How to Verify A Connection is Secure Using OpenSSL
What is OpenSSL?
OpenSSL is a free and open-source software cryptography library that provides cryptographic functionality to applications to ensure secure internet communication. It is widely used on many server applications, and it is available for most Unix-like operating systems (including Solaris, Linux, Mac OS X, the four open-source BSD operating systems), OpenVMS and Microsoft Windows.
Besides that, OpenSSL is also a fully equipped instrumentation for implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
With the OpenSSL toolkit, we can perform various SSL related tasks along with a variety of cryptographic functions. Among these other tasks, we can generate CSRs (Certificate Signing Requests) and private keys. We can perform an SSL certificate installation, or we can convert our certificates into different formats. Then, we can verify its details or even extract information about the certificate.
If we are talking about cryptographic function, we can use it for file encryption and decryption purposes along with generating password hashes.
However, today, we are going to dedicate ourselves to a completely different function of this free toolkit - verifying a secure connection.
Prerequisites
One of the Unix/Linux OS platforms, which include the OpenSSL program by default. On Microsoft Windows, we must download and install OpenSSL from a binary and install it.
Getting Started
As the natural environment for OpenSSL is a Unix platform, we will assume we are working on one. Before we start with checking our connections, we need to make sure our OpenSSL is up to date, so let us check which version are we running with the following command.
[root@host ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
For those a bit more experienced and interested in the full details, we can append the -a flag.
[root@host ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
[root@host ~]#
In most cases, we will be using the system-supplied version of OpenSSL. However, if we find ourselves in need of an upgrade, we will need to download the latest version, extract it and compile from source.
There is not a specific help keyword among OpenSSL commands, but if we append a flag that OpenSSL does not recognize to our command, a help text will be provided to us. To examine the available options of this powerful tool, we can use the following command.
root@host:~# openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb
root@host:~#
For additional guidance, feel free to explore the man pages using the following command.
[root@host ~]# man openssl
Checking a Connection With OpenSSL
Among the many commands that OpenSSL offers, for testing secure connections we will use the openssl s_client command. The basic command outline is as follows:
[root@host ~]# openssl s_client -connect <domain name or IP>:<port>
In order to test a connection, we are going to need a domain name and a port. For the purpose of this test, we will be using the liquidweb.com domain. Since we are trying to confirm if our connection is secure, we will use port 443, which is the standard port for all secured HTTP (Hypertext Transfer Protocol over TLS/SSL) traffic.
The command we are going to use will open a connection to the www.liquidweb.com domain on port 443 and show us the SSL certificate used on it. It will provide us with a fair amount of other relevant output, such as the certificate chain, the ciphers that are in use, and other characteristics of the SSL/TLS session.
However, once connected, we will be able to type whatever we want, and that will provide us with the opportunity to send HTTP requests manually. For those who previously used the telnet command, this will feel familiar as the tool itself is similar to it. To test the connection to liquidweb.com domain on port 443, we are going to use the following command:
[root@host ~]# openssl s_client -connect www.liquidweb.com:443
And here is the full output of this command.
