How to use the command 'openssl s_client' (with examples)
OpenSSL is a robust, full-featured open-source toolkit implemented mainly in C programming language. It is widely used for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is designed to provide secure communications over a computer network. One of the common use cases of OpenSSL is to establish client connections to SSL/TLS servers using the command openssl s_client. This command enables users to assess various properties and diagnostics related to secure connections.
Use case 1: Display the start and expiry dates for a domain’s certificate
Code:
openssl s_client -connect host:port 2>/dev/null | openssl x509 -noout -dates
Motivation for using this example:
The motivation behind using this command is to determine the validity period of a domain’s SSL certificate, ensuring it’s neither expired nor due for renewal. Understanding these dates is essential for maintaining uninterrupted SSL/TLS security, as an expired certificate could lead to browsers or applications rejecting the connection due to trust issues.
Explanation for every argument given in the command:
openssl s_clientinitiates a connection to the specified host and port using SSL/TLS.-connect host:portindicates the host and port to connect to. Replacehostwith the domain, andportwith the service’s port (usually 443 for HTTPS).2>/dev/nullredirects standard error output to null, effectively silencing any error messages that might appear during connection.|pipes the output fromopenssl s_clientinto the next command.openssl x509processes the SSL certificate from the connection.-nooutprevents the command from outputting the contents of the certificate, ensuring only the required information is displayed.-datesextracts and displays only the certificate’s start and expiration dates.
Example output:
notBefore=Jun 1 00:00:00 2023 GMT
notAfter=Aug 1 23:59:59 2024 GMT
Use case 2: Display the certificate presented by an SSL/TLS server
Code:
openssl s_client -connect host:port </dev/null
Motivation for using this example:
Being able to see the certificate presented by an SSL/TLS server is crucial for verifying the identity of the server. This is particularly important for administering servers or debugging connectivity issues. By examining the certificate, you can assess its issuer, validity, the public key used, and other critical information.
Explanation for every argument given in the command:
openssl s_clientas explained before, establishes connectivity.-connect host:portspecifies where the command should connect. Again, substitutehostwith the domain name andporttypically with 443.</dev/nullfeeds no input to the command, allowing it to proceed with its default behavior.
Example output:
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIF... (certificate content)
-----END CERTIFICATE-----
Use case 3: Set the Server Name Indicator (SNI) when connecting to the SSL/TLS server
Code:
openssl s_client -connect host:port -servername hostname
Motivation for using this example:
Server Name Indication (SNI) allows a client to specify which hostname it’s trying to connect to at the start of the SSL/TLS handshake process. This enables a server hosting multiple domains to present the correct SSL certificate. This use case is essential when dealing with virtual hosts on a single IP address or troubleshooting issues related to incorrect certificate presentation.
Explanation for every argument given in the command:
openssl s_clientcommands the utility to connect as described.-connect host:portspecifies the target for connection.-servername hostnamesets the hostname for SNI, ensuring the server returns the correct certificate associated with that hostname.
Example output:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, CN = DigiCert Global Root CA
verify return:1
(depth, etc.)...
Use case 4: Display the complete certificate chain of an HTTPS server
Code:
openssl s_client -connect host:443 -showcerts </dev/null
Motivation for using this example:
In some situations, it’s crucial to analyze the entire path of certificates from the server’s SSL certificate up to the trusted root certificate. Examining the full certificate chain is vital for diagnosing issues in authenticity or trust, especially in complex certification hierarchies often used by HTTPS servers.
Explanation for every argument given in the command:
openssl s_clientto establish the SSL/TLS connection.-connect host:443directs the tool to connect to HTTPS on the given host.-showcertsreveals all certificates in the chain rather than just the server certificate.</dev/nullas previously explained, provides no input from the standard input.
Example output:
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIF... (server certificate)
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIO... (intermediate certificate)
-----END CERTIFICATE-----
Conclusion:
Using openssl s_client, users can establish secure connections to servers and glean a wealth of information critical for SSL/TLS diagnostics, management, and security assessments. The specific arguments and options provided offer tailored outputs to suit various needs—from checking certificate expiry to analyzing complete certificate chains. Understanding these functionalities allows administrators and security practitioners to ensure secure and reliable operations in their digital communications infrastructure.
