
openssl s_client behind proxy server


Gordon Brown

Aug 10, 2009, 2:26:15 PM

Hi All,

I am trying to test a web service client (using openSSL for crypto related
stuff) with https/SSL. For this, I need to get the server cert. I was able to
do this in a desktop machine using the following command:

    openssl s_client -connect <servername>:<port>

and then copying the portion of the output bounded by and including:

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

However, when I try to do the same on another machine that is behind a proxy
server, I noticed that this same command does not work. I got an error message
like this:

    Loading 'screen' into ramdom state -done
    gethostbyname failure
    connect:errno=11004

I also noticed that in the machine NOT behind the proxy server my web service
client was able to communicate with the web server through https/ssl using the
server cert obtained through the openssl command, but in this machine that IS
behind the proxy server, the communication does not work. My client is getting
a no response error.

Can anyone please advise me on this?

Thanks in advance.
Gordon

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

David Schwartz

Aug 10, 2009, 4:27:06 PM

Gordon Brown wrote:

> However, when I try to do the same on another machine
> that is behind a proxy server, I noticed that this same command
> does not work.

NAT? Socks proxy? Squid proxy? Transparent proxy? It's not clear what you're
talking about.

> I got an error message like this:
> Loading 'screen' into ramdom state -done
> gethostbyname failure

It looks like DNS doesn't work. Is it supposed to? What happens if you
connect by IP?

> connect:errno=11004

Since you don't say what platform you're using, there's no way to make sense
of this error code.

> I also noticed that in the machine NOT behind the proxy server
> my web service client was able to communicate with the
> web server through https/ssl using the server cert obtained
> through the openssl command, but in this machine that IS behind
> the proxy server, the communication does not work. My
> client is getting a no response error.

The term "proxy server" can mean anything (NAT, Squid, Socks, ...). And a
"no response" error can also mean many different things. (No response at the
TCP level? No response from the application?)

DS

Gordon Brown

Aug 10, 2009, 5:10:54 PM

Hi David,

Thanks for the reply.
With regard to my questions, I really don't have deep knowledge about proxy
servers, so they might be a bit ambiguous.

I think the proxy server I am talking about here is a transparent proxy. It is
also the proxy server I have to set in IE browser in order to browse internet
(go to internet Options->Local Area Network Settings->Proxy Server). What I
was trying to do is to test my web service client with https/SSL connection.
As I said, HTTPS/SSL (using openSSL technology) fails when the proxy server is
involved. However, I also noticed that regular web services using HTTP (not
https) are just fine even when my web service client is behind the proxy
server, as long as I specify the proxy server host and port properly.

The question I am asking here is if the command
"openssl s_client -connect <serverhost>:<port>" is supposed to work behind a
proxy server? How should I specify the proxy settings in this command?

Thanks!
Gordon

David Schwartz

Aug 10, 2009, 5:37:04 PM

Gordon Brown wrote:

> The question I am asking here is if the command
> "openssl s_client -connect <serverhost>:<port>" is
> supposed to work behind a proxy server?

There's no way to answer that without knowing what you mean by "proxy
server". Your response at one point hints at a NAT-type proxy server but
then elsewhere it hints at an HTTP-type proxy server.

> How should
> I specify the proxy settings in this command?

You can't. It sounds like you have a non-transparent proxy, which means your
program has to be specifically designed to work with that type of proxy.
Have the client try this:

    telnet <your_server_ip> <your_server_port>

If he cannot establish a connection, he can't reach your service. It's that
simple.

If he can tell you what type of proxy he has that he might be able to use,
then either your server does or does not support that type of proxy. If your
software doesn't support an HTTP CONNECT proxy, you might want to add that.

I wouldn't use the s_client tool for network testing of any kind. It's really
only useful to tell if a server is up and basically working.

DS
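
The following is an added example, not part of the original thread and not OpenSSL's own code: a Python sketch of retrieving a server certificate through an HTTP CONNECT proxy, the proxy type raised in the last reply. It assumes the proxy permits CONNECT to the target port without authentication; the host names in the demo are constructed placeholders.

```python
import hashlib
import socket
import ssl


def open_connect_tunnel(proxy, target, timeout=10.0):
    """Ask an HTTP proxy to open a raw TCP tunnel to target via CONNECT.

    proxy and target are (host, port) tuples. The proxy resolves the target
    name, so local DNS for the target is not needed.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    authority = f"{target[0]}:{target[1]}"
    request = f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    # Read one byte at a time up to the blank line so that no bytes
    # belonging to the tunnel itself are consumed.
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk or len(head) > 8192:
            sock.close()
            raise ConnectionError("proxy closed or sent an oversized header")
        head += chunk
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or parts[1] != "200":
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status_line}")
    return sock


def fetch_server_cert(proxy, target):
    """Return (PEM, SHA-256 hex fingerprint) of the target's leaf certificate."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: the goal is to retrieve the certificate,
    # as s_client does, not to trust it yet.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with open_connect_tunnel(proxy, target) as raw:
        with ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Constructed placeholder names; substitute the real proxy and server.
    pem, fingerprint = fetch_server_cert(("proxy.example.internal", 8080),
                                         ("www.example.com", 443))
    print(fingerprint)
    print(pem)
```

Compare the fingerprint with the one obtained on the machine that is not behind the proxy; a mismatch means something on the path is terminating TLS and presenting its own certificate. OpenSSL 1.1.0 and later also accept `-proxy host:port` on `s_client`, which performs the same CONNECT step.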
