Use Openssl to tunnel plaintext connections over SSL/TLS

Published: 2021-08-24 11:35:56 +0000
Categories: Misc,




It's not a common requirement, but sometimes you want to have something to use a plaintext connection, and then tunnel that onwards over a TLS connection.

My most common use for this is to make it easy to intercept/inspect behaviour between some software and a HTTPS endpoint controlled by someone else - if you can get the software to make a plaintext connection, you can tunnel it onwards whilst running pcaps/logging to observe the conversation

To achieve this, we

  • Create a FIFO to pass output through
  • Have netcat listen on a port of our choosing
  • Pass netcat's output into the FIFO, and read from the FIFO
  • Read the FIFO into OpenSSL's s_client to effect the tunnel
  • Have our plaintext app speak to netcat


mkfifo foobar

# With logging to /tmp/testlog
nc -k -l $PORT < foobar | tee /tmp/testlog | openssl s_client -quiet -connect $DEST_NAME:443 -servername $DEST_NAME | tee -a /tmp/testlog >foobar

# Without logging
nc -k -l $PORT < foobar | openssl s_client -quiet -connect $DEST_NAME:443 -servername $DEST_NAME > foobar

Usage Example

mkfifo foobar
nc -k -l 4444 < foobar | tee -a /tmp/testlog | openssl s_client -quiet -connect -servername | tee -a /tmp/testlog >foobar

# Place a requests
curl -H "Host:"

# Request headers and the response will be logged to /tmp/testlog
# you can also just run a packet capture against 4444 to get 
# the entire plaintext conversation
# tcpdump -i lo -s0 -w cap.pcap -v port 4444

# Although we've used HTTP for an example, this will work for various other protocols too.

# For a slightly more advanced example, we might also want to manipulate the output somehow
nc -k -l 4444 < foobar | tee -a /tmp/testlog | openssl s_client -quiet -connect -servername | sed '~s/bentasker/me/g' | tee -a /tmp/testlog >foobar

# or even manipulate the input
nc -k -l 4444 < foobar | tee -a /tmp/testlog | python my_evil_script | openssl s_client -quiet -connect -servername | tee -a /tmp/testlog >foobar


openssl, tunnel, s_client,

Latest Posts

Copyright © 2022 Ben Tasker | Sitemap | Privacy Policy
Available at, http://phecoopwm6x7azx26ctuqcp6673bbqkrqfeoiz2wwk36sady5tqbdpqd.onion and http://snippets.bentasker.i2p
hit counter