<?php echo $pageTitle; ?>

# Test TLS connectivity using commandline

Published on 27 October 2021

Testing connectivity with openssl cli using s_client. We are making a TCP connection.

Prerequisite
You need to have openssl installed on your machine.

Testing TLS connection of google.com:

openssl s_client -connect google.com:443

CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<truncated certificate content>
-----END CERTIFICATE-----
subject=CN = *.google.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6661 bytes and written 384 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Common mistakes:

1. Putting a https:// in the front will give you this error

openssl s_client -connect https://google.com
140505260148544:error:2008F002:BIO routines:BIO_lookup_ex:system lib:crypto/bio/b_addr.c:730:Servname not supported for ai_socktype
connect:errno=0

The reason for that is because you want to make a TLS handshake and not initiating a https:// call.

2. Forgetting the port number:
When making a TCP connection, you must provide a valid hostname or ip adress including the port number. You can't initiate a connection without a port number.
If you would do `openssl s_client -connect google.com`, it will hang forever.

The mistake that is been made is that you might get confused with HTTP protocol which hides common port numbers.

So http://google.com is actually http://google.com:80.
and
https://google.nl is translated to https://google.com:443

Tags: Linux