It verifies whether the decrypted value is equal to the computed hash. We can simply check a remote TLS/SSL connection with s_client. The -prexit option is a bit of a hack. The private key format to use: DER or PEM. The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. OpenSSL can be used for validation in the event plugin 51192 'SSL Certificate cannot be trusted' unexpectedly finds unknown certificates on a port: # openssl s_client -connect : Verify whether a particular cipher is accepted on a URL: openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443. openssl.exe s_client -connect www.itsfullofstars.de:443 Output: Loading 'screen' into random state - done CONNECTED(000001EC) depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV … As a result it will accept any certificate chain (trusted or not) sent by the peer. This specifies the maximum length of the server certificate chain and turns on server certificate verification. This is normally because the server is not sending the client's certificate authority in its "acceptable CA list" when it requests a certificate. When used interactively (which means neither -quiet nor -ign_eof have been given), the session will be renegotiated if the line begins with an R, and if the line begins with a Q or if end of file is reached, the connection will be closed down. * Entering the openssl version command lets you check the currently installed version. The engine will then be set as the default for all available algorithms. In this example, we will disable SSLv2 connections with the following command. But s_client does not respond to either switch, so it's unclear how hostname checking will be implemented or invoked for a client. -ssl2, -ssl3, -tls1, and -dtls1 are all choices here.
Because this program has a lot of options and also because some of the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. Use the openssl s_client -connect flag to display diagnostic information about the SSL connection to the server. See the ciphers command for more information. Enough theory, let's apply this IRL. For openssl s_client the docs say: -quiet: inhibit printing of session and certificate information. If it is to check the SSL certificate (which is why I came across your question), it still doesn't work with s_client, as Magnus pointed out 7 years ago. If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. Check TLS/SSL of a website. If we want to validate that a given host has its SSL/TLS certificate trusted by us, we can use the s_client subcommand to perform a verification check (note that you'll need to press ^C to exit): openssl s_client -connect ldap-host:636 -showcerts. We will provide the web site with the HTTPS port number. openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg] [-ignore_critical] [-attime timestamp] [-check_ss_sig] [-CRLfile file] [-crl_download] [-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any] [-inhibit_map] [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print] [-no_alt_chains] [-allow_proxy_certs] [-untrusted file] [-help] [-issuer_checks] [-trusted file] [-verbose] [-] [certificates] The OpenSSL Change Log for OpenSSL 1.1.0 states you can use the -verify_name option, and apps.c offers -verify_hostname.
openssl s_client [-connect host:port] [-verify depth] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename] [-reconnect] [-pause] [-showcerts] [-debug] [-msg] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-bugs] [-cipher cipherlist] [-starttls protocol] [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename] [-sess_in filename] [-rand file(s)] -> This is a very useful diagnostic tool for SSL. I try $ openssl s_client -connect www.google.com:443 but openssl complains that the cert chain is invalid: $ openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=2 C = US, O = The -no_alt_chains option was first added to OpenSSL 1.0.2b. Verify a certificate chain with OpenSSL. For a list of all curves, use: This allows the cipher list sent by the client to be modified. Command options: s_client: Implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. -connect: Specifies the host and optional port to connect to. -showcerts: Displays the server certificate list as sent by the server. s_client is a tool used to connect to, check and list HTTPS and TLS/SSL related information. If you are working on security findings and pen test results show that some weak ciphers are accepted, then to validate this you can use the above command. # openssl help Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr gendsa genpkey genrsa help list nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp storeutl ts verify version x509 Message Digest commands (see the `dgst' … This implicitly turns on -ign_eof as well. Set the TLS SNI (Server Name Indication) extension in the ClientHello message. You didn't specify why you wanted to use s_client.
