Testing SSL with OpenSSL

The Basic Command

openssl s_client -connect hostname:port -servername hostname

This is the basic telnet command for SSL operations. The s_client in openssl allows us to connect into servers securely, and push/get data via that TCP connection. The -connect hostname:port tells s_client where to connect to, and the -servername passes a hostname to the endpoint.

Passing a hostname to the endpoint is handy in shared tenancy environments. As an example, if you were pulling the SSL certificates for example.com but example.net is also hosted on the same server, you might pull the example.net SSL certificates, depending how the web server is configured.

It’s handy to always pass -servername as you don’t always know when you’re dealing with shared tenancy.

Extended Usage

Switching TLS versions

Testing for TLS 1.0

HOSTNAME=
PORT=
openssl s_client -connect ${HOSTNAME}:${PORT} -hostname ${HOSTNAME} -tls1

Testing for TLS 1.1

HOSTNAME=
PORT=
openssl s_client -connect ${HOSTNAME}:${PORT} -hostname ${HOSTNAME} -tls1_1

Testing for TLS 1.2

HOSTNAME=
PORT=
openssl s_client -connect ${HOSTNAME}:${PORT} -hostname ${HOSTNAME} -tls1_2

Testing for TLS 1.3

HOSTNAME=
PORT=
openssl s_client -connect ${HOSTNAME}:${PORT} -hostname ${HOSTNAME} -tls1_3

Output

In all cases, you will notice two lines that are important. CONNECTED(00000003) at the start, but also lines about TLS version and ciphers later in the output. For example:

New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA

You can see in the above exerpt that TLS 1.0 connectivity remains possible on the host that I am testing for this example. We can easily confirm the positive based on it’s ability to connect and negotiate using the protocol. Proving that it doesn’t exist can be a little bit tricky.

Suffice to say, you should investigate nmap scripts and re-read documentation and configuration to be certain, however in the scope of openssl, suffice to say that the following output tells me that TLS 1.0 is not support:

write:errno=104
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 136 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1629842210
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

Edit I need to finish this later :\