Test SSL / TLS with GnuTLS from the Command Line

By | 2014/03/12



GnuTLS has a command line app gnutls-cli that can inspect any various SSL or TLS connections. Check it out!



On Debian, install the gnutls command line tools with:

$ sudo apt-get install gnutls-bin



Let’s check out the scottlinux.com TLS connection over port 443. The tack d is debug, and then debug level 5 here.


stmiller@bruckner:~$ gnutls-cli -d 5 scottlinux.com -p 443
Resolving 'scottlinux.com'...
Connecting to '2600:3c01::f03c:91ff:fe96:edba:443'...
|<4>| REC[0x16b9f00]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x16b9f00]: Allocating epoch #1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x16b9f00]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x16b9f00]: Sending extension SERVER NAME (19 bytes)
|<2>| EXT[0x16b9f00]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x16b9f00]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x16b9f00]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x16b9f00]: CLIENT HELLO was sent [139 bytes]
|<4>| REC[0x16b9f00]: Sending Packet[0] Handshake(22) with length: 139
|<4>| REC[0x16b9f00]: Sent Packet[1] Handshake(22) with length: 144
|<4>| REC[0x16b9f00]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[0] Handshake(22) with length: 57
|<4>| REC[0x16b9f00]: Decrypted Packet[0] Handshake(22) with length: 57
|<3>| HSK[0x16b9f00]: SERVER HELLO was received [57 bytes]
|<3>| HSK[0x16b9f00]: Server's version: 3.3
|<3>| HSK[0x16b9f00]: SessionID length: 0
|<3>| HSK[0x16b9f00]: SessionID: 00
|<3>| HSK[0x16b9f00]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA1
|<2>| EXT[0x16b9f00]: Parsing extension 'SERVER NAME/0' (0 bytes)
|<2>| EXT[0x16b9f00]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| EXT[0x16b9f00]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<3>| HSK[0x16b9f00]: Safe renegotiation succeeded
|<4>| REC[0x16b9f00]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[1] Handshake(22) with length: 2316
|<4>| REC[0x16b9f00]: Decrypted Packet[1] Handshake(22) with length: 2316
|<3>| HSK[0x16b9f00]: CERTIFICATE was received [2316 bytes]
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: ext_signature.c:393
|<4>| REC[0x16b9f00]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[2] Handshake(22) with length: 527
|<4>| REC[0x16b9f00]: Decrypted Packet[2] Handshake(22) with length: 527
|<3>| HSK[0x16b9f00]: SERVER KEY EXCHANGE was received [527 bytes]
|<3>| HSK[0x16b9f00]: verify handshake data: using RSA-SHA1
|<2>| ASSERT: ext_signature.c:393
|<4>| REC[0x16b9f00]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[3] Handshake(22) with length: 4
|<4>| REC[0x16b9f00]: Decrypted Packet[3] Handshake(22) with length: 4
|<3>| HSK[0x16b9f00]: SERVER HELLO DONE was received [4 bytes]
|<2>| ASSERT: gnutls_handshake.c:1369
|<3>| HSK[0x16b9f00]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<4>| REC[0x16b9f00]: Sending Packet[1] Handshake(22) with length: 134
|<4>| REC[0x16b9f00]: Sent Packet[2] Handshake(22) with length: 139
|<3>| REC[0x16b9f00]: Sent ChangeCipherSpec
|<4>| REC[0x16b9f00]: Sending Packet[2] Change Cipher Spec(20) with length: 1
|<4>| REC[0x16b9f00]: Sent Packet[3] Change Cipher Spec(20) with length: 6
|<4>| REC[0x16b9f00]: Initializing epoch #1
|<4>| REC[0x16b9f00]: Epoch #1 ready
|<3>| HSK[0x16b9f00]: Cipher Suite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x16b9f00]: Initializing internal [write] cipher sessions
|<4>| REC[0x16b9f00]: Start of epoch cleanup
|<4>| REC[0x16b9f00]: End of epoch cleanup
|<3>| HSK[0x16b9f00]: recording tls-unique CB (send)
|<3>| HSK[0x16b9f00]: FINISHED was sent [16 bytes]
|<4>| REC[0x16b9f00]: Sending Packet[0] Handshake(22) with length: 16
|<4>| REC[0x16b9f00]: Sent Packet[1] Handshake(22) with length: 181
|<4>| REC[0x16b9f00]: Expected Packet[4] Handshake(22) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[4] Handshake(22) with length: 218
|<4>| REC[0x16b9f00]: Decrypted Packet[4] Handshake(22) with length: 218
|<3>| HSK[0x16b9f00]: NEW SESSION TICKET was received [218 bytes]
|<4>| REC[0x16b9f00]: Expected Packet[5] Change Cipher Spec(20) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[5] Change Cipher Spec(20) with length: 1
|<4>| REC[0x16b9f00]: ChangeCipherSpec Packet was received
|<3>| HSK[0x16b9f00]: Cipher Suite: DHE_RSA_AES_128_CBC_SHA1
|<4>| REC[0x16b9f00]: Start of epoch cleanup
|<4>| REC[0x16b9f00]: Epoch #0 freed
|<4>| REC[0x16b9f00]: End of epoch cleanup
|<4>| REC[0x16b9f00]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x16b9f00]: Received Packet[0] Handshake(22) with length: 64
|<4>| REC[0x16b9f00]: Decrypted Packet[0] Handshake(22) with length: 16
|<3>| HSK[0x16b9f00]: FINISHED was received [16 bytes]
|<2>| ASSERT: ext_server_name.c:300
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
|<2>| ASSERT: dn.c:305
|<2>| ASSERT: dn.c:305
  - subject `serialNumber=1XZdnS3S/eEXEFBKquhTKEWRuzCLADYy,OU=GT05040709,OU=See www.rapidssl.com/resources/cps (c)13,OU=Domain Control Validated - RapidSSL(R),CN=scottlinux.com', issuer `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-01-24 18:16:35 UTC', expires `2017-01-26 20:17:52 UTC', SHA-1 fingerprint `ab679fbaae46d195f0444b3ec3f5aeccb59fe736'
 - Certificate[1] info:
|<2>| ASSERT: dn.c:305
|<2>| ASSERT: dn.c:305
  - subject `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-19 22:45:05 UTC', expires `2020-02-18 22:45:05 UTC', SHA-1 fingerprint `c039a3269ee4b8e82d00c53fa797b5a19e836f47'
- The hostname in the certificate matches 'scottlinux.com'.
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: verify.c:343
|<2>| ASSERT: verify.c:588
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

