LinuxCommandLibrary

s_client.1s

Test TLS/SSL connections to servers

SYNOPSIS

openssl s_client [options]

PARAMETERS

-host hostname
    The hostname or IP address to connect to.

-port port
    The port number to connect to (default: 443).

-cert filename
    Specifies the client certificate to use.

-key filename
    Specifies the client private key to use.

-CAfile filename
    Specifies a file containing trusted CA certificates.

-CApath directory
    Specifies a directory containing trusted CA certificates.

-cipher cipherlist
    Specifies the cipher suites to use.

-ssl2
    Uses SSLv2 protocol (deprecated and insecure).

-ssl3
    Uses SSLv3 protocol (deprecated and insecure).

-tls1
    Uses TLSv1.0 protocol (deprecated).

-tls1_1
    Uses TLSv1.1 protocol (deprecated).

-tls1_2
    Uses TLSv1.2 protocol.

-tls1_3
    Uses TLSv1.3 protocol.

-dtls1
    Uses DTLSv1.0 protocol.

-dtls1_2
    Uses DTLSv1.2 protocol.

-servername name
    Specifies the server name to use for SNI (Server Name Indication).

-showcerts
    Displays all certificates in the chain.

-verify depth
    Sets the certificate verification depth. 0 means only the root CA is checked. The default is 0 if -CAfile/-CApath are specified, and 9 otherwise.

-brief
    Provides brief output (only useful for automation).

-connect host:port
    An alternative way to specify the host and port.

-starttls protocol
    Starts a TLS session over an existing connection, where protocol is e.g. smtp, pop3, imap, ldap, xmpp. This is for protocols using STARTTLS.

DESCRIPTION

The s_client command is a diagnostic tool provided with OpenSSL. It establishes a Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connection to a remote host.
It's primarily used for testing and debugging SSL/TLS configurations on servers. It allows a user to act as a basic SSL/TLS client, negotiating ciphers, verifying certificates, and sending/receiving data.
s_client can be useful for checking if a server is properly configured, testing certificate chains, verifying cipher suites, or troubleshooting connection problems. Data can be sent interactively through the terminal or by using other OpenSSL utility commands.
The tool provides verbose output on the connection setup process, including certificate information, cipher suites negotiated, and protocol versions. Note: s_client is a powerful tool for diagnosing TLS/SSL problems but doesn't replace the proper security analysis from qualified security experts.

CAVEATS

The s_client command should not be used as a client in production systems; it is purely for diagnostics and testing. The security of a session depends on the options given, so be sure to use TLSv1.2 or TLSv1.3 and secure ciphers to provide an encrypted connection.

SENDING DATA

After the SSL/TLS connection is established, you can type data into the terminal and press Enter to send it to the server. The server's response (if any) will be displayed in the terminal. To exit the connection, enter 'Q', 'q' or Ctrl+D.

ERROR HANDLING

s_client provides a lot of debugging information to help with troubleshooting. If errors occur during the SSL/TLS handshake, s_client prints diagnostic messages to the standard error stream. These messages often indicate problems with certificates, cipher suites, or protocol versions. For certificate-related errors, check that the CAfile or CApath is correctly configured.
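
The -brief summary can be checked in a script for the protocol and certificate problems described above. This is an added example, not part of the original page or of OpenSSL: tls_report, tls_probe and the sample summaries are hypothetical names and constructed data, and the line labels it matches are an assumption about -brief output in recent OpenSSL releases.

```shell
#!/bin/sh
# Added example: gate on what `openssl s_client -brief` reports.
# Assumption: the summary uses the labels "Protocol version:", "Ciphersuite:",
# "Verification: OK" and "Verification error: <reason>".

# Constructed samples in the shape of -brief output (not captured from a real host).
SAMPLE_OK='CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = app.example.test
Verification: OK'
SAMPLE_OLD='CONNECTION ESTABLISHED
Protocol version: TLSv1
Ciphersuite: ECDHE-RSA-AES256-SHA
Verification: OK'
SAMPLE_BADCA='CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256
Verification error: unable to get local issuer certificate'

# Read a -brief summary on stdin, print "protocol cipher verification".
# Exit: 0 ok, 1 protocol is not TLSv1.2 or TLSv1.3, 2 chain not verified, 3 no handshake.
tls_report() {
    awk -F': ' '
        $1 == "Protocol version"   { proto = $2 }
        $1 == "Ciphersuite"        { cipher = $2 }
        $1 == "Verification"       { verify = $2 }
        $1 == "Verification error" { verify = "FAIL(" $2 ")" }
        END {
            if (proto == "") { print "no-handshake"; exit 3 }
            print proto, cipher, verify
            if (verify != "OK") exit 2
            if (proto != "TLSv1.2" && proto != "TLSv1.3") exit 1
        }'
}

# Hypothetical wrapper: tls_probe HOST PORT CAFILE
# Both streams are captured because the brief summary may go to stderr.
tls_probe() {
    openssl s_client -brief -connect "$1:$2" -servername "$1" -CAfile "$3" \
        </dev/null 2>&1 | tls_report
}

# Demo over the constructed samples (no network access).
for s in "$SAMPLE_OK" "$SAMPLE_OLD" "$SAMPLE_BADCA"; do
    rc=0
    printf '%s\n' "$s" | tls_report || rc=$?
    echo "  -> exit status $rc"
done
```

In a monitoring job, the exit status of tls_probe separates a deprecated protocol (1) from an untrusted chain (2) and from a failed connection (3).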

SEE ALSO

openssl(1), openssl-verify(1), openssl-ciphers(1)
