openssl hangs and does not exit
D

7

89

I am trying to use openssl to get a certificate, and it seems to keep hanging. I have done a lot of research but not all of the available options seem to work on Windows.

openssl s_client -showcerts -connect google.com:443 > cert.txt

I have tried this:

openssl s_client -connect xyz:443 < quit.txt > cert.txt

Where quit.txt contains "quit\n" from http://bytes.com/topic/php/answers/8802-automate-openssl-s_client-command-batch-php-script

That did not work. I also looked at Openssl s_clinet -connect scripting. Force quit help

I have also tried -prexit

I have also looked into this as well and can't get it working: https://serverfault.com/questions/139728/how-to-download-ssl-certificate-from-a-website

I was doing so well! I managed to do something that I thought would be impossible and a simple thing like this bug managed to stop me for the time being :(

Drumfire answered 26/2, 2012 at 2:55 Comment(2)
Edited basic spelling and grammar, attempting to make it look like you put some effort into asking the question. Relocate the new version to ServerFault, where you're more likely to get an answer.Straticulate
Check out #16823568 -- SendKeys("\n") in WScript can make OpenSSL quit where an EOF cannot.Khudari
A
34

It looks like some OpenSSL distributions for Windows are expecting an additional keypress, independent of standard input. Quit.txt gets correctly piped into openssl's STDIN (the server receives the QUIT command), but nothing happens until you press any key.

This problem does not exist in Cygwin's version of OpenSSL. Unfortunately, the base installation of Cygwin takes about 100 MB of disk space, but you can try to extract only openssl.exe and the required libraries.

This method works:

echo QUIT | c:\cygwin\bin\openssl.exe s_client -showcerts -connect google.com:443 > cert.txt
Allaallah answered 27/2, 2012 at 20:27 Comment(5)
Thank you for that, MBu. It worked. This is the list of files I needed to copy: cygcrypto-0.9.8.dll cyggcc_s-1.dll cygssl-0.9.8.dll cygwin1.dll cygz.dll find-serial.bat libeay32.dll openssl.exe ssleay32.dll Drumfire
Not only on Windows but also on Linux the echo QUIT piped into the command solves the stalling output issue.Cirro
This solved my time out issue when trying to scan for expired certificates on our network. I had to add a sleep to make it more stable (sleep 2; echo QUIT;)|openssl ...Edgeways
Has anyone found out how to suppress the console output depth = ... etc on that command when still sending output to a file?Indraft
Using the -quiet option breaks this.Demission
L
182

On Windows, simply typing winpty before your openssl command will do the trick. So, for example, you could create a certificate like so:

winpty openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

Linkman answered 17/8, 2017 at 10:38 Comment(4)
Worked for me in Git Bash on Windows 7!Ramsey
@Ramsey exactly - this issue occurs due to the use of mintty in Git Bash for Windows.Baeda
For a different command in openssl, I found out it was sitting there waiting for me to enter a password, but I could not see the prompt.Kerstinkerwin
For some including myself: 'winpty' is not recognized as an internal or external command, operable program or batch file.Hardie
K
9

If running under mingw64 on Windows you can use the winpty program to correctly wrap the terminal.

E.g. creating an alias under bash: alias openssl='winpty openssl.exe'

Then openssl s_client -connect blah

should work as expected.

Kirman answered 11/2, 2016 at 14:43 Comment(1)
Or just typing winpty before openssl. That is what worked for me. Thanks.Witticism
B
5

If you just run the openssl command and when it seems to hang just keep hitting the enter key it will eventually continue with the prompts. Whenever you get to another hang just keep hitting the enter key and eventually it will get the job done. In the output below you can see where it hung after Locality Name and Common Name and the blank lines indicate roughly the number of times I hit enter to get it to move on to the next prompt.

PS C:\somedir> openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
Enter pass phrase for rootSSL.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Delaware
Locality Name (eg, city) []:Newark



Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost



Email Address []:
PS C:\somedir> ls


    Directory: C:\somedir


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         12/6/2023   4:32 PM           1884 rootSSL.key
-a----         12/6/2023   4:35 PM           1382 rootSSL.pem
Bealle answered 7/12, 2023 at 0:36 Comment(3)
Yes, but if you look at the resulting file, it contains extra \0D characters at the end of the corresponding fields.Ferdy
This worked for using openssl ca ... to sign a certificate on Windows 11. The other commands to create the signing request, key, etc all worked just fine without needing to resort to this. It was hanging at Sign the certificate? [y/n]:yInhibitory
OP is using the command openssl s_client, not openssl req.Nymphomania
R
4

For reasons I do not completely understand, echoing QUIT or quit\n into the input did not work in my case. I'm using MINGW64 with OpenSSL 1.0.2d on Windows 8.1, and I'm using openssl to get certificates from servers inside a bash script. However, just running the openssl command in the background and waiting a bit worked for me:

#!/bin/bash

openssl s_client -connect my.server.com:443 -showcerts > output.txt 2>/dev/null &
sleep 2
Ralfston answered 12/11, 2015 at 9:16 Comment(0)
S
0

The data to send to the server is expected when using the s_client option of openssl. On *nix, prepending echo | sends a CR so that openssl does not hang, for example:

echo | openssl s_client -servername www.microsoft.com -connect www.microsoft.com:443 2>/dev/null  | openssl x509 -noout -subject -issuer -dates
Surefire answered 6/3, 2023 at 16:55 Comment(1)
On Windows too. Replace /dev/null with nul. But this trick fails if you use the -quiet option for some reason.Demission
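
The following is an added example, not code from any poster in this thread: it combines the echo | approach from the answer above with a parser that splits the -showcerts output into one PEM file per chain certificate, which is what a certificate-expiry scan usually needs next. The function names, the 10-second timeout (GNU coreutils assumed) and the sample transcript are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. split_chain, fetch_chain and
# sample_transcript are hypothetical names.

# Read an "openssl s_client -showcerts" transcript on stdin, write each chain
# certificate to PREFIX-N.pem with any CR stripped, and print the count.
split_chain() {
    awk -v prefix="$1" '
        # s_client repeats the leaf PEM after this heading; skip the repeat
        /^Server certificate/ { stop = 1 }
        stop { next }
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { sub(/\r$/, ""); print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }'
}

# Fetch the chain a server presents without waiting on the terminal.
fetch_chain() {
    host=$1; port=${2:-443}
    # echo |      : one newline, then EOF on stdin, so s_client has no input to wait for
    # 2>/dev/null : drop the depth=... verification lines, which go to stderr
    # timeout 10  : GNU coreutils (assumed); bounds a peer that never answers
    echo | timeout 10 openssl s_client -servername "$host" \
        -connect "$host:$port" -showcerts 2>/dev/null | split_chain "${3:-$host}"
}

# Constructed transcript (placeholder bodies, CRLF line endings as in output
# captured on Windows) so split_chain can be exercised offline.
sample_transcript() {
    printf '%s\r\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:CN = leaf.example' \
        '-----BEGIN CERTIFICATE-----' 'AAAAleafPLACEHOLDERAAAA' \
        '-----END CERTIFICATE-----' \
        ' 1 s:CN = intermediate.example' \
        '-----BEGIN CERTIFICATE-----' 'AAAAintermediatePLACEHOLDERAAAA' \
        '-----END CERTIFICATE-----' \
        '---' 'Server certificate' \
        '-----BEGIN CERTIFICATE-----' 'AAAAleafPLACEHOLDERAAAA' \
        '-----END CERTIFICATE-----' \
        'subject=CN = leaf.example' '---' 'DONE'
}
```

Calling fetch_chain www.example.com 443 out writes out-1.pem, out-2.pem and so on, and prints the number of certificates; each file can then be passed to openssl x509 -noout -dates -in FILE.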
N
0

Redirecting input from /dev/null results in a nonzero exit code. However, redirecting input from a herestring works. (Note: this is a bash feature.)

openssl s_client -connect google.com:443 <<<''
Nymphomania answered 6/5 at 18:59 Comment(0)
