Testing SSL and authentication on various services.

OpenSSL s_client

For protocols that are carried in TLS, the OpenSSL s_client command can be used:

  • openssl s_client -connect hostname:port

For protocols where TLS is started after the initial connection (STARTTLS), see below.

SASL AUTH PLAIN

For SASL AUTH PLAIN, the client sends a base-64 encoded string made of a NUL byte, the username, another NUL byte and the password. SASL is used for SMTP and some other services.

Beware of passwords that begin with numbers

With echo -e, \0NNN is interpreted as the byte with octal value NNN (1 to 3 digits), so digits at the start of the password are swallowed by the escape:

$ echo -ne '\000ABC' | xxd
0000000: 0041 4243 .ABC

# Wrong
$ echo -ne '\000123' | xxd
0000000: 0132 33 .23

# Works
$ echo -ne '\0000123' | xxd
0000000: 0031 3233 .123

# Works
$ echo -ne '\x00123' | xxd
0000000: 0031 3233 .123

  • echo -ne '\x00username\x00password' | openssl base64
    • The result with the username and password above is AHVzZXJuYW1lAHBhc3N3b3Jk
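The same token built with printf instead of echo, as an added example that is not part of the original page: the username and password are passed as %s arguments, so they are never parsed for escape sequences and a password such as 0123 survives intact. The function names are my own; the token layout (empty authzid, NUL, authcid, NUL, password) is the one shown above.

```shell
# Added example: build and inspect a SASL PLAIN token without the echo pitfall.
# The PLAIN message is [authzid] NUL authcid NUL passwd; authzid is left empty
# here, matching the \x00username\x00password form used on this page.

# sasl_plain_token USERNAME PASSWORD -> prints the base-64 token on one line.
# Only the format string is parsed for escapes (\000 is the NUL byte); "$1" and
# "$2" are substituted verbatim, so leading digits are never reinterpreted.
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_show TOKEN -> decodes the token and prints the three fields with
# '|' in place of each NUL, so a token can be checked before it is pasted into
# an AUTH PLAIN command. Expected shape: |username|password
sasl_plain_show() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}
```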

SMTP

SMTP can do STARTTLS or SMTP in TLS. STARTTLS is far more common.

# Test of submission port with telnet
# STARTTLS should be available
# AUTH should not be, since this connection isn't encrypted.

$ telnet smtp.whoever.vt.edu submission
Trying X.X.X.X...
Connected to smtp.whoever.vt.edu.
Escape character is '^]'.
220 smtp.whoever.vt.edu ESMTP Postfix
ehlo host.dept.vt.edu
250-smtp.whoever.vt.edu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
#
# Connection using STARTTLS and SASL AUTH PLAIN
# Note that AUTH is now available
#
$ openssl s_client -connect smtp.whoever.vt.edu:submission -starttls smtp
# [A bunch of OpenSSL messages here]
250 DSN
ehlo host.dept.vt.edu
250-smtp.whoever.vt.edu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain [base-64 string here]
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
closed
$
#
# Connection using STARTTLS and SASL AUTH LOGIN
# Note that AUTH is now available
#
$ openssl s_client -connect smtp.whoever.vt.edu:submission -starttls smtp
# [A bunch of OpenSSL messages here]
250 DSN
ehlo host.dept.vt.edu
250-smtp.whoever.vt.edu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
[base64 encoded username]
334 UGFzc3dvcmQ6
[base64 encoded password]
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
closed
$
  • SMTP in TLS: openssl s_client -connect smtp.whoever.vt.edu:smtps

IMAP

IMAP supports both STARTTLS and IMAP in TLS.

#
# IMAP with telnet
# STARTTLS is enabled.
# LOGIN is disabled since TLS has not been started.
#
$ telnet imap.whoever.vt.edu imap
Trying X.X.X.X...
Connected to imap.whoever.vt.edu.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
x capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED
x OK Capability completed.
x logout
* BYE Logging out
x OK Logout completed.
Connection closed by foreign host.
#
# IMAP with STARTTLS
# Note that AUTH is now listed and LOGINDISABLED is not.
#
$ openssl s_client -connect imap.whoever.vt.edu:imap -starttls imap
. OK Capability completed.
x capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
x OK Capability completed.
x login <username> <password>
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
x OK Logged in
x logout
* BYE Logging out
x OK Logout completed.
closed
$
#
# IMAPS (IMAP in TLS)
# Note that AUTH is now listed and LOGINDISABLED is not.
#
$ openssl s_client -connect imap.whoever.vt.edu:imaps
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
x login <username> <password>
x OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
x logout
* BYE Logging out
x OK Logout completed.
closed
$

POP3

#
# POP3 with telnet
# Login is not allowed since this is unencrypted
#
$ telnet pop.whoever.vt.edu pop3
Trying X.X.X.X...
Connected to pop.whoever.vt.edu.
Escape character is '^]'.
+OK Dovecot ready.
user <username>
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
quit
+OK Logging out
Connection closed by foreign host.
$
#
# POP3 with STARTTLS
#
$ openssl s_client -connect pop.whoever.vt.edu:pop3 -starttls pop3
# [A bunch of OpenSSL messages here]
+OK Dovecot ready.
user <username>
+OK
pass <password>
+OK Logged in.
quit
+OK Logging out.
closed
$
  • POP3 in TLS: openssl s_client -connect pop.whoever.vt.edu:pop3s
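The property the SMTP and IMAP transcripts above illustrate (STARTTLS advertised on the cleartext connection, password authentication not) can be checked mechanically on a captured reply. The following is an added example, not part of the original page; the function names are my own and the sample replies are constructed from the transcripts, not captured live.

```shell
# Added example: flag a cleartext EHLO reply or IMAP greeting that offers
# authentication before TLS has been started.

# smtp_cleartext_ok EHLO_REPLY -> 0 when STARTTLS is listed and no AUTH line is.
smtp_cleartext_ok() {
    printf '%s\n' "$1" | grep -q '^250[- ]STARTTLS' || return 1
    if printf '%s\n' "$1" | grep -q '^250[- ]AUTH'; then
        return 1   # AUTH offered before TLS: a client could send its password in the clear
    fi
    return 0
}

# imap_cleartext_ok GREETING -> 0 when STARTTLS and LOGINDISABLED are both
# advertised and no AUTH= mechanism is listed.
imap_cleartext_ok() {
    case "$1" in *STARTTLS*) ;; *) return 1 ;; esac
    case "$1" in *LOGINDISABLED*) ;; *) return 1 ;; esac
    case "$1" in *AUTH=*) return 1 ;; esac
    return 0
}

# Constructed samples: the first of each pair mirrors this page's transcripts,
# the second is a misconfigured server that allows authentication in the clear.
SMTP_GOOD='250-smtp.whoever.vt.edu
250-PIPELINING
250-STARTTLS
250 DSN'
SMTP_BAD='250-smtp.whoever.vt.edu
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN'
IMAP_GOOD='* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.'
IMAP_BAD='* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN] Dovecot ready.'
```

To use the checks on a live server, save the reply from the telnet session (before STARTTLS) and pass it as the single argument.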