Tyler's Site

Abstract

In many cases, it can be difficult to gather information about problems with resources using the same tools that an end user would use to access those resources. For example, it may be difficult to understand an email authentication issue by just using an email client to attempt to authenticate. Sometimes the client will provide helpful error codes that can be searched, but other times it might give you a very generic error that is difficult to track down. In such situations, it might be nice to be able to interact with the application a bit more directly to see what might be going on. This is where tools like Telnet and OpenSSL can help out.

Telnet is deprecated and insecure, why use it?

Telnet was originally used as a network protocol to interact with systems remotely. However, because it is a clear text protocol, it is highly insecure and extremely susceptible to various network attacks. That being said, Telnet does still have modern uses. As stated in the Wikipedia article on Telnet:

The Telnet client may be used in debugging network services such as SMTP, IRC, HTTP, FTP or POP3, to issue commands to a server and examine the responses. For example, Telnet client applications can establish an interactive TCP session to a port other than the Telnet server port. However, communication with such ports does not involve the Telnet protocol, because these services merely use a transparent 8-bit TCP connection, because most elements of the telnet protocol were designed around the idea of accessing a command line interface and none of these options or mechanisms is employed in most other internet service connections.

Essentially, telnet can be used to make a TCP connection on an arbitrary port, and the admin can issue commands to the service from the command line to see what the responses are. An example of this, from this StackOverflow post:

telnet stackoverflow.com 80
Trying 172.64.155.249...
Connected to stackoverflow.com.
Connection closed by foreign host.
Escape character is '^]'.
GET /questions HTTP/1.0
Host: stackoverflow.com

HTTP/1.1 403 Forbidden
Date: Tue, 17 Dec 2024 02:14:16 GMT
...

Running those commands will print the application headers (HTTP headers in this case) as well as the response that the server would send to a given client. This example is for HTTP. Using similar commands for this website gives the following response:

Trying 172.245.181.191...
Connected to foxide.xyz.
Escape character is '^]'.
GET /index.html HTTP/1.1
Host: foxide.xyz

HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.2
Date: Tue, 17 Dec 2024 02:20:57 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://foxide.xyz/index.html

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.26.2</center>
</body>
</html>
^CConnection closed by foreign host.

Nginx returns a 301 redirect because I automatically redirect HTTP traffic on port 80 to HTTPS traffic on port 443. Since telnet does not support encryption, how would one go about doing this for HTTPS traffic?

OpenSSL for Modern Command Line Troubleshooting

Modern applications are most likely behind Transport Layer Security (TLS), and telnet will not be able to understand the encrypted traffic; this is where a tool like OpenSSL comes into play, specifically OpenSSL's s_client function. From the OpenSSL man page on s_client:

This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library.

Here is the analog of the telnet example in the previous section, but using OpenSSL’s s_client to perform the same task.

openssl s_client -connect foxide.xyz:443
Connecting to 172.245.181.191
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E6
verify return:1
depth=0 CN=foxide.xyz
verify return:1
---
Certificate chain
 0 s:CN=foxide.xyz
   i:C=US, O=Let's Encrypt, CN=E6
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Oct 21 03:09:36 2024 GMT; NotAfter: Jan 19 03:09:35 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=E6
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDmjCCAx+gAwIBAgISBO5wd7WEOdqbgg2ZxG8R9J3ZMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NjAeFw0yNDEwMjEwMzA5MzZaFw0yNTAxMTkwMzA5MzVaMBUxEzARBgNVBAMTCmZv
eGlkZS54eXowWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASB3sT482vbUr8zsGWd
GGvRVctZVGcXPschnLuTUoxFTT/sgsB6CnyfD3gqIKqGppb4L58t1wdNxMmmCZ0A
Ptrco4ICMDCCAiwwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQtds7pKOO9N/h5hM1N
ovja00JAwzAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEF
BQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggr
BgEFBQcwAoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA6BgNVHREEMzAxghJjb250
YWluLmZveGlkZS54eXqCD2RvY3MuZm94aWRlLnh5eoIKZm94aWRlLnh5ejATBgNV
HSAEDDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AKLjCuRF
772tm3447Udnd1PXgluElNcrXhssxLlQpEfnAAABkq1CxWcAAAQDAEYwRAIgFY8h
E3vu1bTL2UmWBypEhfbN5Fw/cgYjtK0nbwf7YAICIGePDHPQIOpKrkRbGgXx+jxh
qvwyJOCssJaGs/medWCBAHYAE0rfGrWYQgl4DG/vTHqRpBa3I0nOWFdq367ap8Kr
4CIAAAGSrULG2AAABAMARzBFAiATEsvrayeCsWpcm1sGzmuBFP8sazeCDe6i8bfY
LrjV2wIhAPVshF00u1Chtu5C8LEhXhLX3vVNOSClQfAlm/6ZoEsIMAoGCCqGSM49
BAMDA2kAMGYCMQCGExlw5KTniWzQqLRodBDWzGT6RB/TM5Kaux/ARKiX0N7OQnV6
SsJ6xyX+74uyUAQCMQCel3ISqjn2Y0oMBiR5d2p/j8p71KwUTPEnmCkzBBWDDKUE
yF9vARxsOe3ltetRRno=
-----END CERTIFICATE-----
subject=CN=foxide.xyz
issuer=C=US, O=Let's Encrypt, CN=E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2421 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DECD4B808369B03981BD1DFD7CB9510D851C9BBBD77F38AB0C5A4E8916803BC7
    Session-ID-ctx: 
    Resumption PSK: 5AE0AC37D01DC46CECFE733C43D6DDCEECEE801780232EA5B2EE24ED38FFC77B7D0A57A27270B75F1A07F39ACAEB9A29
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 8b f7 43 30 03 60 3b 21-10 ae 15 9b bd 17 ac d8   ..C0.`;!........
    0010 - f5 32 77 0e 39 af 1a 90-ee f0 1c 6d fe f8 8b 95   .2w.9......m....

    Start Time: 1734663386
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 90EACD532A3149074067947556B18A029C09188C70D94D06E48737504FE3B6EF
    Session-ID-ctx: 
    Resumption PSK: 2B3A17104B7E4978AFEFE581A53DAEC95C0AC1C409FDB8EE0D5CF5CF5FA8D91F4653875A3670E656D21F3F5F72F69BC9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - f3 da a3 44 ad b1 8d 65-ad 8c a3 09 95 f2 7d 87   ...D...e......}.
    0010 - c6 c6 f6 98 38 f8 7b 69-c4 c9 af 6c f0 35 ee 35   ....8.{i...l.5.5

    Start Time: 1734663386
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
GET /index.html HTTP/1.1
Host: foxide.xyz

HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Fri, 20 Dec 2024 02:56:46 GMT
Content-Type: text/html
Content-Length: 1157
Last-Modified: Tue, 01 Oct 2024 02:28:32 GMT
Connection: keep-alive
ETag: "66fb5e50-485"
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <link rel="icon" type="image/png" href="favicon.png" />
        <link rel="stylesheet" type="text/css" href="style.css" />
        <link rel="stylesheet" type="text/css" href="../style.css" />
        <title>Tyler's website</title>
    </head>

    <body>
        <header>
            <h1>Tyler's Site</h1>
        </header>
        <nav>
            <a href="https://foxide.xyz/">home</a>&emsp;
            <a href="https://foxide.xyz/articles.html">articles</a>&emsp;
            <a href="https://foxide.xyz/projects.html ">projects</a>&emsp;
            <a href="https://foxide.xyz/consulting.html">consulting</a>&emsp;
            <a href="https://codeberg.org/fac3plant">code</a>
        </nav>
        <article>
            <h1>Tyler's home page</h1>
            <p>Hi my name is Tyler, and this is my home page! I mostly do tech stuff, but may occationally post about other interests as well.</p>

</article>
<footer>
    <p>
        Thank you for visiting the site.
    </p>
</footer>

This time, rather than getting some HTML containing a 301 redirect, we get the HTML for the home page of this site. Wonderful, but what next? Next, it is time to learn the command line.
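The interactive sessions above can also be scripted. The following is an added example, not code from the original article: the function names `http_request`, `http_summary` and `https_probe` are made up for illustration, and only documented `openssl s_client` options are used.

```bash
#!/bin/sh
# Added example: scripted form of the interactive sessions shown above.
# Function names are illustrative, not from the article or from OpenSSL.

# Build the request typed by hand above. HTTP lines end in CRLF, and
# "Connection: close" makes the server hang up after one response so
# the pipeline below terminates on its own.
http_request() {  # usage: http_request HOST PATH
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Reduce a raw HTTP response on stdin to "STATUS [LOCATION]".
# Parsing stops at the blank line that ends the headers, so text in
# the body that looks like a header is ignored.
http_summary() {
  tr -d '\r' | awk '
    NR == 1                    { status = $2 }
    /^$/                       { exit }
    tolower($1) == "location:" { loc = $2 }
    END { print ((loc == "") ? status : (status " " loc)) }'
}

# Send the request over TLS and summarise the reply.
#   -servername          sends SNI so a name-based virtual host answers
#   -verify_return_error aborts on a certificate error; by default
#                        s_client reports the error and carries on
#   -quiet               hides handshake output and turns off the
#                        interactive commands, so input lines starting
#                        with R or Q are sent instead of renegotiating
#                        or quitting
https_probe() {  # usage: https_probe HOST [PATH]
  http_request "$1" "${2:-/}" |
    openssl s_client -quiet -verify_return_error \
      -connect "$1:443" -servername "$1" 2>/dev/null |
    http_summary
}

# Run a probe only when a host is given, e.g.: sh probe.sh foxide.xyz
if [ -n "${1:-}" ]; then
  https_probe "$1" "${2:-/}"
fi
```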

Actually Working with the Command Line

Many people find working in the command line difficult; however, when most people speak of working in the command line, they mean command line applications such as cat, grep, or vi. This section is not about that command line; rather, it is about the application command line for the various layer 7 protocols (the Application Layer in the OSI model). Unfortunately, outlining all of the basic commands for all of the various Requests for Comments (RFCs) that telnet and/or OpenSSL can work with would be A LOT of information. Additionally, there is a chance that I would not communicate a piece of an RFC accurately or would otherwise miss something. So, rather than doing that, I am going to include some resources on RFCs that might be commonly needed or wanted, as well as the website to look for other RFCs that are not on the list.

Finding further help than this will require finding the RFC on RFC Editor or searching online via your favorite search engine.