I am trying to use the GnuWin32 version of OpenSSL to fetch certificates from several WebSphere MQ queue managers. All attempts result in OpenSSL keeping the connection open until I manually hit ENTER.
I tried piping various text into the command as per this SO question and this SO question, but with no luck.
Ideally, OpenSSL would close the connection once the input file or piped text hit EOF.
Examples:
echo QUIT | openssl s_client -connect qmgrhost:1414 -showcerts
openssl s_client -connect qmgrhost:1414 -showcerts < responsefile.txt
The examples using the QUIT
command appear to work in the other SO question because they are hitting an HTTP server. Since this is WMQ in my case, the connection handshake is different and sending QUIT
(or anything else I've tried) doesn't get it to close the connection. I could probably feed it a giant file until the QMgr choked and killed the connection but I'm trying to be as polite as possible to the server. The current method of supplying an ENTER from the keyboard is causing FDC dumps on each connection as it is, setting off all kinds of alarms and making the Tivoli guys mad at me.
So best case would be a string or hex value the QMgr interprets as a graceful rejection and closes the connection. Second best case is any method that allows this to be scripted and we'll accept the FDC files as a cost of automating this function.
UPDATE: 31 May 2013
I've since moved to AIX where this works perfectly. The s_client hangs up immediately after making the connection when run in a script and piping a newline into it. However, I'd still like to have a solution for Windows. Does anyone know if the Cygwin version works or has the same problem? Is it Windows signalling/POSIX issue? Code bug?
It seems that this problem is related to a synchronization issue between the Batch file and the openssl.exe program. I need your collaboration in order to do some tests and report the result. Below is a Batch-JScript hybrid script for the first test. The JScript section have two parts; the first one WScript.Stdout.WriteLine("QUIT");
is entirely equivalent to echo QUIT
Batch command. The second part (with two lines) is similar, but it load the keyboard buffer with "QUIT" and an Enter key instead of send the string via STDOUT.
I need you to make a test with both sections of the JScript code and report the result (the double-slash //
mark the rest of the line as comment). If we are lucky, the openssl.exe
program will end with the Sendkeys
method; if not, try to send a "QUIT" string via STDOUT
and type just an Enter key with Sendkeys
. If the openssl.exe
program terminate before returning the desired information then the problem is almost solved, because in this case we can synchronize the sending of the Enter key until the desired information had been received from openssl.exe
.
Save the following as a .bat
file. Try it, then comment out the Wscript
line, uncomment the WshShell
lines, and then try it again.
@if (@CodeSection == @Batch) @then
:: The first line above is...
:: in Batch: a valid IF command that does nothing.
:: in JScript: a conditional compilation IF statemente that is false,
:: so this section is omitted until next "at-sign end".
@echo off
CScript //nologo //E:JScript "%~F0" | openssl s_client -connect qmgrhost:1414 -showcerts
goto :EOF
@end
// JScript section
WScript.Stdout.WriteLine("QUIT");
// var WshShell = WScript.CreateObject("WScript.Shell");
// WshShell.SendKeys("QUIT{ENTER}");
You may also try with String.fromCharCode(26)
to generate a Ctrl-Z (EOF) character, both in WriteLine
or Sendkeys
methods; for example:
WshShell.SendKeys("QUIT{ENTER}" + String.fromCharCode(26));