openssl 为 STARTTLS 协商 SSL 加密 [英] openssl to negotiate SSL encryption for STARTTLS

问题描述

我正在使用 openssl 正常连接到 SMTP 服务器(未加密)，发送 STARTTLS 命令，协商 SSL 加密，然后与加密会话进行交互.

I'm using openssl to connect to an SMTP server normally (without encryption), send a STARTTLS command, negotiate the SSL encryption, and then interact with the encrypted session.

这是我正在使用的命令(通过 telnet):

This is the command I'm using (through telnet):

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

如何确保 TLS 握手成功?

How can I ensure that TLS handshake was successful?

这是目前使用的命令序列:

This is the sequence of commands used so far:

<< 220 example.com ESMTP ready
>> EHLO localhost
<< 250-smtp.mail.yahoo.com
<< 250-PIPELINING
<< 250-AUTH PLAIN LOGIN CRAM-MD5
<< 250 STARTTLS
>> STARTTLS
<< 220 2.0.0 Start TLS
>> openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587    

推荐答案

您似乎对 shell 感到困惑(您在其中键入命令，例如 telnet 或 openssl)并且套接字的协议.

You seem to be confusing a shell (where you type commands such as telnet or openssl) and the socket's protocol.

使用 telnet 连接到 SMTP 等协议的端口是一种快速破解方法，可让您直接输入在为该协议实现客户端时通常必须编程的内容.它可以对基于文本的协议工作一点，但它有局限性.特别是，您将很难以这种方式键入 TLS 握手:首先，您可能无法在键盘上为需要发送的某些字节找到正确的键；其次，您当然无法阅读服务器发送给您的内容.总之，这种做法没有任何意义.

Using telnet to connect to a port for a protocol like SMTP is a quick hack that allows you to type in directly what you'd normally have to program if implementing a client for that protocol. It can work a little for text-based protocols but it has limitations. In particular, you'll have a hard-time typing an TLS handshake this way: firstly you probably won't be able to find the right keys on your keyboard for some of the bytes you need to send; secondly, you certainly won't be able to read what the server sends you. In short, this approach doesn't make any sense.

openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587 已经完成了您尝试使用 telnet 执行的操作:它打开与该服务器的连接，发送 EHLO SMTP 命令，发送 STARTTLS SMTP 命令，然后开始握手.OpenSSL 命令本身根本不是 SMTP 协议的一部分，并且不能在 SMTP 套接字上发送.运行此命令时您将获得的结果应该类似于已执行握手的 telnet 会话，因为您应该能够以与 telnet 相同的方式使用其标准输入/输出.

openssl s_client -starttls smtp -crlf -connect 127.0.0.1:587 already does what you're trying to do with telnet: it opens the connection to that server, sends the EHLO SMTP command, sends the STARTTLS SMTP command and then starts the handshake. The OpenSSL command itself is not part of the SMTP protocol at all and mustn't be sent on the SMTP socket. What you'll get when running this command should be similar to having your telnet session with the handshake already performed, since you should be able to use its standard input/ouput in the same way you would be able telnet.

话虽如此，发送 SMTP 命令的 telnet 和 openssl s_client 充其量都是调试技术.

This being said, both telnet and openssl s_client to send SMTP commands are debugging techniques at best.

这篇关于openssl 为 STARTTLS 协商 SSL 加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！