openssl s_client commands and examples - Mister PKI


October 21, 2021 by Mister PKI

The s_client command from OpenSSL is a helpful test client for troubleshooting remote SSL or TLS connections. This post walks you through various examples of testing SSL connections with different ciphers and TLS versions, and of analysing SSL server certificates. Testing the SSL configuration of your servers is a critical function that should be routine in your organization; this utility helps uncover errors and misconfigurations.

## openssl s_client examples

### openssl s_client connect

```bash
openssl s_client -connect example.com:443
```

Use the openssl s_client -connect flag to display diagnostic information about the SSL connection to the server. The information includes the server's certificate chain, printed as subject and issuer; the end entity server certificate is the only certificate printed in PEM format. Details about the SSL handshake, its verification, and the TLS version and cipher are returned, as is the bit length of the server's public key. Here is a screenshot of the beginning of an example output from the above command:

[Screenshot: openssl s_client example output]

To specify the TLS version in the connection for testing various protocols, add the appropriate TLS/SSL flag to the command. For example, to test TLS 1.3 with openssl s_client, run the following:

```bash
openssl s_client -connect example.com:443 -tls1_3
```

Other supported SSL and TLS version flags include -tls1_2, -tls1_1, -tls1, -ssl2, and -ssl3. Alternatively, to disable the use of a specific SSL/TLS protocol version, the following flags are supported: -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, and -no_tls1_3. In the case of example.com, TLSv1.3 is supported. To disable TLSv1.3, use the -no_tls1_3 flag:

```bash
openssl s_client -connect example.com:443 -no_tls1_3
```

To verify the protocol, view the SSL-Session section of the console output:

```text
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2BFA471935218231CFC481C6AD4E72025834B51C8791AC33AB54A4B923D04A36
    Session-ID-ctx:
    Master-Key: 935153C4FD38007F942A4215D2763CADB16DD3103FC9B5DD625A98AE8081D6C2934B7FC860A5DC484C393
```

If the specified protocol is not supported on the server, you will receive an error similar to:

```text
SSL routines:tls_construct_client_hello:no protocols available
```

To debug the SSL/TLS connection with openssl s_client connect, append the -tlsextdebug flag to your command:

```bash
openssl s_client -connect example.com:443 -tlsextdebug
```

The additional information it prints (the TLS extensions sent and received) can be used to verify the SSL configuration of the server; leave a comment and ask questions about anything not covered here. Regardless of what you are trying to test, s_client is an ideal utility for testing and troubleshooting the SSL configuration of your server. If you are looking for a less technical testing tool, try an application that returns the same or similar results, such as SSL Labs.

### openssl s_client showcerts

```bash
openssl s_client -connect example.com:443 -showcerts
```

With the -showcerts flag appended to the openssl s_client connect command, the entire certificate chain is printed in PEM format, whereas without -showcerts only the end entity certificate is printed in PEM format. Other than that one difference, the output is the same. The list of certificates returned by the server when using -showcerts is not a verified chain; it is printed in the same order the server sent them.

While most examples you find test port 443, this works with other ports as well. For example, testing the SSL configuration of an LDAP host works the same way; just specify the port, commonly 636. To show the server certificates on the LDAP server, run the following command:

```bash
openssl s_client -connect ldap-host:636 -showcerts
```

After showing the certificates returned by openssl s_client connect, decode them for more information about each section of the certificate with our Certificate Decoder tool.

### openssl s_client -starttls

Adding the -starttls flag to your openssl s_client -connect command sends the protocol-specific message for switching to SSL/TLS communication. Supported protocols include smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, mysql, lmtp, nntp, sieve and ldap. For the LDAP example:

```bash
openssl s_client -connect ldap-host:389 -starttls ldap
```

### Test SIP SSL connection

The SIP protocol can also be tested with the openssl s_client tool. SIP over TLS is available on port 5061 by default, so just specify :5061 as part of your command. Here is an example demonstrating how to test the SIP SSL connection and return the certificate chain with s_client, writing the PEM blocks to a file:

```bash
# stdin comes from /dev/null so s_client exits once the handshake completes
openssl s_client -connect sip-host:5061 -showcerts </dev/null 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.com.pem
```

To print or save the entire certificate chain to a file, remember to use the -showcerts option.

### openssl s_client verify

To verify the SSL connection to the server, run the following command:

```bash
openssl s_client -verify_return_error -connect example.com:443
```

If the server returns any errors, the SSL handshake will fail and the connection will be aborted.

### openssl s_client verify hostname

To verify that the certificate installed on a remote server covers the hostname, run the following command:

```bash
openssl s_client -verify_hostname www.example.com -connect example.com:443
```

It is useful to check the hostname against the CN or SANs of the installed certificate with openssl s_client when multiple hosts are protected and identified by the same certificate. If the hostname does not match, you will receive the following error:

```text
verify error:num=62:Hostname mismatch
```

In addition, you will see another verification error:

```text
Verification error: Hostname mismatch
```

If the host is protected by a wildcard certificate, make sure that the wildcard covers the subdomain of the host. For example, a certificate with CN=*.example.com covers www.example.com but not test.www.example.com. Again, the wildcard must be present on the subdomain part that needs to be covered, so for test.www.example.com you would need a certificate with a CN or SAN equal to *.www.example.com.

### openssl s_client ciphers

You can pass a cipher to the openssl s_client command with the -ciphersuites flag. This flag lets the client modify the TLSv1.3 cipher list. While the server ultimately determines which cipher is used in the SSL connection, generally speaking it should take the first supported cipher in the list sent by the client. If you have a preferred cipher or list of ciphers, it can be sent along with this flag. Read our post on the openssl ciphers command to learn how to display a list of ciphers for a given SSL or TLS protocol version. For example:

```bash
echo | openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 2>/dev/null | grep New
```

will output the following:

```text
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
```

The server should accept and use the provided cipher in the connection. If you want to provide a list of ciphers, they can be delimited with a colon (:). If modifying or specifying the cipher list for a TLSv1.2 connection, the -cipher flag is used instead of the -ciphersuites flag. For example:

```bash
echo | openssl s_client -connect www.example.com:443 -tls1_2 -cipher AES128-GCM-SHA256 2>/dev/null | grep New
```

will output the following:

```text
New, TLSv1.2, Cipher is AES128-GCM-SHA256
```

A helpful resource for determining the strength of each cipher suite is at https://ciphersuite.info/cs/.

### TLS Client Auth with openssl s_client

openssl s_client also provides the capability to test TLS client auth. There are a couple of ways to do this, using the -cert and -key options. This example makes use of only the -cert option, by combining both the certificate and the private key used for authentication in the same file:

```bash
openssl s_client \
  -connect example.com:443 \
  -cert
```

To elaborate further on the alternate options for connecting with TLS client auth:

| openssl s_client option | Option description |
|---|---|
| -cert | The certificate to be used for TLS client authentication. |
| -certform | The format of the certificate. PEM is the default, but DER may be specified. |
| -key | The private key matching the provided certificate. |
| -keyform | The format of the private key. PEM is the default, but DER may be specified. |
| -cert_chain | The complete trust chain. |
| -pass | The password source of the private key, if it is encrypted with a password. |

### Override openssl configuration file

When using the openssl s_client utility to test a server's SSL or TLS configuration, sometimes it is useful to override the default openssl configuration. For example, you may want to lower the security level of the openssl version you are running. To lower the security level of your openssl configuration, perform the following steps (this has only been tested on Ubuntu):

1. Make a copy of your openssl configuration file.
2. Add the following to the beginning of your configuration file:

   ```ini
   openssl_conf = default_conf
   ```

3. Add the following to the end of your configuration file, making sure to set the security level to the level you wish to test:

   ```ini
   [default_conf]
   ssl_conf = ssl_sect

   [ssl_sect]
   system_default = system_default_sect

   [system_default_sect]
   MinProtocol = TLSv1.2
   CipherString = DEFAULT:@SECLEVEL=1
   ```

4. Override the system configuration file by exporting the OPENSSL_CONF environment variable. This allows you to test a different configuration without affecting your system-wide configuration:

   ```bash
   export OPENSSL_CONF=mycopy-openssl.cnf
   ```

## Conclusion

We hope this information has been valuable; don't forget to ask questions in the comments section. If you would like to see more examples of how to use openssl s_client, let us know! Until then, visit our OpenSSL page to view more examples of openssl commands.
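The protocol, cipher and hostname checks above are all done by reading s_client output by eye. The following script, an added example that is not part of the Mister PKI post, turns the "New, <protocol>, Cipher is <suite>" line and the verify errors into values a script can check, and uses them to probe which TLS versions a server accepts. The sample output embedded below is constructed; the `probe_versions` function and its host/port arguments are assumptions, not something the post defines.

```shell
#!/bin/sh
# Added example (not from the Mister PKI post): parse the s_client output the post
# tells you to inspect, so the checks can be scripted instead of eyeballed.

# Negotiated protocol and cipher, e.g. "TLSv1.3 TLS_AES_128_GCM_SHA256".
# A failed handshake prints "New, (NONE), Cipher is (NONE)", giving "(NONE) (NONE)".
negotiated() {
  sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# Classify a captured run: ok, no_protocol (the requested version is unavailable),
# hostname_mismatch (verify error num=62), or fail for anything else.
classify() {
  out=$(cat)
  case "$out" in
    *"no protocols available"*)      echo no_protocol ;;
    *"Hostname mismatch"*)           echo hostname_mismatch ;;
    *"Verify return code: 0 (ok)"*)  echo ok ;;
    *)                               echo fail ;;
  esac
}

# Live probe (needs network and openssl): which protocol versions does host:port accept?
# Mirrors the post's per-version flags; a rejected version yields "(NONE)" or no line.
probe_versions() {
  host=$1; port=${2:-443}
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    r=$(echo | openssl s_client -connect "$host:$port" "-$v" 2>&1 | negotiated)
    case "$r" in
      ""|"(NONE)"*) echo "$v: not supported" ;;
      *)            echo "$v: $r" ;;
    esac
  done
}

# Constructed samples: a successful TLS 1.3 handshake, and a hostname mismatch.
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
    Verify return code: 0 (ok)'
SAMPLE_MISMATCH='verify error:num=62:Hostname mismatch
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 62 (Hostname mismatch)'

printf '%s\n' "$SAMPLE_OK" | negotiated        # TLSv1.3 TLS_AES_128_GCM_SHA256
printf '%s\n' "$SAMPLE_MISMATCH" | classify    # hostname_mismatch
if [ -n "${1:-}" ]; then probe_versions "$1" "${2:-443}"; fi
```

Run it with a host (and optional port) as arguments to probe a live server; with no arguments it only exercises the parsers on the constructed samples.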


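The -showcerts and save-to-file sections above capture the whole chain into one PEM file with a sed range. The script below, an added example that is not part of the Mister PKI post, goes one step further: it lists the subject and issuer of each certificate in the order the server sent them and splits the chain into one file per certificate. The sample -showcerts output is constructed and its PEM bodies are placeholders, not real certificates; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Mister PKI post): work with the output of
#   openssl s_client -connect host:port -showcerts </dev/null 2>&1

# One line per certificate: "<index> <subject> | <issuer>", in the server's order.
list_chain() {
  awk '/^ *[0-9]+ s:/ { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
       /^ *i:/        { sub(/^ *i:/, ""); print idx " " subj " | " $0 }'
}

# How many PEM blocks the server returned (what it sent, not a verified chain).
count_certs() { grep -c -- '-BEGIN CERTIFICATE-'; }

# Write cert-0.pem, cert-1.pem, ... into directory $1 and print how many were written.
split_chain() {
  dir=$1; mkdir -p "$dir"
  awk -v dir="$dir" '
    BEGIN { n = 0 }
    /-BEGIN CERTIFICATE-/ { f = dir "/cert-" n ".pem"; n++ }
    f                     { print > f }
    /-END CERTIFICATE-/   { close(f); f = "" }
    END                   { print n }'
}

# Constructed sample in the -showcerts layout; the PEM bodies are placeholders.
SAMPLE='Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-NOT-A-REAL-CERT
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Issuing CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-NOT-A-REAL-CERT
-----END CERTIFICATE-----
---'

printf '%s\n' "$SAMPLE" | list_chain      # two lines, leaf first
printf '%s\n' "$SAMPLE" | count_certs     # 2
# Live use (needs network): split a real server's chain into ./certs/cert-N.pem
if [ -n "${1:-}" ]; then
  openssl s_client -connect "$1" -showcerts </dev/null 2>&1 | split_chain certs
fi
```

Each cert-N.pem can then be fed to `openssl x509 -in cert-N.pem -noout -text` to inspect the individual certificates.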
