Use `openssl s_client` to test TLS handshakes in a script
- Author
- User
- Linux Bash
Using OpenSSL s_client to Test TLS Handshakes in Bash Scripts
In the world of web security, ensuring that your TLS (Transport Layer Security) configurations are correct is crucial for safeguarding data in transit. One powerful tool to help with this is the `openssl s_client` command. This command-line tool can initiate TLS connections to a remote server, allowing you to check and troubleshoot your SSL/TLS settings. Below, we'll explore how `openssl s_client` can be utilized within a Bash script to test TLS handshakes.
Q&A on Using `openssl s_client` in Scripts
Q1: What is `openssl s_client`?
A1: `openssl s_client` is a utility provided by OpenSSL that acts as a client program that connects to a server. It's primarily used to debug SSL/TLS servers, fetch server certificates, and even test the encryption.
Q2: How do I use `openssl s_client` to test a TLS handshake?
A2: To test a TLS handshake, you can run a command like:
```bash
openssl s_client -connect example.com:443
```
This command attempts to establish a TLS connection to `example.com` on port 443 and outputs the negotiation details of the handshake.
Q3: Can I include this in a Bash script to perform automated checks?
A3: Absolutely! You can wrap `openssl s_client` in a Bash script to periodically check your servers or integrate it into your CI/CD pipelines for automated testing.
Q4: What are some common parameters used with `openssl s_client`?
A4: Some useful parameters include:
- `-connect host:port`: Specifies the host and port to connect to.
- `-servername name`: Sets the TLS SNI (Server Name Indication) extension.
- `-cert file`: Client certificate to send to the server.
- `-key file`: Private key file to use for the SSL connection.
Background: Simplifying SSL/TLS with Bash and OpenSSL
`openssl s_client` is not only powerful but also highly versatile. Let's look at some simple examples to understand how we can utilize it in different scenarios.
Example 1: Fetching a Server Certificate
To simply fetch and view the SSL certificate of a server:
```bash
openssl s_client -connect example.com:443 -showcerts
```
Example 2: Verifying Hostname and Certificate
Although `openssl s_client` doesn't automatically verify a hostname, you can manually extract this information:
```bash
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -subject
```
An Executable Script to Demonstrate TLS Handshake Testing
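Here is a basic Bash script that utilizes `openssl s_client` to test TLS handshakes and log results:
```bash
#!/bin/bash
SERVER="example.com:443"
LOGFILE="tls-handshake-test.log"

echo "Starting TLS handshake test for $SERVER" | tee -a "$LOGFILE"
# Read stdin from /dev/null so s_client exits once the handshake is done.
# With `echo | openssl ... | tee`, PIPESTATUS[0] would be the status of echo
# (always 0); with the redirect, PIPESTATUS[0] is openssl's own exit status.
openssl s_client -connect "$SERVER" </dev/null 2>&1 | tee -a "$LOGFILE"
if [ "${PIPESTATUS[0]}" -eq 0 ]; then
    echo "TLS handshake successful." | tee -a "$LOGFILE"
else
    echo "TLS handshake failed." | tee -a "$LOGFILE"
fi
```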
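The script above decides success from the exit status alone, but `s_client` can complete a handshake and still report a certificate verification failure in its output. The following is an added example, not part of the original article: it classifies a handshake by parsing the `New, ..., Cipher is ...` and `Verify return code:` lines. The function names `summarize_handshake` and `check_server` are hypothetical, and the sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: judge a handshake from what s_client printed, not only its exit status.

# summarize_handshake: reads `openssl s_client` output on stdin, prints
# "<protocol> <cipher> <verify_code>" and returns
#   0 = handshake completed and the certificate chain verified
#   1 = no handshake (nothing was negotiated)
#   2 = handshake completed, but verification failed or was not reported
summarize_handshake() {
    sh_out=$(cat)
    sh_proto=$(printf '%s\n' "$sh_out" | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    sh_cipher=$(printf '%s\n' "$sh_out" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1)
    sh_code=$(printf '%s\n' "$sh_out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    if [ -z "$sh_proto" ] || [ "$sh_proto" = "(NONE)" ]; then
        echo "none none ${sh_code:-unknown}"
        return 1
    fi
    echo "$sh_proto $sh_cipher ${sh_code:-unknown}"
    [ "$sh_code" = "0" ] || return 2
}

# check_server HOST PORT (hypothetical helper): live use. -servername sends SNI;
# stdin from /dev/null lets s_client exit once the handshake is done.
check_server() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 | summarize_handshake
}

# Constructed samples shaped like s_client output (not captured from a real server).
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---'
SAMPLE_EXPIRED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 10 (certificate has expired)
---'
SAMPLE_FAILED='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
---'

for sample in "$SAMPLE_OK" "$SAMPLE_EXPIRED" "$SAMPLE_FAILED"; do
    rc=0
    summary=$(printf '%s\n' "$sample" | summarize_handshake) || rc=$?
    echo "rc=$rc summary=$summary"
done
```

For a live check, call `check_server example.com 443` and alert on any non-zero return value.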
Conclusion
Testing TLS handshakes using `openssl s_client` within a Bash script provides a resilient method to ensure your SSL/TLS configurations are set up correctly and remain robust. This toolkit not only assists in testing but also in automating the monitoring of secured connections, paving the way for a safer web experience. Utilizing scripts like the one demonstrated above, system administrators and DevSecOps teams can effectively streamline their testing processes, integrate security checks into development pipelines, and react swiftly to misconfigurations or emerging vulnerabilities.
Further Reading
- OpenSSL Project Documentation: For a comprehensive guide and latest updates on OpenSSL commands including `s_client`. https://www.openssl.org/docs/manmaster/man1/openssl-s_client.html
- Digital Ocean Tutorial on OpenSSL: This tutorial provides practical examples on how to use OpenSSL, including using the `s_client` to test SSL/TLS. https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
- SSL/TLS Handshake Explained: Learn more about the details of what happens during a TLS handshake. https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
- Using Bash Scripts for Automation: This article explains how Bash scripting can be used for automating routine tasks including network monitoring. https://linuxize.com/post/bash-scripts/
- Integrating OpenSSL with CI/CD Pipelines: A guide on how to integrate security checks like OpenSSL TLS testing into continuous integration and deployment pipelines. https://www.jenkins.io/doc/book/pipeline/