Today’s “useful tool of the day” is the s_client subcommand of the openssl command line tool. It was probably well known to everyone else, but I only found out about it today.
From the openssl man page:
s_client This implements a generic SSL/TLS client which can establish
a transparent connection to a remote server speaking SSL/TLS.
It's intended for testing purposes only and provides only
rudimentary interface functionality but internally uses
mostly all functionality of the OpenSSL ssl library.
Here’s an example:
Port 465 is reserved for SMTP over SSL. I have that turned on for my mail server, as it is a useful port to have open for mail clients that can’t do a STARTTLS on port 25 (and/or on 587/submission). How do I make sure that my smtps is configured properly and offering the right services? I would do something like this (my command line is the first line below):
# openssl s_client -host my.mailhost.example -port 465
CONNECTED(00000003)
depth=0 /C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
verify return:1
---
Certificate chain
0 s:/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
i:/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate spew snipped>
-----END CERTIFICATE-----
subject=/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
issuer=/C=US/ST=IL/L=Boogietown/O=mailhost.example/OU=mail/CN=my.mailhost.example/emailAddress=admin@mailhost.example
---
No client certificate CA names sent
---
SSL handshake has read 1247 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: <snipped>
Session-ID-ctx:
Master-Key: <snipped>
Key-Arg : None
Krb5 Principal: None
Start Time: 1086191863
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 my.mailhost.example ESMTP Postfix
EHLO mailhost.example
250-my.mailhost.example
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
quit
221 Bye
read:errno=0
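The same EHLO-over-s_client check, turned into a script that a mail admin can rerun after every config change. This is an added example, not code from the original post; it assumes a POSIX shell with openssl, sed and cut on the path, and the host names and sample s_client output in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): make the manual s_client session
# a repeatable check of an SMTPS (port 465, implicit TLS, so no -starttls) host.

# Live probe: EHLO then QUIT through s_client, as in the post. -crlf turns our
# newlines into CRLF for SMTP; -ign_eof keeps the session open until the
# server's 221 Bye; the sleeps let the 220 banner arrive before we send.
probe_smtps() {
    { sleep 2; printf 'EHLO %s\n' "$2"; sleep 2; printf 'QUIT\n'; } |
        openssl s_client -connect "$1:465" -crlf -ign_eof 2>&1
}

# Reduce s_client output to "verify|protocol|cipher|keybits|auth".
summarize_tls() {
    out=$1
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n1)
    bits=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n1)
    # "250-AUTH " (space) is the EHLO keyword; "250-AUTH=" is the legacy form.
    auth=$(printf '%s\n' "$out" | sed -n 's/^250[- ]AUTH \(.*\)$/\1/p' | head -n1)
    printf '%s|%s|%s|%s|%s\n' "${verify:-?}" "$proto" "$cipher" "${bits:-?}" "${auth:-none}"
}

# Pass only if the chain verified (code 0; pass -CAfile to s_client for a
# private CA instead of accepting code 18) and the key is at least 2048 bits.
check_probe() {
    summary=$(summarize_tls "$1")
    verify=$(printf '%s' "$summary" | cut -d'|' -f1)
    bits=$(printf '%s' "$summary" | cut -d'|' -f4)
    [ "$verify" = "0" ] && [ "$bits" -ge 2048 ] 2>/dev/null
}

# Constructed sample, trimmed from the session in the post, so the parser
# can be exercised offline: self-signed cert, 1024-bit key, AUTH advertised.
SAMPLE_SELFSIGNED='verify error:num=18:self signed certificate
Server public key is 1024 bit
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 18 (self signed certificate)
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'
# Constructed counterpart of a host whose chain verifies.
SAMPLE_OK='Server public key is 2048 bit
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
250-AUTH PLAIN LOGIN'
# Live use: check_probe "$(probe_smtps my.mailhost.example mailhost.example)"
```

AUTH PLAIN and LOGIN send credentials in the clear, so seeing them offered here is fine only because the whole session is inside TLS; running the same EHLO against port 25 without STARTTLS should show no AUTH line at all.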
A very timely blog entry, as I am setting up the new rsiegler.org server to use Apache 2 with SSL & Postfix with TLS/SSL. Thanks!