How to check and verify SSL using the openssl s_client command

Check SSL on a particular domain:

You can use the openssl command to connect to the secure port of a domain and check whether a secure connection can be established. Use the command below to check connectivity, replacing the placeholders with the domain and port to test.

openssl s_client -connect <domain>:<port>

Check SSL on a particular service:

To check the SSL certificate installed on a particular service or port, use the openssl command to connect to the port that service listens on. The command below shows how to check the SSL installed on the SNMP service; replace the placeholders with the host and the service's port.

openssl s_client -connect <hostname>:<port>

View the complete certificate chain:

Using the openssl command you can view the complete certificate trust chain for a particular service or domain. Add the -showcerts option and the command displays every certificate the server sends as part of the chain, not only the server certificate.

openssl s_client -connect <hostname>:<port> -showcerts

Connect SSL using TLS 1.2 only

With the openssl command you can specify the protocol version to use when connecting to the domain over SSL. The example below shows how to connect to a domain using only the TLS 1.2 protocol.

openssl s_client -connect <hostname>:<port> -tls1_2

Connect SSL with a particular protocol disabled

To ensure that deprecated protocols such as SSLv2 and SSLv3 are not supported by a particular URL, you can try connecting to that URL with those protocols disabled.

Check if SSLv2 is disabled

openssl s_client -connect <hostname>:<port> -no_ssl2

Check if SSLv3 is disabled

openssl s_client -connect <hostname>:<port> -no_ssl3

Obtain the certificate from a URL

You can save the server's certificate to a .crt file using the one-liner below.

openssl s_client -connect hostname:636 <<<'' | openssl x509 -out /etc/pki/ca-trust/source/anchors/ad01.crt

Debug the SSL connection

To debug the SSL connection, pass the -tlsextdebug option to openssl s_client. It prints extra information about the TLS extensions received from the server while connecting. The -debug option prints more extensive debugging information.

openssl s_client -connect <hostname>:<port> -tlsextdebug
openssl s_client -debug -connect <hostname>:<port>
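
One way to script the checks above, as an added example that is not part of the original page: the function reads s_client output on stdin and reports the negotiated protocol, cipher, verify return code and the number of certificates printed by -showcerts. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output read on stdin.
# Live use (placeholders): openssl s_client -connect <hostname>:<port> \
#     -showcerts </dev/null 2>&1 | check_s_client
# Returns non-zero when no protocol was negotiated, the protocol is
# SSLv2/SSLv3, or the verify return code is not 0.
check_s_client() {
    awk '
        /^ *Protocol *:/ && proto == ""    { proto = $NF }
        /^ *Cipher *:/ && cipher == ""     { cipher = $NF }
        /Verify return code:/ && vrc == "" { sub(/.*Verify return code: */, ""); vrc = $1 }
        /^-----BEGIN CERTIFICATE-----/     { certs++ }  # one per chain cert with -showcerts
        END {
            printf "protocol=%s cipher=%s verify=%s chain_certs=%d\n", proto, cipher, vrc, certs
            if (proto == "" || proto == "SSLv2" || proto == "SSLv3" || vrc != "0") exit 1
        }'
}

# Constructed, abbreviated s_client output (not captured from a real server).
sample_ok() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
EOF
}
# Same output with the verification result changed to a self-signed failure.
sample_selfsigned() {
    sample_ok | sed 's/code: 0 (ok)/code: 18 (self-signed certificate)/'
}

sample_ok | check_s_client
sample_selfsigned | check_s_client || echo "check failed (expected for this sample)"
```

A non-zero verify return code means the chain did not validate against the local trust store, even though s_client still completes the handshake and prints the session.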

