When setting up SSL services it is important to check connection properties, certificates and a number of SSL-specific parameters.
This article shows you how to use a simple command line tool to do exactly that. The tool is part of virtually every Unix/Linux installation.
The OpenSSL Project provides a number of powerful tools related to security, encryption and a variety of network protocols. This article gives you some hints on how to use the client implementation s_client, which is part of the openssl binary, to check the details of SSL-secured network services.
OpenSSL s_client is a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only and provides only a rudimentary interface, but internally it uses most of the functionality of the OpenSSL ssl library.
Installing OpenSSL on the Linux box of your choice is quite easy: use the package manager of your Linux distribution to perform the installation on the fly.
To install OpenSSL on Debian-based distributions, follow the steps below, or use a graphical package frontend if a graphical desktop is available:
```
# check for openssl software packages
$ apt-cache search openssl
[...]
# or set a filter to get a smaller list
$ apt-cache search openssl | grep -P "^openssl"
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
openssl-blacklist - list of blacklisted OpenSSL RSA keys
openssl-blacklist-extra - list of non-default blacklisted OpenSSL RSA keys
openssl-doc - Secure Socket Layer (SSL) documentation
# install 'openssl'
$ sudo apt-get install openssl
```
Besides the documentation available on the homepage of the OpenSSL project, there are quite a number of manuals installed on your Linux box. If you did not install the software packages containing additional documents, you can still consult your system's manual pages or the online help at the command line. Here are some examples of how to access this information:
```
# consult man pages
$ man openssl
# ask openssl for help regarding s_client
$ openssl s_client --help
unknown option --help
usage: s_client args
 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -verify depth   - turn on peer certificate verification
 -cert arg     - certificate file to use, PEM format assumed
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg      - Private key file to use, in cert file if not specified but cert file is.
 -keyform arg  - key format (PEM or DER) PEM default
 -pass arg     - private key file pass phrase source
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -reconnect    - Drop and re-make the connection with the same Session-ID
 -pause        - sleep(1) after each read(2) and write(2) system call
 -showcerts    - show all certificates in the chain
 -debug        - extra output
 -msg          - Show protocol messages
 -nbio_test    - more ssl protocol testing
 -state        - print the 'ssl' states
 -nbio         - Run with non-blocking IO
 -crlf         - convert LF from terminal into CRLF
 -quiet        - no s_client output
 -ign_eof      - ignore input eof (default when -quiet)
 -no_ign_eof   - don't ignore input eof
 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1         - just use TLSv1
 -dtls1        - just use DTLSv1
 -mtu          - set the link layer MTU
 -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs         - Switch on all SSL implementation bug workarounds
 -serverpref   - Use server's cipher preferences (only SSLv2)
 -cipher       - preferred cipher to use, use the 'openssl ciphers' command to see what is available
 -starttls prot - use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently, only "smtp", "pop3", "imap", "ftp" and "xmpp" are supported.
 -engine id    - Initialise and use the specified engine
 -rand file:file:...
 -sess_out arg - file to write SSL session to
 -sess_in arg  - file to read SSL session from
 -servername host  - Set TLS extension servername in ClientHello
 -tlsextdebug  - hex dump of all TLS extensions received
 -status       - request certificate status from server
 -no_ticket    - disable use of RFC4507bis session tickets
 -legacy_renegotiation - enable use of legacy renegotiation (dangerous)
```
Depending on your use case you can find a number of options to modify the default behaviour of openssl s_client. The following sections contain several examples of possible applications.
Now let's take a look at some basic examples in which an HTTPS server is connected. openssl s_client creates the SSL-secured connection. Once the connection has been established, you can send commands over it that belong to the service you are connected to.
The first example shows some state information related to the SSL connection. We are trying to connect to an HTTP service over an SSL connection. The example contains only the output of openssl s_client that relates to the creation of the SSL connection.
```
# get an overview of states when creating the SSL connection
$ openssl s_client -host www.citigroup.com -port 443 -quiet -state
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
```
The default output of s_client is a bit more detailed and contains information regarding certificates, the negotiated protocol, the cipher and so on.
```
# default outputs of the testing client
$ openssl s_client -host www.citigroup.com -port 443
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2154254/C=US/postalCode=10043/ST=New York/L=New York/street=399 Park Avenue/O=Citigroup Inc./OU=gtcbweb6-www-san/CN=www.citibank.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGeTCCBWGgAwIBAgIQM2iln1n3DOFVPlnUHwnFjTANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTAxMDIwMDAwMDAwWhcNMTIxMDE5MjM1OTU5WjCCAQ0xEzARBgsrBgEEAYI3
PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMIRGVsYXdhcmUxHTAbBgNVBA8TFFBy
aXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQFEwcyMTU0MjU0MQswCQYDVQQGEwJV
UzEOMAwGA1UEERQFMTAwNDMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQHFAhO
ZXcgWW9yazEYMBYGA1UECRQPMzk5IFBhcmsgQXZlbnVlMRcwFQYDVQQKFA5DaXRp
Z3JvdXAgSW5jLjEZMBcGA1UECxQQZ3RjYndlYjYtd3d3LXNhbjEZMBcGA1UEAxQQ
d3d3LmNpdGliYW5rLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANO1Bl/uA6AjpNXCKd2Z5oA2IGiF2O7MUfQT+C7tA4Yuv/vrHepBupTGdIS967t5
B6+rRrGnnnFICokp4+1qGrQEw1FA5DPMrDZGBH0QMgpEbvh5DHW/WhKeiLe1YvZb
TngjYfnvhwLVjVa1qXad5+uwh9QxDQP6qJrYzGDS1KVwsNHLDIhdVPPqG0CBJaZS
iYtd/DytPEhXlDydui+RSAIXp7oYla02x8GLDRp+Fkd6ooCKiHsMElITwBiX1kLI
I9PnDmcYCdTEQIETgigjt/ZvT6VuytkfGzKaJG/q0pTFZgP9XUgDnkRlMGAoxiHn
6ss7ffiE1OrKarbMbanMRPsCAwEAAaOCAh8wggIbMCkGA1UdEQQiMCCCDGljZy5j
aXRpLmNvbYIQd3d3LmNpdGliYW5rLmNvbTAJBgNVHRMEAjAAMB0GA1UdDgQWBBSR
HiPvosEHsGdP5DYRIf8vH34rtTALBgNVHQ8EBAMCBaAwPgYDVR0fBDcwNTAzoDGg
L4YtaHR0cDovL0VWSW50bC1jcmwudmVyaXNpZ24uY29tL0VWSW50bDIwMDYuY3Js
MEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwYwKjAoBggrBgEFBQcCARYcaHR0cHM6
Ly93d3cudmVyaXNpZ24uY29tL3JwYTAoBgNVHSUEITAfBggrBgEFBQcDAQYIKwYB
BQUHAwIGCWCGSAGG+EIEATAfBgNVHSMEGDAWgBROQ8gddu83U3pP8lhvlPM44tW9
3zB2BggrBgEFBQcBAQRqMGgwKwYIKwYBBQUHMAGGH2h0dHA6Ly9FVkludGwtb2Nz
cC52ZXJpc2lnbi5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9FVkludGwtYWlhLnZl
cmlzaWduLmNvbS9FVkludGwyMDA2LmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFow
WDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEF
GDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZI
hvcNAQEFBQADggEBAJeU7kGLBoVvs4R7KRiHDCqZsn2G2SZeW6KXFbKtGNQmE4YE
I24ptG5yj4hjHUdPLBlnanaQMHFihZQSa8+mFR4f4k+YBARMWjVD83hhwh1fjZ1p
Da4ha8aH/lteE+6H39RdAl5rehYbxcZb4l/SME8Tz3z7nhWerS6hJvY8FzxwvoWm
1XaMv4Rl4ekXbmj279MzUCkGHhla8l5LKUsjpwxhO8ig6HbKl6EdHNhoUcIksCB8
NhUdEMQc6/2rpjgLxEwwIPissKbMddss7WucyLMttjxzGNwh2zO3yA1tv86Ql3eQ
GSd9pXX92ko/0XGEPX68hnRbcWd3yVGoWSn/jmA=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2154254/C=US/postalCode=10043/ST=New York/L=New York/street=399 Park Avenue/O=Citigroup Inc./OU=gtcbweb6-www-san/CN=www.citibank.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5178 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 5455F37626BA49923D318630FE6407CAD383DE212E61B269F4805AF4C6630460
    Session-ID-ctx:
    Master-Key: 809F5D8010001E07A426523776356F3CFA7A8E6CAAB483E76E7D7B8C8BFB81DF102CB60D8586F09065511D859DA78FF0
    Key-Arg   : None
    Start Time: 1308292804
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
```
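The summary block at the end of that listing (verify return code, protocol, cipher, secure renegotiation) is what you normally act on. As an added example that is not part of the article, here is a small POSIX shell helper that reads s_client output on stdin, extracts those fields and reports the findings; the sample output is constructed from the listing above, so it runs without network access.

```shell
# Added example, not from the article: summarize the tail of an
# `openssl s_client` run and flag what a reviewer would act on.

# Constructed sample, modelled on the article's listing (no network needed).
SAMPLE_OUTPUT='verify error:num=19:self signed certificate in certificate chain
verify return:0
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Read s_client output on stdin and print one "key=value" line per field.
summarize_s_client() {
    awk '
        /^ *Protocol *:/       { print "protocol=" $3 }
        /^ *Cipher *:/         { print "cipher=" $3 }
        /Verify return code:/  { sub(/.*Verify return code: */, ""); print "verify=" $0 }
        /Secure Renegotiation/ { print "secure_renegotiation=" ($4 == "supported" ? "yes" : "no") }
    '
}

# Read s_client output on stdin; print findings (one per line) and return 1
# if there are any. The verify code reflects the trust store passed with
# -CAfile/-CApath, so code 19 may only mean that no CA bundle was given.
check_s_client_output() {
    summary=$(summarize_s_client)
    n=0
    case "$summary" in *"verify=0 ("*) ;; *) echo "certificate chain did not verify"; n=$((n+1));; esac
    case "$summary" in *"protocol=SSLv"*) echo "legacy SSL protocol negotiated"; n=$((n+1));; esac
    case "$summary" in *"secure_renegotiation=no"*) echo "secure renegotiation not supported"; n=$((n+1));; esac
    if printf '%s\n' "$summary" | grep -Eq '^cipher=.*(RC4|MD5|DES|NULL|EXP)'; then
        echo "weak cipher negotiated"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}
# Live use: openssl s_client -connect host:443 </dev/null | check_s_client_output
```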
The list of parameters to customize s_client contains a number of options to
The use of custom CA certificates and client certificates is supported as well. These topics will be covered in the next parts of this article, which will contain additional hints to help you set up working SSL-secured environments.