Short Tip: Test TLS connections on command line [Update]


When you set up TLS encryption for a web server or an IMAP server like Dovecot, it is sometimes handy to test the encryption on the command line to see what really happens there. A good tool for that is openssl:

# openssl s_client -crlf -connect www.example.net:993
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.

Afterwards, if you want to try an IMAP login, for example, the commands are as follows:

A login user password
A OK User logged in
A OK [CAPABILITY IMAP4rev1 ...
A status INBOX (messages)
* STATUS INBOX (MESSAGES 0)
A OK Status completed.
C logout
* BYE Logging out
C OK Logout completed.
closed

Likewise, if you want to test HTTPS encryption:

$ openssl s_client -crlf -connect www.example.net:443
CONNECTED(00000003)
[...]
---
GET / HTTP/1.0

HTTP/1.1 302 Found
[...]
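
A transcript that ends in a protocol greeting does not by itself show that the certificate chain validated: by default s_client continues the handshake after a verification error and reports it only in the "Verify return code" line. The following added example (not part of the original post) pulls that line, the protocol and the cipher out of a transcript; the function name tls_summary and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an `openssl s_client`
# transcript read on stdin and fail unless the certificate chain verified.
# Live use (host is the post's placeholder):
#   openssl s_client -crlf -connect www.example.net:993 </dev/null 2>&1 | tls_summary

tls_summary() {
    awk '
        # Negotiated version from the SSL-Session block: "    Protocol  : TLSv1.2"
        /^ *Protocol *: / { sub(/^ *Protocol *: */, ""); proto = $0 }
        # Cipher from the handshake summary: "New, TLSv1.2, Cipher is ..."
        /^New, .*Cipher is / { sub(/^.*Cipher is /, ""); cipher = $0 }
        # Result of chain validation: "Verify return code: 0 (ok)"
        /Verify return code: / {
            sub(/^.*Verify return code: */, ""); verify = $0; code = $1
        }
        END {
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify
            if (verify == "") exit 2            # no handshake summary found
            exit (code == "0" ? 0 : 1)          # 1 = connected but not verified
        }
    '
}

# Constructed transcripts modelled on s_client output (not captured from a server).
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] Dovecot ready.
EOF
}

sample_expired() {
    sample_ok | sed 's/Verify return code: 0 (ok)/Verify return code: 10 (certificate has expired)/'
}

# Demo run: the second transcript still shows the greeting but is not verified.
sample_ok | tls_summary || echo "not verified (status $?)"
sample_expired | tls_summary || echo "not verified (status $?)"
```

Adding -verify_return_error to the s_client command makes it abort the handshake on a verification error instead of continuing.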

4 thoughts on “Short Tip: Test TLS connections on command line [Update]”

  1. “-starttls imap” will help you if using encrypted imap on the non-ssl port (default 143)

  2. I find gnutls-cli even better, because you can even use it for connections using STARTTLS: While the traditional services provide an additional SSL-wrapped port, where the encryption happens outside the traditional unencrypted protocol, newer protocols upgrade the existing connection to enable encryption. For example you connect to the default unencrypted SMTP port 25 and issue the STARTTLS command after the initial HELO/EHLO greeting. Only then encryption is set up and the connection is secured. To trigger that transition from unencrypted to encrypted, you need to press Ctrl-D:
    $ gnutls-cli --starttls --insecure --port 25 my-smtp.example.com
    220 my-smtp-example.com ESMTP Postfix (Debian/GNU)
    STARTTLS
    220 2.0.0 Ready to start TLS
    ^D
    *** Starting TLS handshake
