Stupid SSL tricks

Some hints and tips foor doing SSL related things:

Netcat for SSL

This command lets you connect to a SSL server (a-la netcat):

cat request.txt | openssl s_client -connect server:443

Creating self-signed certificates

This is a single command to generate a self-signed certificate:

openssl req -new \
      -newkey rsa:4096 \
      -days 365 \
      -nodes -x509 \
      -subj "/C=NL/ST=ZH/L=Den Haag/O=HomeBase/CN=$fqdn" \
      -keyout $ca_root/$fqdn/$fqdn.key \
      -out $ca_root/$fqdn/$fqdn.cer

This is unlike other recipes where you create a csr and key first and then create the certificate.

Checking and verifying certificates

  • Check certificate
    • openssl x509 -in server.crt -text -noout
  • Check SSL key and verify consistency
    • openssl rsa -in server.key -check
  • Check CSR and print CSR data
    • openssl req -text -noout -verify -in server.csr
  • Verify that certificate and key matches:
    • openssl x509 -noout -modulus -in server.crt| openssl md5
    • openssl rsa -noout -modulus -in server.key| openssl md5
  • Check SSL Certificate expiration date
    • openssl x509 -dates -noout -in hydssl.cer

Check SSL connection

  • Tests connectivity to an HTTPS service:
    • openssl s_client -connect <hostname>:443
  • Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.
    • openssl s_client -connect <hostname>:<port> -showcerts
  • Forces TLSv1 and DTLSv1.
    • openssl s_client -connect <hostname>:<port> -tls1
    • openssl s_client -connect <hostname>:<port> -dtls1
  • Forces a specific cipher. This option is useful in testing enabled SSL ciphers. Use the openssl ciphers command to see a list of available ciphers for OpenSSL.
    • openssl s_client -connect <hostname>:<port> -cipher DHE-RSA-AES256-SHA

For troubleshooting connection and SSL handshake problems, see the following:

  • If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
  • If you use the OpenSSL client to connect to a non-SSL service, the client connects but the SSL handshake doesn't happen. CONNECTED (00000003) prints as soon as a socket opens, but the client waits until a timeout occurs and prints an error message, such as 44356:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_lib.c:182:.

After disabling a weak cipher, you can verify if it has been disabled or not with the following command.

openssl s_client -connect google.com:443 -cipher EXP-RC4-MD5

Check SSL certificates on a remote server:

  • Check who has issued the SSL certificate:
    • echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
  • Check whom the SSL certificate is issued to:
    • echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
  • Check for what dates the SSL certificate is valid:
    • echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
  • Show the SHA1 fingerprint of the SSL certificate:
    • echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -fingerprint
  • Extract all information from the SSL certificate (decoded)
    • echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -text
  • Show the SSL certificate itself (encoded):
    • echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509

Becoming your own CA

The easiest way is to use mkcert. mkcert is a command line tool that automates most of the activities related a CA.

Otherwise, this article by Brad Touesnard explains the process fully.