A big chunk of the problems I tackle every day surround SSL connections. I’ve written a few articles on SSL that cover its main tasks, which are encryption and non-repudiation, and some ways to determine if your SSL certificate is non-functioning. The tool I use 99% of the time to diagnose SSL problems is openssl, so that is the topic of this post.
I am a Linux guy; if you’re using Windows you may find a binary here you can use.
An SSL connection needs two things: a private key, which you likely won’t have for websites you don’t own, and a public certificate, which is necessarily available to the whole world. It’s the certificate we’re interested in, and here’s how to get it:
```shell
openssl s_client -showcerts -connect slumpedoverkeyboarddead.com:443
```
This spits out a lot of info, and you can pipe the output into openssl again to extract specific data like the valid date range:
```shell
$ echo | openssl s_client -showcerts -connect slumpedoverkeyboarddead.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 30 00:00:00 2015 GMT
notAfter=Jan 29 23:59:59 2020 GMT
```
Or the name the certificate is made out for:
```shell
$ echo | openssl s_client -showcerts -connect slumpedoverkeyboarddead.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.sucuri.net
```
Or both!
```shell
$ echo | openssl s_client -showcerts -connect slumpedoverkeyboarddead.com:443 2>/dev/null | openssl x509 -noout -subject -dates
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.sucuri.net
notBefore=Jan 30 00:00:00 2015 GMT
notAfter=Jan 29 23:59:59 2020 GMT
```
Most of your SSL problems will fall into two categories: the subject name of the certificate does not match the domain name, or the certificate is expired.
Note in my output above that it looks like I asked for the certificate for slumpedoverkeyboarddead.com but I ended up with the certificate for *.sucuri.net. This is kind of misleading. I didn’t ask for the slumpedoverkeyboarddead.com certificate; rather, I told openssl to connect to slumpedoverkeyboarddead.com. It did, and since I did not supply a domain name (the SNI server name), the server responded with its default certificate. This will happen on any server that is configured to serve more than one domain, which includes things like my firewall or any shared hosting server. To get a specific certificate you must supply the -servername directive:
```shell
$ echo | openssl s_client -showcerts -servername slumpedoverkeyboarddead.com -connect slumpedoverkeyboarddead.com:443 2>/dev/null | openssl x509 -noout -subject -dates
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=slumpedoverkeyboarddead.com
notBefore=Oct 30 00:00:00 2015 GMT
notAfter=Oct 29 23:59:59 2016 GMT
```
If your domain name does not resolve directly to your web host, as is the case with slumpedoverkeyboarddead.com, you can specify the real hosting IP address in the -connect directive to get the certificate from that host instead of from the intermediate proxy or firewall:
```shell
$ echo | openssl s_client -showcerts -servername slumpedoverkeyboarddead.com -connect 192.124.249.6:443 2>/dev/null | openssl x509 -noout -subject -dates
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=slumpedoverkeyboarddead.com
notBefore=Oct 30 00:00:00 2015 GMT
notAfter=Oct 29 23:59:59 2016 GMT
```
Note that I have used the same IP address that slumpedoverkeyboarddead.com resolves to instead of my real hosting IP, because I don’t want to divulge that. But it works the same way.
This is usually enough to diagnose an SSL connection issue, and resolving it should be obvious: either renew the certificate if it is expired, or replace it with a valid certificate if the domain name does not match.
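The two checks described in this post (is the certificate expired, and does its name match the host) are easy to automate. The script below is an added example, not part of the original post: `fetch_cert` pulls the leaf certificate with `-servername` set, exactly as above, and the check functions then work on a saved PEM file so they can be exercised offline. The `-checkend` option of `openssl x509` answers "will this certificate still be valid N seconds from now" with its exit status, which is what you want for an expiry alert. Name matching looks at the subject CN plus every DNS entry in subjectAltName and honours a single-label wildcard such as `*.sucuri.net`. `make_test_cert` builds a constructed self-signed certificate for demonstration only; it relies on `openssl req -addext`, which assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: automate the two checks from the post (expiry and name mismatch).
# Assumes openssl 1.1.1+ on PATH. Function and hostname values below are illustrative.

# fetch_cert HOST [ADDR] [PORT]: print the leaf certificate served for HOST (SNI)
# by ADDR:PORT as PEM. ADDR defaults to HOST, PORT to 443.
fetch_cert() {
    echo | openssl s_client -servername "$1" -connect "${2:-$1}:${3:-443}" 2>/dev/null \
        | openssl x509
}

# cert_valid_for PEM SECONDS: exit 0 if the certificate is still valid SECONDS from now.
# cert_valid_for cert.pem 0 is a plain "is it expired right now" check.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_names PEM: print the subject CN followed by every DNS name in subjectAltName.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# name_matches HOST PATTERN: exact match, or a leftmost-label wildcard (*.example.test
# matches www.example.test but not example.test or a.b.example.test).
name_matches() {
    host=$1; pat=$2
    case $pat in
        \*.*)
            rest=${pat#\*.}
            hostrest=${host#*.}
            [ "$hostrest" = "$rest" ] && [ "$hostrest" != "$host" ] ;;
        *)
            [ "$host" = "$pat" ] ;;
    esac
}

# cert_matches_host PEM HOST: exit 0 if any name in the certificate covers HOST.
cert_matches_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_names "$1" | tr 'A-Z' 'a-z' | {
        while read -r n; do
            if name_matches "$host" "$n"; then exit 0; fi
        done
        exit 1
    }
}

# check_host HOST [ADDR] [PORT]: the live diagnosis, printing what the post prints
# plus a verdict for each of the two failure categories.
check_host() {
    tmp=$(mktemp)
    if ! fetch_cert "$1" "${2:-$1}" "${3:-443}" > "$tmp"; then
        echo "could not fetch a certificate from ${2:-$1}:${3:-443}"
        rm -f "$tmp"; return 2
    fi
    openssl x509 -in "$tmp" -noout -subject -dates
    if cert_valid_for "$tmp" 0; then echo "OK: certificate is not expired"
    else echo "PROBLEM: certificate is expired"; fi
    if cert_matches_host "$tmp" "$1"; then echo "OK: certificate name covers $1"
    else echo "PROBLEM: certificate name does not cover $1"; fi
    rm -f "$tmp"
}

# make_test_cert OUT.pem DAYS CN "DNS:a,DNS:b": constructed self-signed certificate
# used only to demonstrate the checks without a network connection.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$1" \
        -days "$2" -subj "/CN=$3" -addext "subjectAltName=$4" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: sh check_cert.sh slumpedoverkeyboarddead.com [192.124.249.6] [443]
if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run it with the host name as the first argument and, as in the post, the real hosting IP as an optional second argument when DNS points at a proxy or firewall. Because `-checkend` only looks at notAfter, a certificate whose notBefore is in the future is not flagged; the `-dates` line printed just above the verdicts still shows it.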