Posted: 9 Mar 2005
PROBLEM: It is difficult to debug SSL connections, especially
with services like POP or IMAP, without using complex scripts/tools.
SOLUTION: Use OpenSSL to
negotiate the SSL/TLS connection. This allows you to interact with the service
in plain-text and obviate the need for an SSL-aware client.
The OpenSSL tool is used to generate keys, and perform various
certificate-related functions. However, the "s_client" option provides a fully
SSL/TLS compliant client. OpenSSL performs all the SSL/TLS negotiation,
encryption, and decryption over the "wire", and leaves you with a plaintext
session that you can use to test or debug services.
EXAMPLE: Suppose you are having problems with your SSL IMAP
server (which previously worked fine on port 143). You could perform the
OpenSSL s_client -connect imap_server:993
The s_client will negotiate the connection (and provide you
with nifty details about the connection) and then present you with an
interactive session (as if you were connected to the imap server on port 143).
You can then issue commands as with a normal (non-SSL) IMAP server to debug the
This will also work for many other services, such as a web
server (use port 443 for the default) or other SSL/TLS services.
If you have any questions you may contact Chander at email@example.com