
Can’t Speak SSL?

Posted 29 Sep 2009

Telnet is a good tool for testing basic connectivity to a service, for such things as verifying firewall rules. It’s especially good for stripped-down environments where there is no desktop environment with an assortment of user-friendly GUI tools, and it’s handy for troubleshooting automated connections between web-based services. A simple connectivity test to verify basic accessibility from the command line looks like the following:

$ telnet www.mydomain.com 80
Trying 192.168.100.100...
Connected to www.mydomain.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: www.mydomain.com

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:12:04 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:12:09 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8

This works well as long as the connection is plain HTTP. What’s the matter? Can’t speak SSL? Use openssl as the client for connecting to your site.

$ openssl s_client -connect www.mydomain.com:443
…SSL certificate info removed for brevity. Can be used to verify certificate…
HEAD / HTTP/1.1
Host: www.mydomain.com

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:42:27 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:42:35 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8

SSL websites sometimes require authentication. We can use another tool to craft the authentication string to feed to the openssl client. Basic authentication uses simple Base64 encoding of the username and password. Keep in mind that Base64 encoding is not encryption; the SSL encryption is what actually protects the username and password.

$ perl -MMIME::Base64 -e 'print encode_base64("username:password")'
dXNlcm5hbWU6cGFzc3dvcmQ=

Feeding this back to openssl, we have the following:

$ openssl s_client -connect www.mydomain.com:443
…SSL certificate info removed for brevity. Can be used to verify certificate…
HEAD / HTTP/1.1
Host: www.mydomain.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:53:11 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:53:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
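
The same steps as a non-interactive script, added here as an example and not part of the original post. The function names are hypothetical, www.mydomain.com and username/password are the post's placeholders, and the -verify_return_error and -verify_hostname options (OpenSSL 1.1.0 or later assumed) make s_client abort on a bad certificate rather than send the credentials anyway.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# host and credentials are the post's placeholders.

# Base64 of "user:pass" on a single line (some base64 tools wrap long output).
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse the encoding: anyone who can read the header recovers the
# credentials, which is why only the TLS layer protects them.
decode_basic_token() {
    printf '%s' "$1" | base64 -d
}

# Full HEAD request: CRLF line endings, Authorization header on ONE line,
# and "Connection: close" so the server ends the session after replying.
build_head_request() {    # args: host user password
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\n' "$1"
    printf 'Authorization: Basic %s\r\n' "$(basic_token "$2" "$3")"
    printf 'Connection: close\r\n\r\n'
}

# Send the request over TLS. -quiet hides the certificate dump and keeps the
# connection open after stdin ends; the -verify_* options (OpenSSL 1.1.0+
# assumed) abort the handshake on an untrusted or mismatched certificate
# so the credentials are never sent to an unverified server.
https_head() {            # args: host user password
    build_head_request "$1" "$2" "$3" |
        openssl s_client -quiet -connect "$1:443" -servername "$1" \
            -verify_return_error -verify_hostname "$1" 2>/dev/null
}

# Offline demonstration with the post's constructed credentials.
token=$(basic_token username password)
printf 'token:   %s\ndecoded: %s\n' "$token" "$(decode_basic_token "$token")"
# Network use (not run here): https_head www.mydomain.com username password
```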

Of course, if more complex interactivity is needed, the Perl LWP module is your friend.

peter@newbook:~$ telnet its.vanderbilt.edu 80
Trying 129.59.4.10...
Connected to its.vanderbilt.edu.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: its.vanderbilt.edu

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:12:04 GMT
Server: Apache
Set-Cookie: SESSde6181615159db966b99d5c478715e9e=9qv9r5d6ubdc6or9rmp0r4gnj4; expires=Fri, 23 Oct 2009 05:45:29 GMT; path=/; domain=.its.vanderbilt.edu
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:12:09 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
