Stupid SSL tricks
Some hints and tips for doing SSL related things:
Netcat for SSL
This command lets you connect to a SSL server (a-la netcat):
cat request.txt | openssl s_client -connect server:443
Creating self-signed certificates
This is a single command to generate a self-signed certificate:
openssl req -new \
-newkey rsa:4096 \
-days 365 \
-nodes -x509 \
-subj "/C=NL/ST=ZH/L=Den Haag/O=HomeBase/CN=$fqdn" \
-keyout $ca_root/$fqdn/$fqdn.key \
-out $ca_root/$fqdn/$fqdn.cer
This is unlike other recipes where you create a CSR and key first and then create the certificate.
Checking and verifying certificates
- Check certificate
openssl x509 -in server.crt -text -noout
- Check SSL key and verify consistency
openssl rsa -in server.key -check
- Check CSR and print CSR data
openssl req -text -noout -verify -in server.csr
- Verify that certificate and key match (the two MD5 sums must be identical):
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
- Check SSL Certificate expiration date
openssl x509 -dates -noout -in hydssl.cer
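As an added example (not from the original page), the self-signed recipe above wrapped in a function, followed by the modulus check and an expiry check run against the result; it assumes openssl is on PATH, and the host and file names are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes `openssl` on PATH;
# demo.example and the temp-dir file names are constructed.

# make_selfsigned DIR FQDN DAYS: one-step key + certificate (no CSR),
# as in the recipe; 2048-bit key here only to keep the demo fast
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -days "$3" -nodes -x509 \
        -subj "/C=NL/ST=ZH/L=Den Haag/O=HomeBase/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
}

# cert_key_match CERT KEY: prints "match" if the MD5 of the RSA modulus
# in the certificate equals the MD5 of the modulus in the key
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    if [ "$cert_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

# cert_expiry_status CERT DAYS: prints "expiring" if notAfter falls within
# DAYS days from now, else "ok" (-checkend exits non-zero if it will expire)
cert_expiry_status() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
        echo ok
    else
        echo expiring
    fi
}

# Demo on a throwaway certificate in a temp dir
demo() {
    tmp=$(mktemp -d)
    make_selfsigned "$tmp" demo.example 365
    openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null   # unrelated key
    echo "own key:   $(cert_key_match "$tmp/demo.example.cer" "$tmp/demo.example.key")"
    echo "other key: $(cert_key_match "$tmp/demo.example.cer" "$tmp/other.key")"
    echo "30 days:   $(cert_expiry_status "$tmp/demo.example.cer" 30)"
    echo "400 days:  $(cert_expiry_status "$tmp/demo.example.cer" 400)"
    rm -rf "$tmp"
}

demo
```

The same two check functions work unchanged on a certificate fetched from a remote server with the s_client pipelines further down, once it is saved to a file.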
Check SSL connection
- Tests connectivity to an HTTPS service:
openssl s_client -connect <hostname>:443
- Prints all certificates in the certificate chain presented by the
SSL service. Useful when troubleshooting missing intermediate CA
certificate issues.
openssl s_client -connect <hostname>:<port> -showcerts
- Forces TLSv1 and DTLSv1.
openssl s_client -connect <hostname>:<port> -tls1
openssl s_client -connect <hostname>:<port> -dtls1
- Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL.
openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA
For troubleshooting connection and SSL handshake problems, see the following:
- If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as:
connect: Operation timed out
- If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as:
44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:
After disabling a weak cipher, you can verify that it has been disabled with the following command (the handshake should fail):
openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5
Check SSL certificates on a remote server:
- Check who has issued the SSL certificate:
echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
- Check whom the SSL certificate is issued to:
echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
- Check for what dates the SSL certificate is valid:
echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
- Show the SHA1 fingerprint of the SSL certificate:
echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -fingerprint
- Extract all information from the SSL certificate (decoded):
echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -text
- Show the SSL certificate itself (encoded):
echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509
Becoming your own CA
The easiest way is to use mkcert. mkcert is a command line tool that automates most of the activities related to a CA.
Otherwise, this article by Brad Touesnard explains the process fully.