If you have a server which accepts SSL connections and would like to verify that server, OpenSSL has a command that implements a generic SSL/TLS client which connects to a remote host. It is a useful diagnostic utility when you don't want to use a full-featured client to test the SSL connection.
When you run the client you will see the response from the server, typically the results of the SSL handshake. Here's a typical openssl command to start a test client and the resulting response from a test server:
> openssl s_client -connect localhost:9000 -CApath /etc/grid-security/certificates CONNECTED(00000003) depth=0 /C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu verify return:1 --- Certificate chain 0 s:/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu i:/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu --- Server certificate -----BEGIN CERTIFICATE----- MIIDdTCCAt6gAwIBAgIJAI+DwwKU64gxMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsG A1UEChMETkNTQTEaMBgGA1UEAxMRd3d3Lm5jc2EudWl1Yy5lZHUxJjAkBgkqhkiG 9w0BCQEWF3dlYm1hc3RlckBuY3NhLnVpdWMuZWR1MB4XDTA2MDMwNzE5MTU0NloX DTA3MDMwNzE5MTU0NlowgYQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9p czEPMA0GA1UEBxMGVXJiYW5hMQ0wCwYDVQQKEwROQ1NBMRowGAYDVQQDExF3d3cu bmNzYS51aXVjLmVkdTEmMCQGCSqGSIb3DQEJARYXd2VibWFzdGVyQG5jc2EudWl1 Yy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANXMAH439JNT5EMs6+Jg c8wYNMjakffoRqIohYRb2jJpmaFtCBTskK/dzMcuAjc0/O74qcuSbeL1dJknNJQu 2KoK8teJC0/wnltrt6Wt3mi11Es3REnukn94YvMjPiTcLqyCdybJzIFQIwpUs+2c pSCkHPrds+5XDtm6QSeb1qzjAgMBAAGjgewwgekwHQYDVR0OBBYEFJ0f4iq9saQ1 Br+bbfj/6mO1KGpHMIG5BgNVHSMEgbEwga6AFJ0f4iq9saQ1Br+bbfj/6mO1KGpH oYGKpIGHMIGEMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNV BAcTBlVyYmFuYTENMAsGA1UEChMETkNTQTEaMBgGA1UEAxMRd3d3Lm5jc2EudWl1 Yy5lZHUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBuY3NhLnVpdWMuZWR1ggkA j4PDApTriDEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCbdDKNLTJ4 bJvybjjAqdGzWvu7rX6RExZYm0RuJGK8XSb2CuNhaY/Y7Dp3k2Nb4P9spZlYP9qR ZDmx2lUPhL5SEKLSbTk+Grsj4GdxknkT7+8c58mNHTCnxF3XLMk016hYRc+SFiK7 VaoZ9xdS3g7vKvRO9a+kWD3C3j+ceKaf+g== -----END CERTIFICATE----- subject=/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu issuer=/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu --- No client certificate CA names sent --- SSL handshake has read 1325 bytes and written 276 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 8B3CE529A77AE42B854B0A4A2083BF5E75DB0BE9B8E2847479441F4F70AEA8E6 Session-ID-ctx: Master-Key: BBEDB1ABC87B9E0B7D3576FFD8FC24E4E432E809D881189A7159EA5DA12211E9329C7B422078041F67D0847498AF27DB Key-Arg : None Start Time: 1141759882 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
You can see here that the server is using a self-signed certificate. Upon successful connection, the SSL channel is typically left open. Anything you type at this point will be sent to the server. To quit the client, you can either type <CTRL>-C or the single character “Q”. There are many other options for the test client, such as using a client certificate, disabling certain SSL or TLS protocols, etc. For a full list of command line options, run man s_client.
