2015-09-24

Using openssl to test two way SSL connectivity

In my previous post, Building a two way https web service server using Java, I said I used openssl to test the web service server.

In fact, before settling on openssl, I tried other methods such as curl and various Chrome extensions. I finally stuck with openssl because of its flexibility and the low-level output it makes available, which is what I needed for debugging.

In fact the script is as simple as follows:

# Two-way (mutual) TLS POST: the client presents client.pem/key.pem and verifies
# the server chain against ca.pem. Content-Length must equal the body size in
# bytes after the -crlf conversion (XXX is a placeholder for that number).
openssl s_client -connect localhost:8000 -cert client.pem -key key.pem -CApath . -CAfile ca.pem -showcerts -debug -msg -state -crlf -ign_eof <<EOF
POST /app HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: XXX

<?xml version='1.0'?><Envelope xmlns='http://schemas.xmlsoap.org/soap/envelope/' xmlns:op='http://schemas.xyz.com/svc' xmlns:ems='http://schemas.xyz.com/ems'><Header>Header_Text</Header><Body><op:AddPbs><ems:ChannelAcctId><ems:ChannelId>06</ems:ChannelId><ems:AcctId>1234567</ems:AcctId></ems:ChannelAcctId></op:AddPbs></Body></Envelope>

EOF

Let me explain each parameter one by one:

s_client: the SSL/TLS client program of the openssl suite
connect: the host (or IP address) and port of the web service
cert: the client certificate to present to the server
key: the private key matching the client certificate; openssl uses it during the handshake to prove that the client really holds that certificate
CApath: a directory of additional trusted CA certificates used to verify the server chain (openssl looks files up there by subject-name hash)
CAfile: the "trusted" CA certificate that signed the server certificate; the server chain is verified against it, and a successful verification shows up in the output as "Verify return code: 0 (ok)"
showcerts: shows the whole server certificate chain instead of only the leaf certificate
debug: it is a treasure of openssl; it hex-dumps every byte sent and received
msg: ditto; it prints the TLS protocol messages (hello, certificate, key exchange and so on) as they go by
state: ditto; it prints each SSL state transition, which shows exactly where a failing handshake stops
crlf: in Unix the line delimiter is LF only. This switch makes openssl transmit each line read from stdin with CR+LF instead (but please note the Content-Length has to be modified accordingly, since every line of the body becomes one byte longer)
ign_eof: I originally omitted this switch, but I found it is needed because otherwise openssl closes the connection as soon as it reaches the end of its input, before the server can send the response back.
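As an added example (not from the original post), here is a small POSIX shell wrapper around the same s_client command. It writes the CR+LF line endings itself and computes Content-Length from the body file, so the -crlf switch and the XXX placeholder are no longer needed, and it then checks the s_client log for a verified server chain and an HTTP status line. The file names client.pem, key.pem, ca.pem and request.xml and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper around the same
# s_client command. It writes the CR+LF line endings itself and computes
# Content-Length from the body file, so -crlf and the XXX placeholder go
# away; it then checks the log for a verified chain and an HTTP reply.
# File names (client.pem, key.pem, ca.pem, request.xml) are assumptions.

# Emit an HTTP/1.1 POST with CRLF headers; $1 = body file, $2 = Host value.
build_request() {
    body_len=$(wc -c < "$1" | tr -d ' ')   # exact byte count of the body
    printf 'POST /app HTTP/1.1\r\n'
    printf 'Host: %s\r\n' "$2"
    printf 'Content-Type: application/x-www-form-urlencoded\r\n'
    printf 'Content-Length: %s\r\n' "$body_len"
    printf '\r\n'                          # blank line ends the headers
    cat "$1"                               # body is sent byte for byte
}

# Succeed only if the server chain verified against ca.pem AND an HTTP
# status line came back; a handshake alert or an early close fails both.
check_log() {
    grep -q 'Verify return code: 0 (ok)' "$1" || return 1
    grep -q '^HTTP/1\.[01] [0-9][0-9][0-9]' "$1" || return 1
}

# Mutual-TLS POST: $1 = host:port, $2 = body file, $3 = log file.
# -ign_eof keeps the connection open after stdin ends so the reply arrives.
mtls_post() {
    build_request "$2" "${1%%:*}" |
        openssl s_client -connect "$1" -cert client.pem -key key.pem \
            -CApath . -CAfile ca.pem -showcerts -msg -state -ign_eof \
            > "$3" 2>&1
    check_log "$3"
}

# Usage: mtls_post localhost:8000 request.xml s_client.log && echo "OK"
```

The log file keeps the full -msg/-state trace for inspection, while the exit status alone tells a script whether the two-way handshake and the HTTP exchange both succeeded.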