Use the openssl Command to Test Certificate Installations

To see how this inclusion page fits in with similar ones, perhaps see one of

IncludeCertTestOpenssl
The openssl command has an s_client sub-command which can be a simple client for SSL smtp, imap, pop or ftp.
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:465
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls smtp -crlf -connect mail.cs.uwaterloo.ca:25
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap
    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:imaps
    arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls pop3 -crlf -connect plg2.cs.uwaterloo.ca:110
    arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect plg2.cs.uwaterloo.ca:995

I had to hunt around for a pop3 example, because that is being shut down. The output from the above is lengthy, and includes the main server certificate. You can use the openssl command to view its details.

Other options can be given to the above. Most useful might be -showcerts which will show the entire certificate chain. Also -CAfile <file> or -CApath <dir>.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -showcerts -CApath /etc/ssl/certs -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap

-starttls http is not supported, since there is no such concept. But since https is a standard SSL protocol port, the following does work to view the certificate used by https:

   arpepper@cscfpc20:~$ cat /dev/null | openssl s_client -crlf -connect cs.uwaterloo.ca:443

Since openssl x509 -text does ignore information outside the recognized CERTIFICATE area, the above commands can all be piped directly into it.

    arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text

There might be a little untidy stderr output at the beginning, so...

    arpepper@cscfpc20:~$ echo 0 logout | 2>/dev/null openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text


IncludeAdrianReferers

Referers

This topic IncludeCertTestOpenssl is referred to by...

-- AdrianPepper - 2013-07-08

Topic revision: r2 - 2013-11-01 - AdrianPepper
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback