How to talk to IMAP server in Shell via OpenSSL

I want to send IMAP commands via Mac OS X Terminal to a server and get a response. I can connect to the server using this line:
openssl s_client -connect imap.gmail.com:993
And I can successfully log in:
? LOGIN m.client2 passwordhere
But all other commands do not work, no response from server. I tried for instance this:
? LIST "" "*"
? SELECT INBOX

Found the error with the help of a friend:
openssl s_client -connect imap.gmail.com:993 -crlf
-crlf is critical

Try this, this should work for you (replace the first line with your
openssl s_client -connect imap.gmail.com:993 -crlf
command (mandatory -crlf) and type only the blue part):

First things first: is IMAP activated on your Gmail account?
If you are able to log in successfully, that means SSL is working fine.
What's the return code that you get for the
a1 LOGIN m.client2 passwordhere command?
Have you tried the command
a1 capability
Try other alternative commands, since not all IMAP servers implement all the IMAP commands.
I have faced this issue while I was creating data migration tools for different vendors like Gmail, Rediffmail, Yahoo...

A few more options to consider: You may be connecting to a server offering STARTTLS (esp. for IMAP on port 143) in which case you can tell openssl to proceed in negotiating this, you need to specify which protocol you're using (choose from pop3, imap, smtp, ftp); the -crlf option has been mentioned by others, and I also find the -showcerts option useful if I'm debugging an SSL/TLS configuration. So for example you might end up with,
openssl s_client -showcerts -connect target.server.name.here:143 -starttls imap
More options with the relevant man page if you've got that available,
man s_client
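
A scripted version of the session discussed in this thread, as an added example that is not part of the original posts: it terminates every tagged command with CRLF itself and sends them all without waiting for replies. The function names, the IMAP_USER and IMAP_PASS variables and the a1..a4 tags are assumptions made for the example.

```shell
#!/bin/sh
# Added example: scripted IMAP session with explicit CRLF line endings.

# Quote a value as an IMAP quoted string: escape backslash and double quote.
imap_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Succeed only if the value holds no CR or LF; either one would end the
# current command early and let the remainder run as a separate command.
imap_safe() {
    [ "$(printf '%s' "$1" | tr -d '\r\n')" = "$1" ]
}

# Print each argument as one tagged command (a1, a2, ...) ending in CRLF.
imap_commands() {
    _n=0
    for _cmd in "$@"; do
        _n=$((_n + 1))
        printf 'a%d %s\r\n' "$_n" "$_cmd"
    done
}

# Usage: IMAP_USER=... IMAP_PASS=... imap_session imap.gmail.com
imap_session() {
    if ! imap_safe "$IMAP_USER" || ! imap_safe "$IMAP_PASS"; then
        echo "refusing credentials containing CR or LF" >&2
        return 2
    fi
    # -quiet also sets -ign_eof, so s_client keeps reading replies after
    # stdin ends; -verify_return_error aborts on a certificate failure
    # instead of continuing as the default does.
    imap_commands \
        "LOGIN $(imap_quote "$IMAP_USER") $(imap_quote "$IMAP_PASS")" \
        'LIST "" "*"' 'SELECT INBOX' 'LOGOUT' |
        openssl s_client -connect "$1:993" -quiet -verify_return_error
}
```

Because the stream already carries CRLF, -crlf is left out here; adding it is only needed when typing commands interactively.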

Related

Test IMAP connection to Outlook using OpenSSL

I am trying to access the Outlook mail server via IMAP using PHP. As this is not working as intended and the error messages are not helping, I looked up ways to test the basic connectivity and came across the following line of code:
openssl s_client -connect outlook.office365.com:993
This should, supposedly, let me connect to the mail server using an encrypted connection, so that I can then issue some commands to actually log in etc.
However, the command only generates the following output:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I have tried researching the error message (write:errno=104), which led to some suggestions like enforcing TLSv1.2 using the -tls1_2 parameter, neither of which made any difference.
Can someone point me in the right direction? I already ran this command on Ubuntu and Windows 10 using the latest version of OpenSSL.
I can connect using your command, but I needed to force \r\n line ending characters using the -crlf option when connecting in order to be able to type commands and have the server recognise them.
You can also add -quiet to reduce the amount of output:
openssl s_client -connect outlook.office365.com:993 -crlf -quiet
However, it seems the connection is getting reset in your case. This means there's some sort of network issue. There might be a firewall blocking your access to port 993 on outlook.office365.com. e.g. this might be the case if you normally have to connect via a proxy server.
Recent versions of openssl s_client have a -proxy option, but don't seem to allow specifying a proxy username and password. Also it might not work with your proxy even if you don't need to authenticate to the proxy server. One workaround might be to use http://ntlmaps.sourceforge.net/. I have tried it in the past, but it was over 15 years ago.
You could also try using cURL's IMAP support instead of openssl s_client, since it has better proxy support.
Another possibility is to connect to port 143 and use STARTTLS instead of connecting to port 993. Obviously if port 993 is firewalled then port 143 might also be, but in your case it seems like it is allowed:
openssl s_client -connect outlook.office365.com:143 -starttls imap -crlf -quiet
If you are behind a proxy and can't connect to the IMAP server directly, then you can also use something like EmailEngine that handles connections itself and allows access to mailbox contents via a REST API.

Proxy authentication with s_client

Note: this is not a duplicate of openssl s_client using a proxy, as I am specifically interested in proxy authentication, not the ability to use proxy.
I'm using openssl s_client to inspect certificates of the target server to understand how/where the connection works or not. As I'm behind a corporate proxy, I can specify the proxy server with -proxy flag, however I need to pass authentication details (username/password) to this proxy - and I haven't figured out how to do that.
openssl s_client -proxy my.proxy.server:8080 -connect my.target.host
successfully connects to the proxy server, however, understandably, results in error s_client: HTTP CONNECT failed: 407 Unauthorized.
Passing proxy server in the form of user:pass@my.proxy.server or http://user:pass@my.proxy.server both result in error s_client: -proxy argument malformed or ambiguous.
How can I pass proxy authentication to s_client? I would find it hard to believe that it supports proxy but not authenticated proxy.
I'm using openssl version 1.1.1a.
Just to follow up on @Arnaud Grandville's answer: OpenSSL v3 beta 1 has now been released, and it includes proxy authentication options. You have to compile it yourself, however.
Unfortunately in v3 beta 1 the HTTP code had some issues so you can't use the code from their website as-is. Anyone looking to compile from source can use the commands below to get an OpenSSL installation with working proxy authentication:
git clone --branch openssl-3.0.0-beta1 https://github.com/openssl/openssl.git
cd openssl
git fetch
git checkout 6a1f9cd -- crypto/http/http_client.c
./Configure
make
make install
Edit: For later versions this is no longer necessary as the bug was fixed. For example for version 3.0.5 you can simply run:
git clone --branch openssl-3.0.5 https://github.com/openssl/openssl.git
cd openssl
./Configure
make
make install
You can use escape-from-intranet https://github.com/quaddy-services/escape-from-intranet#introduction
and specify
host=my.proxy.server
port=8080
in the app and use
openssl s_client -proxy localhost:3128 -connect my.target.host
and your local running application will enrich the real proxy call with your credentials.
(In case you have a transparent proxy you need to switch the default proxy decision to "PROXY" in the "Decision" Menu)
OpenSSL v3.0 will support proxy_user and proxy_pass options.
No solution for now; the syntax after proxy is
host + ':' + service
host + ':' + '*'
host + ':'
':' + service
'*' + ':' + service
host
service
cf. BIO_parse_hostserv
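
What the 407 in this thread means on the wire, as an added example that is not part of the original posts: it builds the HTTP CONNECT request with a Proxy-Authorization header and inspects a proxy reply to see whether Basic credentials would be accepted at all. The function names, the constructed sample reply and port 443 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the HTTP CONNECT exchange behind "s_client -proxy".

# Print a CONNECT request for target host:port carrying Basic credentials.
# Basic is only base64, and it crosses the hop to the proxy in cleartext.
proxy_connect_request() {
    _cred=$(printf '%s' "$2:$3" | base64 | tr -d '\n')
    printf 'CONNECT %s HTTP/1.1\r\n' "$1"
    printf 'Host: %s\r\n' "$1"
    printf 'Proxy-Authorization: Basic %s\r\n\r\n' "$_cred"
}

# Read a proxy reply on stdin; print the status code from the first line.
proxy_status() {
    awk 'NR == 1 { print $2; exit }'
}

# Read a proxy reply on stdin; print each offered authentication scheme.
proxy_auth_schemes() {
    tr -d '\r' | awk 'tolower($1) == "proxy-authenticate:" { print $2 }'
}

# Succeed if the reply on stdin is a 407 that lists Basic among its schemes.
proxy_basic_usable() {
    _reply=$(cat)
    [ "$(printf '%s\n' "$_reply" | proxy_status)" = 407 ] || return 1
    printf '%s\n' "$_reply" | proxy_auth_schemes | grep -qi '^basic$'
}

# Constructed sample reply from a proxy that offers two schemes.
sample_reply() {
    printf 'HTTP/1.1 407 Proxy Authentication Required\r\n'
    printf 'Proxy-Authenticate: Negotiate\r\n'
    printf 'Proxy-Authenticate: Basic realm="corp"\r\n\r\n'
}
```

OpenSSL 3.0 and later send this Basic header when given -proxy_user and -proxy_pass; a proxy that lists only NTLM or Negotiate will still answer 407, which is where a local helper proxy such as the ones mentioned in the answers comes in.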

How can one download an https file with Jython 2.x without ignoring ssl validation?

I'm using Jython 2.latest and I cannot for the life of me figure out how to securely (i.e. not turning off verification) download an HTTPS link.
All I can seem to find are examples where you turn off validation.
I'm using code like
import logging
import urllib2

# save_path: destination file path, set elsewhere
thefile = urllib2.urlopen("https://example.com/index.php")
with open(save_path, 'wb') as output:
    output.write(thefile.read())
logging.info("Successfully downloaded %s", save_path)
But I get a handshake error, totally expected.
So I've generated the ssl cert:
openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >example.pem
So now I have the PEM file. Now what do I do, does anyone know? Am I stuck installing the PEM file into the keystore?
Link here: Problem with Jython urllib2.urlopen for HTTPS pages says that you can only add it to the java keystore.

Connecting to gmail pop server by Windows command line

I'm using command line on Windows 7 or Windows Command Processor. I'm trying to connect to gmail pop server (pop.gmail.com) on port 995 because that is what I have seen on other Web sites. I want at least to get an "+OK Hello there" message. This is the command I wrote:
telnet pop.gmail.com 995
I'm not getting any answer. What am I doing wrong?
Port 995 is for SSL connection. You cannot do it with telnet.
You could probably try OpenSSL and test it that way.
openssl s_client -connect pop.gmail.com:995 -quiet
More info on OpenSSL for Windows is here:
OpenSSL for Windows
ADDED:
I have just tested with openssl command I gave you above. It works like a charm:
user#localhost$ openssl s_client -connect pop.gmail.com:995 -quiet
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
+OK Gpop ready for requests from 11.11.111.11 v45pf1517914yhk.21

Connecting to Apple Push Notification Server

I'm trying to connect to Apple's push notification server using my key and certificate
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert MyApp.pem -key MyApp.pem
I keep getting the following error. Does anyone know what might be wrong?
7495:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
You might be entering the wrong pass phrase.
