Windows PowerShell command on Get-command s

Manual Pages for UNIX Operating System command usage for man s_client

OpenSSL S_CLIENT(1openssl)

NNNNAAAAMMMMEEEE

s_client - SSL/TLS client program

SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS

ooooppppeeeennnnssssssssllll ssss_cccclllliiiieeeennnntttt [---cccoooonnnnnnnneeeecccctttt hhhhoooosssstttt::::ppppoooorrrrtttt] [---vvveeeerrrriiiiffffyyyy ddddeeeepppptttthhhh] [---ccceeeerrrrtttt

ffffiiiilllleeeennnnaaaammmmeeee] [---ccceeeerrrrttttffffoooorrrrmmmm DDDDEEEERRRR||||PPPPEEEEMMMM] [---kkkeeeeyyyy ffffiiiilllleeeennnnaaaammmmeeee] [---kkkeeeeyyyyffffoooorrrrmmmm

DDDDEEEERRRR||||PPPPEEEEMMMM] [---pppaaaassssssss aaaarrrrgggg] [---CCCAAAAppppaaaatttthhhh ddddiiiirrrreeeeccccttttoooorrrryyyy] [---CCCAAAAffffiiiilllleeee ffffiiiilllleeeennnnaaaammmmeeee]

[---rrreeeeccccoooonnnnnnnneeeecccctttt] [---pppaaaauuuusssseeee] [---ssshhhhoooowwwwcccceeeerrrrttttssss] [---dddeeeebbbbuuuugggg] [---mmmssssgggg]

[---nnnbbbbiiiioooo_tttteeeesssstttt] [---sssttttaaaatttteeee] [---nnnbbbbiiiioooo] [---cccrrrrllllffff] [---iiiggggnnnn_eeeeooooffff] [---qqquuuuiiiieeeetttt]

[---sssssssllll2222] [---sssssssllll3333] [---tttllllssss1111] [---nnnoooo_ssssssssllll2222] [---nnnoooo_ssssssssllll3333] [---nnnoooo_ttttllllssss1111]

[---bbbuuuuggggssss] [---ccciiiipppphhhheeeerrrr cccciiiipppphhhheeeerrrrlllliiiisssstttt] [---sssttttaaaarrrrttttttttllllssss pppprrrroooottttooooccccoooollll] [---eeennnnggggiiiinnnneeee

iiiidddd] [---tttllllsssseeeexxxxttttddddeeeebbbbuuuugggg] [---nnnoooo_ttttiiiicccckkkkeeeetttt] [---ssseeeessssssss_oooouuuutttt ffffiiiilllleeeennnnaaaammmmeeee]

[---ssseeeessssssss_iiiinnnn ffffiiiilllleeeennnnaaaammmmeeee] [---rrraaaannnndddd ffffiiiilllleeee((((ssss))))]

DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN

The ssss_cccclllliiiieeeennnntttt command implements a generic SSL/TLS client

which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers. OOOOPPPPTTTTIIIIOOOONNNNSSSS

-ccccoooonnnnnnnneeeecccctttt hhhhoooosssstttt::::ppppoooorrrrtttt

This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 4433.

-cccceeeerrrrtttt cccceeeerrrrttttnnnnaaaammmmeeee

The certificate to use, if one is requested by the server. The default is not to use a certificate.

-cccceeeerrrrttttffffoooorrrrmmmm ffffoooorrrrmmmmaaaatttt

The certificate format to use: DER or PEM. PEM is the default.

-kkkkeeeeyyyy kkkkeeeeyyyyffffiiiilllleeee

The private key to use. If not specified then the certificate file will be used.

-kkkkeeeeyyyyffffoooorrrrmmmm ffffoooorrrrmmmmaaaatttt

The private format to use: DER or PEM. PEM is the default.

