I am writing a script that calls the command.
openssl s_client -showcerts -connect server:9999 > out.pem -key key.pem -cert cert.pem -pass pass:password
But it displays output; I tried adding -quiet but with no luck. Is there a way I can get it so that it won't report to the console? If I run the command in a terminal I have to type exit to get out of the connection.
Edit
I want this to exit automatically within my script. Is there a way to do that?
For the automatic exit part, you could do this:
echo | openssl s_client -connect www.google.com:443
The output is possibly being sent to stderr (rather than stdout). It should work if you use >& for the redirection.
I am trying a TLS connection to aws_iot core using openssl s_client.
openssl s_client -connect ajvldjdsdggr-ats.iot.us-east-1.amazonaws.com:8883 -CAfile AmazonRootCA1.crt -cert 6fceaadfd6a-certificate.pem.crt -key 6fceaadfd6a-private.pem.key
OUTPUT RECEIVED:
CONNECTED(00000003)
And it is stuck at this point.
Can anyone please explain what might be the issue?
I'm dealing with an issue where Python can't connect to a specific server over SSL due to OpenSSL not being able to complete the handshake. Curl and my browser work. I've tried a couple of different OpenSSL versions and solutions, but can't seem to connect.
Here is what I've tried on both of the following platforms. The output is printed slightly differently on OpenSSL 1.0.1e, but it's still the same errors.
Mac OSX Yosemite - OpenSSL 0.9.8zg 14 July 2015
Debian GNU/Linux 7 (wheezy) - OpenSSL 1.0.1e 11 Feb 2013
Without specifying which version of
openssl s_client -connect www.uk-recruitment.net:443
openssl s_client -connect www.uk-recruitment.net:443 -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH' -servername uk-recruitment.net
but I always get the same result:
CONNECTED(00000003)
66716:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:
If I add -tls1, -tls1_1 or -tls1_2 with all the same options, I get a slightly different error:
openssl s_client -connect www.uk-recruitment.net:443 -tls1
CONNECTED(00000003)
66750:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:1145:SSL alert number 80
66750:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:566:
The site requires Server Name Indication (SNI), and SSL handshakes not using SNI will cause failure:
$ openssl s_client -connect www.uk-recruitment.net:443
CONNECTED(00000003)
139999237719712:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
With SNI instead it looks much better:
$ openssl s_client -connect www.uk-recruitment.net:443 -servername www.uk-recruitment.net
CONNECTED(00000003)
...
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
It might be that the -servername option is not available with OpenSSL 0.9.8, but it should be with OpenSSL 1.0.1.
I have a Flask application running using a self-signed certificate. I'm able to send in a curl request using:
curl -v -k -H "Content-Type: application/json" -d '{"data":"value1","key":"value2"}' https://<server_ip>:<port>
The verbose logs show that everything went alright.
I wanted to avoid using the -k (--insecure) option and instead specify a .pem file that curl could use. Looking at the curl man page I found that you could do this using the --cert option.
So I created a .pem file using this:
openssl rsa -in server.key -text > private.pem
CURL throws me this error when using the private.pem file:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
Any suggestions? - or is this only possible with a properly signed certificate?
Tnx
This is just another version of this question: Using openssl to get the certificate from a server
Or put more bluntly:
Using curl --cert is wrong, it is for client certificates.
First, get the certs your server is using:
$ echo quit | openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
(-servername is necessary for SNI so that you get the right virtual server's certificate back)
Then make your curl command line use that set to verify the server in subsequent operations:
$ curl --cacert cacert.pem https://server/ [and the rest]
special teaser
Starting with curl 7.88.0 (to be shipped in February 2023), curl can save the certificates itself with the new %{certs} variable for the -w option. Blogged about here.
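The two answers above (the "echo |" trick for a non-interactive s_client, and saving the server's chain for curl --cacert) combined into one script. This is an added example, not code from any of the posts; it assumes the openssl binary is on PATH, and the demo stands up a throwaway openssl s_server with a constructed self-signed certificate for localhost instead of a real remote host.

```shell
#!/bin/sh
# Added example, not from any answer on this page: fetch a server's certificate
# chain non-interactively (with SNI) and use it as the CA bundle for curl --cacert.
set -eu

# Fetch the PEM chain presented by HOST:PORT into OUTFILE.
#   echo |        closes stdin, so s_client exits right after the handshake
#   -servername   sends SNI, so a virtual host returns its own certificate
#   2>/dev/null   drops the handshake chatter, which s_client writes to stderr
#   sed           keeps only the PEM blocks (leaf first, then the issuers)
fetch_chain() {
    host=$1; port=$2; out=$3
    echo | openssl s_client -showcerts -servername "$host" -connect "$host:$port" 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$out"
    # fail if nothing came back (wrong port, handshake refused, filtered, ...)
    grep -q 'BEGIN CERTIFICATE' "$out"
}

# Offline demo: a constructed self-signed certificate for localhost, served by
# openssl s_server on a local port, stands in for the real server.
demo() {
    port=${1:-14433}
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl s_server -accept "$port" -www -key "$dir/key.pem" -cert "$dir/cert.pem" \
        >/dev/null 2>&1 &
    srv=$!
    ok=0
    for _ in 1 2 3 4 5; do   # give s_server a moment to start listening
        if fetch_chain localhost "$port" "$dir/cacert.pem"; then ok=1; break; fi
        sleep 1
    done
    kill "$srv"
    [ "$ok" -eq 1 ]
    # The fetched chain must verify the server's own certificate ...
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null
    # ... and the fetched leaf must be exactly the certificate the server uses.
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/cacert.pem")" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/cert.pem")" ]
    echo "$dir/cacert.pem"   # hand this to: curl --cacert <file> https://host/
}
```

Pinning a fetched chain this way only tells curl to trust whatever the server presented at fetch time, so it is a convenience for self-signed test servers, not a substitute for a CA you already trust.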
To make a request to an https server through curl, I make use of the steps below.
Step 1: Generate a self-signed certificate with the command below at the root of the project you want to use it in.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes
Step 2: Fill in the prompts with the required details, but when you get to Common Name, input localhost, e.g. Common Name (eg, fully qualified host name) []:localhost
Step 3: When your openssl cert.pem & key.pem have been generated, start up your server, then in another terminal or command line run
curl --cacert cert.pem https://localhost:443
Note: I use port 443, which is the default https port; you can make use of another port, then make sure the cert.pem file path is well referenced.
Can someone explain this behavior:
If I run an s_server with:
openssl s_server -key privateKey.key -cert certificate.crt -msg -no_tls1_1
And an s_client with:
openssl s_client -connect localhost:4433 -msg -no_tls1
I receive on the client:
3073448136:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:697:
And just Error on the server.
I find this very strange since they should be able to communicate over some protocol other than tls1 and tls1.1; for example ssl3 should work.
I am currently running OpenSSL 1.0.1 from 14 March 2012 (it's old, I know, but is this really a bug? It feels like something I have not understood about OpenSSL).
I am trying to do push notifications in my app and following this link:
http://www.raywenderlich.com/3443/apple-push-notification-services-tutorial-part-12
My system has been successfully connected with telnet, but when I enter the command for connecting with the SSL certificate and private key I get an error:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key.pem
unable to load client certificate private key file
1301:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
Can anyone tell me what type of error this is and what the solution for it is?
Thanks in advance
The following command is good enough to verify the key/cert:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert push_development.pem
The key part is to select both certificate and private key when exporting the .p12 from Keychain Access (you will be asked for 3 passwords, one for the .p12, one for the cert, one for the private key).
To convert .p12 to .pem, follow the instructions from Apple:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
At first I was facing this problem too.
We have two files:
1) one is aps_development.cer from Apple
2) another one is from Keychain Access with the common name that we just created.
After that, convert both of them to .pem files.
For example, cert.pem and key.pem.
After that, combine these two files using the command below:
cat cert.pem key.pem > ck.pem
At first I ran openssl using the command below:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert cert.pem -key key.pem
Which returns me the error you mentioned.
After that I tried using
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert cert.pem -key ck.pem
Then it's working already. Hope this helps.
I was facing the same issue while I was generating a PEM file for Enterprise Distribution, but I figured out later that I had generated a p12 file against the iPhone Distribution Certificate key, though I should have generated the p12 against the Apple Production iOS Push Services key. Hope this may resolve the issue if anyone has used the Distribution key.
Hello, please follow the commands below.
Step 1
openssl pkcs12 -clcerts -nokeys -out developer_key.pem -in developer_key.p12
Note: just drag the file path onto the terminal...
Step 2
openssl pkcs12 -nocerts -out apns_key.pem -in apns_key.p12
Step 3
openssl pkcs12 -in developer_key.p12 -out developer_key.pem -nodes -clcerts
Step 4
openssl pkcs12 -in apns_key.p12 -out apns_key.pem -nodes -clcerts
Step 5
cat apns_key.pem developer_key.pem > developer.pem
Do the same steps for Distribution certificates.
After creating developer.pem and distribution.pem,
please verify both files with the command below.
Step 6
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert developer.pem -debug -showcerts -CAfile "Entrust.net.Certification Authority (2048).pem"
Note: the pass phrase must be longer than 3 characters.
I have just fixed it with the pass phrase 1234 :D
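The two answers above that concatenate a certificate and a private key into one PEM for -cert both leave the failure cases to the gateway. The added script below (not code from any of the posts; it assumes the openssl binary is on PATH and uses constructed self-signed material in place of the APNs files) builds the combined file only after checking that the key file really is a PEM private key (the "no start line" error) and that it matches the certificate (the wrong-key case from the Enterprise Distribution answer).

```shell
#!/bin/sh
# Added example, not from the answers above: build the combined cert+key PEM that
# "openssl s_client -cert" expects, after checking the two files actually belong
# together, so "no start line" and "wrong key" problems surface before the connect.
set -eu

# Combine CERT and KEY into OUT, or fail with a reason.
make_client_pem() {
    cert=$1; key=$2; out=$3
    # "no start line": the key file is not PEM at all (e.g. a .p12 renamed to .pem)
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "$key: no PEM private key block" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "$cert: no PEM certificate block" >&2; return 1; }
    # Wrong key for this certificate (e.g. a distribution key exported with a push
    # cert): the public key in the cert must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "$key: cannot read key (wrong pass phrase?)" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key does not match $cert" >&2; return 1; }
    cat "$cert" "$key" > "$out"
}

# Offline demo: constructed self-signed material stands in for the APNs files.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=apns-test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.pem" 2>/dev/null   # unrelated key
    make_client_pem "$dir/cert.pem" "$dir/key.pem" "$dir/ck.pem"        # matching pair
    if make_client_pem "$dir/cert.pem" "$dir/other.pem" "$dir/bad.pem" 2>/dev/null; then
        return 1   # a mismatched key must be rejected
    fi
    # The combined file must load as a certificate and as a private key, which is
    # exactly what "-cert ck.pem" (or "-cert cert.pem -key ck.pem") relies on.
    openssl x509 -in "$dir/ck.pem" -noout
    openssl pkey -in "$dir/ck.pem" -noout
    echo "$dir/ck.pem"
}
```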