s_client.1s
Test TLS/SSL connections to servers
SYNOPSIS
openssl s_client [options]
PARAMETERS
-host hostname
The hostname or IP address to connect to.
-port port
The port number to connect to (default: 443).
-cert filename
Specifies the client certificate to use.
-key filename
Specifies the client private key to use.
-CAfile filename
Specifies a file containing trusted CA certificates.
-CApath directory
Specifies a directory containing trusted CA certificates.
-cipher cipherlist
Specifies the cipher suites to use.
-ssl2
Uses SSLv2 protocol (deprecated and insecure).
-ssl3
Uses SSLv3 protocol (deprecated and insecure).
-tls1
Uses TLSv1.0 protocol (deprecated).
-tls1_1
Uses TLSv1.1 protocol (deprecated).
-tls1_2
Uses TLSv1.2 protocol.
-tls1_3
Uses TLSv1.3 protocol.
-dtls1
Uses DTLSv1.0 protocol.
-dtls1_2
Uses DTLSv1.2 protocol.
-servername name
Specifies the server name to use for SNI (Server Name Indication).
-showcerts
Displays all certificates in the chain.
-verify depth
Sets the certificate verification depth. 0 means only the root CA is checked. The default is 0 if -CAfile/-CApath are specified, and 9 otherwise.
-brief
Provides brief output (only useful for automation).
-connect host:port
An alternative way to specify the host and port.
-starttls protocol
Starts a TLS session over an existing connection, where protocol is e.g. smtp, pop3, imap, ldap, xmpp. This is for protocols using STARTTLS.
DESCRIPTION
The s_client command is a diagnostic tool provided with OpenSSL. It establishes a Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connection to a remote host.
It's primarily used for testing and debugging SSL/TLS configurations on servers. It allows a user to act as a basic SSL/TLS client, negotiating ciphers, verifying certificates, and sending/receiving data.
s_client can be useful for checking whether a server is properly configured, testing certificate chains, verifying cipher suites, or troubleshooting connection problems. Data can be sent interactively through the terminal or by using other OpenSSL utility commands.
The tool provides verbose output on the connection setup process, including certificate information, the cipher suites negotiated, and protocol versions. Note: s_client is a powerful tool for diagnosing TLS/SSL problems, but it doesn't replace proper security analysis by qualified security experts.
CAVEATS
The s_client command should not be used as a client in production systems. It's purely for diagnostics and testing purposes. The security of a given invocation depends on the command options supplied: be sure to use TLSv1.2 or TLSv1.3 and secure ciphers to provide an encrypted connection.
SENDING DATA
After the SSL/TLS connection is established, you can type data into the terminal and press Enter to send it to the server. The server's response (if any) will be displayed in the terminal. To exit the connection, enter 'Q', 'q' or Ctrl+D.
ERROR HANDLING
s_client provides a lot of debugging information to help with troubleshooting. If errors occur during the SSL/TLS handshake, s_client prints diagnostic messages to the standard error stream. These messages often indicate problems with certificates, cipher suites, or protocol versions. For certificate-related errors, check that the CAfile or CApath is correctly configured.
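One way to act on the diagnostics described under DESCRIPTION and ERROR HANDLING, as an added example that is not part of the original page or of OpenSSL: a shell function that reads s_client output and reports whether the negotiated protocol is one this page lists as deprecated and whether certificate verification returned 0. The function name, verdict strings and sample reports are constructed for illustration.

```sh
#!/bin/sh
# Added example: reduce the verbose s_client report to a one-line verdict.
# Real use (needs network; HOST and ca.pem are placeholders):
#   openssl s_client -connect HOST:443 -servername HOST -CAfile ca.pem \
#       </dev/null 2>&1 | audit_s_client
# Assumed layout: SSL-Session lines as printed by OpenSSL 1.1.1 and 3.x.
audit_s_client() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); proto = $0 }
        /^[ \t]*Cipher[ \t]*:/   { sub(/^[^:]*:[ \t]*/, ""); cipher = $0 }
        /Verify return code:/    { sub(/^.*Verify return code:[ \t]*/, "")
                                   vcode = $1; vtext = $0 }
        END {
            # A failed handshake still prints a session block, cipher 0000.
            if (proto == "" || cipher == "" || cipher == "0000") {
                print "NO-HANDSHAKE"; exit 1
            }
            # Protocol versions this page lists as deprecated or insecure.
            if (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                print "DEPRECATED-PROTOCOL " proto " " cipher; exit 1
            }
            # Any code other than 0 means the chain was not validated.
            if (vcode != "0") {
                print "CERT-NOT-VERIFIED " proto " " cipher " [" vtext "]"; exit 1
            }
            print "OK " proto " " cipher
        }'
}
# Constructed, abridged sample reports (not captured from a real server).
sample_ok() { cat <<'EOF'
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
EOF
}
sample_untrusted() { cat <<'EOF'
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
sample_old() { cat <<'EOF'
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
EOF
}
for s in sample_ok sample_untrusted sample_old; do
    "$s" | audit_s_client || true
done
```

s_client completes the handshake even when verification fails unless -verify_return_error is given, so the verify return code has to be checked explicitly.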
SEE ALSO
openssl(1), openssl-verify(1), openssl-ciphers(1)