OpenSSL s_client
Inspect a server's TLS handshake: version, cipher, ALPN, full cert chain.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What does the TLS Handshake Inspector show?
It performs a TLS handshake and reports: negotiated TLS version, cipher suite, ALPN protocol (e.g. h2, http/1.1), and the full certificate chain — subject, issuer, validity dates, SANs, and fingerprints for each certificate. This is the server-side view equivalent of openssl s_client -connect host:443.
What is the certificate chain and why does it matter?
A TLS certificate chain consists of: your domain's leaf certificate, one or more intermediate CA certificates, and the root CA certificate (trusted by browsers). Browsers verify the chain from root to leaf. A missing intermediate certificate is a common misconfiguration that causes 'certificate not trusted' errors in some clients even though the certificate itself is valid.
What is ALPN and which protocols appear here?
ALPN (Application-Layer Protocol Negotiation) is a TLS extension that selects the application protocol during the handshake. Common values: h2 (HTTP/2), http/1.1 (HTTP/1.1), acme-tls/1 (Let's Encrypt validation). The absence of h2 means the server doesn't support HTTP/2, or that it requires HTTP/2 negotiation separately.
How is this different from TLS Quick Scan?
TLS Quick Scan probes all supported TLS versions and ciphers systematically. This tool performs a single handshake exactly as a client would, showing what version and cipher are actually negotiated — useful for verifying your server's preference order, checking SNI behaviour, and inspecting the full cert chain.