Toll Free Numbers
  • Last 5 Forum Topics
    Last post

The Web Only This Site



  • MARC

    Mailing list ARChives
    - Search by -


    Computing Dictionary

  • Text Link Ads
  • LINUX man pages
  • Linux Man Page Viewer

    The following form allows you to view linux man pages.





           openssl s_client [-connect host:port] [-verify depth] [-cert filename]
           [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg]
           [-CApath directory] [-CAfile filename] [-trusted_first] [-krb5svc
           service] [-keytab filename] [-reconnect] [-pause] [-showcerts] [-debug]
           [-msg] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-no_ign_eof]
           [-quiet] [-ssl2] [-ssl3] [-tls1] [-tls1_1] [-tls1_2] [-dtls1]
           [-no_ssl2] [-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2]
           [-fallback_scsv] [-bugs] [-cipher cipherlist] [-starttls protocol]
           [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename] [-sess_in
           filename] [-rand file(s)] [-nextprotoneg protocols]


           The s_client command implements a generic SSL/TLS client which connects
           to a remote host using SSL/TLS. It is a very useful diagnostic tool for
           SSL servers.


           -connect host:port
               This specifies the host and optional port to connect to. If not
               specified then an attempt is made to connect to the local host on
               port 4433.
           -cert certname
               The certificate to use, if one is requested by the server. The
               default is not to use a certificate.
           -certform format
               The certificate format to use: DER or PEM. PEM is the default.
           -key keyfile
               The private key to use. If not specified then the certificate file
               will be used.
           -keyform format
               The private format to use: DER or PEM. PEM is the default.
           -pass arg
               the private key password source. For more information about the
               format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
           -verify depth
               The verify depth to use. This specifies the maximum length of the
               server certificate chain and turns on server certificate
               verification.  Currently the verify operation continues after
               errors so all the problems with a certificate chain can be seen. As
               a side effect the connection will never fail due to a server
               certificate verify failure.
           -CApath directory
               The directory to use for server certificate verification. This
               directory must be in "hash format", see verify for more
           -krb5svc service
               the Kerberos service name to use (default "host"). This means
               s_server will expect a ticket for the principal
               service/hostname@REALM, and will need keys for that principal in
               its keytab.
           -keytab filename
               the Kerberos "keytab" (key table) file, containing keys for the
               s_server service principal (Kerberos identity; see -krb5svc).
               reconnects to the same server 5 times using the same session ID,
               this can be used as a test that session caching is working.
               pauses 1 second between each read and write call.
               display the whole server certificate chain: normally only the
               server certificate itself is displayed.
               print session information when the program exits. This will always
               attempt to print out information even if the connection fails.
               Normally information will only be printed out once if the
               connection succeeds. This option is useful because the cipher in
               use may be renegotiated or the connection may fail because a client
               certificate is required or is requested only after an attempt is
               made to access a certain URL. Note: the output produced by this
               option is not always accurate because a connection might never have
               been established.
               prints out the SSL session states.
               print extensive debugging information including a hex dump of all
               show all protocol messages with hex dump.
               tests non-blocking I/O
               turns on non-blocking I/O
               this option translated a line feed from the terminal into CR+LF as
               required by some servers.
           -psk key
               Use the PSK key key when using a PSK cipher suite. The key is given
               as a hexadecimal number without leading 0x, for example -psk
           -ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -dtls1, -no_ssl2, -no_ssl3,
           -no_tls1, -no_tls1_1, -no_tls1_2
               these options disable the use of certain SSL or TLS protocols. By
               default the initial handshake uses a method which should be
               compatible with all servers and permit them to use SSL v3, SSL v2
               or TLS as appropriate.
               Unfortunately there are a lot of ancient and broken servers in use
               which cannot handle this technique and will fail to connect. Some
               servers only work if TLS is turned off with the -no_tls option
               others will only support SSL v2 and may need the -ssl2 option.
               Send TLS_FALLBACK_SCSV in the ClientHello.
               there are several known bug in SSL and TLS implementations. Adding
               this option enables various workarounds.
           -cipher cipherlist
               this allows the cipher list sent by the client to be modified.
               Although the server determines which cipher suite is used it should
               take the first supported cipher in the list sent by the client. See
               the ciphers command for more information.
           -starttls protocol
               send the protocol-specific message(s) to switch to TLS for
               communication.  protocol is a keyword for the intended protocol.
               Currently, the only supported keywords are "smtp", "pop3", "imap",
               and "ftp".
               print out a hex dump of any TLS extensions received from the
               disable RFC4507bis session ticket support.
           -sess_out filename
               output SSL session to filename
           -sess_in sess.pem
               load SSL session from filename. The client will attempt to resume a
               connection from this session.
           -engine id
               support for. The list should contain most wanted protocols first.
               Protocol names are printable ASCII strings, for example "http/1.1"
               or "spdy/3".  Empty list of protocols is treated specially and will
               cause the client to advertise support for the TLS extension but
               disconnect just after reciving ServerHello with a list of server
               supported protocols.


           If a connection is established with an SSL server then any data
           received from the server is displayed and any key presses will be sent
           to the server. When used interactively (which means neither -quiet nor
           -ign_eof have been given), the session will be renegotiated if the line
           begins with an R, and if the line begins with a Q or if end of file is
           reached, the connection will be closed down.


           s_client can be used to debug SSL servers. To connect to an SSL HTTP
           server the command:
            openssl s_client -connect servername:443
           would typically be used (https uses port 443). If the connection
           succeeds then an HTTP command can be given such as "GET /" to retrieve
           a web page.
           If the handshake fails then there are several possible causes, if it is
           nothing obvious like no client certificate then the -bugs, -ssl2,
           -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case
           it is a buggy server. In particular you should play with these options
           before submitting a bug report to an OpenSSL mailing list.
           A frequent problem when attempting to get client certificates working
           is that a web client complains it has no certificates or gives an empty
           list to choose from. This is normally because the server is not sending
           the clients certificate authority in its "acceptable CA list" when it
           requests a certificate. By using s_client the CA list can be viewed and
           checked. However some servers only request client authentication after
           a specific URL is requested. To obtain the list in this case it is
           necessary to use the -prexit option and send an HTTP request for an
           appropriate page.
           If a certificate is specified on the command line using the -cert
           option it will not be used unless the server specifically requests a
           client certificate. Therefor merely including a client certificate on
           the command line is no guarantee that the certificate works.
           If there are problems verifying a server certificate then the
           -showcerts option can be used to show the whole chain.
           Since the SSLv23 client hello cannot include compression methods or
           extensions these will only be supported if its use is disabled, for
           example by using the -no_sslv2 option.

    1.0.1e 2017-03-22 S_CLIENT(1)


  • Linux

    The Distributions


    The Software


    The News


  • Toll Free

Toll Free Numbers
Copyright © 1999 - 2016 by LinuxGuruz