Manually Test STARTTLS

From Postmaster Administration Wiki

Testing a TLS or SSL connection is not possible using telnet, since it lacks the necessary support. The OpenSSL library and tool suite provides a means of manually testing TLS and SSL connections using s_client:

$ openssl s_client -help 
...

SSL connection to POPS port 995

Some protocols like https, pops, imaps, and ftps expect a socket to immediately start the security layer handshake process upon connection. Here is an example of an SSL connection to POPS:

$ openssl s_client -connect mail.example.com:995

... (lots of output about handshake and certificate details) ...

+OK POP3 mail.example.com 2007f.104 server ready
QUIT
+OK Sayonara
read:errno=0
$

TLS connection over SMTP port 25

TLS, on the other hand, is a little more involved, since the initial connection starts as an open unencrypted channel to the server, which then expects a STARTTLS command suitable for the given protocol before it transitions to encrypted communications. The client software has to recognise and handle the various forms of STARTTLS so that it can begin the necessary handshakes. So for s_client we tell it which protocol is being used and let it figure out the rest. Currently s_client only supports STARTTLS for SMTP, POP, IMAP, and FTP. The example below also passes -tls1, which restricts the handshake to TLS 1.0; leave it out to let s_client negotiate the highest version both ends support.

$ openssl s_client -connect mail.example.com:25 -starttls smtp -tls1

... (lots of output about handshake, certificate details, and EHLO reply) ...

250 HELP
QUIT
DONE
$

Scripting TLS connection over SMTP port 25

Scripting with the OpenSSL s_client tool can be a little tricky to get working correctly. openssl s_client will read from redirected standard input or from shell "here" documents; however, there are caveats. First, you need to apply the -crlf option to ensure that all the LF newlines are converted to CRLF newlines, else some MTAs will treat all the input as one long line and eventually exceed the RFC 5321 command and/or text line limits. Next, you need the -ign_eof option and an explicit SMTP QUIT at the end of the SMTP command input; without them, the standard input EOF terminates the script before s_client finishes processing. Finally, the -quiet option simply hushes the extraneous certificate information.

This example will make a TLS connection, issue the SMTP HELP command (supported by some MTAs), and QUIT:

$ openssl s_client -quiet -crlf -ign_eof -connect mail.example.com:25 -starttls smtp <<EOF
> HELP
> QUIT
> EOF

... (connection details, last line of EHLO, HELP reply, QUIT reply) ...

$
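
As an added example (not part of the original wiki page), the scripted session above can be wrapped in a pass/fail check suitable for a cron job or monitoring probe. The function names, the sample transcript and the use of the 221 reply as the success criterion are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page.

# Run the page's scripted HELP/QUIT session against HOST [PORT] and print
# the transcript. stderr is merged so certificate verification messages
# and handshake errors end up in the same stream.
smtp_session() {
    printf 'HELP\nQUIT\n' |
        openssl s_client -quiet -crlf -ign_eof \
            -connect "$1:${2:-25}" -starttls smtp 2>&1
}

# Constructed transcript (not captured from a real server) for offline runs.
sample_transcript() {
    printf '%s\r\n' \
        'depth=0 CN = mail.example.com' \
        'verify return:1' \
        '250 HELP' \
        '214 2.0.0 End of HELP info' \
        '221 2.0.0 mail.example.com closing connection'
}

# Read a transcript on stdin. Exit 0 only if the server answered QUIT with
# 221, i.e. the whole command input was processed and the session ran to
# completion. HELP is optional on the server side, so a 5xx reply to it is
# reported but does not fail the check.
check_transcript() {
    awk '
        /^214[ -]/                  { help = "supported" }
        /^5[0-9][0-9][ -]/ && !help { help = "not supported" }
        /^221[ -]/                  { quit = 1 }
        END {
            print "HELP: " (help ? help : "no reply")
            print "QUIT: " (quit ? "221 received" : "no 221, session incomplete")
            exit !quit
        }'
}

# With arguments, probe a live server; without, check the sample transcript.
if [ "$#" -gt 0 ]; then smtp_session "$@"; else sample_transcript; fi |
    check_transcript
```

A missing 221 is what a failed handshake, a dropped -ign_eof, or an MTA that swallowed LF-only input as one long line looks like from the outside, so the non-zero exit status covers all three caveats described above.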