Getting the certificate chain run:
tdd@dubex-tdd:~$ openssl s_client -showcerts -connect www.thawte.com:443 CONNECTED(00000003) depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/O=Thawte Inc/serialNumber=3898261/C=US/ST=California/L=Mountain View/OU=Production Security Services/CN=www.thawte.com i:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA -----BEGIN CERTIFICATE----- MIIFdzCCBF+gAwIBAgIQQrr6Dr8o8Ly6JILi0YxRdTANBgkqhkiG9w0BAQUFADCB izELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjE5MDcGA1UECxMw VGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3BzIChjKTA2 MSowKAYDVQQDEyF0aGF3dGUgRXh0ZW5kZWQgVmFsaWRhdGlvbiBTU0wgQ0EwHhcN MDkxMTExMDAwMDAwWhcNMTExMTExMjM1OTU5WjCB7jETMBEGCysGAQQBgjc8AgED EwJVUzEZMBcGCysGAQQBgjc8AgECFAhEZWxhd2FyZTEbMBkGA1UEDxMSVjEuMCwg Q2xhdXNlIDUuKGIpMRMwEQYDVQQKFApUaGF3dGUgSW5jMRAwDgYDVQQFEwczODk4 MjYxMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxQN TW91bnRhaW4gVmlldzElMCMGA1UECxQcUHJvZHVjdGlvbiBTZWN1cml0eSBTZXJ2 aWNlczEXMBUGA1UEAxQOd3d3LnRoYXd0ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQC9Fs2uUqKrVEjFv0y2fTNqOd5P4k1UWCIruSDDB9PTawI9 3SDFr9aXyPJLzzqp8H6F0Mrcr7hT2YaUD8ZzYVUginoZqpiIeDv1y0Bu94KHqm3H 1u4GJ+/5mqAPWe4YYSu3A717bhpeUdH0ssA13f0CNfgvg+EjwYsxTk0zewA6HaPY jIsYXmBOo5MaXhVmhqfLuHwitNaIReUazInjlqrRpCvx6LCSuT8aCjNmEwPy45Cd g0/VV7tG9aanggdHd7m3sd3ni2PlRJvpsfJA4H5t8I8dYQpNZLuGvcNUdRGlniGW b1NIelcOZH5OWESgyx5j7JvDo3q9UJEe21ZjlIOXAgMBAAGjggFwMIIBbDAlBgNV HREEHjAcggp0aGF3dGUuY29tgg53d3cudGhhd3RlLmNvbTAMBgNVHRMBAf8EAjAA MDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVF VkNBMjAwNi5jcmwwQgYDVR0gBDswOTA3BgtghkgBhvhFAQcwATAoMCYGCCsGAQUF BwIBFhpodHRwczovL3d3dy50aGF3dGUuY29tL2NwczAdBgNVHSUEFjAUBggrBgEF BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUzTLi8l0lRwKqj3lLMu4Dmf0wSdEw dgYIKwYBBQUHAQEEajBoMCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUu Y29tMEIGCCsGAQUFBzAChjZodHRwOi8vd3d3LnRoYXd0ZS5jb20vcmVwb3NpdG9y eS9UaGF3dGVfRVZfQ0FfMjAwNi5jcnQwDQYJKoZIhvcNAQEFBQADggEBALFeAOTD BhUQbP0mTAPkmgVw3b6YFveeEkCo1wWkXI63Qg2e/Csz7lIdN4odYfCGGGDId0qw 9lXIWEJb+BzHnelM+/jlBvrsRyMb4Rv24apOsXw8IXMoVkxp+9sop4cZhvKK7ygG gEjy0DmN48Y6hU36ikdSz1RZeXRMPODFjmyBPlBm79eimsAv/u8teh8bZEZ8wvj/ Z7WwefTa6k3wjmBwcA+ZE+zDw6c2hfGNDxuAPGSSybO94nUfX+jIl7AejnPbYxzt GFM/txx1R/pkQCc5LyavnblUjIJevq8XScX46QRIJ/GzNKobu+E3WJ/5nhxtQBzQ ZHQGr0/1UrHnIW0= -----END CERTIFICATE----- 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com -----BEGIN CERTIFICATE----- MIIFUTCCBLqgAwIBAgIQX6a+gLaGxi8B7QyrsZahBTANBgkqhkiG9w0BAQUFADCB zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl cnZlckB0aGF3dGUuY29tMB4XDTA2MTExNzAwMDAwMFoXDTIwMTIzMDIzNTk1OVow gakxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwx0aGF3dGUsIEluYy4xKDAmBgNVBAsT H0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xODA2BgNVBAsTLyhjKSAy MDA2IHRoYXd0ZSwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYD VQQDExZ0aGF3dGUgUHJpbWFyeSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEArKDw+4BZ1JzHpM+doVlzCRBFDA0sbmjxbFtIaElZN/wLMxnC d3/MEC2VNBzm600JpxzSuMmXNgK3idQkXwbAzESUlI0CYm/rWt0RjSiaXISQEHoN vXRmL2o4oOLVVETrHQefB7pv7un9Tgsp9T6EoAHxnKv4HH6JpOih2HFlDaNRe+68 0iJgDblbnd+6/FFbC6+Ysuku6QToYofeK8jXTsFMZB7dz4dYukpPymgHHRydSsbV L5HMfHFyHMXAZ+sy/cmSXJTahcCbv1N9Kwn0jJ2RH5dqUsveCTakd9h7h1BE1T5u