[root@host ~]# openssl s_client -connect www.liquidweb.com:443
CONNECTED(00000005)
---
Certificate chain
0 s:businessCategory = Private Organization, serialNumber = D9406J, jurisdictionC = US, jurisdictionST = Michigan, C = US, ST = Michigan, L = Plymouth, street = 40600 Ann Arbor Rd E Ste 201, O = "Liquid Web, LLC", CN = www.liquidweb.com
i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHwTCCBqmgAwIBAgIMZuWs07WLoi8uhNCpMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMzAe
Fw0yMDAyMTAxOTI1MzBaFw0yMjAzMjIxODIzNDBaMIHwMR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjEPMA0GA1UEBRMGRDk0MDZKMRMwEQYLKwYBBAGCNzwC
AQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCE1pY2hpZ2FuMQswCQYDVQQGEwJVUzER
MA8GA1UECBMITWljaGlnYW4xETAPBgNVBAcTCFBseW1vdXRoMSUwIwYDVQQJExw0
MDYwMCBBbm4gQXJib3IgUmQgRSBTdGUgMjAxMRgwFgYDVQQKEw9MaXF1aWQgV2Vi
LCBMTEMxGjAYBgNVBAMTEXd3dy5saXF1aWR3ZWIuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEArPlau7eH8GjzmN6Q9dNDQ/A5O2D8putk4F4S6LiQ
w/CO7KQS5YFCPhxW42AyiBImhzdrHL8TZ00srvOYGhDmlwt78Pnb+aFBsrAJNq65
Ty0BOlKF0uDJe01DH9amdphuQEyiNXtSN5OlSSPRGrypiTm8MOnGt/2pJxK49YGX
0XVMMdxtrgDViAoRW3WWqpcSsTtCRx4rGKUIC60e/+z8QAVADyy/9QzLBuJSyjkG
GLanR8Dn/4lNo8dJg5ovkcmghXSo0BpLvBWtZBhTS0eAe/VODD2I6uXohDDkBzW6
pEN5wTcOotxXP6neqdD5jbxs49D+dicWVrsUv4+QoeUT+QIDAQABo4ID5jCCA+Iw
DgYDVR0PAQH/BAQDAgWgMIGWBggrBgEFBQcBAQSBiTCBhjBHBggrBgEFBQcwAoY7
aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3NleHRlbmR2YWxz
aGEyZzNyMy5jcnQwOwYIKwYBBQUHMAGGL2h0dHA6Ly9vY3NwMi5nbG9iYWxzaWdu
LmNvbS9nc2V4dGVuZHZhbHNoYTJnM3IzMFUGA1UdIAROMEwwQQYJKwYBBAGgMgEB
MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9z
aXRvcnkvMAcGBWeBDAEBMAkGA1UdEwQCMAAwRQYDVR0fBD4wPDA6oDigNoY0aHR0
cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2V4dGVuZHZhbHNoYTJnM3IzLmNy
bDCBqwYDVR0RBIGjMIGgghF3d3cubGlxdWlkd2ViLmNvbYISY2FydC5saXF1aWR3
ZWIuY29tghRtYW5hZ2UubGlxdWlkd2ViLmNvbYIRbmV3LmxpcXVpZHdlYi5jb22C
GG1hbmFnZS5zdG9ybW9uZGVtYW5kLmNvbYIOd3d3LnNvbmV0Ny5jb22CFXd3dy5z
dG9ybW9uZGVtYW5kLmNvbYINbGlxdWlkd2ViLmNvbTAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU3bPnbagu6MVObs905nU8lBXO6B0w
HQYDVR0OBBYEFPhVNQlDuYjW8he+m/phOpW9dlNRMIIBfwYKKwYBBAHWeQIEAgSC
AW8EggFrAWkAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAXAw
kGUSAAAEAwBHMEUCIQD4dzIeqx4PkeoPSRoljPjqexdZPntdUXXHBhU7hkfdUQIg
AshbvBANLIqKBLGN0vpU8Lq6LAdc0hwq2536VEarag8AdgAiRUUHWVUkVpY/oS/x
922G4CMmY63AS39dxoNcbuIPAgAAAXAwkGOpAAAEAwBHMEUCIDVT3mV7GHfu5Wz9
QVxm/ewe/NaFTFMXjXtQpH6FNZP8AiEA50qff+xJDgYuvYWqcGo67+pOfP+BiCgW
L6b34XIwbQIAdwBRo7D1/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAAAXAw
kGSXAAAEAwBIMEYCIQDHY+1MVRlxSR7Gfv3SQ6us7nawS4dqFcRMEztDTlYWmwIh
AOkXVShugJdmRvTEXLbVhGNIf1Jcrmxb3ssH39GD8y8RMA0GCSqGSIb3DQEBCwUA
A4IBAQAOYcvVEjvLqHpYHxeO001Ywz9PLQcuM0u3oPG915hdp+a42qMZmb7kOc6S
sEG7mvytYkVE7Pghj2KoxS9ZRUplD+K/7vGJKuS9YeCTejheA0otNb6t/ui+GU6X
+HSamCru/psNe8Q15rhsaWqrGZa4rR6vBvNiJd5xCL1FBYtVRoHliYjWNrAqq6Ia
