OpenSSL s_server Commands

Create TLS test servers for debugging clients, testing certificates, and validating TLS configurations

Basic Server Setup

Start basic TLS server on port 4433

openssl s_server -accept 4433

Creates a simple TLS server with a self-signed certificate. Listens on port 4433 (default for s_server).

Server with specific certificate and key

openssl s_server -accept 4433 -cert server.crt -key server.key

Use your own certificate and private key instead of the auto-generated self-signed certificate.

Server with certificate chain

openssl s_server -accept 4433 -cert server.crt -key server.key -CAfile chain.pem

Serve complete certificate chain including intermediate certificates. Essential for proper client validation.

Server on standard HTTPS port 443

sudo openssl s_server -accept 443 -cert server.crt -key server.key

Run server on port 443 (requires root/sudo). Useful for testing with browsers that expect standard HTTPS port.

TLS Protocol Versions

TLS 1.3 only

openssl s_server -accept 4433 -tls1_3 -cert server.crt -key server.key

Accept only TLS 1.3 connections. Most secure and modern protocol version.

TLS 1.2 only

openssl s_server -accept 4433 -tls1_2 -cert server.crt -key server.key

Accept only TLS 1.2 connections. Still widely supported and secure when properly configured.

Support multiple TLS versions

openssl s_server -accept 4433 -no_tls1 -no_tls1_1 -cert server.crt -key server.key

Disable old protocols (TLS 1.0, 1.1) while allowing TLS 1.2 and 1.3. Recommended security practice.

Show negotiated protocol version

openssl s_server -accept 4433 -state -cert server.crt -key server.key

Display TLS handshake state changes. Shows negotiated protocol version and cipher suite.

Client Certificate Authentication (mTLS)

Request client certificate (optional)

openssl s_server -accept 4433 -cert server.crt -key server.key -verify 1

Request but don't require a client certificate (lowercase -verify). The connection continues even if the client doesn't provide one.

Require client certificate (mandatory)

openssl s_server -accept 4433 -cert server.crt -key server.key -Verify 1

Require a valid client certificate (capital -Verify). The connection fails if the client doesn't provide one.

Verify client certificate against CA

openssl s_server -accept 4433 -cert server.crt -key server.key -Verify 1 -CAfile client-ca.pem

Require client certificate signed by specific CA. Essential for mutual TLS authentication.

Show client certificate details

openssl s_server -accept 4433 -cert server.crt -key server.key -Verify 5 -showcerts

Display client certificate details during the handshake. The number after -Verify is the maximum chain depth to verify (5 here).

Cipher Suite Configuration

Specify cipher suites (TLS 1.2 and below)

openssl s_server -accept 4433 -cert server.crt -key server.key -cipher 'ECDHE-RSA-AES256-GCM-SHA384'

Allow only specific cipher suite. Useful for testing client cipher support.

Specify TLS 1.3 cipher suites

openssl s_server -accept 4433 -cert server.crt -key server.key -ciphersuites 'TLS_AES_256_GCM_SHA384'

Specify TLS 1.3 cipher suites separately from older versions.

Show available cipher suites

openssl ciphers -v

List all available cipher suites with protocol versions. Use with s_server -cipher option.

High security cipher suites only

openssl s_server -accept 4433 -cert server.crt -key server.key -cipher 'HIGH:!aNULL:!MD5'

Allow only strong cipher suites, exclude anonymous and MD5-based ciphers.

SNI (Server Name Indication)

Enable SNI support

openssl s_server -accept 4433 -cert server.crt -key server.key -servername example.com

Respond to SNI requests for specific hostname. Essential for hosting multiple TLS sites on one IP.

Multiple certificates with SNI

openssl s_server -accept 4433 \
  -cert default.crt -key default.key \
  -servername example.com -cert2 example.crt -key2 example.key

Serve different certificates based on SNI hostname. Use -cert2/-key2 for alternate certificate.

Show SNI information

openssl s_server -accept 4433 -cert server.crt -key server.key -tlsextdebug

Display TLS extension debug information including SNI hostname sent by client.

Session Management and Resumption

Enable session caching

openssl s_server -accept 4433 -cert server.crt -key server.key -sess_out sessions.pem

Save TLS sessions to file. Allows testing session resumption and performance optimization.

Load cached sessions

openssl s_server -accept 4433 -cert server.crt -key server.key -sess_in sessions.pem

Load previous sessions for resumption testing. Clients can resume without full handshake.

Disable session caching

openssl s_server -accept 4433 -cert server.crt -key server.key -no_cache

Disable session caching. Forces full handshake for every connection.

Disable session tickets (RFC 5077)

openssl s_server -accept 4433 -cert server.crt -key server.key -no_ticket

Disable session tickets. By default, tickets are enabled for stateless resumption.

Debugging and Verbose Output

Show TLS handshake details

openssl s_server -accept 4433 -cert server.crt -key server.key -state

Display TLS state machine transitions during handshake. Essential for debugging handshake issues.

Show protocol messages

openssl s_server -accept 4433 -cert server.crt -key server.key -msg

Display all TLS protocol messages in hexadecimal. Shows raw handshake data.

Verbose debug output

openssl s_server -accept 4433 -cert server.crt -key server.key -debug

Show detailed debugging information including certificate chains and verification.

Show server certificate chain

openssl s_server -accept 4433 -cert server.crt -key server.key -showcerts

Display complete certificate chain sent to clients. Verify intermediate certificates are included.

Combined debugging (maximum verbosity)

openssl s_server -accept 4433 -cert server.crt -key server.key -state -msg -debug -showcerts

Enable all debugging flags for comprehensive troubleshooting.

HTTP/WWW Mode

Simple HTTP server mode

openssl s_server -accept 4433 -cert server.crt -key server.key -WWW

Serve local files via HTTPS. Request /path/to/file to retrieve files from current directory.

HTTP mode with status page

openssl s_server -accept 4433 -cert server.crt -key server.key -www

HTTP mode showing connection statistics. Displays SSL/TLS session info on requests.

Test with browser

openssl s_server -accept 4433 -cert server.crt -key server.key -WWW
# Visit https://localhost:4433/ in browser

Start server and test with web browser. Browser will show certificate warnings for self-signed certs.

Advanced Options

Enable OCSP stapling

openssl s_server -accept 4433 -cert server.crt -key server.key -status_file ocsp_response.der

Serve OCSP stapling response from file. Improves client certificate validation performance.

Use Diffie-Hellman parameters

openssl s_server -accept 4433 -cert server.crt -key server.key -dhparam dhparams.pem

Specify custom DH parameters for DHE cipher suites, which provide (perfect) forward secrecy.

Quiet mode (suppress output)

openssl s_server -accept 4433 -cert server.crt -key server.key -quiet

Suppress informational output. Shows only errors and critical messages.

Non-blocking mode

openssl s_server -accept 4433 -cert server.crt -key server.key -nbio

Use non-blocking I/O. Useful for testing client behavior with slow or unreliable connections.

Enable early data (0-RTT) for TLS 1.3

openssl s_server -accept 4433 -cert server.crt -key server.key -early_data

Accept 0-RTT data in TLS 1.3 resumption. Reduces latency, but 0-RTT data can be replayed by an attacker, so only send idempotent requests as early data.

Practical Testing Scenarios

Test TLS client implementation

# Terminal 1: Start server
openssl s_server -accept 4433 -cert server.crt -key server.key -state

# Terminal 2: Connect with client
openssl s_client -connect localhost:4433

Test TLS client by starting server and connecting from another terminal.

Test mutual TLS (mTLS)

# Server requires client certificate
openssl s_server -accept 4433 -cert server.crt -key server.key \
  -Verify 1 -CAfile client-ca.pem

# Client provides certificate
openssl s_client -connect localhost:4433 \
  -cert client.crt -key client.key

Complete mutual TLS test with both server and client authentication.
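A shell harness for the mutual TLS scenario above, added here as an example rather than taken from the page: it builds a throwaway CA, server and client certificate, starts s_server with -Verify, and checks that a client presenting the CA-signed certificate is served while one without is refused. It assumes openssl is on PATH and that the port in $PORT (default 4433) is free; the helper names (make_pki, start_server, try_connect, handshake_summary) and the file names are my own.

```shell
#!/bin/sh
# Added mTLS test harness (example code, not from the original page).
# Assumes openssl is on PATH and the loopback port in $PORT is free.
PORT="${PORT:-4433}"
WORK="$(mktemp -d)"
trap 'kill "${SERVER_PID:-}" 2>/dev/null; rm -rf "$WORK"' EXIT

# Constructed throwaway PKI: one CA signs a server and a client certificate.
make_pki() {
  cd "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
    -keyout ca.key -out ca.crt 2>/dev/null || return 1
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 1 -out "$name.crt" 2>/dev/null || return 1
  done
}
# Capital -Verify makes the client certificate mandatory; -www keeps the
# server running and answers every request with an HTML status page.
start_server() {
  openssl s_server -accept "$PORT" -cert server.crt -key server.key \
    -Verify 1 -CAfile ca.crt -www -quiet </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
}
# Connect with ("with") or without a client certificate; succeed only if the
# server actually served the status page, i.e. the handshake was accepted.
try_connect() {
  if [ "$1" = with ]; then set -- -cert client.crt -key client.key; else set --; fi
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$PORT" \
    -CAfile ca.crt -ign_eof "$@" 2>&1 | grep -q '^HTTP/1.0 200'
}
# Reduce an s_client transcript on stdin to one line: protocol, cipher,
# and the numeric verify return code (0 means the server cert verified).
handshake_summary() {
  awk '/^ *Protocol *:/ {sub(/^[^:]*: */, ""); p=$1}
       /^ *Cipher *:/ {sub(/^[^:]*: */, ""); c=$1}
       /^ *Verify return code:/ {sub(/^[^:]*: */, ""); v=$1}
       END {print "proto=" p " cipher=" c " verify=" v}'
}

if command -v openssl >/dev/null 2>&1 && make_pki && start_server; then
  try_connect with && echo "with client cert: accepted" || echo "with client cert: REJECTED"
  try_connect without && echo "without client cert: ACCEPTED" || echo "without client cert: rejected"
fi
```

Pipe any s_client transcript into handshake_summary to get a one-line summary of what was negotiated; a non-zero verify code means the client did not trust the server certificate.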

Test certificate chain validation

openssl s_server -accept 4433 \
  -cert server.crt -key server.key \
  -CAfile chain.pem -showcerts -state

Verify complete certificate chain is sent to clients and properly validated.

Test cipher suite negotiation

# Server with specific cipher
openssl s_server -accept 4433 -cert server.crt -key server.key \
  -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -state

# Client connects
openssl s_client -connect localhost:4433 -cipher 'ALL'

Test if client can negotiate specific cipher suites with the server.

Important Notes

Not for Production

s_server is a testing tool, not a production web server. Use nginx, Apache, or similar for real deployments.

Security Warnings

Self-signed certificates will trigger browser warnings. For testing with browsers, use tools like mkcert for local trusted certificates.

Port Permissions

Ports below 1024 (like 443) require root/administrator privileges. Use sudo or run on higher ports (4433, 8443).

Single Connection Mode

By default, s_server exits after one connection. Use -www, -WWW, or -HTTP flags for persistent server mode.

Protocol Support

Available protocol versions depend on the OpenSSL version. Use openssl version to check which version you have; TLS 1.3 requires OpenSSL 1.1.1 or later.
