Easy Way to Debug SSL Connections

Posted: 9 Mar 2005

PROBLEM: It is difficult to debug SSL connections, especially with services like POP or IMAP, without using complex scripts/tools.

SOLUTION: Use OpenSSL to negotiate the SSL/TLS connection. This allows you to interact with the service in plain-text and obviate the need for an SSL-aware client.

The OpenSSL tool is used to generate keys, and perform various certificate-related functions. However, the "s_client" option provides a fully SSL/TLS compliant client. OpenSSL performs all the SSL/TLS negotiation, encryption, and decryption over the "wire", and leaves you with a plaintext session that you can use to test or debug services.

EXAMPLE: Suppose you are having problems with your SSL IMAP server (which previously worked fine on port 143). You could perform the following:

OpenSSL s_client -connect imap_server:993 -crlf

The s_client will negotiate the connection (and provide you with nifty details about the connection) and then present you with an interactive session (as if you were connected to the imap server on port 143). You can then issue commands as with a normal (non-SSL) IMAP server to debug the interface.

This will also work for many other services, such as a web server (use port 443 for the default) or other SSL/TLS services.

If you have any questions you may contact Chander at chander@mti-nc.com

Informacja z serwisu http://www.djack.com.pl