I want to make a script that creates a list of bounced emails on a gmail account. I know I can connect using:
openssl s_client -crlf -connect imap.gmail.com:993
I initially tried something like:
openssl s_client -crlf -connect imap.gmail.com:993 <<!
a login [email protected] Apa55w0rd
a select INBOX
a search on 4-oct-2021
!
However, all I get back is the initial response from connecting to the server, nothing from the commands; it clearly doesn't read stdin. Is there any way to get s_client to read commands from a file (preferably stdin)?
Edit
I've tried out the suggestion in the post linked by Gerald Schneider (https://stackoverflow.com/questions/13707092/openssl-pass-first-few-lines-from-script-then-read-from-stdin), but it doesn't seem to work – at least, it doesn't produce the output I'm after:
db1 root : cat <<! | openssl s_client -crlf -connect imap.gmail.com:993
a login [email protected] Apa55w0rd
a select INBOX
a search on 4-oct-2021
!
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = imap.gmail.com
verify return:1
---
Certificate chain
0 s:/CN=imap.gmail.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIRANYAB4MRC2TJCgAAAAD/Y6YwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjEwOTEzMDMxMTI3WhcNMjExMTIw
MDMxMTI2WjAZMRcwFQYDVQQDEw5pbWFwLmdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALRQpfQvddKjDkAtx0dNu8ifeLqzo8Lv6892Ij8O
KZBsAGcP39G9elE5UGklMH4Jzo88scMmSq+gTNW+Zss/DJ64RMfh/hBXSemdlfnF
Ro/HywsuPZ4YqHOVBvgW+7/K7YspqhfKn/oSZl5jCXz/J6qcxX7O9+phWD7nWwGS
ksrNkuwBT2fg/mA64q0sGgz+cE0k8LGwWoJSZ+B3Nosl07IKv9Jwddxu85d5cAcQ
djoEHiGTF4bluMlkHKlzQhNLh8bEiAkMV/pu/79D1HD+05z6I2EXt+f7O0Dgc8HC
hYHYGw2x2T4ZHAEH+0vG+2CTQMcNoTJ4jfITe4/OUaDm39ECAwEAAaOCAmcwggJj
MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
AjAAMB0GA1UdDgQWBBQGYvnDmgImhQkT2mNBuYvWoMf2wTAfBgNVHSMEGDAWgBSK
dH+vhc3ulc09nNDiRhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGG
G2h0dHA6Ly9vY3NwLnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDov
L3BraS5nb29nL3JlcG8vY2VydHMvZ3RzMWMzLmRlcjAZBgNVHREEEjAQgg5pbWFw
LmdtYWlsLmNvbTAhBgNVHSAEGjAYMAgGBmeBDAECATAMBgorBgEEAdZ5AgUDMDwG
A1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmxzLnBraS5nb29nL2d0czFjMy9mVkp4
YlYtS3Rtay5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQDuwJXujXJkD5Lj
w7kbxxKjaWoJe0tqGhQ45keyy+3F+QAAAXvdWlDzAAAEAwBGMEQCICZIv+JvLRvF
G192uY3wdMdxa7F1Cjkf4Ts++Nj+VBcTAiBTVo0coasZSSvLhfhpFFgVaYjALw1d
kjNEGOhKDfNX4gB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAAB
e91aUA0AAAQDAEgwRgIhAJZ/m/XmVsCx5iuxrdiHmKWq04qmdutaRSqyG2X6wFED
AiEAwvkkC+8egz7BfGcAcsdx04FzMrDYfReDn6elgMCsBBAwDQYJKoZIhvcNAQEL
BQADggEBAD+0liFWMdNxq5xWOLiTCw1mWatA3ZdrDqi51cYN4thboxRa+iNfYUn/
AvSel4sJ+5HhdUmgSpXc98x/OFybrYyLXg/Tk3R1hgZmRsgUTrGMP6H6bkrA1du9
qt23JMScvB2P5pmGMoXdKh1dGaigaIEErixhjlALztEvrWUVSzmpg6A4yx0O/9lw
iHgXY0XNcjtZJ/2tta0nizTMKn2NJbjAW2Pdi0GDZUV9DRcicdvhB9uFd/RFEU2o
muPY4eRc/P4n6NE7TH2S3aEGxD74hwZSmb1Jo/g7L8Ta1caomqHIEFBBU4G+8x0h
8XQpI2zZhTJ82wPjEz7GrVdJt/KDwy0=
-----END CERTIFICATE-----
subject=/CN=imap.gmail.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4870 bytes and written 261 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: FA01523E2366640CFAA49BFA681D23F7118556474A67072E09F188D42B4FCDAB
Session-ID-ctx:
Master-Key: F26BDF82C66AE5B7D08847C29D786E382212B8017292EEE7A826D2085FC6F73877441EDC72EDFF2A66342EDE147EB2EE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 01 d9 8f a9 94 2e 5a 89-e0 93 18 8f 99 fc 66 63 ......Z.......fc
0010 - c3 b5 cb 58 7b ba ae 67-d4 4d c6 6b e9 56 f5 48 ...X{..g.M.k.V.H
0020 - b3 c7 21 b6 39 84 c5 f0-77 3b 74 95 c3 84 9a 1e ..!.9...w;t.....
