How to: Debug SSL certificate problems from the shell prompt

last updated in Categories Apache, Howto, Linux, Security, Shell scripting, Sys admin, Tips, Troubleshooting, UNIX

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL certificates.

To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
Where,

  • s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. You can also connect to secure mail server (such as POP3S ~ 995) / web server port (443) and issue commands.

For example connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
Output:

CONNECTED(00000003)
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
verify return:1
---
Certificate chain
 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
   i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDhDCCAu2gAwIBAgIJAMgof8IIjdD9MA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD
VQQGEwJJTjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw
FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEYMBYGA1UEAwwPKi5jeWJlcmNpdGkuYml6
MSEwHwYJKoZIhvcNAQkBFhJ2aXZla0BuaXhjcmFmdC5jb20wHhcNMDcwOTIwMTEw
MzExWhcNMDgwOTE5MTEwMzExWjCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJl
cmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBM
dGQxGDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2
ZWtAbml4Y3JhZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzYIxz
2JGAgYUJhLnmDbtC5kc+S4AHJHGTZmFuxVZDFOacHPitS4ohwzDadruUONucVZJY
Gi1M9j1jPUBX7oZ7F/Y7pbEO/YMfEPPDGq6uEkkwHDTXRH1qgL6v7q9XtP9Dafck
n3+YeTO0eYk0Or9a6xBqJmuN6M+ajprfXmQ9cwIDAQABo4HxMIHuMB0GA1UdDgQW
BBQH94MQusbxTH8UxH83EpmMz5v5UjCBvgYDVR0jBIG2MIGzgBQH94MQusbxTH8U
xH83EpmMz5v5UqGBj6SBjDCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJlcmtz
aGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQx
GDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2ZWtA
bml4Y3JhZnQuY29tggkAyCh/wgiN0P0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQUFAAOBgQActMUY+8CbFCcxGWvmN95/LsVxZMWWqOGoiFOgqKI9t1T/nBN6TrW5
MYeMwcMbI4OoBo5vnp6mHzcZNoMPiK9DITgb8O/P0EUhjL+QdARJYZX6lLB3qJkP
ts65VY0rFxjIhndtixKP1fLC/K2ovzo+43pE1EQB6UhjhHlHV2v34w==
-----END CERTIFICATE-----
subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddress=vivek@nixcraft.com
---
No client certificate CA names sent
---
SSL handshake has read 1066 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4
    Session-ID-ctx:
    Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D
    Key-Arg   : None
    Start Time: 1192732059
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Using grep you can see the SSL and TLS connection handshaking, security negotiate, public keys and transfer of digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
Output:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1066 bytes and written 316 bytes
SSL-Session:

Further readings:

=> OpenSSL man pages and documentation.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

1 comment

  1. I tried the above information and it did not work on sites that were functioning properly.

    openssl s_client -connect test2-cqr2.meap.me:443
    Gave me:
    socket: Connection refused
    connect:errno=111

    openssl s_client -state -nbio -connect test2-cqr2.meap.me:443 2>&1 | grep “^SSL”

    Gave me no response.

    Have a question? Post it on our forum!

Tagged as: Tags , , , , ,