Red Hat DocumentationFuse ESBToggle FramesPrintFeedback

The s_server Utility

Purpose of the s_server utility

You can use the s_server utility to debug an SSL/TLS client. By entering openssl s_server at the command line, you can run a simple SSL/TLS server that listens for incoming SSL/TLS connections on a specified port. The server can be configured to provide extensive logging and error reporting.


The options supported by the openssl s_server utility are as follows:

-accept port

- Specifies the IP port to listen for incoming connections. Default is port 4433.

-context id

- Sets the SSL context id (any string value).

-cert certname

- Specifies the certificate to use for the server.

-certform format

- The certificate format, which can be either PEM or DER. Default is PEM.

-key keyfile

- File containing the server’s private key. Default is to extract the key from the server certificate.

-keyform format

- The private key format, which can be either PEM or DER. Default is PEM.

-pass arg

- The private key password.

-dcert filename, -dkey keyname

- Specifies an additional certificate and private key, enabling the server to have multiple credentials.

-dcertform format, -dkeyform format, -dpass arg

- Specifies additional certificate format, private key format, and passphrase respectively.


- If this option is set, no certificate is used.

-dhparam filename

- The DH parameter file to use.


- If this option is set, no DH parameters will be loaded, effectively disabling the ephemeral DH cipher suites.


- Certain export cipher suites sometimes use a temporary RSA key. This option disables temporary RSA key generation.

-verify depth, -Verify depth

- Maximum client certificate chain length. With the -Verify option, the client must supply a certificate or an error occurs.

-CApath directory

- Directory to use for client certificate verification.

-CAfile file

- File containing trusted CA certificates.


- Prints out the SSL session states.


- Log debug data, including hex dump of messages.


- Show all protocol messages with hex dump.


- Tests non-blocking I/O.


- Turns on non-blocking I/O.


- Translates a line feed (LF) from the terminal into CR+LF, as required by some servers.


- Inhibits printing of session and certificate information; implicitly turns on -ign_eof as well.

-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1

- These options enable/disable the use of certain SSL or TLS protocols.


- Enables workarounds to several known bugs in SSL and TLS implementations.


- Enables a further workaround for some some early Netscape SSL code.

-cipher cipherlist

- Specifies the cipher list sent by the client. The server should use the first supported cipher from the list sent by the client.


- Sends a status message back to the client when it connects. The status message is in HTML format.


- Emulates a simple web server, where pages are resolved relative to the current directory.


- Emulates a simple web server, where pages are resolved relative to the current directory.

-engine id

- Specifies an engine, by it's unique id string.


- Generate SSL/TLS session IDs prefixed by arg.

-rand file(s)

- A file or files containing random data used to seed the random number generator, or an EGD socket. The file separator is ; for MS-Windows, , for OpenVMS, and : for all other platforms.

Connected commands

When an SSL client is connected to the test server, you can enter any of the following single letter commands on the server side:


End the current SSL connection but still accept new connections.


End the current SSL connection and exit.


Renegotiate the SSL session.


Renegotiate the SSL session and request a client certificate.


Send some plain text down the underlying TCP connection. This should cause the client to disconnect due to a protocol violation.


Print out some session cache status information.

Using the s_server utility

To use the s_server utility to debug SSL clients, start the test server with the following command:

openssl s_server -accept 9000 -cert servercert.pem

Where the test server listens on the IP port 9000 and servercert.pem is a file containing the server’s X.509 certificate in PEM format.

The s_server utility also provides a convenient way to test a secure Web browser. If you start the s_server utility with the -WWW switch, the test server functions as a simple Web server, serving up pages from the current directory; for example:

openssl s_server -accept 9000 -cert servercert.pem -WWW
Comments powered by Disqus