-ppppaaaassssssss aaaarrrrgggg

the private key password source. For more information about the format of aaaarrrrgggg see the PPPPAAAASSSSSSSS PPPPHHHHRRRRAAAASSSSEEEE AAAARRRRGGGGUUUUMMMMEEEENNNNTTTTSSSS section in openssl(1).

-vvvveeeerrrriiiiffffyyyy ddddeeeepppptttthhhh

The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect

23/Aug/2007 Last change: 0.9.8o 1

OpenSSL S_CLIENT(1openssl)

the connection will never fail due to a server certificate verify failure.

-CCCCAAAAppppaaaatttthhhh ddddiiiirrrreeeeccccttttoooorrrryyyy

The directory to use for server certificate verification. This directory must be in "hash format", see vvvveeeerrrriiiiffffyyyy for more information. These are also used when building the client certificate chain.

-CCCCAAAAffffiiiilllleeee ffffiiiilllleeee

A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain.

-rrrreeeeccccoooonnnnnnnneeeecccctttt

reconnects to the same server 5 times using the same session ID, this can be used as a test that session caching is working.

-ppppaaaauuuusssseeee

pauses 1 second between each read and write call.

-sssshhhhoooowwwwcccceeeerrrrttttssss

display the whole server certificate chain: normally only the server certificate itself is displayed.

-pppprrrreeeexxxxiiiitttt

print session information when the program exits. This will always attempt to print out information even if the connection fails. Normally information will only be printed out once if the connection succeeds. This option is useful because the cipher in use may be renegotiated or the connection may fail because a client certificate is required or is requested only after an attempt is made to access a certain URL. Note: the output produced by this option is not always accurate because a connection might never have been established.

-ssssttttaaaatttteeee

prints out the SSL session states.

-ddddeeeebbbbuuuugggg

print extensive debugging information including a hex dump of all traffic.

-mmmmssssgggg

show all protocol messages with hex dump.

-nnnnbbbbiiiioooo_tttteeeesssstttt

tests non-blocking I/O

23/Aug/2007 Last change: 0.9.8o 2

OpenSSL S_CLIENT(1openssl)

-nnnnbbbbiiiioooo

turns on non-blocking I/O

-ccccrrrrllllffff

this option translated a line feed from the terminal into CR+LF as required by some servers.

-iiiiggggnnnn_eeeeooooffff

inhibit shutting down the connection when end of file is reached in the input.

-qqqquuuuiiiieeeetttt

inhibit printing of session and certificate information.

This implicitly turns on ---iiiggggnnnn_eeeeooooffff as well.

-ssssssssllll2222, -ssssssssllll3333, -ttttllllssss1111, -nnnnoooo_ssssssssllll2222, -nnnnoooo_ssssssssllll3333, -nnnnoooo_ttttllllssss1111

these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only work if TLS is

turned off with the ---nnnoooo_ttttllllssss option others will only

support SSL v2 and may need the ---sssssssllll2222 option.

-bbbbuuuuggggssss

there are several known bug in SSL and TLS implementations. Adding this option enables various workarounds.

-cccciiiipppphhhheeeerrrr cccciiiipppphhhheeeerrrrlllliiiisssstttt

this allows the cipher list sent by the client to be modified. Although the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the cccciiiipppphhhheeeerrrrssss command for more information.

-ssssttttaaaarrrrttttttttllllssss pppprrrroooottttooooccccoooollll

send the protocol-specific message(s) to switch to TLS

for communication. pppprrrroooottttooooccccoooollll is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".

-ttttllllsssseeeexxxxttttddddeeeebbbbuuuugggg

print out a hex dump of any TLS extensions received from the server. Note: this option is only available if extension support is explicitly enabled at compile time

-nnnnoooo_ttttiiiicccckkkkeeeetttt

disable RFC4507bis session ticket support. Note: this

23/Aug/2007 Last change: 0.9.8o 3

OpenSSL S_CLIENT(1openssl)

option is only available if extension support is explicitly enabled at compile time

-sssseeeessssssss_oooouuuutttt ffffiiiilllleeeennnnaaaammmmeeee

output SSL session to ffffiiiilllleeeennnnaaaammmmeeee

-sssseeeessssssss_iiiinnnn sssseeeessssssss....ppppeeeemmmm

load SSL session from ffffiiiilllleeeennnnaaaammmmeeee. The client will attempt to resume a connection from this session.

