Can the telnet or netcat clients communicate over SSL?

66

40

I would like to test client connections with IMAP over SSL, HTTPS, and other secure text-based Internet protocols over SSL/TLS, the same way I would using telnet or netcat if they were not tunneled over a secure protocol. Is there a way to get telnet or netcat to go through SSL/TLS such as with a pipe or alternate program?

user553702

Posted 2011-10-15T20:29:00.317

Reputation: 1 081

2

Same on serverfault: http://serverfault.com/questions/102032/connecting-to-https-with-netcat-nc

– Ciro Santilli 新疆改造中心法轮功六四事件 – 2014-12-08T23:18:18.423

Answers

139

There is no Telnet/Netcat client – they are two separate programs, and there exist at least 10 different Telnet clients and at least 6 different Netcat versions (original netcat, GNU netcat, OpenBSD netcat, nmap's ncat; forgot the rest).

The preferred tools come from TLS libraries themselves. They might be a bit verbose, though.

  • GnuTLS has a TLS client tool on Linux:

    gnutls-cli imap.gmail.com -p 993
    

    Use -s for STARTTLS; you will need to manually enter the necessary protocol commands and press Ctrl-D when ready.

    Supports IPv6, validates server certificates by default.

  • OpenSSL has a TLS client tool:

    openssl s_client -connect imap.gmail.com:993
    

    This is available for all operating systems. STARTTLS is supported via -starttls imap or -starttls smtp options, and the program will automatically negotiate it. (Although it throws away the initial server reply after doing so, but it's usually fine.)

    Only version ≥ 1.1 supports IPv6.

    Only version ≥ 1.0.2 (IIRC) validates server certificate by default; older versions require manual -CApath specification.

(I'd like to also have tools for testing NSS and SChannel, but couldn't find any.)

The programs also use the same libraries, but might have fewer configuration knobs. Some even skip on peer certificate checks by default...

  • socat:

    socat openssl:imap.gmail.com:993 stdio
    

    readline mode can be used for convenience:

    socat ssl:imap.gmail.com:993 readline
    

    STARTTLS is not supported.

  • ncat from nmap supports TLS (but not STARTTLS):

    ncat --ssl imap.gmail.com 993
    
  • Some Telnet clients, such as the telnet-ssl package on Debian, also support TLS:

    telnet-ssl -z ssl imap.gmail.com 993
    

    STARTTLS can be activated using starttls from the Ctrl-] escape menu.

user1686

Posted 2011-10-15T20:29:00.317

Reputation: 283 655

4

I wish I could simply favorite your answer instead of the question that the asker didn't even bother marking as accepted. – Sammitch – 2014-11-19T22:54:51.037

gnutls-cli also seems to be the only one with which I can test STARTTLS with IPv6. Thanks! – karoshi – 2017-03-29T10:59:13.707

OpenSSL s_client has IPv6 support in the 1.1 release. – user1686 – 2017-03-29T12:32:04.630

@grawity I would really appreciate if you can check this similar question: https://serverfault.com/questions/887224/ssl-unsupported-protocol-error

– Spring – 2017-12-08T18:03:40.767

1

OpenSSL's s_client has a "useful" feature where lines that begin with R or Q are treated as commands (see manual). Use -ign_eof to disable this. Also, s_client will continue even if verification fails; you have to check that it says "Verify return code: 0 (ok)" and hope the server doesn't try to spoof this message. Better to use gnutls-cli if possible.

– tom – 2018-01-08T02:56:32.540

1

Luckily it also has -verify_return_error for that. – user1686 – 2018-01-08T05:27:53.380

The -verify_return_error option indeed works, provided -verify is also specified (this tripped me up when I wrote my previous comment). – tom – 2018-02-01T04:41:28.317
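The answer above lists ready-made clients; the comments add the caveat that openssl s_client keeps going after a failed certificate check unless -verify and -verify_return_error are given. As an added example (not code from the thread or from any of the tools named in it), here is a small netcat-style TLS client in Python that fails closed: ssl.create_default_context() verifies the chain and hostname, a verification error raises before any protocol traffic is exchanged, and the optional STARTTLS mode drives the plaintext IMAP or SMTP upgrade that socat and ncat lack. The tag a001, the EHLO name tlscat.invalid and the script name are constructed for the example.

```python
"""tlscat: a small netcat-style client that speaks TLS, with optional STARTTLS.

Usage (added example, constructed names):
    python tlscat.py imap.gmail.com 993
    python tlscat.py imap.gmail.com 143 --starttls imap
    python tlscat.py mail.example.invalid 587 --starttls smtp

Lines typed on stdin are sent with CRLF line endings; server data goes to
stdout. The default SSL context verifies the chain and the hostname, and a
verification failure aborts the session instead of continuing.
"""
import os
import selectors
import socket
import ssl
import sys

TAG = b"a001"  # IMAP command tag, chosen for this example
# Per protocol: the plaintext command that asks for TLS, and the prefix of
# the final reply line that means the server is ready for the handshake.
STARTTLS = {
    "imap": (TAG + b" STARTTLS\r\n", TAG + b" OK"),
    "smtp": (b"STARTTLS\r\n", b"220"),
}


def is_final_line(proto, line):
    """True when `line` is the last line of a plaintext server reply.

    IMAP: the response carrying our tag (untagged '* ...' lines continue).
    SMTP: 'NNN text' ends a reply; 'NNN-text' means more lines follow (EHLO).
    """
    line = line.rstrip(b"\r\n")
    if proto == "imap":
        return line.startswith(TAG + b" ")
    return len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" "


def starttls_ready(proto, reply):
    """True if the final line of `reply` grants the upgrade to TLS."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].startswith(STARTTLS[proto][1])


def read_reply(rfile, proto, greeting=False):
    """Read one complete reply. An IMAP greeting is a single untagged line."""
    data = b""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection before TLS")
        data += line
        if (greeting and proto == "imap") or is_final_line(proto, line):
            return data


def negotiate_starttls(sock, proto):
    """Drive the plaintext half of STARTTLS; returns the server's final reply."""
    rfile = sock.makefile("rb")
    sys.stdout.write(read_reply(rfile, proto, greeting=True).decode(errors="replace"))
    if proto == "smtp":
        sock.sendall(b"EHLO tlscat.invalid\r\n")  # constructed client name
        read_reply(rfile, proto)
    sock.sendall(STARTTLS[proto][0])
    reply = read_reply(rfile, proto)
    sys.stdout.write(reply.decode(errors="replace"))
    if not starttls_ready(proto, reply):
        raise ConnectionError("server refused STARTTLS: %r" % reply)
    rfile.close()  # closes only the file wrapper; the socket stays open
    return reply


def pump(tls):
    """Copy stdin -> server (LF to CRLF) and server -> stdout until a side closes."""
    sel = selectors.DefaultSelector()
    sel.register(sys.stdin, selectors.EVENT_READ)
    sel.register(tls, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            if key.fileobj is sys.stdin:
                chunk = os.read(sys.stdin.fileno(), 4096)
                if not chunk:
                    return  # EOF on stdin (Ctrl-D): we are done
                tls.sendall(chunk.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n"))
            else:
                chunk = tls.recv(4096)
                if not chunk:
                    return  # server closed the connection
                sys.stdout.buffer.write(chunk)
                while tls.pending():  # decrypted bytes select() cannot see
                    sys.stdout.buffer.write(tls.recv(4096))
                sys.stdout.buffer.flush()


def main(argv):
    if len(argv) not in (3, 5) or (len(argv) == 5 and argv[3] != "--starttls"):
        sys.exit("usage: tlscat.py HOST PORT [--starttls imap|smtp]")
    host, port = argv[1], int(argv[2])
    proto = argv[4] if len(argv) == 5 else None
    if proto is not None and proto not in STARTTLS:
        sys.exit("unsupported STARTTLS protocol: %s" % proto)
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port)) as raw:
        if proto:
            negotiate_starttls(raw, proto)
        # wrap_socket raises ssl.SSLCertVerificationError on a bad chain or a
        # name mismatch, so the session is never reached unverified.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            sys.stderr.write("[%s, cipher %s, subject %s]\n" % (
                tls.version(), tls.cipher()[0], tls.getpeercert().get("subject")))
            pump(tls)


if __name__ == "__main__":
    main(sys.argv)
```

The STARTTLS helpers stop at the right line because IMAP replies end with the tagged response while SMTP multi-line replies use `NNN-` continuation and `NNN ` for the final line; testing against a server that refuses the upgrade (for example an IMAP `a001 BAD` or an SMTP 454) raises instead of silently continuing in plaintext.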

5

You may want to look at openssl s_client, e.g.

# openssl s_client -connect dummy.com:8443

dchampion

Posted 2011-10-15T20:29:00.317

Reputation: 51

2

Yeah, there's a program called stunnel. It has a configuration file; you tell it what port to listen on and what port to forward to. It works for the client side, or the server side, or both. So it can turn a server that doesn't support SSL effectively into one that does, or a client that doesn't support SSL effectively into one that does, or make both a client and server have an SSL connection.

barlop

Posted 2011-10-15T20:29:00.317

Reputation: 18 677
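A concrete client-side configuration for the setup this answer describes, added here as an example rather than taken from the answer: stunnel listens on a local plaintext port and forwards to the IMAPS port, so a plain telnet or netcat session to 127.0.0.1:1143 comes out as TLS at imap.gmail.com:993. The option names are stunnel's own documented settings (client, accept, connect, verifyChain, CAfile, checkHost); the service name imaps, the local port 1143 and the CA bundle path (the Debian/Ubuntu location, adjust for your system) are assumptions for the example.

```ini
; stunnel-client.conf (added example): plaintext in, verified TLS out
foreground = yes
client = yes

[imaps]
accept  = 127.0.0.1:1143
connect = imap.gmail.com:993
; Without the next three lines stunnel accepts any server certificate,
; i.e. the "skips peer certificate checks by default" case from the
; accepted answer. Enable chain and hostname verification explicitly.
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = imap.gmail.com
```

Start it with `stunnel stunnel-client.conf`, then `telnet 127.0.0.1 1143` and talk IMAP as usual; if the remote certificate does not chain to the bundle or does not match checkHost, stunnel drops the connection and logs the reason on the foreground console instead of passing the session through.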

1

There's also sclient (git) if you need cross-platform support (i.e. Windows).

Create a local server that unwraps tls for example.com

$ sclient example.com:443 localhost:3000
> [listening] example.com:443 <= localhost:3000

Make a request to example.com with telnet

$ telnet localhost 3000
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
> Connection: close 
> 
> 

CoolAJ86

Posted 2011-10-15T20:29:00.317

Reputation: 593