Re: Testing "dark" SSL sites




On Tue, Oct 21, 2014 at 04:17:25PM -0700, lists@xxxxxxxxxxxxxxxxxx wrote:
> I've already confirmed for example, that using openssl s_client as you mention
> above doesn't actually check the certs, just lists them. 

Actually it does check them as well.

e.g.
  openssl s_client -connect localhost:443 < /dev/null > /dev/null
  depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root@xxxxxxxxxxxxx
  verify error:num=18:self signed certificate
  verify return:1
  depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root@xxxxxxxxxxxxx
  verify error:num=10:certificate has expired
  notAfter=Aug  9 23:55:39 2014 GMT
  verify return:1
  depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root@xxxxxxxxxxxxx
  notAfter=Aug  9 23:55:39 2014 GMT
  verify return:1
  DONE

Notice the "verify error" lines; it's both self-signed _and_ expired.

In chained certs it'll check each of the chains.

e.g.
  openssl s_client -connect www.google.com:443 < /dev/null > /dev/null
  CONNECTED(00000003)
  depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  verify return:1
  depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  verify return:1
  depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  verify return:1
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
     i:/C=US/O=Google Inc/CN=Google Internet Authority G2
   1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
     i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  
You can do a _LOT_ with the openssl command line (e.g. show all the
intermediate certs in detail with -showcerts).  'man s_client'

If you have a server with a broken intermediate chain then run the command
and see what it returns.

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
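The verify callback output Stephen quotes above (one `depth=` line per certificate, with a `verify error:num=N:...` line wherever validation of that certificate failed) is easy to post-process. The script below is an added example, not code from the thread: it parses that output shape into one summary line per error and gives a yes/no answer for "did the whole chain validate", which is what you want when checking a server with a broken intermediate. The two sample transcripts inside the script are constructed from the lines in the message; `check_host` is a hypothetical wrapper that runs the real `openssl s_client` (with the `-servername` SNI option and the `-showcerts` option mentioned above) against a host you name.

```shell
#!/bin/sh
# Added example: summarise openssl s_client certificate verification output.
# Assumes the "depth=N ..." / "verify error:num=N:message" line shape that
# s_client prints while validating the chain (same shape in 1.0.x and later).

# Read merged s_client output on stdin; print "<depth> <errnum> <message>"
# for every verify error, in the order the library reported them.
verify_errors() {
    awk '
        /^depth=/ { split($1, d, "="); depth = d[2] }
        /^verify error:num=/ {
            line = $0
            sub(/^verify error:num=/, "", line)
            n = index(line, ":")
            printf "%s %s %s\n", depth, substr(line, 1, n - 1), substr(line, n + 1)
        }
    '
}

# Number of verify errors in the output on stdin (0 when the chain is clean).
count_verify_errors() {
    verify_errors | wc -l | tr -d ' '
}

# Succeeds (exit 0) only when no certificate in the chain produced a verify error.
chain_ok() {
    [ -z "$(verify_errors)" ]
}

# Hypothetical wrapper: connect to a live host and summarise its chain problems.
# stdout and stderr are merged because the verify callback writes to stderr,
# which is why the thread's examples redirect stdout to /dev/null.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>&1 | verify_errors
}

# Constructed sample: a self-signed, expired leaf (mirrors the first transcript).
SAMPLE_BAD='depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/CN=a.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/CN=a.example.com
verify error:num=10:certificate has expired
notAfter=Aug  9 23:55:39 2014 GMT
verify return:1
DONE'

# Constructed sample: a four-certificate chain that validates at every depth.
SAMPLE_GOOD='CONNECTED(00000003)
depth=3 /C=US/O=Example Root CA
verify return:1
depth=2 /C=US/O=Example Intermediate CA
verify return:1
depth=1 /C=US/O=Example Issuing CA
verify return:1
depth=0 /C=US/CN=www.example.com
verify return:1
DONE'

# Only talk to the network when explicitly asked, e.g.
#   SSL_CHECK_HOST=www.example.com sh check_chain.sh
if [ -n "${SSL_CHECK_HOST:-}" ]; then
    check_host "$SSL_CHECK_HOST" "${SSL_CHECK_PORT:-443}"
fi
```

Run against a live server, an empty result from `check_host` means every certificate in the chain verified; otherwise each line tells you at which depth the failure sits (depth 0 is the leaf, higher depths are intermediates and the root) and which X509 verify error number the library raised, which is usually enough to tell a missing intermediate (depth 1 or above) from a bad leaf (depth 0).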



