s_server openssl Getting Started with OpenSSL's s_Server

Author

Reads 731

Computer server in data center room
Credit: pexels.com, Computer server in data center room

The s_server command in OpenSSL is a simple tool for testing SSL/TLS connections. It acts as a server and listens for incoming connections.

To use s_server, you need to specify the port number it should listen on, as seen in the example where s_server is run with the -accept option and a specific port number.

The -accept option tells s_server to accept connections from the specified port.

Usage

To start the OpenSSL s_server, you can use a command like this: openssl s_server -key key.pem -cert cert.pem -accept 44330 -www. This will launch a secure server on port 44330.

The openssl s_server command has a lot of options, but some of the techniques used are rather old, making the C source for this command hard to read.

To determine what version of OpenSSL you currently have installed on your computer, open a command prompt and type the command, openssl version. This will show you the version of OpenSSL you're running.

A unique perspective: Openssl Gen Cert

Credit: youtube.com, Use openssl s_server as a reverse proxy (2 Solutions!!)

The openssl ciphers command will display a condensed list of what ciphers are currently available. This is useful for testing purposes.

You can use the openssl s_server command with various options to customize its behavior. For example, you can specify the certificate and key files using the -cert and -key options.

To make the server more secure, you can use the -no_ssl3 option to disable SSL version 3. This is a good practice, as SSL version 3 is no longer considered secure.

You can also use the -no_ticket option to disable TLS session tickets. This can help prevent certain types of attacks.

The openssl s_server command has many other options, but these are some of the most commonly used ones.

For your interest: Openssl Cert Key

Accessing the Server

You can access the s_server via a web browser by visiting the URL https://localhost:44330. If everything went right, you'll see a privacy error due to the self-signed certificate.

The browser will continue to load the page, and you'll see the response from the openssl s_server internal webserver. This is a good indication that the s_server is working correctly.

To further test the s_server, you can use the openssl s_client command to connect to it. Simply type "openssl s_client -connect localhost:44330" and press enter.

Accessing via Web Browser

Credit: youtube.com, How to Access Server Files in a Web Browser (with filebrowser)

You can test your server by accessing the URL https://localhost:44330 in your web browser.

This will trigger a privacy error due to the self-signed certificate created in the preparation.

To proceed, you'll need to continue past the privacy error.

After doing so, you'll see the response from the openssl s_server internal webserver.

Accessing the s_server via OpenSSL

To access the s_server via openssl s_client, you'll need to use the following command: openssl s_client -connect localhost:44330. This will establish a connection to the s_server.

The output of this command will show you the details of the connection, including the certificate chain and the server's public key. The certificate chain will show you the hierarchy of certificates that have been issued to the server.

The server's public key is 2048 bits long, and the cipher used for the connection is ECDHE-RSA-AES256-GCM-SHA384. This cipher is a type of encryption that provides a high level of security for the connection.

Credit: youtube.com, `openssl s_server` giving less information than it used to

The connection is established using the TLSv1.2 protocol, which is a secure protocol for encrypting data in transit. The session ticket is also included in the output, which is used to store the session state.

The verify return code is 18, which indicates that the server's certificate is self-signed. This means that the certificate is not issued by a trusted certificate authority, but rather by the server itself.

Worth a look: Openssl Server

Testing and Verification

To get your server up and running, type the following command from your command line: openssl s_server -key Server.key -cert Server.crt -accept 4433.

You should see an ACCEPT message in the command window, indicating that the server is waiting for a connection request. This message is a sign that everything is set up correctly.

Before you can load your client example onto the board, you'll need to make one small code change. Open up main.cpp, find the #DEFINE that sets the server's IP address, SSL_SERVER_NAME, and set it to your computer's IP address.

Credit: youtube.com, Understanding mutual TLS with openssl s_server: Common Mistakes and Solutions

The client will then attempt a connection to the IP address you specified, and if successful, you'll see some timing information and a connection counter from the serial terminal. This is a good indication that the connection is working as expected.

The example is set up to repeatedly connect to the server in order to test session resumption, which should look something like the image below. This feature allows for faster and more efficient connections.

Check this out: Openssl Check Connection

Commands and Flags

The s_server command in OpenSSL offers a range of special operations that can be performed using certain commands. These commands are letters that must appear at the start of a line and are used to end connections, renegotiate sessions, and request client certificates.

