Troubleshooting SSL Connections with the OpenSSL Program

OpenSSL is an open-source toolkit that implements the SSL and TLS protocols. It includes useful utilities such as the openssl command-line program, which helps you test and troubleshoot secure connections to remote servers.

About OpenSSL
The openssl program is ideal for diagnosing SSL or TLS connectivity issues. It can test basic network connections and send protocol-specific commands for in-depth analysis.

Tip: To test non-secure connections, use the telnet program instead.

Installing the OpenSSL Program

  • Linux and macOS: OpenSSL comes preinstalled.

  • Windows: You’ll need to download and install it manually:

    1. Go to https://www.openssl.org/community/binaries.html.

    2. Select OpenSSL for Windows (Pre-compiled Win32/64 libraries without external dependencies).

    3. Download the version that matches your system:

      • 32-bit: Choose a file ending with win32.zip.

      • 64-bit: Choose a file ending with win64.zip.

    4. Extract the ZIP file to any folder.

    5. Open Command Prompt, navigate to that folder with cd, and type openssl to launch the program.

Using OpenSSL to Troubleshoot Connections
Before you begin, you need:

  • The domain name or IP address of the remote server.

  • The port number for the service you want to test.

Establishing a Connection
To test a secure connection, use this command (replace ruachost.com and port with your actual values):

openssl s_client -connect ruachost.com:port

Tip: For a list of port numbers, see List of TCP and UDP port numbers on Wikipedia.

When you run the command:

  • If the server accepts the connection, OpenSSL shows connection details and waits for your input.

  • If the connection fails, you’ll see an error like connect: Connection timed out. Verify the server name and port number.

Troubleshooting SSL Certificates
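You can inspect and verify SSL certificates with OpenSSL. The leading echo closes the input of s_client, so the command returns after the handshake instead of waiting for you to type:

echo | openssl s_client -connect ruachost.com:443 -servername ruachost.com -showcerts | openssl x509 -text -noout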

This command reveals details such as:

  • Certificate Authority (CA) information

  • Expiration date

  • Encryption algorithm

  • Whether it’s self-signed or valid

Tip: Use port 443 for HTTPS or the relevant port for other services like IMAP (993) or POP (995).

If the certificate is self-signed, you’ll see messages like:

verify error:num=18:self signed certificate
verify return:1
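
The verify error lines above can be classified automatically. The following shell functions are an added example, not part of the original article: they read s_client output and report the verification result by its number. The function names, the labels and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the verification result in `openssl s_client` output.

# Map an X.509 verify error number to a short label (labels are made up here).
explain_verify_code() {
    case "$1" in
        0)  echo "ok" ;;
        10) echo "expired" ;;
        18) echo "self-signed" ;;
        19) echo "self-signed-in-chain" ;;
        20) echo "issuer-not-found" ;;
        21) echo "leaf-unverifiable" ;;
        62) echo "hostname-mismatch" ;;
        *)  echo "other-$1" ;;
    esac
}

# Print one label per distinct code found on stdin. Exit status: 0 = verified,
# 1 = verification error, 2 = no verification result in the input.
diagnose_s_client() {
    out=$(cat)
    # Match on the number: the message text differs between OpenSSL releases.
    codes=$(printf '%s\n' "$out" |
        sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | sort -un)
    if [ -z "$codes" ]; then
        # No error lines: fall back to the summary line s_client prints.
        codes=$(printf '%s\n' "$out" |
            sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | sort -un)
    fi
    [ -n "$codes" ] || { echo "no-verify-result"; return 2; }
    status=0
    for c in $codes; do
        explain_verify_code "$c"
        [ "$c" -eq 0 ] || status=1
    done
    return "$status"
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_SELF_SIGNED='depth=0 CN = ruachost.com
verify error:num=18:self signed certificate
verify return:1
    Verify return code: 18 (self signed certificate)'
SAMPLE_OK='depth=0 CN = ruachost.com
verify return:1
    Verify return code: 0 (ok)'

# Live use: openssl s_client -connect ruachost.com:443 -servername ruachost.com </dev/null 2>&1 | diagnose_s_client
printf '%s\n' "$SAMPLE_SELF_SIGNED" | diagnose_s_client || echo "exit status $?"
```

By default s_client continues the handshake after a verify error (the verify return:1 line), so a successful connection alone does not mean the certificate was trusted.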

Troubleshooting HTTPS Connections
To test a secure web server connection:

openssl s_client -connect ruachost.com:443

After connection, you can manually send HTTP commands such as the following. Press Enter on an empty line after the Host header to end the request:

HEAD / HTTP/1.1
Host: ruachost.com

You should receive an HTTP response confirming that the web server is active and responding.

Testing Other Secure Protocols
You can also test:

  • IMAP over SSL (port 993)

  • POP3 over SSL (port 995)

For example, to test IMAP:

openssl s_client -connect ruachost.com:993

If successful, the response will show the SSL handshake details and a line like:

* OK [CAPABILITY IMAP4rev1 ...] Dovecot ready.

This indicates the IMAP server is running and ready to accept commands.

By using these OpenSSL tests, you can quickly verify SSL configuration, diagnose certificate problems, and ensure that your secure connections to ruachost.com (or any domain) are functioning properly.
