=pod =head1 NAME openssl-s_client, s_client - SSL/TLS client program =head1 SYNOPSIS B B [B<-help>] [B<-connect host:port>] [B<-bind host:port>] [B<-proxy host:port>] [B<-unix path>] [B<-4>] [B<-6>] [B<-servername name>] [B<-noservername>] [B<-verify depth>] [B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] [B<-keyform DER|PEM>] [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] [B<-no-CAfile>] [B<-no-CApath>] [B<-requestCAfile filename>] [B<-dane_tlsa_domain domain>] [B<-dane_tlsa_rrdata rrdata>] [B<-dane_ee_no_namechecks>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crl_check>] [B<-crl_check_all>] [B<-explicit_policy>] [B<-extended_crl>] [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] [B<-no_check_time>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] [B<-policy_print>] [B<-purpose purpose>] [B<-suiteB_128>] [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] [B<-no_alt_chains>] [B<-use_deltas>] [B<-auth_level num>] [B<-nameopt option>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] [B<-verify_ip ip>] [B<-verify_name name>] [B<-x509_strict>] [B<-reconnect>] [B<-showcerts>] [B<-debug>] [B<-msg>] [B<-nbio_test>] [B<-state>] [B<-nbio>] [B<-crlf>] [B<-ign_eof>] [B<-no_ign_eof>] [B<-psk_identity identity>] [B<-psk key>] [B<-psk_session file>] [B<-quiet>] [B<-ssl3>] [B<-tls1>] [B<-tls1_1>] [B<-tls1_2>] [B<-tls1_3>] [B<-no_ssl3>] [B<-no_tls1>] [B<-no_tls1_1>] [B<-no_tls1_2>] [B<-no_tls1_3>] [B<-dtls>] [B<-dtls1>] [B<-dtls1_2>] [B<-sctp>] [B<-fallback_scsv>] [B<-async>] [B<-max_send_frag>] [B<-split_send_frag>] [B<-max_pipelines>] [B<-read_buf>] [B<-bugs>] [B<-comp>] [B<-no_comp>] [B<-allow_no_dhe_kex>] [B<-sigalgs sigalglist>] [B<-curves curvelist>] [B<-cipher cipherlist>] [B<-ciphersuites val>] [B<-serverpref>] [B<-starttls protocol>] [B<-xmpphost hostname>] [B<-name hostname>] [B<-engine id>] [B<-tlsextdebug>] [B<-no_ticket>] [B<-sess_out filename>] [B<-sess_in filename>] [B<-rand file...>] [B<-writerand file>] [B<-serverinfo types>] [B<-status>] [B<-alpn protocols>] [B<-nextprotoneg protocols>] [B<-ct>] [B<-noct>] [B<-ctlogfile>] [B<-keylogfile file>] [B<-early_data file>] [B<-force_pha>] [B] =head1 DESCRIPTION The B command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a I useful diagnostic tool for SSL servers. =head1 OPTIONS In addition to the options below the B utility also supports the common and client only options documented in the in the "Supported Command Line Commands" section of the L manual page. =over 4 =item B<-help> Print out a usage message. =item B<-connect host:port> This specifies the host and optional port to connect to. It is possible to select the host and port using the optional target positional argument instead. If neither this nor the target positional argument are specified then an attempt is made to connect to the local host on port 4433. =item B<-bind host:port>] This specifies the host address and or port to bind as the source for the connection. For Unix-domain sockets the port is ignored and the host is used as the source socket address. =item B<-proxy host:port> When used with the B<-connect> flag, the program uses the host and port specified with this flag and issues an HTTP CONNECT command to connect to the desired server. =item B<-unix path> Connect over the specified Unix-domain socket. =item B<-4> Use IPv4 only. =item B<-6> Use IPv6 only. =item B<-servername name> Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. If both this option and the B<-noservername> are not given, the TLS SNI extension is still set to the hostname provided to the B<-connect> option, or "localhost" if B<-connect> has not been supplied. This is default since OpenSSL 1.1.1. Even though SNI name should normally be a DNS name and not an IP address, this option will not make the distinction when parsing B<-connect> and will send IP address if one passed. =item B<-noservername> Suppresses sending of the SNI (Server Name Indication) extension in the ClientHello message. Cannot be used in conjunction with the B<-servername> or <-dane_tlsa_domain> options. =item B<-cert certname> The certificate to use, if one is requested by the server. The default is not to use a certificate. =item B<-certform format> The certificate format to use: DER or PEM. PEM is the default. =item B<-key keyfile> The private key to use. If not specified then the certificate file will be used. =item B<-keyform format> The private format to use: DER or PEM. PEM is the default. =item B<-pass arg> the private key password source. For more information about the format of B see the B section in L. =item B<-verify depth> The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. =item B<-verify_return_error> Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. =item B<-nameopt option> Option which determines how the subject or issuer names are displayed. The B