Testing an SMTP server with SSL?
I want to be sure a SSL/TLS connection is really being made to my SMTP Server on port 465. (The Server is running on Ubuntu 14.04)
Using:
openssl s_client -connect example.co.uk:465
I get the responses shown below...
Notice I get the message:
"Verify return code: 20 (unable to get local issuer certificate)"
Yet, I am able to continue the dialog with EHLO and AUTH LOGIN.
Does that mean I am "not" on a secure connection, and continuing on unencrypted?
Thanks, John
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=example.co.uk
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<removed for clarity>
-----END CERTIFICATE-----
subject=/CN=example.co.uk
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3050 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-DES-CBC3-SHA
Session-ID: 5728D30BFCCB912A3DEC177610B5CF260F35B9E0F2E6F8E51FC8B59B80E377FD
Session-ID-ctx:
Master-Key: 2E2B2E3A9AD05E4F8DF346C3E0C017ED2E8203D8C8391391F8F0042065FE7688DA8D836B5C31E3A5F9C77E8353CFA10C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1462293259
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
220 example.co.uk - Xeams SMTP server; Version: 4.9 - build: 5819; 5/3/16 5:34 PM
250-april.example.co.uk. Please to meet you
250-SIZE 20971520
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK
---
220 example.co.uk - Xeams SMTP server; Version: 4.9 - build: 5819; 5/3/16 5:37 PM
EHLO example.co.uk
250-april.example.co.uk. Please to meet you
250-SIZE 20971520
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
Solution 1:
It's encrypted, but not authenticated.
Does that mean I am "not" on a secure connection, and continuing on unencrypted?
No. It is encrypted alright. But it is not authenticated. So while we do know that we are having an ENCRYPTED conversation we do not know WITH WHOM.
This shows that the connection is encrypted:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Try testssl.sh
You are using s_client without supplying the path to the trusted CAs. And OpenSSL does not trust any CAs by default anymore. I think it once did but then stopped 5+ years ago. And ever since then this unable-to-find-local-issuer error is what you get for just about every connection.
But that being said: just go straight for something better and explicitly engineered to test and rate SSL/TLS connections: http://testssl.sh/.
It is a nice wrapper around OpenSSL.
You may also try these to test encrypted SMTP: http://checktls.com/, https://www.htbridge.com/ssl/.
Solution 2:
The output from your question suggests that you're using SSL for that connection.
Non-SSL output would look like this:
$ openssl s_client -connect alexus.biz:80
CONNECTED(00000003)
139684765820832:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$
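Both answers turn on reading three lines of the s_client transcript: the `New, ..., Cipher is ...` line (did a TLS session get negotiated at all), the `Protocol` line, and the `Verify return code` line (did OpenSSL validate the chain to a trusted root). The script below is an added example written for this page, not code from the question, the answers, OpenSSL or Xeams. It embeds constructed samples trimmed from the two transcripts quoted above (plus a third, constructed variant showing what the first one would look like with `Verify return code: 0 (ok)`), classifies each as plaintext / encrypted-only / encrypted-and-verified, flags the 3DES cipher the server negotiated as weak (an added caveat, not something the answers raise), and builds the s_client invocation with `-CAfile` and `-verify_return_error`, which are real s_client options; the CA bundle path is the Debian/Ubuntu ca-certificates default and is an assumption for other systems.

```python
"""Classify `openssl s_client` output: plaintext, encrypted-only, or encrypted+verified.

Added example for this Q&A page; not code from the page, OpenSSL or Xeams.
"""
import re
from typing import Dict, List, Optional

# Constructed samples, trimmed from the two transcripts quoted on this page.
ENCRYPTED_UNVERIFIED = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.co.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Verify return code: 20 (unable to get local issuer certificate)
---
220 example.co.uk - Xeams SMTP server; Version: 4.9
"""

PLAINTEXT_PORT = """\
CONNECTED(00000003)
139684765820832:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

# Constructed: what the first transcript would look like once a CA bundle is supplied.
VERIFIED_OK = ENCRYPTED_UNVERIFIED.replace(
    "Verify return code: 20 (unable to get local issuer certificate)",
    "Verify return code: 0 (ok)",
)

# Cipher-name fragments meaning "encrypted, but with something you should not accept today".
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP-", "ADH-", "AECDH-")

_CIPHER_RE = re.compile(r"^New, (?P<ver>.+?), Cipher is (?P<cipher>\S+)", re.MULTILINE)
_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(?P<proto>\S+)", re.MULTILINE)
_VERIFY_RE = re.compile(r"Verify return code:\s*(?P<code>\d+)\s*\((?P<reason>[^)]*)\)")


def classify(output: str) -> Dict[str, object]:
    """Return what the transcript proves: encryption, authentication, cipher quality."""
    m = _CIPHER_RE.search(output)
    cipher: Optional[str] = None
    if m and m.group("cipher") != "(NONE)":
        cipher = m.group("cipher")
    encrypted = cipher is not None

    pm = _PROTO_RE.search(output)
    protocol = pm.group("proto") if (encrypted and pm) else None

    vm = _VERIFY_RE.search(output)
    verify_code = int(vm.group("code")) if vm else None
    verify_reason = vm.group("reason") if vm else None

    # Authentication is only established when the handshake completed AND
    # OpenSSL validated the chain to a trusted root (code 0). Any non-zero
    # code, or no code at all, means the peer's identity is unproven.
    authenticated = encrypted and verify_code == 0
    weak_cipher = encrypted and any(tag in cipher for tag in WEAK_CIPHER_MARKERS)

    if not encrypted:
        verdict = "no TLS session: handshake failed (plaintext service or wrong port)"
    elif not authenticated:
        verdict = "encrypted but NOT authenticated: you do not know who you are talking to"
    else:
        verdict = "encrypted and chain verified"
    if weak_cipher:
        verdict += " (weak cipher negotiated)"

    return {
        "encrypted": encrypted,
        "authenticated": authenticated,
        "cipher": cipher,
        "protocol": protocol,
        "verify_code": verify_code,
        "verify_reason": verify_reason,
        "weak_cipher": weak_cipher,
        "verdict": verdict,
    }


def s_client_argv(host: str, port: int = 465,
                  cafile: str = "/etc/ssl/certs/ca-certificates.crt") -> List[str]:
    """Build the s_client invocation that lets the chain actually be verified.

    The CA bundle path is the Debian/Ubuntu default from the ca-certificates
    package (assumption: adjust for other distributions). -verify_return_error
    makes s_client abort instead of chatting on after a failed verification.
    """
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-CAfile", cafile, "-verify_return_error"]


if __name__ == "__main__":
    for name, sample in (("question", ENCRYPTED_UNVERIFIED),
                         ("port 80", PLAINTEXT_PORT),
                         ("with CA bundle", VERIFIED_OK)):
        print(f"{name}: {classify(sample)['verdict']}")
    print(" ".join(s_client_argv("example.co.uk")))
```

Two caveats when you run the real command. Code 20 with a Let's Encrypt chain is the expected result of a missing local root (DST Root CA X3 has to come from your own trust store; the server only sends the intermediate), so supplying `-CAfile` is the fix, not a sign the server is misconfigured. And on the OpenSSL 1.0.1 shipped with Ubuntu 14.04, `Verify return code: 0 (ok)` only proves the chain reaches a trusted root; s_client there does not check that the certificate's name matches the host you connected to (the `-verify_hostname` option arrived in OpenSSL 1.1.0), so compare the `subject=` line against the hostname yourself.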