Connecting to SSL Services with openssl

Currently I have to deal a lot with SSL/TLS. openssl comes in handy to test connections. It is also a good test of the SSL handshake if you have set up 2-way SSL (mutual authentication).

This example just connects to my server (one-way SSL; output shortened). We enforce TLSv1.2, and if you need more information, add the -debug option to the command.

tan@pavilion:~$ openssl s_client -connect cinhtau.net:443 -tls1_2
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=www.cinhtau.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDzCCA/egAwIBAgISAaIBPGf27jqM0aPwVl+1rpuhMA0GCSqGSIb3DQEBCwUA
..
hs9JyqagwgHMhnA9wj6xwlZZOAaL2x1I64sbXVYcOvcC1XAM422GpEb37KYoEI6V
iu1b
-----END CERTIFICATE-----
subject=/CN=www.cinhtau.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
No client certificate CA names sent
---
SSL handshake has read 3189 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C2806D679F15EBE0F35A5EEC9BE01CB396C44D82BD9E56BC323FAE06E122F8A7
    Session-ID-ctx:
    Master-Key: 47E9D9509D9DF135E3DDB250E186A226CB336AFD0EDB314BDA12E52081AFE3261777B79875D2D3C27FA4B7ED90D8A071
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3e ba c2 90 c1 53 95 c8-68 6a 63 17 c2 58 f1 b1   >....S..hjc..X..
    0010 - 6a 65 be 10 8f 75 c9 e6-1c 27 39 48 6c 43 81 ef   je...u...'9HlC..
    0020 - b9 c3 37 86 cc f5 80 6d-48 c0 c2 e1 e8 41 98 da   ..7....mH....A..
    0030 - 73 90 28 5d c9 d7 74 5b-1e ec 78 a6 6e fe 19 d7   s.(]..t[..x.n...
    0040 - b8 37 82 31 25 51 e5 f5-8b 3f 41 4d d9 a7 a3 ec   .7.1%Q...?AM....
    0050 - 56 ed bd 2e 81 49 2a d1-3d 75 a3 8b 41 f8 7e 0d   V....I*.=u..A.~.
    0060 - 5f 75 58 fe 62 7b a5 20-21 73 8b b6 1e 6c 05 e6   _uX.b{. !s...l..
    0070 - 4a 74 c3 3d 21 11 de 0a-8f d7 82 20 33 05 86 ec   Jt.=!...... 3...
    0080 - 19 18 58 de 40 90 4f 82-85 42 1a ec 1f 0c 22 e1   ..X.@.O..B....".
    0090 - 12 2c b2 3a 51 cd 86 71-7d a8 8d fe 9d 3c 7c 3c   .,.:Q..q}....<|<
    00a0 - 8b e6 39 ee f9 9a f9 91-83 f1 ff 14 3a 64 02 d8   ..9.........:d..
    00b0 - 1b 39 99 08 4e 8a f8 c4-ca 18 a6 61 10 b6 e3 67   .9..N......a...g
    Start Time: 1456955079
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

After the client has connected, you can type an HTTP request into it and you will receive the HTTP response.

HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 02 Mar 2016 21:44:41 GMT
Server: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 OpenSSL/1.0.1k mod_wsgi/4.3.0 Python/2.7.9
Last-Modified: Wed, 17 Jun 2015 23:03:46 GMT
ETag: "e3-518beb40a509a"
Accept-Ranges: bytes
Content-Length: 227
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
read:errno=0
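The same check wrapped in a script, as an added example that is not part of the original post: it connects with SNI and an explicit CA bundle (the -CAfile option is what the "verify error:num=20" above is missing), optionally presents a client certificate and key for the 2-way case, sends the HEAD request, and parses the "Verify return code" so the script fails on an unverified chain. The CA bundle path and the function and argument names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Debian-style CA
# bundle path; adjust for your system.

# Parse "Verify return code: N (...)" from s_client output on stdin and
# print just N (0 means the certificate chain verified).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Parse the negotiated protocol ("Protocol  : TLSv1.2") from s_client output.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# tls_probe HOST [PORT] [CAFILE] [CLIENT_CERT] [CLIENT_KEY]
# Connects with SNI and an explicit trust store, sends one HEAD request,
# prints the verify code and protocol, and returns non-zero if the
# server chain did not verify.
tls_probe() {
    host="$1"; port="${2:-443}"
    cafile="${3:-/etc/ssl/certs/ca-certificates.crt}"   # assumed path
    clientcert="$4"; clientkey="$5"
    set -- -connect "$host:$port" -servername "$host" -CAfile "$cafile" -tls1_2
    # For 2-way SSL (mutual authentication) present a client certificate.
    if [ -n "$clientcert" ]; then
        set -- "$@" -cert "$clientcert" -key "$clientkey"
    fi
    out=$(printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
          | openssl s_client "$@" 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    echo "host=$host verify=${code:-none} protocol=${proto:-none}"
    [ "$code" = "0" ]
}
```

Run it as `tls_probe www.example.net` (placeholder host), or with a fourth and fifth argument to test a mutual-authentication endpoint.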