MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
June
Sun Mon Tue Wed Thu Fri Sat
 
18
       
2020
Months
Jun
Jul Aug Sep
Oct Nov Dec


Thu, Jun 18, 2020 7:44 pm

Verifying a website's security certificate with openssl

You can verify a website's security certificate from a command line interface (CLI), such as a shell prompt, by using OpenSSL, which is available for Linux, macOS, Microsoft Windows and other operating systems — for a Windows version, see the instructions at How to install the most recent version of OpenSSL on Windows 10 in 64 Bit. To check a certificate, you can issue the command openssl s_client -connect example.com:443 -showcerts, substituting the fully qualified domain name (FQDN) of the site you wish to check for example.com. The output for example.com is shown below.

$ openssl s_client -connect example.com:443 -showcerts         CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHQDCCBiigAwIBAgIQD9B43Ujxor1NDyupa2A4/jANBgkqhkiG9w0BAQsFADBN
<text snipped>
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 907C391C745555481A141A04D65B7CD175BD5E052FF39EFD17B30848D535F0D1
    Session-ID-ctx:
    Master-Key: 9DC337D789BB8DB7CCE82BBC3EAD28C4A9E98016C98D35AD9A6B737C0B76AE3118881303F7E7890BEE0567FFC402B5F9
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b1 7d 3a 56 0e 17 8f 5a-37 b0 4b 03 dd de 8d 98   .}:V...Z7.K.....
    0010 - 59 36 bb 73 43 e2 95 2a-9b 2e de ef 99 5e 92 d8   Y6.sC..*.....^..
    0020 - 3a 16 b6 4d 78 2b c6 a4-58 a5 5b 2e c0 8a 1f a6   :..Mx+..X.[.....
    0030 - e6 35 dd 8d 77 fb 4e 09-82 94 c0 8c 6e f8 56 41   .5..w.N.....n.VA
    0040 - 9a bb 82 a6 b1 30 5d bc-38 24 00 9c a6 a3 10 c5   .....0].8$......
    0050 - 6f cc e8 c8 25 62 6f e0-8f 7d 1a d9 18 6a db 32   o...%bo..}...j.2
    0060 - 48 07 df b0 15 fc 98 a0-5d 27 93 df 20 4c 6c ae   H.......]'.. Ll.
    0070 - cf 95 23 49 d0 c0 57 10-c1 8b 12 fa b0 c4 33 41   ..#I..W.......3A
    0080 - 2f 21 cf df dc 9a 1f 44-68 a3 76 81 0f b8 04 ab   /!.....Dh.v.....
    0090 - 59 e7 c4 29 79 28 f9 45-43 82 b9 a0 5a e5 6d 5a   Y..)y(.EC...Z.mZ

    Start Time: 1592522720
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
$

If you wish to check on whether a particular cipher is supported, you can use the command openssl s_client -cipher followed by the particular cipher for which you wish to connect and then -connect followed by the FQDN, a colon, and then the HTTPS port, port 443, as shown below for example.com. If you see the response "handshake failure" as in the example below, the cipher is not supported.

$ openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect example.com:443
CONNECTED(00000003)
140497569793952:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1592522976
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
$

If the cipher is supported, you will see "connected" instead, as shown below.

$ openssl s_client -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect example.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
<text snipped>
   Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 27 d3 5d a3 cf ac 34 0b-92 af c6 00 17 0d 15 bc   '.]...4.........
    0010 - 6b be b4 92 dc 1a 01 97-98 9c f4 2b 68 f7 fd 69   k..........+h..i
    0020 - 1c fd 25 16 21 ba aa f9-43 2b 1a 4b 54 d8 48 37   ..%.!...C+.KT.H7
    0030 - 90 f7 2f 3f 76 d1 88 22-cf db 43 77 55 40 d2 41   ../?v.."..CwU@.A
    0040 - c8 3a 8c f5 75 02 9b 88-92 92 38 f3 53 46 e7 48   .:..u.....8.SF.H
    0050 - 9a bf 2d db 78 00 cd 12-2c 30 fc f8 81 20 e9 89   ..-.x...,0... ..
    0060 - c0 8f 3c e3 e6 22 69 af-cb cd b0 ec dd 06 1b c9   ..<.."i.........
    0070 - f3 82 cb ee 85 f1 c8 6a-27 29 5b 42 7e bb 87 60   .......j')[B~..`
    0080 - c3 17 4a ff 54 41 b3 1a-8e 3b e3 30 b6 48 fa 9d   ..J.TA...;.0.H..
    0090 - b3 50 a5 2b 73 8d 59 16-4c fd b4 24 54 48 14 08   .P.+s.Y.L..$TH..

    Start Time: 1592523392
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

closed
$

[/security/encryption/openssl] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo