openssl s_client using a proxy

openssl s_client -connect some.https.server:443 -showcerts

is a nice command to run when you want to inspect the server's certificates and its certificate chain.

Is there a way to run this command when you are behind an HTTP/HTTPS proxy?

Officially not.

But here's a patch: http://rt.openssl.org/Ticket/Display.html?id=2651&user=guest&pass=guest


You can use proxytunnel:

proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000

and then you can do this:

openssl s_client -connect localhost:7000 -showcerts

Hope this can help you!


For anyone coming here as of post-May 2015: there's a new "-proxy" option that will be included in the next release of openssl: https://rt.openssl.org/Ticket/Display.html?id=2651&user=guest&pass=guest


since openssl v1.1.0

C:\openssl>openssl version
OpenSSL 1.1.0g  2 Nov 2017
C:\openssl>openssl s_client -proxy 192.168.103.115:3128 -connect www.google.com -CAfile C:\TEMP\internalCA.crt
CONNECTED(00000088)
depth=2 DC = com, DC = xxxx, CN = xxxx CA interne
verify return:1
depth=1 C = FR, L = CROIX, CN = svproxysg1, emailAddress = xxxx@xxxx.xx
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=xxxx/L=xxxx/CN=svproxysg1/emailAddress=xxxx@xxxx.xx
 1 s:/C=xxxx/L=xxxx/CN=svproxysg1/emailAddress=xxxx@xxxx.xx
   i:/DC=com/DC=xxxxx/CN=xxxxx CA interne
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIJAIv4/hQAAAAAMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
BAYTAkZSMQ4wDAYDVQQHEwVDUk9JWDETMBEGA1UEAxMKc3Zwcm94eXNnMTEeMBwG


Even with openssl v1.1.0 I had some problems passing our proxy, e.g. s_client: HTTP CONNECT failed: 400 Bad Request. That forced me to write a minimal Java class to show the SSL handshake:

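    import java.io.IOException;
    import java.net.URI;
    import java.net.URISyntaxException;
    import org.apache.http.HttpHost;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.client.utils.URIBuilder;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.impl.conn.DefaultProxyRoutePlanner;
    // Wrapper class name is a placeholder; the post showed only main().
    public class SslHandshakeDemo {
        public static void main(String[] args) throws IOException, URISyntaxException {
            HttpHost proxy = new HttpHost("proxy.my.company", 8080); // HTTP proxy to tunnel through
            DefaultProxyRoutePlanner routePlanner = new DefaultProxyRoutePlanner(proxy);
            CloseableHttpClient httpclient = HttpClients.custom()
                    .setRoutePlanner(routePlanner)
                    .build();
            URI uri = new URIBuilder()
                    .setScheme("https")
                    .setHost("www.myhost.com")
                    .build();
            HttpGet httpget = new HttpGet(uri);
            httpclient.execute(httpget); // triggers CONNECT to the proxy, then the TLS handshake
        }
    }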

With the following dependency:

    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.2</version>
        <type>jar</type>
    </dependency>

You can run it with Java SSL logging turned on.

This should produce nice output like

trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Mon Jun 21 06:00:00 CEST 1999 until Mon Jun 22 06:00:00 CEST 2020

adding as trusted cert:
  Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Issuer:  CN=SecureTrust CA, O=SecureTrust Corporation, C=US
(....)
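What `s_client -proxy` and proxytunnel do on the wire, as an added example that is not part of the original answers: send an HTTP CONNECT to the proxy, check the status line (the "400 Bad Request" case above surfaces as an error), then run the TLS handshake inside the tunnel and return the presented certificate. Function names and the `yourproxy:8080` placeholder are assumptions for illustration.

```python
import socket
import ssl

def build_connect_request(host, port, user_agent="cert-fetch-example"):
    """HTTP/1.1 CONNECT request asking the proxy for a raw tunnel to host:port."""
    target = f"{host}:{port}"
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n"
            f"User-Agent: {user_agent}\r\n\r\n").encode("ascii")

def parse_connect_response(head):
    """Return (status_code, reason) from the proxy's reply headers."""
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")

def fetch_leaf_cert_via_proxy(proxy_host, proxy_port, host, port=443, timeout=10):
    """Open a CONNECT tunnel, run the TLS handshake, return the leaf cert as PEM."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        head = b""
        while b"\r\n\r\n" not in head:      # read until the end of the proxy headers
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection")
            head += chunk
        code, reason = parse_connect_response(head)
        if code != 200:                      # e.g. 400 Bad Request, 407 auth required
            raise ConnectionError(f"HTTP CONNECT failed: {code} {reason}")
        # Inspection only: verification is off so the presented certificate is
        # returned even when it was issued by an intercepting proxy's internal CA.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    finally:
        sock.close()

if __name__ == "__main__":
    # Constructed values: replace with your own proxy and target host.
    print(fetch_leaf_cert_via_proxy("yourproxy", 8080, "www.google.com"))
```

Pipe the PEM output to `openssl x509 -noout -issuer -subject` to see whether the leaf was issued by the proxy's own CA, as in the `svproxysg1` chain shown in the earlier answer.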


Comments
  • It appears actually that as of May 22 2015, that patch was actually implemented. I also see in the
  • I had to make proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000 run in the background to free up the terminal for the second command.
  • proxytunnel supports proxy auth, which (afaict) openssl s_client -proxy doesn't, at least not in 1.1.0h.
  • I just tried OpenSSL 1.0.2g 1 Mar 2016 (Windows), and it doesn't know anything about a proxy option. Why?
  • Is it ok to update openssl package to a version that isn't bundled with the OS?
  • @ChristianSchäfer It's because version 1.0.2xx is not a "next release". This option available only in OpenSSL 1.1.0xx and later.
  • Indeed, see manual page openssl.org/docs/man1.1.0/apps/openssl-s_client.html#OPTIONS
  • Downloaded 1.1.1 source, tried this syntax. Worked perfectly. Cheers.
  • thanks, I have not noticed the -proxy option, but I wonder if instead of it, it should consider proxy envvars.
  • Raul, I have not found "http_proxy" in the source code, so I consider that the proxy environment variable is not supported