I'm using command line on Windows 7 or Windows Command Processor. I'm trying to connect to gmail pop server (pop.gmail.com) on port 995 because that is what I have seen on other Web sites. I want at least to get an "+OK Hello there" message. This is the command I wrote:
telnet pop.gmail.com 995
I'm not getting any answer. What am I doing wrong?
Port 995 is for SSL connection. You cannot do it with telnet.
You could probably try OpenSSL and to test it that way.
openssl s_client -connect pop.gmail.com:995 -quiet
More info on OpenSSL for Windows is here:
OpenSSL for Windows
ADDED:
I have just tested with openssl command I gave you above. It works like a charm:
user#localhost$ openssl s_client -connect pop.gmail.com:995 -quiet
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
+OK Gpop ready for requests from 11.11.111.11 v45pf1517914yhk.21
Related
I am trying to access the Outlook mail server via IMAP using PHP. As this is not working as intended and the error messages are not helping, I looked up ways to test the basic connectivity and came across the following line of code:
openssl s_client -connect outlook.office365.com:993
This should, supposedly, let me connect to the mail server using an encrypted connection, so that I can then issue some commands to actually log in etc.
However, the command only generates the following output:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I have tried researching the error message (write:errno=104), which lead to some suggestions like enforcing TLSv1.2 using the -tls1_2 parameter, neither of which made any difference.
Can someone point me in the right direction? I already ran this command on Ubuntu and Windows 10 using the latest version of OpenSSL.
I can connect using your command, but I needed to force \r\n line ending characters using the -crlf option when connecting in order to be able to type commands and have the server recognise them.
You can also add -quiet to reduce the amount of output:
openssl s_client -connect outlook.office365.com:993 -crlf -quiet
However, it seems the connection is getting reset in your case. This means there's some sort of network issue. There might be a firewall blocking your access to port 993 on outlook.office365.com. e.g. this might be the case if you normally have to connect via a proxy server.
Recent versions of openssl s_client have a -proxy option, but don't seem to allow specifying a proxy username and password. Also it might not work with your proxy even if you don't need to authenticate to the proxy server. One workaround might be to use http://ntlmaps.sourceforge.net/. I have tried it in the past, but it was over 15 years ago.
You could also try using cURL's IMAP support instead of openssl s_client, since it has better proxy support.
Another possibility is to connect to port 143 and use STARTTLS instead of connecting to port 993. Obviously if port 993 is firewalled then port 143 might also be, but in your case it seems like it is allowed:
openssl s_client -connect outlook.office365.com:143 -starttls imap -crlf -quiet
If you are behind a proxy and can't connect to the IMAP server directly, then you can also use something like EmailEngine that handles connections itself and allows access mailbox contents via a REST API.
I'm running PHPMailer with OpenSSL on XAMPP on Windows.
I'm having trouble establishing TLS-encrypted SMTP connections to our mail gateway.
I've turned on SMTP transcript debugging for PHPMailer. The transcript is not super informative IMO:
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT: 220 redactedmailserver.example.com ESMTP Postfix
[06-Feb-2019 13:48:08 timezone/redacted] CLIENT -> SERVER: EHLO redactedclientname
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT: 250-redactedmailserver.example.com
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
250-AUTH=CRAM-MD5 PLAIN LOGIN DIGEST-MD5
250-ENHANCEDSTATUSCODES
250 8BITMIME
[06-Feb-2019 13:48:08 timezone/redacted] CLIENT -> SERVER: STARTTLS
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
[06-Feb-2019 13:48:08 timezone/redacted] SMTP Error: Could not connect to SMTP host.
[06-Feb-2019 13:48:08 timezone/redacted] CLIENT -> SERVER: QUIT
[06-Feb-2019 13:48:08 timezone/redacted] SERVER -> CLIENT:
[06-Feb-2019 13:48:08 timezone/redacted] SMTP ERROR: QUIT command failed:
[06-Feb-2019 13:48:08 timezone/redacted] SMTP Error: Could not connect to SMTP host.
[06-Feb-2019 13:48:08 timezone/redacted] SMTP Error: Could not connect to SMTP host.
The transcript does, at least, prove that the error message is misleading; PHPMailer is successfully connecting to the SMTP server, but something is going wrong with STARTTLS. The error message and transcript give no hint as to what the specific TLS problem might be, though.
Similar symptoms are described in a closed issue on the PHPMailer Github, but the issue resolution there involved troubleshooting the connection using the OpenSSL command line client, as described in the PHPMailer troubleshooting page. This page gives some instructions on how to test the underlying OpenSSL connection outside of the PHP context, which should give details of why the connection might be failing. It says to run the following command:
echo QUIT | openssl s_client -starttls smtp -crlf -connect redactedemailserver.example.com:587
I imagine this works in bash on Linux, but I'm running XAMPP on Windows. I tried running a hopefully-equivalent PowerShell command:
echo QUIT | C:\xampp\php\extras\openssl\openssl.exe s_client -starttls smtp -crlf -connect redactedemailserver.example.com:587
But nothing seems to happen. A fresh PowerShell prompt reappears, and there is no apparent output from openssl.
I also tried running the command without the echo QUIT |. Still, nothing happened.
On Windows, what PowerShell/openssl.exe commands can I use to determine why the STARTTLS is failing?