2Iy07Xqg7Cuk89ZexeFZa8KUqcH7S0jfLe+5M7LRV+tFvLgdiBA4U1M0hX+ME8eD
T8QBizu5zjGN6Fz4+R3zZrH9GrbahsG88HRmlsVnOPvkt4BqmXfITfDJLxImTXc3
CWWNBZJzxuISBzQvWMxQvk3nXZdB
-----END CERTIFICATE-----
subject=businessCategory = Private Organization, serialNumber = D9406J, jurisdictionC = US, jurisdictionST = Michigan, C = US, ST = Michigan, L = Plymouth, street = 40600 Ann Arbor Rd E Ste 201, O = "Liquid Web, LLC", CN = www.liquidweb.com
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4657 bytes and written 735 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: ECD5CD026E4FC0F951C7237E62B6C9C0250E6B711F4FFB8D053F10D34E89419F
Session-ID-ctx:
Resumption PSK: BD9B7DE5FDF601C0015BAEB6C52143850F20F7ADFFD253577681152268BD162A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 14400 (seconds)
TLS session ticket:
0000 - 01 58 6e 4f ba 9a ae 76-f2 25 d1 be 8f 3c 30 a1 .XnO...v.%...<0.
0010 - 57 91 03 38 63 24 a9 4a-d9 cc 82 c2 bb 7e e4 80 W..8c$.J.....~..
0020 - 02 63 26 97 28 7d ce e4-0e fa 46 20 b6 ce 00 3c .c&.(}....F ...<
0030 - a4 34 66 38 ff 01 bf 36-17 9c 2b 9c 4e eb e1 32 .4f8...6..+.N..2
0040 - e2 39 e5 0c f2 55 0c 72-19 08 37 c6 be 2e 9f 22 .9...U.r..7...."
0050 - c0 b3 85 0a fe 5f b5 03-43 ec 42 7e b7 34 b7 c2 ....._..C.B~.4..
0060 - 64 ea 4f 73 7a ac 65 1d-5d 3f 5b 91 9f 05 7d 87 d.Osz.e.]?[...}.
0070 - a4 fd 4f a0 cb 65 a5 e2-d6 5c 25 db db 6a 3d 76 ..O..e...\%..j=v
0080 - 92 91 3c ca 63 0b bd 22-35 b8 28 7d 8a 87 67 3e ..<.c.."5.(}..g>
0090 - 14 d9 d2 3e d0 73 68 be-ea 57 13 93 63 52 2b 9f ...>.sh..W..cR+.
00a0 - 2b 9e a9 92 84 0d 74 6c-7c 4e 5c d5 9a 00 c3 ed +.....tl|N\.....
00b0 - 92 .
Start Time: 1588773944
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Now, once we are connected, we can send a HEAD command with our HTTP to instruct the HTTP server not to send the response body. To send our request, we’ll need to type the following command.
HEAD / HTTP/1.1
Host: www.liquidweb.com
Once the request has been sent, the server will send us a reply.
HTTP/1.1 200 OK
Server: nginx/1.16.1
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8
Date: Sun, 03 May 2020 12:07:26 GMT
Link: <https://www.liquidweb.com/lw-api/>; rel="https://api.w.org/"
Link: <https://www.liquidweb.com/>; rel=shortlink
Transfer-Encoding: chunked
X-Nginx-Cache: HIT
Connection: Keep-Alive
Set-Cookie: lwDisableCookiePrompt=1;domain=liquidweb.com;path=/;max-age=315360000
X-Page-Speed: 1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.2.20
closed
Now we have successfully confirmed that the TLS communication layer is working. With our initial command, OpenSSL connected to the liquidweb.com domain on the secure HTTPS port of 443. We received details back about the SSL certificate, certificate authority, ciphers, etc. Then, we sent a raw HTTP HEAD request and received a reply which confirmed the web server not only accepted our connection, but also responded to our request.
