Following my blog post RFC 6176 - what’s in for you [2], I received a couple of emails asking how to connect (for testing) with SSL/TLS to an SMTP, IMAP, POP3 or FTP server, since the brief examples in that post were vague.
First of all, when using SSL/TLS with an SMTP, IMAP or POP3 server, you can use either STARTTLS or an SSL-wrapped service.
Using STARTTLS with IMAP or POP3 is described within RFC 2595. [1]
Using STARTTLS with SMTP is described within RFC 2487. [3]
Normally you connect to the regular SMTP, IMAP or POP3 port and request the start of a secure connection with the STARTTLS command (the exact command varies per protocol); usually the SMTP port is TCP port 25, the IMAP port is TCP port 143 and the POP3 port is TCP port 110.
An SSL-wrapped service means that you connect directly with SSL/TLS to a port that listens for SSL/TLS connections; usually the SMTPS port is TCP port 465, the IMAPS port is TCP port 993 and the POP3S port is TCP port 995.
With FTP, you can have explicit FTP over SSL [6] or implicit FTP over SSL. [7]
With explicit FTP over SSL you usually connect to the FTP TCP port 21 and request the start of a secure connection with the AUTH TLS command.
With implicit FTP over SSL, you connect directly with SSL/TLS to a port that listens for SSL/TLS connections; usually this is TCP port 990.
In terms of test clients you have two nice utilities, openssl s_client [4] and gnutls-cli. [5]
Both OpenSSL and GnuTLS can be installed on Linux and Windows (or Mac).
OpenSSL provides support for SSL 2.0, SSL 3.0 and TLS 1.0; plus it has support for ECC.
GnuTLS, version 2.10+, provides support for SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.
Probably the simplest way to test is with openssl s_client.
-------
openssl s_client
For STARTTLS we have the -starttls option, which takes smtp, pop3, imap or ftp as its argument.
Example:
openssl s_client -starttls smtp -crlf -connect 'servername:port'
openssl s_client -starttls pop3 -crlf -connect 'servername:port'
openssl s_client -starttls imap -crlf -connect 'servername:port'
openssl s_client -starttls ftp -crlf -connect 'servername:port'
---
For a wrapped service or implicit FTP over SSL we connect with openssl s_client just as we would to an HTTPS server:
openssl s_client -connect servername:port
Example, for SMTPS:
openssl s_client -crlf -connect smtp.gmail.com:465
---
You can play as usual with the needed protocols or cipher suites.
Once the connection has been established, you can test your server just as you would with a telnet client.
-------
gnutls-cli
With gnutls-cli, for STARTTLS or explicit FTP over SSL we need to “work” a little.
Basically we enter something like:
gnutls-cli -s -p 'portnumber' --crlf --insecure 'servername'
---
- Example, for SMTP (a real-world session follows below; in the original the commands I typed were shown in green, here they are EHLO wee, STARTTLS and Ctrl-D), we enter:
gnutls-cli -s -p 25 --crlf --insecure smtp.example.net
Then at the prompt enter EHLO.
The server lists its extensions; you should spot STARTTLS among them.
Next at the prompt enter STARTTLS. The server should answer 220, so you can start the TLS connection.
Then hit Ctrl-D (I believe on Windows it is Ctrl-Z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.
gnutls-cli -s -p 587 --crlf --insecure smtp.live.com
Resolving 'smtp.live.com'...
Connecting to '65.55.172.254:587'...
- Simple Client Mode:
220 BLU0-SMTP11.blu0.hotmail.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Tue, 22 Mar 2011 12:43:19 -0700
EHLO wee
250-BLU0-SMTP11.blu0.hotmail.com Hello [86.104.57.241]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
STARTTLS
220 2.0.0 SMTP server ready
Ctrl-D
*** Starting TLS handshake
-----output omitted-----
---
- Example, for POP3, we enter:
gnutls-cli -s -p 110 --crlf --insecure pop3.example.net
Then at the prompt enter STLS.
The server should answer OK, so you can start the TLS connection.
Next hit Ctrl-D (I believe on Windows it is Ctrl-Z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.
---
- Example, for IMAP, we enter:
gnutls-cli -s -p 143 --crlf --insecure imap.example.net
Then at the prompt enter . STARTTLS.
The server should answer OK, so you can start the TLS connection.
Next hit Ctrl-D (I believe on Windows it is Ctrl-Z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.
---
- Example, for explicit FTP over SSL, we enter:
gnutls-cli -s -p 21 --crlf --insecure ftp.example.net
Then at the prompt enter AUTH TLS.
The server should answer 234, so you can start the TLS connection.
Next hit Ctrl-D (I believe on Windows it is Ctrl-Z, but on the GnuTLS Windows version this does not seem to work properly, at least on my Win7 machine) to start the TLS handshake.
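The manual sessions above (and the -starttls option of openssl s_client) all do the same thing: talk plaintext until the server agrees to switch, then run the TLS handshake on the same socket. The script below is an added example, not code from the original post, that does this by hand for the four protocols so you can see exactly which command is sent and which reply is required before the handshake (EHLO/STARTTLS and 220 for SMTP, STLS and +OK for POP3, a tagged STARTTLS and OK for IMAP, AUTH TLS and 234 for FTP, per RFC 2487, RFC 2595 and RFC 4217 cited below). Unlike the --insecure sessions in the post it verifies the server certificate. The helo name probe.example, the tag a001 and the SMTP_SCRIPT transcript are constructed for the example; starttls_probe needs a real server, the scripted_conn path runs offline.

```python
"""Hand-driven STARTTLS for SMTP, POP3, IMAP and explicit FTP (added example, not the post's code).
It performs the plaintext exchange that `openssl s_client -starttls <proto>` does internally and
that the gnutls-cli sessions above do by hand, then upgrades the socket with Python's ssl module.
Reply codes follow RFC 2487, RFC 2595 and RFC 4217 as cited in the post; SMTP_SCRIPT is a
constructed transcript so the negotiation logic can be exercised offline."""
import io
import socket
import ssl

class StartTlsError(Exception):
    """The server refused, or never offered, the switch to TLS."""

class Conn:
    """Line-oriented plaintext channel: rfile is a binary file-like, send takes str (may be a no-op)."""
    def __init__(self, rfile, send):
        self._f, self._send, self.sent = rfile, send, []
    def readline(self):
        line = self._f.readline()
        if not line:
            raise StartTlsError("connection closed before TLS was negotiated")
        return line.rstrip(b"\r\n").decode("ascii", "replace")
    def send(self, text):
        self.sent.append(text)  # keep a record of what we said, for logging and tests
        self._send(text)

def scripted_conn(replies):
    """Offline stand-in for a server: canned reply lines in, outgoing commands go nowhere."""
    return Conn(io.BytesIO("".join(r + "\r\n" for r in replies).encode("ascii")), lambda s: None)

def read_reply(conn):
    """SMTP/FTP multi-line reply: 'NNN-text' lines continue, 'NNN text' ends it."""
    lines = [conn.readline()]
    while len(lines[-1]) >= 4 and lines[-1][3] == "-":
        lines.append(conn.readline())
    return lines

def expect_code(reply, code):
    if not reply[-1].startswith(code):
        raise StartTlsError(f"expected {code}, got {reply[-1]!r}")

def smtp_pre_tls(conn, helo_name="probe.example"):
    expect_code(read_reply(conn), "220")  # banner
    conn.send(f"EHLO {helo_name}\r\n")
    ehlo = read_reply(conn)
    expect_code(ehlo, "250")
    # The first EHLO line names the server; each following line carries one extension keyword.
    keywords = {ln[4:].split(" ", 1)[0].upper() for ln in ehlo[1:] if len(ln) > 4}
    if "STARTTLS" not in keywords:  # fail closed: a missing offer is what a downgrade looks like
        raise StartTlsError("STARTTLS not advertised; not continuing in plaintext")
    conn.send("STARTTLS\r\n")
    expect_code(read_reply(conn), "220")

def pop3_pre_tls(conn):
    if not conn.readline().startswith("+OK"):
        raise StartTlsError("unexpected POP3 banner")
    conn.send("STLS\r\n")
    line = conn.readline()
    if not line.startswith("+OK"):
        raise StartTlsError(f"STLS refused: {line!r}")

def imap_pre_tls(conn, tag="a001"):
    if not conn.readline().startswith("* OK"):
        raise StartTlsError("unexpected IMAP banner")
    conn.send(f"{tag} STARTTLS\r\n")
    line = conn.readline()
    while not line.startswith(tag + " "):  # skip untagged responses until our tag is answered
        line = conn.readline()
    if not line.startswith(f"{tag} OK"):
        raise StartTlsError(f"STARTTLS refused: {line!r}")

def ftp_pre_tls(conn):
    expect_code(read_reply(conn), "220")
    conn.send("AUTH TLS\r\n")
    expect_code(read_reply(conn), "234")

PRE_TLS = {"smtp": smtp_pre_tls, "pop3": pop3_pre_tls, "imap": imap_pre_tls, "ftp": ftp_pre_tls}

def starttls_probe(host, port, proto, timeout=10):
    """Live check: negotiate STARTTLS against host:port and report what was agreed."""
    sock = socket.create_connection((host, port), timeout=timeout)
    PRE_TLS[proto](Conn(sock.makefile("rb"), lambda s: sock.sendall(s.encode("ascii"))))
    ctx = ssl.create_default_context()  # unlike --insecure above, this verifies chain and hostname
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in tls.getpeercert()["subject"])}

# Constructed SMTP transcript modelled on the smtp.live.com session in the post.
SMTP_SCRIPT = ["220 mail.example.net ESMTP ready", "250-mail.example.net Hello [192.0.2.10]",
               "250-SIZE 41943040", "250-PIPELINING", "250-STARTTLS", "250 OK",
               "220 2.0.0 SMTP server ready"]
```

Running `smtp_pre_tls(scripted_conn(SMTP_SCRIPT))` sends exactly EHLO and STARTTLS, the two commands typed in the session above; a script whose EHLO reply lacks STARTTLS makes it raise instead of carrying on in the clear, which is the check a plain telnet-style session never does for you. `starttls_probe("smtp.example.net", 587, "smtp")` does the same against a live server and returns the negotiated protocol version, cipher and certificate subject.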
---
For a wrapped service or implicit FTP over SSL we connect with gnutls-cli just as we would to an HTTPS server:
gnutls-cli -p 'portnumber' --insecure --crlf 'servername'
Example, for SMTPS:
gnutls-cli -p 465 --insecure --crlf smtp.gmail.com
---
You can play as usual with the needed protocols or cipher suites.
Once the connection has been established, you can test your server just as you would with a telnet client.
-------
References
[1] Using TLS with IMAP, POP3 and ACAP
http://www.ietf.org/rfc/rfc2595.txt
[2] RFC 6176 - what’s in for you
http://www.carbonwind.net/blog/post/RFC-6176-what’s-in-for-you.aspx
[3] SMTP Service Extension for Secure SMTP over TLS
http://www.ietf.org/rfc/rfc2487.txt
[4] OpenSSL: Documents, s_client(1)
http://www.openssl.org/docs/apps/s_client.html
[5] gnutls-cli(1): GNU TLS test client - Linux man page
http://linux.die.net/man/1/gnutls-cli
[6] Securing FTP with TLS
http://www.ietf.org/rfc/rfc4217.txt
[7] FTPS
http://en.wikipedia.org/wiki/FTPS#Implicit