Version numbers:
XAMPP 7.1.7
PHP 7.1.7
PHPMailer 6.0.6
OpenSSL 1.0.2l
XAMPP 7.1.7 includes two copies of openssl.exe.
The copy located in C:\xampp\php\extras\openssl doesn't work. When launched from PowerShell, nothing happens. When launched from Command Prompt, an error message box appears that says The ordinal 4070 could not be located in the dynamic link library. This appears to possibly be the result of a bad build.
The copy located in C:\xampp\apache\bin, however, works as described in the PHPMailer troubleshooting guide.
So the answer to my original question is to just run the command as given in the troubleshooting guide, but using the not-broken copy of openssl.exe:
echo QUIT | C:\xampp\apache\bin\openssl.exe s_client -starttls smtp -crlf -connect redactedemailserver.example.com:587
I have a questions about using SSL with self-signed certificate.
I was using this example here http://people.apache.org/~gmazza/restexamples/https-clientserver-grizzly
The unit test works perfectly. However, if I started grizzly server, and try to use curl to get the resources, I got errors like:
curl -v https://localhost:8443/api/v1/hello
* Adding handle: conn: 0x7ff69b004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ff69b004400) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8443 (#0)
* Trying ::1...
* Trying fe80::1...
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
I already add the certificate to the system key chains with always trusted for all categories. Still, no browser can get the resource. Here is the error message I got from Chrome.
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
Has anyone else encountered the same problem?
ADD:
For curl, I was generating java keystore and cert using key tool
keytool -genkey -keystore ./keystore_server -alias serverKey -dname "CN=localhost, OU=Jersey, O=Sun Microsystem, L=Prague, ST=Czech Republic, C=CZ"
keytool -export -alias serverKey -rfc -keystore ./keystore_server > ./server.cert
openssl x509 -in server.cert -inform PEM -text -out server.pem
I then ran
curl -E server.pem -v https://localhost:8443/api/v1/hello -u "username:password"
However, I got same error as before.
For browsers, I have now gotten it worked for Firefox and Chrome. However, I am still having trouble with Safari. I got error message saying that Safari cannot open the page because safari cannot establish a secure connection to the server.Anyone has any idea how can I make safari happy?
However, if I started grizzly server, and try to use curl to get the resources, I got errors like...
cURL does not use the operating system's keychain. The exception to the rule is if cURL is built against SecureTransport for iOS or OS X. See curl.1 the man page and the -E or --cert option. And even in that case, its not for trusted anchors.
If you have a particular CA you would like to use to certify the server, then you should specify it with the --cacert option. You can also specify the cacert.pem bundle with this option. See curl.1 the man page.
Chrome ... Error code: ERR_SSL_PROTOCOL_ERROR
This is a different issue. Chrome uses the operating system's keystore. See the Chromium Projects' Root Certificate Policy.
To fix it, you might want to look at Getting Chrome to accept self-signed localhost certificate.
It might be a good idea to post the certificate with your question. Use the following to generate it (assuming its PEM encoded):
openssl x509 -in <cert> -inform PEM -text -noout
Has anyone else encountered the same problem?
Others have probably experienced the issue, too.
I want to send IMAP commands via Mac OS X Terminal to server and get response. I can connect to the server using this line:
openssl s_client -connect imap.gmail.com:993
And I can successfully login:
? LOGIN m.client2 passwordhere
But all other commands do not work, no response from server. I tried for instance this:
? LIST "" "*"
? SELECT INBOX
Found an error by help of a friend:
openssl s_client -connect imap.gmail.com:993 -crlf
-crlf is critical
Try this, this should works for you (replace the first line by your
openssl s_client -connect imap.gmail.com:993 -crlf
command (mandatory -crlf) & type only the blue part) :
First thing first, is imap activated on your gmail account???
if you are able to login successfully that means ssl is working fine.
whats the return code that you get for
a1 LOGIN m.client2 passwordhere command.
have you tried the command
a1 capability
try other alternative commands since not all IMAP servers implementa all the IMAP commands.
I have faced this issue while I was creating the data migration tools for different vendors like gmail rediffmail yahoo...
A few more options to consider: You may be connecting to a server offering STARTTLS (esp. for IMAP on port 143) in which case you can tell openssl to proceed in negotiating this, you need to specify which protocol you're using (choose from pop3, imap, smtp, ftp); the -crlf option has been mentioned by others, and I also find the -showcerts option useful if I'm debugging an SSL/TLS configuration. So for example you might end up with,
openssl s_client -showcerts -connect target.server.name.here:143 -starttls imap
More options with the relevant man page if you've got that available,
man s_client
For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.
However, wget (even when using the --no-check-certificate flag) reports:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If I run the OpenSSL client against my server using:
openssl s_client -connect dnvista:82 -debug
I get back:
verify error:num=19:self signed certificate in certificate chain
verify return:0
and then
5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
Do wget and the OpenSSL client simply not work with self-signed certificates?
UPDATE:
For anyone that comes along later, adding this code helped with the OpenSSL client and Firefox:
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.
To do this, specify the certificate as --ca-certificate=... in wget and -CAfile in the s_client case.
You can also install trusted root CA certificates into OpenSSL in one of a number of ways:
Put your CA certificate in /etc/pki/tls/certs or equivalent directory, then create a link based on the certificate hash. See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl for details.
Append your CA certificate to /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/cert.pem, or equivalent CA bundle.