You can use the following special operations: q to end the current SSL connection, Q to end the current SSL connection and exit, r to renegotiate the SSL session, RR to renegotiate the SSL session and request a client certificate, PS to send some plain text down the underlying TCP connection, SP to print out some session cache status information, k to send a key update message to the client, K to send a key update message to the client and request one back, and c to send a certificate request to the client.

A fresh viewpoint: Openssl Command Line

Credit: youtube.com, openssl s_client introduction

Here are the special operations listed in a table for easy reference:

Options

The s_server command has several useful options that can be used to set specific behaviors for your tests. The -CAfile flag dictates which certificate authority should be used to validate server certificates.

You can also use the -verify_hostname option to ensure that the hostname you're connecting to is verified by your Certificate Authority list. This is especially useful when using self-signed certificates.

The -showcerts option shows all of the certificates in the certificate list sent by the server. This can be helpful for debugging purposes.

You can specify which certificate the client should send if the server is doing peer verification using the -cert option. This option takes a certificate name as an argument.

To restrict the use of certain ciphers, you can use the -cipher option. This option modifies the list sent to the server and takes a cipher list as an argument.

Credit: youtube.com, Linux Command line for Beginners 06 | Linux Terminal | Flags

The -no_ticket option disables support for session tickets. This can be useful in certain testing scenarios.

Here are some common options used with the s_server command:

Connected Commands

Connected Commands are a set of special operations that can be performed on an SSL connection. They are recognized by a single letter that must appear at the start of a line.

If you're using an SSL client and haven't used the -www or -WWW option, you can end the current SSL connection but still accept new connections by typing 'q' at the start of a line. This is useful for testing or troubleshooting purposes.

Certain commands are only supported on specific versions of TLS. For example, renegotiating the SSL session is only supported on TLSv1.2 and below, and can be done by typing 'r' at the start of a line.

If you're using a client that supports TLSv1.3, you can send a key update message to the client by typing 'k' at the start of a line. This is useful for testing key exchange protocols.

Closeup of switch in server with connectors and adapters connected to plastic device in dark room on blurred background inside
Credit: pexels.com, Closeup of switch in server with connectors and adapters connected to plastic device in dark room on blurred background inside

Here are some of the Connected Commands that you can use:

  • q: End the current SSL connection but still accept new connections.
  • Q: End the current SSL connection and exit.
  • r: Renegotiate the SSL session (TLSv1.2 and below only).
  • RR: Renegotiate the SSL session and request a client certificate (TLSv1.2 and below only).
  • P: Send some plain text down the underlying TCP connection: this should cause the client to disconnect due to a protocol violation.
  • S: Print out some session cache status information.
  • BS: Send a heartbeat message to the client (DTLS only).
  • k: Send a key update message to the client (TLSv1.3 only).
  • K: Send a key update message to the client and request one back (TLSv1.3 only).
  • c: Send a certificate request to the client (TLSv1.3 only).

Getting Started

To get started with OpenSSL's s_server, you'll need to have OpenSSL installed on your machine. If you've installed the NNDK, it should be in the pcbin folder of your install directory. Otherwise, you can download it from the OpenSSL website.

Make sure to grab the right version, as it determines which ciphers you can use during testing. The version that ships with our tools is OpenSSL 1.1.0l, which supports several of the latest ciphers.

To check your current OpenSSL version, open a command prompt and type "openssl version". This will tell you which version you're running.

To see your current list of available ciphers, use the command "openssl ciphers". This will display a condensed list of what ciphers are currently available.

Before you can start testing, you'll need to create two certificates using the OpenSSL req command. You can do this with a single command: "openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes". Fill in the details of your brand new certificate.

You'll only need to run this command once to create the certificates.

Recommended read: Openssl Convert Pfx to Pem

Victoria Kutch

Senior Copy Editor

Victoria Kutch is a seasoned copy editor with a keen eye for detail and a passion for precision. With a strong background in language and grammar, she has honed her skills in refining written content to convey a clear and compelling message. Victoria's expertise spans a wide range of topics, including digital marketing solutions, where she has helped numerous businesses craft engaging and informative articles that resonate with their target audiences.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.