OpenSSL for testing TLS

I was looking for a way to test the TLS configuration of a secure mail server and stumbled across a website called “OpenSSL Command-Line HOWTO”. This website explains how to test a TLS connection using OpenSSL.

The s_client and s_server options provide a way to launch SSL-enabled command-line clients and servers. There are other examples of their use scattered around this document, but this section is dedicated solely to them.

In this section, I assume you are familiar with the specific protocols at issue: SMTP, HTTP, etc. Explaining them is out of the scope of this article.

You can test, or even use, an SSL-enabled SMTP server from the command line using the s_client option. Secure SMTP servers offer secure connections on up to three ports: 25 (TLS), 465 (SSL) and 587 (TLS). Some time around the OpenSSL 0.9.7 release, the openssl binary was given the ability to use STARTTLS when talking to SMTP servers.

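# port 25/TLS; use same syntax for port 587
# (mail.example.com is a placeholder; substitute the server under test)
openssl s_client -connect mail.example.com:25 -starttls smtp

# port 465/SSL
openssl s_client -connect mail.example.com:465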

RFC821 suggests (although it falls short of explicitly specifying) the two characters “<CRLF>” as line-terminator. Most mail agents do not care about this and accept either “<LF>” or “<CRLF>” as line-terminators, but Qmail does not. If you want to comply to the letter with RFC821 and/or communicate with Qmail, also use the -crlf option:

openssl s_client -connect mail.example.com:25 -starttls smtp -crlf
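
The port-to-option mapping above, plus a reader for the lines of s_client output that matter when judging a mail server's TLS setup, as an added example that is not part of the HOWTO. The function names, the placeholder host mail.example.com and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Map an SMTP port to the s_client arguments described above:
# 25 and 587 upgrade with STARTTLS, 465 speaks TLS from the first byte.
smtp_tls_args() {
    host=$1 port=$2
    case "$port" in
        25|587) echo "-connect $host:$port -starttls smtp -crlf" ;;
        465)    echo "-connect $host:$port -crlf" ;;
        *)      echo "unsupported port: $port" >&2; return 1 ;;
    esac
}

# Reduce s_client output (stdin) to "protocol cipher verify-code".
# By default s_client completes the handshake even when certificate
# verification fails, so the verify code must be read from the output.
summarize_handshake() {
    awk '
        /^New, / && / Cipher is / { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        /Verify return code:/ && code == "" { code = $4 }
        END {
            if (proto == "" || cipher == "(NONE)" || code == "") {
                print "no-handshake"; exit 1
            }
            print proto, cipher, code
        }'
}

# Live check (needs network access): check_smtp_tls mail.example.com 587
check_smtp_tls() {
    args=$(smtp_tls_args "$1" "$2") || return 1
    # $args is left unquoted on purpose so it splits into separate options
    openssl s_client $args </dev/null 2>/dev/null | summarize_handshake
}

# Constructed sample, modelled on the summary lines s_client prints.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
    Verify return code: 18 (self-signed certificate)
---'

printf '%s\n' "$SAMPLE_OUTPUT" | summarize_handshake
```

A verify code other than 0 means the certificate chain did not validate against the local trust store, even though the session was established.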