OpenSSL s_client Stdin – How to Get OpenSSL s_client to Read from Stdin

openssl

I want to make a script that creates a list of bounced emails on a gmail account. I know I can connect using:

openssl s_client -crlf -connect imap.gmail.com:993

I initially tried something like:

openssl s_client -crlf -connect imap.gmail.com:993 <<!
a login [email protected] Apa55w0rd
a select INBOX
a search on 4-oct-2021
!

However, all I get back is the initial response from connecting to the server, nothing from the commands; it clearly doesn't read stdin. Is there any way to get s_client to read commands from a file (preferably stdin)?

Edit

I've tried out the suggestion in the post linked by Gerald Schneider (https://stackoverflow.com/questions/13707092/openssl-pass-first-few-lines-from-script-then-read-from-stdin), but it doesn't seem to work – at least, it doesn't produce the output I'm after:

db1 root : cat <<! | openssl s_client -crlf -connect imap.gmail.com:993
a login [email protected] Apa55w0rd
a select INBOX
a search on 4-oct-2021
!

CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = imap.gmail.com
verify return:1
---
Certificate chain
 0 s:/CN=imap.gmail.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgIRANYAB4MRC2TJCgAAAAD/Y6YwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjEwOTEzMDMxMTI3WhcNMjExMTIw
MDMxMTI2WjAZMRcwFQYDVQQDEw5pbWFwLmdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALRQpfQvddKjDkAtx0dNu8ifeLqzo8Lv6892Ij8O
KZBsAGcP39G9elE5UGklMH4Jzo88scMmSq+gTNW+Zss/DJ64RMfh/hBXSemdlfnF
Ro/HywsuPZ4YqHOVBvgW+7/K7YspqhfKn/oSZl5jCXz/J6qcxX7O9+phWD7nWwGS
ksrNkuwBT2fg/mA64q0sGgz+cE0k8LGwWoJSZ+B3Nosl07IKv9Jwddxu85d5cAcQ
djoEHiGTF4bluMlkHKlzQhNLh8bEiAkMV/pu/79D1HD+05z6I2EXt+f7O0Dgc8HC
hYHYGw2x2T4ZHAEH+0vG+2CTQMcNoTJ4jfITe4/OUaDm39ECAwEAAaOCAmcwggJj
MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
AjAAMB0GA1UdDgQWBBQGYvnDmgImhQkT2mNBuYvWoMf2wTAfBgNVHSMEGDAWgBSK
dH+vhc3ulc09nNDiRhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGG
G2h0dHA6Ly9vY3NwLnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDov
L3BraS5nb29nL3JlcG8vY2VydHMvZ3RzMWMzLmRlcjAZBgNVHREEEjAQgg5pbWFw
LmdtYWlsLmNvbTAhBgNVHSAEGjAYMAgGBmeBDAECATAMBgorBgEEAdZ5AgUDMDwG
A1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmxzLnBraS5nb29nL2d0czFjMy9mVkp4
YlYtS3Rtay5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQDuwJXujXJkD5Lj
w7kbxxKjaWoJe0tqGhQ45keyy+3F+QAAAXvdWlDzAAAEAwBGMEQCICZIv+JvLRvF
G192uY3wdMdxa7F1Cjkf4Ts++Nj+VBcTAiBTVo0coasZSSvLhfhpFFgVaYjALw1d
kjNEGOhKDfNX4gB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAAB
e91aUA0AAAQDAEgwRgIhAJZ/m/XmVsCx5iuxrdiHmKWq04qmdutaRSqyG2X6wFED
AiEAwvkkC+8egz7BfGcAcsdx04FzMrDYfReDn6elgMCsBBAwDQYJKoZIhvcNAQEL
BQADggEBAD+0liFWMdNxq5xWOLiTCw1mWatA3ZdrDqi51cYN4thboxRa+iNfYUn/
AvSel4sJ+5HhdUmgSpXc98x/OFybrYyLXg/Tk3R1hgZmRsgUTrGMP6H6bkrA1du9
qt23JMScvB2P5pmGMoXdKh1dGaigaIEErixhjlALztEvrWUVSzmpg6A4yx0O/9lw
iHgXY0XNcjtZJ/2tta0nizTMKn2NJbjAW2Pdi0GDZUV9DRcicdvhB9uFd/RFEU2o
muPY4eRc/P4n6NE7TH2S3aEGxD74hwZSmb1Jo/g7L8Ta1caomqHIEFBBU4G+8x0h
8XQpI2zZhTJ82wPjEz7GrVdJt/KDwy0=
-----END CERTIFICATE-----
subject=/CN=imap.gmail.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4870 bytes and written 261 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: FA01523E2366640CFAA49BFA681D23F7118556474A67072E09F188D42B4FCDAB
    Session-ID-ctx:
    Master-Key: F26BDF82C66AE5B7D08847C29D786E382212B8017292EEE7A826D2085FC6F73877441EDC72EDFF2A66342EDE147EB2EE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 01 d9 8f a9 94 2e 5a 89-e0 93 18 8f 99 fc 66 63   ......Z.......fc
    0010 - c3 b5 cb 58 7b ba ae 67-d4 4d c6 6b e9 56 f5 48   ...X{..g.M.k.V.H
    0020 - b3 c7 21 b6 39 84 c5 f0-77 3b 74 95 c3 84 9a 1e   ..!.9...w;t.....
    0030 - 6a 18 f9 a0 73 41 99 f4-b4 fb c8 4f 32 64 bc 4e   j...sA.....O2d.N
    0040 - 70 64 b8 de 50 27 7d 34-b1 c9 a0 e1 9c c4 8d e6   pd..P'}4........
    0050 - cb cf 09 92 a3 5c 9e 09-75 27 e0 f4 d0 fc 75 06   .....\..u'....u.
    0060 - f0 7e 1b 37 f7 6d 74 b3-d9 cb 24 32 a9 fd d0 aa   .~.7.mt...$2....
    0070 - a2 9e 7d e0 58 1d 70 83-e8 a3 f0 5c 1c eb ce 09   ..}.X.p....\....
    0080 - 08 92 d0 de 28 84 6e 14-51 3a 99 a7 20 f3 5c b5   ....(.n.Q:.. .\.
    0090 - 98 9e b5 6a 62 d4 da 45-42 52 70 2b 21 49 46 0e   ...jb..EBRp+!IF.
    00a0 - 87 ca b3 90 a2 d8 5a b8-1d c4 8a 55 e2 57 88 20   ......Z....U.W.
    00b0 - 5f a1 3d 7e d0 84 53 51-d0 a7 c4 e1 f3 30 69 2c   _.=~..SQ.....0i,
    00c0 - 68 16 18 3f 29 28 d5 42-fa cd d2 11 da 2d b2 c2   h..?)(.B.....-..
    00d0 - 9e e3 ef 50 b9 dc b6 97-fa 66 4e 71 6d 02 6a 6e   ...P.....fNqm.jn
    00e0 - 91 3b                                             .;

