How to use the command 'openssl s_client' (with examples)
OpenSSL command to create TLS client connections.
Use case 1: Display the start and expiry dates for a domain’s certificate
This use case is helpful when you need to quickly check the start and expiry dates of a certificate for a specific domain.
Code:
openssl s_client -connect host:port </dev/null 2>/dev/null | openssl x509 -noout -dates
Explanation:
openssl s_client
: Command to create a TLS client connection.
-connect host:port
: Specifies the host and port to connect to.
</dev/null
: Redirects standard input from /dev/null, so s_client exits once the handshake completes instead of waiting for input.
2>/dev/null
: Redirects standard error to /dev/null, to suppress any verbose output.
openssl x509 -noout -dates
: Extracts and displays the start and expiry dates of the certificate.
Example Output:
notBefore=Apr 18 00:00:00 2022 GMT
notAfter=Apr 19 23:59:59 2023 GMT
Use case 2: Display the certificate presented by an SSL/TLS server
This use case allows you to retrieve and examine the certificate presented by an SSL/TLS server.
Code:
openssl s_client -connect host:port </dev/null
Explanation:
openssl s_client
: Command to create a TLS client connection.
-connect host:port
: Specifies the host and port to connect to.
</dev/null
: Redirects standard input from /dev/null, so no input is provided to the server and s_client exits once the handshake completes.
Example Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ...
        Issuer: ...
        Validity
            Not Before: Apr 18 00:00:00 2022 GMT
            Not After : Apr 19 23:59:59 2023 GMT
        Subject: ...
        ...
Use case 3: Set the Server Name Indication (SNI) when connecting to the SSL/TLS server
Use this example to set the Server Name Indication (SNI) when establishing a connection to an SSL/TLS server. SNI is a TLS extension in which the client names the host it wants during the handshake, which allows multiple SSL/TLS certificates to be hosted on the same IP address.
Code:
openssl s_client -connect host:port -servername hostname
Explanation:
openssl s_client
: Command to create a TLS client connection.
-connect host:port
: Specifies the host and port to connect to.
-servername hostname
: Sets the SNI to the specified hostname.
Example output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ...
        Issuer: ...
        Validity
            Not Before: Apr 18 00:00:00 2022 GMT
            Not After : Apr 19 23:59:59 2023 GMT
        Subject: ...
        ...
Use case 4: Display the complete certificate chain of an HTTPS server
This use case is helpful when you need to examine the complete certificate chain of an HTTPS server.
Code:
openssl s_client -connect host:443 -showcerts </dev/null
Explanation:
openssl s_client
: Command to create a TLS client connection.
-connect host:443
: Specifies the host and port (443 for HTTPS) to connect to.
-showcerts
: Displays the complete certificate chain as sent by the server.
</dev/null
: Redirects standard input from /dev/null, so no input is provided to the server and s_client exits once the handshake completes.
Example output:
Certificate chain
0 s:
...
1 s:
...
...
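To examine each certificate in the chain from use case 4 on its own, the -showcerts output can be split into one PEM file per certificate and each file decoded with openssl x509. The script below is an added example, not part of the original page; the function names, the cert-N.pem file naming and the sample output are constructed for illustration.

```shell
# Added example, not from the original page. Function names and the
# cert-N.pem naming are assumptions made for this illustration.

# split_chain DIR: read `openssl s_client -showcerts` output on stdin, write
# each PEM block to DIR/cert-N.pem in the order the server sent it (0 is the
# server's own certificate), and print the number of certificates found.
split_chain() {
    dir=$1
    mkdir -p "$dir" || return 1
    awk -v dir="$dir" '
        BEGIN { n = 0 }
        /^-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ && inside { close(out); n++; inside = 0 }
        END { print n }
    '
}

# fetch_chain HOST DIR [PORT]: run the use case 4 command (with SNI set)
# and split what the server sends into DIR.
fetch_chain() {
    host=$1; dir=$2; port=${3:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | split_chain "$dir"
}

# describe_chain DIR: print subject, issuer and validity dates per file.
describe_chain() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -noout -subject -issuer -dates -in "$f"
    done
}

# Constructed sample of -showcerts output; the PEM bodies are placeholders,
# not real certificate data, so only split_chain can process them.
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:CN = leaf.example
-----BEGIN CERTIFICATE-----
placeholder-leaf
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
placeholder-intermediate
-----END CERTIFICATE-----
EOF
}
```

Against a live server, run `fetch_chain host /tmp/chain` followed by `describe_chain /tmp/chain`; a count of 1 means the server sent only its own certificate and no intermediates.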
Conclusion:
The openssl s_client command is a versatile tool for creating TLS client connections and performing various certificate-related tasks. It allows you to display certificate information, set the Server Name Indication (SNI), and examine the certificate chain of an SSL/TLS server. By understanding and utilizing the different use cases of this command, you can more effectively manage and troubleshoot SSL/TLS connections.