OPENSSL-S_CLIENT(1ssl) OpenSSL OPENSSL-S_CLIENT(1ssl) openssl-s_client - SSL/TLS openssl s_client [-help] [-ssl_config ] [-connect :] [-host _] [-port ] [-bind :] [-proxy :] [-proxy_user _] [-proxy_pass ] [-unix ] [-4] [-6] [-quic] [-servername ] [-noservername] [-verify ] [-verify_return_error] [-verify_quiet] [-verifyCAfile _] [-verifyCApath ] [-verifyCAstore ] [-cert _] [-certform DER|PEM|P12] [-cert_chain _] [-build_chain] [-CRL _] [-CRLform DER|PEM] [-crl_download] [-key _|] [-keyform DER|PEM|P12|ENGINE] [-pass ] [-chainCAfile _] [-chainCApath ] [-chainCAstore ] [-requestCAfile _] [-dane_tlsa_domain ] [-dane_tlsa_rrdata _rr] [-dane_ee_no_namechecks] [-reconnect] [-showcerts] [-prexit] [-no-interactive] [-debug] [-trace] [-nocommands] [-adv] [-security_debug] [-security_debug_verbose] [-msg] [-timeout] [-mtu ] [-no_ems] [-keymatexport ] [-keymatexportlen ] [-msgfile _] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-no_ign_eof] [-psk_identity ] [-psk ] [-psk_session ] [-quiet] [-sctp] [-sctp_label_bug] [-fallback_scsv] [-async] [-maxfraglen ] [-max_send_frag] [-split_send_frag] [-max_pipelines] [-read_buf] [-ignore_unexpected_eof] [-no_tx_cert_comp] [-no_rx_cert_comp] [-brief] [-starttls ] [-xmpphost _] [-name _] [-tlsextdebug] [-sess_out _] [-sess_in _] [-serverinfo ] [-status] [-ocsp_check_leaf] [-ocsp_check_all] [-alpn ] [-nextprotoneg ] [-ct] [-noct] [-ctlogfile] [-keylogfile ] [-early_data ] [-enable_pha] [-use_srtp ] [-srpuser ] [-srppass ] [-srp_lateuser] [-srp_moregroups] [-srp_strength ] [-ktls] [-tfo] [-nameopt ] [-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-ssl3] [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-dtls] [-dtls1] [-dtls1_2] [-xkey _] [-xcert ] [-xchain ] [-xchain_build ] [-xcertform DER|PEM]> [-xkeyform DER|PEM]> [-CAfile ] [-no-CAfile] [-CApath ] [-no-CApath] [-CAstore ] [-no-CAstore] [-bugs] [-no_comp] [-comp] [-no_ticket] [-serverpref] [-client_renegotiation] [-legacy_renegotiation] [-no_renegotiation] [-no_resumption_on_reneg] [-legacy_server_connect] [-no_legacy_server_connect] [-no_etm] [-allow_no_dhe_kex] [-prefer_no_dhe_kex] [-prioritize_chacha] [-strict] [-sigalgs ] [-client_sigalgs ] [-groups ] [-curves ] [-named_curve ] [-cipher ] [-ciphersuites 1.3] [-min_protocol _] [-max_protocol _] [-record_padding ] [-debug_broken_protocol] [-no_middlebox] [-rand ] [-writerand ] [-provider ] [-provider-path ] [-provparam [:]=] [-propquery propq] [-engine ] [-ssl_client_engine ] [-allow_proxy_certs] [-attime _] [-no_check_time] [-check_ss_sig] [-crl_check] [-crl_check_all] [-explicit_policy] [-extended_crl] [-ignore_critical] [-inhibit_any] [-inhibit_map] [-partial_chain] [-policy ] [-policy_check] [-policy_print] [-purpose ] [-suiteB_128] [-suiteB_128_only] [-suiteB_192] [-trusted_first] [-no_alt_chains] [-use_deltas] [-auth_level ] [-verify_depth ] [-verify_email ] [-verify_hostname _] [-verify_ip _ip] [-verify_name ] [-x509_strict] [-issuer_checks] [-enable_server_rpk] [-enable_client_rpk] [:] SSL/TLS SSL/TLS. SSL. " " SSL_CONF_cmd(3). -help . -ssl_config SSL_CTX. -connect : . . 4433. IPv6 "[" "]". -host _ -connect . -port -connect . -bind : / . - . IPv6 "[" "]". -proxy : -connect HTTP CONNECT . IPv6 "[" "]". -proxy_user _ -proxy (base64). : base64 TLS/SSL. / . . -proxy_pass -proxy_user. openssl-passphrase-options(1). -unix - . -4 IPv4 . -6 IPv6 . -quic QUIC. -alpn. -servername TLS SNI ( ) ClientHello . -servername TLS SNI -connect DNS. -connect SNI "localhost". OpenSSL 1.1.1. SNI DNS IP -servername DNS . -noservername. -noservername SNI ( ) ClientHello. -servername -dane_tlsa_domain. -cert _ . . -cert_chain. -certform DER|PEM|P12 . openssl-format-options(1) . -cert_chain -cert. PEM DER PKCS#12. -build_chain . -CRL _ CRL . -CRLform DER|PEM CRL . openssl-format-options(1) . -crl_download CRL . -crl_check. CRL X509_CRL_load_http(3). -key _|_ . . -keyform DER|PEM|P12|ENGINE . openssl-format-options(1) . -pass . openssl-passphrase-options(1). -verify . . -verify_return_error . . (D)TLS ("sslserver"). " " openssl-verification-options(1). -verify_return_error -verify . . -verify_quiet . -___CA _ PEM . -___CA . " " openssl-verify(1) . -___CA _ (URI) . -chainCAfile PEM . -chainCApath . " " openssl-verify(1) . -chainCAstore uri (URI) . . "file:" -chainCAfile -chainCApath . ossl_store-file(7) "file:". -__CA certificate_authorities. TLS 1.3 -_dane_tlsa DANE TLSA ( RFC6698/RFC7671) TLSA SNI . -dane_tlsa_rrdata . DANE ( 0) TLSA . TLSA "2 1 0" ( ) " TA". TLSA " TA" " EE" 0. -dane_tlsa_rrdata rrdata RRDATA DANE TLSA RRset . rrdata " " . . : $ openssl s_client -brief -starttls smtp \ -connect smtp.example.com:25 \ -dane_tlsa_domain smtp.example.com \ -dane_tlsa_rrdata "2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \ -dane_tlsa_rrdata "2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18" ... Verification: OK Verified peername: smtp.example.com DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1 ... -dane_ee_no_namechecks TLSA DANE-EE(3). " " . . RFC7671 TLSA DANE-EE(3) . SMTP XMPP SRV MX SMTP XMPP . -reconnect 5 . -showcerts : ( ). . -prexit . . . . : . -no-interactive . -state SSL. -debug . -nocommands . -adv . -security_debug . -security_debug_verbose . -msg . -timeout / DTLS. -mtu (MTU) . -no_ems . -keymatexport . -keymatexportlen 20. . -trace . -msgfile _ -msg -trace . -nbio_test / -nbio / -crlf CR+LF . -ign_eof . -nocommands . -quiet . -ign_eof -nocommands . -no_ign_eof . -ign_eof -quiet. -psk_identity identity PSK identity PSK. "Client_identity" ( ). -psk key PSK key PSK. 0x -psk 1a2b3c4d. PSK. -psk_session SSL_SESSION pem PSK. TLSv1.3. -sctp SCTP UDP DTLS. -dtls -dtls1 -dtls1_2. OpenSSL SCTP. -sctp_label_bug OpenSSL DTLS/SCTP. . -sctp. OpenSSL SCTP. -fallback_scsv TLS_FALLBACK_SCSV ClientHello. -async . . -engine. async (dasync) ( ). -maxfraglen len 512 1024 2048 4096. -max_send_frag int . SSL_CTX_set_max_send_fragment(3) . -split_send_frag int . max_pipelines. max_pipelines 1. SSL_CTX_set_split_send_fragment(3) . -max_pipelines int / . ( dasync) . 1. SSL_CTX_set_max_pipelines(3) . -read_buf int . (pipelining) ( SSL_CTX_set_default_read_buffer_len(3) ). -ignore_unexpected_eof TLS close_notify . close_notify . close_notify . SSL_shutdown(3). -no_tx_cert_comp TLSv1.3 . -no_rx_cert_comp TLSv1.3 . -brief . -starttls protocol TLS . protocol . "smtp" "pop3" "imap" "ftp" "xmpp" "xmpp-server" "irc" "postgres" "mysql" "lmtp" "nntp" "sieve" "ldap". -xmpphost hostname "-starttls xmpp" "-starttls xmpp-server" "to" . "-connect". -name "xmpp" "xmpp-server". -name hostname -starttls. "xmpp" "xmpp-server" "smtp" "lmtp" -name . "-starttls xmpp" "-starttls xmpp-server" "to" . "-connect". "-starttls lmtp" "-starttls smtp" "LMTP LHLO" "SMTP EHLO" . "mail.example.com". -tlsextdebug TLS . -sess_out filename SSL filename. -sess_in filename SSL filename. . -serverinfo types TLS ( 0 65535). ClientHello TLS . ( ) PEM. -status ( OCSP). ( ). -ocsp_check_leaf ( ) OCSP TLS ( " OCSP") . OCSP CRL . -status. -ocsp_check_all ( CA ). -status -ocsp_check_leaf. -alpn protocols -nextprotoneg protocols (ALPN) (NPN) . ALPN IETF NPN. protocols . . ASCII "http/1.1" "spdy/3". TLS ServerHello . -nextprotoneg -tls1_3. -ct -noct (CT) (-ct) (-noct). CT (SCTs) . CT OCSP SCTs. -ctlogfile . SSL_CTX_set_ctlog_list_file(3) . -keylogfile TLS ( Wireshark) TLS. -early_data . . -enable_pha TLSv1.3 . -cert . -use_srtp SRTP value . -srpuser SRP . . -srppass SRP . . -srp_lateuser SRP ClientHello . . -srp_moregroups . g N . -srp_strength N. . -ktls TLS . OpenSSL 3.2.0. TLS OpenSSL 3.2.0. -tfo TCP (RFC7413). -no_ssl3 -no_tls1 -no_tls1_1 -no_tls1_2 -no_tls1_3 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3 " TLS" openssl(1). -dtls -dtls1 -dtls1_2 DTLS TLS. " TLS" openssl(1). -nameopt . openssl-namedisplay-options(1) . -xkey _ -xcert -xchain -xchain_build -xcertform DER|PEM -xkeyform DER|PEM . "Extended Verification Options" openssl-verification-options(1) . -CAfile -no-CAfile -CApath -no-CApath -CAstore _ -no-CAstore "Trusted Certificate Options" openssl-verification-options(1) . -bugs -comp -no_comp -no_ticket -serverpref -client_renegotiation -legacy_renegotiation -no_renegotiation -no_resumption_on_reneg -legacy_server_connect -no_legacy_server_connect -no_etm -allow_no_dhe_kex -prefer_no_dhe_kex -prioritize_chacha -strict -sigalgs algs -client_sigalgs algs -groups groups -curves curves -named_curve curve -cipher ciphers -ciphersuites 1.3ciphers -min_protocol minprot -max_protocol maxprot -record_padding padding -debug_broken_protocol -no_middlebox "SUPPORTED COMMAND LINE COMMANDS" SSL_CONF_cmd(3) . -rand -writerand " " openssl(1) . -provider -provider-path -provparam [:]= -propquery propq " " openssl(1) provider(7) property(7). -engine " " openssl(1). . -ssl_client_engine . -allow_proxy_certs -attime -no_check_time -check_ss_sig -crl_check -crl_check_all -explicit_policy -extended_crl -ignore_critical -inhibit_any -inhibit_map -no_alt_chains -partial_chain -policy -policy_check -policy_print -purpose -suiteB_128 -suiteB_128_only -suiteB_192 -trusted_first -use_deltas -auth_level -verify_depth -verify_email -verify_hostname -verify_ip -verify_name -x509_strict -issuer_checks . " " openssl-verification-options(1) . -verify_return_error. -enable_server_rpk (RFC7250) . X.509 . X.509 X.509 . -enable_client_rpk (RFC7250) . . . : -connect . -connect localhost 4433. IPv6 "[" "]". () SSL/TLS . . ( -quiet -ign_eof) -adv -nocommands "". . . . . Q SSL . R SSL (TLSv1.2 ). C . k (TLSv1.3 ) K ( TLSv1.3 ) () -adv <<>>. SSL/TLS . . "{help}" "{quit}". s_client . ":" "{keyup:req}". . s_client . . . help . quit reconnect keyup . TLSv1.3 . . "req" . "noreq" . "req". reneg . (D)TLSv1.2 . fin FIN . QUIC . FIN . SSL. SSL HTTP : openssl s_client -connect servername:443 ( https 443). HTTP "GET /" . -bugs -ssl3 -tls1 -no_ssl3 -no_tls1 . OpenSSL. . << >> . . URL . -prexit HTTP . -cert . . -showcerts . . ( ) . (MITM). -verify_return_error: . -bind . s_client ( cron stdin ) TLS 1.3. -ign_eof s_client (EOF) stdin. : openssl s_client -connect :443 -tls1_3 -sess_out /path/to/tls_session_params_file -ign_eof -ign_eof . . . SMTP QUIT : $ openssl s_client -brief -ign_eof -starttls smtp -connect :25 . SMTP QUIT: printf 'QUIT\r\n' | openssl s_client -connect :25 -starttls smtp -brief -ign_eof HTTP/1.1 `Connection: close` : printf 'GET / HTTP/1.1\r\nHost: \r\nConnection: close\r\n\r\n' | openssl s_client -connect :443 -brief . C . SSL . -prexit . . openssl(1), openssl-sess_id(1), openssl-s_server(1), openssl-ciphers(1), SSL_CONF_cmd(3), SSL_CTX_set_max_send_fragment(3), SSL_CTX_set_split_send_fragment(3), SSL_CTX_set_max_pipelines(3), ossl_store-file(7) -no_alt_chains 1.1.0 OpenSSL. -name 1.1.1 OpenSSL. -certform 3.0.0 OpenSSL . -engine OpenSSL 3.0. -enable_client_rpk -enable_server_rpk -no_rx_cert_comp -no_tx_cert_comp -tfo OpenSSL 3.2. <-ocsp_check_leaf> -ocsp_check_all OpenSSL 3.6. 2000-2025 OpenSSL. . Apache 2.0 ( ""). . LICENSE . 3 . . : . 3.6.2 7 2026 OPENSSL-S_CLIENT(1ssl)