s_client - OpenSSL


NAME
    openssl-s_client, s_client - SSL/TLS client program

SYNOPSIS
    openssl s_client [-connect host:port] [-servername name] [-verify depth]
    [-verify_return_error] [-cert filename] [-certform DER|PEM] [-key filename]
    [-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename]
    [-no_alt_chains] [-reconnect] [-pause] [-showcerts] [-debug] [-msg]
    [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-no_ign_eof] [-quiet]
    [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-no_tls1_1]
    [-no_tls1_2] [-fallback_scsv] [-bugs] [-sigalgs sigalglist]
    [-curves curvelist] [-cipher cipherlist] [-serverpref] [-starttls protocol]
    [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename]
    [-sess_in filename] [-rand file(s)] [-serverinfo types] [-status]
    [-alpn protocols] [-nextprotoneg protocols]

DESCRIPTION
    The s_client command implements a generic SSL/TLS client which connects
    to a remote host using SSL/TLS. It is a very useful diagnostic tool for
    SSL servers.

OPTIONS
    -connect host:port
        This specifies the host and optional port to connect to. If not
        specified then an attempt is made to connect to the local host on
        port 4433.

    -servername name
        Set the TLS SNI (Server Name Indication) extension in the ClientHello
        message.

    -cert certname
        The certificate to use, if one is requested by the server. The
        default is not to use a certificate.

    -certform format
        The certificate format to use: DER or PEM. PEM is the default.

    -key keyfile
        The private key to use. If not specified then the certificate file
        will be used.

    -keyform format
        The private key format to use: DER or PEM. PEM is the default.

    -pass arg
        The private key password source. For more information about the
        format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

    -verify depth
        The verify depth to use. This specifies the maximum length of the
        server certificate chain and turns on server certificate
        verification. Currently the verify operation continues after errors
        so all the problems with a certificate chain can be seen. As a side
        effect the connection will never fail due to a server certificate
        verify failure.

    -verify_return_error
        Return verification errors instead of continuing. This will typically
        abort the handshake with a fatal error.

    -CApath directory
        The directory to use for server certificate verification. This
        directory must be in "hash format", see verify(1) for more
        information. These are also used when building the client
        certificate chain.

    -CAfile file
        A file containing trusted certificates to use during server
        authentication and to use when attempting to build the client
        certificate chain.

    -purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all,
    -policy_check, -extended_crl, -x509_strict, -policy, -check_ss_sig,
    -no_alt_chains
        Set various certificate chain validation options. See the verify(1)
        manual page for details.

    -reconnect
        Reconnects to the same server 5 times using the same session ID; this
        can be used as a test that session caching is working.

    -pause
        Pauses 1 second between each read and write call.

    -showcerts
        Displays the server certificate list as sent by the server: it only
        consists of certificates the server has sent (in the order the server
        has sent them). It is not a verified chain.

    -prexit
        Print session information when the program exits. This will always
        attempt to print out information even if the connection fails.
        Normally information will only be printed out once if the connection
        succeeds. This option is useful because the cipher in use may be
        renegotiated or the connection may fail because a client certificate
        is required or is requested only after an attempt is made to access a
        certain URL. Note: the output produced by this option is not always
        accurate because a connection might never have been established.

    -state
        Prints out the SSL session states.

    -debug
        Print extensive debugging information including a hex dump of all
        traffic.

    -msg
        Show all protocol messages with hex dump.

    -nbio_test
        Tests non-blocking I/O.

    -nbio
        Turns on non-blocking I/O.

    -crlf
        This option translates a line feed from the terminal into CR+LF as
        required by some servers.

    -ign_eof
        Inhibit shutting down the connection when end of file is reached in
        the input.

    -quiet
        Inhibit printing of session and certificate information. This
        implicitly turns on -ign_eof as well.

    -no_ign_eof
        Shut down the connection when end of file is reached in the input.
        Can be used to override the implicit -ign_eof after -quiet.

    -psk_identity identity
        Use the PSK identity identity when using a PSK cipher suite. The
        default value is "Client_identity" (without the quotes).

    -psk key
        Use the PSK key key when using a PSK cipher suite. The key is given
        as a hexadecimal number without leading 0x, for example
        -psk 1a2b3c4d. This option must be provided in order to use a PSK
        cipher.

    -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1,
    -no_tls1_1, -no_tls1_2
        These options require or disable the use of the specified SSL or TLS
        protocols. By default the initial handshake uses a version-flexible
        method which will negotiate the highest mutually supported protocol
        version.

    -fallback_scsv
        Send TLS_FALLBACK_SCSV in the ClientHello.

    -bugs
        There are several known bugs in SSL and TLS implementations. Adding
        this option enables various workarounds.

    -sigalgs sigalglist
        Specifies the list of signature algorithms that are sent by the
        client. The server selects one entry in the list based on its
        preferences. For example strings, see SSL_CTX_set1_sigalgs(3).

    -curves curvelist
        Specifies the list of supported curves to be sent by the client. The
        curve is ultimately selected by the server. For a list of all
        curves, use:

            $ openssl ecparam -list_curves

    -cipher cipherlist
        This allows the cipher list sent by the client to be modified.
        Although the server determines which cipher suite is used it should
        take the first supported cipher in the list sent by the client. See
        the ciphers(1) command for more information.

    -serverpref
        Use the server's cipher preferences; only used for SSLV2.

    -starttls protocol
        Send the protocol-specific message(s) to switch to TLS for
        communication. protocol is a keyword for the intended protocol.
        Currently, the only supported keywords are "smtp", "pop3", "imap",
        "ftp" and "xmpp".

    -tlsextdebug
        Print out a hex dump of any TLS extensions received from the server.

    -no_ticket
        Disable RFC4507bis session ticket support.

    -sess_out filename
        Output SSL session to filename.

    -sess_in filename
        Load SSL session from filename. The client will attempt to resume a
        connection from this session.

    -engine id
        Specifying an engine (by its unique id string) will cause s_client to
        attempt to obtain a functional reference to the specified engine,
        thus initialising it if needed. The engine will then be set as the
        default for all available algorithms.

    -rand file(s)
        A file or files containing random data used to seed the random
        number generator, or an EGD socket (see RAND_egd(3)). Multiple files
        can be specified separated by an OS-dependent character. The
        separator is ; for MS-Windows, , for OpenVMS, and : for all others.

    -serverinfo types
        A list of comma-separated TLS Extension Types (numbers between 0 and
        65535). Each type will be sent as an empty ClientHello TLS Extension.
        The server's response (if any) will be encoded and displayed as a
        PEM file.

    -status
        Sends a certificate status request to the server (OCSP stapling).
        The server response (if any) is printed out.

    -alpn protocols, -nextprotoneg protocols
        These flags enable the Application-Layer Protocol Negotiation or
        Next Protocol Negotiation extension, respectively. ALPN is the IETF
        standard and replaces NPN. The protocols list is a comma-separated
        list of protocol names that the client should advertise support
        for. The list should contain the most wanted protocols first.
        Protocol names are printable ASCII strings, for example "http/1.1"
        or "spdy/3". An empty list of protocols is treated specially and
        will cause the client to advertise support for the TLS extension
        but disconnect just after receiving a ServerHello with a list of
        server supported protocols.

CONNECTED COMMANDS
    If a connection is established with an SSL server then any data received
    from the server is displayed and any key presses will be sent to the
    server. When used interactively (which means neither -quiet nor -ign_eof
    have been given), the session will be renegotiated if the line begins
    with an R, and if the line begins with a Q or if end of file is reached,
    the connection will be closed down.

NOTES
    s_client can be used to debug SSL servers. To connect to an SSL HTTP
    server the command:

        openssl s_client -connect servername:443

    would typically be used (https uses port 443). If the connection succeeds
    then an HTTP command can be given such as "GET /" to retrieve a web page.

    If the handshake fails then there are several possible causes; if it is
    nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3,
    -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a
    buggy server. In particular you should play with these options before
    submitting a bug report to an OpenSSL mailing list.

    A frequent problem when attempting to get client certificates working is
    that a web client complains it has no certificates or gives an empty list
    to choose from. This is normally because the server is not sending the
    client's certificate authority in its "acceptable CA list" when it
    requests a certificate. By using s_client the CA list can be viewed and
    checked. However some servers only request client authentication after a
    specific URL is requested. To obtain the list in this case it is
    necessary to use the -prexit option and send an HTTP request for an
    appropriate page.

    If a certificate is specified on the command line using the -cert option
    it will not be used unless the server specifically requests a client
    certificate. Therefore merely including a client certificate on the
    command line is no guarantee that the certificate works.

    If there are problems verifying a server certificate then the -showcerts
    option can be used to show all the certificates sent by the server.

    Since the SSLv23 client hello cannot include compression methods or
    extensions these will only be supported if its use is disabled, for
    example by using the -no_ssl2 option.

    The s_client utility is a test tool and is designed to continue the
    handshake after any certificate verification errors. As a result it will
    accept any certificate chain (trusted or not) sent by the peer. Non-test
    applications should not do this as it makes them vulnerable to a MITM
    attack. This behaviour can be changed with the -verify_return_error
    option: any verify errors are then returned, aborting the handshake.

BUGS
    Because this program has a lot of options and also because some of the
    techniques used are rather old, the C source of s_client is rather hard
    to read and not a model of how things should be done. A typical SSL
    client program would be much simpler.

    The -prexit option is a bit of a hack. We should really report
    information whenever a session is renegotiated.

SEE ALSO
    sess_id(1), s_server(1), ciphers(1)

HISTORY
    The -no_alt_chains option was first added to OpenSSL 1.0.2b.
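The NOTES above warn that s_client continues past verification errors unless -verify and -verify_return_error are given, and CONNECTED COMMANDS describes Q as the way to close a session. The wrapper below, added here as an example and not part of the OpenSSL manual, combines the two so that a server only counts as healthy when its chain verified; it assumes openssl is on PATH, and the CAFILE default path and the two sample transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual: wrap openssl s_client so a
# connection only counts as healthy when the server chain verified. Assumes
# openssl is on PATH; CAFILE defaults to a placeholder trust-store path.
# Numeric "Verify return code" from s_client output on stdin. Without
# -verify_return_error s_client prints this even after a failed verification
# and still exits 0, so the code has to be checked explicitly.
verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\) .*/\1/p' | tail -n 1
}
# First "verify error:num=N" code: all that remains when -verify_return_error
# aborts the handshake before the SSL-Session block is printed.
first_verify_error() {
    sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1
}
# Negotiated protocol version from the SSL-Session block.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}
# Summarise one run read on stdin as "ok <protocol>" or "fail <code>";
# returns 0 only when the chain verified.
summarise() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    [ -n "$code" ] || code=$(printf '%s\n' "$out" | first_verify_error)
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if [ "$code" = "0" ]; then printf 'ok %s\n' "${proto:-unknown}"; return 0; fi
    printf 'fail %s\n' "${code:-no-handshake}"
    return 1
}
# Connect with SNI, a chain depth limit and -verify_return_error so a bad
# chain aborts instead of being accepted; "Q" on stdin closes the session.
check_tls() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "${CAFILE:-/etc/ssl/certs/ca-certificates.crt}" \
        -verify 5 -verify_return_error 2>/dev/null | summarise
}
# Constructed, abridged s_client transcripts so the parsing runs offline.
SAMPLE_OK='verify return:1
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='verify error:num=18:self signed certificate
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 18 (self signed certificate)'

if [ $# -gt 0 ]; then check_tls "$@"; fi
```

Run as `CAFILE=/path/to/bundle.pem sh check_tls.sh host [port]`; the exit status is 0 only when the chain verified, which makes it usable from monitoring scripts.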


