openssl s_client -connect some.https.server:443 -showcerts

is a nice command to run when you want to inspect the server's certificates and its certificate chain.

Is there a way to run this command when you are behind an HTTP/HTTPS proxy?

pushNpop

5 Answers


You can use proxytunnel:

proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000

and then you can do this:

openssl s_client -connect localhost:7000 -showcerts

Hope this can help you!

prot
francarl
  • I had to make `proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000` run in the background to free up the terminal for the second command. – Michael-7 Feb 22 '18 at 13:58
  • `proxytunnel` supports proxy auth, which (afaict) `openssl s_client -proxy` doesn't, at least not in 1.1.0h. – Roger Lipscombe Nov 13 '18 at 16:45

Since OpenSSL v1.1.0:

C:\openssl>openssl version
OpenSSL 1.1.0g  2 Nov 2017
C:\openssl>openssl s_client -proxy 192.168.103.115:3128 -connect www.google.com -CAfile C:\TEMP\internalCA.crt
CONNECTED(00000088)
depth=2 DC = com, DC = xxxx, CN = xxxx CA interne
verify return:1
depth=1 C = FR, L = CROIX, CN = svproxysg1, emailAddress = xxxx@xxxx.xx
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=xxxx/L=xxxx/CN=svproxysg1/emailAddress=xxxx@xxxx.xx
 1 s:/C=xxxx/L=xxxx/CN=svproxysg1/emailAddress=xxxx@xxxx.xx
   i:/DC=com/DC=xxxxx/CN=xxxxx CA interne
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIJAIv4/hQAAAAAMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
BAYTAkZSMQ4wDAYDVQQHEwVDUk9JWDETMBEGA1UEAxMKc3Zwcm94eXNnMTEeMBwG

For anyone coming here as of post-May 2015: there's a new "-proxy" option that will be included in the next release of openssl: https://rt.openssl.org/Ticket/Display.html?id=2651&user=guest&pass=guest

Erich Eichinger
  • I just tried OpenSSL 1.0.2g 1 Mar 2016 (Windows), and it doesn't know anything about a proxy option. Why? – syr Mar 21 '16 at 11:48
  • Is it ok to update the openssl package to a version that isn't bundled with the OS? – Krishter Jun 12 '16 at 05:11
  • @ChristianSchäfer It's because version 1.0.2xx is not a "next release". This option is available only in OpenSSL 1.1.0xx and later. – zed Mar 17 '17 at 21:53
  • Indeed, see the manual page https://www.openssl.org/docs/man1.1.0/apps/openssl-s_client.html#OPTIONS – Franklin Yu Dec 04 '18 at 15:16
  • https://www.openssl.org/docs/man1.1.1/man1/openssl-s_client.html#OPTIONS – qris Mar 01 '22 at 08:54

Officially not.

But here's a patch: http://rt.openssl.org/Ticket/Display.html?id=2651&user=guest&pass=guest

sschuberth
mtomy

Even with OpenSSL v1.1.0 I had some problems passing our proxy, e.g. `s_client: HTTP CONNECT failed: 400 Bad Request`. That forced me to write a minimal Java class to show the SSL handshake:

    import java.io.IOException;
    import java.net.URI;
    import java.net.URISyntaxException;
    import org.apache.http.HttpHost;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.client.utils.URIBuilder;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.impl.conn.DefaultProxyRoutePlanner;

    // Class name chosen only to make the snippet compile and run as-is.
    public class ProxyHandshake {
        public static void main(String[] args) throws IOException, URISyntaxException {
            // Route every request through the HTTP proxy (CONNECT tunnel for https)
            HttpHost proxy = new HttpHost("proxy.my.company", 8080);
            DefaultProxyRoutePlanner routePlanner = new DefaultProxyRoutePlanner(proxy);
            CloseableHttpClient httpclient = HttpClients.custom()
                    .setRoutePlanner(routePlanner)
                    .build();
            URI uri = new URIBuilder()
                    .setScheme("https")
                    .setHost("www.myhost.com")
                    .build();
            HttpGet httpget = new HttpGet(uri);
            httpclient.execute(httpget); // the TLS handshake happens here
        }
    }

With the following dependency:

    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.2</version>
        <type>jar</type>
    </dependency>

You can run it with Java SSL logging turned on.

This should produce nice output like:

trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0xc3517
  Valid from Mon Jun 21 06:00:00 CEST 1999 until Mon Jun 22 06:00:00 CEST 2020

adding as trusted cert:
  Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Issuer:  CN=SecureTrust CA, O=SecureTrust Corporation, C=US
(....)
gratinierer
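Both the proxytunnel answer and the `HTTP CONNECT failed: 400 Bad Request` answer come down to the same HTTP CONNECT exchange with the proxy. As an added example (not code from any answer above), this Python script performs that exchange itself, sends Basic proxy credentials when given (the part the comment notes `s_client -proxy` lacks), refuses to start TLS unless the proxy answers 2xx, and only then runs the handshake inside the tunnel; proxy host, credentials and target host are assumed parameters.

```python
import base64
import socket
import ssl

def build_connect_request(host, port, proxy_user=None, proxy_pass=None):
    """HTTP CONNECT request for an HTTP proxy; optional Basic proxy auth
    (the part plain `openssl s_client -proxy` does not send)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:
        creds = f"{proxy_user}:{proxy_pass or ''}".encode()
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(creds).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_connect_status(response):
    """Numeric status from the proxy's reply. Anything outside 2xx (e.g.
    '400 Bad Request', '407 Proxy Authentication Required') means no tunnel."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def read_connect_response(sock):
    """Read until the end of the proxy's response headers (blank line)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    return buf

def peer_cert_via_proxy(proxy_host, proxy_port, host, port=443,
                        proxy_user=None, proxy_pass=None):
    """Open the tunnel, then run the TLS handshake inside it and return the
    server's leaf certificate (what s_client -showcerts prints first)."""
    ctx = ssl.create_default_context()  # verify against the system trust store
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(build_connect_request(host, port, proxy_user, proxy_pass))
        status = parse_connect_status(read_connect_response(raw))
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
        # From here the proxy is a byte pipe; only now start TLS, with SNI set.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Call `peer_cert_via_proxy("yourproxy", 8080, "www.google.com")` to get the certificate; a `ConnectionError` carrying the proxy's status code is the same condition the `400 Bad Request` answer describes.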