Using OpenSSL to verify SSL/TLS connections

OpenSSL is a general-purpose cryptography library and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It’s licensed under the Apache License 2.0, meaning that you are free to get and use it for both commercial and non-commercial purposes, subject to a few simple license conditions.

Using OpenSSL to check and verify secure connections

Today we’ll be focusing on the s_client tool, which can be used to connect, check and list SSL/TLS related information. In this article we’ll go through a few different use cases of s_client.

To end any command and return to the terminal, press Ctrl+D – also known as EOF or “End of File”, a special control character parameter of the terminal driver in the kernel (like Ctrl+C to interrupt). It tells the system that the file or transmission stream has finished and the current data stream has reached the end.

Check the SSL/TLS of a website

This is probably the most common and popular use for s_client. This command establishes a connection to the domain isscloud.io, port 443 for the HTTPS protocol.

openssl s_client -connect isscloud.io:443

Check using IPv6

You can also run any of these checks forcing IPv6 by using the -6 option.

openssl s_client -6 -connect isscloud.io:443

Check the TLS/SSL against a specific Certificate Authority

In order for certificates to be trusted by web browsers and applications, they require a valid signature from a globally trusted Certificate Authority.

While this is the standard for most organizations and public-facing web servers and services, some pages or applications use certificates issued by an in-house CA.

In that case you'll usually have the Certificate Authority's certificate file, which can be used to verify these connections by specifying its location with the following command:

openssl s_client -connect isscloud.io:443 -CAfile /etc/ssl/CA.crt

Testing SMTP and TLS connection

We may also use the s_client tool to test the connection to an email server, speaking plain SMTP first and then upgrading to a secure TLS connection. We can use it to test whether the server accepts new connections, or to check that the certificate is in order so that clients can connect cleanly. To do so we use the -starttls smtp option.

openssl s_client -connect mail.isscloud.io:25 -starttls smtp

Testing IMAP connectivity and certificates

Just as we did for checking an HTTPS website or the SMTP service, we may also use the s_client tool to test an IMAP connection. We can either connect directly to the TLS/SSL port, or ask the server to negotiate TLS just as we did with SMTP, this time using the -starttls imap option.

Using StartTLS:

openssl s_client -connect mail.isscloud.io:143 -starttls imap

Connecting directly to the secure port:

When connecting directly to a secure port, we should use the -crlf option. This option translates the line feeds typed in the terminal into CR+LF (carriage return/line feed) as required by some systems, and it is usually recommended when testing IMAP connections.

openssl s_client -connect mail.isscloud.io:993 -crlf

Specify desired version or cipher

Security protocols have different versions and sub-versions, and support different cipher suites. We can tell the s_client tool to use a specific protocol version, or to connect only with a specific cipher.

Specifying or disabling TLS version

To use only TLS1.0, 1.1, or 1.2, we use the options -tls1 | -tls1_1 | -tls1_2 respectively. In the following example we’re selecting TLS1.2:

openssl s_client -connect isscloud.io:443 -tls1_2

Or disable a specific protocol version with the options -no_tls1 | -no_tls1_1 | -no_tls1_2 | -no_ssl2 | -no_ssl3. In the following example we'll be disabling TLS1.1:

openssl s_client -connect isscloud.io:443 -no_tls1_1

Specifying Cipher

You can also restrict the connection to a particular cipher suite. For example, if you want to test the RC4-SHA cipher, use the following command. RC4 has long been deprecated, so against a properly configured server this handshake should fail, which makes -cipher a handy way to confirm that weak suites are rejected:

openssl s_client -connect isscloud.io:443 -cipher RC4-SHA

Debugging the connection

Most of the time you'll reach for the s_client tool to test SSL/TLS connections and see what's going on under the hood. The s_client tool has many options that can help you identify and fix most issues with a secure connection.

Among the options available, you can use -pause to pause 1 second between each read/write call, -debug to get extensive debug information including a hex dump of all traffic, or -tlsextdebug to print a hex dump of any TLS extensions received from the server.

Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment. Thank you.

UPDATED: This article has been updated in July 2022 to include new commands and options.

Ricardo Mendes

Ricardo is a Senior Systems Administrator and Consultant at ISSCloud, after +10 years working in Private Telecom. He enjoys writing about Technology, Security & Privacy.
