Testing TLS


Testing TLS

Warrick FitzGerald-2
Hi Guys,

I'm trying to test a connection to a TLS enabled SMTP server. Is it possible to use OpenSSL to set up the TLS session and then interact with the mail server as if I'd telnet'd to port 25?

Thanks
Warrick

Re: Testing TLS

Victor Duchovni
On Wed, Nov 09, 2005 at 08:38:02PM -0500, Warrick FitzGerald wrote:

> Hi Guys,
>
> I'm trying to test a connection to a TLS enabled SMTP server. Is it
> possible to use OpenSSL to set up the TLS session and then interact
> with the mail server as if I'd telnet'd to port 25?
>

Yes, with significant limitations via "openssl s_client". For full
interactive TLS you can use stunnel which supports SMTP.

The problems with s_client are:

    - It does not send EHLO, and many servers refuse STARTTLS before EHLO.

    - It is a debugging tool, not a proxy, so "R" causes renegotiation, and
    literal "R" cannot be sent, ...

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Testing TLS

Victor B. Wagner
On 2005.11.09 at 20:50:39 -0500, Victor Duchovni wrote:

> On Wed, Nov 09, 2005 at 08:38:02PM -0500, Warrick FitzGerald wrote:
>
> > Hi Guys,
> >
> > I'm trying to test a connection to a TLS enabled SMTP server. Is it
> > possible to use OpenSSL to set up the TLS session and then interact
> > with the mail server as if I'd telnet'd to port 25?
> >
>
> Yes, with significant limitations via "openssl s_client". For full
> interactive TLS you can use stunnel which supports SMTP.
>
> The problems with s_client are:
>
>     - It does not send EHLO, and many servers refuse STARTTLS before EHLO.
>
>     - It is a debugging tool, not a proxy, so "R" causes renegotiation, and
>     literal "R" cannot be sent, ...
>

I've just encountered the same problem - I need to test a protocol which starts
as an unencrypted connection and begins to use SSL somewhere in the middle.
So, I've hacked up a quick script which is free of these limitations.

It uses Tcl and the tcltls package from tls.sf.net. It assumes that the patch
for engine support is applied (see the patch manager for tcltls), but if not,
nothing is wrong with it unless you want to use the -engine or -conf option.
http://45.free.net/~vitus/ice/works/starttls.tcl

RE: Testing TLS

gordey (Bugzilla)
In reply to this post by Warrick FitzGerald-2

Hi Warrick,

For sendmail verify TLS: openssl s_client -starttls smtp -showcerts -connect MTA.FQDN:25

~R.Gordey

From: [hidden email] [mailto:[hidden email]] On Behalf Of Warrick FitzGerald
Sent: Wednesday, November 09, 2005 8:38 PM
To: [hidden email]
Subject: Testing TLS

Hi Guys,

I'm trying to test a connection to a TLS enabled SMTP server. Is it possible to use OpenSSL to set up the TLS session and then interact with the mail server as if I'd telnet'd to port 25?

Thanks
Warrick
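
The exchange discussed in this thread (a connection that starts unencrypted, with EHLO sent before STARTTLS and TLS beginning only after the server's 220 reply), as an added Python example that is not code from any poster or from the OpenSSL project. The EHLO name client.example and the host name taken from the command line are assumptions.

```python
import socket
import ssl

def read_reply(f):
    """Read one SMTP reply: 'NNN-text' lines continue, 'NNN text' ends it."""
    texts = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line[:3].isdigit():
            raise ConnectionError("connection closed or malformed reply")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts

def starttls_preamble(sock, ehlo_name="client.example"):
    """Cleartext phase: banner, EHLO, STARTTLS. Returns advertised extensions."""
    # Unbuffered reader: nothing past the end of a reply is consumed, so the
    # TLS handshake starts exactly at the next byte the server sends.
    f = sock.makefile("rb", buffering=0)
    code, text = read_reply(f)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {code} {text}")
    sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))
    code, text = read_reply(f)
    if code != 250:
        raise RuntimeError(f"EHLO rejected: {code} {text}")
    extensions = text[1:]          # first line is the server's greeting
    if "STARTTLS" not in (e.upper() for e in extensions):
        raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    code, text = read_reply(f)
    if code != 220:
        raise RuntimeError(f"STARTTLS refused: {code} {text}")
    return extensions

def open_smtp_tls(host, port=25):
    """Connect, upgrade via STARTTLS, return (tls_socket, extensions)."""
    sock = socket.create_connection((host, port), timeout=15)
    extensions = starttls_preamble(sock)
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    return ctx.wrap_socket(sock, server_hostname=host), extensions

if __name__ == "__main__":
    import sys
    tls, extensions = open_smtp_tls(sys.argv[1])
    print("offered before TLS:", extensions)
    print("negotiated:", tls.version(), tls.cipher()[0])
    tls.sendall(b"EHLO client.example\r\n")   # EHLO again inside TLS (RFC 3207)
    print(read_reply(tls.makefile("rb", buffering=0)))
    tls.sendall(b"QUIT\r\n")
```

Because the script writes raw lines to the socket itself, any byte sequence can be sent after the handshake, and a certificate that fails chain or hostname verification makes `wrap_socket` raise instead of connecting silently.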