
The s_client Utility

Purpose of the s_client utility

You can use the s_client utility to debug an SSL/TLS server. Using the s_client utility, you can negotiate an SSL/TLS handshake under controlled conditions, accompanied by extensive logging and error reporting.


The options supported by the openssl s_client utility are as follows:

-connect host[:port]

- Specify the host and (optionally) port to connect to. Default is local host and port 4433.

-cert certname

- Specifies the certificate to use, if one is requested by the server.

-certform format

- The certificate format, which can be either PEM or DER. Default is PEM.

-key keyfile

- File containing the client’s private key. Default is to extract the key from the client certificate.

-keyform format

- The private key format, which can be either PEM or DER. Default is PEM.

-pass arg

- The private key password.

-verify depth

- Maximum server certificate chain length.

-CApath directory

- Directory to use for server certificate verification.

-CAfile file

- File containing trusted CA certificates.


- Reconnects to the same server five times using the same session ID.


- Pauses for one second between each read and write call.


- Display the whole server certificate chain.


- Print session information when the program exits.


- Prints out the SSL session states.


- Log debug data, including hex dump of messages.


- Show all protocol messages with hex dump.


- Tests non-blocking I/O.


- Turns on non-blocking I/O.


- Translates a line feed (LF) from the terminal into CR+LF, as required by some servers.


- Inhibits shutting down the connection when end of file is reached in the input.


- Inhibits printing of session and certificate information; implicitly turns on -ign_eof as well.

-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1

- These options enable/disable the use of certain SSL or TLS protocols.


- Enables workarounds to several known bugs in SSL and TLS implementations.

-cipher cipherlist

- Specifies the cipher list sent by the client. The server should use the first supported cipher from the list sent by the client.

-starttls protocol

- Send the protocol-specific message(s) to switch to TLS for communication, where the protocol can be either smtp or pop3.

-engine id

- Specifies an engine, by its unique id string.

-rand file(s)

- A file or files containing random data used to seed the random number generator, or an EGD socket. The file separator is ; for MS-Windows, , for OpenVMS, and : for all other platforms.

Using the s_client utility

Before running the s_client utility, there must be an active SSL/TLS server to connect to. For example, you can have an s_server test server running on the local host, listening on port 9000. To run the s_client test client, open a command prompt and enter the following:

openssl s_client -connect localhost:9000 -ssl3 -cert clientcert.pem

Where clientcert.pem is a file containing the client’s X.509 certificate in PEM format. When you enter the command, you are prompted to enter the pass phrase for the clientcert.pem file.
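
When s_client is used to check a server, the result of certificate verification appears in the session summary as a "Verify return code" line; by default s_client continues the handshake even when verification fails, so that line has to be read explicitly. The following is an added example, not part of the original documentation: the function name sclient_summary, the sample functions and the file name ca.pem are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: summarise the session block printed by `openssl s_client`.
# Real use (ca.pem is an assumed file name):
#   openssl s_client -connect localhost:9000 -CAfile ca.pem </dev/null 2>&1 | sclient_summary

# Reads s_client output on stdin and prints "protocol=<p> cipher=<c> verify=<n>".
# Returns 0 only if the chain verified (code 0) and the protocol is not SSLv2/SSLv3.
sclient_summary() {
    awk '
        /^[ \t]*Protocol[ \t]*:/     { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/       { cipher = $NF }
        /^[ \t]*Verify return code:/ { code = $4 }
        END {
            if (proto == "")  proto = "unknown"
            if (cipher == "") cipher = "unknown"
            if (code == "")   code = "missing"
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, code
            ok = (code == "0" && proto != "unknown" && proto !~ /^SSLv[23]$/)
            exit(ok ? 0 : 1)
        }'
}

# Constructed sample: TLS 1.2 session whose certificate chain verified.
sample_tls12_ok() {
cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: SSLv3 session with a self-signed server certificate.
sample_ssl3_selfsigned() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
EOF
}

sample_tls12_ok | sclient_summary
sample_ssl3_selfsigned | sclient_summary || echo "rejected: unverified chain or legacy protocol"
```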
