5

I want to be sure a SSL/TLS connection is really being made to my SMTP Server on port 465. (The Server is running on Ubuntu 14.04)

Using:-

openssl s_client -connect example.co.uk:465

I get the responses shown below...

Notice I get the message:-

"Verify return code: 20 (unable to get local issuer certificate)"

Yet, I am able to continue the dialog with EHLO and AUTH LOGIN.

Does that mean I am "not" on a secure connection, and continuing on unencrypted?

Thanks John

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.co.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<removed for clarity>
-----END CERTIFICATE-----
subject=/CN=example.co.uk
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3050 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 5728D30BFCCB912A3DEC177610B5CF260F35B9E0F2E6F8E51FC8B59B80E377FD
    Session-ID-ctx: 
    Master-Key: 2E2B2E3A9AD05E4F8DF346C3E0C017ED2E8203D8C8391391F8F0042065FE7688DA8D836B5C31E3A5F9C77E8353CFA10C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1462293259
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
220 example.co.uk - Xeams SMTP server; Version: 4.9 - build: 5819; 5/3/16 5:34 PM
250-april.example.co.uk. Please to meet you
250-SIZE 20971520
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK
---
220 example.co.uk - Xeams SMTP server; Version: 4.9 - build: 5819; 5/3/16 5:37 PM
EHLO example.co.uk
250-april.example.co.uk. Please to meet you
250-SIZE 20971520
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
alexus
  • 13,112
  • 32
  • 117
  • 174
jradxl
  • 171
  • 1
  • 1
  • 5
  • `Verify return code: 20 (unable to get local issuer certificate)` means that `openssl s_client` doesn't have the CA certs used by your server in its list of trusted CAs it uses by default; you can use the `-CAfile` (or `-CApath`) options to point `s_client` at the list of trusted CAs. – Castaglia May 03 '16 at 19:41

2 Answers2

6

It's encrypted, but not authenticated.

Does that mean I am "not" on a secure connection, and continuing on unencrypted?

No. It is encrypted alright. But it is not authenticated. So while we do know that we are having an ENCRYPTED conversation we do not know WITH WHOM.

This shows that the connection is encrypted:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA

Try testssl.sh

You are using s_client without supplying the path to the trusted CAs. And OpenSSL does not trust any CAs by default anymore. I think it once did but then stopped 5+ years ago. And ever since then this unable-to-find-local-issuer error is what you get for just about every connection.

But that being said: just go straight for something better and explicitly engineered to test and rate SSL/TLS connections: http://testssl.sh/.

It is a nice wrapper around OpenSSL.

You may also try these to test encrypted SMTP: http://checktls.com/, https://www.htbridge.com/ssl/.

StackzOfZtuff
  • 1,842
  • 13
  • 21
2

output from your question, suggest that you're using SSL for that connection.

Non-SSL output would look like this:

$ openssl s_client -connect alexus.biz:80
CONNECTED(00000003)
139684765820832:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$
alexus
  • 13,112
  • 32
  • 117
  • 174