RSS

Test TLS Connectivity with OpenSSL Command Line

Use OpenSSL command line to test TLS server connectivity, check server certificate.

Introduction

openssl s_client is a SSL/TLS client program can be used to test TLS server connectivity, check server certificate.

usage: s_client args

 -4            - Force IPv4
 -6            - Force IPv6
 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -proxy host:port - connect to http proxy
 -verify arg   - turn on peer certificate verification
 -cert arg     - certificate file to use, PEM format assumed
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg      - Private key file to use, in cert file if
                 not specified but cert file is.
 -keyform arg  - key format (PEM or DER) PEM default
 -pass arg     - private key file pass phrase source
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -reconnect    - Drop and re-make the connection with the same Session-ID
 -pause        - sleep(1) after each read(2) and write(2) system call
 -showcerts    - show all certificates in the chain
 -debug        - extra output
 -msg          - Show protocol messages
 -nbio_test    - more ssl protocol testing
 -state        - print the 'ssl' states
 -nbio         - Run with non-blocking IO
 -crlf         - convert LF from terminal into CRLF
 -quiet        - no s_client output
 -ign_eof      - ignore input eof (default when -quiet)
 -no_ign_eof   - don't ignore input eof
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1
 -dtls1        - just use DTLSv1
 -mtu          - set the link layer MTU
 -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs         - Switch on all SSL implementation bug workarounds
 -cipher       - preferred cipher to use, use the 'openssl ciphers'
                 command to see what is available
 -starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "lmtp", "pop3", "imap", "ftp" and "xmpp"
                 are supported.
 -xmpphost host - connect to this virtual host on the xmpp server
 -sess_out arg - file to write SSL session to
 -sess_in arg  - file to read SSL session from
 -servername host  - Set TLS extension servername in ClientHello
 -tlsextdebug      - hex dump of all TLS extensions received
 -status           - request certificate status from server
 -no_ticket        - disable use of RFC4507bis session tickets
 -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)
 -groups arg       - specify EC curve groups (colon-separated list)
 -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
 -keymatexport label   - Export keying material using label
 -keymatexportlen len  - Export len bytes of keying material (default 20)

