x.x.x.x:port

where x.x.x.x is the IP address of the remote system and port is the relevant port; you can also use the fully qualified domain name (FQDN) in place of the IP address. E.g., I used the command below to check the status of a certificate I obtained from Let's Encrypt, a "certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites." The server I checked functions as a POP3S server using port 995, so that was the port I specified.

```
$ openssl s_client -connect pop3.moonpoint.com:995
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=support.moonpoint.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA0LlJ8LrKl5QWJNTuUFzBVR6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MTMwMDMxMDBaFw0x
NjA5MTEwMDMxMDBaMCAxHjAcBgNVBAMTFXN1cHBvcnQubW9vbnBvaW50LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2JzmsFeHvqt/VD1KjvYUss
0k4zfN2qLW5/nXcgoGMNdpKh/8kur3660SFNtdMAvCXZk33pfeS7FsgFTife5ZjD
Uprp4iP6OAA1zAxM/WJ4J9hd4RX3XdfOjumIbPZF7ubc4GHIiJvtDZH/VvNgG3oV
3G156ltvhR6pjuyfOouSMsAyF1/RjtGggWRKavM73LZ3tnSdXAa3LZ4wsQtKsGyo
U+AIJix81q+6fv2peQYYhYQ34i8+gNREaIE0GaeFo/2b1mLE+ds9OLxFy1aTcP4R
+NvbwiZHdpVXvsXJmhSek+CWwyBDOFDtmQS4kuw9GGG+hWUw/2Uo2LK2+ECGGecC
AwEAAaOCAnQwggJwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhCuG3XVreHE8ex2v
KXgFYQO5EIswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wfgYDVR0RBHcwdYISaW1hcC5tb29ucG9pbnQuY29tgg1tb29u
cG9pbnQuY29tghJwb3AzLm1vb25wb2ludC5jb22CEnNtdHAubW9vbnBvaW50LmNv
bYIVc3VwcG9ydC5tb29ucG9pbnQuY29tghF3d3cubW9vbnBvaW50LmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAuAersicmQ//mmDZp+TonL
YdopelHfChTiX+oI1vtcLO6h0TkEn1VPPC0aKkVwct3/ZxLmSJDkpllUuAkePauj
oY+J5ruEnX1cBmwyHzTaA6uM+DWPGc0EHPaxs5hRsAFTC9RSzVRikL4aTfhoDpUo
1ZHbfOI+8X8h8Y6LXPPjH2Z0zBzlUouBBCpMcNn4Bdpm/BqdNYGz2Sce43AQDOuh
zH33kJfeZMnAITP6O5rIaT021jPn2ZfXkbcne6+QF4j/R8iCmFCyt6fMjuD6dGad
H0A3o0RxmGimr3t7zA+IrGybjwvfwaJVCBEEd2txsrlpqBHbPnM6OtdS0Ca7k+dt
-----END CERTIFICATE-----
subject=/CN=support.moonpoint.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3268 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: B4BF64DA7C5405A704622F4DEDA01608486D155438C2F6A2ECD5C01D590D7DEA
    Session-ID-ctx: 
    Master-Key: 50A497DFBFCF75212A9B4B7E4FDFC03AC1D7EA64F6CC634616BB4A2E0DC8D45A95F33B33AA671C8D173806071C04538F
    Key-Arg   : None
    Start Time: 1465783418
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
QUIT
DONE
$
```
When the remote server, which is running the open-source Dovecot software, responded with "+OK Dovecot ready", I entered QUIT and hit Enter, which caused the server to respond with DONE, returning me to the shell prompt.
For a Post Office Protocol version 3 (POP3) server, I could also connect to the standard POP3 port, TCP port 110, to check the certificate with the command openssl s_client -connect pop3.moonpoint.com:110 -starttls pop3. E.g.:
```
$ openssl s_client -connect pop3.mail.com:110 -starttls pop3
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=pop.mail.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIErTCCA5WgAwIBAgIQbYGFE3wE0G7bEO1NIeFHczANBgkqhkiG9w0BAQsFADBB
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMRswGQYDVQQDExJ0
aGF3dGUgU1NMIENBIC0gRzIwHhcNMTUwOTE1MDAwMDAwWhcNMTYxMDAzMjM1OTU5
WjByMQswCQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMRUwEwYDVQQH
DAxDaGVzdGVyYnJvb2sxHjAcBgNVBAoMFTEmMSBNYWlsICYgTWVkaWEgSW5jLjEV
MBMGA1UEAwwMcG9wLm1haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA4lRYBBfHoQui8D6SKWRPD+8txnGtPp5sLTEpx/d2Ne043illvu64ml4Y
7Z4xCK0lO9VVSXMKymHwope7k3By3K3ykL+3No8stdBRYNbKIIds7oxpyf81RuEc
4tP7SKmBFkWSGZT2I4VV+jLqyrIBaualPijfpls3lUhMdSQiy5czqSRAFeLK9PyS
BUx8q5e+WfR3aP6Y/l3T7jgqAgJHYud/n3yKhyTkF1/5gwuZTEHL0CJ28MF2dob8
ewJtf+z9dcXZkzxFTE5DuRkeCGPjfps3yW0+c3+BW8DF+tjb1iJPmC9WDnc3Eyo1
Wnn3Lb6AhoFzCNdgVJn7E4qooNSlIwIDAQABo4IBbjCCAWowFwYDVR0RBBAwDoIM
cG9wLm1haWwuY29tMAkGA1UdEwQCMAAwbgYDVR0gBGcwZTBjBgZngQwBAgIwWTAm
BggrBgEFBQcCARYaaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9jcHMwLwYIKwYBBQUH
AgIwIwwhaHR0cHM6Ly93d3cudGhhd3RlLmNvbS9yZXBvc2l0b3J5MA4GA1UdDwEB
/wQEAwIFoDAfBgNVHSMEGDAWgBTCT0hX/NFPmsBdOH0OBdvZLrVSYDArBgNVHR8E
JDAiMCCgHqAchhpodHRwOi8vdGouc3ltY2IuY29tL3RqLmNybDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzAB
hhNodHRwOi8vdGouc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vdGouc3lt
Y2IuY29tL3RqLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAGfQTfujr2aIEE0iEgT0P
2qYJCOYdvteFh3i+3xG0css5vdvaMpMOEd/apepwd7/cyLk8eOg82pAEmnfNSak6
HR42vz+BjicrnSfUeZyRimP+p0q+ZtW9Fdpd+jfJhLQ1aKiAnJXn7+70W7JmSqwN
DmrPErzRqCjkO2JRigGWvQyp2UFwPkDL1+PLzxoQe1D+yKl9hgnrqojRKk9iNIVE
tZbYXMtGMX46/EpLm3V8Bm8pgFhptb8ZfE/ORkVerYlVJqYQY7bE2MKIrLEYyiM8
lEHGx3iewMmHkBVKVIC+LILs6UGtgJNCtKAPuMp+6OFAiaJ+04jrfpEMlMZOgfOx
gQ==
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=pop.mail.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4515 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 22D441610C1A9440FEDFAFA72855D208D086CEBE3B80DB28799AB6870D91B7EC
    Session-ID-ctx: 
    Master-Key: 4C8B9FF56002F49EB505BBBFEB1D7258A25CA12E4CCA97F7A892F40FBB386941F3C79DCF28D22ACCCD6EC6CD137FDB49
    Key-Arg   : None
    Start Time: 1465868919
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK POP server ready H migmxus003 0MQgmS-1b0Cwh38cn-00UCz6
QUIT
DONE
$
```
The arguments to the command have the following meaning:
s_client
    This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library.

-connect host:port
    Who to connect to (default is localhost:4433).

-starttls prot
    Use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently, only "smtp", "pop3", "imap", "ftp" and "xmpp" are supported.
For other options see the openssl man page.
A similar command can be used to check a Simple Mail Transfer Protocol (SMTP) server, using port 25 instead and specifying smtp as the protocol. E.g.:
```
$ openssl s_client -connect smtp.mail.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=smtp.mail.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgIQHU09xWQDto3heSOj82RKPzANBgkqhkiG9w0BAQsFADBB
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMRswGQYDVQQDExJ0
aGF3dGUgU1NMIENBIC0gRzIwHhcNMTUwOTE1MDAwMDAwWhcNMTYxMDAzMjM1OTU5
WjBzMQswCQYDVQQGEwJVUzEVMBMGA1UECAwMUGVubnN5bHZhbmlhMRUwEwYDVQQH
DAxDaGVzdGVyYnJvb2sxHjAcBgNVBAoMFTEmMSBNYWlsICYgTWVkaWEgSW5jLjEW
MBQGA1UEAwwNc210cC5tYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALUHm+BGVHDd0lVidH9nl5fvN2pw4JR1BlO/lpp/3Py2trd6sn0q9Ki2
os4tEx9TVVhLQ/BZ/eKj0P56TMEb+jqCBqpTYwfp7Mgt+oxq0LgOKzijITyLFiXP
pNm7iVMKl4HwQWGKA95lTOOxxm4AqAsVbIfB+UiLdai9m9BmfUOiZ3hF+Uqv8dsj
W8ip+iYSVB59UsUlQCNZnI/8XF0Y89YRWEEnuvgo/p3N/knoqVEPNulx2Qdk5x0x
KGMIKkineAhVeU3wSgt4DRjBOwxhVsyuSZ7TqlTY1U+meOPdzPttilTt8i6FYhXM
mvbbMTGVy+umXcg0PT/EACLrjMGWIQsCAwEAAaOCAW8wggFrMBgGA1UdEQQRMA+C
DXNtdHAubWFpbC5jb20wCQYDVR0TBAIwADBuBgNVHSAEZzBlMGMGBmeBDAECAjBZ
MCYGCCsGAQUFBwIBFhpodHRwczovL3d3dy50aGF3dGUuY29tL2NwczAvBggrBgEF
BQcCAjAjDCFodHRwczovL3d3dy50aGF3dGUuY29tL3JlcG9zaXRvcnkwDgYDVR0P
AQH/BAQDAgWgMB8GA1UdIwQYMBaAFMJPSFf80U+awF04fQ4F29kutVJgMCsGA1Ud
HwQkMCIwIKAeoByGGmh0dHA6Ly90ai5zeW1jYi5jb20vdGouY3JsMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBXBggrBgEFBQcBAQRLMEkwHwYIKwYBBQUH
MAGGE2h0dHA6Ly90ai5zeW1jZC5jb20wJgYIKwYBBQUHMAKGGmh0dHA6Ly90ai5z
eW1jYi5jb20vdGouY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQCT6eRxtQFUE4oUrOnr
eY1giBw+ayE3BYPyHMtPDmzqqL7Xz7EaiD/HM95FZ48WWFlw0AlRBCTROUlVCP1i
iJouX3kskFkxsBqGyHTn1jd4BMPYKkGAea1pQqIzO84FXVxI1gBpKtMfNzEE6qu+
fgtL3ITF7u8qLwwEQPC1of2FW2jDttgUODG8hmNBq6R/3DoCXfR5JAn+lZ81yrN6
gwopS9groNLfkJED/lR3AqR+UKaBcwyU+TK48SpuIzNho57vuNCs+9Lf2zlQsz+X
b8vjkCZxq3X8nTuYPvGr83unM4W5sKqkJEqsOepW26fg7N154ATbmhZnyfh/Z3ol
dks3
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=smtp.mail.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4603 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7A47C2F2A9120FBECED058512B0CFA36E421D6C647C0120633F70C79E257F99D
    Session-ID-ctx: 
    Master-Key: CE4E352B1B3CECB16A6C4BE262769931F5A775B0EBAFCE1E36D6BA0BA5B0A0CA63079B65568F540C711100A11DCDBA30
    Key-Arg   : None
    Start Time: 1465869300
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 STARTTLS
QUIT
DONE
```
Again, you can type QUIT at the last line from the server to be returned to the shell prompt.
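As an added example that is not part of the original post, the following POSIX sh functions wrap the same s_client checks (implicit TLS as on port 995, or -starttls for pop3, smtp or imap) and grade the transcript the way a monitoring check would; the sample transcript and the pop3.example.net host in the comment are constructed, and fetch_session assumes openssl and awk are on the path.

```shell
# Added example, not code from the original post: wraps the s_client checks
# shown above and grades the transcript. Assumes POSIX sh, awk and openssl.

# Run s_client against HOST:PORT and return the raw transcript. PROTO (pop3,
# smtp or imap) selects -starttls; empty PROTO means implicit TLS as on 995.
fetch_session() {
    if [ -n "$3" ]; then
        printf 'QUIT\n' | openssl s_client -connect "$1:$2" -starttls "$3" 2>&1
    else
        printf 'QUIT\n' | openssl s_client -connect "$1:$2" 2>&1
    fi
}

# Read a transcript on stdin, print "VERDICT <verify code> <protocol> <cipher>".
# FAIL: a "verify error" line or non-zero verify code (chain not validated
# against the local store). WARN: verified, but pre-TLS1.2 or no forward secrecy.
grade_session() {
    awk '
        /^verify error:num=/     { errs++ }
        /^ *Verify return code:/ { code = $4 }
        /^ *Protocol *:/         { proto = $3 }
        /^ *Cipher *:/           { cipher = $3 }
        END {
            verdict = "OK"
            if (errs > 0 || code != "0") verdict = "FAIL"
            else if (proto != "TLSv1.2" && proto != "TLSv1.3") verdict = "WARN"
            else if (cipher !~ /^(ECDHE|DHE)-/) verdict = "WARN"
            print verdict, code, proto, cipher
        }'
}

# Constructed transcript shaped like the pop3.moonpoint.com session above:
# a verify error is printed even though the final return code is 0.
SAMPLE='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
+OK Dovecot ready.'

grade_sample() { printf '%s\n' "$SAMPLE" | grade_session; }

# Live use, e.g.: fetch_session pop3.example.net 995 "" | grade_session
```

All three sessions on this page print a "verify error" line before "Verify return code: 0 (ok)", which is why the grader treats any verify error as a failure: the chain was not validated against a local trust store, so the "ok" alone says nothing about the certificate's trustworthiness.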