openssl s_client -connect :443. If you have a revoked certificate, you can also test it the same way as stated above. We now have all the data we need to validate the certificate. Since the SSLv23 client hello cannot include compression methods or extensions, these will only be supported if its use is disabled, for example by using the -no_sslv2 option. Use ssh with certificate-based authentication. Create a subordinate CA signed for client certificates. How to get ldapsearch working on SLES over TLS using a certificate? Use the PSK key key when using a PSK cipher suite. So I figured I'd put a couple of common options down on paper for future use. You are in /apps. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". # openssl x509 -in cert.pem -out rootcert.crt. Shut down the connection when end of file is reached in the input. We can specify the cipher with the -cipher option like below. Use OpenSSL to connect to an HTTPS server (using my very own one here in the example). To obtain the list in this case it is necessary to use the -prexit option and send an HTTP request for an appropriate page. -> s_client is a command that implements a generic SSL/TLS client for connecting to a remote host that uses SSL/TLS. The information will include the server's certificate chain, printed as subject and issuer. Non-test applications should not do this as it makes them vulnerable to a MITM attack. The private key to use.
If you rely on the “Verify return code: 0 (ok)” to make your decision that a connection to a server is secure, you might as well not use SSL at all. Adding this option enables various workarounds. Multiple files can be specified separated by an OS-dependent character. The example below shows how to connect to a domain using the TLS 1.2 protocol. 2. openssl s_client -showcerts -ssl2 -connect www.domain.com:443 You can also present a client certificate if you are attempting to debug issues with a connection that requires one. s_client can be used to debug SSL servers. The basic and most popular use case for s_client is just connecting to a remote TLS/SSL website. OpenSSL provides different features and tools for SSL/TLS related operations. $ openssl s_client -showcerts -connect example.com:443 < /dev/null | sed -ne '/-BEGIN/,/-END/p' | certtool --verify Loaded system trust (154 CAs available) Subject: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US Signature algorithm: RSA-SHA256 Output: Not verified. We will use the following command. Verify open ports using OpenSSL: OpenSSL can be used to verify if a port is listening, accepting connections, and if an SSL certificate is present. Our v7 server has a valid LE certificate. Print extensive debugging information including a hex dump of all traffic. Set various certificate chain validation options. This is interactive. To create a full circle, we'll make sure our s_server is actually working by accessing it via openssl s_client: $ openssl s_client -connect localhost:44330 CONNECTED(00000003) depth=0 C = NL, ST = Utrecht, L = Utrecht, O = Company, OU = Unit, CN = localhost verify error:num=18:self signed certificate verify return:1 … openssl-s_client, s_client - SSL/TLS client program ...
For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1). -verify depth The verify depth to use. Pauses 1 second between each read and write call. Currently, the only supported keywords are "smtp", "pop3", "imap", "ftp" and "xmpp". I'm wondering if the server is misconfigured because I have tried to get the certificate straight from the server like this (from an Ubuntu 16.04 client): The certificate is NOT trusted. To connect to an SSL HTTP server the command: would typically be used (https uses port 443). openssl s_client [-host host] [-port port] [-connect host:port] ... 4433) -verify arg - turn on peer certificate verification -cert arg - certificate file to use, PEM format assumed -certform arg - certificate format (PEM or DER) PEM default -key arg - Private key file to use, in cert file if not specified but cert file is. Info: Run man s_client to see all available options. Load SSL session from filename. Although the server determines which cipher suite is used, it should take the first supported cipher in the list sent by the client. In particular you should play with these options before submitting a bug report to an OpenSSL mailing list. The option "-quiet" triggers a "-ign_eof" behavior implicitly. All other encryption and cipher types will be denied and the connection will be closed.