Sample Usage

Use -connect <host>:<port> to connect to a TLS server

$ openssl s_client -connect www.google.com:443
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFkzCCBHugAwIBAgIQUvtF6bzAHyEDAAAAAMMjOTANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
EQYDVQQDEwpHVFMgQ0EgMU8xMB4XDTIwMTIxNTE0MzYxNVoXDTIxMDMwOTE0MzYx
NFowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFzAVBgNVBAMTDnd3
dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqPmk
rg4JZBqxukAqXcsIyoQ7EfkoYZooKy9OGOk0FsbA662QAhRvLyScRnAaKLeT/s1p
lOzLIguQKCl8GkrNJRWjhhG9G95IWGOCuOxjdvRWF5RADpIPbapGAH0awFsO9hlg
VzxsuZC+hHOrAVvUAI5x7tYhz6SYMjsbj0BUz2WzEnSXonY85Zy825rFBjpfJf69
CGJpCx1+T4w7USP7GqsdpI8kNSHfFSbt7Z8U5mdn4LG7tvaMS/oVlcE2P5O09lDT
Yz1+MlxIeQnzSFt0R9S2Xrbv6oNuEdzoqKFXEHcQ+SDcf4Kb5ghpPezjiufwtotR
/gwqXHrMLTZ3lzsMzQIDAQABo4ICXTCCAlkwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGfXwgDfHBsH
oA7W51LPuYfBeHI0MB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGgG
CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAYYfaHR0cDovL29jc3AucGtpLmdvb2cv
Z3RzMW8xY29yZTArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nL2dzcjIvR1RT
MU8xLmNydDAZBgNVHREEEjAQgg53d3cuZ29vZ2xlLmNvbTAhBgNVHSAEGjAYMAgG
BmeBDAECAjAMBgorBgEEAdZ5AgUDMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9j
cmwucGtpLmdvb2cvR1RTMU8xY29yZS5jcmwwggEFBgorBgEEAdZ5AgQCBIH2BIHz
APEAdgD2XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvMTvFk4wAAAXZnC4CJAAAE
AwBHMEUCIERZyIP0GBfWUDPpmMCMVYBgpSKpIQuqnsFo2MoRHDWsAiEA/+nQTy9E
sKLKfzDABLRUz/P+TZGGjM7UVQjtWe/+s+sAdwBc3EOS/uarRUSxXprUVuYQN/vV
+kfcoXOUsl7m9scOygAAAXZnC4C7AAAEAwBIMEYCIQCPyfB8H0em1gHv8QQeF4zN
Hkfv47lQjNsszABWeYXfwwIhAKngHPHb1UKDE3LMF6FYEdsGOK63kdIfUuyWLX0A
UYszMA0GCSqGSIb3DQEBCwUAA4IBAQAbkVw9feVP0maVCLVO/TKFBQWgcQTHtJGI
k2YTSZCSwLYe7Xboae5t6inwKu0yB+bYqUC2itFpv7BCsZv4rPOH6zBHHH2CSlZB
1XI40WrnPwGMr3P1aR2dsUw1gDEXFwgXdFbL/u/9WUjeUogQULSFxqJXrYB693az
96FCwtoSg3+WC5IcEJElDEE0kgS8o5ZyJ4GLmLBYsWcMkbx80/pDf71ylBts63e0
u5k2sQuBcNhIGaRIFmP9SHYXyTtSlaB84RwThgkhr40S3QZWDNiqht2WnM65UHUR
CVEiml3bIKMz+fLaOgroFKQy8uBw7tei+gzbbqqyJbicdgcSDgd3
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3208 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: EDF30CC8709D2A7E5930E21DF4FC95B10C0438A6BBB64D550C975936B1B2E7B7
    Session-ID-ctx:
    Master-Key: 6C731ACB4248F67690838BE615E945E8D7CDD418794C54F5E33BF7487939EDC0C13DBED09DEC2A95F093F63713250762
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 01 56 db 77 af 6f 79 83-c8 d1 36 2b 85 d6 e4 15   .V.w.oy...6+....
    0010 - 25 4e 56 25 b7 1b 2b 3a-18 a8 5b 4a 9d 7b 82 5b   %NV%..+:..[J.{.[
    0020 - 28 73 44 7e a5 74 12 7d-63 56 39 02 7e 74 9c 11   (sD~.t.}cV9.~t..
    0030 - cf c9 d3 a2 b0 c7 42 26-1b 05 ba 70 0b f0 16 78   ......B&...p...x
    0040 - d0 83 8c bd 49 3c b3 f5-e7 49 e8 21 ab 3c 46 9d   ....I<...I.!.<F.
    0050 - 0d 26 2e 3a 86 0b d5 ba-64 c0 59 65 0c 26 cc b6   .&.:....d.Ye.&..
    0060 - 18 3d f4 55 ad fd 82 d0-c1 b0 3e c9 45 65 71 cf   .=.U......>.Eeq.
    0070 - 76 c1 86 fa 85 d0 17 40-48 9f 33 03 64 ad 76 83   [email protected]
    0080 - d5 0a cf 74 2f 71 3d 6b-4d be 55 08 9f a8 87 9b   ...t/q=kM.U.....
    0090 - 03 18 0e 9e 99 bc d5 d6-b8 1c 95 d4 55 27 b3 00   ............U'..
    00a0 - a8 2d 83 c2 1d ee 49 3e-06 a9 98 67 14 68 7e ac   .-....I>...g.h~.
    00b0 - dd 95 85 55 4e 56 b8 88-e2 71 98 8d c4 93 e9 65   ...UNV...q.....e
    00c0 - 31 0e b7 9a 87 bd 90 9d-dc 8e e5 d2 6a 34 16 53   1...........j4.S
    00d0 - dd 71 d3 70 62 d7 b6 43-81 96 3f b9 7b            .q.pb..C..?.{

    Start Time: 1610932834
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.1

HTTP/1.1 200 OK
Date: Mon, 18 Jan 2021 01:20:39 GMT

Use -showcerts to show all certificates in the chain:

