s_client's R "feature"

I’ve just spent a few hours brain-haemorrhaging over why my new Postfix server wasn’t allowing me to enter “RCPT TO:” over a STARTTLS connection. Instead it would renegotiate the TLS.

Eventually I found an e-mail by Wietse Venema saying:

Victor Duchovni:
> On Mon, Jan 22, 2007 at 04:31:12PM -0500, Wietse Venema wrote: 
> > RCPT TO:<postmaster>
> You got bit by the "s_client" "R" feature... try "rcpt to:" lower case,
> then it hangs up.

What utter brain damage, a non-transparent SSL client program.

Read this and be warned — we are all stupid, in the eyes of the truly mad s_client


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

no way

Thank you. I can’t believe that was the problem.

I’ve just

I’ve just “encountered” this.

How insane.

OMG, you are a life saver!!

OMG, you are a life saver!! :D
Thanks. I just got bit ;)

Q will get you, too

For future reference, also note that Q is 'q'uit. That one got me while I was trying to diagnose a complicated IMAP problem, where I was prefixing my commands in alphabetical order. Apparently I'd've only gotten one command further...

(This one just bit me with Postfix.)

...and a workaround + patch/bug-report

From looking at the code I figured out that the '-ign_eof' flag will short-circuit this behavior (with the side-effect of not being able to Ctrl+D out of the session).

But the initial surprise is pretty great, and I didn't see why anyone would ever want this particular behavior, so I also filed a bug with two patches against OpenSSL.

"#1872: [PATCH] Change 'Q' and 'R' behavior in s_client" at http://rt.openssl.org/Ticket/Display.html?id=1872

me too



Wow. So glad this was result #1 on Google for "postfix rcpt renegotiating". If there were elections for "stupidest feature ever" I would nominate this R "hotkey". Thanks for sharing this here.

What is this I don't even

After much frustration I ended up posting on Serverfault where somebody linked me to your page. I find it a little amusing that after trawling half the internet I end up finding the answer on a fellow South African's blog. :) Thanks for this post!


[...] I found this in 30 seconds by Googling “openssl s_client RENEGOTIATING”: s_client’s R “feature” [...]

You just made a spaniard happy

Sólo quería decir que te quiero mucho

Two workarounds

It’s surprisingly hard to find workarounds for this online, at least besides “use lowercase” (which doesn’t work, for example, if you’re doing SMTP AUTH LOGIN and your username is “A” which must be entered as “QQ==”).

Anyway, the workarounds:

1. Use the “-quiet” or “-ign_eof” flags when invoking s_client, which both have the side-effect of disabling the “R” and “Q” “features.” (At least this works in some versions* of OpenSSL.)

2. Ditch openssl s_client, and instead use gnutls-cli (https://www.gnu.org/software/gnutls/). Added bonus: you get complete control over all the commands pre-STARTTLS as well.

* $ openssl version
OpenSSL 1.0.0e 6 Sep 2011

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.