OpenSSL is a general-purpose cryptography library and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It’s licensed under the Apache License 2.0, meaning that you are free to get and use it for both commercial and non-commercial purposes, subject to a few simple license conditions.
Using OpenSSL to check and verify secure connections
Today we’ll be focusing on the s_client
tool, which can be used to connect, check and list SSL/TLS related information. In this article we’ll go through a few different use cases of s_client
.
Check the SSL/TLS of a website
This is probably the most common and popular use for s_client
. This command establishes a connection to the domain isscloud.io, port 443 for the HTTPS protocol.
openssl s_client -connect isscloud.io:443
Check using IPv6
You can also check all connections forcing IPv6, by using the -6 option
openssl s_client -6 connect isscloud.io:443
Check the TLS/SSL against a specific Certificate Authority
In order for the certificates to by trusted by web browsers and applications, their require a valid signature from the Global Certificate Authorities.
While this is the standard on most organizations and public facing web servers and services, some pages or applications have certificates created in house.
Many times you’ll have a Certificate Authority file that can be use to check these connections, specifying its location with the following command:
openssl s_client -connect isscloud.io:443 -CAfile /etc/ssl/CA.crt
Testing SMTP and TLS connection
We may also use the s_client
tool to test the connection to an email server, testing the SMTP protocol and moving to a secure TLS connection. To do so we use the -starttls smtp
option.
openssl s_client -connect mail.isscloud.io:25 -starttls smtp
Specify desired version or cipher
Security protocols have different versions and sub-versions, or use different hash algorithms. We can tell the s_client
tool to choose a specific version to use or to only connect using a specific cipher.
Specifying or disabling TLS version
To use only TLS1.0, 1.1, or 1.2, we use the options -tls1
| -tls1_1
| -tls1_2
respectively. In the following example we’re selecting TLS1.2:
openssl s_client -connect isscloud.io:443 -tls1_2
Or, disable the use of a specific TLS version with the options -no_tls1
| -no_tls1_1
| -no_tls1_2
| -no_ssl2
| -no_ssl3
respectively. In the following example we’ll be disabling TLS1.1:
openssl s_client -connect isscloud.io:443 -no_tls1_1
Specifying Cipher
You can also specify the use of a determined hash algorithm for encryption. For example, if you want to test the RC4-SHA cipher, use the following command:
openssl s_client -connect isscloud.io:443 -cipher RC4-SHA
Debugging the connection
Most of the times you’ll be looking to the s_client
tool will be to test SSL/TLS connections and check what’s going out under the wood. The s_client
tool has many options that can help you successfully identify and fix most issues going on with a secure connection.
Among the various options available, you can use -pause
to pause 1 second between each read/write call, -debug
to get extensive debug information including an hex dump of all traffic, or -tlsextdebug
to print a hex dump of any TLS extensions received from the server.
Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment. Thank you.