$ openssl s_client -connect dns.google:853 -showcerts
CONNECTED(00000006)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = dns.google
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
-----BEGIN CERTIFICATE-----
MIIGIjCCBQqgAwIBAgIRAJTRUTehSoT8AwAAAADDI0EwDQYJKoZIhvcNAQELBQAw
QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMDEyMTUxNDM2MjZaFw0yMTAzMDkxNDM2
MjVaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRMwEQYDVQQDEwpk
bnMuZ29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv/ulxhYN
FowGZ+8VIk8eIWsj/tHekcfTtmtIP9KgdhyXlmXXlntHx330XiX9UfCSfbnu3UP5
Za/BM8rRm+3yVCsi0QVU+mey35hLLdBaKvdmrTQkYIdVhHDWGQN8C1f6UGq8nNPN
X7HLyxxXa03vEpLvtaSzULVprYfppGlqDLvUqqVbF9loTtZp6sdtPYAM0j8O71SK
DnUCdMu3WGPEhK2ImyUdk6Oq+CFueRNLbBL6Lfkd1NWLyebpbKQcMNmSbQfphZga
4WXmfhXWF5Vblyn4FBxarw96O1FDX/jUdOFbKRfR0GxvhS5Qt+dPEhom52JdTth6
dfLtmbvdnqPcAwIDAQABo4IC7zCCAuswDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJrgW406vF0JgE8F
CJd5Cgc1/RDOMB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGgGCCsG
AQUFBwEBBFwwWjArBggrBgEFBQcwAYYfaHR0cDovL29jc3AucGtpLmdvb2cvZ3Rz
MW8xY29yZTArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nL2dzcjIvR1RTMU8x
LmNydDCBrAYDVR0RBIGkMIGhggpkbnMuZ29vZ2xlghAqLmRucy5nb29nbGUuY29t
ggs4ODg4Lmdvb2dsZYIOZG5zLmdvb2dsZS5jb22CEGRuczY0LmRucy5nb29nbGWH
ECABSGBIYAAAAAAAAAAAAGSHECABSGBIYAAAAAAAAAAAZGSHECABSGBIYAAAAAAA
AAAAiESHECABSGBIYAAAAAAAAAAAiIiHBAgIBASHBAgICAgwIQYDVR0gBBowGDAI
BgZngQwBAgIwDAYKKwYBBAHWeQIFAzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v
Y3JsLnBraS5nb29nL0dUUzFPMWNvcmUuY3JsMIIBAwYKKwYBBAHWeQIEAgSB9ASB
8QDvAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF2ZwuscwAA
BAMARjBEAiAWqt7W7bSnzvbUwayFoEbGWagFR2K+itqZCW5NF4WG2AIgJ38Z6+ZF
eCnzIrOcZejKC/uj095tb1fIhhALpfNJEMIAdgCUILwejtWNbIhzH4KLIiwN0dpN
XmxPlD1h204vWE2iwgAAAXZnC6x9AAAEAwBHMEUCIQC/+FJmLcs2ijzNDaw8spRE
y5+9x53+ZzSUS55Dvun5GQIgV7cuRxpIdZ80U4d4B8zXliMiCMX2ppZ11R2Yof27
/5cwDQYJKoZIhvcNAQELBQADggEBADuBZ8NVva0NDcVcBDsy571lS/05TbHvq9u4
xzbqIwEjrX8LhJpEs9n/ZNcClzS63laDGSB8NtOLy1X4BIUoQXOBZ59Nhm43bJCO
ObwlZVOJvU8tQ3RajQeJ6vvBQEFtbTxPAphjrPWcrmt5Rn4nIToHRApd8SPgBAXo
e+T9S2MKFJh7M18VcSUpi8qUphwKoc3w1AMcZnrbM2WE6xdY/7H48pVijdNgyMau
VwAMTKh7a2fEs6/jAZHWbAnjtQQc3ltOWZO/h7MbG38TKbvTud8+JZQdcwCM5cS5
MnwzXvYoyKQEc4sHj9scMKnXyM9Cgbqh0wGH0eaIscCNIu7ULeU=
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv
UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr
mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac
xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK
FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X
rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV
HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G
A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl
BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp
MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g
BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y
ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H
TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN
FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz
mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW
IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ
USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3351 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 47BCFDC6F09F1C08656913CAB4851B105FC0366BBDA0469857CF32491EE2459E
    Session-ID-ctx:
    Master-Key: 709A838FB4591838009662B8444D0392728187586EF01A5308004512FA9A78D94FB6A390C136EB772E7AB4B6D5C02801
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 01 67 b1 01 e7 5c 56 42-e2 25 d6 67 47 3f 8f af   .g...\VB.%.gG?..
    0010 - 08 79 f0 be d4 87 3a 6b-3b ab f3 a8 01 15 11 ce   .y....:k;.......
    0020 - f5 f6 db 3f 2d 8a f3 35-28 1c b1 6a 45 7a a8 4b   ...?-..5(..jEz.K
    0030 - 83 94 92 80 98 93 65 6d-45 4b 67 e0 e8 b6 42 3b   ......emEKg...B;
    0040 - ab 67 b2 a3 4f 39 a4 8a-79 07 a5 24 ae da e5 93   .g..O9..y..$....
    0050 - 62 d6 ec 48 ef da 9b b1-4a 21 40 ac 9a 79 ba f4   [email protected]
    0060 - 77 62 7e 6f 0b a6 df 32-21 e0 05 55 26 3e 1a 6e   wb~o...2!..U&>.n
    0070 - 2a 27 0f df 93 e2 4b a2-6f d6 4f c1 a5 45 2c 9e   *'....K.o.O..E,.
    0080 - 1e 27 70 b1 02 c7 6c a5-7c 2a eb 5d 87 80 b8 c9   .'p...l.|*.]....
    0090 - 7e d0 86 f4 2a de 5a 5b-f4 85 8e db 5b 8a 27 68   ~...*.Z[....[.'h
    00a0 - 4a f6 48 7a d7 d7 9d 7e-44 07 a9 46 f8 ec 38 93   J.Hz...~D..F..8.
    00b0 - 23 92 b4 d0 b6 d8 2c ac-46 ad 12 4b 59 31 8e 6a   #.....,.F..KY1.j
    00c0 - 8e 2c 4d ad 39 2f 67 33-2b 40 46 ad 27 62 ba 25   .,M.9/[email protected]'b.%
    00d0 - 2f 52 60 a4 74 71 98 d0-f7 6d 3d db 65            /R`.tq...m=.e

