openssl s_client commands and examples - Mister PKI
openssl s_client commands and examples

October 21, 2021 by Mister PKI

The s_client command from OpenSSL is a helpful test client for troubleshooting remote SSL or TLS connections. This post walks through examples of testing SSL connections with different ciphers and TLS versions, and of analysing the SSL server certificate. Testing the SSL configuration of your servers is a critical function that should be routine in your organization, and this utility will help uncover errors and misconfigurations.

openssl s_client examples

openssl s_client connect

openssl s_client -connect example.com:443

Use the openssl s_client -connect flag to display diagnostic information about the SSL connection to the server. The output includes the server's certificate chain, printed as subject and issuer for each certificate; only the end entity server certificate is printed in PEM format. It also reports details about the SSL handshake, its verification result, the negotiated TLS version and cipher, and the bit length of the server's public key.

(Screenshot: the beginning of the output of the above command.)

If the server hosts several names on one address, add -servername example.com so that the ClientHello carries SNI and the server returns the certificate for that name. OpenSSL 1.1.1 and later send the -connect host name as SNI by default (suppress it with -noservername); older releases send no SNI unless -servername is given.

To specify the TLS version in the connection for testing various protocols, add the appropriate TLS/SSL flag to the command. For example, to test TLS 1.3 with openssl s_client, run the following:

openssl s_client -connect example.com:443 -tls1_3

Other version flags are -tls1_2, -tls1_1, -tls1, -ssl3 and, in old releases, -ssl2. Which of them work depends on your build: SSLv2 was removed in OpenSSL 1.1.0 and SSLv3 is compiled out by default. Alternatively, to disable a specific SSL/TLS protocol version, the following flags are supported: -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2 and -no_tls1_3.

In the case of example.com, TLSv1.3 is supported. To disable TLSv1.3, use the -no_tls1_3 flag:

openssl s_client -connect example.com:443 -no_tls1_3

To verify the protocol, view the SSL-Session section of the console output:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2BFA471935218231CFC481C6AD4E72025834B51C8791AC33AB54A4B923D04A36
    Session-ID-ctx:
    Master-Key: 935153C4FD38007F942A4215D2763CADB16DD3103FC9B5DD625A98AE8081D6C2934B7FC860A5DC484C393

The cipher name is a quick sanity check on the protocol: ECDHE-RSA-AES128-GCM-SHA256 is a TLS 1.2 suite, whereas a TLSv1.3 session reports one of the TLS_* suites such as TLS_AES_128_GCM_SHA256 and shows a Resumption PSK line in place of Master-Key.

Be careful about which side produced an error. If s_client itself has no protocol left to offer, for example -tls1 on a build whose openssl.cnf sets MinProtocol to TLSv1.2, it fails before sending the ClientHello with an error similar to:

SSL routines:tls_construct_client_hello:no protocols available

A server that rejects the offered version instead answers with an alert, which s_client reports as something like "tlsv1 alert protocol version" or "unsupported protocol".

To debug the SSL/TLS connection with openssl s_client connect, append the -tlsextdebug flag to your command:

openssl s_client -connect example.com:443 -tlsextdebug

This adds a hex dump of every TLS extension the server sends, which is useful for checking that features such as SNI or ALPN are actually being negotiated; -msg prints each handshake message and -debug dumps all traffic if you need more. Leave a comment with questions about anything not covered. Regardless of what you are trying to test, s_client is an ideal utility for testing and troubleshooting the SSL configuration of your server. If you are looking for a less technical testing tool, try an application that returns the same or similar results, such as SSL Labs.

openssl s_client showcerts

openssl s_client -connect example.com:443 -showcerts

The -showcerts flag appended to the openssl s_client connect command prints the entire certificate chain in PEM format, whereas leaving it off prints only the end entity certificate in PEM format. Other than that one difference, the output is the same. The list of certificates returned with -showcerts is not a verified chain: it is exactly what the server sent, in the order the server sent it, so a missing intermediate or a stale cross-signed root will show up here. Whether OpenSSL could build a valid chain from it is reported separately in the "Verify return code" line.

While most examples you find test port 443, this works with other ports as well. For example, testing the SSL configuration of an LDAP host works the same; just specify the port, commonly 636. To show the server certificates on the LDAP server, run the following command:

openssl s_client -connect ldap-host:636 -showcerts

After showing the certificates returned by openssl s_client connect, decode them for more information about each section of the certificate with our Certificate Decoder tool.

openssl s_client -starttls

Adding the -starttls flag to your openssl s_client -connect command sends the protocol-specific message for switching to SSL/TLS communication on a plaintext port. Supported protocols include smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, mysql, lmtp, nntp, sieve and ldap. For the LDAP example:

openssl s_client -connect ldap-host:389 -starttls ldap

Test SIP SSL connection

The SIP protocol can also be tested with the openssl s_client tool. SIP over TLS uses port 5061 by default, so just specify :5061 as part of your command. Here is an example demonstrating how to test the SIP SSL connection and return the certificate chain with s_client:

openssl s_client -connect sip-host:5061 -showcerts

To save the certificate the server presents to a file, send stderr to stdout and let sed cut out the PEM block (assuming the same example.com:443 target as above; the leading echo closes stdin so s_client exits after the handshake):

echo | openssl s_client -connect example.com:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > example.com.pem

To print the entire certificate chain to the file, remember to add the -showcerts option.

openssl s_client verify

To verify the SSL connection to the server, run the following command:

openssl s_client -verify_return_error -connect example.com:443

By default s_client reports a chain verification failure as a non-zero "Verify return code" but still completes the handshake. With -verify_return_error a verification failure is fatal: the handshake is aborted and the connection closed, which is how a real client behaves. If the result is "unable to get local issuer certificate" (code 20) on a chain that is otherwise fine, s_client did not find the issuing CA in its default trust store; point it at one with -CAfile or -CApath.

openssl s_client verify hostname

To verify that the certificate installed on a remote server covers the hostname, run the following command:

openssl s_client -verify_hostname www.example.com -connect example.com:443

Without -verify_hostname, s_client does not check names at all, so a "Verify return code: 0 (ok)" on its own only proves that the chain is trusted, not that the certificate was issued for this host. Checking the hostname against the CN or SANs of the installed certificate is especially useful when multiple hosts are protected and identified by the same certificate. If the hostname does not match, you will receive the following error:

verify error:num=62:Hostname mismatch

In addition, you will see another verification error:

Verification error: Hostname mismatch

If the host is protected by a wildcard certificate, make sure that the wildcard covers the subdomain of the host. For example, a certificate with CN=*.example.com covers www.example.com but not test.www.example.com, and not the bare example.com either: the wildcard stands in for exactly one label, the leftmost one. So for test.www.example.com you would need a certificate with a CN or SAN equal to *.www.example.com. Put the name in the SAN rather than relying on the CN: browsers and most modern clients ignore the CN entirely, and OpenSSL only falls back to it when the certificate carries no DNS SAN entries.

openssl s_client ciphers

You can pass a cipher to the openssl s_client command with the -ciphersuites flag. This flag lets the client modify the TLSv1.3 cipher suite list. The server ultimately determines which cipher is used in the SSL connection: by default it takes the first cipher in the client's list that it supports, but a server hardened with its own preference order (SSLHonorCipherOrder in Apache, ssl_prefer_server_ciphers in nginx) picks from its own list instead. Sending a single cipher is therefore the reliable way to test whether a specific suite is accepted. Read our post on the openssl ciphers command to learn how to display a list of ciphers for a given SSL or TLS protocol version. For example:

echo | openssl s_client -connect www.example.com:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 2>/dev/null | grep New

will output the following:

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256

The server should accept and use the provided cipher in the connection. If you want to provide a list of ciphers, delimit them with a colon (:). When modifying or specifying the cipher list for a TLSv1.2 connection, the -cipher flag is used instead of the -ciphersuites flag (in OpenSSL 1.1.1 and later, -cipher applies only to TLSv1.2 and below and -ciphersuites only to TLSv1.3, so both can be given on one command). For example:

echo | openssl s_client -connect www.example.com:443 -tls1_2 -cipher AES128-GCM-SHA256 2>/dev/null | grep New

will output the following:

New, TLSv1.2, Cipher is AES128-GCM-SHA256

A helpful resource for determining the strength of each cipher suite is https://ciphersuite.info/cs/.

TLS Client Auth with openssl s_client

openssl s_client also provides the capability to test TLS client auth. There are two ways to do this: pass the certificate with -cert and the private key with -key, or, as in this example, put both the certificate and its private key in the same file and pass only -cert (when -key is omitted, s_client reads the key from the -cert file).

openssl s_client \
    -connect example.com:443 \
    -cert
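As an added example (not code from the Mister PKI post), the POSIX shell script below automates the protocol version and verification checks from the sections above: probe_tls runs s_client once per -tls1* flag, sends SNI with -servername, folds the hostname check into the verify return code, and summarize_tls_output reduces the output to the negotiated protocol, cipher and verify return code. It assumes openssl 1.1.1 or newer on PATH and, for the live probe only, a reachable HOST:PORT; the summariser is exercised on a constructed, abridged s_client output embedded in the script, so that part runs offline.

```shell
#!/bin/sh
# Added example, not code from the Mister PKI post: drive openssl s_client
# across protocol versions and reduce its output to what matters.
# Assumptions: POSIX sh, openssl 1.1.1+ on PATH, HOST:PORT reachable for probe_tls.

# summarize_tls_output: read s_client output on stdin, print one line
#   <protocol> <cipher> <verify-return-code>
# It prefers the "New, TLSv1.x, Cipher is ..." summary line (which reads
# "(NONE)" when the handshake failed) and falls back to the SSL-Session block.
summarize_tls_output() {
  awk '
    /^(New|Reused), / { proto = $2; sub(/,$/, "", proto); cipher = $NF }
    /^ *Protocol *:/  { if (proto == "")  proto  = $NF }
    /^ *Cipher *:/    { if (cipher == "") cipher = $NF }
    /Verify return code:/ {
      rc = $0; sub(/.*Verify return code: */, "", rc); sub(/ .*/, "", rc)
    }
    END {
      if (proto == "")  proto  = "none"
      if (cipher == "") cipher = "none"
      if (rc == "")     rc     = "?"
      print proto, cipher, rc
    }'
}

# probe_tls HOST [PORT]: try each version flag and report what was negotiated.
# "echo |" closes stdin so s_client exits after the handshake; -servername sends
# SNI so a virtual-hosted server returns the right certificate; -verify_hostname
# makes the name check part of the verify return code. Add -CAfile if the
# default trust store does not contain your CA.
probe_tls() {
  host=$1; port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" \
                 -verify_hostname "$host" "$flag" 2>&1 || true)
    printf '%-8s %s\n' "$flag" "$(printf '%s\n' "$out" | summarize_tls_output)"
  done
}

# Constructed, abridged s_client output (not a real capture) so the summariser
# can be run without network access.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = example.com
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---'

printf '%s\n' "$SAMPLE_OUTPUT" | summarize_tls_output   # TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 0

# Usage: sh probe.sh HOST [PORT]  -> one line per protocol version
if [ $# -ge 1 ]; then
  probe_tls "$1" "${2:-443}"
fi
```

A line reading "(NONE) (NONE) 0" for a flag means the server refused that version (or the client could not offer it), which is the result you want to see for -tls1 and -tls1_1 on a hardened server; a non-zero third column on -tls1_2 or -tls1_3 is a chain or hostname problem worth looking at with -showcerts.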
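The wildcard rule from the verify hostname section is easy to misjudge by eye, so here is a second added example (again not from the original post) that implements it in POSIX shell: hostname_matches applies the single-leftmost-label rule, covers_host checks a host against a list of certificate names, and leaf_names pulls the DNS SANs of a live server's leaf certificate with the s_client and sed pipeline from the post. The SAN list in the demo is constructed; leaf_names needs network access and assumes openssl 1.1.1 or newer for x509 -ext.

```shell
#!/bin/sh
# Added example, not code from the Mister PKI post: the hostname-matching rule
# behind "verify error:num=62:Hostname mismatch", in POSIX shell.

# hostname_matches PATTERN HOST: 0 when certificate name PATTERN covers HOST.
# Rule (RFC 6125 section 6.4.3, as OpenSSL applies it): a '*' may only replace
# the whole leftmost label, so *.example.com covers www.example.com but neither
# example.com nor test.www.example.com; the latter needs *.www.example.com.
# Comparison is case-insensitive.
hostname_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    '*.'*)
      suffix=${pat#\*.}
      # refuse over-broad wildcards such as *.com: the suffix needs two labels
      case "$suffix" in *.*) ;; *) return 1 ;; esac
      # host must end in ".suffix" ...
      case "$host" in *."$suffix") ;; *) return 1 ;; esac
      # ... and what precedes it must be exactly one non-empty label
      first=${host%."$suffix"}
      case "$first" in ''|*.*) return 1 ;; *) return 0 ;; esac
      ;;
    *'*'*) return 1 ;;               # wildcard anywhere else is rejected
    *) [ "$pat" = "$host" ] ;;       # plain names must match exactly
  esac
}

# covers_host HOST NAME...: 0 if any certificate NAME covers HOST.
covers_host() {
  h=$1; shift
  for n in "$@"; do
    hostname_matches "$n" "$h" && return 0
  done
  return 1
}

# leaf_names HOST [PORT]: DNS names from the SAN of the live server's leaf
# certificate, using the s_client | sed pipeline from the post (needs network
# and openssl 1.1.1+ for "x509 -ext"). Not used by the offline demo below.
leaf_names() {
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    | openssl x509 -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Offline demo against a constructed SAN list (no real certificate involved).
for h in www.example.com test.www.example.com example.com example.net; do
  if covers_host "$h" '*.example.com' example.net; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
```

To check a real host, feed the live SAN list into covers_host, for example `covers_host www.example.com $(leaf_names example.com)`; an exit status of 1 is the same condition that makes s_client -verify_hostname report error 62.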