SSL

Revision as of 15:02, January 16, 2024 by J-Admin (talk | contribs) (OpenSSL: Added Test a Protocol)

OpenSSL

Get Certificate Information

From a Local File

Basic information for verifying a cert:

cat cert.crt | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

CentOS 7 ships an older OpenSSL that doesn't support the -ext flag, but cPanel servers may have the ea-openssl11 package installed, which provides a newer binary at an alternate path:

cat cert.crt | /opt/cpanel/ea-openssl11/bin/openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

Decode everything:

openssl x509 -in cert.crt -text -noout

From a Remote Certificate

openssl s_client -connect example.domain.com:443 -showcerts -CApath /etc/ssl/certs/ </dev/null

Don't show the CA certs:

openssl s_client -connect example.domain.com:443 -CApath /etc/ssl/certs/ </dev/null

Just show cert names, issuer, and dates:

openssl s_client -connect example.domain.com:443 </dev/null | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

If SNI is involved (the server picks its certificate by the name sent in the handshake):

openssl s_client -servername example.domain.com -connect example.domain.com:443 </dev/null | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

When testing STARTTLS:

echo | openssl s_client -starttls smtp -crlf -connect example.domain.com:587

Test a Protocol

openssl s_client -connect example.domain.com:443 -tls1_3

You can go all the way down to TLS 1.0 (SSLv3 is so old that current OpenSSL builds no longer support it):

openssl s_client -connect google.com:443 -tls1
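As an added example (not part of the original wiki page), a small POSIX shell script that runs the per-version s_client checks above against one host and reports which TLS versions it accepts. The hostname and port are placeholder arguments, and the parsing assumes the "Protocol" and "Cipher" lines of the SSL-Session block that s_client prints, where "Cipher : 0000" means the handshake did not complete.

```shell
#!/bin/sh
# Added example: probe a server for each TLS version using the s_client
# flags from this page, then read the negotiated protocol and cipher back
# out of s_client's SSL-Session block.

# Extract the negotiated protocol ("    Protocol  : TLSv1.3" -> "TLSv1.3").
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Extract the negotiated cipher ("    Cipher    : 0000" -> "0000").
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 when the captured output shows a completed handshake: s_client
# prints a real cipher name on success and "0000" (or nothing) on failure.
accepted() {
    c=$(negotiated_cipher "$1")
    [ -n "$c" ] && [ "$c" != "0000" ]
}

# Try each version flag against host:port (port defaults to 443). A
# "rejected" result can also come from the local OpenSSL build's own
# minimum-protocol setting, not only from the server, so confirm with a
# second client before reporting a finding.
probe_protocols() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -servername "$host" -connect "$host:$port" "$flag" </dev/null 2>&1)
        if accepted "$out"; then
            echo "$flag accepted ($(negotiated_protocol "$out"), $(negotiated_cipher "$out"))"
        else
            echo "$flag rejected"
        fi
    done
}

# Constructed sample outputs (trimmed to the relevant lines) for offline checks.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
Verify return code: 0 (ok)'

# Usage: sh probe.sh example.domain.com [443]  (hostname is a placeholder)
if [ -n "${1:-}" ]; then
    probe_protocols "$1" "${2:-443}"
fi
```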