    Start Time: 1610933223
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Use -tls1_2 TLS 1.2 only:

$ openssl s_client -connect dns.google:853 -tls1_2
CONNECTED(00000006)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = dns.google
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGIjCCBQqgAwIBAgIRAJTRUTehSoT8AwAAAADDI0EwDQYJKoZIhvcNAQELBQAw
QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMDEyMTUxNDM2MjZaFw0yMTAzMDkxNDM2
MjVaMGQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRMwEQYDVQQDEwpk
bnMuZ29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv/ulxhYN
FowGZ+8VIk8eIWsj/tHekcfTtmtIP9KgdhyXlmXXlntHx330XiX9UfCSfbnu3UP5
Za/BM8rRm+3yVCsi0QVU+mey35hLLdBaKvdmrTQkYIdVhHDWGQN8C1f6UGq8nNPN
X7HLyxxXa03vEpLvtaSzULVprYfppGlqDLvUqqVbF9loTtZp6sdtPYAM0j8O71SK
DnUCdMu3WGPEhK2ImyUdk6Oq+CFueRNLbBL6Lfkd1NWLyebpbKQcMNmSbQfphZga
4WXmfhXWF5Vblyn4FBxarw96O1FDX/jUdOFbKRfR0GxvhS5Qt+dPEhom52JdTth6
dfLtmbvdnqPcAwIDAQABo4IC7zCCAuswDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJrgW406vF0JgE8F
CJd5Cgc1/RDOMB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGgGCCsG
AQUFBwEBBFwwWjArBggrBgEFBQcwAYYfaHR0cDovL29jc3AucGtpLmdvb2cvZ3Rz
MW8xY29yZTArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nL2dzcjIvR1RTMU8x
LmNydDCBrAYDVR0RBIGkMIGhggpkbnMuZ29vZ2xlghAqLmRucy5nb29nbGUuY29t
ggs4ODg4Lmdvb2dsZYIOZG5zLmdvb2dsZS5jb22CEGRuczY0LmRucy5nb29nbGWH
ECABSGBIYAAAAAAAAAAAAGSHECABSGBIYAAAAAAAAAAAZGSHECABSGBIYAAAAAAA
AAAAiESHECABSGBIYAAAAAAAAAAAiIiHBAgIBASHBAgICAgwIQYDVR0gBBowGDAI
BgZngQwBAgIwDAYKKwYBBAHWeQIFAzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v
Y3JsLnBraS5nb29nL0dUUzFPMWNvcmUuY3JsMIIBAwYKKwYBBAHWeQIEAgSB9ASB
8QDvAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF2ZwuscwAA
BAMARjBEAiAWqt7W7bSnzvbUwayFoEbGWagFR2K+itqZCW5NF4WG2AIgJ38Z6+ZF
eCnzIrOcZejKC/uj095tb1fIhhALpfNJEMIAdgCUILwejtWNbIhzH4KLIiwN0dpN
XmxPlD1h204vWE2iwgAAAXZnC6x9AAAEAwBHMEUCIQC/+FJmLcs2ijzNDaw8spRE
y5+9x53+ZzSUS55Dvun5GQIgV7cuRxpIdZ80U4d4B8zXliMiCMX2ppZ11R2Yof27
/5cwDQYJKoZIhvcNAQELBQADggEBADuBZ8NVva0NDcVcBDsy571lS/05TbHvq9u4
xzbqIwEjrX8LhJpEs9n/ZNcClzS63laDGSB8NtOLy1X4BIUoQXOBZ59Nhm43bJCO
ObwlZVOJvU8tQ3RajQeJ6vvBQEFtbTxPAphjrPWcrmt5Rn4nIToHRApd8SPgBAXo
e+T9S2MKFJh7M18VcSUpi8qUphwKoc3w1AMcZnrbM2WE6xdY/7H48pVijdNgyMau
