Endpoint Security Testing With OpenSSL
OpenSSL is a useful tool with commands for many different cryptographic tasks. Most people use it to generate certificates and private keys, but in this post we will explore another feature OpenSSL has to offer: the s_client command, which acts as an SSL/TLS client and can be used to test SSL/TLS endpoints.
Testing SSL/TLS endpoints with s_client:
Basic test:
This test shows basic information about the remote server, including certificate chain details and the negotiated TLS version and cipher suite.
$ openssl s_client -connect www.google.com:443
Basic test with certificates:
This test expands on the previous one by showing the full PEM-formatted certificate chain, which is useful for checking which certificates are in use for a given endpoint.
$ openssl s_client -connect www.google.com:443 -showcerts
Testing SSL/TLS version support:
Going deeper, we can check which TLS versions the server will negotiate. Each of these tests checks whether the server supports a single TLS version (TLS 1.0, TLS 1.1, TLS 1.2 or TLS 1.3).
$ openssl s_client -connect www.google.com:443 -tls1
$ openssl s_client -connect www.google.com:443 -tls1_1
$ openssl s_client -connect www.google.com:443 -tls1_2
$ openssl s_client -connect www.google.com:443 -tls1_3
Testing SSL/TLS cipher support:
It is also possible to see whether a server supports individual cipher suites, and in particular whether it still supports old, insecure ones that should be removed. The suites below are all TLS 1.3 cipher suites.
$ openssl s_client -connect www.google.com:443 -ciphersuites TLS_AES_128_GCM_SHA256
$ openssl s_client -connect www.google.com:443 -ciphersuites TLS_AES_256_GCM_SHA384
$ openssl s_client -connect www.google.com:443 -ciphersuites TLS_CHACHA20_POLY1305_SHA256
$ openssl s_client -connect www.google.com:443 -ciphersuites TLS_AES_128_CCM_SHA256
$ openssl s_client -connect www.google.com:443 -ciphersuites TLS_AES_128_CCM_8_SHA256
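As an added example that is not part of the original post, the following POSIX shell script automates the version and cipher-suite checks above: it runs one handshake per TLS version and per TLS 1.3 suite and classifies each s_client transcript as a success or failure. It assumes a host and optional port given on the command line, and it adds -servername (SNI), which the commands in the post do not use.

```shell
#!/bin/sh
# Added example, not from the original post: probe an endpoint for each TLS
# version and TLS 1.3 suite listed above and report which handshakes succeed.
# parse_handshake reads s_client output on stdin, so it can be checked offline.

# Classify one s_client transcript: prints "OK <protocol> <suite>" when a
# session was negotiated, otherwise "FAIL". After a successful handshake
# s_client prints "New, <protocol>, Cipher is <suite>"; "(NONE)" in that
# line, or no such line at all, means the handshake failed.
parse_handshake() {
    summary=$(sed -n 's/^New, \(.*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$summary" in
        "" | *"(NONE)"*) echo "FAIL" ;;
        *)               echo "OK $summary" ;;
    esac
}

# Run s_client once with extra options and classify the result. </dev/null
# makes s_client exit right after the handshake; 2>&1 keeps error text such
# as "no protocols available" in the stream. -servername (not used in the
# post above) sends SNI so virtual hosts answer with the right certificate.
probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" -servername "$host" "$@" \
        </dev/null 2>&1 | parse_handshake
}

# One handshake per protocol version; FAIL for tls1 and tls1_1 is the
# desirable result on a hardened endpoint.
probe_versions() {
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-10s %s\n' "$ver" "$(probe "$1" "$2" "-$ver")"
    done
}

# One handshake per TLS 1.3 suite. -ciphersuites only selects TLS 1.3
# suites; pre-1.3 suites are selected with -cipher instead.
probe_ciphersuites() {
    for suite in TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 \
                 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 \
                 TLS_AES_128_CCM_8_SHA256; do
        printf '%-30s %s\n' "$suite" "$(probe "$1" "$2" -tls1_3 -ciphersuites "$suite")"
    done
}

# Usage: sh tlsprobe.sh www.google.com [443]
if [ -n "${1:-}" ]; then
    probe_versions "$1" "${2:-443}"
    probe_ciphersuites "$1" "${2:-443}"
fi
```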
Using OpenSSL s_client tracing:
Using -trace shows extensive information, including the ClientHello message. You can also see here which cipher suites your version of OpenSSL offers when connecting.
$ openssl s_client -connect www.google.com:443 -trace
Viewing remote server TLS extensions:
Adding -tlsextdebug shows, at the top of the output, the TLS extensions supported by this endpoint.
$ openssl s_client -connect www.google.com:443 -tlsextdebug