SSL: Difference between revisions
Creating page |
→OpenSSL: Added Test a Protocol |
||
| Line 18: | Line 18: | ||
When testing STARTTLS: | When testing STARTTLS: | ||
echo | openssl s_client -starttls smtp -crlf -connect example.domain.com:587 | echo | openssl s_client -starttls smtp -crlf -connect example.domain.com:587 | ||
==Test a Protocol== | |||
openssl s_client -connect example.domain.com:443 -tls1_3 | |||
You can go all the way down to TLS 1.0 (SSLv3 is so old it's not supported anymore): | |||
openssl s_client -connect google.com:443 -tls1 | |||
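Review bot: the two commands added under ==Test a Protocol== give s_client no stdin to close, so they stay attached to the terminal after the handshake instead of returning; the STARTTLS context line just above uses "echo |" for this, and appending </dev/null to both added commands would make them behave the same way. The -tls1 example also switches the target to google.com while the context line and the first added command use example.domain.com; using one placeholder host throughout would keep the section consistent.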
Revision as of 15:02, January 16, 2024
OpenSSL
Get Certificate Information
From a Local File
Basic information for verifying a cert:
cat cert.crt | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates
CentOS 7 has an older version installed that doesn't support the -ext flag, but cPanel servers may have ea-openssl11 installed with an alternate binary path:
cat cert.crt | /opt/cpanel/ea-openssl11/bin/openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates
Decode everything:
openssl x509 -in cert.crt -text -noout
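The `-ext` limitation and the `-text` decode described above can be combined into one check. The following is an added example, not part of the original wiki page; the function names are hypothetical, and it assumes the usual `-text` layout where the SAN entries sit on the line after the "X509v3 Subject Alternative Name:" header.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# sans_from_text: read `openssl x509 -noout -text` (or `-ext subjectAltName`)
# output on stdin and print one SAN entry per line, e.g. "DNS:example.domain.com".
sans_from_text() {
    awk '
        /X509v3 Subject Alternative Name:/ { grab = 1; next }
        grab {
            sub(/^[ \t]+/, "")                    # drop the indentation
            n = split($0, parts, /, */)           # entries are comma separated
            for (i = 1; i <= n; i++) print parts[i]
            exit
        }'
}

# cert_sans FILE [OPENSSL_BIN]: use -ext when the binary supports it, otherwise
# fall back to parsing -text (the CentOS 7 case). OPENSSL_BIN can be the
# alternate path, e.g. /opt/cpanel/ea-openssl11/bin/openssl.
cert_sans() {
    bin=${2:-openssl}
    if out=$("$bin" x509 -in "$1" -noout -ext subjectAltName 2>/dev/null); then
        printf '%s\n' "$out" | sans_from_text
    else
        "$bin" x509 -in "$1" -noout -text | sans_from_text
    fi
}

# san_covers HOST: read SAN lines on stdin; return 0 if a DNS entry equals HOST
# or is a wildcard covering exactly one left-most label of HOST.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r entry; do
        case $entry in
            DNS:*) name=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z') ;;
            *) continue ;;
        esac
        if [ "$name" = "$host" ]; then return 0; fi
        case $name in
            \*.*)
                rest=${host#*.}
                if [ "$rest" != "$host" ] && [ "$rest" = "${name#\*.}" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Usage: cert_sans cert.crt | san_covers example.domain.com && echo covered
```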
From a Remote Certificate
openssl s_client -connect example.domain.com:443 -showcerts -CApath /etc/ssl/certs/ </dev/null
Don't show the CA certs:
openssl s_client -connect example.domain.com:443 -CApath /etc/ssl/certs/ </dev/null
Just show cert names, issuer, and dates:
openssl s_client -connect example.domain.com:443 </dev/null | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates
If SNI is involved:
openssl s_client -servername example.domain.com -connect example.domain.com:443 </dev/null | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates
When testing STARTTLS:
echo | openssl s_client -starttls smtp -crlf -connect example.domain.com:587
Test a Protocol
openssl s_client -connect example.domain.com:443 -tls1_3
You can go all the way down to TLS 1.0 (SSLv3 is so old it's not supported anymore):
openssl s_client -connect google.com:443 -tls1