Openssl s_client command line: connect and diagnose an https server
OpenSSL's s_client utility allows one to connect to secure servers that are using SSL/TLS encryption protocols.
Connecting to and diagnosing an https server from the command line using openssl:
openssl s_client -connect yourserver.com:443 -ssl3
Code:
# openssl s_client -connect ivorde.ro:443 -ssl3
CONNECTED(00000003)
depth=0 /C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
i:/C=RO/ST=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
---
Server certificate
subject=/C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
issuer=/C=RO/ST=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
---
No client certificate CA names sent
---
SSL handshake has read 1341 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 672CD285300737D3D5C684ED125684415D7023119E4B2C6EF3A7CE2570F20E1E03CB600E09F66DE5A49A85635BD90849
Key-Arg : None
Start Time: 1251270723
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Now that the HTTPS connection is established with your server, you can issue normal HTTP commands (as if you were in telnet) to diagnose your https server's problems.
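Reading the transcript above for its findings, as an added example that is not part of the original page: the shell function below pulls the verify errors, protocol, cipher and key size out of s_client output and flags the SSLv3 protocol, the 1024 bit key and the failed verification. The function names and the finding labels are assumptions of this example, and the key-size check assumes an RSA key as in this transcript.

```shell
#!/bin/sh
# Added example: summarize `openssl s_client` output read from stdin.
# Finding labels (VERIFY_ERROR, WEAK, UNTRUSTED) are this example's own names.
summarize_s_client() {
    awk '
        /^verify error:num=/ {
            # "verify error:num=20:unable to ..." -> number and reason text
            split($0, p, ":"); sub(/^num=/, "", p[2])
            if (!(p[2] in seen)) { seen[p[2]] = 1; print "VERIFY_ERROR " p[2] " " p[3] }
        }
        /^Server public key is /  { bits = $5 }
        /^[ \t]*Protocol[ \t]*:/  { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/    { cipher = $NF }
        /Verify return code:/     { rc = $4 }
        END {
            print "PROTOCOL " proto; print "CIPHER " cipher; print "KEY_BITS " bits
            # SSLv2 and SSLv3 are deprecated protocols
            if (proto == "SSLv2" || proto == "SSLv3") print "WEAK protocol " proto
            # Assumption: only RSA cipher suites are checked against 2048 bits,
            # because EC keys are much shorter by design
            if (cipher ~ /RSA/ && bits != "" && bits + 0 < 2048) print "WEAK key " bits " bit"
            # Return code 0 means the chain verified; anything else did not
            if (rc != "" && rc + 0 != 0) print "UNTRUSTED verify return code " rc
        }'
}

# Constructed sample: abridged from the transcript shown on this page.
sample_transcript() {
    cat <<'EOF'
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Verify return code: 21 (unable to verify the first certificate)
EOF
}

sample_transcript | summarize_s_client
# Against a live server (verify lines go to stderr, hence 2>&1):
#   openssl s_client -connect yourserver.com:443 </dev/null 2>&1 | summarize_s_client
```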