-eeeennnnggggiiiinnnneeee iiiidddd

specifying an engine (by it's unique iiiidddd string) will

cause ssss_cccclllliiiieeeennnntttt to attempt to obtain a functional

reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.

-rrrraaaannnndddd ffffiiiilllleeee((((ssss))))

a file or files containing random data used to seed the random number generator, or an EGD socket (see

RAND_egd(3)). Multiple files can be specified separated

by a OS-dependent character. The separator is ;;;; for

MS-Windows, ,,,, for OpenVMS, and :::: for all others.

CCCCOOOONNNNNNNNEEEECCCCTTTTEEEEDDDD CCCCOOOOMMMMMMMMAAAANNNNDDDDSSSS If a connection is established with an SSL server then any data received from the server is displayed and any key presses will be sent to the server. When used interactively

(which means neither ---qqquuuuiiiieeeetttt nor ---iiiggggnnnn_eeeeooooffff have been given),

the session will be renegotiated if the line begins with an RRRR, and if the line begins with a QQQQ or if end of file is reached, the connection will be closed down. NNNNOOOOTTTTEEEESSSS

ssss_cccclllliiiieeeennnntttt can be used to debug SSL servers. To connect to an

SSL HTTP server the command:

openssl s_client -connect servername:443

would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate

then the ---bbbuuuuggggssss, ---sssssssllll2222, ---sssssssllll3333, ---tttllllssss1111, ---nnnoooo_ssssssssllll2222, ---nnnoooo_ssssssssllll3333,

---nnnoooo_ttttllllssss1111 options can be tried in case it is a buggy server.

In particular you should play with these options bbbbeeeeffffoooorrrreeee submitting a bug report to an OpenSSL mailing list. A frequent problem when attempting to get client certificates working is that a web client complains it has

23/Aug/2007 Last change: 0.9.8o 4

OpenSSL S_CLIENT(1openssl)

no certificates or gives an empty list to choose from. This is normally because the server is not sending the clients certificate authority in its "acceptable CA list" when it

requests a certificate. By using ssss_cccclllliiiieeeennnntttt the CA list can be

viewed and checked. However some servers only request client authentication after a specific URL is requested. To obtain

the list in this case it is necessary to use the ---ppprrrreeeexxxxiiiitttt

option and send an HTTP request for an appropriate page. If a certificate is specified on the command line using the

---ccceeeerrrrtttt option it will not be used unless the server

specifically requests a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then

the ---ssshhhhoooowwwwcccceeeerrrrttttssss option can be used to show the whole chain.

Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its

use is disabled, for example by using the ---nnnoooo_ssssssssllllvvvv2222 option.

TLS extensions are only supported in OpenSSL 0.9.8 if they are explictly enabled at compile time using for example the

eeeennnnaaaabbbblllleeee---tttllllsssseeeexxxxtttt switch.

BBBBUUUUGGGGSSSS Because this program has a lot of options and also because some of the techniques used are rather old, the C source of

s_client is rather hard to read and not a model of how

things should be done. A typical SSL client program would be much simpler.

The ---vvveeeerrrriiiiffffyyyy option should really exit if the server

verification fails.

The ---ppprrrreeeexxxxiiiitttt option is a bit of a hack. We should really

report information whenever a session is renegotiated. SSSSEEEEEEEE AAAALLLLSSSSOOOO

sess_id(1), s_server(1), ciphers(1)

23/Aug/2007 Last change: 0.9.8o 5

OpenSSL S_CLIENT(1openssl)

23/Aug/2007 Last change: 0.9.8o 6