S_CLIENT(1)                         OpenSSL                        S_CLIENT(1)

NAME
       s_client - SSL/TLS client program

SYNOPSIS
       openssl s_client [-connect host:port] [-verify depth] [-cert filename]
       [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg]
       [-CApath directory] [-CAfile filename] [-trusted_first] [-krb5svc
       service] [-keytab filename] [-reconnect] [-pause] [-showcerts] [-debug]
       [-msg] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-no_ign_eof]
       [-quiet] [-ssl2] [-ssl3] [-tls1] [-tls1_1] [-tls1_2] [-dtls1]
       [-no_ssl2] [-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2]
       [-fallback_scsv] [-bugs] [-cipher cipherlist] [-starttls protocol]
       [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename] [-sess_in
       filename] [-rand file(s)] [-nextprotoneg protocols]

DESCRIPTION
       The s_client command implements a generic SSL/TLS client which connects
       to a remote host using SSL/TLS. It is a very useful diagnostic tool for
       SSL servers.

OPTIONS
       -connect host:port
           This specifies the host and optional port to connect to. If not
           specified then an attempt is made to connect to the local host on
           port 4433.

       -cert certname
           The certificate to use, if one is requested by the server. The
           default is not to use a certificate.

       -certform format
           The certificate format to use: DER or PEM. PEM is the default.

       -key keyfile
           The private key to use. If not specified then the certificate file
           will be used.

       -keyform format
           The private key format to use: DER or PEM. PEM is the default.

       -pass arg
           The private key password source. For more information about the
           format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

       -verify depth
           The verify depth to use. This specifies the maximum length of the
           server certificate chain and turns on server certificate
           verification. Currently the verify operation continues after
           errors so all the problems with a certificate chain can be seen. As
           a side effect the connection will never fail due to a server
           certificate verify failure.

       -CApath directory
           The directory to use for server certificate verification. This
           directory must be in "hash format", see verify for more
           information. These are also used when building the client
           certificate chain.

       -CAfile file
           A file containing trusted certificates to use during server
           authentication and to use when attempting to build the client
           certificate chain.

       -purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all,
       -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig,
       -trusted_first
           Set various certificate chain validation options. See the verify
           manual page for details.

       -krb5svc service
           The Kerberos service name to use (default "host"). This means
           s_server will expect a ticket for the principal
           service/hostname@REALM, and will need keys for that principal in
           its keytab.

       -keytab filename
           The Kerberos "keytab" (key table) file, containing keys for the
           s_server service principal (Kerberos identity; see -krb5svc).

       -reconnect
           Reconnects to the same server 5 times using the same session ID;
           this can be used as a test that session caching is working.

       -pause
           Pauses 1 second between each read and write call.

       -showcerts
           Display the whole server certificate chain: normally only the
           server certificate itself is displayed.

       -prexit
           Print session information when the program exits. This will always
           attempt to print out information even if the connection fails.
           Normally information will only be printed out once if the
           connection succeeds. This option is useful because the cipher in
           use may be renegotiated or the connection may fail because a client
           certificate is required or is requested only after an attempt is
           made to access a certain URL. Note: the output produced by this
           option is not always accurate because a connection might never have
           been established.

       -state
           Prints out the SSL session states.

       -debug
           Print extensive debugging information including a hex dump of all
           traffic.

       -msg
           Show all protocol messages with hex dump.

       -nbio_test
           Tests non-blocking I/O.

       -nbio
           Turns on non-blocking I/O.

       -crlf
           This option translates a line feed from the terminal into CR+LF as
           required by some servers.

       -ign_eof
           Inhibit shutting down the connection when end of file is reached in
           the input.

       -no_ign_eof
           Shut down the connection when end of file is reached in the input.
           Can be used to override the implicit -ign_eof after -quiet.

       -quiet
           Inhibit printing of session and certificate information. This
           implicitly turns on -ign_eof as well.

       -psk_identity identity
           Use the PSK identity identity when using a PSK cipher suite.

       -psk key
           Use the PSK key key when using a PSK cipher suite. The key is given
           as a hexadecimal number without leading 0x, for example -psk
           1a2b3c4d.

       -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -dtls1, -no_ssl2, -no_ssl3,
       -no_tls1, -no_tls1_1, -no_tls1_2
           These options disable the use of certain SSL or TLS protocols. By
           default the initial handshake uses a method which should be
           compatible with all servers and permit them to use SSL v3, SSL v2
           or TLS as appropriate.

           Unfortunately there are a lot of ancient and broken servers in use
           which cannot handle this technique and will fail to connect. Some
           servers only work if TLS is turned off with the -no_tls option;
           others will only support SSL v2 and may need the -ssl2 option.

       -fallback_scsv
           Send TLS_FALLBACK_SCSV in the ClientHello.

       -bugs
           There are several known bugs in SSL and TLS implementations. Adding
           this option enables various workarounds.

       -cipher cipherlist
           This allows the cipher list sent by the client to be modified.
           Although the server determines which cipher suite is used it should
           take the first supported cipher in the list sent by the client. See
           the ciphers command for more information.

       -starttls protocol
           Send the protocol-specific message(s) to switch to TLS for
           communication. protocol is a keyword for the intended protocol.
           Currently, the only supported keywords are "smtp", "pop3", "imap",
           and "ftp".

       -tlsextdebug
           Print out a hex dump of any TLS extensions received from the
           server.

       -no_ticket
           Disable RFC4507bis session ticket support.

       -sess_out filename
           Output SSL session to filename.

       -sess_in filename
           Load SSL session from filename. The client will attempt to resume a
           connection from this session.

       -engine id
           Specifying an engine (by its unique id string) will cause s_client
           to attempt to obtain a functional reference to the specified
           engine, thus initialising it if needed. The engine will then be set
           as the default for all available algorithms.

       -rand file(s)
           A file or files containing random data used to seed the random
           number generator, or an EGD socket (see RAND_egd(3)). Multiple
           files can be specified separated by an OS-dependent character. The
           separator is ; for MS-Windows, , for OpenVMS, and : for all others.

       -nextprotoneg protocols
           Enable the Next Protocol Negotiation TLS extension and provide a
           list of comma-separated protocol names that the client should
           advertise support for. The list should contain the most wanted
           protocols first. Protocol names are printable ASCII strings, for
           example "http/1.1" or "spdy/3". An empty list of protocols is
           treated specially and will cause the client to advertise support
           for the TLS extension but disconnect just after receiving a
           ServerHello with a list of server supported protocols.

CONNECTED COMMANDS
       If a connection is established with an SSL server then any data
       received from the server is displayed and any key presses will be sent
       to the server. When used interactively (which means neither -quiet nor
       -ign_eof have been given), the session will be renegotiated if the line
       begins with an R, and if the line begins with a Q or if end of file is
       reached, the connection will be closed down.

NOTES
       s_client can be used to debug SSL servers. To connect to an SSL HTTP
       server the command:

        openssl s_client -connect servername:443

       would typically be used (https uses port 443). If the connection
       succeeds then an HTTP command can be given such as "GET /" to retrieve
       a web page.

       If the handshake fails then there are several possible causes; if it is
       nothing obvious like no client certificate then the -bugs, -ssl2,
       -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case
       it is a buggy server. In particular you should play with these options
       before submitting a bug report to an OpenSSL mailing list.

       A frequent problem when attempting to get client certificates working
       is that a web client complains it has no certificates or gives an empty
       list to choose from. This is normally because the server is not sending
       the client's certificate authority in its "acceptable CA list" when it
       requests a certificate. By using s_client the CA list can be viewed and
       checked. However some servers only request client authentication after
       a specific URL is requested. To obtain the list in this case it is
       necessary to use the -prexit option and send an HTTP request for an
       appropriate page.

       If a certificate is specified on the command line using the -cert
       option it will not be used unless the server specifically requests a
       client certificate. Therefore merely including a client certificate on
       the command line is no guarantee that the certificate works.

       If there are problems verifying a server certificate then the
       -showcerts option can be used to show the whole chain.

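       The following is an added example, not part of the OpenSSL man page:
       a shell function that splits the chain printed by -showcerts into one
       PEM file per element, so a missing or mismatched intermediate can be
       inspected on its own. The sample input is a constructed stand-in for
       s_client output and its base64 bodies are placeholders, not real
       certificates.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL man page: split "-showcerts" output
# into one PEM file per chain element for separate inspection.
set -u

# Reads s_client output on stdin, writes chain element N to "$1/cert-N.pem"
# and prints the number of certificates found.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                         { print > f }
        /^-----END CERTIFICATE-----$/   { close(f); f = "" }
        END                             { print n + 0 }
    '
}

# Constructed sample standing in for real "s_client -showcerts" output; the
# base64 bodies are placeholders, not real certificates.
SAMPLE='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertBody==
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateBody==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.example.test
issuer=/CN=Example Intermediate CA
---'

# Real use:  openssl s_client -connect host:443 -showcerts </dev/null | split_chain chain
demo() {
    dir=$(mktemp -d)
    count=$(printf '%s\n' "$SAMPLE" | split_chain "$dir")
    echo "$count certificate(s) written to $dir"
}
```

       Each extracted file can then be examined with "openssl x509 -in
       cert-N.pem -noout -subject -issuer" to see where the chain breaks.
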
       Since the SSLv23 client hello cannot include compression methods or
       extensions these will only be supported if its use is disabled, for
       example by using the -no_sslv2 option.

BUGS
       Because this program has a lot of options and also because some of the
       techniques used are rather old, the C source of s_client is rather hard
       to read and not a model of how things should be done. A typical SSL
       client program would be much simpler.

       The -verify option should really exit if the server verification fails.

       The -prexit option is a bit of a hack. We should really report
       information whenever a session is renegotiated.

SEE ALSO
       sess_id(1), s_server(1), ciphers(1)



1.0.1e                              2017-03-22                      S_CLIENT(1)