Using OpenSSL to connect to SSL sites and STARTTLS services

Introduction

In this tutorial you will learn the basic usage of OpenSSL with SSL and STARTTLS connections.

To connect to an SSL site or service in general and get a telnet-like terminal on it, you just use the following, where example.com is the destination name and 443 is the default HTTPS port:

openssl s_client -connect example.com:443

If you are using a self-signed certificate for testing, you can tell OpenSSL which CA to check the server against, using ca.crt as your CA certificate:

openssl s_client -CAfile ca.crt -connect example.com:443

If you need to check a STARTTLS service, like POP3, IMAP or SMTP, you can use the following (one line per service):

openssl s_client -starttls smtp -connect mail.example.com:25
openssl s_client -starttls pop3 -connect mail.example.com:110
openssl s_client -starttls imap -connect mail.example.com:143

Understanding the output of OpenSSL s_client

When you connect to the server you will get a lot of information, for example when connecting to Gmail's SMTP server with STARTTLS, as you would to send an email:

ds@localhost ~ $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
 i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3979 bytes and written 469 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
 Protocol : TLSv1.2
 Cipher : ECDHE-RSA-AES128-GCM-SHA256
 Session-ID: B3DEDB08318E277FFEED0321D213F94D29FDBBAD2CD4B4FC5A8F71514B5C3549
 Session-ID-ctx: 
 Master-Key: 7EADA15AF7DEBBEF1DBC4E7A5FB62C38C9278A40908B21F6E857682F69AFDCFB721A2F6558174D52AC821E0072B42E53
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 100800 (seconds)
 TLS session ticket:
 0000 - a5 e8 45 fe 7d 0a 4a 4d-1e e8 e1 87 36 72 35 ab ..E.}.JM....6r5.
 0010 - d5 70 5e 33 53 fd a0 a7-a5 fd f1 00 d8 0a 9b ee .p^3S...........
 0020 - 2e c1 29 09 ad 07 4c 82-9f e7 ee 3e fc e0 b5 31 ..)...L....>...1
 0030 - 2b 96 59 79 77 81 70 73-71 5d dc 11 c2 90 27 7f +.Yyw.psq]....'.
 0040 - a4 34 20 c5 cf b8 95 a4-be 84 87 f4 24 39 95 63 .4 .........$9.c
 0050 - b5 3e f2 cf 09 20 5f 1a-f8 7a 2f 1b c7 8a ea af .>... _..z/.....
 0060 - e4 40 ad cb ce 39 1b bf-46 e8 33 2b 17 f9 97 82 .@...9..F.3+....
 0070 - 94 bb 6b 38 8a 32 28 50-6f 6f bc d0 8d cd 9e 3e ..k8.2(Poo.....>
 0080 - 31 b3 a2 d2 79 7c de fa-fe 95 13 f7 de 60 cf ae 1...y|.......`..
 0090 - 67 a4 7b 67 dc a3 5a fb-05 02 53 4a 9b b0 f8 cc g.{g..Z...SJ....
 00a0 - 43 8c e2 55 C..U

 Start Time: 1467831400
 Timeout : 300 (sec)
 Verify return code: 0 (ok)
---
250 SMTPUTF8

That's too much information? Let's look at it piece by piece:

First you have the certificate chain, that is, the server certificate and all the CA certificates that make it trusted, both as the verification output (one line per depth) and in parsed form:

depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
 i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

This says that the server certificate is the following:

0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com

And that it is certified by the following CAs (each entry lists the certificate's subject "s:" and its issuer "i:"):

i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Next you have the server certificate itself. Remember from our tutorial about generating a self-signed certificate that the certificate is public? So here is the gmail.com certificate as it was when I wrote this tutorial:

Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---

Next you have some information about the connection and about the client certificate used to connect; since we didn't use a client certificate, there isn't much here:

---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---

Then you have some technical information about the ciphers used to encrypt and decrypt the data and about the compression state. This also tells us which version of SSL or TLS is used for this connection:

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE

In this case we have TLS version 1 / SSL version 3, the cipher information and a server key size of 2048 bit.

The cipher is the set of algorithms used to encrypt and decrypt the data. This is the important part for the technical folks, but we will not cover it here since it is too advanced for this tutorial.

Finally we have the connection opened and the first line sent by the server over the TLS/SSL protocol:

---
250 SMTPUTF8

After this you can start sending commands, like EHLO domain or the MAIL/RCPT/DATA commands; these are SMTP commands and are not covered by this tutorial.

The important part is that once openssl s_client has done its work, you have a connection just like you would have with telnet, but secured by TLS/SSL, so you can send information like passwords without worry.
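The commands at the start of this tutorial and the output walkthrough above can be combined into a small script that runs s_client non-interactively and reduces its output to the fields you actually check. This is an added example, not part of the original tutorial; the function names (tls_check, s_client_summary, cert_chain, tls_acceptable) are this example's own, and the embedded sample output is a trimmed, constructed copy of the session shown above. One thing the script makes explicit: the "New, TLSv1/SSLv3" line is a generic label, and the version really negotiated is the "Protocol :" line inside the SSL-Session block, which is what the summary reports.

```shell
#!/bin/sh
# Added example (not from the original tutorial): wrap openssl s_client
# and parse its output. Function names are this example's own.

# Print the "Certificate chain" block (up to the next ---) from s_client
# output read on stdin.
cert_chain() {
    awk '/^Certificate chain/ { on = 1; next }
         on && /^---/          { exit }
         on                    { print }'
}

# Reduce s_client output on stdin to one line: verify return code, the
# protocol actually negotiated (the "Protocol :" line of SSL-Session,
# not the generic "New, TLSv1/SSLv3" label), cipher and server key size.
s_client_summary() {
    awk '/^ *Verify return code:/ { verify = $4 }
         /^ *Protocol *:/        { proto  = $NF }
         /^ *Cipher *:/          { cipher = $NF }
         /^Server public key is/ { bits   = $5 }
         END { printf "verify=%s protocol=%s cipher=%s keybits=%s\n",
                      verify, proto, cipher, bits }'
}

# Succeed only if the chain verified (code 0) and TLS 1.2 or 1.3 was used.
tls_acceptable() {
    summary=$(s_client_summary)
    case $summary in
        "verify=0 protocol=TLSv1.2 "*|"verify=0 protocol=TLSv1.3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# tls_check HOST PORT [STARTTLS-PROTOCOL]
# </dev/null closes s_client's stdin so it exits after the handshake
# instead of waiting for you to type; -servername sends SNI.
tls_check() {
    host=$1; port=$2; starttls=${3:-}
    openssl s_client -connect "$host:$port" -servername "$host" \
        ${starttls:+-starttls "$starttls"} </dev/null 2>/dev/null \
        | s_client_summary
}

# Constructed sample: the session from this tutorial, trimmed.
SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
250 SMTPUTF8
EOF
)

# Offline demonstration on the sample. For a live check use, e.g.:
#   tls_check smtp.gmail.com 587 smtp
#   tls_check example.com 443
printf '%s\n' "$SAMPLE" | cert_chain
printf '%s\n' "$SAMPLE" | s_client_summary
```

Pipe a live run through tls_acceptable in a cron job or health check and a non-zero exit tells you the chain no longer verifies or the server has dropped to an old protocol version; add -CAfile to the openssl line in tls_check when you are testing against your own CA, as shown earlier in the tutorial.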