|<4>| REC[0x16b9f00]: Expected Packet[1] Application Data(23) with length: 4096
|<4>| REC[0x16b9f00]: Received Packet[1] Alert(21) with length: 48
|<4>| REC[0x16b9f00]: Decrypted Packet[1] Alert(21) with length: 2
|<4>| REC[0x16b9f00]: Alert[1|0] - Close notify - was received
- Peer has closed the GnuTLS connection
|<4>| REC[0x16b9f00]: Epoch #1 freed





Test gmail’s IMAP connection over 993:

stmiller@bruckner:~$ gnutls-cli -d 5 imap.gmail.com -p 993
Resolving 'imap.gmail.com'...
Connecting to '2607:f8b0:400d:c00::6d:993'...
|<4>| REC[0xa0bf00]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0xa0bf00]: Allocating epoch #1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0xa0bf00]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0xa0bf00]: Sending extension SERVER NAME (19 bytes)
|<2>| EXT[0xa0bf00]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0xa0bf00]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0xa0bf00]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0xa0bf00]: CLIENT HELLO was sent [139 bytes]
|<4>| REC[0xa0bf00]: Sending Packet[0] Handshake(22) with length: 139
|<4>| REC[0xa0bf00]: Sent Packet[1] Handshake(22) with length: 144
|<4>| REC[0xa0bf00]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0xa0bf00]: Received Packet[0] Handshake(22) with length: 57
|<4>| REC[0xa0bf00]: Decrypted Packet[0] Handshake(22) with length: 57
|<3>| HSK[0xa0bf00]: SERVER HELLO was received [57 bytes]
|<3>| HSK[0xa0bf00]: Server's version: 3.3
|<3>| HSK[0xa0bf00]: SessionID length: 0
|<3>| HSK[0xa0bf00]: SessionID: 00
|<3>| HSK[0xa0bf00]: Selected cipher suite: RSA_ARCFOUR_SHA1
|<2>| EXT[0xa0bf00]: Parsing extension 'SERVER NAME/0' (0 bytes)
|<2>| EXT[0xa0bf00]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| EXT[0xa0bf00]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<3>| HSK[0xa0bf00]: Safe renegotiation succeeded
|<4>| REC[0xa0bf00]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0xa0bf00]: Received Packet[1] Handshake(22) with length: 3091
|<4>| REC[0xa0bf00]: Decrypted Packet[1] Handshake(22) with length: 3091
|<3>| HSK[0xa0bf00]: CERTIFICATE was received [3091 bytes]
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: ext_signature.c:393
|<4>| REC[0xa0bf00]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0xa0bf00]: Received Packet[2] Handshake(22) with length: 4
|<4>| REC[0xa0bf00]: Decrypted Packet[2] Handshake(22) with length: 4
|<3>| HSK[0xa0bf00]: SERVER HELLO DONE was received [4 bytes]
|<2>| ASSERT: gnutls_handshake.c:1369
|<3>| HSK[0xa0bf00]: CLIENT KEY EXCHANGE was sent [262 bytes]
|<4>| REC[0xa0bf00]: Sending Packet[1] Handshake(22) with length: 262
|<4>| REC[0xa0bf00]: Sent Packet[2] Handshake(22) with length: 267
|<3>| REC[0xa0bf00]: Sent ChangeCipherSpec
|<4>| REC[0xa0bf00]: Sending Packet[2] Change Cipher Spec(20) with length: 1
|<4>| REC[0xa0bf00]: Sent Packet[3] Change Cipher Spec(20) with length: 6
