I am using openssl commandline as a client to communicate with a server that uses TLS like so:
openssl s_client -connect localhost:xxxx
I want the client to send TLS shutdown to the server with the command line. How can I do this?
A TLS shutdown is send on TLS connection close. There is no way supported in s_client to explicitly trigger a SSL_shutdown but keep the underlying TCP connection open.
A close can for example be triggered by entering "Q" on the input, see CONNECTED COMMANDS in the documentation. See also the comment from dave_thompson_085 for other ways how a close can be triggered.
Related
I am trying to automate a TLS handshake and get the session information in a .pem file, using the following command:
openssl s_client -connect www.domain.com:443 -sess_out domain.pem
Every time that command is entered, a connection is started and waits for a user input (such as GET). My first goal would be to avoid that (just close the session when the session information is received, and move to the next domain). The second goal is to get the session information.
This thread gives a partial solution that works just fine when TLS 1.2 is negociated (as setting the session is part of the handshake):
https://unix.stackexchange.com/questions/47852/openssl-s-client-hangs
So for readers trying to solve the issue for TLS 1.2, here is a good solution:
echo -n | openssl s_client -connect www.domaintls1-2.com:443 -sess_out ticket1-2.pem
Now my problem is that for TLS 1.3, the session information is sent AFTER the handshake. So I need to initiate a GET (or HEADER, or even send a bad request) to get the post-handshake new session ticket, and have it being saved in that .pem file.
It works fine when done manually, but using an echo isn't working (I tried echo "GET" | openssl ..., openssl ... <<< GET, openssl s_client -connect www.domaintls1-3.com:443 -sess_out test1_3.pem < /dev/null, but in all these cases, I guess the connection is simply closed after the handshake and doesn't take the coming post-handshake tickets into account to be saved in the .pem file.
I'd be happy to test any suggestions, I am running out of ideas!
System: Ubuntu 20.01
OpenSSL version 1.1.1f 31 Mar 2020
Edit: Changed the title to emphasize that problem is with post-handshake information
I have this problem using centos 7 the problem is when i try to connect with ssl and I'am using local internet provider the handshaking will block after client hello,
openssl version: OpenSSL 1.1.0g 2 Nov 2017
openssl s_client -connect 151.3.144.205:9093 -state -nbio 2>&1
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
If I use a mobile connection the handshaking goes ahead.
the certificates are generating for kafka server and I use the common guide to generate it.
I guess is a problem with openssl
I guess is a problem with openssl
If it would be a problem with openssl then it would not work with the mobile connection either, assuming that you are using the same openssl with mobile and without.
It is more likely that there is some firewall which blocks access on your normal connection and that by using the mobile connection you bypass the firewall. Thus, search for the cause of the problem in your network and not in openssl.
We found the problem in Centos 7 or Openssl version, we have installed a debian server machine with the same Kafka and zookeper configuration and we have solve the problem.
I guess that there is a bug in Openssl Centos version, becouse it's impossible
that the communication tcp by ssl secutity were interrupted by the firs client presentation and no server hello response.
i'm opening a kTLS connection using openssl client and server, how can i verify that it's actually opened a tls connection.
Note: i know that when i supply a certificate and cipher when establishing the connection but i want a way to know the type of the connection even if i don't know who and how someone open it.
i try netstat
Example : netstat -an | grep Port-No
and get tcp6 title but nothing regarding the security of the connection
the command is used:
Client:
env LD_LIBRARY_PATH=#LD_LIBRARY_PATH:`pwd`/.. ./openssl s_client -tls1_2 -debug -connect 1.1.1.2:4433
Server:
sudo env LD_LIBRARY_PATH=#LD_LIBRARY_PATH:`pwd`/.. ./openssl s_server -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256
I'm searching for a tool/command that can show the security protocol that established connection use.
I am working with an external company. Lets call them evilcorp.com. I want to use openssl to debug a two way SSL handshake.
https://evilcorp.com is setup to not require client authentication.
https://evilcorp.com/webservices is setup to require client authentication.
How can I specify this path in openssl. So basically this works:
openssl s_client -connect evilcorp.com:443
But this does not work and gives me gethostbyname failure
openssl s_client -connect evilcorp.com/webservices:443
How can I get this to work (if possible)
You have a very simple error in the address. Here's the fix:
"openssl s_client -connect evilcorp.com:443/webservice"
You had the 443 at the end - it needs to go directly after to the domain name.
I'm not sure if this can be done at all but if it can be done then you first have to use openssl to connect to the clients host and already specify the client certificates. Then inside the successful connection you need to speak HTTP to access the relevant page.
I.e. you first connect:
$ openssl s_client -connect host:port -cert cert.pem -key key.pem
... CONNECTED
... Verify return code...
---
And then access the URL using the HTTP protocol
GET /protected_page/ HTTP/1.0
Host: example.org
<empty line>
Note that the last line must be an empty line according to the HTTP protocol. It might also that you need to use the -crlf option in openssl to get the line ends correct in case you have a strict web server. If all goes right the server should now issue a renegotiation request to the client, i.e another TLS handshake is done.
In the following document: http://www.ietf.org/rfc/rfc2487.txt
It stated that after running starttls client must do .
What should I write there in place of that?
My aim is to emulate a connection to Zoho's mail server: https://www.zoho.com/mail/help/zoho-smtp.html through command line.
Can anyone help, please?
If you are to use telnet for connecting to a mail server using tls then you will have to perform handshake operations manually. But these handshake operations can be automated by using an open source library which implements TLS. One such library is 'OpenSSL'. Below is the openssl command using which you can try connecting to the mail server using tls
openssl s_client -starttls smtp -connect smtp.zoho.com:587 -crlf -ign_eof