000011696 - Using openssl as a substitute for telnet on the appliance 3.0

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000011696
Applies To: RSA Appliance 3.0
telnet openssl
 
Issue: Cannot run the telnet client on the RSA Appliance 3.0.
 
Cause: Many current versions of Linux, including the rPath Linux used in the RSA Appliance 3.0, are not configured with a Telnet server by default, because the Telnet protocol uses clear text and is inherently insecure. The RSA Appliance also doesn't include a Telnet client, which would have other uses, such as testing open ports on itself or another system. However, the RSA Appliance does include the OpenSSL tool, which can be used in a similar way to test that a connection can be made (and which also gives additional information about the SSL connection). There are various articles on the Internet about how to use openssl; here are a couple of quick commands that replace port testing with telnet:
openssl s_client -connect fqhn:port
where:
   fqhn:  the fully-qualified hostname of the target system
   port:  the port on the target system that you are trying to connect to
An example of the command and its output, when connecting to port 7072 of the Operations Console, is below:
 
Resolution: The CONNECTED line shows that the connection was made; the rest is additional information about the connection.
 

-bash-3.00$ openssl s_client -connect cs-appliance3-05.na.rsa.net:7072
CONNECTED(00000003)
depth=1 /CN=RSA Authentication Manager Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=cs-appliance3-05.na.rsa.net
   i:/CN=RSA Authentication Manager Root CA
 1 s:/CN=RSA Authentication Manager Root CA
   i:/CN=RSA Authentication Manager Root CA
---
Server certificate
subject=/CN=cs-appliance3-05.na.rsa.net
issuer=/CN=RSA Authentication Manager Root CA
---
No client certificate CA names sent
---
SSL handshake has read 1652 bytes and written 452 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: A7098CB3A62C7A3DB3809B687B39ED7A
    Session-ID-ctx:
    Master-Key: F2E98CD4E9CF85A0A7ADBD0B754B032A25FA57CF6B0E198A90C5CCB2FABF9BBE87108135F71E30A18DFB976A007C6F1A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1313674278
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0
-bash-3.00$

Notes: Some other possible outputs:
Replication port 2334 may give an SSL handshake error even when it is up and listening. Replication control 7002 works the same as above.
openssl s_client -connect cs-appliance3-03.na.rsa.net:2334
CONNECTED(00000003)
22394:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
 
-bash-3.00$ openssl s_client -connect cs-appliance3-05.na.rsa.net:7004
connect: Connection refused
connect:errno=29
The target host can be reached, but not the target port, as the host is refusing the connection. Check services.

-bash-3.00$ openssl s_client -connect blockedhost.company.com:7004
connect: Connection timed out
connect:errno=29
A connection to the target host cannot be made. Check the name/IP, that the target host is running, and network connectivity (such as a firewall).
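
The four outcomes shown above (SSL session established, connected but handshake failure, connection refused, connection timed out) can be told apart mechanically when checking several ports. The following is an added example, not part of the original RSA article; the function names and the `</dev/null` redirection in `probe_port` are assumptions, and the sample strings are excerpts of the outputs shown in this article.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -connect host:port` output into
# the four outcomes the article describes. Reads the captured output on stdin.
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"Connection refused"*)   echo "refused"; return ;;      # host up, port closed
        *"Connection timed out"*) echo "unreachable"; return ;;  # name/IP, host down, firewall
    esac
    case "$out" in
        *"CONNECTED("*"handshake failure"*) echo "open-handshake-failed" ;;  # listening, SSL failed
        *"CONNECTED("*)                      echo "open" ;;                   # listening, SSL session up
        *)                                   echo "unknown" ;;
    esac
}

# Pull the numeric "Verify return code" out of a session summary (empty if absent).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Hypothetical wrapper: probe one host:port. stdin is /dev/null (assumption)
# so s_client exits after the handshake instead of waiting for typed input.
probe_port() {
    openssl s_client -connect "$1" </dev/null 2>&1 | classify_s_client
}

# Excerpts of the outputs shown in this article, used as offline sample input.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-MD5
    Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_HANDSHAKE='CONNECTED(00000003)
22394:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=29'
SAMPLE_TIMEOUT='connect: Connection timed out
connect:errno=29'

# Classify each sample without touching the network.
for s in "$SAMPLE_OK" "$SAMPLE_HANDSHAKE" "$SAMPLE_REFUSED" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$s" | classify_s_client
done
```

On a live system, `probe_port fqhn:port` runs the same command as the article and prints one of the classification words.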
 
Legacy Article ID: a55632
