#6 OpenSSL 检查 HTTPS 和 SMTP (STARTTLS) 连接

OpenSSL HTTPS SMTP TLS 2023-12-10

HTTPS

echo | openssl s_client -connect sendcloud.net:443
echo | openssl s_client -showcerts -connect sendcloud.net:443
echo | openssl s_client -showcerts -debug -connect sendcloud.net:443 >/dev/null
echo | openssl s_client -showcerts -debug -connect sendcloud.net:443 2>/dev/null | openssl x509 -inform pem -noout -text

# 导出证书
openssl s_client -connect sendcloud.net:443 </dev/null | openssl x509 -outform pem > sendcloud.net.cer
# 导出所有证书
openssl s_client -showcerts -connect sendcloud.net:443 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > sendcloud.net.cer
# 查看证书信息
openssl s_client -showcerts -connect sendcloud.net:443 </dev/null | sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -text
# 查看证书链上所有证书信息
OLDIFS=$IFS; IFS=':' certs=$(openssl s_client -showcerts -connect sendcloud.net:443 2>/dev/null </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for cert in ${certs#:}; do echo $cert | openssl x509 -noout -text; done; IFS=$OLDIFS
# # 查看证书链上所有证书 OCSP URI
OLDIFS=$IFS; IFS=':' certs=$(openssl s_client -showcerts -connect sendcloud.net:443 2>/dev/null </dev/null | sed -n '/-----BEGIN/,/-----END/{/-----BEGIN/ s/^/:/; p}'); for cert in ${certs#:}; do echo $cert | openssl x509 -noout -ocsp_uri; done; IFS=$OLDIFS
# -ocsp_uri
# -serial
# -fingerprint
# -subject
# 检查证书在 30 天之后有没有过期
openssl s_client -connect sendcloud.net:443 2>/dev/null </dev/null | openssl x509 -outform pem | openssl x509 -noout -checkend 2592000
# -checkend intmax  Check whether the cert expires in the next arg seconds
# -checkhost val    Check certificate matches host
# -checkemail val   Check certificate matches email
# -checkip val      Check certificate matches ipaddr
echo | openssl s_client -verify_hostname baidu.com -connect sendcloud.net:443 1>/dev/null

SMTP

一样的,只是加 -starttls smtp

echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp
echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | openssl x509 -inform pem -noout -text

其他

校验证书

# echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | openssl verify
# echo | openssl s_client -showcerts -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | openssl verify
echo | openssl s_client -showcerts -connect smtp.sendcloud.net:25 -starttls smtp 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' > smtp.sendcloud.net.cer
openssl verify -CAfile smtp.sendcloud.net.cer smtp.sendcloud.net.cer

IMAP

echo | openssl s_client -connect imap.126.com:143 -starttls imap

测试 TLS 1.3 支持

echo | openssl s_client -connect smtp.sendcloud.net:25 -starttls smtp -tls1_3

OCSP 检测

用上面的 sendcloud.net.cer 举例,需要将文件中第一个证书和下面的其他证书拆开,分成 sendcloud.cer 和 chain.cer

openssl x509 -noout -ocsp_uri -in sendcloud.cer
# http://ocsp.sectigo.com
openssl ocsp -issuer chain.cer -cert sendcloud.cer -text -url http://ocsp.sectigo.com
# Error querying OCSP responder
# 140052849842064:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

遇到上面报错是因为 OSCP 客户端使用 HTTP 1.0,但是服务器端现在都是 1.1,需要 Host 头。

$ openssl ocsp -issuer chain.cer -cert sendcloud.cer -text -url http://ocsp.sectigo.com -header "HOST" "ocsp.sectigo.com"
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 21F3459A10CAA6C84BDA1E3962B127D5338A7C48
          Issuer Key Hash: 17D9D6252767F931C24943D93036448C6CA94FEB
          Serial Number: DB5F1FFAFFB770CA38E8120A6121852E
    Request Extensions:
        OCSP Nonce:
            0410F47624DDB17E9703BFCDCC96E983018B
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 17D9D6252767F931C24943D93036448C6CA94FEB
    Produced At: Dec  9 07:52:17 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 21F3459A10CAA6C84BDA1E3962B127D5338A7C48
      Issuer Key Hash: 17D9D6252767F931C24943D93036448C6CA94FEB
      Serial Number: DB5F1FFAFFB770CA38E8120A6121852E
    Cert Status: good
    This Update: Dec  9 07:52:17 2023 GMT
    Next Update: Dec 16 07:52:16 2023 GMT