0030 - 6a 18 f9 a0 73 41 99 f4-b4 fb c8 4f 32 64 bc 4e j...sA.....O2d.N
0040 - 70 64 b8 de 50 27 7d 34-b1 c9 a0 e1 9c c4 8d e6 pd..P'}4........
0050 - cb cf 09 92 a3 5c 9e 09-75 27 e0 f4 d0 fc 75 06 .....\..u'....u.
0060 - f0 7e 1b 37 f7 6d 74 b3-d9 cb 24 32 a9 fd d0 aa .~.7.mt...$2....
0070 - a2 9e 7d e0 58 1d 70 83-e8 a3 f0 5c 1c eb ce 09 ..}.X.p....\....
0080 - 08 92 d0 de 28 84 6e 14-51 3a 99 a7 20 f3 5c b5 ....(.n.Q:.. .\.
0090 - 98 9e b5 6a 62 d4 da 45-42 52 70 2b 21 49 46 0e ...jb..EBRp+!IF.
00a0 - 87 ca b3 90 a2 d8 5a b8-1d c4 8a 55 e2 57 88 20 ......Z....U.W.
00b0 - 5f a1 3d 7e d0 84 53 51-d0 a7 c4 e1 f3 30 69 2c _.=~..SQ.....0i,
00c0 - 68 16 18 3f 29 28 d5 42-fa cd d2 11 da 2d b2 c2 h..?)(.B.....-..
00d0 - 9e e3 ef 50 b9 dc b6 97-fa 66 4e 71 6d 02 6a 6e ...P.....fNqm.jn
00e0 - 91 3b .;
Start Time: 1633347887
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
DONE
Best Answer
Looking at the source code it seems that s_client only reads from console or TTY devices and not from just any stdin.
You can work around that by interposing a program that wraps a (pseudo)TTY around the command.
screen
can do that, but it makes it a bit hard, I sometimes use thessh
trick.Also there is the goto for interactive console programs (expect): https://linux.die.net/man/1/expect, but never tried that.
with SSH
echo -e 'GET / HTTP/1.0\nHost: www.example.com\n\n' | ssh -tt user@localhost 'openssl s_client -crlf -servername www.example.com -brief -connect www.example.com:443'
The -tt forces TTY allocation, which ssh by default wouldn't do, if it detects a pipe.
Disadvantage is that you have to set this loopback SSH connection to logon automatically to use it in a script.
This is NOT binary safe. For simple ASCII it will do.
with Screen
Somewhat harder, but minus the logon hassle.
Prepare a file
query
with lines for input to the server.For example:
Make a detached screen with name
myscreen
and save output to./out.log
screen -d -m -S myscreen -L -Logfile ./out.log
Send the openssl connection command (-X stuff) to the first window (-p 0) of the screen named
myscreen
(-S myscreen) and then immediately send the data from file./query
. Note that the $(cat..) process substitution will chomp any trailing newlines in file./query
and the openssl command MUST have -crlf in case of HTTP protocol. The query data MUST be send not long after opening the connection or the s_client will timeout.screen -S myscreen -p 0 -X stuff "openssl s_client -crlf -servername www.example.com -brief -connect www.example.com:443^M";screen -S myscreen -p 0 -X stuff "$(cat ./query)^M^M"
Finally exit the screen, to erase the
myscreen
session (This assumes the preceding query made the server already drop the connection and s_client exited itself):screen -S myscreen -p 0 -X stuff "exit^M"
Output including the query and exit and s_client output is now in
./out.log
If s_client does not exit after the query you could first send an interrupt signal.
screen -S myscreen -p 0 -X stuff "^C"