I would like to test client connections with IMAP over SSL, HTTPS, and other secure text-based Internet protocols over SSL/TLS, the same way I would using telnet or netcat if they were not tunneled over a secure protocol. Is there a way to get telnet or netcat to go through SSL/TLS such as with a pipe or alternate program?
5 Answers
There is no Telnet/Netcat client – they are two separate programs, and there exist at least 10 different Telnet clients and at least 6 different Netcat versions (original netcat, GNU netcat, OpenBSD netcat, nmap's ncat; forgot the rest).
The preferred tools come from TLS libraries themselves. They might be a bit verbose, though.
GnuTLS has a TLS client tool on Linux:
    gnutls-cli imap.gmail.com -p 993
Use -s for STARTTLS; you will need to manually enter the necessary protocol commands and press Ctrl+D when ready.
Supports IPv6, validates server certificates by default.
OpenSSL has a TLS client tool:
    openssl s_client -connect imap.gmail.com:993
This is available for all operating systems. STARTTLS is supported via -starttls imap or -starttls smtp options, and the program will automatically negotiate it. (Although it throws away the initial server reply after doing so, but it's usually fine.)
Only version ≥ 1.1 supports IPv6.
Only version ≥ 1.0.2 (IIRC) validates server certificate by default; older versions require manual -CApath specification.
(I'd like to also have tools for testing NSS and SChannel, but couldn't find any.)
The programs also use the same libraries, but might have fewer configuration knobs. Some even skip on peer certificate checks by default...
socat:
    socat openssl:imap.gmail.com:993 stdio
readline mode can be used for convenience:
    socat ssl:imap.gmail.com:993 readline
STARTTLS is not supported.
ncat from nmap supports TLS (but not STARTTLS):
    ncat --ssl imap.gmail.com 993
Some Telnet clients, such as the telnet-ssl package on Debian, also support TLS:
    telnet-ssl -z ssl imap.gmail.com 993
STARTTLS can be activated using starttls from the Ctrl+] escape menu.
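What -starttls imap or -starttls smtp negotiates before the TLS handshake, as an added Python example (not part of the answer above and not the code of any tool it lists). It keeps the server's plaintext greeting, which the answer notes openssl s_client throws away, and then verifies the certificate and hostname; the tag a001 and the EHLO name client.example are placeholders.

```python
import socket
import ssl

def read_line(sock):
    """Read one line byte-wise so nothing past it is buffered before TLS."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed mid-line")
        buf += chunk
    return buf

def read_reply(sock, proto, tag=None):
    """Collect one full reply: SMTP multi-line, or IMAP up to the tagged line."""
    lines = []
    while True:
        lines.append(read_line(sock))
        last = lines[-1]
        if proto == "smtp":
            done = last[3:4] != b"-"      # "250-" continues, "250 " ends
        else:
            done = tag is None or last.startswith(tag + b" ")
        if done:
            return lines

def negotiate_starttls(sock, proto):
    """Do the plaintext STARTTLS exchange; return every server line seen."""
    seen = read_reply(sock, proto)        # greeting, kept rather than dropped
    if proto == "smtp":
        sock.sendall(b"EHLO client.example\r\n")   # placeholder client name
        seen += read_reply(sock, proto)
        sock.sendall(b"STARTTLS\r\n")
        reply = read_reply(sock, proto)
        ok = reply[-1].startswith(b"220")
    else:                                 # imap
        sock.sendall(b"a001 STARTTLS\r\n")
        reply = read_reply(sock, proto, tag=b"a001")
        ok = reply[-1].upper().startswith(b"A001 OK")
    seen += reply
    if not ok:
        raise ConnectionError("STARTTLS refused: %r" % reply[-1])
    return seen

def connect(host, port, starttls=None):
    """Return (tls_socket, plaintext_lines); certificate and hostname verified."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED and check_hostname on
    raw = socket.create_connection((host, port), timeout=10)
    lines = negotiate_starttls(raw, starttls) if starttls else []
    return ctx.wrap_socket(raw, server_hostname=host), lines
```

connect("imap.gmail.com", 143, starttls="imap") would return the upgraded socket together with the greeting; pass starttls=None for implicit-TLS ports such as 993.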
There is a program called stunnel, that turns a client or server that doesn't support SSL into one that does, working for client-side, server-side, or both, and you tell it what port to listen on and forward to.
Note- This is ok-ish, though I had worded this a bit differently. You can look at prior edits to see what I wrote.
If you need cross-platform support, there's sclient (Git):
- Create a local server that unwraps TLS for example.com:
    sclient example.com:443 localhost:3000
    [listening] example.com:443 <= localhost:3000
- Make a request to example.com via telnet:
    telnet localhost 3000
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: example.com
    Connection: close
For completeness, there is (or was?) a thing called TelnetS, a "secured Telnet via TLS/SSL". Debian still provides the telnetd server component in package telnet-ssl. Per the linked resource it seems there should be a telnet client in existence, that has a "-z switch" to make the telnet command speak SSL - but I couldn't find this binary. This binary though, would fit as your requested debug helper tool.