    Signature Algorithm: sha256WithRSAEncryption
         5f:65:bf:3e:d1:8c:16:63:76:bc:83:82:b8:a3:67:54:1d:26:
         78:e1:b9:7f:64:c7:61:bc:40:0d:4b:b0:7f:49:29:bc:38:48:
         43:87:a5:dd:a1:e6:b4:74:ce:58:44:24:30:c3:0d:f5:ab:da:
         8c:f9:25:0e:3e:e2:fe:5a:64:5f:32:d9:f5:15:6f:0c:0c:89:
         97:30:f6:6c:07:56:6e:54:81:4f:d3:22:1f:16:94:a0:2b:99:
         49:2f:2c:0f:c8:b7:b4:90:2f:60:01:54:9c:f9:34:c0:c6:e1:
         09:3f:93:d4:dd:a7:0b:34:bb:cb:4b:06:c3:5a:8c:fc:dc:85:
         4f:9d:a7:08:c3:22:98:06:b8:b9:d4:47:51:9c:36:43:f3:53:
         db:f5:d1:2f:4c:a6:97:c7:5a:f5:15:04:c4:94:a4:9e:95:4c:
         03:fd:5a:60:b8:4c:75:e8:02:74:e4:80:1c:8f:17:85:8a:a2:
         9e:b9:5d:74:4a:2e:7d:9f:5e:d8:40:6b:60:63:74:3f:dc:11:
         d4:f6:b4:86:6e:6b:83:8a:ff:57:cf:b4:41:1f:a3:66:b2:e2:
         00:6a:3a:33:dc:c3:3d:13:1d:37:97:d9:9c:d9:b5:9b:24:74:
         24:82:7a:f9:ca:51:b3:39:24:e3:90:f4:ff:4b:8e:be:f8:0f:
         ec:7a:16:55
WARNING: no nonce in response
Response Verify Failure
139766041024400:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
sendcloud.cer: good
        This Update: Dec  9 07:52:17 2023 GMT
        Next Update: Dec 16 07:52:16 2023 GMT

#5 SMTP 校验主机域名

SMTP Email 2023-02-15

Python

import smtplib
import ssl

host = 'smtp.126.com'
s = smtplib.SMTP(host)
context = ssl.create_default_context()
context.check_hostname = True
s.starttls(context=context)
s.quit()

Golang

如果服务器支持 STARTTLS,标准库 net/smtp 的 SendMail 方法就会校验主机名。

package main

import (
    "crypto/tls"
    "fmt"
    "net/smtp"
)

func main() {
    host := "smtp.126.com"
    port := 25
    c, err := smtp.Dial(fmt.Sprintf("%s:%d", host, port))
    if err != nil {
        panic(err)
    }
    tlsConfig := &tls.Config{ServerName: host}
    if err := c.StartTLS(tlsConfig); err != nil {
        panic(err) // panic: x509: certificate is valid for xxx, not yyy
    }
    if err = c.Quit(); err != nil {
        panic(err)
    }
}

#4 Go SMTP 发送邮件

Golang SMTP 2021-01-15 
package main

import (
    "crypto/tls"
    "errors"
    "fmt"
    "net"
    "net/smtp"
)

// ============================================================================

type Transaction struct {
    Host      string
    Port      uint16
    LocalName string
    TlsEnable bool
    Username  string
    Password  string
    MailFrom  string
    RcptTo    []string
    Data      []byte
}

func NewTransaction() Transaction {
    trans := Transaction{}
    return trans
}

func (trans Transaction) Send() error {
    addr := fmt.Sprintf("%s:%d", trans.Host, trans.Port)

