Python STDOUT to file with openssl subprocess

I am trying to write a python script to automate the process of checking for SSL renegotiation through openSSL and output the results to a file. I have run into 2 problems.

My first problem is that the output from the initial handshake gets written to the file, however the actual renegotiation part does not. It is instead displayed on the console.

import subprocess

FILE = open('results.txt', 'w')  # output file (name chosen for illustration)
# "R" on stdin tells s_client to renegotiate; only stdout is redirected here
subprocess.call("echo \"R\" | openssl s_client -connect example.com:443",
                shell=True, stdout=FILE)

My other problem (although this may be the wrong spot for it) is that I cannot get the openSSL command to work for sending the GET command.

subprocess.call("echo -e \"GET / HTTP/1.1\r\n\r\n\" | openssl s_client -connect example.com:443",
                shell=True)

Again, the initial connection is set up but then openSSL exits; it does not process the GET request.

Any help would be greatly appreciated. Thanks.

Drew asked Dec 21 '25 06:12


2 Answers

There's no reason to use shell=True for inputs. Instead, use stdin=subprocess.PIPE. Also, note that your request is not valid since HTTP 1.1 requires the Host header. Additionally, I can't think of a reason to use the command line openssl instead of the ssl module.

That being said, here's a working example:

import subprocess

# stdout (the HTTP answer) goes to the file; stderr (handshake chatter) is captured separately
with open('http_answer', 'w') as f:
    _, log = subprocess.Popen(
        ['openssl', 's_client', '-quiet', '-connect', 'twitter.com:443'],
        stdout=f, stderr=subprocess.PIPE, stdin=subprocess.PIPE
    ).communicate(b'GET / HTTP/1.0\r\n\r\n')  # pipes carry bytes, not str
print('Output of SSL:\n' + log.decode('utf-8', 'replace'))
phihag answered Dec 22 '25 18:12


Keep in mind that openssl s_client also uses stderr for some of the output. You need to check whether the renegotiation goes to stderr, which I believe it does, though my memory might be fading.

I've accomplished this in a different way, though not in python. I've created a process and hooked the stdin, stdout, stderr file descriptors to ones I can read/write and I actually drive the input and read the output. It is a bit more work, but you have full control over what is going on and interacting with the process. I've done this in php and the test is available online at http://netsekure.org/2009/11/tls-renegotiation-test/.

Alternatively, you can just try using python to program openssl itself, instead of using the s_client, but this is more work and I've used the previous approach.

There are two things you can be checking and you didn't make it clear which one you are interested in:

  • checking whether remote server supports client initiated renegotiation
  • checking whether remote server supports the secure renegotiation extension

Both of these can be simply deduced by just doing s_client and grep for the keywords applicable to both cases. It all depends on how much control/sophistication you need.

Nasko answered Dec 22 '25 20:12
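The following is an added example that is not code from the question or from either answer; it puts the two answers together in Python 3: feed `openssl s_client` through a stdin pipe instead of `shell=True` (first answer), merge stderr into the output file because the handshake summary and the `RENEGOTIATING` marker are written to stderr (second answer), and then grep the saved transcript for the keywords that distinguish the secure renegotiation extension from client-initiated renegotiation. It assumes the `openssl` binary is on PATH, uses `example.com:443` from the question as a placeholder target, and the rule that a failed renegotiation shows up as an OpenSSL `:error:` or `alert` line after the marker is an assumption; the two sample transcripts are constructed, trimmed stand-ins for real captures so the classifier can be exercised offline.

```python
import subprocess

# Keywords openssl s_client prints; the error hints are an assumption about
# how a refused client-initiated renegotiation surfaces in the transcript.
SECURE_RENEG_SUPPORTED = "Secure Renegotiation IS supported"
SECURE_RENEG_UNSUPPORTED = "Secure Renegotiation IS NOT supported"
RENEG_MARKER = "RENEGOTIATING"
ERROR_HINTS = (":error:", "alert")


def build_http_request(host, path="/", version="1.1"):
    """Build a minimal request; HTTP/1.1 requires a Host header, HTTP/1.0 does not."""
    lines = ["GET %s HTTP/%s" % (path, version)]
    if version == "1.1":
        lines.append("Host: %s" % host)
        lines.append("Connection: close")  # let the server close, so s_client sees EOF
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def run_s_client(host, port, stdin_data, outfile, timeout=30):
    """Run openssl s_client with stdin_data on its stdin; stdout and stderr
    are merged into outfile so the renegotiation output is not lost on the
    console. Returns the process exit status."""
    with open(outfile, "wb") as f:
        proc = subprocess.Popen(
            ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
             "-servername", host],
            stdin=subprocess.PIPE, stdout=f, stderr=subprocess.STDOUT,
        )
        proc.communicate(stdin_data, timeout=timeout)  # closes stdin -> s_client exits
    return proc.returncode


def classify_renegotiation(transcript):
    """Grep a saved s_client transcript for the two properties the second
    answer distinguishes. None means the transcript gave no evidence."""
    result = {"secure_renegotiation": None, "client_renegotiation": None}
    if SECURE_RENEG_SUPPORTED in transcript:
        result["secure_renegotiation"] = True
    elif SECURE_RENEG_UNSUPPORTED in transcript:
        result["secure_renegotiation"] = False
    lines = transcript.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == RENEG_MARKER:
            after = lines[i + 1:]
            failed = any(h in l for l in after for h in ERROR_HINTS)
            result["client_renegotiation"] = not failed
            break
    return result


# Constructed sample transcripts (not real captures), trimmed to the relevant lines.
SAMPLE_ALLOWS = """\
CONNECTED(00000003)
---
Secure Renegotiation IS supported
---
RENEGOTIATING
depth=0 CN = example.test
verify return:1
DONE
"""

SAMPLE_REFUSES = """\
CONNECTED(00000003)
---
Secure Renegotiation IS NOT supported
---
RENEGOTIATING
140735277600768:error:14094153:SSL routines:ssl3_read_bytes:no renegotiation:s3_pkt.c:1294:
"""


if __name__ == "__main__":
    host, port = "example.com", 443  # placeholder target from the question
    # 1) a valid HTTP/1.1 request, answer and handshake both saved to one file
    run_s_client(host, port, build_http_request(host), "http_answer.txt")
    # 2) "R" asks s_client to renegotiate; classify what the server did
    run_s_client(host, port, b"R\n", "reneg.txt")
    with open("reneg.txt", "rb") as f:
        print(classify_renegotiation(f.read().decode("utf-8", "replace")))
```

Merging stderr into the file is what fixes the asker's first problem; sending the request through a pipe (rather than `echo`) and asking for `Connection: close` is what lets the HTTP/1.1 request complete before stdin is closed. If you only want the secure renegotiation extension, the keyword check on a plain `s_client` run is enough; the `R` round trip is needed only for client-initiated renegotiation.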


