openssl s_client [-host host] [-port port] [-connect host:port] [-verify depth] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename] [-reconnect][-pause] [-showcerts] [-debug] [-msg] [-state] [-nbio_test] [-nbio][-crlf] [-ign_eof] [-no_ign_eof] [-quiet] [-ssl2] [-ssl3] [-tls1_1] [-tls1_2] [-tls1] [-dtls1] [-no_ssl2][-no_ssl3] [-no_tls1] [-no_tls1_1] [-no_tls1_2] [-bugs] [-cipher cipherlist] [-starttls protocol] [-engine id] [-tlsextdebug] [-no_ticket] [-sess_out filename] [-sess_in filename] [-rand file(s)]

-host host     - use -connect instead

 -port port     - use -connect instead

 -connect host:port - who to connect to (default is localhost:)

 -verify arg   - turn on peer certificate verification

 -cert arg     - certificate file to use, PEM format assumed

 -certform arg - certificate format (PEM or DER) PEM default

 -key arg      - Private key file to use, in cert file if

                 not specified but cert file is.

 -keyform arg  - key format (PEM or DER) PEM default

 -pass arg     - private key file pass phrase source

 -CApath arg   - PEM format directory of CA's

 -CAfile arg   - PEM format file of CA's

 -trusted_first - Use trusted CA's first when building the trust chain

 -reconnect    - Drop and re-make the connection with the same Session-ID

 -pause        - sleep() after each read() and write() system call

 -showcerts    - show all certificates in the chain

 -debug        - extra output

 -msg          - Show protocol messages

 -nbio_test    - more ssl protocol testing

 -state        - print the 'ssl' states

 -nbio         - Run with non-blocking IO

 -crlf         - convert LF from terminal into CRLF

 -quiet        - no s_client output

 -ign_eof      - ignore input eof (default when -quiet)

 -no_ign_eof   - don't ignore input eof

 -psk_identity arg - PSK identity

 -psk arg      - PSK in hex (without 0x)

 -ssl2         - just use SSLv2

 -ssl3         - just use SSLv3

 -tls1_2       - just use TLSv1.

 -tls1_1       - just use TLSv1.

 -tls1         - just use TLSv1

 -dtls1        - just use DTLSv1

 -mtu          - set the link layer MTU

 -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol

 -bugs         - Switch on all SSL implementation bug workarounds

 -serverpref   - Use server's cipher preferences (only SSLv2)

 -cipher       - preferred cipher to use, use the 'openssl ciphers'

                 command to see what is available

 -starttls prot - use the STARTTLS command before starting TLS

                 for those protocols that support it, where

                 'prot' defines which one to assume.  Currently,

                 only "smtp", "pop3", "imap", "ftp" and "xmpp"

                 are supported.

 -engine id    - Initialise and use the specified engine

 -rand file:file:...

 -sess_out arg - file to write SSL session to

 -sess_in arg  - file to read SSL session from

 -servername host  - Set TLS extension servername in ClientHello

 -tlsextdebug      - hex dump of all TLS extensions received

 -status           - request certificate status from server

 -no_ticket        - disable use of RFC4507bis session tickets

 -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)

 -legacy_renegotiation - enable use of legacy renegotiation (dangerous)

 -use_srtp profiles - Offer SRTP key management with a colon-separated profile list

 -keymatexport label   - Export keying material using label

 -keymatexportlen len  - Export len bytes of keying material (default )

openssl s_client -connect localhost: -key clientprikey.pem -cert client.pem -ssl3 -cipher EXP-KRB5-RC4-MD5 -msg -debug

参考 ：http://blog.csdn.net/as3luyuan123/article/details/16812071      http://www.tuicool.com/articles/6ny6Fv