How to ignore certificate verification while using openssl s_client connect?

I am trying to connect to a server using the following command:

openssl s_client -connect xx.xx.xx.xx:443

Error:

CONNECTED(00000005)
depth=0 L = XXXXXXX
verify error:num=20:**unable to get local issuer certificate**
verify return:1
depth=0 L = XXXXXXXX
verify error:num=21:**unable to verify the first certificate**
verify return:1
---
Certificate chain
 0 s:/L=XXXX
   i:/C=XXXX
---
Server certificate
-----BEGIN CERTIFICATE-----
....
...
..
<removed cert>
..
...
....
-----END CERTIFICATE-----
subject=xxxxxxx CN=*xxx.xom
issuer=XXXX CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2281 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 52A27BC97001D52A7DA4A73FBA87C7DD2902A0C55B0AE9FAA87A3A8DBA94A7CE
    Session-ID-ctx:
    Master-Key: ECD435DCDD59B2BAD50A1BF8BAEA39E68058524A082DC219CEE290DB7A80A37AE4E763DF7FA
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5d b4 5c fe ca 2d 54 2e-31 49 74 a6 18 a7 3a f5   ].\..-T.1It...:.
    XXXX
    0080 - ab 5c 0a bc 45 9c 10 01-9f 3b ce 6e ee 1a a6 99   .\..E....;.n....
    0090 - 04 81 ea e0 be a5 91 a2-18 09 d4 b8 90 b7 c7 50   ...............P
    00a0 - f7 7d 73 e5 b1 3d 0d 58-20 07 78 7b 57 c4 34 58   .}s..=.X .x{W.4X

    Start Time: 1566410644
    Timeout   : 7200 (sec)
    **Verify return code: 21 (unable to verify the first certificate)**
---

So it looks like the command is trying to verify the certificate, which I don't want. How can I bypass the verification? Is there something similar to curl's -k flag?

Jerald Baker asked Aug 21 '19 18:08


1 Answer

OpenSSL's s_client never terminates on a wrong certificate unless you ask it to, using the
-verify_return_error argument (as already suggested by @bartonjs in comments).

You can read more about it in the man page (man 1 s_client) or online. Look for the -verify argument, or later in NOTES:

If there are problems verifying a server certificate then the -showcerts option can be used to show all the certificates sent by the server.

The s_client utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. Non-test applications should not do this as it makes them vulnerable to a MITM attack. This behaviour can be changed with the -verify_return_error option: any verify errors are then returned, aborting the handshake.

If the result you are seeing is the last "error" you are seeing, it is probably something else on the server which is terminating the connection at that moment. You should see the reason in the web server logs.

Kepi answered Oct 16 '22 18:10