This mechanism is called Server Name Indication.īut why did our first example work without this option? By default, OpenSSL populates servername with the same value passed to connect. The reverse proxy (identified by the 172.64.104.34 address) serves multiple web-servers, including our own.Īs a result, we need to send a servername to it, so that it knows which certificate to return. SSL handshake has read 7 bytes and written 293 bytes Let’s run our previous example but with the host IP address instead: $ openssl s_client -showcerts -connect 172.64.104.34:443ġ40695394247936:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshakeįailure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40 In some situations, our server might sit behind a reverse proxy for load-balancing purposes.įirst, let’s find our host IP using nslookup: $ nslookup Finally, we use sed to filter the output and dump the certificates to a file.As a result, the interactive session closes because it reads EOF.First, we call the openssl s_client command and redirect the null device ( /dev/null) to its standard input.Let’s now take a look at the certifs.pem file: However, let’s use some Linux magic, and extract only the certificates from the whole output: $ openssl s_client -showcerts -connect :443 certifs.pem We could just copy-paste these outputs into a file, and do further processing. MTAxNDEyMDAwMFoXDTIwMTAwOTEyMDAwMFowbzELMAkGA1UEBhMCVVMxCzAJBgNV MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlĬlRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE1 MIIDozCCAougAwIBAgIQD/PmFjmqPRoSZfQfizTltjANBgkqhkiG9w0BAQsFADBa
We can use the -showcerts option to get the complete certificate chain: $ openssl s_client -showcerts -connect :443 This keeps the interactive session open until we type Q (quit) and press, or until EOF is encountered. SW5jIEVDQyBDQS0yMB4XDTIwMDEzMTAwMDAwMFoXDTIwMTAwOTEyMDAwMFowbTEL GTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkRmxhcmUg MIIE6DCCBI2gAwIBAgIQDJkqrAVVvIBWJvIMDkzpwzAKBggqhkjOPQQDAjBvMQswĬQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x We can get an interactive SSL connection to our server, using the openssl s_client command: $ openssl s_client -connect :443 Ĭ=US, ST=California, L=Palo Alto, O=Hewlett-Packard, OU=Operations, CN=Finished SSL/TLS connection with server. If successful, the certificates subject will be shown, and the connection closed. After establishing a TCP connection, it will try to switch to SSL/TLS and retrieve the servers certificate. If no port is given in the URL string, it will use the standard web SSL port 443. The program attempts to make a TCP connection to the server specified in the URL. The program expects a valid, hard-coded destination url set inside the c-programm. > gcc -o sslconnect sslconnect.c -lssl -lcrypto Example Output If ( connect(sockfd, (struct sockaddr *) &dest_addr,īIO_printf(out, "Error: Cannot connect to host %s on port %d.\n",
* initialize SSL library and register algorithms * Outbio = BIO_new_fp(stdout, BIO_NOCLOSE) * These function calls initialize openssl for correct work. * create_socket() creates a socket & TCP-connects to server. * First we need to make a standard TCP socket connection. * gcc -o sslconnect sslconnect.c -lssl -lcrypto *
#OPENSSL CONNECT CODE#
* purpose: Example code for building a SSL connection and * You’ll get a lot of output concerning the SSL session and certificates used, but afterwards you’ll see a similar confirmation as with the telnet. To use SSL on port 465: openssl sclient -connect :465.
#OPENSSL CONNECT HOW TO#
The example 'C' program sslconnect.c demonstrates how to make a basic SSL/TLS connection, using the OpenSSL library functions. To connect using the TLS protocol on port 587, use: openssl sclient -starttls smtp -connect :587.