VwAMTKh7a2fEs6/jAZHWbAnjtQQc3ltOWZO/h7MbG38TKbvTud8+JZQdcwCM5cS5
MnwzXvYoyKQEc4sHj9scMKnXyM9Cgbqh0wGH0eaIscCNIu7ULeU=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3351 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: CC4A9A166E0DCF512A3206AC219AEFEB0496CBF05FB2EED933CB0AA942DACDD5
    Session-ID-ctx:
    Master-Key: D930863734390E930804BC6818721FFD2416246EA08F7EF4060D2D45FAD6B66640BC2579B56EA3E3C9033DE556FC123E
    TLS session ticket lifetime hint: 100799 (seconds)
    TLS session ticket:
    0000 - 01 56 db 77 af 6f 79 83-c8 d1 36 2b 85 d6 e4 15   .V.w.oy...6+....
    0010 - 33 3f 32 e0 90 c3 24 14-82 99 16 4f 2a 5e f9 e7   3?2...$....O*^..
    0020 - d0 30 fb 52 60 0c 16 f3-5b 72 7e ca 82 f3 66 2b   .0.R`...[r~...f+
    0030 - 4e 4d 18 ed 2c ed 96 39-47 61 7f 24 df 17 5c 32   NM..,..9Ga.$..\2
    0040 - 92 f5 07 2b ed 9b 19 67-05 c0 c2 e8 89 51 18 dc   ...+...g.....Q..
    0050 - f4 2e 67 68 64 18 b2 cb-cf 20 ca 0c 1a 3b 96 60   ..ghd.... ...;.`
    0060 - 39 4d 51 b7 90 ba 6e 4d-6e 36 34 d5 a6 fe 5e 56   9MQ...nMn64...^V
    0070 - 2f 7d bf 12 c6 22 59 6a-7c 91 79 a6 6a 25 59 dd   /}..."Yj|.y.j%Y.
    0080 - ce b1 43 25 e2 dc ca 90-f4 99 47 07 0b eb fb d8   ..C%......G.....
    0090 - 7e 3a 2a 3d 77 fd 9a d1-c1 a8 3e 7d 6a 67 78 1e   ~:*=w.....>}jgx.
    00a0 - dc d9 ef 52 20 7b e9 10-a9 ab 66 c6 c1 a2 de dd   ...R {....f.....
    00b0 - 53 67 0d 56 17 1b d8 6f-20 2c cf e8 b9 77 26 f5   Sg.V...o ,...w&.
    00c0 - 52 ce 7d d5 71 87 60 4e-b8 76 cb 3c 47 1e 71 b0   R.}.q.`N.v.<G.q.
    00d0 - fc 1a c9 c3 75 a4 95 f7-8d 33 b5 2f e0            ....u....3./.

    Start Time: 1610933457
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Extract server certificate

$ echo -n | openssl s_client -connect www.example.com:443    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

$ cat cert.pem
-----BEGIN CERTIFICATE-----
MIIG1TCCBb2gAwIBAgIQD74IsIVNBXOKsMzhya/uyTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSkwJwYDVQ...
vUzLnF7QYsJhvYtaYrZ2MLxGD+NFI8BkXw==
-----END CERTIFICATE-----

Sample error when connect to non-TLS server

$ openssl s_client -connect google.com:80
CONNECTED(00000005)
4436717228:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1610933751
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

References