• 01/31/2023

OpenSSL s_client – TLS Handshake Protocol Revisited

13.6 OpenSSL s_client

OpenSSL is an open source project implementing the OpenSSL software, a commercial-grade, feature-rich toolkit for cryptography and TLS [137]. OpenSSL’s technical decision making is governed by the OpenSSL Technical Committee (OTC) and the software is published under an Apache-style license, making it suitable for both non-commercial and commercial purposes.

At the time of this writing, the latest stable OpenSSL version is the 3.1 series, which the OpenSSL project will support until March 14, 2025. In addition, OpenSSL 3.0 series is available as a Long-Term Support (LTS) version, which will be supported until September 7, 2026.

The OpenSSL source code is hosted at https://github.com/openssl/openssl. The software includes the following:

  • libssl, the implementation of TLS protocol versions up to TLS 1.3
  • libcrypto, a feature-rich cryptography library that is the basis for libssl, but can also be used as a standalone library
  • The openssl command-line tool, which, among other things, can be used for the generation of cryptographic keys and digital certificates, computation of hash functions and message authentication codes, encryption and decryption, and TLS client and server tests

One of the command-line tools, namely, openssl-s_client, implements a generic TLS client that connects to remote hosts using the TLS protocol. In practice, this tool is mostly used for diagnostic purposes. In our case, however, openssl-s_client is a great way to experiment with TLS: see the protocol at work to increase your understanding.

13.6.1 Installing OpenSSL

Before we can start experimenting with openssl-s_client, we first need to install the OpenSSL toolkit. The easiest way to install OpenSSL is to use the source code tarballs available at https://www.openssl.org/source/. At the time of this writing, the latest stable OpenSSL tarball is https://www.openssl.org/source/openssl-3.1.0.tar.gz.

If you are on a Linux or macOS system, you likely already have OpenSSL installed, although probably in a different version than 3.1.0. You therefore need to be careful to not mess things up on your system. If you are on a Windows system, you would first need an appropriate Linux environment, such as WSL or Cygwin, where you could install OpenSSL.

We recommend using a Docker container instead. Docker is a popular OS-level virtualization solution where software runs in so-called containers. Docker containers are isolated runtime environments created from Docker images, read-only files containing all source code, libraries, dependencies, tools, and runtime for running an application. Docker images can be created from Dockerfiles that specify what goes into the image. We prepared a repository on GitHub that contains a Dockerfile to build an image with a fully functional OpenSSL 3.1.0 installation. To use it and build the Docker image, execute the following commands:

$ gh repo clone duplys/tls_lab
$ cd tls_lab/openssl_docker
$ docker build . -t openssl310

You can now start the Docker container by issuing the following command:

$ docker container run --rm -it openssl310

The -it option tells Docker to start the container in interactive mode. The --rm option ensures that Docker removes the container after you exit it. Once the container is running, you should see a similar command prompt:

root@07c3ba265c69:/opt/openssl#

To verify that everything works, you can execute an OpenSSL command in the Docker container prompt. As an example, you can try to access OpenSSL’s help pages by issuing the following command:

# openssl help

Does it work? Congratulations! You have successfully installed OpenSSL on your system.
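The following check is an added example, not part of the original page or the tls_lab repository. Run at the container prompt (or on the host for comparison), it confirms that the openssl binary on PATH reports one of the two release series named earlier rather than an older system build or LibreSSL. The function name, output labels, and sample strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the string printed by `openssl version`.
# Labels such as "3.1-series" are this example's own, not OpenSSL output.

# classify_openssl_version "<output of 'openssl version'>"
# Prints a label and returns 0 for the 3.1 or 3.0 series, 1 otherwise.
classify_openssl_version() {
    # Split e.g. "OpenSSL 3.1.0 14 Mar 2023 (...)" into product and version.
    read -r product version _rest <<EOF
$1
EOF
    # Some systems ship a different toolkit under the same command name,
    # for example LibreSSL, which prints "LibreSSL <version>".
    if [ "$product" != "OpenSSL" ]; then
        echo "not-openssl:$product"
        return 1
    fi
    case "$version" in
        3.1.*) echo "3.1-series" ;;
        3.0.*) echo "3.0-lts" ;;
        *)     echo "other:$version"; return 1 ;;
    esac
}

# Report on whatever openssl binary is first on PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    label=$(classify_openssl_version "$(openssl version)") || true
    echo "$(command -v openssl): $label"
fi
```

Inside the container built above, the reported label should be 3.1-series; any other label means the command resolved to a different installation.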
