If you have a server which accepts SSL connections and would like to verify that server, OpenSSL has a command that implements a generic SSL/TLS client which connects to a remote host. It is a useful diagnostic utility when you don't want to use a full-featured client to test the SSL connection.
When you run the client you will see the response from the server, typically the results of the SSL handshake. Here's a typical openssl command to start a test client and the resulting response from a test server:
> openssl s_client -connect localhost:9000 -CApath /etc/grid-security/certificates
CONNECTED(00000003)
depth=0 /C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu
i:/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdTCCAt6gAwIBAgIJAI+DwwKU64gxMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsG
A1UEChMETkNTQTEaMBgGA1UEAxMRd3d3Lm5jc2EudWl1Yy5lZHUxJjAkBgkqhkiG
9w0BCQEWF3dlYm1hc3RlckBuY3NhLnVpdWMuZWR1MB4XDTA2MDMwNzE5MTU0NloX
DTA3MDMwNzE5MTU0NlowgYQxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9p
czEPMA0GA1UEBxMGVXJiYW5hMQ0wCwYDVQQKEwROQ1NBMRowGAYDVQQDExF3d3cu
bmNzYS51aXVjLmVkdTEmMCQGCSqGSIb3DQEJARYXd2VibWFzdGVyQG5jc2EudWl1
Yy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANXMAH439JNT5EMs6+Jg
c8wYNMjakffoRqIohYRb2jJpmaFtCBTskK/dzMcuAjc0/O74qcuSbeL1dJknNJQu
2KoK8teJC0/wnltrt6Wt3mi11Es3REnukn94YvMjPiTcLqyCdybJzIFQIwpUs+2c
pSCkHPrds+5XDtm6QSeb1qzjAgMBAAGjgewwgekwHQYDVR0OBBYEFJ0f4iq9saQ1
Br+bbfj/6mO1KGpHMIG5BgNVHSMEgbEwga6AFJ0f4iq9saQ1Br+bbfj/6mO1KGpH
oYGKpIGHMIGEMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNV
BAcTBlVyYmFuYTENMAsGA1UEChMETkNTQTEaMBgGA1UEAxMRd3d3Lm5jc2EudWl1
Yy5lZHUxJjAkBgkqhkiG9w0BCQEWF3dlYm1hc3RlckBuY3NhLnVpdWMuZWR1ggkA
j4PDApTriDEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCbdDKNLTJ4
bJvybjjAqdGzWvu7rX6RExZYm0RuJGK8XSb2CuNhaY/Y7Dp3k2Nb4P9spZlYP9qR
ZDmx2lUPhL5SEKLSbTk+Grsj4GdxknkT7+8c58mNHTCnxF3XLMk016hYRc+SFiK7
VaoZ9xdS3g7vKvRO9a+kWD3C3j+ceKaf+g==
-----END CERTIFICATE-----
subject=/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu
issuer=/C=US/ST=Illinois/L=Urbana/O=NCSA/CN=www.ncsa.uiuc.edu/emailAddress=webmaster@ncsa.uiuc.edu
---
No client certificate CA names sent
---
SSL handshake has read 1325 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8B3CE529A77AE42B854B0A4A2083BF5E75DB0BE9B8E2847479441F4F70AEA8E6
Session-ID-ctx:
Master-Key: BBEDB1ABC87B9E0B7D3576FFD8FC24E4E432E809D881189A7159EA5DA12211E9329C7B422078041F67D0847498AF27DB
Key-Arg : None
Start Time: 1141759882
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
You can see here that the server is using a self-signed certificate. Upon successful connection, the SSL channel is typically left open. Anything you type at this point will be sent to the server. To quit the client, you can either type <CTRL>-C or the single character “Q”. There are many other options for the test client, such as using a client certificate, disabling certain SSL or TLS protocols, etc. For a full list of command line options, run man s_client.