S_CLIENT(1)                          OpenSSL                         S_CLIENT(1)

NAME
    s_client - SSL/TLS client program

SYNOPSIS
    openssl s_client [-connect host:port] [-verify depth] [-cert filename]
    [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg]
    [-CApath directory] [-CAfile filename] [-reconnect] [-pause]
    [-showcerts] [-debug] [-msg] [-nbio_test] [-state] [-nbio] [-crlf]
    [-ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3]
    [-no_tls1] [-bugs] [-cipher cipherlist] [-starttls protocol]
    [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename]
    [-sess_in filename] [-rand file(s)]

DESCRIPTION
    The s_client command implements a generic SSL/TLS client which connects
    to a remote host using SSL/TLS. It is a very useful diagnostic tool for
    SSL servers.

OPTIONS
    -connect host:port
        This specifies the host and optional port to connect to. If not
        specified then an attempt is made to connect to the local host on
        port 4433.

    -cert certname
        The certificate to use, if one is requested by the server. The
        default is not to use a certificate.

    -certform format
        The certificate format to use: DER or PEM. PEM is the default.

    -key keyfile
        The private key to use. If not specified then the certificate file
        will be used.

    -keyform format
        The private key format to use: DER or PEM. PEM is the default.

    -pass arg
        The private key password source. For more information about the
        format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

    -verify depth
        The verify depth to use. This specifies the maximum length of the
        server certificate chain and turns on server certificate
        verification. Currently the verify operation continues after
        errors so all the problems with a certificate chain can be seen. As
        a side effect the connection will never fail due to a server
        certificate verify failure.

    -CApath directory
        The directory to use for server certificate verification. This
        directory must be in "hash format", see verify for more
        information. These are also used when building the client
        certificate chain.

    -CAfile file
        A file containing trusted certificates to use during server
        authentication and to use when attempting to build the client
        certificate chain.

    -purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all,
    -policy_check, -extended_crl, -x509_strict, -policy, -check_ss_sig
        Set various certificate chain validation options. See the verify
        manual page for details.

    -reconnect
        reconnects to the same server 5 times using the same session ID,
        this can be used as a test that session caching is working.

    -pause
        pauses 1 second between each read and write call.

    -showcerts
        display the whole server certificate chain: normally only the
        server certificate itself is displayed.

    -prexit
        print session information when the program exits. This will always
        attempt to print out information even if the connection fails.
        Normally information will only be printed out once if the
        connection succeeds. This option is useful because the cipher in
        use may be renegotiated or the connection may fail because a client
        certificate is required or is requested only after an attempt is
        made to access a certain URL. Note: the output produced by this
        option is not always accurate because a connection might never have
        been established.

    -state
        prints out the SSL session states.

    -debug
        print extensive debugging information including a hex dump of all
        traffic.

    -msg
        show all protocol messages with hex dump.

    -nbio_test
        tests non-blocking I/O

    -nbio
        turns on non-blocking I/O

    -crlf
        this option translates a line feed from the terminal into CR+LF as
        required by some servers.

    -ign_eof
        inhibit shutting down the connection when end of file is reached in
        the input.

    -quiet
        inhibit printing of session and certificate information. This
        implicitly turns on -ign_eof as well.

    -psk_identity identity
        Use the PSK identity identity when using a PSK cipher suite.

    -psk key
        Use the PSK key key when using a PSK cipher suite. The key is given
        as a hexadecimal number without leading 0x, for example -psk
        1a2b3c4d.

    -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1
        these options disable the use of certain SSL or TLS protocols. By
        default the initial handshake uses a method which should be
        compatible with all servers and permit them to use SSL v3, SSL v2
        or TLS as appropriate.

        Unfortunately there are a lot of ancient and broken servers in use
        which cannot handle this technique and will fail to connect. Some
        servers only work if TLS is turned off with the -no_tls1 option;
        others will only support SSL v2 and may need the -ssl2 option.

    -bugs
        there are several known bugs in SSL and TLS implementations. Adding
        this option enables various workarounds.

    -cipher cipherlist
        this allows the cipher list sent by the client to be modified.
        Although the server determines which cipher suite is used it should
        take the first supported cipher in the list sent by the client. See
        the ciphers command for more information.

    -starttls protocol
        send the protocol-specific message(s) to switch to TLS for
        communication. protocol is a keyword for the intended protocol.
        Currently, the only supported keywords are "smtp", "pop3", "imap",
        and "ftp".

    -tlsextdebug
        print out a hex dump of any TLS extensions received from the
        server.

    -no_ticket
        disable RFC4507bis session ticket support.

    -sess_out filename
        output SSL session to filename

    -sess_in filename
        load SSL session from filename. The client will attempt to resume a
        connection from this session.

    -engine id
        specifying an engine (by its unique id string) will cause s_client
        to attempt to obtain a functional reference to the specified
        engine, thus initialising it if needed. The engine will then be set
        as the default for all available algorithms.

    -rand file(s)
        a file or files containing random data used to seed the random
        number generator, or an EGD socket (see RAND_egd(3)). Multiple
        files can be specified separated by an OS-dependent character. The
        separator is ; for MS-Windows, , for OpenVMS, and : for all others.

CONNECTED COMMANDS
    If a connection is established with an SSL server then any data
    received from the server is displayed and any key presses will be sent
    to the server. When used interactively (which means neither -quiet nor
    -ign_eof have been given), the session will be renegotiated if the line
    begins with an R, and if the line begins with a Q or if end of file is
    reached, the connection will be closed down.

NOTES
    s_client can be used to debug SSL servers. To connect to an SSL HTTP
    server the command:

        openssl s_client -connect servername:443

    would typically be used (https uses port 443). If the connection
    succeeds then an HTTP command can be given such as "GET /" to retrieve
    a web page.

    If the handshake fails then there are several possible causes. If it is
    nothing obvious like no client certificate then the -bugs, -ssl2,
    -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case
    it is a buggy server. In particular you should try these options
    before submitting a bug report to an OpenSSL mailing list.

    A frequent problem when attempting to get client certificates working
    is that a web client complains it has no certificates or gives an empty
    list to choose from. This is normally because the server is not sending
    the client's certificate authority in its "acceptable CA list" when it
    requests a certificate. By using s_client the CA list can be viewed and
    checked. However some servers only request client authentication after
    a specific URL is requested. To obtain the list in this case it is
    necessary to use the -prexit option and send an HTTP request for an
    appropriate page.

    If a certificate is specified on the command line using the -cert
    option it will not be used unless the server specifically requests a
    client certificate. Therefore merely including a client certificate on
    the command line is no guarantee that the certificate works.

    If there are problems verifying a server certificate then the
    -showcerts option can be used to show the whole chain.
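    Because -verify never fails the connection on a verification error (see
    OPTIONS above), a script that wraps s_client has to read the verdict
    out of the program's output itself. The following Python script is an
    added example and not part of OpenSSL or this manual: it parses the
    "Verify return code" line, the per-depth "verify error" lines, the PEM
    chain printed by -showcerts and the "Acceptable client certificate CA
    names" list from captured s_client output. The embedded sample output is
    constructed and its PEM bodies are placeholders; in practice the text
    would come from "openssl s_client -connect host:443 -showcerts -verify 5
    </dev/null 2>&1".

```python
import re

# Constructed, abridged output of "openssl s_client -connect host:443
# -showcerts -verify 5 </dev/null 2>&1"; the PEM bodies are placeholders.
SAMPLE_OUTPUT = """\
depth=1 /C=XX/O=Example CA/CN=Example Root
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=XX/O=Example/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example Root
-----BEGIN CERTIFICATE-----
MIIBleafplaceholder
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA/CN=Example Root
   i:/C=XX/O=Example CA/CN=Example Root
-----BEGIN CERTIFICATE-----
MIIBrootplaceholder
-----END CERTIFICATE-----
---
Acceptable client certificate CA names
/C=XX/O=Example CA/CN=Example Client CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""


def parse_s_client(text):
    """Return the verification verdict, per-depth verify errors, the chain's
    PEM blocks and the server's acceptable CA list from s_client output."""
    out = {"verify_code": None, "verify_reason": None}
    m = re.search(r"Verify return code: (\d+) \((.*)\)", text)
    if m:
        out["verify_code"], out["verify_reason"] = int(m.group(1)), m.group(2)
    out["verify_errors"] = [(int(n), msg) for n, msg in
                            re.findall(r"^verify error:num=(\d+):(.*)$", text, re.M)]
    out["chain"] = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    ca = re.search(r"^Acceptable client certificate CA names\n(.*?)\n---",
                   text, re.S | re.M)
    out["acceptable_cas"] = ca.group(1).splitlines() if ca else []
    return out


def server_trusted(text):
    """True only for 'Verify return code: 0 (ok)' with no verify errors. s_client
    keeps the connection open regardless, so a wrapper must make this check."""
    r = parse_s_client(text)
    return r["verify_code"] == 0 and not r["verify_errors"]
```

    Each PEM block in the returned chain can be written to its own file and
    inspected with "openssl x509 -noout -text" when the chain itself is the
    problem.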

    Since the SSLv23 client hello cannot include compression methods or
    extensions, these will only be supported if SSL v2 use is disabled, for
    example by using the -no_ssl2 option.

BUGS
    Because this program has a lot of options and also because some of the
    techniques used are rather old, the C source of s_client is rather hard
    to read and not a model of how things should be done. A typical SSL
    client program would be much simpler.

    The -verify option should really exit if the server verification fails.

    The -prexit option is a bit of a hack. We should really report
    information whenever a session is renegotiated.

SEE ALSO
    sess_id(1), s_server(1), ciphers(1)

1.0.0e                             2009-06-26                        S_CLIENT(1)