Loading ...How to: Debug SSL certificate problems from the shell prompt
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL certificates.
To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
Where,
- s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. You can also connect to secure mail server (such as POP3S ~ 995) / web server port (443) and issue commands.
For example connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
Output:
CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
verify return:1
---
Certificate chain
0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhDCCAu2gAwIBAgIJAMgof8IIjdD9MA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
VQQGEwJJTjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw
FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEYMBYGA1UEAwwPKi5jeWJlcmNpdGkuYml6
MSEwHwYJKoZIhvcNAQkBFhJ2aXZla0BuaXhjcmFmdC5jb20wHhcNMDcwOTIwMTEw
MzExWhcNMDgwOTE5MTEwMzExWjCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJl
cmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBM
dGQxGDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2
ZWtAbml4Y3JhZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzYIxz
2JGAgYUJhLnmDbtC5kc+S4AHJHGTZmFuxVZDFOacHPitS4ohwzDadruUONucVZJY
Gi1M9j1jPUBX7oZ7F/Y7pbEO/YMfEPPDGq6uEkkwHDTXRH1qgL6v7q9XtP9Dafck
n3+YeTO0eYk0Or9a6xBqJmuN6M+ajprfXmQ9cwIDAQABo4HxMIHuMB0GA1UdDgQW
BBQH94MQusbxTH8UxH83EpmMz5v5UjCBvgYDVR0jBIG2MIGzgBQH94MQusbxTH8U
xH83EpmMz5v5UqGBj6SBjDCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJlcmtz
aGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQx
GDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2ZWtA
bml4Y3JhZnQuY29tggkAyCh/wgiN0P0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQUFAAOBgQActMUY+8CbFCcxGWvmN95/LsVxZMWWqOGoiFOgqKI9t1T/nBN6TrW5
MYeMwcMbI4OoBo5vnp6mHzcZNoMPiK9DITgb8O/P0EUhjL+QdARJYZX6lLB3qJkP
ts65VY0rFxjIhndtixKP1fLC/K2ovzo+43pE1EQB6UhjhHlHV2v34w==
-----END CERTIFICATE-----
subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
---
No client certificate CA names sent
---
SSL handshake has read 1066 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4
Session-ID-ctx:
Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D
Key-Arg : None
Start Time: 1192732059
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Using grep you can see the SSL and TLS connection handshaking, security negotiate, public keys and transfer of digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
Output:
SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:error in SSLv2/v3 read server hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:error in SSLv3 read finished A SSL_connect:error in SSLv3 read finished A SSL_connect:SSLv3 read finished A SSL handshake has read 1066 bytes and written 316 bytes SSL-Session:
Further readings:
=> OpenSSL man pages and documentation.
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or full RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in...
- Retrieve php’s configure options from the shell prompt
- How to debug a Shell Script under Linux or UNIX
- Tutorial: Working with UNIX and Linux Shell
- Upgrade wordpress quickly in 3 easy steps from UNIX shell prompt
- nixCraft FAQ Roundup
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: debug_ssl_connectivity_problem, debug_ssl_problems, grep_command, Linux, openssl_command, UNIX ~ Last updated on: October 18, 2007
Recent Comments
Today ~ 2 Comments
Today ~ 37 Comments
Today ~ 1 Comment
Yesterday ~ 12 Comments
Yesterday ~ 2 Comments