TLS handshake is slow, how to investigate with openssl s_client?

Question

I'm troubleshooting a performance issue where the initial TLS handshake to our web server is consistently taking over 500ms. The server itself is responding quickly once connected. I want to use openssl s_client to pinpoint where the delay is happening. I've run a basic connect command like openssl s_client -connect example.com:443 and I can see a pause, but I'm not sure what flags to use to get more detailed timing information. What are the best openssl s_client options to break down the handshake into stages and identify the bottleneck? Should I be looking at the server's certificate chain or something else?

admin · Accepted Answer

Use `openssl s_client` with the `-trace` flag and `time` command to get detailed, millisecond-level timing of each TLS handshake stage. The `-trace` option shows the complete protocol exchange with timestamps, revealing whether delays occur during TCP connection, certificate transmission, or key exchange. For even more granular timing, prefix the command with `time` to measure DNS resolution, TCP connect, and TLS handshake separately.

Run this command to see each handshake message with timing:
openssl s_client -connect example.com:443 -trace

For comprehensive timing breakdown:
time openssl s_client -connect example.com:443 < /dev/null

Slow handshakes often stem from inefficient certificate chain configuration (missing intermediate certificates), expensive key exchange parameters, or network latency. The `-trace` output will show pauses between specific messages like ServerHello and Certificate, indicating whether certificate transmission is the bottleneck. If the delay is before ServerHello, investigate TCP connection latency or server-side processing delays.

TLS handshake is slow, how to investigate with openssl s_client?

Who Is Online