Using OpenSSL to connect to SSL sites and STARTTLS services

Introduction

In this tutorial you will learn the basic usage of OpenSSL with SSL and STARTTLS connections.

To connect to a SSL site or service in general, having a telnet like terminal you just use the following, where example.com is the destination name and 443 is the default https port:

openssl s_client -connect example.com:443

If you are using a self signed certificate and are testing you can tell OpenSSL to use your own CA to check against with, using ca.crt as your CA certificate:

openssl s_client -CAfile ca.crt -connect example.com:443

If you need to check a STARTTLS service, like POP3, IMAP or SMTP you can use the following, with one line by service:

openssl s_client -starttls smtp -connect mail.example.com:25
openssl s_client -starttls pop3 -connect mail.example.com:110
openssl s_client -starttls imap -connect mail.example.com:143

Understanding the output of OpenSSL s_client

When you connect to the server you will get a lot of information, like when trying to send an email with gmail using TLS and SMTP:

ds@localhost ~ $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
 i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIfMman9+czWkwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNjMwMTQ1ODM5WhcNMTYwOTIyMTQ1MzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOc210
cC5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCG2pVu
NQl/MS3rRXTfsvMVqRwnq1Wp5lfZQzirPFDq5zVPZdUjFuvXWSARG3jTgWQmImxF
5LHadoDT/1hUcvXdHVMDToGidd7oS34uB0tJMzg5V5EYngpNapk5tG+1RnmATMGp
/FadP/ua5w4SQSy+HelVQDLEPBw69vaCvwVUpE/++36fJejxd3PFQTgOyxzfK7hO
q6kjD5CU22lhdg+/DBlO6jt/3k3s0870JJDzG5yPhRTQray/q82W0rdi7nSIBrpz
q0QjwrcqeTvEXn+WIMTKNar2pYMJ+3FM/IzMLxOZBdbkDIeC8hdOfc4nDCRHF9xr
GCBaa1mIoVWfOatlAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBRuqJafObl4pMJL80jVAaHoQvtvyTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAZWAOHh4qrhVxHqfZ
kZGrVKOksEZcjqB1sS1R3vue7L9BcReufk/SsdQHn+Uo3UKgC0BJpiP0cZ+Du4ni
T4vUFdylXdz+N8eHCOx9lct2rcg2cEZI9nVCiQxKjXDF0eHguOrSOMt5v7cnKFei
C8fM2kfpmXSNyWpj/P38AOtjskBHBwfzdNEnro9xODMRNnp66bnGWXnOlAgi3vup
uTzYMTID/qE+uBKuXEvX050AqMM/DcB1DKUy97iJe8MjyHwrELJbBkIqP5gkNQsY
jOJ6ZzgW2aeCVCCoBw/EfpDYXCL6oKnn/2NJalWAfwCL7hO+DVsCKoXRBJA+eTob
UmrB4g==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3979 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
 Protocol : TLSv1.2
 Cipher : ECDHE-RSA-AES128-GCM-SHA256
 Session-ID: B3DEDB08318E277FFEED0321D213F94D29FDBBAD2CD4B4FC5A8F71514B5C3549
 Session-ID-ctx: 
 Master-Key: 7EADA15AF7DEBBEF1DBC4E7A5FB62C38C9278A40908B21F6E857682F69AFDCFB721A2F6558174D52AC821E0072B42E53
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 100800 (seconds)
 TLS session ticket:
 0000 - a5 e8 45 fe 7d 0a 4a 4d-1e e8 e1 87 36 72 35 ab ..E.}.JM....6r5.
 0010 - d5 70 5e 33 53 fd a0 a7-a5 fd f1 00 d8 0a 9b ee .p^3S...........
 0020 - 2e c1 29 09 ad 07 4c 82-9f e7 ee 3e fc e0 b5 31 ..)...L....>...1
 0030 - 2b 96 59 79 77 81 70 73-71 5d dc 11 c2 90 27 7f +.Yyw.psq]....'.
 0040 - a4 34 20 c5 cf b8 95 a4-be 84 87 f4 24 39 95 63 .4 .........$9.c
 0050 - b5 3e f2 cf 09 20 5f 1a-f8 7a 2f 1b c7 8a ea af .>... _..z/.....
 0060 - e4 40 ad cb ce 39 1b bf-46 e8 33 2b 17 f9 97 82 .@...9..F.3+....
 0070 - 94 bb 6b 38 8a 32 28 50-6f 6f bc d0 8d cd 9e 3e ..k8.2(Poo.....>
 0080 - 31 b3 a2 d2 79 7c de fa-fe 95 13 f7 de 60 cf ae 1...y|.......`..
 0090 - 67 a4 7b 67 dc a3 5a fb-05 02 53 4a 9b b0 f8 cc g.{g..Z...SJ....
 00a0 - 43 8c e2 55 C..U

 Start Time: 1467831400
 Timeout : 300 (sec)
 Verify return code: 0 (ok)
---
250 SMTPUTF8

Thats too much information? Let’s see piece by piece:

First you have the certificate chain, that is the certificate and all CAs that identify it as trusted, both in plain and parsed form:

depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
 i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

This is saying that the certificate is the following:

0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com

And is certified by the CAs:

i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Following you have the server certificate file, remember from our tutorial about generating a self certificate that the certificate is public? So here is the gmail.com certificate as I wrote this tutorial:

Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIfMman9+czWkwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNjMwMTQ1ODM5WhcNMTYwOTIyMTQ1MzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOc210
cC5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCG2pVu
NQl/MS3rRXTfsvMVqRwnq1Wp5lfZQzirPFDq5zVPZdUjFuvXWSARG3jTgWQmImxF
5LHadoDT/1hUcvXdHVMDToGidd7oS34uB0tJMzg5V5EYngpNapk5tG+1RnmATMGp
/FadP/ua5w4SQSy+HelVQDLEPBw69vaCvwVUpE/++36fJejxd3PFQTgOyxzfK7hO
q6kjD5CU22lhdg+/DBlO6jt/3k3s0870JJDzG5yPhRTQray/q82W0rdi7nSIBrpz
q0QjwrcqeTvEXn+WIMTKNar2pYMJ+3FM/IzMLxOZBdbkDIeC8hdOfc4nDCRHF9xr
GCBaa1mIoVWfOatlAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBRuqJafObl4pMJL80jVAaHoQvtvyTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAZWAOHh4qrhVxHqfZ
kZGrVKOksEZcjqB1sS1R3vue7L9BcReufk/SsdQHn+Uo3UKgC0BJpiP0cZ+Du4ni
T4vUFdylXdz+N8eHCOx9lct2rcg2cEZI9nVCiQxKjXDF0eHguOrSOMt5v7cnKFei
C8fM2kfpmXSNyWpj/P38AOtjskBHBwfzdNEnro9xODMRNnp66bnGWXnOlAgi3vup
uTzYMTID/qE+uBKuXEvX050AqMM/DcB1DKUy97iJe8MjyHwrELJbBkIqP5gkNQsY
jOJ6ZzgW2aeCVCCoBw/EfpDYXCL6oKnn/2NJalWAfwCL7hO+DVsCKoXRBJA+eTob
UmrB4g==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---

Later you have some information about the connection and the client certificate used to connect, since we didn’t use one client certificate this don’t have much:

---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---

Then you have some technical information about the ciphers used to encrypt and decrypt data and compression state, this will tell us also what version of SSL and TLS is used in this connection:

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE

In this case we have a TLS version 1, SSL version 3, Cipher information and key size as 2048 bit.

The cipher is the algorithms used to encrypt/decrypt data, this is the important part for the technical folks, we will not cover this here since it’s too advances for this tutorial.

Finally we have the connection openned and the server first line sent using the TLS/SSL protocol:

---
250 SMTPUTF8

After this you can start sending commands, like EHLO domain or RCPT/MAIL/DATA commands, these are SMTP commands and not covered by this tutorial.

The important part is that after the openssl s_client work you have a connection as you would have with a telnet, but secured by TLS/SSL, so you can send information like passwords without worry.

Maximizing Linux TCP Connections

To maximize Linux TCP Connections use following:

In /etc/sysctl.conf:

net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65001

# General gigabit tuning:
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_syncookies = 1
#
# # this gives the kernel more memory for tcp
# # which you need with many (100k+) open socket connections
net.ipv4.tcp_mem = 50576   64768   98152
net.core.netdev_max_backlog = 2500

To maximize maximum open files in Linux, you need this in /etc/security/limits.conf:

USER soft nofile 1000000
USER hard nofile 1000000

Where USER is the username, to raise limits for all users:

* soft nofile 1000000
* hard nofile 1000000

 

OpenSSL Self-Signed Certificates for authentication

13818327365_3ef3d8f556_o

Introduction

OpenSSL is a tool to manage certificates and SSL connections.

In this tutorial you will learn how to create certificates in general, as creating your own CA (certificate authority) or creating a CSR (certificate signing request) for a known CA sign for you.

Every certificate has two parts, the private key and the public certificate. The certificate is used to encrypt data and the private key is used to decrypt this data, thats why it’s called a private key since it will be used to read the encrypted data that was sent privately to you or your site.

This private key should never been sent to people you don’t trust, never. The certificate is different, it’s public and everyone can have it and your website will promptly show it to everyone trying to connect in a secure way.

To know if a certificate is valid and true it must be signed by an entity called Certificate Authority, or just CA. This CA will be trust by your browser or yourself and assumes the responsibility about the known state of your site. Saying plainly, the CA assumes to the user that you are who you are telling them you are.

You can also create your own CA to sign locally your certificates, this is widely used inside enterprise and in secondary servers like mail servers. This should not be used in a website except when all your users know your CA like in the case you have an e-commerce site for affiliates when they all have your CA installed, otherwise their browser will say the certificate is invalid and the site is not secure!

Commands

To generate an OpenSSL self-signed CA use the following code, the ca.key will have your private CA key, and ca.crt will have your CA certificate, you will have to install this ca.crt in browsers to use this key in a secure way:

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

To generate a CSR file for a CA sign later you use the following, the client.key have your private key and client.csr have your CSR file, you only send the CSR file to the CA, never send the client.key file!

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

If you are using an outside CA you can stop here, otherwise to use your own CA to sign the certificate you use the following, the client.crt will have your public certificate, if you are generating multiple certificates you should set the serial number different, in this case is just 01:

openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

If you need to export the private key to PKCS12 format:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

If you need in PEM format:

openssl pkcs12 -in client.p12 -out client.pem -clcerts