Connecting the world…

OpenSSL for testing TLS

I was looking for a way to test the TLS configuration of a secure mail server and stumbled across a website called “OpenSSL Command-Line HOWTO”. This websites explains how to test a TLS connection using OpenSSL.

The s_client and s_server options provide a way to launch SSL-enabled command-line clients and servers. There are other examples of their use scattered around this document, but this section is dedicated solely to them.

In this section, I assume you are familiar with the specific protocols at issue: SMTP, HTTP, etc. Explaining them is out of the scope of this article.

You can test, or even use, an SSL-enabled SMTP server from the command line using the s_client option. Secure SMTP servers offer secure connections on up to three ports: 25 (TLS), 465 (SSL) and 587 (TLS). Some time around the OpenSSL 0.9.7 release, the openssl binary was given the ability to use STARTTLS when talking to SMTP servers.

# port 25/TLS; use same syntax for port 587
openssl s_client –connect mail.booches.nl:25 –starttls smtp

# port 465/SSL
openssl s_client –connect mail.booches.nl:465

RFC821 suggests (although it falls short of explicitly specifying) the two charaters “<CRLF>” as line-terminator. Most mail agents do not care about this and accept either “<LF>” or “<CRLF>” as line-terminators, but Qmail does not. If you want to comply to the letter with RFC821 and/or communicate with Qmail, use also the –crlf option:

openssl s_client –connect mail.booches.nl:25 –starttls smtp –crlf

The following two tabs change content below.

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Mobility First Expert (AMFX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

One Response to OpenSSL for testing TLS

  • Thank you for posting this. It would be easier to use if you had dashes in the examples instead of em dashes. Copy n pasting the above simply yields an openssl “unknown option” error.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.