Manually Test STARTTLS
Testing a TLS or SSL connection is not possible using telnet, since it lacks the necessary support. The OpenSSL library and tool suite does provide a means of manual testing TLS and SSL connections using s_client:
$ openssl s_client -help ...
SSL connection to POPS port 995
Some protocols like https, pops, imaps, and ftps expect a socket to immediately start the security layer handshake process upon connection. Here is an example of a SSL connection to POPS:
$ openssl s_client -connect mail.example.com:995 ... (lots of output about handshake and certificate details) ... +OK POP3 mail.example.com 2007f.104 server ready QUIT +OK Sayonara read:errno=0 $
TLS connection over SMTP port 25
TLS, on the other hand, is a little more involved, since the initial connection starts as an open unencrypted channel to the server which then expects some STARTTLS command suitable for a given protocol to transition to encrypted communications. The client software has to recognise and handle the various forms of STARTTLS so that it can begin the necessary handshakes. So for s_client we tell it which protocol is being used and let it figure out the rest. Currently s_client only supports STARTTLS for SMTP, POP, IMAP, and FTP.
$ openssl s_client -connect mail.example.com:25 -starttls smtp -tls1 ... (lots of output about handshake, certificate details, and EHLO reply) ... 250 HELP QUIT DONE $
Scripting TLS connection over SMTP port 25
Scripting with OpenSSL s_client tool can be a little tricky to get working correctly. openssl s_client will read from redirected standard input or from shell "here" documents, however, there are caveats. First you need to apply the -crlf option to ensure that all the LF newlines are converted to CRLF newlines, else some MTAs will treat all the input as one long line and eventually exceed the RFC 5321 command and/or text line limits. Next you need the -ign_eof option and an explicit SMTP QUIT at the end of the SMTP command input; without it, the standard input EOF terminates the script before s_client finishes processing. Finally the -quiet option simply hushes the extraneous certificate information.
$ openssl s_client -quiet -crlf -ign_eof -connect mail.example.com:25 -starttls smtp <<EOF > HELP > QUIT > EOF ... (connection details, last line of EHLO, HELP reply, QUIT reply) ... $