Test TLS Connection Ciphers TLS Version and Certificate with OpenSSL Command Line (2024)

Use the OpenSSL command line to test and check TLS/SSL server connectivity, cipher suites, TLS/SSL version, and the server certificate. Covers TLS 1.2 and TLS 1.3 support tests (force TLS 1.2, force TLS 1.3), STARTTLS tests, and openssl s_client example commands with detailed output. Works on Linux, Windows and Mac OS X.

Introduction

openssl s_client is an SSL/TLS client program that can be used to test TLS server connectivity and TLS/SSL version support, check cipher suites, and verify the server certificate. It is a very useful diagnostic tool for SSL servers.

    Usage: s_client [options]
    Valid options are:
     -help  Display this summary
     -host val  Use -connect instead
     -port +int  Use -connect instead
     -connect val  TCP/IP where to connect (default is :4433)
     -bind val  bind local address for connection
     -proxy val  Connect to via specified proxy to the real server
     -unix val  Connect over the specified Unix-domain socket
     -4  Use IPv4 only
     -6  Use IPv6 only
     -verify +int  Turn on peer certificate verification
     -cert infile  Certificate file to use, PEM format assumed
     -certform PEM|DER  Certificate format (PEM or DER) PEM default
     -nameopt val  Various certificate name options
     -key val  Private key file to use, if not in -cert file
     -keyform PEM|DER|ENGINE  Key format (PEM, DER or engine) PEM default
     -pass val  Private key file pass phrase source
     -CApath dir  PEM format directory of CA's
     -CAfile infile  PEM format file of CA's
     -no-CAfile  Do not load the default certificates file
     -no-CApath  Do not load certificates from the default certificates directory
     -requestCAfile infile  PEM format file of CA names to send to the server
     -dane_tlsa_domain val  DANE TLSA base domain
     -dane_tlsa_rrdata val  DANE TLSA rrdata presentation form
     -dane_ee_no_namechecks  Disable name checks when matching DANE-EE(3) TLSA records
     -reconnect  Drop and re-make the connection with the same Session-ID
     -showcerts  Show all certificates sent by the server
     -debug  Extra output
     -msg  Show protocol messages
     -msgfile outfile  File to send output of -msg or -trace, instead of stdout
     -nbio_test  More ssl protocol testing
     -state  Print the ssl states
     -crlf  Convert LF from terminal into CRLF
     -quiet  No s_client output
     -ign_eof  Ignore input eof (default when -quiet)
     -no_ign_eof  Don't ignore input eof
     -starttls val  Use the appropriate STARTTLS command before starting TLS
     -xmpphost val  Alias of -name option for "-starttls xmpp[-server]"
     -rand val  Load the file(s) into the random number generator
     -writerand outfile  Write random data to the specified file
     -sess_out outfile  File to write SSL session to
     -sess_in infile  File to read SSL session from
     -use_srtp val  Offer SRTP key management with a colon-separated profile list
     -keymatexport val  Export keying material using label
     -keymatexportlen +int  Export len bytes of keying material (default 20)
     -maxfraglen +int  Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)
     -fallback_scsv  Send the fallback SCSV
     -name val  Hostname to use for "-starttls lmtp", "-starttls smtp" or "-starttls xmpp[-server]"
     -CRL infile  CRL file to use
     -crl_download  Download CRL from distribution points
     -CRLform PEM|DER  CRL format (PEM or DER) PEM is default
     -verify_return_error  Close connection on verification error
     -verify_quiet  Restrict verify output to errors
     -brief  Restrict output to brief summary of connection parameters
     -prexit  Print session information when the program exits
     -security_debug  Enable security debug messages
     -security_debug_verbose  Output more security debug output
     -cert_chain infile  Certificate chain file (in PEM format)
     -chainCApath dir  Use dir as certificate store path to build CA certificate chain
     -verifyCApath dir  Use dir as certificate store path to verify CA certificate
     -build_chain  Build certificate chain
     -chainCAfile infile  CA file for certificate chain (PEM format)
     -verifyCAfile infile  CA file for certificate verification (PEM format)
     -nocommands  Do not use interactive command letters
     -servername val  Set TLS extension servername (SNI) in ClientHello (default)
     -noservername  Do not send the server name (SNI) extension in the ClientHello
     -tlsextdebug  Hex dump of all TLS extensions received
     -status  Request certificate status from server
     -serverinfo val  types Send empty ClientHello extensions (comma-separated numbers)
     -alpn val  Enable ALPN extension, considering named protocols supported (comma-separated list)
     -async  Support asynchronous operation
     -ssl_config val  Use specified configuration file
     -max_send_frag +int  Maximum Size of send frames
     -split_send_frag +int  Size used to split data for encrypt pipelines
     -max_pipelines +int  Maximum number of encrypt/decrypt pipelines to be used
     -read_buf +int  Default read buffer size to be used for connections
     -no_ssl3  Just disable SSLv3
     -no_tls1  Just disable TLSv1
     -no_tls1_1  Just disable TLSv1.1
     -no_tls1_2  Just disable TLSv1.2
     -no_tls1_3  Just disable TLSv1.3
     -bugs  Turn on SSL bug compatibility
     -no_comp  Disable SSL/TLS compression (default)
     -comp  Use SSL/TLS-level compression
     -no_ticket  Disable use of TLS session tickets
     -serverpref  Use server's cipher preferences
     -legacy_renegotiation  Enable use of legacy renegotiation (dangerous)
     -no_renegotiation  Disable all renegotiation.
     -legacy_server_connect  Allow initial connection to servers that don't support RI
     -no_resumption_on_reneg  Disallow session resumption on renegotiation
     -no_legacy_server_connect  Disallow initial connection to servers that don't support RI
     -allow_no_dhe_kex  In TLSv1.3 allow non-(ec)dhe based key exchange on resumption
     -prioritize_chacha  Prioritize ChaCha ciphers when preferred by clients
     -strict  Enforce strict certificate checks as per TLS standard
     -sigalgs val  Signature algorithms to support (colon-separated list)
     -client_sigalgs val  Signature algorithms to support for client certificate authentication (colon-separated list)
     -groups val  Groups to advertise (colon-separated list)
     -curves val  Groups to advertise (colon-separated list)
     -named_curve val  Elliptic curve used for ECDHE (server-side only)
     -cipher val  Specify TLSv1.2 and below cipher list to be used
     -ciphersuites val  Specify TLSv1.3 ciphersuites to be used
     -min_protocol val  Specify the minimum protocol version to be used
     -max_protocol val  Specify the maximum protocol version to be used
     -record_padding val  Block size to pad TLS 1.3 records to.
     -debug_broken_protocol  Perform all sorts of protocol violations for testing purposes
     -no_middlebox  Disable TLSv1.3 middlebox compat mode
     -policy val  adds policy to the acceptable policy set
     -purpose val  certificate chain purpose
     -verify_name val  verification policy name
     -verify_depth int  chain depth limit
     -auth_level int  chain authentication security level
     -attime intmax  verification epoch time
     -verify_hostname val  expected peer hostname
     -verify_email val  expected peer email
     -verify_ip val  expected peer IP address
     -ignore_critical  permit unhandled critical extensions
     -issuer_checks  (deprecated)
     -crl_check  check leaf certificate revocation
     -crl_check_all  check full chain revocation
     -policy_check  perform rfc5280 policy checks
     -explicit_policy  set policy variable require-explicit-policy
     -inhibit_any  set policy variable inhibit-any-policy
     -inhibit_map  set policy variable inhibit-policy-mapping
     -x509_strict  disable certificate compatibility work-arounds
     -extended_crl  enable extended CRL features
     -use_deltas  use delta CRLs
     -policy_print  print policy processing diagnostics
     -check_ss_sig  check root CA self-signatures
     -trusted_first  search trust store first (default)
     -suiteB_128_only  Suite B 128-bit-only mode
     -suiteB_128  Suite B 128-bit mode allowing 192-bit algorithms
     -suiteB_192  Suite B 192-bit-only mode
     -partial_chain  accept chains anchored by intermediate trust-store CAs
     -no_alt_chains  (deprecated)
     -no_check_time  ignore certificate validity time
     -allow_proxy_certs  allow the use of proxy certificates
     -xkey infile  key for Extended certificates
     -xcert infile  cert for Extended certificates
     -xchain infile  chain for Extended certificates
     -xchain_build  build certificate chain for the extended certificates
     -xcertform PEM|DER  format of Extended certificate (PEM or DER) PEM default
     -xkeyform PEM|DER  format of Extended certificate's key (PEM or DER) PEM default
     -tls1  Just use TLSv1
     -tls1_1  Just use TLSv1.1
     -tls1_2  Just use TLSv1.2
     -tls1_3  Just use TLSv1.3
     -dtls  Use any version of DTLS
     -timeout  Enable send/receive timeout on DTLS connections
     -mtu +int  Set the link layer MTU
     -dtls1  Just use DTLSv1
     -dtls1_2  Just use DTLSv1.2
     -nbio  Use non-blocking IO
     -psk_identity val  PSK identity
     -psk val  PSK in hex (without 0x)
     -psk_session infile  File to read PSK SSL session from
     -srpuser val  SRP authentication for 'user'
     -srppass val  Password for 'user'
     -srp_lateuser  SRP username into second ClientHello message
     -srp_moregroups  Tolerate other than the known g N values.
     -srp_strength +int  Minimal length in bits for N
     -nextprotoneg val  Enable NPN extension, considering named protocols supported (comma-separated list)
     -engine val  Use engine, possibly a hardware device
     -ssl_client_engine val  Specify engine to be used for client certificate operations
     -ct  Request and parse SCTs (also enables OCSP stapling)
     -noct  Do not request or parse SCTs (default)
     -ctlogfile infile  CT log list CONF file
     -keylogfile outfile  Write TLS secrets to file
     -early_data infile  File to send as early data
     -enable_pha  Enable post-handshake-authentication

openssl s_client usage examples

Use -connect <host>:<port> to connect to a TLS server

Use -connect <host>:<port> to connect to a TLS server and see the TLS handshake process and the server certificate:

    $ openssl s_client -connect www.google.com:443
    CONNECTED(00000005)
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
       i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
     1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
       i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
    issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 3208 bytes and written 281 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305
        Session-ID: EDF30CC8709D2A7E5930E21DF4FC95B10C0438A6BBB64D550C975936B1B2E7B7
        Session-ID-ctx:
        Master-Key: 6C731ACB4248F67690838BE615E945E8D7CDD418794C54F5E33BF7487939EDC0C13DBED09DEC2A95F093F63713250762
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        ...
        Start Time: 1610932834
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    GET / HTTP/1.1
    HTTP/1.1 200 OK
    Date: Mon, 18 Jan 2021 01:20:39 GMT

After connecting, you can send an HTTP request such as GET:

    GET / HTTP/1.1
    Host: google.com

Note

After the GET request line and headers, you need an extra empty line to indicate the end of the request; the server will then send the response back.

Use -showcerts to show all certificates in the chain

By default, only the server’s certificate is printed in the output. To print the whole certificate chain, use -showcerts:

    $ openssl s_client -connect dns.google:853 -showcerts
    CONNECTED(00000006)
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = dns.google
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
       i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
     1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
       i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
    issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 3351 bytes and written 281 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305
        Session-ID: 47BCFDC6F09F1C08656913CAB4851B105FC0366BBDA0469857CF32491EE2459E
        Session-ID-ctx:
        Master-Key: 709A838FB4591838009662B8444D0392728187586EF01A5308004512FA9A78D94FB6A390C136EB772E7AB4B6D5C02801
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        ...
        Start Time: 1610933223
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

Use -servername to pass server name (SNI) to openssl s_client

You can connect to an IP address and pass the server name (SNI) to openssl s_client:

    -servername name  Set TLS extension servername in ClientHello (SNI)

Example of using -servername to pass SNI:

    $ openssl s_client -connect 93.184.216.34:443 -servername example.com
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
    verify return:1
    write W BLOCK
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Los Angeles/O=Internet\xC2\xA0Corporation\xC2\xA0for\xC2\xA0Assigned\xC2\xA0Names\xC2\xA0and\xC2\xA0Numbers/CN=www.example.org
       i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Los Angeles/O=Internet\xC2\xA0Corporation\xC2\xA0for\xC2\xA0Assigned\xC2\xA0Names\xC2\xA0and\xC2\xA0Numbers/CN=www.example.org
    issuer=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3775 bytes and written 727 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : AEAD-AES256-GCM-SHA384
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Start Time: 1680325042
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)

Bonus: use curl to connect to a specific IP for an HTTPS hostname

You can also make curl resolve a hostname to a specific IP. This is very useful when you want to connect to an HTTPS hostname at a specific IP address.

    --resolve <[+]host:port:addr[,addr]...>

    Provide a custom address for a specific host and port pair. Using this, you can make the curl requests(s) use a specified address and prevent the otherwise normally resolved address to be used. Consider it a sort of /etc/hosts alternative provided on the command line. The port number should be the number used for the specific protocol the host will be used for. It means you need several entries if you want to provide address for the same host but different ports.

    By specifying '*' as host you can tell curl to resolve any host and specific port pair to the specified address. Wildcard is resolved last so any --resolve with a specific host and port will be used first.

    The provided address set by this option will be used even if --ipv4 or --ipv6 is set to make curl use another IP version.

    By prefixing the host with a '+' you can make the entry time out after curl's default timeout (1 minute). Note that this will only make sense for long running parallel transfers with a lot of files. In such cases, if this option is used curl will try to resolve the host as it normally would once the timeout has expired.

    This option can be used many times to add many host names to resolve.

    --resolve can be used several times in a command line

    Example:
     curl --resolve example.com:443:127.0.0.1 https://example.com

curl --resolve example:

    $ curl -v https://www.example.com --resolve www.example.com:443:93.184.216.34
    * Added www.example.com:443:93.184.216.34 to DNS cache
    * Hostname www.example.com was found in DNS cache
    *   Trying 93.184.216.34:443...
    * Connected to www.example.com (93.184.216.34) port 443 (#0)
    ...

Use -tls1_2 to test TLS 1.2 support

To force openssl to use TLSv1.2 and check whether the server supports TLS 1.2 (force TLS 1.2):

    $ openssl s_client -connect dns.google:853 -tls1_2
    CONNECTED(00000006)
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = dns.google
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
       i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
     1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
       i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGIjCCBQqgAwIBAgIRAJTRUTehSoT8AwAAAADDI0EwDQYJKoZIhvcNAQELBQAw
    ...
    MnwzXvYoyKQEc4sHj9scMKnXyM9Cgbqh0wGH0eaIscCNIu7ULeU=
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
    issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 3351 bytes and written 281 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305
        Session-ID: CC4A9A166E0DCF512A3206AC219AEFEB0496CBF05FB2EED933CB0AA942DACDD5
        Session-ID-ctx:
        Master-Key: D930863734390E930804BC6818721FFD2416246EA08F7EF4060D2D45FAD6B66640BC2579B56EA3E3C9033DE556FC123E
        TLS session ticket lifetime hint: 100799 (seconds)
        TLS session ticket:
        ...
        Start Time: 1610933457
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

Test TLSv1.3 support

Similar to forcing TLS 1.2, newer openssl versions support the -tls1_3 option to test TLS 1.3 support (force TLS 1.3).

However, not all openssl builds have the -tls1_3 option. An alternative is to use a Docker image with a newer openssl, such as alpine/openssl:

    $ docker run --rm alpine/openssl s_client -connect cloudflare.com:443 -tls1_3
    CONNECTED(00000003)
    depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    verify return:1
    depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
    verify return:1
    DONE
    ---
    Certificate chain
     0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
       i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
     1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
       i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFYTCCBQigAwIBAgIQBsL7pLsusHbY3MmUQqCsHjAKBggqhkjOPQQDAjBKMQsw
    ...
    pu8FAiABVTdpTcSCEnk6WOA1UyiCotlMtX7NDPh8uJcfg1+bgg==
    -----END CERTIFICATE-----
    subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
    issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: ECDSA
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2671 bytes and written 318 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 256 bit
    Secure Renegotiation IS NOT supported
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

Test specific cipher suites for a TLS connection

To test which cipher suites a server supports, first use the openssl ciphers -v command to list the available ciphers:

    $ openssl ciphers -v
    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
    DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
    ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
    ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
    RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
    RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
    AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
    PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
    PSK-CHACHA20-POLY1305 TLSv1.2 Kx=PSK Au=PSK Enc=CHACHA20/POLY1305(256) Mac=AEAD
    RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
    DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
    AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
    PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
    AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA384
    ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(256) Mac=SHA1
    SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(256) Mac=SHA1
    SRP-AES-256-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(256) Mac=SHA1
    RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384
    DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA384
    RSA-PSK-AES256-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA1
    DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    PSK-AES256-CBC-SHA384 TLSv1 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA384
    PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
    ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA256
    ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1
    SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP Au=RSA Enc=AES(128) Mac=SHA1
    SRP-AES-128-CBC-SHA SSLv3 Kx=SRP Au=SRP Enc=AES(128) Mac=SHA1
    RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA256
    DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256
    RSA-PSK-AES128-CBC-SHA SSLv3 Kx=RSAPSK Au=RSA Enc=AES(128) Mac=SHA1
    DHE-PSK-AES128-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA1
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
    PSK-AES128-CBC-SHA256 TLSv1 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA256
    PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1

Note that TLSv1.3 has fewer and stronger cipher options:

    $ openssl ciphers -v | grep v1.3
    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD

Note for TLSv1.3

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 cipher suites. See also RFC 8439: ChaCha20 and Poly1305 for IETF Protocols.

An example of using -ciphersuites to specify the TLS_AES_256_GCM_SHA384 cipher in TLS 1.3:

    $ docker run --rm alpine/openssl s_client -connect www.cloudflare.com:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384'
    CONNECTED(00000003)
    depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    verify return:1
    depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
    verify return:1
    DONE
    ---
    Certificate chain
     0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
       i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
     1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
       i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFYTCCBQigAwIBAgIQBsL7pLsusHbY3MmUQqCsHjAKBggqhkjOPQQDAjBKMQsw
    ...
    pu8FAiABVTdpTcSCEnk6WOA1UyiCotlMtX7NDPh8uJcfg1+bgg==
    -----END CERTIFICATE-----
    subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare.com
    issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: ECDSA
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2672 bytes and written 320 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 256 bit
    Secure Renegotiation IS NOT supported
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

Near the end of the output, the line "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" confirms the negotiated cipher suite.

Note

Key differences between TLS 1.3 and TLS 1.2 and below

TLSv1.3 is a major rewrite of the specification. There was some debate as to whether it should really be called TLSv2.0 - but TLSv1.3 it is. There are major changes and some things work very differently. A brief, incomplete, summary of some things that you are likely to notice follows:

  • There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections.
  • The new ciphersuites are defined differently and do not specify the certificate type (e.g. RSA, DSA, ECDSA) or the key exchange mechanism (e.g. DHE or ECDHE). This has implications for ciphersuite configuration.
  • Clients provide a “key_share” in the ClientHello. This has consequences for “group” configuration.
  • Sessions are not established until after the main handshake has been completed. There may be a gap between the end of the handshake and the establishment of a session (or, in theory, a session may not be established at all). This could have impacts on session resumption code.
  • Renegotiation is not possible in a TLSv1.3 connection.
  • More of the handshake is now encrypted.
  • More types of messages can now have extensions (this has an impact on the custom extension APIs and Certificate Transparency)
  • DSA certificates are no longer allowed in TLSv1.3 connections

Source: https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/

Extract server public certificate

Extract server public certificate into a PEM encoded file:

    $ echo -n | openssl s_client -connect www.example.com:443 -servername www.example.com | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
    $ cat cert.pem
    -----BEGIN CERTIFICATE-----
    MIIG1TCCBb2gAwIBAgIQD74IsIVNBXOKsMzhya/uyTANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQ
    ...
    vUzLnF7QYsJhvYtaYrZ2MLxGD+NFI8BkXw==
    -----END CERTIFICATE-----

Troubleshooting: invalid certificate “Issuer: OU=No SNI provided; please fix your client., CN=invalid2.invalid”

In case you get a certificate like the following:

Issuer: OU=No SNI provided; please fix your client., CN=invalid2.invalid

Try adding -servername <server-dns-name> to the s_client command (see the example above). The -servername val option sets the TLS server name (SNI) extension in the ClientHello.

Decode PEM encoded certificate file

In the previous example, we exported the server public certificate into a PEM encoded file. To view the certificate info, use the following openssl x509 command to dump the certificate content:

    $ openssl x509 -in cert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                02:52:16:e1:c4:99:8e:26:32:aa:5d:1d:a9:85:b4:3c
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1
            Validity
                Not Before: Dec 10 00:00:00 2021 GMT
                Not After : Dec 9 23:59:59 2022 GMT
            Subject: C=US, ST=California, L=Los Angeles, O=Verizon Digital Media Services, Inc., CN=www.example.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a0:30:42:56:d7:0b:a1:11:b9:f3:0b:ec:cc:f2:
                        4c:b0:6f:13:02:6b:cf:07:f3:85:f0:42:8f:c5:54:
                        98:81:6e:7a:93:38:b6:fa:46:42:b3:5c:e6:c9:3b:
                        59:93:61:24:43:20:f5:7a:89:c9:77:ad:ff:87:c8:
                        08:db:86:f5:dc:61:75:96:5f:dc:f0:08:ca:3a:b9:
                        5e:0f:fa:37:7c:65:6a:ca:08:27:1e:9d:d8:0a:3f:
                        9e:10:db:45:25:9a:03:72:ba:f5:27:d9:b0:eb:36:
                        d4:93:39:8c:11:6c:5f:33:14:58:e5:c0:88:c5:1f:
                        7a:21:14:cc:d2:a7:5f:1c:73:1f:d9:03:20:6e:7a:
                        08:ef:17:4e:e3:be:28:c0:4f:e0:71:63:21:04:77:
                        8f:8f:4b:2b:e8:0b:a2:be:97:7e:50:6f:b8:3b:37:
                        63:7f:a4:0c:99:ff:96:a2:c3:7f:ca:7c:21:ba:fd:
                        90:d1:3f:05:a4:34:70:d6:84:8e:a5:00:dc:29:7c:
                        fd:96:cb:43:ae:39:8f:2d:c6:ad:d8:c2:1d:9b:e4:
                        5f:9c:51:9c:8b:fe:6d:49:62:5b:c7:cd:1e:18:96:
                        ce:c6:2a:07:b7:71:80:60:72:ac:57:12:00:90:43:
                        0f:23:be:a9:70:71:d6:e5:7b:85:a3:4d:05:88:21:
                        c7:23
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4
                X509v3 Subject Key Identifier:
                    6D:E0:FA:A4:C8:6F:2B:37:0E:0D:4D:C8:12:9A:D1:07:81:68:60:44
                X509v3 Subject Alternative Name:
                    DNS:www.example.org, DNS:example.net, DNS:example.edu, DNS:example.com, DNS:example.org, DNS:www.example.com, DNS:www.example.edu, DNS:www.example.net
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
                    Full Name:
                      URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.2
                      CPS: http://www.digicert.com/CPS
                Authority Information Access:
                    OCSP - URI:http://ocsp.digicert.com
                    CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
                X509v3 Basic Constraints: critical
                    CA:FALSE
                1.3.6.1.4.1.11129.2.4.2:
                    ...i.g.v.F.U.u.. 0...i..}.,At..I.....p.mG...}...p.....G0E.!...(..Q1k.. ......../C.H..u....... CG .r..7|...S.rIyo.[.......G.....u.A...."FJ...:.B.^N1.....K.h..b......}...<.....F0D. {3No^.}..Dl........E..8..;U.8.... .....F...B.^y.f.|3..4....."..5.%.v...^.h.O.l..._N>Z.....j^.;.. D\*s...}...v.....G0E.!....:.V.3....3..Q..vsC.c;.%w.HM....
        Signature Algorithm: sha256WithRSAEncryption
             a5:54:34:69:fe:fb:03:6b:f1:a8:1d:5a:36:79:59:8f:5c:62:
             a2:63:99:04:d0:63:78:39:56:44:0c:35:a2:62:5c:88:af:7a:
             10:d4:4d:c1:4f:aa:d7:e2:99:39:55:95:5a:df:2c:6c:58:44:
             03:99:af:39:06:a1:08:d4:7f:df:48:28:95:b8:65:43:90:d1:
             60:ec:2a:86:a8:c1:4d:6a:7f:3a:46:4f:06:eb:8f:39:9e:77:
             61:db:2e:54:cf:f0:d8:d0:a5:83:cc:10:82:22:45:05:02:d6:
             25:0a:fb:49:5f:d1:43:aa:e6:62:c9:dc:2a:b7:c8:bf:54:6c:
             ec:a1:61:35:fd:85:ad:39:73:9f:e7:64:7b:e1:c0:23:6f:ca:
             27:b9:45:3e:a3:58:b7:0c:1f:af:61:3d:2d:83:1a:25:6b:f0:
             71:b8:89:5d:56:d4:5d:ff:5f:e1:de:04:eb:04:a3:56:32:62:
             52:08:48:21:c1:ef:60:a2:8e:48:b6:42:20:07:cc:fa:b2:ef:
             51:fd:30:3b:7d:8c:7d:a3:6d:82:95:44:80:d1:27:6d:1e:17:
             66:35:fa:b9:3b:a9:08:f0:2e:80:4c:e3:80:1f:5b:d3:7b:9f:
             a7:84:ba:fd:87:11:69:da:54:1c:a6:a1:48:c7:69:21:33:63:
             27:73:54:e8

Note

A PEM certificate should start with “-----BEGIN CERTIFICATE-----” and end with “-----END CERTIFICATE-----”.
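openssl x509 reads only the first certificate in a file, so a chain captured with -showcerts has to be split before each certificate can be decoded. The following added example (not from the original page; split_chain, cert_summary and make_sample_chain are illustrative names, and the certificates are generated locally) splits a chain and prints selected fields with an expiry check via -checkend instead of the full -text dump:

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative and
# the certificates are generated locally, so nothing here touches the network.

# Write every PEM certificate found on stdin (for example the output of
# `s_client -showcerts`) to "$1/cert-N.pem" and print how many were written.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Print the fields most checks need; return 1 if the certificate expires
# within $2 days (-checkend takes seconds and sets the exit status).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed input: two throwaway self-signed certificates (leaf.example valid
# 5 days, ca.example valid 365 days) surrounded by s_client-style text lines.
make_sample_chain() {
    for spec in leaf.example:5 ca.example:365; do
        echo "---"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.tmp" \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" 2>/dev/null
        echo "verify return:1"
    done
    rm -f "$1/key.tmp"
}

dir=$(mktemp -d)
make_sample_chain "$dir" | split_chain "$dir"
for c in "$dir"/cert-*.pem; do
    cert_summary "$c" 30 || echo "  ^ expires within 30 days"
done
rm -rf "$dir"
```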

Use -starttls to upgrade a plain text connection to an encrypted (TLS or SSL) connection

STARTTLS offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.

Several protocols like SMTP, IMAP, XMPP, NNTP use a command named “STARTTLS” for this purpose. FTP uses the command AUTH TLS.

openssl provides the -starttls prot option to test STARTTLS support:

 -starttls prot - use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently, only "smtp", "lmtp", "pop3", "imap", "ftp" and "xmpp" are supported.

For example, Gmail uses port 587 for STARTTLS connections. Use the following command to test it; the output shows the TLS connection setup process, server certificate, handshake, cipher, etc.

After the connection is established, you can send an SMTP command such as HELO smtp.gmail.com and get a response from the server.

    $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
    CONNECTED(00000005)
    depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
    verify return:1
    depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
    verify return:1
    depth=0 CN = smtp.gmail.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=smtp.gmail.com
       i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
     1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
       i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
     2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEiTCCA3GgAwIBAgIRAPNAL8G1pyR+CgAAAAEl/6IwDQYJKoZIhvcNAQELBQAw
    ...
    dos6Ztuq+2pId4qBas9cdxN8m+eW28cp+XLXNqwwQADdpdZ2Frl627dE3V5wU0GVtE07IhnSNQlCqCIOUg==
    -----END CERTIFICATE-----
    subject=/CN=smtp.gmail.com
    issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, X25519, 253 bits
    ---
    SSL handshake has read 4726 bytes and written 316 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-ECDSA-CHACHA20-POLY1305
        Session-ID: BF8E5684C0E47150A48E865BBB2412E732D0F9F5C615BE9F287124744E57CFF5
        Session-ID-ctx:
        Master-Key: A1685E5E75EF0B2C4104F524B2BEDD81A230687F667150AE14EBFE0AAE72A17B8D4F2FCF93EB096E268F9D0EA658216C
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - 01 6e 80 8a c5 3f 5e fa-a6 a6 9f 24 68 5d f4 61 .n...?^....$h].a
        0010 - bf ff 54 8e 26 a4 ac 05-54 28 3c 88 39 be 08 db ..T.&...T(<.9...
        0020 - 37 3b 5c 7f 49 3e d7 06-19 3a b5 0f 1a 1e 2c 38 7;\.I>...:....,8
        0030 - 28 92 3f c5 dd dc ea 63-d1 27 76 30 46 a4 39 99 (.?....c.'v0F.9.
        0040 - a0 87 cd 64 d6 1b f8 31-81 79 e7 de 8e ed 00 40 ...d...1.y.....@
        0050 - 5b aa 68 2e 1d 1e 28 de-76 94 dc 78 f3 12 db 81 [.h...(.v..x....
        0060 - 04 81 2d 81 7a a8 43 0d-2a 68 fe 4c 82 de 6c 3c ..-.z.C.*h.L..l<
        0070 - e0 8b 9e 67 d7 65 ce c5-3b 39 52 18 a3 d3 8b 82 ...g.e..;9R.....
        0080 - ec 6f 7b a0 e7 ae 15 e0-bb 9c 2b 02 f1 e3 55 b8 .o{.......+...U.
        0090 - b4 6d 5a 18 ad a7 04 dd-38 70 d3 6a 09 91 34 1c .mZ.....8p.j..4.
        00a0 - 5c 64 1c 96 3f 5c 7d 78-9f 03 e9 52 bc 43 8f 32 \d..?\}x...R.C.2
        00b0 - 1b 91 1f dc a9 16 7b cd-72 a5 d9 58 49 d4 02 ca ......{.r..XI...
        00c0 - d2 f1 45 9c ae ab e6 d0-7b 2d 9e a0 94 04 e1 f8 ..E.....{-......
        00d0 - ea e8 9b 0a 21 d4 57 5a-6b df db b4 48 ....!.WZk...H
        Start Time: 1639810577
        Timeout : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    250 SMTPUTF8
    HELO smtp.gmail.com
    250 smtp.gmail.com at your service

Sample error when connecting to a non-TLS server

    $ openssl s_client -connect example.com:80
    Connecting to 93.184.215.14
    CONNECTED(00000005)
    006112F701000000:error:0A0000C6:SSL routines:tls_get_more_records:packet length too long:ssl/record/methods/tls_common.c:655:
    006112F701000000:error:0A000139:SSL routines::record layer failure:ssl/record/rec_layer_s3.c:692:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 326 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
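The plain-text port transcript above still ends with "Verify return code: 0 (ok)", so a script must confirm that a cipher was actually negotiated before trusting that line. The following added example (not from the original page; check_transcript and the sample transcripts are constructed for illustration) classifies s_client output and reads the protocol from the SSL-Session block when the summary line only says TLSv1/SSLv3:

```shell
#!/bin/sh
# Added example: classify a saved `openssl s_client` transcript.
# Prints "<protocol> <cipher> verify=<code>" and returns
#   0 handshake completed and the chain verified
#   1 no TLS handshake; "Verify return code: 0" is then meaningless
#   2 handshake completed but certificate verification failed
#   3 the server sent its "No SNI provided" placeholder certificate
check_transcript() {
    out=$1
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    # Older builds print "New, TLSv1/SSLv3"; the SSL-Session "Protocol" line is exact.
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    [ -n "$proto" ] ||
        proto=$(printf '%s\n' "$out" | sed -n 's/^New, \(.*\), Cipher is .*$/\1/p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$cipher" ] || cipher='(NONE)'
    printf '%s %s verify=%s\n' "${proto:-unknown}" "$cipher" "${code:-unknown}"
    [ "$cipher" != '(NONE)' ] || return 1
    if printf '%s\n' "$out" | grep -q 'No SNI provided'; then return 3; fi
    [ "$code" = 0 ] || return 2
    return 0
}

# Constructed transcripts, shortened from the kinds of output shown on this page.
TLS13_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)'
TLS12_OLD='New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'
PLAINTEXT_PORT='no peer certificate available
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'
NO_SNI='issuer=OU = No SNI provided; please fix your client., CN = invalid2.invalid
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)'

for sample in "$TLS13_OK" "$TLS12_OLD" "$PLAINTEXT_PORT" "$NO_SNI"; do
    check_transcript "$sample" || echo "  -> problem, status $?"
done
# Live use: check_transcript "$(openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1)"
```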

Summary: openssl s_client command examples quick references

  • Test TLS connection:

    openssl s_client -connect www.google.com:443

  • Show all certificates chain:

    openssl s_client -connect dns.google:853 -showcerts

  • Extract server public certificate:

    echo -n | openssl s_client -connect www.example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

  • Use specific version of TLS:

    openssl s_client -connect dns.google:853 -tls1_2

  • Specific ciphersuites for a TLS connection:

    openssl s_client -connect www.cloudflare.com:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384'

  • Use -starttls to upgrade a plain text connection to an encrypted (TLS or SSL) connection:

    openssl s_client -connect smtp.gmail.com:587 -starttls smtp

  • Decode PEM encoded certificate file:

    openssl x509 -in cert.pem -text -noout

  • Use docker to run openssl:

    docker run --rm alpine/openssl s_client -connect cloudflare.com:443 -tls1_3

Article information

Author: Pres. Carey Rath