|<4>| REC[0xa0bf00]: Initializing epoch #1
|<4>| REC[0xa0bf00]: Epoch #1 ready
|<3>| HSK[0xa0bf00]: Cipher Suite: RSA_ARCFOUR_SHA1
|<3>| HSK[0xa0bf00]: Initializing internal [write] cipher sessions
|<4>| REC[0xa0bf00]: Start of epoch cleanup
|<4>| REC[0xa0bf00]: End of epoch cleanup
|<3>| HSK[0xa0bf00]: recording tls-unique CB (send)
|<3>| HSK[0xa0bf00]: FINISHED was sent [16 bytes]
|<4>| REC[0xa0bf00]: Sending Packet[0] Handshake(22) with length: 16
|<4>| REC[0xa0bf00]: Sent Packet[1] Handshake(22) with length: 41
|<4>| REC[0xa0bf00]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0xa0bf00]: Received Packet[3] Handshake(22) with length: 174
|<4>| REC[0xa0bf00]: Decrypted Packet[3] Handshake(22) with length: 174
|<3>| HSK[0xa0bf00]: NEW SESSION TICKET was received [174 bytes]
|<4>| REC[0xa0bf00]: Expected Packet[4] Change Cipher Spec(20) with length: 1
|<4>| REC[0xa0bf00]: Received Packet[4] Change Cipher Spec(20) with length: 1
|<4>| REC[0xa0bf00]: ChangeCipherSpec Packet was received
|<3>| HSK[0xa0bf00]: Cipher Suite: RSA_ARCFOUR_SHA1
|<4>| REC[0xa0bf00]: Start of epoch cleanup
|<4>| REC[0xa0bf00]: Epoch #0 freed
|<4>| REC[0xa0bf00]: End of epoch cleanup
|<4>| REC[0xa0bf00]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0xa0bf00]: Received Packet[0] Handshake(22) with length: 36
|<4>| REC[0xa0bf00]: Decrypted Packet[0] Handshake(22) with length: 16
|<3>| HSK[0xa0bf00]: FINISHED was received [16 bytes]
|<2>| ASSERT: ext_server_name.c:300
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
|<2>| ASSERT: dn.c:305
|<2>| ASSERT: dn.c:305
  - subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=imap.gmail.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority G2', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-09-10 07:59:51 UTC', expires `2014-09-10 07:59:51 UTC', SHA-1 fingerprint `89091347184d41768bfc0da9fad94bfe882dd358'
 - Certificate[1] info:
|<2>| ASSERT: dn.c:305
|<2>| ASSERT: dn.c:305
  - subject `C=US,O=Google Inc,CN=Google Internet Authority G2', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-04-05 15:15:55 UTC', expires `2015-04-04 15:15:55 UTC', SHA-1 fingerprint `d83c1a7f4d0446bb2081b81a1670f8183451ca24'
 - Certificate[2] info:
|<2>| ASSERT: dn.c:305
|<2>| ASSERT: dn.c:305
  - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- The hostname in the certificate matches 'imap.gmail.com'.
|<2>| ASSERT: dn.c:1209
|<2>| ASSERT: verify.c:343
|<2>| ASSERT: verify.c:588
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

|<4>| REC[0xa0bf00]: Expected Packet[1] Application Data(23) with length: 4096
|<4>| REC[0xa0bf00]: Received Packet[1] Application Data(23) with length: 107
|<4>| REC[0xa0bf00]: Decrypted Packet[1] Application Data(23) with length: 87
* OK Gimap ready for requests from 2001:470:8:950:447c:83c0:7f50:ae3b y1mb86478145qaw






Rock on,


Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.