openssl to negotiate SSL encryption for STARTTLS
I'm using openssl to connect to an SMTP server normally (without encryption), send a STARTTLS command, negotiate the SSL encryption, and then interact with the encrypted session.

This is the command I'm using (through telnet):

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

How can I ensure that the TLS handshake was successful?

This is the sequence of commands used so far:

<< 220 example.com ESMTP ready
>> EHLO localhost
<< 250-smtp.mail.yahoo.com
<< 250-PIPELINING
<< 250-AUTH PLAIN LOGIN CRAM-MD5
<< 250 STARTTLS
>> STARTTLS
<< 220 2.0.0 Start TLS
>> openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587    
Tokyo answered 1/2, 2013 at 5:52 Comment(1)
I think this is what you need: Test SMTP/IMAP(S)/POP3(S) configuration from the command line. - Verdun

You seem to be confusing a shell (where you type commands such as telnet or openssl) and the socket's protocol.

Using telnet to connect to a port for a protocol like SMTP is a quick hack that allows you to type in directly what you'd normally have to program if implementing a client for that protocol. It can work a little for text-based protocols, but it has limitations. In particular, you'll have a hard time typing a TLS handshake this way: firstly, you probably won't be able to find the right keys on your keyboard for some of the bytes you need to send; secondly, you certainly won't be able to read what the server sends you. In short, this approach doesn't make any sense.

openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587 already does what you're trying to do with telnet: it opens the connection to that server, sends the EHLO SMTP command, sends the STARTTLS SMTP command and then starts the handshake. The OpenSSL command itself is not part of the SMTP protocol at all and mustn't be sent on the SMTP socket. What you'll get when running this command should be similar to having your telnet session with the handshake already performed, since you should be able to use its standard input/output in the same way you would be able to with telnet.

This being said, using either telnet or openssl s_client to send SMTP commands is a debugging technique at best.

Pasargadae answered 1/2, 2013 at 12:0 Comment(3)
Thanks for the response. I took this command set from an online tutorial and was confused about what was really happening. I wanted to establish a STARTTLS connection to understand how things work. In the beginning I was using Net::SMTP::TLS, which does all the necessary tasks of doing EHLO and initiating a TLS session through STARTTLS. But there I kept getting "invalid SSL_version specified at /usr/lib/perl5/site_perl/5.14/IO/Socket/SSL.pm line 308". Is there any other way I could establish a STARTTLS connection? (I have the keys/certs in place and know their locations too) - Tokyo
Not without writing an application, which would also need to be able to use an SSL/TLS library. If you just want to understand how SMTP works against a server using STARTTLS, use your openssl s_client ... command: it will behave similarly to what you'd write with telnet after STARTTLS, and if you want to see what happens before STARTTLS (and the encrypted STARTTLS data), use Wireshark to see the traffic. - Pasargadae
Actually, I was writing a Perl script first and was hoping to use Net::SMTP, but as I just said I ended up stuck with more errors. Thanks a lot for helping me gather the facts. - Tokyo
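The question asks how to tell whether the STARTTLS handshake actually succeeded. The POSIX shell helpers below are an added example, not code from either post: they run the same openssl s_client command non-interactively and inspect s_client's own summary output (its "Verify return code" and "Protocol" lines). Host and port are arguments, and the check assumes openssl can find a trust store for the server certificate (pass -CAfile otherwise).

```shell
#!/bin/sh
# Decide whether an s_client run completed the TLS handshake AND verified the
# server certificate. $1 is the captured s_client output (stdout+stderr).
# s_client prints "Verify return code: 0 (ok)" only in that case; any other
# code (e.g. 18 self signed, 21 unable to verify first certificate) or no
# line at all (STARTTLS refused, connection dropped) means "not trustworthy".
handshake_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Report the negotiated TLS version from the SSL-Session block, or "none"
# when no session was established at all.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    printf '%s\n' "${proto:-none}"
}

# Run the real check against a server. Port defaults to 587 (submission).
# QUIT is fed on stdin so s_client ends the SMTP session after the handshake
# instead of waiting for interactive input; -crlf turns it into CRLF on the wire.
check_starttls() {
    host="$1"; port="${2:-587}"
    out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp -crlf \
              -connect "$host:$port" 2>&1)
    if handshake_ok "$out"; then
        echo "STARTTLS to $host:$port OK, $(negotiated_protocol "$out"), cert verified"
        return 0
    fi
    echo "STARTTLS to $host:$port failed or certificate not verified:"
    # Surface the lines that explain why (verification result, STARTTLS refusal, socket error).
    printf '%s\n' "$out" | grep -E 'Verify return code|verify error|starttls|errno'
    return 1
}

# Usage (hypothetical host): check_starttls mail.example.test 587
if [ "$#" -ge 1 ]; then
    check_starttls "$@"
fi
```

Note that s_client exits 0 even when the certificate fails verification, which is why the summary is parsed rather than the exit status; alternatively, pass -verify_return_error so that an unverifiable certificate aborts the handshake itself.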