Basically, there are two outputs to the mentioned s_client -connect command:
- The server accepted our connection, which will display an SSL certificate along with the additional output.
- The server rejected our connection and provided us with an error message such as connect: Connection timed out or connect:errno=110.
If the connection is rejected and the domain name and port are correct, the server will not accept secure connections on that specified port.
However, if we establish a connection with the initial command and HTTP requests keep failing, there might be a solution for us. For this example, let us use one of our testing domains, yesnt.tk. We will try to connect with the same command used for testing liquidweb.com
[root@host ~]# openssl s_client -connect yesnt.tk:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = shellbear.ga
verify error:num=10:certificate has expired
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
depth=0 CN = shellbear.ga
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
---
Certificate chain
0 s:/CN=shellbear.ga
i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgIQeWEqm8k8c3HNVdzCT7Q/rjANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xFTAT
BgNVBAoTDGNQYW5lbCwgSW5jLjEtMCsGA1UEAxMkY1BhbmVsLCBJbmMuIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDcyNDAwMDAwMFoXDTE5MTAyMjIzNTk1
OVowFzEVMBMGA1UEAxMMc2hlbGxiZWFyLmdhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAm1Sht3pf1nCetcyrAbQeQwE8ofny8iyGo9vbnc5zRaHJ3lnP
sfnGvOkDo1MgHCLWgn6bzOfgY+9L9NsmSG4rXqbDsJs0XQEsmjWeGklJA57P6Yng
5Hi0KjQBsOqEL5tklAACdNpWIEMoX5zSdWKTj4RmI8lQdhBdSaXK+ymNDpUu52jC
BBhXorUqFLgXuagvu2CBFNM599X66exvbvs68qRYJhwjguPKwp9i1wANqBWICcoD
+k2+sP/OCtl5i8XHvX9JOchV/MHxg0D7SiCDnaQAzOgyfDg9NLgsl3cEV+Afaasw
TYdchquAiDw4zHL14WotZ6pHlyr1cuHCr+P1mQIDAQABo4IC5zCCAuMwHwYDVR0j
BBgwFoAUfgNaZUFrp34K4bidCOodjh1qx2UwHQYDVR0OBBYEFBqgj8p3hHmwlJcb
XiStJkU7Y+7RMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgI0
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9jUGFuZWxJbmNDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB9BggrBgEFBQcB
AQRxMG8wRwYIKwYBBQUHMAKGO2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL2NQYW5l
bEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wPAYDVR0RBDUwM4IMc2hlbGxiZWFyLmdhghFt
YWlsLnNoZWxsYmVhci5nYYIQd3d3LnNoZWxsYmVhci5nYTCCAQYGCisGAQQB1nkC
BAIEgfcEgfQA8gB3AGPy283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAAB
bCIpo84AAAQDAEgwRgIhAI80yjN/XG95oLxj0JGkmceRnZUrVK+wnqYJ4iWS/XbZ
AiEAgI92Ifz0I5kQBBHGU/ojwXlrhNIuyPT6o/mJzw4CdDcAdwB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWwiKhzaAAAEAwBIMEYCIQDrEL3R/pQj
0U/IFp48w5M61Y9jkZMZL3iF2J0Qf/AdugIhAMV0HttIGa2I8xRXeXXd+7NpAjbA
Qt413brsFnLXyuGTMA0GCSqGSIb3DQEBCwUAA4IBAQAEGiu+Y2aLUM/0xy8tiPfl
vu11aolTodX4DyfqlUM0HoIIOHUWFq3zGcjU9hcDXzsq26N7/BZLqJNJMUn6BaoQ
Zvy79xwN/rgKFOZb/wK7wMr0fvM7eOHhHYGoAS+M/2g3RtVh8Fi9lAidL2tsrzHs
CxzoCY1aA6yRsRdkTNgKaSn/ZtEqmYeBeAxgrPhXSZ2GSSHU6rdnrmF6G8GQQGn1
4njMUZ2ll7077HsJbhsjhy1FtYiYt4lR2hPd2jgPNUmbTpLsR6i4SuBXLPpAwRRX
QgvpIiaFpbHKOwd1C3LFND+FdfzykW/Lp9YMmteF6NNeZFfdGRlH0u0l15HyfqRO
-----END CERTIFICATE-----
subject=/CN=shellbear.ga
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5153 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7E143DC254451082AABC45067936A675AD210CEDA7643F85347AA6DCE16B5615
Session-ID-ctx:
Master-Key: FD615434DC4AD0F2955F0801B2B451636CE14D1B567E400725E213245A9B80D932257F9529D05524551D5A9F1B48F37C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6c 1f 89 0f fb 47 fa 8d-54 85 f7 14 82 2f 7b 1f l....G..T..../{.
