Openssl s_client command line: connect and diagnose an https server

OpenSSL's s_client utility allows one to connect to secure servers that are using SSL/TLS encryption protocols.

Connecting and diagnosting an https server by command line using openssl: openssl s_client -connect yourserver.com:443 -ssl3

Code:

# openssl s_client -connect ivorde.ro:443 -ssl3
CONNECTED(00000003)
depth=0 /C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
   i:/C=RO/ST=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDFTCCAn6gAwIBAgIJAMi0v9PxvYDdMA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
VQQGEwJSTzESMBAGA1UECBMJQnVjaGFyZXN0MQ8wDQYDVQQKEwZJdm9yZGUxDTAL
BgNVBAsTBE1haWwxFzAVBgNVBAMTDm1haWwuaXZvcmRlLnJvMScwJQYJKoZIhvcN
AQkBFhhhbmRyZWkubWFuZXNjdUBpdm9yZGUucm8wHhcNMDkwNjAxMjAwMTI5WhcN
MTAwNjAxMjAwMTI5WjCBlzELMAkGA1UEBhMCUk8xEjAQBgNVBAgTCUJ1Y2hhcmVz
dDESMBAGA1UEBxMJQnVjaGFyZXN0MQ8wDQYDVQQKEwZJdm9yZGUxDTALBgNVBAsT
BE1haWwxFzAVBgNVBAMTDm1haWwuaXZvcmRlLnJvMScwJQYJKoZIhvcNAQkBFhhh
bmRyZWkubWFuZXNjdUBpdm9yZGUucm8wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBALg85CF05u7QvedCdb4oy0+J5/hm8B+PFMgoTPq8cjrfah3zDbsnJaNQqKpY
CR8y2j9lHGvj5bpWCp3WA2h+S4xpzuxk9Thu1dA+DOY24MUXYZyVVJJxAg1CUB/D
ejMFA0oI2X4dyBwotPdp7KdTdgimJtvtrGFK8qRw7tNivL/rAgMBAAGjezB5MAkG
A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
ZmljYXRlMB0GA1UdDgQWBBQrnZWcLivne1c6dDhPPkcx4q6amDAfBgNVHSMEGDAW
gBRaCBD20l86o/ix/t3gDarAE36CEDANBgkqhkiG9w0BAQUFAAOBgQB3JEcQ7ugS
C26cVYVcEZiKRcCEoebWlThzOabLW0a+mrv6mHlo+P4fbQILD+bhVET319sXVcQQ
DgcRs7rkPgemrGVuVbkq7KV+kgtKTlJ2K1pgyWLQYgre9Cwi2RspR+NE9WC4n3jR
fNW1eB45wT92ipmmpR8LFfXcB4CSWayc4g==
-----END CERTIFICATE-----
subject=/C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
issuer=/C=RO/ST=Bucharest/O=Ivorde/OU=test/CN=test.ivorde.ro/emailAddress=spam_pool@ivorde.ro
---
No client certificate CA names sent
---
SSL handshake has read 1341 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 672CD285300737D3D5C684ED125684415D7023119E4B2C6EF3A7CE2570F20E1E03CB600E09F66DE5A49A85635BD90849
    Key-Arg   : None
    Start Time: 1251270723
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Now that the HTTPS connection is established with your server, you can issue normal HTTP commands (as if you were in telnet) to diagnose your https server's problems.

Ivorde Unix/Linux/Database/Web/Mail Forum

Tutorials applicable on more than one Unix/Linux OS and shell scripts: ssh / openssl / protocols.