Using OpenSSL to Verify Service Availability and Configuration

Using OpenSSL to Verify Service Availability and Configuration

May 14

  • Created: May 14, 2011 7:54 PM

Using OpenSSL to Verify Service Availability and Configuration
SSL is one of the most widely-used technologies for securing communications over the internet. It does have a few design flaws, but it’s still widely used to secure e-mail (IMAP-SSL and POP3-SSL), HTTP traffic (via HTTPS), and other communications.

By far, the most common implementation of SSL is the OpenSSL suite which is developed by a community of voluenteers. OpenSSL is the library powering the majority of SSL communications on the internet. Today, we’re going to look at how to use a part of the OpenSSL suite to make sure that services are working correctly.

and here is the man page for what we’ll be using today (s_client).

If we just run s_client with basic options, the transaction looks like this:

<br />
helios:~$ openssl s_client -connect www.nexcess.net:443<br />
CONNECTED(00000003)<br />
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
verify error:num=20:unable to get local issuer certificate<br />
verify return:1<br />
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
verify error:num=27:certificate not trusted<br />
verify return:1<br />
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
verify error:num=21:unable to verify the first certificate<br />
verify return:1<br />
---<br />
Certificate chain<br />
 0 s:/serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority<br />
---<br />
Server certificate<br />
-----BEGIN CERTIFICATE-----<br />
MIIDfjCCAuegAwIBAgIDE2szMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT<br />
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0<br />
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAwNjE1MTQxNDI4WhcNMTEwNzE4MTQ0NzQy<br />
WjCB4TEpMCcGA1UEBRMgUm95bkgzSmxoLzZWNjJSTnRxS0k1VHZVY1dsNUdEclEx<br />
CzAJBgNVBAYTAlVTMRYwFAYDVQQKDA0qLm5leGNlc3MubmV0MRMwEQYDVQQLEwpH<br />
VDYyMDYwNzQwMTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJj<br />
ZXMvY3BzIChjKTEwMS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQg<br />
LSBSYXBpZFNTTChSKTEWMBQGA1UEAwwNKi5uZXhjZXNzLm5ldDCBnzANBgkqhkiG<br />
9w0BAQEFAAOBjQAwgYkCgYEAssPkKI8aM9wz4q4fJJOT8ozYrOJjTef8ym7DXN8s<br />
uFNddDlngnJa49vrEkxF7in++H+xecACh9yqdSeyRTIIGSh+bmHFIvZprvBXVWzd<br />
15fkqEDe/xTFPIDoIGLhu3codd0egHLdco22wPtVTiOD7gxEElMK6PGGHifn0Xw6<br />
jHcCAwEAAaOB1TCB0jAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAO<br />
BgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCUG<br />
A1UdEQQeMByCDSoubmV4Y2Vzcy5uZXSCC25leGNlc3MubmV0MDoGA1UdHwQzMDEw<br />
L6AtoCuGKWh0dHA6Ly9jcmwuZ2VvdHJ1c3QuY29tL2NybHMvc2VjdXJlY2EuY3Js<br />
MB0GA1UdDgQWBBQZCmOHWJ/9U+RiJhytPcMIXWHmmzANBgkqhkiG9w0BAQUFAAOB<br />
gQCvRnAboCuVr9XHPmScDDuhDSjA7Ln74U4n+vmaRh2rHHhzqyYBeoMaKy6scsaS<br />
+R3ZUglVZK9G5K6Yb2UfG1Js/5+QgymL8lq80PCYyHxNmGnw2HHEGW83cJPTlJkt<br />
qmzBvJn6eekhX4YiCNAbXO5nbUg6SjIwRrfxt7zPL8AizA==<br />
-----END CERTIFICATE-----<br />
subject=/serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority<br />
---<br />
No client certificate CA names sent<br />
---<br />
SSL handshake has read 1469 bytes and written 293 bytes<br />
---<br />
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA<br />
Server public key is 1024 bit<br />
Secure Renegotiation IS supported<br />
Compression: zlib compression<br />
Expansion: zlib compression<br />
SSL-Session:<br />
    Protocol  : TLSv1<br />
    Cipher    : DHE-RSA-AES256-SHA<br />
    Session-ID: 34CF6330F1886C710889496977BCE15D48596F7815737AE86D3147D6FF0EC01D<br />
    Session-ID-ctx:<br />
    Master-Key: C64AF2B8E3522EA2E5B767F4D0B024685090362E197CDEA17EB31745593E848144052095FC3640B299F0E84FA0DDAD48<br />
    Key-Arg   : None<br />
    Compression: 1 (zlib compression)<br />
    Start Time: 1305412433<br />
    Timeout   : 300 (sec)<br />
    Verify return code: 21 (unable to verify the first certificate)<br />
---<br />
GET /<br />
&lt;!DOCTYPE HTML PUBLIC &quot;-//IETF//DTD HTML 2.0//EN&quot;&gt;<br />
&lt;html&gt;&lt;head&gt;<br />
&lt;title&gt;302 Found&lt;/title&gt;<br />
&lt;/head&gt;&lt;body&gt;<br />
&lt;h1&gt;Found&lt;/h1&gt;<br />
&lt;p&gt;The document has moved &lt;a href=&quot;http://www.nexcess.net/&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;<br />
&lt;/body&gt;&lt;/html&gt;<br />
closed<br />

