Fuse ESB - Web Services Security Guide

The s_client Utility

Purpose of the s_client utility

You can use the s_client utility to debug an SSL/TLS server. Using the s_client utility, you can negotiate an SSL/TLS handshake under controlled conditions, accompanied by extensive logging and error reporting.

Options

The options supported by the openssl s_client utility are as follows:

`-connect host[:port]`	`- Specify the host and (optionally) port to connect to. Default is local host and port 4433.`
`-cert certname`	`- Specifies the certificate to use, if one is requested by the server.`
`-certform format`	`- The certificate format, which can be either PEM or DER. Default is PEM.`
`-key keyfile`	`- File containing the client’s private key. Default is to extract the key from the client certificate.`
`-keyform format`	`- The private key format, which can be either PEM or DER. Default is PEM.`
`-pass arg`	`- The private key password.`
`-verify depth`	`- Maximum server certificate chain length.`
`-CApath directory`	`- Directory to use for server certificate verification.`
`-CAfile file`	`- File containing trusted CA certificates.`
`-reconnect`	`- Reconnects to the same server five times using the same session ID.`
`-pause`	`- Pauses for one second between each read and write call.`
`-showcerts`	`- Display the whole server certificate chain.`
`-prexit`	`- Print session information when the program exits.`
`-state`	`- Prints out the SSL session states.`
`-debug`	`- Log debug data, including hex dump of messages.`
`-msg`	`- Show all protocol messages with hex dump.`
`-nbio_test`	`- Tests non-blocking I/O.`
`-nbio`	`- Turns on non-blocking I/O.`
`-crlf`	`- Translates a line feed (LF) from the terminal into CR+LF, as required by some servers.`
`-ign_eof`	`- Inhibits shutting down the connection when end of file is reached in the input.`
`-quiet`	`- Inhibits printing of session and certificate information; implicitly turns on -ign_eof as well.`
`-ssl2`, `-ssl3`, `-tls1`, `-no_ssl2`, `-no_ssl3`, `-no_tls1`	`- These options enable/disable the use of certain SSL or TLS protocols.`
`-bugs`	`- Enables workarounds to several known bugs in SSL and TLS implementations.`
`-cipher cipherlist`	`- Specifies the cipher list sent by the client. The server should use the first supported cipher from the list sent by the client.`
`-starttls protocol`	`- Send the protocol-specific message(s) to switch to TLS for communication, where the protocol can be either smtp or pop3.`
`-engine id`	`- Specifies an engine, by it's unique id string.`
`-rand file(s)`	`- A file or files containing random data used to seed the random number generator, or an EGD socket. The file separator is ; for MS-Windows, , for OpenVMS, and : for all other platforms.`

Using the s_client utility

Before running the s_client utility, there must be an active SSL/TLS server to connect to. For example, you can have an s_server test server running on the local host, listening on port 9000. To run the s_client test client, open a command prompt and enter the following:

openssl s_client -connect localhost:9000 -ssl3 -cert clientcert.pem

Where clientcert.pem is a file containing the client’s X.509 certificate in PEM format. When you enter the command, you are prompted to enter the pass phrase for the clientcert.pem file.

Comments powered by Disqus

Contents
Search