KWn7OUkmHgmlgHtALevoJ4XJ/mH9fuZ8lx3VnQIDAQABo4IBzTCCAckwDwYDVR0T AQH/BAUwAwEB/zA7BgNVHSAENDAyMDAGBFUdIAAwKDAmBggrBgEFBQcCARYaaHR0 cHM6Ly93d3cudGhhd3RlLmNvbS9jcHMwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQW BBR7W0XPr87Lev0xkhpqtvNG61dIUDBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8v Y3JsLnRoYXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNlcnZlckNBLmNybDAgBgNVHSUE GTAXBglghkgBhvhCBAEGCmCGSAGG+EUBCAEwgeUGA1UdIwSB3TCB2qGB1KSB0TCB zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl cnZlckB0aGF3dGUuY29tggEBMA0GCSqGSIb3DQEBBQUAA4GBACvKEsnd18xjHJsx NUrd5Lf2ndGk+x74R/muB44NWBL72u21zDPll2hHYULVZqluHke/hdt9WNF3WsyQ YZiaKfWdsc+43PN7gEdI0X30aIzEQcu06f3wI+Cxm3YqbShWo4zN6ewhAHHwX91Q pWlCG4MRXYQo0yeu7CqrL2BCxcR4 -----END CERTIFICATE----- 2 s:/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA -----BEGIN CERTIFICATE----- MIIFCjCCA/KgAwIBAgIQexFV63iakIW1jJL/Qrf+VjANBgkqhkiG9w0BAQUFADCB qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMTYx MTE2MjM1OTU5WjCBizELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j LjE5MDcGA1UECxMwVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3LnRoYXd0ZS5j b20vY3BzIChjKTA2MSowKAYDVQQDEyF0aGF3dGUgRXh0ZW5kZWQgVmFsaWRhdGlv biBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1jUf3sEh2 m737qcu/BDGiPZp+MCnTKLj+aM7P6TBqU5UOUGWAJsmYv/IU/wZ8anvcUAfimPrf zzBdyqi5ipstLX5Zixr3s8nDaYAPiRkId7JSVa14g51ruYfkUyQ3LPwZDot5FE2+ gJ60m3N0MfI47IqvKjaOZM4xJhQDVFOO+4QIwX5HMj1x4Lq6jIJYlk1oQ1Ya80Za MpmVsGBv6UGKSMwWDURosYrd3Rc9pJt4fy4pBvDc1dITP8A2Bf3HtbmAG4pGdC/x q3mel274pRNa8/y118iWGTfuBrzGJxSBBRQzOBafS+IP2zi78wHvNS7er/Hkb2/3 lgBWXo9glB0vAgMBAAGjggFIMIIBRDA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUH MAGGH2h0dHA6Ly9FVlNlY3VyZS1vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgw BgEB/wIBADA7BgNVHSAENDAyMDAGBFUdIAAwKDAmBggrBgEFBQcCARYaaHR0cHM6 Ly93d3cudGhhd3RlLmNvbS9jcHMwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2Ny bC50aGF3dGUuY29tL1RoYXd0ZVBDQS5jcmwwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud EQQnMCWkIzAhMR8wHQYDVQQDExZQcml2YXRlTGFiZWwzLTIwNDgtMjM0MB0GA1Ud DgQWBBTNMuLyXSVHAqqPeUsy7gOZ/TBJ0TAfBgNVHSMEGDAWgBR7W0XPr87Lev0x khpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAC7SWzgMM0Z2vy+M5Vg3GIqDJ cX3qZZUx8dy2HvKNMV1hs1SEE8wrPwJcxx8VAYKQHjElBuMyDIfww76axABB9saR 5Ww+kl2j5D0fMi0xHlDBAiG0I+MHdZpSRVH60x39AW9gbSXZv0Oxp0NsrYy7vPeZ QevWlc8gXH5vxCraS00bW8KfsJTUv0eX/Z1JeWCOrpYZobDr6N9CxyJ0YQwlo3+P RdJ+50puHU9Iu8LaGn5KWYH6HOP7FHNBA6F3+psG/HwzvUY9DAYXhXsqe+M26IPf +qrLMgx5qoZ0bERU9tgHns2Y9CMFCS+iU7XbCoHMXyPLeRHFEVuFaycBifMOuw== -----END CERTIFICATE----- --- Server certificate subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/O=Thawte Inc/serialNumber=3898261/C=US/ST=California/L=Mountain View/OU=Production Security Services/CN=www.thawte.com issuer=/C=US/O=thawte, Inc./OU=Terms of use at https://www.thawte.com/cps (c)06/CN=thawte Extended Validation SSL CA --- No client certificate CA names sent --- SSL handshake has read 4767 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 6274CB4BED481258C9380422F7DEF7BBA84A450C09FFC5B07DA46054B7E932B7 Session-ID-ctx: Master-Key: 6EA318E95767665AA3D479F2EFD9ADC81E3D9A8D4757885C4E7E3A4133BABDBED74CF4D633B4F962CF86D7A35D63A442 Key-Arg : None Start Time: 1284117752 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---