OpenSSL is a general-purpose cryptography library and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It’s licensed under the Apache License 2.0, meaning that you are free to get and use it for both commercial and non-commercial purposes, subject to a few simple license conditions.
Using OpenSSL to check and verify secure connections
Today we’ll be focusing on the s_client tool, which can be used to connect, check and list SSL/TLS related information. In this article we’ll go through a few different use cases of s_client.
Check the SSL/TLS of a website
This is probably the most common and popular use for s_client. This command establishes a connection to the domain isscloud.io, port 443 for the HTTPS protocol.
openssl s_client -connect isscloud.io:443Check using IPv6
You can also check all connections forcing IPv6, by using the -6 option
openssl s_client -6 connect isscloud.io:443Check the TLS/SSL against a specific Certificate Authority
In order for the certificates to by trusted by web browsers and applications, their require a valid signature from the Global Certificate Authorities.
While this is the standard on most organizations and public facing web servers and services, some pages or applications have certificates created in house.
Many times you’ll have a Certificate Authority file that can be use to check these connections, specifying its location with the following command:
openssl s_client -connect isscloud.io:443 -CAfile /etc/ssl/CA.crtTesting SMTP and TLS connection
We may also use the s_client tool to test the connection to an email server, testing the SMTP protocol and moving to a secure TLS connection. To do so we use the -starttls smtp option.
openssl s_client -connect mail.isscloud.io:25 -starttls smtpSpecify desired version or cipher
Security protocols have different versions and sub-versions, or use different hash algorithms. We can tell the s_client tool to choose a specific version to use or to only connect using a specific cipher.
Specifying or disabling TLS version
To use only TLS1.0, 1.1, or 1.2, we use the options -tls1 | -tls1_1 | -tls1_2 respectively. In the following example we’re selecting TLS1.2:
openssl s_client -connect isscloud.io:443 -tls1_2Or, disable the use of a specific TLS version with the options -no_tls1 | -no_tls1_1 | -no_tls1_2 | -no_ssl2 | -no_ssl3 respectively. In the following example we’ll be disabling TLS1.1:
openssl s_client -connect isscloud.io:443 -no_tls1_1Specifying Cipher
You can also specify the use of a determined hash algorithm for encryption. For example, if you want to test the RC4-SHA cipher, use the following command:
openssl s_client -connect isscloud.io:443 -cipher RC4-SHADebugging the connection
Most of the times you’ll be looking to the s_client tool will be to test SSL/TLS connections and check what’s going out under the wood. The s_client tool has many options that can help you successfully identify and fix most issues going on with a secure connection.
Among the various options available, you can use -pause to pause 1 second between each read/write call, -debug to get extensive debug information including an hex dump of all traffic, or -tlsextdebug to print a hex dump of any TLS extensions received from the server.
Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment. Thank you.
