Is there a way to tell s_client to just "send a command" and quit?


Dan Mahoney

Sep 25, 2025, 5:25:17 PM (7 days ago) Sep 25
to openssl-users
Hey there folks.

I'm writing some certificate checks that call s_client to fetch my cert, but openssl s_client is blocking.  Is there an easy way to tell it "hang up as soon as negotiation settles?"

Perhaps with a "clean" command like "QUIT" or something (depending on the protocol being used).

This complicates scripting it with a simple shell script or something like that, and would be super useful.

Christian, Mark

Sep 25, 2025, 6:12:13 PM (6 days ago) Sep 25
to openss...@openssl.org
Perhaps there is a better way than piping echo to openssl. If not:

% echo | openssl s_client -connect ...

Mark

Michael Wojcik

Sep 25, 2025, 6:43:22 PM (6 days ago) Sep 25
to openss...@openssl.org
Mark Christian wrote:

> On Thu, 2025-09-25 at 14:25 -0700, Dan Mahoney wrote:
> >
> > I'm writing some certificate checks that call s_client to fetch my
> > cert, but openssl s_client is blocking. Is there an easy way to tell
> > it "hang up as soon as negotiation settles?"

> Perhaps there is a better way than piping echo to openssl. If not:

> % echo | openssl s_client -connect ...

Even the newline from echo is unnecessary, so you can save a few characters:

$ openssl s_client -connect ... </dev/null

(The </dev/null can go anywhere after the command name, actually, so "openssl </dev/null s_client ..." works too.)

On Windows, use "<nul" rather than "</dev/null".

In any case, the idea is to give s_client an EOF on stdin right off the bat.

--
Michael Wojcik

Viktor Dukhovni

Sep 25, 2025, 10:43:25 PM (6 days ago) Sep 25
to openss...@openssl.org
On Thu, Sep 25, 2025 at 10:42:16PM +0000, 'Michael Wojcik' via openssl-users wrote:

> Even the newline from echo is unnecessary, so you can save a few characters:
>
> $ openssl s_client -connect ... </dev/null
>
> (The </dev/null can go anywhere after the command name, actually, so "openssl </dev/null s_client ..." works too.)

And, for that matter, also before the command name,

</dev/null openssl s_client ...

but this isn't a POSIX shell beginner forum, so the reason I'm replying
is in fact to add a bit more substance on two potentially relevant
points.

1. With some combinations of options s_client will ignore
   end-of-file on standard input, and remain connected to
   the remote end. An explicit "-no_ign_eof" as a final
   option can be helpful. From the docs:

       -ign_eof
           Inhibit shutting down the connection when end of file is
           reached in the input.

       -quiet
           Inhibit printing of session and certificate information.
           This implicitly turns on -ign_eof as well.

       -no_ign_eof
           Shut down the connection when end of file is reached in
           the input. Can be used to override the implicit -ign_eof
           after -quiet.

2. With TLS 1.3, resumption PSKs (session tickets) are sent *after*
   the handshake completes, sometimes when it is the server's
   first turn to send application data (to avoid potential deadlock
   if both sides are writing large messages without concurrently
   reading). So if processing of resumption PSKs is part of the
   diagnostic goals, the client may need to solicit an application
   layer response from the server. Therefore, e.g. for an SMTP
   connection, one might:

       (printf 'QUIT\r\n'; sleep 2) |
           openssl s_client -starttls smtp \
               -connect foo.example:25 ... \
               -no_ign_eof

--
Viktor. 🇺🇦 Слава Україні!
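
The replies up to this point, assembled into a certificate-expiry check that cannot block, as an added example that is not code from any poster in this thread. The function names, the exit codes and the 10-second timeout are assumptions of this example; extra s_client options such as `-starttls smtp` can be passed after the day count.

```shell
#!/bin/sh
# Added example: non-blocking certificate expiry check built on s_client.
# Function names, exit codes and the 10 s timeout are this example's choices.

# Print the first PEM certificate (the leaf) found in s_client output on stdin.
# With -showcerts the chain follows the leaf; only the first block is kept.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on                            { print }
         /-----END CERTIFICATE-----/   { if (on) exit }'
}

# Fetch the server's leaf certificate without ever waiting on the terminal:
#   </dev/null    gives s_client EOF on stdin right away
#   -no_ign_eof   placed last, so EOF closes the connection even if an
#                 earlier option (e.g. -quiet) implied -ign_eof
#   timeout       bounds a peer that never answers (skipped if not installed)
fetch_leaf_pem() {  # usage: fetch_leaf_pem HOST PORT [extra s_client options]
    host=$1 port=$2
    shift 2
    if command -v timeout >/dev/null 2>&1; then guard="timeout 10"; else guard=""; fi
    $guard openssl s_client -connect "$host:$port" -servername "$host" \
        "$@" -no_ign_eof </dev/null 2>/dev/null | extract_leaf_pem
}

# Exit status: 0 = valid for at least DAYS more days, 1 = expires sooner,
#              2 = no certificate could be fetched.
check_cert() {      # usage: check_cert HOST PORT DAYS [extra s_client options]
    host=$1 port=$2 days=$3
    shift 3
    pem=$(fetch_leaf_pem "$host" "$port" "$@")
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $((days * 86400)) >/dev/null
}
```

Keeping "could not fetch" (2) distinct from "expires soon" (1) lets a monitoring job tell an unreachable host apart from a certificate that needs renewing.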

Jochen Bern

Sep 26, 2025, 3:36:38 AM (6 days ago) Sep 26
to openss...@openssl.org
Since you're specifically asking for a "clean" exit, I shall assume that
you need to avoid the server seeing a "dirty" connection/request, as in,
writing a warning thereto to the logs. (Otherwise, see the previous
replies about making /dev/null the stdin.)

Needless to say, such a method depends on the protocol for the service
you're connecting to, so support by s_client will necessarily be
limited. "Natively", you (only) need to make sure that there's enough
time for the server to process the request before s_client sees the EOF
and closes the connection.

For example, most *HTTPS* servers I need to "ping" like that are OK with
HTTP 1.0 and Unix EOLs, so I'm essentially doing

(echo "HEAD / HTTP/1.0";echo "";sleep 5)|openssl s_client -connect ...

A truly picky one with name-based virtual hosts, on the other hand,
needs something like

( echo -e 'GET / HTTP/1.1\r' ; echo -e 'Host: foo.bar\r' ; echo -e 'Connection: close\r' ; echo -e '\r' ; sleep 5 ) | openssl s_client -connect foo.bar:443 -servername foo.bar ...

(Again, assuming that the client's "echo" command is appending the
unixoid \n EOL on its own, and that 5s are enough time for the server to
reply.)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Viktor Dukhovni

Sep 26, 2025, 4:53:59 AM (6 days ago) Sep 26
to openss...@openssl.org
On Fri, Sep 26, 2025 at 09:36:24AM +0200, Jochen Bern wrote:

> A truly picky one with name-based virtual hosts, on the other hand, needs
> something like
>
> ( echo -e 'GET / HTTP/1.1\r' ; echo -e 'Host: foo.bar\r' ; echo -e 'Connection: close\r' ; echo -e '\r' ; sleep 5 ) | openssl s_client -connect foo.bar:443 -servername foo.bar ...

It seems you may be unaware of the `-crlf` option of openssl-s_client(1).

    host="foo.bar"
    (
        printf 'GET / HTTP/1.1\nHost: %s\nConnection: close\n\n' "$host"
        sleep 5
    ) | openssl s_client -crlf -nocommands -connect "$host:443" -servername "$host" ...

--
Viktor. 🇺🇦 Слава Україні!

Jochen Bern

Sep 26, 2025, 7:14:49 AM (6 days ago) Sep 26
to openss...@openssl.org
On 26.09.25 10:53, Viktor Dukhovni wrote:
> On Fri, Sep 26, 2025 at 09:36:24AM +0200, Jochen Bern wrote:
>> ( echo -e 'GET / HTTP/1.1\r' ; echo -e 'Host: foo.bar\r' ; ...
>
> It seems you may be unaware of the `-crlf` option of openssl-s_client(1).

I was, thanks. :-)

(Now if only it were equally simple for the no-crypto counterpart ...
say, there's no way to call s_client so as to serve as a drop-in
replacement for (non-port-23) "telnet", is there? ;-)