OpenSSL s_client

Inspect a server's TLS handshake: version, cipher, ALPN, full cert chain.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does the TLS Handshake Inspector show?

It performs a TLS handshake and reports: negotiated TLS version, cipher suite, ALPN protocol (e.g. h2, http/1.1), and the full certificate chain — subject, issuer, validity dates, SANs, and fingerprints for each certificate. This is the server-side view equivalent of openssl s_client -connect host:443.

What is the certificate chain and why does it matter?

A TLS certificate chain consists of: your domain's leaf certificate, one or more intermediate CA certificates, and the root CA certificate (trusted by browsers). Browsers verify the chain from root to leaf. A missing intermediate certificate is a common misconfiguration that causes 'certificate not trusted' errors in some clients even though the certificate itself is valid.

What is ALPN and which protocols appear here?

ALPN (Application-Layer Protocol Negotiation) is a TLS extension that selects the application protocol during the handshake. Common values: h2 (HTTP/2), http/1.1 (HTTP/1.1), acme-tls/1 (Let's Encrypt validation). The absence of h2 means the server doesn't support HTTP/2, or that it requires HTTP/2 negotiation separately.

How is this different from TLS Quick Scan?

TLS Quick Scan probes all supported TLS versions and ciphers systematically. This tool performs a single handshake exactly as a client would, showing what version and cipher are actually negotiated — useful for verifying your server's preference order, checking SNI behaviour, and inspecting the full cert chain.