[Ref: OpenBSD 5.5, openssl s_client], SSL Checklist for Pentesters - the Manual Cheatsheet, testssl.sh ]
As a security tool, it is only as secure as you continue to validate its effectiveness.
Fortunately, s_client is a command-line option that gives us some measure of 'access' to an encrypted connection, to assist with validating the service on the other side as well as the encryption itself.
The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.
For all the above protocols (smtp, pop3, imap) we can use openssl s_client to connect to the remote host, and use the standard diagnostics commands, as if it were a cleartext connection.
SMTP is provided in two flavours: a cleartext connection which can then be negotiated into an encrypted one (STARTTLS), and a second which is encrypted from the start (SMTPS).
Connect to your mail server (Mail Transport Agent, MTA) through the standard port '25'.
openssl s_client -starttls smtp -crlf -connect your_MTA:25
A lot of certificate information is exchanged and shown on the screen; the output ends with the server's greeting, the last line of which is 250 DSN.
openssl s_client -starttls smtp -crlf connects to the server your_MTA and handles the encryption and decryption between our console and the SMTP server.
Once TLS is negotiated using "-starttls", the console output is interpreted for us as if we had connected in cleartext.
Continue validation of the SMTP service such as in the below scenario:
MAIL FROM: <samt@example.com>
250 2.1.0 Ok
RCPT TO: mylocaluser
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: <samt@example.com>
Subject: STARTTLS Test Message
Postfix will decrypt
.
250 2.0.0 Ok: queued as XXXXXXXXXXX
quit
221 2.0.0 Bye
If the -starttls connection fails, the first place to review is the logs on the your_MTA server.
Verify the wrapmode smtps service is working correctly using the generic openssl s_client connection.
openssl s_client -connect localhost:465
CONNECTED(0000000X)
(plenty of certificate negotiation/information)
220 mx.coco.nut.to ESMTP Postfix
At this point we have an example of connecting over SSL to SMTPS. The same approach works for connecting to other SSL services:
openssl s_client -connect localhost:${PORT}
[Ref: OpenSSL Command-Line HOWTO]
Consider the legitimacy and currency of your SSL connection by reviewing current practices and accepted revisions. There are a number of Open Source tools; try https://testssl.sh. The following is a quick shortcut.
Dates tend to be the most common error (i.e. we forget they're expiring).
To get the date from a remote site (e.g.: example.com):
echo | openssl s_client -connect example.com:port# 2>/dev/null | openssl x509 -noout -subject -dates
To get the dates from your local certificate:
openssl x509 -noout -subject -dates -in mycertificate.crt
The following should fail, as each is either no longer perceived as robust or has been shown to be insecure:
openssl s_client -ssl2 -connect host:port
SSL v2 service should be disabled.
openssl s_client -ssl3 -connect host:port
SSL v3 service should be disabled.
openssl s_client -cipher NULL,EXPORT,LOW,3DES -connect site:port
If this connects, weak ciphers are supported on the connection.
openssl s_client -cipher aNULL -connect site:port
Anonymous (aNULL) cipher suites should be disabled.
openssl s_client [-ssl2|-ssl3|-tls1|-tls1_1|-tls1_2] -cipher {{CIPHERS}} -connect site:port
Change the order of CIPHERS to change client preferences. The server should always return its preference.
Note: This makes no claim on the server’s preferred cipher.
From the reference: testssl.sh man page, Mozilla's cipher names correspondence table
The following should be successful, as they are deemed secure methods for communications.
openssl s_client -tls1_1 -connect host:port
openssl s_client -tls1_2 -connect host:port
TLS v1.1 and v1.2 are current as of 2014/09/01 and should be enabled on your server.
openssl s_client -connect host:port
Review host response for the output:
Note the 'positive' response. If your response does not include the above, you need to review the SSL/TLS version on your server.
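The should-fail and should-succeed checks above, plus the certificate date check, can be chained into one script. The following is an added example, not code from the original page: it drives the page's s_client commands and openssl x509 -checkend against one host. It assumes openssl (or LibreSSL) is on PATH; the host, port and optional STARTTLS protocol are supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original page: run the checklist above
# against one host. Assumes openssl (or LibreSSL) on PATH; HOST, PORT and
# the optional STARTTLS protocol (e.g. smtp) are supplied by the caller.

# probe FLAGS... : "open" if s_client completes a handshake, else "closed".
# A build that no longer knows -ssl2/-ssl3 or EXPORT ciphers also exits
# non-zero, which correctly counts as "closed" for a should-fail check.
probe() {
  if echo | openssl s_client "$@" >/dev/null 2>&1; then
    echo open
  else
    echo closed
  fi
}

# verdict NAME EXPECTED OBSERVED : PASS (status 0) when they match.
verdict() {
  if [ "$2" = "$3" ]; then
    echo "PASS $1 ($3)"
  else
    echo "FAIL $1 (expected $2, got $3)"
    return 1
  fi
}

# cert_valid_for HOST PORT SECONDS [STARTTLS] : true while the served
# certificate does not expire within SECONDS (openssl x509 -checkend).
cert_valid_for() {
  st=${4:+-starttls $4}
  echo | openssl s_client $st -connect "$1:$2" 2>/dev/null \
    | openssl x509 -noout -checkend "$3" >/dev/null 2>&1
}

# ssl_checklist HOST PORT [STARTTLS] : run every check, return the number
# of failures, e.g. "ssl_checklist mail.example.com 25 smtp".
# TLSv1.1 is listed only because the page (2014) expects it enabled.
ssl_checklist() {
  h=$1; p=$2; st=${3:+-starttls $3}; fails=0
  for spec in "SSLv2_disabled:closed:-ssl2" "SSLv3_disabled:closed:-ssl3" \
    "weak_ciphers_refused:closed:-cipher NULL,EXPORT,LOW,3DES" \
    "anon_ciphers_refused:closed:-cipher aNULL" \
    "TLSv1.1_enabled:open:-tls1_1" "TLSv1.2_enabled:open:-tls1_2"
  do
    name=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; flags=${rest#*:}
    verdict "$name" "$want" "$(probe $st $flags -connect "$h:$p")" || fails=$((fails+1))
  done
  # 30 days (2592000 s): an expiring certificate is the most common error.
  cert_valid_for "$h" "$p" 2592000 ${3:-} && echo "PASS cert_valid_30d" \
    || { echo "FAIL cert_expiring_or_unreadable"; fails=$((fails+1)); }
  return $fails
}
```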