-
Notifications
You must be signed in to change notification settings - Fork 19
OpenSSL Debugging Hints
Here is a short list of some OpenSSL debugging hints and examples.
Some useful generic documentation links to get familiar with SSL, keys and certificates:
- Public key infrastructure - the generic concept
- Certificate authority
- Self-signed certificate
- OpenSSL
To display the SSL details of the connection to https://example.com use this command:
echo | openssl s_client -connect example.com:443
This will connect to the server and display the SSL details, like the certificate details, certificate chain, used encryption, verification result, etc. The port 443 is the default HTTPS port.
Use the -servername example.com option if the server is a virtual host and uses several SSL certificates for the same IP, this will enable the SNI SSL feature.
Use -CAfile cert.pem option with if you have a custom certificate, you can verify that the connection to the server works using the specific certificate.
The previous command also dumps the certificate (in PEM format) in the output, you can either manually extract it from the output or you can use this sed command:
echo | openssl s_client -connect example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
openssl x509 -in cert.pem -text -noout
This displays the certificate details in a human readable format.
To create a self-signed certificate use this command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
The OpenSSL tool will ask for some input data interactively, like the organization name, your location, etc. For testing purposes it does not matter what you enter, feel free to use any values.
The only important value is the certificate subject, you must use the server host name otherwise the SSL verification will fail. You might even use localhost if you use the service only locally via the https://localhost address.
A simple HTTPS web server can be started with this command:
ruby -r webrick/https -e 'WEBrick::HTTPServer.new(Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertName: [["CN", "localhost", OpenSSL::ASN1::PRINTABLESTRING]]).start'
It generates a different self-signed certificate at each start. (Note: technically it is a self-signed certificate, but for some reason the CA flag for the certificate is set to false so the certificate cannot be used for verification. The OpenSSL will not complain about a self-signed certificate, but about an unknown issuer certificate.)
If you want to always use the same certificate you have to point it to the certificate files:
ruby -r webrick/https -e 'WEBrick::HTTPServer.new(Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertificate: OpenSSL::X509::Certificate.new(File.read("cert.pem")), SSLPrivateKey: OpenSSL::PKey::RSA.new(File.read("key.pem"))).start'
Alternatively you can run a testing HTTPS server using the OpenSSL tools:
openssl s_server -key key.pem -cert cert.pem -accept 9000 -www
If you want to verify the SSL connection to the server using a custom SSL certificate you might run this curl command:
curl --cacert cert.pem https://example.com
- The custom SSL certificates should be stored in the
/etc/pki/trust/anchorsdirectory. - After adding a certificate there you need to call the
update-ca-certificatescommand to create the correct symlinks to find it.