Telnet for SSL

From LB Wiki

Revision as of 03:45, 22 June 2008 by Tony (Talk | contribs)

Telnet, oddly enough, is a powerful tool for diagnosing all sorts of network troubles. Because it is a generic TCP client, it can open a connection to almost any TCP-based service, and with some knowledge of the Layer 7 protocol on the other end (HTTP, for example) you can exercise the protocol by hand.

So what if the service is wrapped in SSL/TLS? Fortunately, there is a utility that works in much the same way. It is part of the open-source OpenSSL package, which ships with just about every Linux, Solaris, BSD and Unix system, and a Windows build is easy to obtain.

The specific utility is openssl s_client. It takes the target as -host [ip address or hostname] -port [tcp port], or equivalently as -connect [host]:[port]. To use it, run the following at a command prompt:

openssl s_client -host 192.168.0.200 -port 443

This attempts an SSL/TLS connection to host 192.168.0.200 on port 443. Before anything else, s_client prints a block of diagnostics about the connection: the server certificate and the chain it presented, the negotiated protocol and cipher, the session ID and so on. The tail of that block looks like this:

....

Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 07764E503260A11EBF0D690
Session-ID-ctx:
Master-Key: B108C37807C831EC1895324ED83FDFD4A8DDA0
Key-Arg : None
Krb5 Principal: None
Start Time: 1197668809
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---

The line to read first is Verify return code. Code 18 means the server presented a self-signed certificate that s_client could not validate against its local trust store. Note that s_client reports the verification result and carries on regardless, so a completed connection says nothing about whether the certificate is trusted: pass -CAfile with the right CA bundle to get "0 (ok)", or -verify_return_error if you want a failed verification to abort the connection. After the diagnostics you are connected to the other end much as with telnet, and can type whatever HTTP requests (or other protocol) you like. One difference from telnet: in interactive use a line beginning with a capital R triggers a renegotiation and one beginning with Q closes the connection, which bites when you type QUIT to a mail server; -quiet or -ign_eof turns this off. This works not only with HTTPS but with any SSL/TLS-wrapped protocol, such as SMTPS or IMAPS; for services that upgrade a plaintext session to TLS, add -starttls smtp (or imap, pop3, ftp) so s_client runs the STARTTLS exchange before the handshake.

Layer 7 Connectivity

Using OpenSSL this way is especially useful for testing end-to-end connectivity when troubleshooting a load balancer. Whenever you terminate SSL on a load balancer you are automatically in Layer 7 mode: the load balancer completes the TLS handshake with you itself, before it needs to talk to any back-end server. So the handshake can succeed even when there is no connectivity to the back end at all. If you make this connection and then get a cryptic error such as "errno=0" (the connection simply closes after the handshake, with no application data), it typically means the load balancer has no available server to send the connection to.
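Putting the two halves of this page together, here is an added example (not from the original page or from the OpenSSL project) in POSIX shell: it wraps s_client so that the handshake diagnostics, a hand-typed HTTP request and the Layer 7 triage described above are each one function, and it classifies a few constructed transcripts the way you would read live output. It assumes an OpenSSL with s_client on PATH; the SAMPLE_* transcripts, the function names and the host 192.168.0.200 are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): a thin wrapper around
# openssl s_client for talking to a TLS service by hand and for telling
# "TLS came up but nothing answered" apart from a healthy Layer 7 path.
# Assumes an OpenSSL build with s_client on PATH.  The SAMPLE_* transcripts
# below are constructed for illustration, not captured from a real host.

# tls_handshake HOST PORT [STARTTLS_PROTO]: handshake only, print diagnostics.
# </dev/null makes s_client hang up as soon as the handshake is done.
# -servername sends SNI so a name-based virtual host or a load balancer with
# several certificates picks the right one; -starttls smtp/imap/pop3/ftp runs
# the plaintext STARTTLS exchange before the handshake.
tls_handshake() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1
    fi
}

# tls_probe HOST PORT: handshake, send an HTTP/1.0 request, print everything
# the peer returns.  -ign_eof keeps the session open after stdin is exhausted
# (otherwise s_client closes before the reply arrives) and also disables the
# interactive "Q"/"R" line handling.
tls_probe() {
    printf 'GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" |
        openssl s_client -connect "$1:$2" -servername "$1" -ign_eof 2>&1
}

# tls_established TRANSCRIPT: true if a session was actually negotiated.
# A failed handshake still prints the summary block, with "Cipher is (NONE)"
# and a misleading "Verify return code: 0 (ok)", so the cipher line, not the
# verify line, is the reliable indicator.
tls_established() {
    printf '%s\n' "$1" | grep -Eq '^(New|Reused), .*Cipher is ' &&
        ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# verify_code TRANSCRIPT: the numeric X509 verify result, empty if absent.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# verify_meaning CODE: what the common results mean.  s_client reports the
# result and carries on; the session is established even on failure unless
# -verify_return_error was given (and 0 needs the right -CAfile/-CApath).
verify_meaning() {
    case "$1" in
        0)  echo "ok: chain validated against the local trust store" ;;
        10) echo "certificate has expired" ;;
        18) echo "self-signed leaf certificate" ;;
        19) echo "self-signed certificate in chain (private CA not in trust store)" ;;
        20) echo "issuer not found locally (missing intermediate or -CAfile)" ;;
        21) echo "unable to verify the first certificate (server sent no chain)" ;;
        *)  echo "X509 verify error $1 (see openssl verify / x509_vfy(3))" ;;
    esac
}

# triage TRANSCRIPT: response | tls-only | no-tls
#   response : an HTTP status line came back, Layer 7 works end to end
#   tls-only : handshake completed but the peer sent nothing and closed (on a
#              terminating load balancer: usually no back-end server available;
#              s_client typically shows read:errno=0 here)
#   no-tls   : TCP refused/timed out, or the handshake itself failed
triage() {
    if printf '%s\n' "$1" | grep -q '^HTTP/[0-9]'; then
        echo response
    elif tls_established "$1"; then
        echo tls-only
    else
        echo no-tls
    fi
}

# Constructed transcripts, abbreviated to the lines the helpers look at.
SAMPLE_RESPONSE='---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
HTTP/1.0 200 OK
Content-Type: text/html

<html>ok</html>
read:errno=0'
SAMPLE_TLS_ONLY='---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
read:errno=0'
SAMPLE_HANDSHAKE_FAIL='error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
---'
SAMPLE_NO_TLS='connect: Connection refused
connect:errno=111'

# Stand-alone demo: classify the samples, then probe a live host if one is
# given, e.g.  sh tlsprobe.sh 192.168.0.200 443
for t in "$SAMPLE_RESPONSE" "$SAMPLE_TLS_ONLY" "$SAMPLE_HANDSHAKE_FAIL" "$SAMPLE_NO_TLS"; do
    meaning="n/a (no session)"
    if tls_established "$t"; then meaning=$(verify_meaning "$(verify_code "$t")"); fi
    printf '%-8s  verify: %s\n' "$(triage "$t")" "$meaning"
done
if [ $# -ge 2 ]; then
    out=$(tls_probe "$1" "$2"); printf '%s\n' "$out"; echo "==> $(triage "$out")"
fi
```

Run it with no arguments to see the classifier on the samples; giving a host and port additionally probes a live service. The triage keys on the "Cipher is" line rather than on "Verify return code", because a failed handshake still prints the summary block with "0 (ok)", and it treats a completed handshake followed by nothing but a close (the errno=0 case) as the no-back-end signature.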