    Start Time: 1633347887
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

Best Answer

Looking at the source code it seems that s_client only reads from console or TTY devices and not from just any stdin.

You can work around that by interposing a program that wraps a (pseudo)TTY around the command.

screen can do that, but it makes it a bit hard, I sometimes use the ssh trick.

Also there is the goto for interactive console programs (expect): https://linux.die.net/man/1/expect, but never tried that.

with SSH

echo -e 'GET / HTTP/1.0\nHost: www.example.com\n\n' | ssh -tt user@localhost 'openssl s_client -crlf -servername www.example.com -brief -connect www.example.com:443'

The -tt forces TTY allocation, which ssh by default wouldn't do, if it detects a pipe.

Disadvantage is that you have to set this loopback SSH connection to logon automatically to use it in a script.

This is NOT binary safe. For simple ASCII it will do.

with Screen

Somewhat harder, but minus the logon hassle.

Prepare a file query with lines for input to the server.

For example:

GET / HTTP/1.0
Host: www.example.com

Make a detached screen with name myscreen and save output to ./out.log

screen -d -m -S myscreen -L -Logfile ./out.log

Send the openssl connection command (-X stuff) to the first window (-p 0) of the screen named myscreen (-S myscreen) and then immediately send the data from file ./query. Note that the $(cat..) process substitution will chomp any trailing newlines in file ./query and the openssl command MUST have -crlf in case of HTTP protocol. The query data MUST be send not long after opening the connection or the s_client will timeout.

screen -S myscreen -p 0 -X stuff "openssl s_client -crlf -servername www.example.com -brief -connect www.example.com:443^M";screen -S myscreen -p 0 -X stuff "$(cat ./query)^M^M"

Finally exit the screen, to erase the myscreen session (This assumes the preceding query made the server already drop the connection and s_client exited itself):

screen -S myscreen -p 0 -X stuff "exit^M"

Output including the query and exit and s_client output is now in ./out.log

If s_client does not exit after the query you could first send an interrupt signal.

screen -S myscreen -p 0 -X stuff "^C"

Best Answer

with SSH

with Screen

Related Solutions

Postgresql – Connecting to PostgreSQL with SSL using OpenSSL s_client

Convert from P7B to PEM via OpenSSL

Related Topic