2

I am working with an external company. Let's call them evilcorp.com. I want to use openssl to debug a two-way SSL handshake.

  • https://evilcorp.com is set up to not require client authentication.
  • https://evilcorp.com/webservices is set up to require client authentication.

How can I specify this path in openssl? So basically this works:

openssl s_client -connect evilcorp.com:443 

But this does not work and gives me a gethostbyname failure:

openssl s_client -connect evilcorp.com/webservices:443 

How can I get this to work (if possible)?

jww
arahant
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/), [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Sep 09 '16 at 19:22
  • So I'm clear... You provide fake information: *"lets call them `evilcorp.com`"*; the lookup with the {fake|real} name fails: *"...gives me gethostbyname failure"*; and you somehow want us to help you with it? How, exactly, are we supposed to help when you don't provide real information? What more can we say other than "use the right name"? – jww Sep 09 '16 at 19:26
  • 1
    Shouldn't you be requesting connection to a valid url? I.e. port then path: `evilcorp.com:443/webservices`. But I'm not sure it makes sense to specify path as connection doesn't use it. It doesn't sound like you're using the right tool to test details specific to requests. – HonoredMule May 10 '17 at 20:03

2 Answers

3

You have a very simple error in the address. Here's the fix:

"openssl s_client -connect evilcorp.com:443/webservice"

You had the 443 at the end - it needs to go directly after the domain name.

JakeJ
2

I'm not sure if this can be done at all but if it can be done then you first have to use openssl to connect to the clients host and already specify the client certificates. Then inside the successful connection you need to speak HTTP to access the relevant page.

I.e. you first connect:

 $ openssl s_client -connect host:port -cert cert.pem -key key.pem
 ... CONNECTED
 ... Verify return code...
 ---

And then access the URL using the HTTP protocol

 GET /protected_page/ HTTP/1.0
 Host: example.org
 <empty line>

Note that the last line must be an empty line according to the HTTP protocol. It might also be that you need to use the -crlf option in openssl to get the line ends correct in case you have a strict web server. If all goes right the server should now issue a renegotiation request to the client, i.e. another TLS handshake is done.

Steffen Ullrich
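The procedure from the answer above as a script, added here as an example (not code from either answer): the URL is split into the `host:port` that `-connect` accepts and the path that travels inside the TLS session as an HTTP request. The function names are hypothetical, and only hostnames are handled (no IPv6 literals).

```shell
#!/bin/sh
# Added example. The TLS handshake only ever sees host:port; the path is
# sent afterwards as HTTP, and only then can the server ask for a client cert.

# url_host_port URL -> prints "host:port" (port defaults to 443)
url_host_port() {
    rest=${1#https://}          # drop the scheme
    authority=${rest%%/*}       # everything before the first slash
    case $authority in
        *:*) printf '%s\n' "$authority" ;;
        *)   printf '%s:443\n' "$authority" ;;
    esac
}

# url_path URL -> prints the path, "/" when the URL has none
url_path() {
    rest=${1#https://}
    case $rest in
        */*) printf '/%s\n' "${rest#*/}" ;;
        *)   printf '/\n' ;;
    esac
}

# http_request URL -> HTTP/1.0 request with CRLF line ends and the
# terminating empty line, so -crlf is not needed on the openssl side
http_request() {
    hp=$(url_host_port "$1")
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$(url_path "$1")" "${hp%%:*}"
}

# tls_debug_path URL CERT KEY -> handshake with host:port, then request the path.
# -state prints handshake state changes, so a second handshake triggered by
# the protected path is visible; -ign_eof keeps the session open until the
# server closes it. TLS 1.3 has no renegotiation: add -enable_pha
# (OpenSSL 1.1.1+) so the server can request the certificate post-handshake.
tls_debug_path() {
    hp=$(url_host_port "$1")
    http_request "$1" |
        openssl s_client -connect "$hp" -servername "${hp%%:*}" \
            -cert "$2" -key "$3" -state -ign_eof
}

# Usage (needs network access and a real client certificate):
#   tls_debug_path https://evilcorp.com/webservices cert.pem key.pem
```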