0010 - 1e c4 66 3a eb 28 98 b9-a2 75 fd 67 0d 0e f0 02 ..f:.(...u.g....
0020 - ce b0 bd 41 25 df d9 86-b0 39 8d 46 ce cc e5 75 ...A%....9.F...u
0030 - 2c 9c 23 e5 2e 62 1a 30-fe c2 a0 f8 86 f2 09 7c ,.#..b.0.......|
0040 - 92 29 d0 d4 14 26 22 16-c2 40 9b 3f b3 6a c9 51 .)...&"..@.?.j.Q
0050 - 85 01 ba df 90 20 41 05-e0 72 bd 97 73 d5 99 93 ..... A..r..s...
0060 - 6c a4 50 2e b0 9e d3 6a-2d 05 b1 e8 9f 03 8f 3e l.P....j-......>
0070 - 06 8f b3 29 88 6d 32 91-79 5c f2 70 b4 5d 3c 9c ...).m2.y\.p.]<.
0080 - 63 ab 99 3b ce 7f cb c6-4e 12 cc 9a cb a5 e6 45 c..;....N......E
0090 - 6b 91 ae 74 13 e5 fd 76-d3 69 57 45 73 8e 74 f9 k..t...v.iWEs.t.
00a0 - df 23 cb ad 89 3f 72 10-ec a5 0b 69 45 2b 28 a3 .#...?r....iE+(.
00b0 - 4c 8e 92 c1 46 1b 13 f0-9f 48 6d 45 b5 55 11 82 L...F....HmE.U..
Start Time: 1588530922
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sun, 03 May 2020 18:35:29 GMT
Server: Apache
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<p>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
closed
As we can see from the output, the connection was established. But, as soon as we typed in the HEAD request, the server replied with an error.
Some servers require us to translate our line feed from the terminal into CR+LF (Carriage Return, Line Feed). Basically, CR and LF are control characters or bytecode that are used to mark a line break in a text file to help the server to understand what we are requesting from it. Let’s append the -crlf flag to our OpenSSL command. We will test it by using the following command.
