[openssl-users] Getting info on the ciphers supported by a client

Waldin nospam.waldin at yopmail.com
Mon Mar 9 13:13:37 UTC 2015


On 08.03.2015 at 09:14, Waldin wrote:

> Now, I also want to check ciphers enabled in (mobile) mail clients.
> I've tried to make OpenSSL listen on port 110 (for POP with TLS) and
> redirected the client to the OpenSSL server.  But when trying to pull
> mail I can't see any handshake information:

FTR, I've now managed to check my mobile mail client.  The hint was the
argument to the s_client command's -starttls option, which made me
realize that for handshaking with starttls a minimum understanding of
the protocol is needed.  OpenSSL probably doesn't include a POP or IMAP
server.  But it works without starttls, when listening on port 993:

> >openssl s_server -cert public.pem -key ca-key.pem -accept 993
> Enter pass phrase for ca-key.pem:
> Loading 'screen' into random state - done
> Using default temp DH parameters
> ACCEPT
> -----BEGIN SSL SESSION PARAMETERS-----
> MFUCAQECAgMBBAIAOQQABDAM5TDoa/9vlS6pUsqtlPWpgpMc1L7bvwCS5UGiIhut
> 13A4uf0Zm8T2/q3ULkxnkPKhBgIEVP2ataIEAgIBLKQGBAQBAAAA
> -----END SSL SESSION PARAMETERS-----
> Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
> -SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
> 128-SHA:IDEA-CBC-SHA:RC4-SHA
> CIPHER is DHE-RSA-AES256-SHA
> Secure Renegotiation IS NOT supported
> ~A1 LOGIN "MYLOGIN" "MYPASSWORD"
> ERROR
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT

Hurray!  But wait, a plain text password?  And no server certificate
pinning?  Oh, no!

Wald
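
An added example, not part of the original post: a small Python parser that rejoins the console-wrapped "Shared ciphers:" line from the s_server output quoted above and flags legacy suites. The names `shared_ciphers` and `review`, and the weak-cipher policy in `WEAK`, are assumptions made for this illustration.

```python
import re

# s_server output as quoted in the message above (quote markers removed);
# the console wrapped the "Shared ciphers:" line mid-name.
SAMPLE = """\
Using default temp DH parameters
ACCEPT
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3
-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
128-SHA:IDEA-CBC-SHA:RC4-SHA
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported
"""

# Legacy bulk ciphers worth flagging (assumed review policy, not from the post).
WEAK = {"RC4": "RC4 stream cipher", "DES-CBC3": "3DES, 64-bit block",
        "IDEA": "IDEA, 64-bit block"}
EPHEMERAL = ("DHE-", "EDH-", "ECDHE-")  # key exchanges with forward secrecy


def shared_ciphers(output):
    """Return the suite names from 'Shared ciphers:', rejoining wrapped lines."""
    parts, collecting = [], False
    for line in output.splitlines():
        if line.startswith("Shared ciphers:"):
            parts, collecting = [line.split(":", 1)[1]], True
        elif collecting and re.fullmatch(r"[A-Za-z0-9:_-]+", line):
            parts.append(line)          # continuation of a wrapped line
        else:
            collecting = False
    return [name for name in "".join(parts).split(":") if name]


def review(suites):
    """Map each suite to a list of findings; an empty list means none."""
    findings = {}
    for suite in suites:
        notes = [why for token, why in WEAK.items() if token in suite]
        if not suite.startswith(EPHEMERAL):
            notes.append("no forward secrecy")
        findings[suite] = notes
    return findings


if __name__ == "__main__":
    for suite, notes in review(shared_ciphers(SAMPLE)).items():
        print(f"{suite:24} {', '.join(notes) or 'ok'}")
```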


