OpenSSL is an open-source software library that provides cryptographic functions and tools for secure communication over computer networks. It implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which are essential for encrypting data transmitted over the Internet and ensuring confidentiality, integrity, and authentication. OpenSSL comes preinstalled on almost all Linux distributions. In this tutorial, you will learn how to use the OpenSSL s_client tool to test SSL/TLS connections.
Test SSL connection with OpenSSL s_client command
OpenSSL s_client is a diagnostic tool provided by OpenSSL. It allows users to connect to a remote server over SSL/TLS and displays detailed information about the connection, including the server’s certificate and the cipher suite used.
You can use the s_client tool in the following manner:
$ openssl s_client -connect <host>:<port>
For example, let’s check the SSL connection to https://google.com. You can do this by using the command:
$ openssl s_client -connect google.com:443
And you should get a similar output:
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = *.google.com
verify return:1
Certificate chain
0 s:CN = *.google.com
i:C = US, O = Google Trust Services, CN = WR2
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 9 08:36:18 2024 GMT; NotAfter: Mar 3 08:36:17 2025 GMT
1 s:C = US, O = Google Trust Services, CN = WR2
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
Server certificate
-----BEGIN CERTIFICATE-----
MIIOCjCCDPKgAwIBAgIRANERcBmQhxEWCf0Wha+2dDQwDQYJKoZIhvcNAQELBQAw
…
v6UcZPB82aISNkLMOnYM/13lklT3rQfSxiarKoFrunjLpmqXLm8OfgJ9XwkZ+i9e
7ACEhRhCjV8aYBkZ7lkeXbtDbpN6em2O6XqavyQKfDM7S5w7PEJbKosliVRKeCSB
DrRUt75eDiWKq4X2C+CUWFiTaaEttI2r3G4GmqIwVuDl60STgMxTOuZKGbJDAQ==
-----END CERTIFICATE-----
subject=CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
SSL handshake has read 6590 bytes and written 392 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 7E47DEC5B5929FD153E9D4E21BAA9B44D67E1FD936B451AD7440066780AF9CD6
Session-ID-ctx:
Resumption PSK: 294249B6752F0A655E26B1E4A21FC364223CBBEFCFE083FD811DD445E9A8B16D067DB419E5C729778EB04FEE18FCF9D0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172799 (seconds)
TLS session ticket:
Start Time: 1736859994
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 14336
read R BLOCK
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: B2ACD78F3B5148DB3EB8886262F6B2835261A762E5188035F10F002711953E02
Session-ID-ctx:
Resumption PSK: 4E8A3D784F9B4382ADF7B05C2ADE50DBF61E70DA6DE2E13CC9321D13C4A4AAE5C85655143E7988BCF0C748C8F9756CCD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172799 (seconds)
TLS session ticket:
Start Time: 1736859994
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 14336
read R BLOCK
HTTP/1.0 400 Bad Request
Content-Length: 54
Content-Type: text/html; charset=UTF-8
Date: Tue, 14 Jan 2025 13:06:34 GMT
As you can see, there is detailed information about the SSL certificate, TLS version, ciphers, and even the SSL handshake between the client and the server.
From the output we can see that we connected successfully:
CONNECTED(00000003)
You will find more details about the certificates, such as the period during which the certificate is valid:
v:NotBefore: Dec 9 08:36:18 2024 GMT; NotAfter: Mar 3 08:36:17 2025 GMT
Then, the TLS version and cipher that were negotiated with the server:
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Also, you will find the SSL certificate.
Server certificate
-----BEGIN CERTIFICATE-----
MIIOCjCCDPKgAwIBAgIRANERcBmQhxEWCf0Wha+2dDQwDQYJKoZIhvcNAQELBQAw…
…
To check the SSL certificate chain, you can also use the command:
$ openssl s_client -connect google.com:443 -showcerts
Specifying TLS version
Let’s now try to connect by specifying the TLS version in the command. For this example, let’s use TLS version 1.0.
$ openssl s_client -tls1 -connect google.com:443
And you should receive a similar output:
CONNECTED(00000003)
40E79564507F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Notice the lines:
40E79564507F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
SSL handshake has read 0 bytes and written 7 bytes
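The TLS 1.0 protocol is not available and the SSL handshake was unsuccessful, which is expected because TLS versions 1.0 and 1.1 are deprecated. The error is raised in tls_setup_handshake with 0 bytes read, which means the local OpenSSL client refused to offer the protocol, so this result by itself does not show what the server would accept. Note also that the output still prints Verification: OK and Verify return code: 0 (ok) although no peer certificate was received, so check the protocol and cipher lines and do not rely on the verification lines alone. If you use TLS 1.2 or TLS 1.3 instead, the connection will be successful:
$ openssl s_client -tls1_3 -connect google.com:443 -brief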
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN = *.google.com
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
The -brief flag used above gives shorter output from the OpenSSL s_client command.
Unable to establish SSL connection.
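If you are trying to connect to a URL that doesn’t have an SSL certificate installed, you will receive output like the following. Here errno=110 (Connection timed out) shows that the TCP connection to the port failed before any TLS handshake started: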
4097247D5C7F0000:error:8000006E:system library:BIO_connect:Connection timed out:../crypto/bio/bio_sock2.c:125:calling connect()
4097247D5C7F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:127:
connect:errno=110
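The outcomes shown above (a completed handshake, the refused -tls1 attempt, and the failed TCP connect) can be told apart in a script. The following is an added example, not part of the original article: the names check_handshake and sample_* are assumptions, and the self-signed sample is constructed. It treats a missing or (NONE) cipher as a failure even when the output prints Verification: OK.

```shell
#!/bin/sh
# Added example (not from the original article): classify s_client output on stdin.
# Prints "OK <protocol> <cipher>" or "FAIL <reason>"; exit status is 0 or 1.
check_handshake() {
    awk '
        /^New, /                { p = $2; sub(/,$/, "", p); c = $NF }  # full output
        /^Protocol version: /   { p = $3 }                             # -brief output
        /^Ciphersuite: /        { c = $2 }
        /Verify return code: /  { code = $4 }
        /^Verification error: / { verr = 1 }
        /:error:/ && reason == "" { split($0, f, ":"); reason = f[6] }
        END {
            # No negotiated cipher means no handshake, whatever "Verification:" says.
            if (c == "" || c == "(NONE)") {
                msg = "FAIL no-handshake"
                if (reason != "") msg = msg ": " reason
                print msg; exit 1
            }
            if (verr || code + 0 != 0) { print "FAIL certificate-verify code=" code; exit 1 }
            print "OK", p, c
        }'
}
# Excerpts of the two outputs shown in the article.
sample_tls13() { cat <<'EOF'
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
}
sample_tls1() { cat <<'EOF'
40E79564507F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
Verification: OK
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
EOF
}
# Constructed sample (not from the article): handshake completes, chain is untrusted.
sample_selfsigned() { cat <<'EOF'
Verification error: self-signed certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)
EOF
}
# Live use: openssl s_client -connect google.com:443 </dev/null 2>&1 | check_handshake
for s in sample_tls13 sample_tls1 sample_selfsigned; do
    printf '%-18s ' "$s"; "$s" | check_handshake || true
done
```

Redirecting stdin from /dev/null makes s_client exit once the handshake is done, and 2>&1 is needed because the error lines are written to stderr.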
Test IMAP, POP3, and SMTP connections with OpenSSL
You can also use the OpenSSL s_client to test the connections to the mail server for IMAP, POP3, and SMTP.
For SMTP, you should include the -starttls option, which tells the email server to upgrade from an insecure connection to a secure one. You should also include the -crlf option and specify the TLS version and SMTP port 587.
$ openssl s_client -tls1_2 -crlf -connect outlook.office365.com:587 -starttls smtp -brief
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer certificate: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
Hash used: SHA256
Signature type: RSA-PSS
Verification: OK
Server Temp Key: ECDH, secp384r1, 384 bits
250 SMTPUTF8
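For services that use implicit TLS, no -starttls option is needed. For example, to check the IMAP connection on its implicit port 993 (the POP3 connection with implicit port 995 is checked the same way), you can use the command: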
$ openssl s_client -connect outlook.office365.com:993 -crlf -brief
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
Hash used: SHA256
Signature type: RSA-PSS
Verification: OK
Server Temp Key: ECDH, secp384r1, 384 bits
OK The Microsoft Exchange IMAP4 service is ready. [QwBIADUAUAAyADIAMgBDAEEAMAAwADIAMwAuAE4AQQBNAFAAMgAyADIALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
Conclusion
OpenSSL’s s_client is a versatile tool for testing SSL/TLS connectivity, verifying certificates, and debugging secure connections. It can help you diagnose your website SSL connection or your mail server, verify protocol support, or check for proper certificate configuration.