How To Use OpenSSL s_client To Check and Verify SSL/TLS Of HTTPS Webserver?


OpenSSL provides different features and tools for SSL/TLS related operations. s_lient is a tool used to connect, check, list HTTPS, TLS/SSL related information. Simply we can check remote TLS/SSL connection with s_client . In these tutorials, we will look at different use cases of s_client .

Check TLS/SSL Of Website

The basic and most popular use case for s_client is just connecting remote TLS/SSL website. We will provide the web site with the HTTPS port number. In this example we will connect to the poftut.com .

$ openssl s_client -connect poftut.com:443
Check TLS/SSL Of Website
Check TLS/SSL Of Website

Check TLS/SSL Of Website with Specifying Certificate Authority

If the web site certificates are created in house or the web browsers or Global Certificate Authorities do not sign the certificate of the remote site we can provide the signing certificate or Certificate authority. We will use -CAfile by providing the Certificate Authority File.

$ openssl s_client -connect poftut.com:443 -CAfile /etc/ssl/CA.crt

Connect Smtp and Upgrade To TLS

We can use s_client to test SMTP protocol and port and then upgrade to TLS connection. We will use -starttls smtp command. We will use the following command.

$ openssl s_client -connect smtp.poftut.com:25 -starttls smtp

Connect HTTPS Site Disabling SSL2

HTTPS or SSL/TLS have different subversions. We can enable or disable the usage of some of them. In this example, we will disable SSLv2 connection with the following command.

$ openssl s_client -connect poftut.com:443 -no_ssl2

Connect HTTPS Only TLS1 or TLS2

Like the previous example, we can specify the encryption version. In this example, we will only enable TLS1 or TLS2 with the -tls1_2 .

$ openssl s_client -connect poftut.com:443 -tls1_2

Specify Cipher or Encryption Type

We can specify the cipher with the -cipher option like below.

$ openssl s_client -connect poftut.com:443 -cipher RC4-SHA

Connect HTTPS Only RC4-SHA

We can also specify the hash algorithm of the encryption protocol. In this example, we will only enable RC4-SHA hash algorithm for SSL/TLS connection. We will use -cipher RC4-SHA . All other encryption and Cipher types will be denied and the connection will be closed.

$ openssl s_client -connect poftut.com:443 -cipher RC4-SHA

Debug SSL/TLS To The HTTPS

While a SSL/TLS connection is made there is a lot of operation under the hood. If we have some problems or we need detailed information about the SSL/TLS initialization we can use -tlsextdebug option like below.

$ openssl s_client -connect poftut.com:443 -tlsextdebug
Debug SSL/TLS To The HTTPS
Debug SSL/TLS To The HTTPS

LEARN MORE  Linux mail and mailx Commands Tutorial With Examples and Send Email From Command Line

2 thoughts on “How To Use OpenSSL s_client To Check and Verify SSL/TLS Of HTTPS Webserver?”

Leave a Comment