
Can’t Speak SSL?

Posted 29 Sep 2009

Telnet is a good tool for testing basic connectivity to a service, for example when verifying firewall rules. It’s especially good for stripped-down environments where there is no desktop environment with an assortment of user-friendly GUI tools, and it’s handy for troubleshooting automated connections between web-based services. A simple test to verify basic accessibility from the command line looks like the following:

telnet www.mydomain.com 80
Trying 192.168.100.100...
Connected to www.mydomain.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: www.mydomain.com

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:12:04 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:12:09 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8

This works well as long as the connection is plain HTTP. What’s the matter? Can’t speak SSL? Use openssl as the client for connecting to your site.

openssl s_client -connect www.mydomain.com:443
…SSL certificate info removed for brevity. Can be used to verify certificate…
HEAD / HTTP/1.1
Host: www.mydomain.com

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:42:27 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:42:35 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8

SSL websites sometimes require authentication. We can use another tool to craft the authentication string to feed to the openssl client. Basic authentication uses simple Base64 encoding of the username and password. Keep in mind that Base64 encoding is not encryption. The SSL encryption is the actual protection for the username and password.

perl -MMIME::Base64 -e 'print encode_base64("username:password")'
dXNlcm5hbWU6cGFzc3dvcmQ=

Feeding this back to openssl, we have the following:

openssl s_client -connect www.mydomain.com:443
…SSL certificate info removed for brevity. Can be used to verify certificate…
HEAD / HTTP/1.1
Host: www.mydomain.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

HTTP/1.1 200 OK
Date: Wed, 30 Sep 2009 02:53:11 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 30 Sep 2009 02:53:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
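
The same session can be scripted instead of typed. The following is an added example, not part of the original post; the function names (basic_token, decode_token, build_request, send_request) are hypothetical, and the host and credentials are the placeholders used above. It also decodes the token again to show that Base64 gives no confidentiality by itself.

```shell
#!/bin/sh
# Added example: non-interactive version of the openssl session above.
# Function names are hypothetical; host and credentials are placeholders.

# Encode "user:pass" for HTTP Basic authentication.
# printf '%s' avoids the trailing newline that echo would append (which
# would end up inside the token); tr removes the line wrapping that
# GNU base64 applies to long input, so the header stays on one line.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse the encoding. Anyone who can read the header can do this,
# which is why the TLS layer is the only real protection.
decode_token() {
    printf '%s' "$1" | base64 -d
}

# Build the HEAD request with CRLF line endings and the terminating
# blank line. "Connection: close" makes the server hang up after replying.
build_request() {
    host=$1 user=$2 pass=$3
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nAuthorization: Basic %s\r\nConnection: close\r\n\r\n' \
        "$host" "$(basic_token "$user" "$pass")"
}

# Send the request over TLS. -quiet hides the certificate dump and keeps
# the connection open after stdin reaches EOF; -servername sets SNI.
send_request() {
    build_request "$1" "$2" "$3" |
        openssl s_client -quiet -connect "$1:443" -servername "$1" 2>/dev/null
}

# Usage (requires network access):
#   send_request www.mydomain.com username password
```

Drop -quiet when the certificate details are what you want to inspect.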

Of course, if more complex interactivity is needed, the Perl LWP module is your friend.
