OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL certificates.
To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
Where,
- s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. You can also connect to secure mail server (such as POP3S ~ 995) / web server port (443) and issue commands.
For example connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
Output:
CONNECTED(00000003) depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/[email protected] verify error:num=18:self signed certificate verify return:1 depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/[email protected] verify return:1 --- Certificate chain 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/[email protected] i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/[email protected] --- Server certificate -----BEGIN CERTIFICATE----- MIIDhDCCAu2gAwIBAgIJAMgof8IIjdD9MA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD VQQGEwJJTjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEYMBYGA1UEAwwPKi5jeWJlcmNpdGkuYml6 MSEwHwYJKoZIhvcNAQkBFhJ2aXZla0BuaXhjcmFmdC5jb20wHhcNMDcwOTIwMTEw MzExWhcNMDgwOTE5MTEwMzExWjCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJl cmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBM dGQxGDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2 ZWtAbml4Y3JhZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzYIxz 2JGAgYUJhLnmDbtC5kc+S4AHJHGTZmFuxVZDFOacHPitS4ohwzDadruUONucVZJY Gi1M9j1jPUBX7oZ7F/Y7pbEO/YMfEPPDGq6uEkkwHDTXRH1qgL6v7q9XtP9Dafck n3+YeTO0eYk0Or9a6xBqJmuN6M+ajprfXmQ9cwIDAQABo4HxMIHuMB0GA1UdDgQW BBQH94MQusbxTH8UxH83EpmMz5v5UjCBvgYDVR0jBIG2MIGzgBQH94MQusbxTH8U xH83EpmMz5v5UqGBj6SBjDCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJlcmtz aGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQx GDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2ZWtA bml4Y3JhZnQuY29tggkAyCh/wgiN0P0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B AQUFAAOBgQActMUY+8CbFCcxGWvmN95/LsVxZMWWqOGoiFOgqKI9t1T/nBN6TrW5 MYeMwcMbI4OoBo5vnp6mHzcZNoMPiK9DITgb8O/P0EUhjL+QdARJYZX6lLB3qJkP ts65VY0rFxjIhndtixKP1fLC/K2ovzo+43pE1EQB6UhjhHlHV2v34w== -----END CERTIFICATE----- subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/[email protected] issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/[email protected] --- No client certificate CA names sent --- SSL handshake has read 1066 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4 Session-ID-ctx: Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D Key-Arg : None Start Time: 1192732059 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
Using grep you can see the SSL and TLS connection handshaking, security negotiate, public keys and transfer of digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
Output:
SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:error in SSLv2/v3 read server hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:error in SSLv3 read finished A SSL_connect:error in SSLv3 read finished A SSL_connect:SSLv3 read finished A SSL handshake has read 1066 bytes and written 316 bytes SSL-Session:
Further readings:
=> OpenSSL man pages and documentation.
1 comment
I tried the above information and it did not work on sites that were functioning properly.
openssl s_client -connect test2-cqr2.meap.me:443
Gave me:
socket: Connection refused
connect:errno=111
openssl s_client -state -nbio -connect test2-cqr2.meap.me:443 2>&1 | grep “^SSL”
Gave me no response.