OpenSSL provides various features and tools for SSL/TLS-related operations. s_client is a tool used to connect to remote services and to check and list HTTPS and TLS/SSL-related information. We can check a remote TLS/SSL connection with s_client. In this tutorial, we will look at different use cases of s_client.
Check TLS/SSL Of Website
The basic and most popular use case for s_client is connecting to a remote TLS/SSL website. We provide the host name of the web site together with the HTTPS port number. In this example we will connect to poftut.com.
$ openssl s_client -connect poftut.com:443

Check TLS/SSL Of Website Specifying a Certificate Authority
If the web site's certificate was created in house, or is not signed by a Certificate Authority that web browsers and global trust stores recognize, we can provide the signing certificate or Certificate Authority ourselves. We will use the -CAfile option to provide the Certificate Authority file.
$ openssl s_client -connect poftut.com:443 -CAfile /etc/ssl/CA.crt
Connect to SMTP and Upgrade To TLS
We can use s_client to test the SMTP protocol and port and then upgrade to a TLS connection. We will use the -starttls smtp option, as in the following command.
$ openssl s_client -connect smtp.poftut.com:25 -starttls smtp
Connect HTTPS Site Disabling SSL2
SSL/TLS has several protocol versions. We can enable or disable the use of some of them. In this example, we will disable SSLv2 connections with the following command.
$ openssl s_client -connect poftut.com:443 -no_ssl2
Connect HTTPS Only TLS 1.2
Like the previous example, we can specify the protocol version. In this example, we will allow only TLS 1.2 with the -tls1_2 option.
$ openssl s_client -connect poftut.com:443 -tls1_2
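s_client continues the handshake when certificate verification fails unless -verify_return_error is given, so a script has to read the "Verify return code" line instead of trusting the exit status. The following is an added example, not part of the original tutorial, that parses s_client output for the -CAfile and protocol version checks above; the function names and sample outputs are constructed, and it assumes the output contains an SSL-Session block in the form shown.

```shell
#!/bin/sh
# Added example: summarize and gate on saved `openssl s_client` output.
# tls_summary / tls_check and all sample text are constructed for illustration.

# Print "protocol cipher verify_code" from s_client output read on stdin.
tls_summary() {
    awk '
        /^ *Protocol *:/      { proto = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        /Verify return code:/ { code = $4 }
        END {
            if (proto == "")  proto = "-"
            if (cipher == "") cipher = "-"
            if (code == "")   code = "-"
            print proto, cipher, code
        }'
}

# Return 0 only when the chain verified (code 0) and TLS 1.2 or 1.3 was used;
# return 1 for a verification failure, 2 for an older or missing protocol.
tls_check() {
    set -- $(tls_summary)
    [ "$3" = "0" ] || { echo "FAIL verify=$3"; return 1; }
    case $1 in
        TLSv1.2|TLSv1.3) echo "OK $1 $2" ;;
        *) echo "FAIL protocol=$1"; return 2 ;;
    esac
}

# Constructed samples of the SSL-Session block that s_client prints.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_OLD='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)'

for sample in "$SAMPLE_OK" "$SAMPLE_UNTRUSTED" "$SAMPLE_OLD"; do
    printf '%s\n' "$sample" | tls_check || true
done
# Live use: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | tls_check
```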
Specify Cipher or Encryption Type
We can specify the cipher with the -cipher option like below.
$ openssl s_client -connect poftut.com:443 -cipher RC4-SHA
Connect HTTPS Only RC4-SHA
We can also restrict the connection to a single cipher suite. In this example, we will only enable the RC4-SHA cipher suite for the SSL/TLS connection. We will use -cipher RC4-SHA. All other ciphers will be refused, and the connection will be closed if the server does not accept RC4-SHA.
$ openssl s_client -connect poftut.com:443 -cipher RC4-SHA
Debug SSL/TLS Connection To HTTPS
While an SSL/TLS connection is being established, a lot happens under the hood. If we have problems or need detailed information about the SSL/TLS initialization, we can use the -tlsextdebug option like below.
$ openssl s_client -connect poftut.com:443 -tlsextdebug

great site! thanks!