You can see above how openssl connects to the server and tries to verify the certificate. This fails because we didn’t tell it to use any local certificate store. If you have a self-signed cert, you’ll need to follow the instructions here to install that. Otherwise, on most Linux distros, you can just specify /etc/ssl/certs/ as the CApath. Let’s try:

<br />
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority<br />
verify return:1<br />
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
verify return:1<br />
---<br />
Certificate chain<br />
 0 s:/serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net<br />
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority<br />

We can see that the certificate for CN=*.nexcess.net is provided by rapidSSL, which is in turn trusted by Equifax, which is a certificate that is installed in pretty much every major web browser, and so it validates OK.

What if we wanted to test mail service on a server to ensure that it’s properly handling the SSL connection, or to see what ciphers it supports to verify PCI-DSS compliance? Easy:

<br />
helios:~$ openssl s_client -CApath /etc/ssl/certs/ -connect imap.gmail.com:993<br />
CONNECTED(00000003)<br />
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority<br />
verify return:1<br />
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority<br />
verify return:1<br />
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com<br />
verify return:1<br />
---<br />
Certificate chain<br />
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com<br />
   i:/C=US/O=Google Inc/CN=Google Internet Authority<br />
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority<br />
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority<br />
---<br />
Server certificate<br />
-----BEGIN CERTIFICATE-----<br />
MIIDWzCCAsSgAwIBAgIKaNPuGwADAAAisjANBgkqhkiG9w0BAQUFADBGMQswCQYD<br />
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu<br />
dGVybmV0IEF1dGhvcml0eTAeFw0xMTAyMTYwNDQzMDRaFw0xMjAyMTYwNDUzMDRa<br />
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N<br />
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5pbWFw<br />
LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqfPyPSEHpfzv<br />
Xx+9zGUxoxcOXFrGKCbZ8bfUd8JonC7rfId32t0gyAoLCgM6eU4lN05VenNZUoCh<br />
L/nrX+ApdMQv9UFV58aYSBMU/pMmK5GXansbXlpHao09Mc8eur2xV+4cnEtxUvzp<br />
co/OaG15HDXcr46c6hN6P4EEFRcb0ccCAwEAAaOCASwwggEoMB0GA1UdDgQWBBQj<br />
27IIOfeIMyk1hDRzfALz4WpRtzAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra<br />
42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv<br />
b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy<br />
bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp<br />
Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo<br />
b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ<br />
KoZIhvcNAQEFBQADgYEAxHVhW4aII3BPrKQGUdhOLMmdUyyr3TVmhJM9tPKhcKQ/<br />
