OpenSSL is a general-purpose cryptography library and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It’s licensed under the Apache License 2.0, meaning that you are free to get and use it for both commercial and non-commercial purposes, subject to a few simple license conditions.

Using OpenSSL to check and verify secure connections

Today we’ll be focusing on the s_client tool, which can be used to connect, check and list SSL/TLS related information. In this article we’ll go through a few different use cases of s_client.

Check the SSL/TLS of a website

This is probably the most common use for s_client. The command below opens a connection to the domain on port 443, the standard HTTPS port, and prints the server certificate, the chain verification result and the negotiated session parameters.

openssl s_client -connect HOST:443

Check using IPv6

You can also force the connection over IPv6 by using the -6 option:

openssl s_client -6 -connect HOST:443

Check the TLS/SSL against a specific Certificate Authority

In order for certificates to be trusted by web browsers and applications, they require a valid signature from a globally trusted Certificate Authority.

While this is the standard for most organizations and public-facing web servers and services, some pages or applications use certificates created in house.

In those cases you will usually have a Certificate Authority file that can be used to verify these connections; specify its location with -CAfile, as in the following command:

openssl s_client -connect HOST:443 -CAfile /etc/ssl/CA.crt

Testing SMTP and TLS connection

We may also use the s_client tool to test the connection to an email server: it speaks plain SMTP first and then upgrades to a TLS connection with STARTTLS. To do so we use the -starttls smtp option.

openssl s_client -connect HOST:PORT -starttls smtp

Specify desired version or cipher

Security protocols have different versions and sub-versions, and support different cipher suites. We can tell the s_client tool to use a specific protocol version, or to connect only with a specific cipher suite.

Specifying or disabling TLS version

To use only TLS 1.0, 1.1, or 1.2, we use the options -tls1, -tls1_1 or -tls1_2 respectively. In the following example we're selecting TLS 1.2:

openssl s_client -connect HOST:443 -tls1_2

Or, disable the use of a specific version with the options -no_tls1, -no_tls1_1, -no_tls1_2, -no_ssl2 or -no_ssl3 respectively. In the following example we'll be disabling TLS 1.1:

openssl s_client -connect HOST:443 -no_tls1_1

Specifying Cipher

You can also restrict the connection to a specific cipher suite. For example, if you want to test whether a server still accepts the RC4-SHA cipher suite, use the following command (modern OpenSSL builds leave RC4 out by default, so a handshake failure here is the expected, healthy outcome):

openssl s_client -connect HOST:443 -cipher RC4-SHA

Debugging the connection

Most of the time you'll use the s_client tool to test SSL/TLS connections and check what's going on under the hood. The s_client tool has many options that can help you identify and fix most issues with a secure connection.

Among the options available, you can use -pause to wait one second between each read/write call, -debug to get extensive debug information including a hex dump of all traffic, or -tlsextdebug to print a hex dump of any TLS extensions received from the server.
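The checks above (chain verification against a CA file, protocol version and cipher restrictions) are usually repeated against many hosts. As an added example that is not part of the original article, the helper below turns an s_client run into a pass/fail check: it extracts the negotiated protocol, the cipher suite and the verify return code, and accepts only a verified chain on TLS 1.2 or 1.3. The function names and the abridged transcripts are constructed for this example.

```shell
# Added example (not from the article): turn an 's_client' run into a
# pass/fail check. Helper names and sample transcripts are constructed.

# Pull the three facts a reviewer cares about out of s_client output:
# negotiated protocol, cipher suite and certificate verify result.
# Both the top-level and the "SSL-Session:" copies match; the last one wins.
summarize_sclient() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Protocol[[:space:]]*:/  { sub(/^[^:]*:[[:space:]]*/, ""); proto = $0 }
        /^[[:space:]]*Cipher[[:space:]]*:/    { sub(/^[^:]*:[[:space:]]*/, ""); cipher = $0 }
        /^[[:space:]]*Verify return code:/    { sub(/^[^:]*:[[:space:]]*/, ""); verify = $0 }
        END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }'
}

# Policy: the chain must verify (return code 0) and the session must be on
# TLS 1.2 or 1.3. Anything else (TLS 1.0/1.1, RC4, self-signed) fails.
tls_policy_ok() {
    summary=$(summarize_sclient "$1")
    case "$summary" in
        *"protocol=TLSv1.2 "*|*"protocol=TLSv1.3 "*) ;;
        *) return 1 ;;
    esac
    case "$summary" in
        *"verify=0 (ok)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe: arguments go straight to s_client, e.g.
#   probe_tls HOST:443 -CAfile /etc/ssl/CA.crt
# Closing stdin makes s_client exit right after the handshake.
probe_tls() {
    openssl s_client -connect "$@" </dev/null 2>&1
}

# Constructed, abridged transcripts standing in for real s_client output.
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_BAD='SSL-Session:
    Protocol  : TLSv1.0
    Cipher    : RC4-SHA
    Verify return code: 18 (self-signed certificate)'

for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if tls_policy_ok "$sample"; then echo "PASS: $(summarize_sclient "$sample")"; else echo "FAIL: $(summarize_sclient "$sample")"; fi
done
```

To check a real endpoint, feed the probe output to the policy check: `tls_policy_ok "$(probe_tls HOST:443 -CAfile /etc/ssl/CA.crt)"`.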

Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment. Thank you.
