Nov 30, 2020
How to test an OpenSSL (SSL/TLS) connection to a server
- Check OpenSSL version
Run this on the server itself to check the OpenSSL version installed there.
$ openssl version
- Read crt file
$ openssl x509 -in <cert>.crt -text -noout
- Decode CSR File
$ openssl req -text -in <cert>.csr
$ openssl req -in <cert>.csr -noout -text
- Test TLS/SSL from my host to neighbor host.
To force a specific protocol version, add -tls1_2, -tls1_1, or -tls1.
$ openssl s_client -host <localhost> -port 443
$ openssl s_client -host sanook.com -port 443 -tls1
- Test TLS/SSL from my host to neighbor host with brief output (-quiet).
$ openssl s_client -host <localhost> -port 443 -quiet
$ openssl s_client -host sanook.com -port 443 -quiet
- Test TLS/SSL from my host to neighbor host and show all certificates in the chain.
$ openssl s_client -showcerts -connect <localhost>:<port>
$ openssl s_client -showcerts -connect sanook.com:443
- Test TLS/SSL from my host to neighbor host and stop on certificate verification errors.
$ openssl s_client -verify_return_error -connect <localhost>:<port>
$ openssl s_client -verify_return_error -connect sanook.com:443
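- Test TLS/SSL from my host to neighbor host and show the expiry dates of the certificate.
Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input.
$ openssl s_client -connect <localhost>:<port> </dev/null | openssl x509 -noout -dates
$ openssl s_client -connect sanook.com:443 </dev/null | openssl x509 -noout -dates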
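- Test supported protocols and cipher suites
This offers the server the widest cipher list the local OpenSSL build allows; the output shows the single suite the server negotiated. -cipher only applies to TLS 1.2 and below.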
$ openssl s_client -connect <localhost>:<port> -cipher 'ALL:COMPLEMENTOFALL'
$ openssl s_client -connect sanook.com:443 -cipher 'ALL:COMPLEMENTOFALL'
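To read the results of the s_client commands above without scrolling through the full output, the following added example (not from the original post) parses s_client output and flags legacy protocol versions and failed chain verification. The function names and the sample outputs are constructed for illustration; `tls_probe` assumes `openssl` is installed and the host is reachable.

```shell
# Added example: summarise `openssl s_client` output read on stdin.
# Exit status: 0 = modern protocol and verified chain, 1 = finding, 2 = no handshake.
tls_summary() {
    awk '
        # e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"
        /^New, / && proto == "" {
            split($0, f, ", "); proto = f[2]
            cipher = f[3]; sub(/^Cipher is /, "", cipher)
        }
        # The "New," line names the version the cipher suite belongs to; the
        # session block states the negotiated version, so it wins when present.
        /^ +Protocol +: / { sproto = $3 }
        # The verify line can repeat; keep the first one.
        /Verify return code: / && vcode == "" {
            vtext = $0; sub(/^.*Verify return code: /, "", vtext)
            vcode = vtext; sub(/ .*$/, "", vcode)
        }
        END {
            if (proto == "" || proto == "(NONE)") { print "handshake=failed"; exit 2 }
            if (sproto != "") proto = sproto
            legacy = (proto ~ /^(SSLv[23]|TLSv1|TLSv1\.[01])$/) ? "yes" : "no"
            printf "protocol=%s cipher=%s legacy=%s verify=%s\n", proto, cipher, legacy, vtext
            rc = (legacy == "yes" || vcode != "0") ? 1 : 0
            exit rc
        }'
}
# Live use (hypothetical wrapper): tls_probe <host> <port> [extra flags, e.g. -tls1_2]
tls_probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null | tls_summary
}
# Constructed samples, not captured from a real server.
sample_tls13() {
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
}
sample_tls10_selfsigned() {
    cat <<'EOF'
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
EOF
}
sample_tls13 | tls_summary
sample_tls10_selfsigned | tls_summary || echo "finding (exit $?)"
```

A non-zero exit from `tls_summary` makes the check usable in a cron job or CI step: 1 means the endpoint accepted a legacy protocol or the chain did not verify, 2 means no handshake completed.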
ref: https://www.cyberciti.biz/faq/find-check-tls-ssl-certificate-expiry-date-from-linux-unix/