
I am trying to automate a TLS handshake and get the session information in a .pem file, using the following command:

openssl s_client -connect www.domain.com:443 -sess_out domain.pem

Every time that command is entered, a connection is started and waits for a user input (such as GET). My first goal would be to avoid that (just close the session when the session information is received, and move to the next domain). The second goal is to get the session information.

This thread gives a partial solution that works just fine when TLS 1.2 is negotiated (as setting the session is part of the handshake): https://unix.stackexchange.com/questions/47852/openssl-s-client-hangs

So for readers trying to solve the issue for TLS 1.2, here is a good solution:

echo -n | openssl s_client -connect www.domaintls1-2.com:443 -sess_out ticket1-2.pem

Now my problem is that for TLS 1.3, the session information is sent AFTER the handshake. So I need to initiate a GET (or HEADER, or even send a bad request) to get the post-handshake new session ticket, and have it being saved in that .pem file.

It works fine when done manually, but using an echo isn't working (I tried echo "GET" | openssl ..., openssl ... <<< GET, and openssl s_client -connect www.domaintls1-3.com:443 -sess_out test1_3.pem < /dev/null), but in all these cases I guess the connection is simply closed after the handshake and doesn't take the coming post-handshake tickets into account to be saved in the .pem file.

I'd be happy to test any suggestions, I am running out of ideas!

System: Ubuntu 20.01

OpenSSL version 1.1.1f 31 Mar 2020

Edit: Changed the title to emphasize that problem is with post-handshake information

jess
  • When using a pipe for stdin, s_client will close when it hits EOF. Therefore, as you correctly identified above the connection is closed as soon as the "GET" command is sent. To get around this you can use the s_client option "-ign_eof" which will keep the s_client process running regardless of the EOF. Unfortunately you then will have to subsequently close it somehow...I don't have a solution for that. – Matt Caswell Apr 29 '21 at 10:53
  • If your total handshake time is consistently not more than $X, `sleep $X | openssl s_client ...` With GNU coreutils you can even use fractional seconds. This depends on your network(s) or server(s) not too often taking longer because e.g. someone downloaded a video, or the cat walked past the AP. PS: Ubuntu only does releases in .04 April and .10 October. And this isn't really a programming question. – dave_thompson_085 Apr 29 '21 at 11:27
  • My issue is not really about closing connection, which can also be done using the above commands. But about retrieving the Post-Handshake New Session Ticket that I can see when entering GET manually, but not through an echo or something. @dave_thompson_085 sorry if this is the wrong place to post, I saw some similar issues posted here so I figured I might add my problem here, in the end I just feel like I am typing the wrong command (so programming issue still?) – jess Apr 29 '21 at 14:56
  • Topicality of SO has gotten stricter recently (about the past 2 years) because there are now about a hundred other stacks to handle most computer-related and some non-computer-related topics. But there remain many older Qs (and As) asked on SO years ago when there were fewer or no better options. Here there's a rather fuzzy border: merely running or using programs is not programming, but shell _scripting_ can be, and other primarily-scripting languages like perl, powershell, autohotkey. But as I said, `sleep` is the simple answer to your problem. – dave_thompson_085 Apr 29 '21 at 23:51
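An added example, not part of jess's question or of the comments above: a script that takes Matt Caswell's -ign_eof hint and pairs it with an HTTP/1.0 request carrying "Connection: close", so that the server, not s_client, ends the connection once it has answered (by which point its post-handshake NewSessionTicket has been sent and s_client has written it to the -sess_out file). The script name, the TIMEOUT default and the hosts given on the command line are assumptions; the session-file check relies on the standard "openssl sess_id -text" output.

```bash
#!/bin/sh
# Added example (not from the question or comments): save one TLS session
# ticket per host with s_client, with no interactive input.
#
# Why `echo | openssl s_client -sess_out ...` is enough for TLS 1.2 but not
# for TLS 1.3: in 1.3 the NewSessionTicket is a post-handshake message, and
# s_client shuts the connection down as soon as stdin reaches EOF, which is
# usually before that message has arrived. Two changes fix it:
#   * -ign_eof keeps s_client reading the socket after stdin closes;
#   * an HTTP/1.0 request with "Connection: close" makes the server end the
#     connection itself after answering, so s_client exits on its own.
# `timeout` is a safety net for servers that keep the connection open anyway.

TIMEOUT="${TIMEOUT:-10}"   # seconds allowed per host (assumed value, tune it)

# save_session HOST OUTFILE
# Returns 0 and leaves the PEM-encoded session in OUTFILE, 1 otherwise.
save_session() {
    host="$1"; out="$2"
    rm -f "$out"
    printf 'GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" \
      | timeout "$TIMEOUT" openssl s_client -connect "$host:443" -servername "$host" \
            -ign_eof -sess_out "$out" >/dev/null 2>&1
    # The exit status of the pipeline is not meaningful here (a timeout and a
    # server-side close both end s_client), so judge success by the file.
    # For TLS 1.3 s_client writes OUTFILE when the ticket arrives, so a
    # non-empty file means a ticket was actually received.
    [ -s "$out" ]
}

# protocol_from_sess_text
# Reads `openssl sess_id -text` output on stdin and prints the protocol
# version line ("Protocol  : TLSv1.3" becomes "TLSv1.3").
protocol_from_sess_text() {
    sed -n 's/^ *Protocol *: *//p'
}

# session_protocol OUTFILE
# Prints the protocol version recorded in a saved session file; fails if
# the file is missing or empty.
session_protocol() {
    [ -s "$1" ] || return 1
    openssl sess_id -in "$1" -noout -text 2>/dev/null | protocol_from_sess_text
}

# Usage (hosts are assumptions):  sh save_tickets.sh www.example.com www.example.org
for host in "$@"; do
    if save_session "$host" "$host.pem"; then
        echo "$host: saved $(session_protocol "$host.pem") session to $host.pem"
    else
        echo "$host: no session saved" >&2
    fi
done
```

Two caveats a practitioner will hit: a server that sends several tickets (OpenSSL-based servers send two by default) overwrites the -sess_out file on each arrival, so the file holds the last ticket only, which is fine for resumption; and a server that ignores "Connection: close" leaves s_client waiting, which is what the `timeout` guard is for (the ticket has already been written by then). If you prefer dave_thompson_085's approach, replace the printf with `sleep "$TIMEOUT"` and drop -ign_eof: stdin then stays open long enough for the ticket to arrive and its EOF closes the connection, at the cost of depending on timing rather than on the server closing.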

0 Answers