How-to guide

Test SSL/TLS connections with OpenSSL on Windows

openssl s_client is the most useful tool for diagnosing TLS issues on Windows. Connect to any server, inspect certificates, test specific TLS versions and cipher suites, and debug handshake failures — all from the command line.

Connect to an HTTPS server

cmd.exe
# Basic HTTPS connection:
C:\> openssl s_client -connect example.com:443
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
depth=1 C=US, O=Let's Encrypt, CN=R10
depth=0 CN=example.com
Verify return code: 0 (ok)
---
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384

Press Ctrl+C to close the connection, or type Q and Enter.

Inspect server certificates

cmd.exe
# Show certificate details (suppress connection noise):
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -text
# Check expiry date:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -dates
notBefore=Apr 1 00:00:00 2026 GMT
notAfter=Jun 30 23:59:59 2026 GMT
# Subject and issuer:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -noout -subject -issuer
# Save server cert to file:
C:\> openssl s_client -connect example.com:443 2>nul | openssl x509 -out server.pem
# Show full certificate chain:
C:\> openssl s_client -connect example.com:443 -showcerts 2>nul
In PowerShell, replace 2>nul with 2>$null.

Test specific TLS versions and ciphers

cmd.exe
# Force TLS 1.3:
C:\> openssl s_client -connect example.com:443 -tls1_3
# Force TLS 1.2:
C:\> openssl s_client -connect example.com:443 -tls1_2
# Test a specific cipher suite (-cipher applies to TLS 1.2 and below; TLS 1.3 suites are set with -ciphersuites):
C:\> openssl s_client -connect example.com:443 -cipher "ECDHE-RSA-AES256-GCM-SHA384"
# Show the cipher negotiated for this connection (s_client reports only that one; use nmap or sslyze for a comprehensive scan of supported ciphers):
C:\> openssl s_client -connect example.com:443 2>nul | findstr "Cipher"
Cipher : TLS_AES_256_GCM_SHA384

Server Name Indication (SNI)

For servers hosting multiple certificates (virtual hosting), always include -servername to send the SNI extension — otherwise you may get the wrong certificate:

cmd.exe
C:\> openssl s_client -connect example.com:443 -servername example.com 2>nul | openssl x509 -noout -subject
subject=CN=example.com

SMTP, IMAP and other TLS protocols

cmd.exe
# SMTP with STARTTLS:
C:\> openssl s_client -connect mail.example.com:587 -starttls smtp
# IMAP with STARTTLS:
C:\> openssl s_client -connect mail.example.com:143 -starttls imap
# IMAPS (implicit TLS):
C:\> openssl s_client -connect mail.example.com:993
# LDAPS:
C:\> openssl s_client -connect ldap.example.com:636

Troubleshoot handshake failures

Verify return code: 20 (unable to get local issuer certificate)
The server's certificate chain is incomplete, or your system CA bundle is missing the intermediate certificate. Try adding -showcerts to see the full chain, and check if the intermediate cert is present.
Verify return code: 10 (certificate has expired)
The server's certificate has expired. Check the dates with openssl x509 -noout -dates. The server admin needs to renew the certificate.
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
TLS version mismatch. The server may not support the TLS version you are negotiating. Try -tls1_2 or -tls1_3 explicitly. Also check if the server requires SNI with -servername.
Connection refused or timeout
The server is not listening on that port, a firewall is blocking the connection, or the hostname is wrong. Verify with Test-NetConnection -ComputerName example.com -Port 443 in PowerShell.
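
A triage helper for the failure cases listed above, as an added example that is not part of the original guide: it parses captured s_client output and returns the verified chain, negotiated protocol and cipher, verify code and the matching hint. The function name Get-TlsTriage and the sample capture are constructed for illustration.

```powershell
# Added example, not from the original guide. Get-TlsTriage is a hypothetical name.
# Capture real output from cmd.exe (depth= lines go to stderr, hence 2>&1):
#   openssl s_client -connect example.com:443 -servername example.com <nul >out.txt 2>&1
# then: Get-TlsTriage -Text (Get-Content out.txt -Raw)
function Get-TlsTriage {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)

    $connected = $Text -match '(?m)^CONNECTED\('
    # "depth=N <subject>" lines show the chain as s_client verified it.
    $chain = @([regex]::Matches($Text, '(?m)^depth=(\d+)\s+(.+?)\s*$') |
        ForEach-Object { '{0}: {1}' -f $_.Groups[1].Value, $_.Groups[2].Value })
    # Session summary lines, e.g. "Protocol  : TLSv1.3".
    $protocol = if ($Text -match '(?m)^\s*Protocol\s*:\s*(\S+)') { $Matches[1] }
    $cipher   = if ($Text -match '(?m)^\s*Cipher\s*:\s*(\S+)')   { $Matches[1] }
    $code     = if ($Text -match 'Verify return code:\s*(\d+)')   { [int]$Matches[1] }

    # Check the most fundamental failure first, then the verify codes from the list above.
    if (-not $connected) {
        $hint = 'No connection: check hostname, port and firewall (Test-NetConnection).'
    } elseif ($Text -match 'alert handshake failure') {
        $hint = 'Handshake rejected: retry with -tls1_2 or -tls1_3, and add -servername.'
    } elseif ($code -eq 20) {
        $hint = 'Issuer not found: re-run with -showcerts and look for the intermediate.'
    } elseif ($code -eq 10) {
        $hint = 'Certificate expired: confirm with openssl x509 -noout -dates.'
    } elseif ($code -eq 0) {
        $hint = 'Chain verified.'
    } else {
        $hint = 'Not covered by this guide: read the verify error text in the output.'
    }

    [pscustomobject]@{
        Connected = $connected; Chain = $chain; Protocol = $protocol
        Cipher = $cipher; VerifyCode = $code; Hint = $hint
    }
}

# Constructed sample: an abbreviated capture for a server that omits its intermediate.
$sample = @'
CONNECTED(00000003)
depth=0 CN=example.com
Verify return code: 20 (unable to get local issuer certificate)
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
'@
Get-TlsTriage -Text $sample | Format-List
```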