IcBYUev6gLsB7FH/n2bIJkkIilwZWIsj9jVJaQyJWP84Hjs3kus4fTpAOHKkLqrb<br />
IZDYjwVueLmbOqr1U1bNe4E/LTyEf37+Y5hcveWBQduIZnHn1sDE2gA7LnUxvAU=<br />
-----END CERTIFICATE-----<br />
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com<br />
issuer=/C=US/O=Google Inc/CN=Google Internet Authority<br />
---<br />
No client certificate CA names sent<br />
---<br />
SSL handshake has read 1866 bytes and written 281 bytes<br />
---<br />
New, TLSv1/SSLv3, Cipher is RC4-SHA<br />
Server public key is 1024 bit<br />
Secure Renegotiation IS supported<br />
Compression: NONE<br />
Expansion: NONE<br />
SSL-Session:<br />
    Protocol  : TLSv1<br />
    Cipher    : RC4-SHA<br />
    Session-ID: 447356938BD3F2CABB91A9049D245611C51F777BEA34AD16D27FA0D5A9A61FE1<br />
    Session-ID-ctx:<br />
    Master-Key: D75E188B0D7BB7CDE8C39FEA10498B3693E333B66FA6BB152069EC71946866BBB33600B41488509AE428884FB11814D6<br />
    Key-Arg   : None<br />
    TLS session ticket lifetime hint: 100800 (seconds)<br />
    TLS session ticket:<br />
    0000 - b3 1f ec 8d cd bd 28 2e-4a 7d 78 92 d5 71 ff ef   ......(.J}x..q..<br />
    0010 - 60 cc dc fe 79 0e 63 2d-8b c5 2f 7d fc 94 49 9c   `...y.c-../}..I.<br />
    0020 - 16 ff 4e 13 89 ec 2a c2-b1 a2 8e 43 5a 00 b3 4d   ..N...*....CZ..M<br />
    0030 - a1 11 b8 6a 1c d8 c4 a1-04 ab cf f5 94 15 c0 a2   ...j............<br />
    0040 - 08 5b 12 b3 9b 80 16 6b-50 f4 50 35 ab 5f e2 0e   .[.....kP.P5._..<br />
    0050 - d3 2b c1 9b 49 bd 06 ea-29 2e b2 18 28 51 53 83   .+..I...)...(QS.<br />
    0060 - fb 06 2d 92 9a c7 70 4b-c5 46 cb c4 ee d8 52 0f   ..-...pK.F....R.<br />
    0070 - c9 52 ec 6b 53 d6 72 69-e0 5f f7 21 00 86 31 33   .R.kS.ri._.!..13<br />
    0080 - 1b f2 a6 ef 08 5e c1 5f-ff 27 d6 e3 25 01 f1 ea   .....^._.'..%...<br />
    0090 - fc 0b 80 d4 ee fa db 02-7c 28 df 5a 72 ed 9e 5e   ........|(.Zr..^<br />
    00a0 - d6 22 01 83                                       .&quot;..</p>
<p>    Start Time: 1305413015<br />
    Timeout   : 300 (sec)<br />
    Verify return code: 0 (ok)<br />
---<br />
* OK Gimap ready for requests from 208.69.120.120 51if4445225yhl.133<br />

We can see that Google is trusted by Equifax and that they’re supporting the TLSv1 and SSLv3 protocols along with the RC4-SHA cipher. We get some details about the session and the entire certificate. The Vierfy return code was 0 (no error) and we now have a session open with one of the GMail IMAP servers (a list of IMAP commands can be found if you’d like to play with them). The same can easily be done with FTPS, POP3-SSL, or any other service that is being wrapped in SSL.

Posted in: Security / Tagged: , , , , ,
  • https://www.rapidsslonline.com/code-signing-certificates.aspx Code Signing Certificate

    Thanks for sharing step by step instructions and in-depth understanding of SSL certificates using scripts.

  • wanda burdell

    Wanda burdell thanks for sending me here