0

I have a TCP endpoint for a service running with a TLS (self-signed) certificate. To test this endpoint I use `openssl s_client -connect service.domain.com:5050`, which prints `CONNECTED(00000006)` and nothing else.

I have the cert & key for the self-signed certificate I am using for this endpoint. How can I use the key with the openssl command above?

If this is not possible with openssl, what other way can I test this?

roy
  • You _can_ tell `s_client` to trust a server's self-signed cert with `-CAfile` and/or `-CApath`; see the man page. But you don't need to; `s_client` is designed as a test/debug tool and even if the server cert isn't trusted `s_client` will continue with a warning (which is fairly subtle and easily missed). You appear to be getting no protocol response at all from the server. Try `s_client ... -debug` to see in much more detail what is happening. – dave_thompson_085 Oct 29 '19 at 04:14

2 Answers

1

`man s_client` reveals:

    -cert certname
        The certificate to use, if one is requested by the server. The default is not to use a certificate.

    -key keyfile
        The private key to use. If not specified then the certificate file will be used.

Look also at `-keyform` and `-certform` if necessary.

Also, nowadays, always using `-servername` (to enable SNI) makes sense.

Patrick Mevzek
  • Like this? `openssl s_client -cert ~/test/service_domain_com.crt -key ~/test/service_domain_com.key -servername service.domain.com:5050` – roy Oct 29 '19 at 14:14
0

I experienced a similar problem yesterday. That endpoint was a Microsoft IIS 8.0 server, which wasn't able to talk modern TLS 1.2 and 1.3, and `s_client` was stopping exactly after `CONNECTED(...)`. Another server only didn't support TLS 1.3. So, in my case, the `-tls1` or `-tls1_1` key of `s_client` helped.

Nikita Kipriyanov
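
The checks discussed in the comment and answers above, combined as an added example that is not from the original posts: it runs `s_client` once per protocol version with SNI and an optional `-CAfile`, then reduces each output to a one-line verdict so the easily missed verification result is explicit. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and verdict strings are hypothetical.

# Read s_client output on stdin and print a one-line verdict.
summarize_s_client() {
    awk '
        /^CONNECTED\(/ { connected = 1 }
        # "New, TLSv1.2, Cipher is ..." appears only after a completed handshake;
        # a failed one prints "New, (NONE), Cipher is (NONE)".
        /^New, / && !/\(NONE\)/ {
            p = $0; sub(/^New, /, "", p); sub(/,.*/, "", p); proto = p
        }
        # The certificate verification result (0 means the chain was trusted).
        /Verify return code:/ {
            v = $0; sub(/.*Verify return code: */, "", v); verify = v
        }
        END {
            if (!connected) print "no-connect"
            else if (proto == "") print "no-handshake"
            else if (verify == "") print "handshake " proto ": verify result missing"
            else if (verify ~ /^0 /) print "ok " proto
            else print "untrusted " proto ": " verify
        }'
}

# Try each protocol version against host:port.
# -servername sends SNI; -CAfile (optional third argument) is the PEM file
# holding the self-signed certificate to trust.
probe_tls() {
    host=$1; port=$2; cafile=$3
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        # "no-connect" also covers a flag the local openssl build lacks.
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                ${cafile:+-CAfile "$cafile"} "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(printf '%s\n' "$out" | summarize_s_client)"
    done
}

# Usage: sh probe.sh service.domain.com 5050 [path/to/cert.pem]
if [ "$#" -ge 2 ]; then
    probe_tls "$@"
fi
```

A `no-handshake` verdict for every version matches the question's symptom of `CONNECTED(...)` and nothing else; at that point `-debug`, as suggested in the comment, shows what the server actually sends.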