openssl as a debugging client

Today’s “useful tool of the day” comes to us thanks to the openssl command line tool from openssl. It was probably well known to all, but I just found out about it today.

From the openssl man page:

       s_client  This implements a generic SSL/TLS client which can establish
                 a transparent connection to a remote server speaking SSL/TLS.
                 It's intended for testing purposes only and provides only
                 rudimentary interface functionality but internally uses
                 mostly all functionality of the OpenSSL ssl library.

Here’s an example:

Port 465 is reserved for SMTP over SSL. I have that turned on for my mail server as that’s a useful port to have open for mail clients that can’t do a STARTTLS for port 25 (and/or for 587/submission.) How do I make sure that my smtps is configured property and sharing the right services? I would do something like this (my command line is in bold):

# openssl s_client -host my.mailhost.example -port 465
CONNECTED(00000003)
depth=0 /C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
verify return:1
---
Certificate chain
 0 s:/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
   i:/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate spew snipped>
-----END CERTIFICATE-----
subject=/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
issuer=/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
---
No client certificate CA names sent
---
SSL handshake has read 1247 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: <snipped>
    Session-ID-ctx:
    Master-Key: <snipped>
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1086191863
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 my.mailhost.example ESMTP Postfix
EHLO mailhost.example
250-my.mailhost.example
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
quit
221 Bye
read:errno=0

One thought on “openssl as a debugging client”

Leave a Reply