OpenSSL s_client Commands
OpenSSL is a multi-platform, open source SSL/TLS toolkit. OpenSSL can be downloaded from http://www.openssl.org/
The OpenSSL command line tool can be used for several purposes, such as creating certificates, viewing certificates and testing HTTPS services and connectivity. This document provides a summary of "openssl s_client" commands that can be used to test connectivity to SSL services. It assumes that you already have the openssl software installed.
Testing HTTPS Services Using "openssl s_client -connect" Command
The following command can be used to test connectivity to an https service.
openssl s_client -connect <hostname>:<port>
For example :
openssl s_client -connect pingfederate.example.com:443
This will open an SSL connection to pingfederate.example.com on port 443 and print the SSL certificate presented by the service. Once connected you can type HTTP requests manually. This is similar to using telnet to connect to an HTTP service and sending an HTTP request (e.g. a GET) by hand.
If openssl fails to connect, it will wait until a timeout occurs and then print an error similar to the following:
connect: Operation timed out
If you use the openssl client to connect to a non-SSL service (e.g. port 80 instead of 443), the TCP connection succeeds but no SSL handshake takes place. The "CONNECTED(00000003)" message is printed as soon as the socket is opened, but the client then waits until a timeout occurs and prints an error similar to the following:
44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:
-showcerts
Adding the -showcerts parameter to this command prints every certificate in the chain presented by the SSL service. This is useful when troubleshooting missing intermediate certificate authority certificates, as described in a separate knowledge base article.
openssl s_client -connect <hostname>:<port> -showcerts
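The chain printed by -showcerts is what you read to find a missing intermediate: each " N s:" line is a certificate's subject and the " i:" line under it is its issuer, and the "verify error" lines before the chain say at which depth verification stopped. The script below is an added example written for this page, not part of the original article or of any Ping Identity tooling. It parses that output, lists issuers the server did not send, and classifies the run. The two sample outputs are constructed to look like OpenSSL 0.9.8 output (the version the error strings on this page come from); the certificate bodies are placeholders. run_s_client assumes "openssl" is on the PATH and is the only function that touches the network.

```python
import re
import subprocess

# Constructed sample of "openssl s_client -connect host:443 -showcerts" output
# (not captured from a real host). The server sent only its leaf certificate,
# so the verify callback could not find the issuer. Subject/issuer lines use
# the "/C=.../CN=..." form printed by OpenSSL 0.9.8; newer releases print
# "C = US, CN = ...", which the parser below treats the same way.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 /C=US/O=Example Corp/CN=pingfederate.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=Example Corp/CN=pingfederate.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=pingfederate.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder: certificate bytes omitted)
-----END CERTIFICATE-----
---
"""

# Constructed sample where the intermediate is sent as well and the root is in
# the local trust store, so the chain verifies and no "verify error" appears.
FULL_CHAIN = """\
CONNECTED(00000003)
depth=2 /C=US/O=Example CA/CN=Example Root CA
verify return:1
depth=1 /C=US/O=Example CA/CN=Example Intermediate CA
verify return:1
depth=0 /C=US/O=Example Corp/CN=pingfederate.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=pingfederate.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder: certificate bytes omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder: certificate bytes omitted)
-----END CERTIFICATE-----
---
"""

SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer DN>"
DEPTH_LINE = re.compile(r"^depth=(\d+)")
VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def parse_verify_errors(output):
    """Return [(depth, error number, message), ...] from the verify callback lines."""
    errors, depth = [], None
    for line in output.splitlines():
        m = DEPTH_LINE.match(line)
        if m:
            depth = int(m.group(1))
            continue
        m = VERIFY_ERROR.match(line)
        if m:
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    return errors


def unsent_issuers(chain):
    """Issuers that no certificate in the presented chain has as its subject
    (self-signed roots skipped). The last cert's issuer is usually listed here
    because servers normally omit the root; the leaf's issuer should not be."""
    subjects = {subject for subject, _ in chain}
    return [iss for subj, iss in chain if iss != subj and iss not in subjects]


def diagnose(output):
    """"leaf-issuer-not-sent": verification failed at depth 0 and the leaf's
    issuer was not in the chain. Read that issuer DN: an intermediate CA means
    the server is missing the intermediate; a root means the client lacks it."""
    chain = parse_chain(output)
    errors = parse_verify_errors(output)
    if not chain:
        return "no-certificate-chain"
    if not errors:
        return "ok"
    if any(d == 0 and n in (20, 21) for d, n, _ in errors) and chain[0][1] in unsent_issuers(chain):
        return "leaf-issuer-not-sent"
    if any(n == 20 for _, n, _ in errors):
        return "last-issuer-not-in-local-store"
    return "verify-error"


def run_s_client(host, port, timeout=15):
    """Run the real command (assumes "openssl" is on PATH); "Q" on stdin makes
    s_client close the connection after the handshake. Verify lines go to stderr,
    so stderr is merged into the returned text."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"]
    proc = subprocess.run(cmd, input=b"Q\n", stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, timeout=timeout)
    return proc.stdout.decode("utf-8", errors="replace")
```

Usage: diagnose(run_s_client("pingfederate.example.com", 443)). Error number 20 ("unable to get local issuer certificate") at depth 0 together with a single-certificate chain is the signature of a server that does not send its intermediate; the same error at a higher depth means the last certificate the server sent is signed by something the local trust store does not hold, which is a client-side issue rather than a server misconfiguration.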
-ssl2
Adding this parameter forces openssl to use only SSLv2. This option is useful for testing which SSL protocol versions a server supports; for example, you can use the following command to test whether SSLv2 is enabled.
openssl s_client -connect <hostname>:<port> -ssl2
-ssl3,-tls1,-dtls1
Like the -ssl2 switch, -ssl3, -tls1 and -dtls1 force SSLv3, TLSv1 and DTLSv1 respectively.
-cipher
This parameter forces the client to offer a specific cipher. It is useful for testing which SSL ciphers are enabled: after disabling weak ciphers on the server, you can attempt a connection using one of the disabled ciphers to verify that it is actually rejected.
You can use the "openssl ciphers" command to list the ciphers available to the OpenSSL client. This list describes the openssl client only and is not related to the ciphers enabled on the PingFederate service.
For example:
openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA
Using a cipher not supported by the server results in an error similar to the following.
openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
CONNECTED(00000003)
42792:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:602
So after disabling a weak cipher you can verify that it is really disabled by running this command and confirming that the handshake fails.
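Both the protocol-version flags and -cipher are most useful when run as a sweep: one s_client invocation per version or cipher, with the result read from the output. The script below is an added example written for this page (not from the original article or from Ping Identity); it wraps the commands shown above and classifies each run from the text s_client prints. The sample outputs are constructed: REJECTED, NON_TLS_PORT and TIMED_OUT reproduce the error lines quoted on this page, ACCEPTED is an abridged successful handshake. Two caveats the classifier handles: a non-TLS port makes s_client sit until its own timeout, so each run is bounded by a subprocess timeout; and a client built without SSLv2 or SSLv3 reports "unknown option" for -ssl2 or -ssl3, which is reported separately so it is not mistaken for the server rejecting that version. -tls1_1 and -tls1_2 are flags added in OpenSSL 1.0.1, not mentioned on this page; -dtls1 is left out because it needs a UDP service. The probe functions assume "openssl" is on the PATH.

```python
import re
import subprocess

# Constructed samples of s_client output used by the classifier below.
REJECTED = """\
CONNECTED(00000003)
42792:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:602
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""
NON_TLS_PORT = """\
CONNECTED(00000003)
44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:
"""
TIMED_OUT = "connect: Operation timed out\nconnect:errno=60\n"
ACCEPTED = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""

# -ssl2/-ssl3/-tls1 appear on this page; -tls1_1 and -tls1_2 exist from OpenSSL 1.0.1.
VERSION_FLAGS = ["-ssl2", "-ssl3", "-tls1", "-tls1_1", "-tls1_2"]

UNKNOWN_OPTION = re.compile(r"unknown option:?\s*'?([^\s']+)'?", re.IGNORECASE)
CONNECT_ERROR = re.compile(r"^connect:\s*(.*)$", re.MULTILINE)
CIPHER_LINE = re.compile(r"Cipher is (\S+)")          # "(NONE)" when no handshake
SSL_ERROR = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:[^:]+:([^:]+):")


def classify(output):
    """Map one s_client run to (verdict, detail).

    accepted          handshake completed; detail is the negotiated cipher
    rejected          server answered with an alert (version/cipher not enabled)
    no-tls-handshake  TCP connected but the peer did not speak TLS
    unreachable       TCP connect failed (timeout, refused, ...)
    client-lacks-option  this openssl build cannot even offer the flag
    """
    m = UNKNOWN_OPTION.search(output)
    if m:
        return ("client-lacks-option", m.group(1))
    m = CONNECT_ERROR.search(output)
    if m:
        return ("unreachable", m.group(1).strip())
    m = CIPHER_LINE.search(output)
    if m and m.group(1) != "(NONE)":
        return ("accepted", m.group(1))
    m = SSL_ERROR.search(output)
    if m:
        reason = m.group(1).strip()
        return ("rejected", reason) if "alert" in reason else ("no-tls-handshake", reason)
    return ("unknown", "")


def probe(host, port, extra_args, timeout=10):
    """Run openssl s_client with extra flags (assumes "openssl" on PATH); "Q" on
    stdin closes the session once the handshake finishes. A non-TLS service makes
    s_client wait indefinitely, so the run is bounded by the subprocess timeout."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", *extra_args]
    try:
        proc = subprocess.run(cmd, input=b"Q\n", stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("no-response", f"no TLS handshake within {timeout}s (non-TLS port?)")
    return classify(proc.stdout.decode("utf-8", errors="replace"))


def probe_versions(host, port):
    """One run per protocol flag: {flag: (verdict, detail)}."""
    return {flag: probe(host, port, [flag]) for flag in VERSION_FLAGS}


def probe_ciphers(host, port, ciphers):
    """One run per cipher name, e.g. the ones you just disabled on the server."""
    return {c: probe(host, port, ["-cipher", c]) for c in ciphers}


def client_ciphers():
    """Cipher names this openssl build can offer ("openssl ciphers", colon-separated)."""
    out = subprocess.run(["openssl", "ciphers"], stdout=subprocess.PIPE, check=True)
    return out.stdout.decode().strip().split(":")


if __name__ == "__main__":
    for name, sample in (("accepted", ACCEPTED), ("rejected", REJECTED),
                         ("non-tls port", NON_TLS_PORT), ("timed out", TIMED_OUT)):
        print(f"{name:13} -> {classify(sample)}")
```

A sweep such as probe_ciphers(host, 443, ["EXP-RC4-MD5", "DES-CBC-SHA"]) after hardening should come back "rejected" for every name; "client-lacks-option" or "unknown" results prove nothing about the server and need a different client build to settle. Only an "accepted" verdict shows the server actually negotiated the version or cipher.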
The following Ping Identity knowledge base articles also refer to OpenSSL commands :
New SSL certificate not trusted by Firefox web browser
Converting a DER x509 certificate to PEM
Search on "OpenSSL" in the knowledge base for a complete list of articles on OpenSSL.
https://ping.force.com/Support/PingFederate/Administration/OpenSSL-s-client-Commands