSL ciphers for SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 protocols.
-cipher_suites list
Specifies a list of acceptable TLSv1.3 cipher suites. This option is distinct from -cipher; the two may be given together to control both TLSv1.3 and the earlier protocol versions.
-min_protocol protocol
Sets the minimum acceptable SSL/TLS protocol version (e.g., TLSv1.2).
Supported protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
-max_protocol protocol
Sets the maximum acceptable SSL/TLS protocol version (e.g., TLSv1.3).
Supported protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
-no_ssl3
Disables SSLv3.
-no_tls1
Disables TLSv1.0.
-no_tls1_1
Disables TLSv1.1.
-no_tls1_2
Disables TLSv1.2.
-no_tls1_3
Disables TLSv1.3.
DESCRIPTION
The openssl s_client command is a versatile utility within the OpenSSL toolkit designed for establishing and analyzing SSL/TLS connections to remote hosts. It acts as a client, allowing users to interact with SSL/TLS servers, test server configurations, debug handshake issues, and inspect certificate chains. This tool is invaluable for administrators and developers to verify that a server's SSL/TLS setup is correct, to check if specific protocols or ciphers are supported, and to troubleshoot connectivity problems. It can display detailed information about the connection, including the negotiated protocol and cipher suite, the server's certificate, and the entire certificate chain received. Users can also provide client certificates for mutual authentication or load pre-existing session tickets for session resumption testing. Its interactive nature after a successful handshake makes it a powerful debugger for encrypted communication.
CAVEATS
s_client completes the handshake even when the server's certificate fails verification: the failure appears only in the "verify error" and "Verify return code" lines, and the exit status stays 0. Read that line before trusting a result, or pass -verify_return_error to make a verification failure abort the handshake.
Firewalls can block connections to specific ports, leading to connection timeouts or failures, even if the server is correctly configured.
Certificate verification failures are common and can be due to untrusted CAs, expired certificates, hostname mismatches, or incomplete certificate chains. Hostname matching is only performed when -verify_hostname is given, so without it a certificate issued for the wrong name still yields "Verify return code: 0 (ok)".
Certificate and key paths are resolved relative to the current working directory, and files that cannot be read (wrong permissions or owner) cause errors when they are loaded.
Protocols and cipher suites specified must be supported by both the client (OpenSSL version) and the server, otherwise handshakes will fail.
-cipher governs TLSv1.2 and earlier while -cipher_suites governs TLSv1.3; restricting only one of them leaves the other version's defaults in place, so a "restricted" probe may still negotiate a protocol or suite you did not intend to allow.
COMMON USE CASES
1. Verify Server Certificate and Chain: Use -showcerts and -verify to inspect the server's certificate and ensure its chain is valid and trusted.
2. Test Specific Protocols/Ciphers: Use -min_protocol, -max_protocol, -cipher, or -cipher_suites to check if a server supports particular security configurations.
3. Debug SNI Issues: Use -servername to ensure that the correct certificate is presented when a server hosts multiple domains.
4. Check Mutual Authentication: Use -cert and -key to test client certificate-based authentication.
5. Test STARTTLS: Use -starttls with specific protocol names (e.g., smtp, imap) to test services that upgrade from plain text to SSL/TLS.
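The use cases above are usually scripted rather than typed, and the caveats apply doubly then: s_client must not be left waiting for interactive input, and the verification result has to be read out of its text output. The script below is an added example, not part of the OpenSSL documentation or code base; it runs s_client non-interactively, extracts the negotiated protocol, cipher and verify code, and applies a small policy (TLSv1.2 or newer, certificate verified). Host names are placeholders, the default trust store is used, and the embedded s_client output is a constructed, abridged sample so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example for scripting openssl s_client (not from the OpenSSL project).
# Assumes OpenSSL 1.1.1 or later for -verify_hostname and default SNI.

# Run s_client against HOST PORT without entering interactive mode (stdin is
# /dev/null, so the connection closes right after the handshake). Any extra
# arguments (-starttls smtp, -cert/-key, -max_protocol ...) are passed through.
tls_probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" "$@" </dev/null 2>&1
}

# Reduce s_client output on stdin to one line: "<protocol> <cipher> <verifycode>".
# "New, TLSv1.3, Cipher is ..." is printed after every fresh handshake (it
# reads "Reused, ..." on resumption); a failed handshake shows "(NONE)".
tls_summary() {
    awk '
        /^(New|Reused), /     { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1 }
        END { printf "%s %s %s\n", proto, cipher, code }
    '
}

# Policy: protocol must be TLSv1.2 or TLSv1.3 and the chain must verify (code 0).
# Usage: tls_policy PROTOCOL CIPHER VERIFYCODE ; returns 1 on violation.
tls_policy() {
    case $1 in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: negotiated protocol '$1' is below TLSv1.2 (or handshake failed)"; return 1 ;;
    esac
    if [ "$3" != "0" ]; then
        echo "FAIL: certificate verification failed (Verify return code $3)"
        return 1
    fi
    echo "OK: $1 $2, certificate verified"
}

# Full check of one endpoint; the exit status reflects the policy.
# Usage: tls_check HOST PORT [extra s_client options], for example
#   tls_check www.example.com 443
#   tls_check mail.example.com 587 -starttls smtp
#   tls_check api.example.com 443 -cert client.pem -key client.key
#   tls_check www.example.com 443 -max_protocol TLSv1.1   # should report FAIL
tls_check() {
    summary=$(tls_probe "$@" | tls_summary)
    set -- $summary
    tls_policy "$@"
}

# Constructed, abridged sample of s_client output so the parser runs offline.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=2 C = US, O = Example Root CA
verify return:1
depth=1 C = US, O = Example Intermediate CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Intermediate CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---
DONE'

summary=$(printf '%s\n' "$SAMPLE_OUTPUT" | tls_summary)
echo "summary: $summary"
set -- $summary
tls_policy "$@"
```

The parser keys on the "New, ..., Cipher is ..." line rather than the SSL-Session block because that line is printed by every OpenSSL version immediately after the handshake, including when it fails; a "(NONE)" protocol then trips the policy. Pass -CAfile or -CApath through the extra arguments when the server uses a private CA.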
INTERACTIVE MODE
After a successful SSL/TLS handshake, openssl s_client enters an interactive mode. Any input typed on the console is sent over the encrypted connection to the server, and any data received from the server is decrypted and printed to the console. This allows direct interaction with the server, making it possible to send application-layer commands (such as an HTTP GET request) and read the responses in the clear, which is valuable for debugging application-level protocols over TLS. Two input lines are special: a line beginning with Q closes the connection and a line beginning with R requests renegotiation (TLSv1.2 and earlier); pass -nocommands to disable these command letters when the data itself might start with them. End of file on input also closes the connection unless -ign_eof (or -quiet, which implies it) is given.
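The same interaction can be driven from a pipe instead of the keyboard, which is how s_client is normally used to fetch a page or check a status code. The script below is an added example (not OpenSSL's own code) of the idiom: build an HTTP/1.1 request with explicit CRLF line endings (s_client only converts LF to CRLF when -crlf is given), push it through s_client with -quiet and -nocommands so the banner is suppressed, the connection stays open until the server closes it, and no request line is mistaken for a Q or R command, and parse the status line out of the response. Host names are placeholders and the embedded response is a constructed sample so the parsing runs offline.

```shell
#!/bin/sh
# Added example: scripted HTTP over s_client (not from the OpenSSL project).
# Assumes OpenSSL 1.1.1 or later for -verify_hostname and -nocommands.

# Build an HTTP/1.1 GET with the CRLF line endings HTTP requires.
# Usage: http_get_request HOST PATH
http_get_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Send the request through s_client and emit the raw response on stdout.
# -quiet drops the handshake banner and implies -ign_eof, so s_client keeps
# reading after stdin is exhausted until the server closes (Connection: close
# makes it do so). -verify_return_error aborts instead of talking to a server
# whose certificate does not verify. Usage: https_get HOST [PATH]
https_get() {
    host=$1; path=${2:-/}
    http_get_request "$host" "$path" |
        openssl s_client -connect "$host:443" -servername "$host" \
            -verify_hostname "$host" -verify_return_error \
            -quiet -nocommands 2>/dev/null
}

# Extract the status code from an HTTP response on stdin (first line,
# second field); the CR is stripped so the code compares cleanly.
http_status() {
    head -n 1 | tr -d '\r' | awk '$1 ~ /^HTTP\// { print $2 }'
}

# Constructed sample response so the parsing can be exercised offline.
# A live call is:  https_get www.example.com /health | http_status
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0
'

printf '%s' "$SAMPLE_RESPONSE" | http_status   # prints 301
```

For protocols that do not close the connection on their own (SMTP after STARTTLS, for instance) the same pipeline works if the input ends with the protocol's own quit command; otherwise s_client, with -ign_eof in effect, waits for the server indefinitely.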
HISTORY
The s_client utility is an integral part of the OpenSSL project, which originated in 1998 as a successor to the SSLeay library. Its development has closely tracked the evolution of the SSL/TLS protocols themselves, from the early SSLv2/v3 versions to the modern TLS 1.3. As new protocol features, cipher suites, and security enhancements (like SNI and ALPN) have been introduced, s_client has been updated to support them, making it an indispensable tool for anyone working with secure network communications. Its command-line interface has remained largely consistent, reflecting its long-standing utility and widespread adoption across Unix-like operating systems.