openssl s_server: A Throwaway TLS Server
openssl s_server runs a tiny TLS server, handy for testing clients without standing up a real service.
Pair s_server with a self-signed cert to give an integration test a real TLS endpoint to talk to, then kill it when the test ends.
What it does
openssl s_server listens on a port and terminates TLS using the certificate and key you provide. With -www it answers HTTP requests with a status page, enough for a client to complete a real handshake.
Common usage
openssl req -x509 -newkey rsa:2048 -nodes \
-keyout key.pem -out cert.pem -days 1 -subj "/CN=localhost"
openssl s_server -accept 8443 -cert cert.pem -key key.pem -wwwOptions
| Flag | What it does |
|---|---|
| -accept <port> | Port to listen on |
| -cert <file> | Server certificate |
| -key <file> | Server private key |
| -www | Respond to HTTP requests with a status page |
| -tls1_2 / -tls1_3 | Restrict the protocol version |
In CI
Start s_server in the background (append & or run as a job), wait for the port, run the client test, then kill the process. Generate the cert with -days 1 since it only needs to live for the job.
Common errors in CI
"Error setting up acceptor socket ... Address already in use" means the port is taken; pick another or kill the prior server. "unable to load Private Key" means -key points at the wrong file or an encrypted key. "No certificate set" appears if -cert is missing.