    // SendMail(addr string, a Auth, from string, to []string, msg []byte) error
    c, err := smtp.Dial(addr)
    if err != nil {
        return err
    }
    defer c.Close()

    c.Hello(trans.LocalName)

    if ok, _ := c.Extension("STARTTLS"); ok {
        serverName, _, _ := net.SplitHostPort(addr)
        config := &tls.Config{
            InsecureSkipVerify: true,
            ServerName:         serverName,
        }
        if err = c.StartTLS(config); err != nil {
            return err
        }
    } else {
        fmt.Printf("smtp: server doesn't support STARTTLS\n")
    }

    if trans.Username != "" {
        if ok, _ := c.Extension("AUTH"); !ok {
            return errors.New("smtp: server doesn't support AUTH")

        }
        auth := smtp.PlainAuth("", trans.Username, trans.Password, trans.Host)
        if err = c.Auth(auth); err != nil {
            fmt.Println("smtp: authentication failed")
            return err
        }
    }

    if err = c.Mail(trans.MailFrom); err != nil {
        return err
    }

    for _, addr := range trans.RcptTo {
        if err = c.Rcpt(addr); err != nil {
            return err
        }
    }

    w, err := c.Data()
    if err != nil {
        return err
    }

    _, err = w.Write(trans.Data)
    if err != nil {
        return err
    }

    err = w.Close()
    if err != nil {
        return err
    }

    return c.Quit()
}

// ============================================================================

func main() {
    from := "ninedoors@126.com"
    to := "ninedoors@qq.com"
    msg := []byte{}
    fmt.Println("============================================================")
    trans := Transaction{
        "smtp.126.com", 25, "peach", false,
        from, "password",
        from, []string{to},
        msg,
    }
    trans.Send()
}
  1. net/smtp 没有发现有好的日志实现,我只能定制了一个版本实现了日志
  2. smtp.Client -> textproto.Conn -> textproto.Writer

#2 Python 应用: 简易 SMTP 服务器

Python SMTP PythonSimpleServer Email 2018-05-07

Python2

python2 -m smtpd -h
# An RFC 2821 smtp proxy.
# Usage: /usr/lib/python2.7/smtpd.py [options] [localhost:localport [remotehost:remoteport]]
#     --nosetuid, -n
#     --version, -V
#     --class classname, -c classname
#     --debug, -d
#     --help, -h

Python3

python -m smtpd -h
# An RFC 5321 smtp proxy with optional RFC 1870 and RFC 6531 extensions.
# Usage: /usr/lib/python3.9/smtpd.py [options] [localhost:localport [remotehost:remoteport]]
#     --nosetuid, -n  默认会设置用户为 nobody,如果不是 root 会因权限不足失败
#     --version, -V
#     --class classname, -c classname 默认: PureProxy
#     --size limit, -s limit 消息大小限制(RFC 1870 SIZE extension),默认是 33554432 字节,即 32MB
#     --smtputf8, -u 启用 SMTPUTF8 扩展(RFC 6531)
#     --debug, -d
#     --help, -h

# 如果不指定主机,就使用 localhost
# 如果主机是 localhost,端口使用 8025
# 如果是其他主机,端口使用 25
python3 -m smtpd -n

# 默认的 PureProxy 会给转信出去,正常情况会被服务器拒绝
python3 -m smtpd -n -c smtpd.DebuggingServer

Python 3.9 的 PureProxy 有 BUG,会报 process_message() got an unexpected keyword argument 'mail_options'

自定义黑洞服务器

blackhole.py

import smtpd
import time
class BlackHoleServer(smtpd.SMTPServer):
    def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
        print('%s %s %s -> %s' % (time.strftime('%Y-%m-%d %H:%M:%S'), peer, mailfrom, rcpttos))

setup.py

import setuptools
setuptools.setup(name="blackhole", py_modules=["blackhole"])

附件下载:blackhole.zip

python setup.py install --user
python -m smtpd -n -c blackhole.BlackHoleServer

测试

import smtplib
smtp = smtplib.SMTP('localhost', 8025)
from_addr = 'admin@markjour.com'
to_addr = 'you@markjour.com'
smtp.sendmail(from_addr, to_addr,
    f"""From: {from_addr}\nTo: {to_addr}\nSubject: just4fun\n\nhello, world!""")

#1 SMTP 拓展

SMTP Email 2018-04-24

RFC#821 定义的 SMTP 协议非常简单(简陋)。
1993 年,RFC#1425 SMTP Service Extensions 定义了 SMTP 协议的拓展框架。
这个向前兼容的安全拓展框架是通过 EHLO 命令来实现。