Distrust an intermediate CA on Linux? Although I don't recommend it, you can even look at s_client.c and s_server.c. Use the PSK identity identity when using a PSK cipher suite. On Linux and some UNIX-based operating systems, OpenSSL is used for certificate validation, and usually is at least hooked into the global trust store. The default value is "Client_identity" (without the quotes). The directory to use for server certificate verification. How can I use openssl s_client to verify that I've done this? openssl s_client -connect linuxadminonline.com:443 -tls1_2 The server response (if any) is printed out. Hello. It is a very useful diagnostic tool for SSL servers. The list should contain the most wanted protocols first. Print session information when the program exits. Connect over SSL using TLS 1.2 only: while using the openssl command one can specify the protocol with which to connect to the domain over SSL. openssl s_client -connect encrypted.google.com:443 You'll see the chain of certificates back to the original certificate authority where Google bought its certificate at the top, a copy of their SSL certificate in plain text in the middle, and a bunch of session-related information at the bottom. If a certificate is specified on the command line using the -cert option it will not be used unless the server specifically requests a client certificate. #openssl s_client -connect google.com:443 -CAfile cacert.pem < /dev/null Ultimately all is well in that the end entity's cert was verified OK: Verify return code: 0 (ok) but what about the verify return:1 at the beginning of the output for the intermediates below? Simple, fast and above all effective for saving time in your SSL troubleshooting! For example strings, see SSL_CTX_set1_sigalgs(3). [Q] How does my browser inherently trust a CA mentioned by the server? To query an SMTP server you would do the following: openssl s_client -connect :25 -starttls smtp.
The s_client utility is a test tool and is designed to continue the handshake after any certificate verification errors. $ openssl s_client -connect www.example.com:443 -tls1_2 CONNECTED(00000003) 140455015261856:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 5 bytes and written 7 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT … The default is not to use a certificate. To connect to an SSL HTTP server, the command is as follows: openssl s_client -connect servername:443. openssl s_client -showcerts -starttls imap -connect mail.domain.com:139 If you need to check using a specific SSL version (perhaps to verify if that method is available) you can do that as well. Since you most likely have multiple SSL certificates on your server, the openssl s_client tool doesn't know which certificate to use, and instead uses a default certificate (which isn't valid). openssl s_client -showcerts -servername introvertedengineer.com -connect introvertedengineer.com:443 Why is SSL verification failing? Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. If not specified then an attempt is made to connect to the local host on port 4433. The verify depth to use. A file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). The separator is ; for MS-Windows, , for OpenVMS, and : for all others. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. Extract a certificate from a server.
This behaviour can be changed with the -verify_return_error option: any verify errors are then returned … Sends a certificate status request to the server (OCSP stapling). Disable RFC4507bis session ticket support. Return verification errors instead of continuing. protocol is a keyword for the intended protocol. As an example, let's use openssl to check the SSL certificate expiration date of the https://www.shellhacks.com website: $ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates notBefore=Mar 18 10:55:00 2017 GMT notAfter=Jun 16 10:55:00 2017 GMT In this example, we will only enable TLS 1.2 with the -tls1_2 option. PEM is the default. The certificate format to use: DER or PEM. openssl dgst creates a SHA256 hash of cert-body.bin. It decrypts stackexchange-signature.bin using the issuer-pub.pem public key. This is very much NOT helpful, basically because s_client never verifies the hostname and worse, it never even calls SSL_get_verify_result to verify that the server's certificate is really ok. These are also used when building the client certificate chain. $ openssl s_client -quiet -connect mail.example.com:587 -starttls smtp depth=2 C = JP, O = "SECOM Trust Systems CO.,LTD.
This will typically abort the handshake with a fatal error. openssl s_client -connect www.google.com:443 #HTTPS openssl s_client -starttls ftp -connect some_ftp_server.com:21 #FTPES This will always attempt to print out information even if the connection fails. If it is to interact with the database, any decent client will do. psql can be called with the sslmode=require option. If the handshake fails then there are several possible causes; if it is nothing obvious like no client certificate, then the -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a buggy server. Please note that OpenSSL won't verify a self-signed certificate. This directory must be in "hash format", see verify for more information. Convert a root certificate to a form that can be published on a web site for downloading by a browser. Inhibit shutting down the connection when end of file is reached in the input. The certificate to use, if one is requested by the server. openssl s_client [-connect host:port] [-servername name] [-verify depth] [-verify_return_error] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename] [-no_alt_chains] [-reconnect] [-pause] [-showcerts] [-debug] [-msg] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-no_ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-fallback_scsv] [-bugs] [-sigalgs sigalglist] [-curves curvelist] [-cipher cipherlist] [-serverpref] [-starttls protocol] [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename] [-sess_in filename] [-rand file(s)] [-serverinfo types] [-status] [-alpn protocols] [-nextprotoneg protocols].