
Test TLS Handshake

Learning Focus

By the end of this lesson you will know how to test the TLS handshake directly.

Testing from the Server

# Full TLS handshake test
openssl s_client -connect localhost:443 -servername example.com < /dev/null

# Look for:
# ✅ "Verify return code: 0 (ok)" — certificate is valid
# ✅ "Protocol: TLSv1.3" or "TLSv1.2" — modern protocol
# ✅ Certificate chain details — correct issuer
# ❌ "Connection refused" — listener not running
# ❌ "handshake failure" — cert/key mismatch

Testing from an External Machine

# Test from outside your server (replace with your domain)
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \
grep -E "Protocol|Cipher|Verify"

Common Handshake Errors

| Error Message | Cause | Fix |
|---|---|---|
| Connection refused | No listener on 443 | Enable SSL listener |
| handshake failure | Cert/key mismatch | Regenerate matching pair |
| certificate verify failed | Invalid or expired cert | Renew certificate |
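
The "Look for" checklist and the error table above can be turned into a scripted check. This is an added example, not part of the original lesson: the function name classify_handshake, its return codes, and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output (stdout and stderr) on stdin,
# prints a one-line verdict, returns 0 only for a verified TLSv1.2/1.3 session.
# Function name and return codes are this example's own choices.
classify_handshake() {
    out=$(cat)
    case $out in
        *"Connection refused"*)
            echo "FAIL: connection refused (no listener)"; return 2 ;;
        *"handshake failure"*)
            echo "FAIL: handshake failure"; return 3 ;;
    esac
    # These fields can repeat in real output (once per session block); take the first.
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/.*Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/.*Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "FAIL: no verify return code in output"; return 5
    elif [ "$code" -ne 0 ]; then
        echo "FAIL: certificate verify failed (code $code)"; return 4
    fi
    case $proto in
        TLSv1.2|TLSv1.3) echo "OK: $proto, $cipher, verify ok"; return 0 ;;
        *) echo "FAIL: protocol ${proto:-unknown} is not TLSv1.2 or TLSv1.3"; return 6 ;;
    esac
}

# Constructed, abbreviated samples of s_client output (not captured from a real host).
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)'
SAMPLE_EXPIRED='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 10 (certificate has expired)'
SAMPLE_OLD='    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

for s in "$SAMPLE_OK" "$SAMPLE_EXPIRED" "$SAMPLE_OLD" "$SAMPLE_REFUSED"; do
    printf '%s\n' "$s" | classify_handshake || true
done

# Live use, with the lesson's own flags; 2>&1 keeps the error lines visible:
# openssl s_client -connect example.com:443 -servername example.com </dev/null 2>&1 | classify_handshake
```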

Key Takeaways

  • openssl s_client is the definitive test for TLS handshake issues.
  • Check protocol version, cipher, and verify return code.
  • Run tests from both the server and externally.