[root@host ~]# openssl s_client -connect yesnt.tk:443 -crlf
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = shellbear.ga
verify error:num=10:certificate has expired
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
depth=0 CN = shellbear.ga
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
---
Certificate chain
0 s:/CN=shellbear.ga
i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgIQeWEqm8k8c3HNVdzCT7Q/rjANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xFTAT
BgNVBAoTDGNQYW5lbCwgSW5jLjEtMCsGA1UEAxMkY1BhbmVsLCBJbmMuIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDcyNDAwMDAwMFoXDTE5MTAyMjIzNTk1
OVowFzEVMBMGA1UEAxMMc2hlbGxiZWFyLmdhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAm1Sht3pf1nCetcyrAbQeQwE8ofny8iyGo9vbnc5zRaHJ3lnP
sfnGvOkDo1MgHCLWgn6bzOfgY+9L9NsmSG4rXqbDsJs0XQEsmjWeGklJA57P6Yng
5Hi0KjQBsOqEL5tklAACdNpWIEMoX5zSdWKTj4RmI8lQdhBdSaXK+ymNDpUu52jC
BBhXorUqFLgXuagvu2CBFNM599X66exvbvs68qRYJhwjguPKwp9i1wANqBWICcoD
+k2+sP/OCtl5i8XHvX9JOchV/MHxg0D7SiCDnaQAzOgyfDg9NLgsl3cEV+Afaasw
TYdchquAiDw4zHL14WotZ6pHlyr1cuHCr+P1mQIDAQABo4IC5zCCAuMwHwYDVR0j
BBgwFoAUfgNaZUFrp34K4bidCOodjh1qx2UwHQYDVR0OBBYEFBqgj8p3hHmwlJcb
XiStJkU7Y+7RMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgI0
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9jUGFuZWxJbmNDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB9BggrBgEFBQcB
AQRxMG8wRwYIKwYBBQUHMAKGO2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL2NQYW5l
bEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wPAYDVR0RBDUwM4IMc2hlbGxiZWFyLmdhghFt
YWlsLnNoZWxsYmVhci5nYYIQd3d3LnNoZWxsYmVhci5nYTCCAQYGCisGAQQB1nkC
BAIEgfcEgfQA8gB3AGPy283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAAB
bCIpo84AAAQDAEgwRgIhAI80yjN/XG95oLxj0JGkmceRnZUrVK+wnqYJ4iWS/XbZ
AiEAgI92Ifz0I5kQBBHGU/ojwXlrhNIuyPT6o/mJzw4CdDcAdwB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWwiKhzaAAAEAwBIMEYCIQDrEL3R/pQj
0U/IFp48w5M61Y9jkZMZL3iF2J0Qf/AdugIhAMV0HttIGa2I8xRXeXXd+7NpAjbA
Qt413brsFnLXyuGTMA0GCSqGSIb3DQEBCwUAA4IBAQAEGiu+Y2aLUM/0xy8tiPfl
vu11aolTodX4DyfqlUM0HoIIOHUWFq3zGcjU9hcDXzsq26N7/BZLqJNJMUn6BaoQ
Zvy79xwN/rgKFOZb/wK7wMr0fvM7eOHhHYGoAS+M/2g3RtVh8Fi9lAidL2tsrzHs
CxzoCY1aA6yRsRdkTNgKaSn/ZtEqmYeBeAxgrPhXSZ2GSSHU6rdnrmF6G8GQQGn1
4njMUZ2ll7077HsJbhsjhy1FtYiYt4lR2hPd2jgPNUmbTpLsR6i4SuBXLPpAwRRX
QgvpIiaFpbHKOwd1C3LFND+FdfzykW/Lp9YMmteF6NNeZFfdGRlH0u0l15HyfqRO
-----END CERTIFICATE-----
subject=/CN=shellbear.ga
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5153 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6C2B159BF25C8942FE43813565753C50F23E0C2E3E5A8B8A7100C192DF295234
Session-ID-ctx:
Master-Key: B2B682A170DB961847D63AA01298ED843DD7C51D537F3E9E1B2703697307E2CFC0D8CDFE5BDE1F3BE2F90B98D95B7C81
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6c 1f 89 0f fb 47 fa 8d-54 85 f7 14 82 2f 7b 1f l....G..T..../{.
0010 - 35 d6 6f 80 92 f9 fc 42-7a e0 be 8b c9 e6 60 f4 5.o....Bz.....`.
0020 - 90 c4 7b e1 c4 b2 56 54-ea ee e2 1c d0 13 10 18 ..{...VT........
0030 - 95 e5 15 71 45 91 2c 65-a9 34 b5 45 a3 32 c0 bd ...qE.,e.4.E.2..
0040 - d0 6c 0a 88 06 12 3e 33-0a 88 b4 93 18 55 6e d1 .l....>3.....Un.
0050 - 63 f4 72 8a 14 db 61 3f-77 4e d1 f1 b1 ee d5 9e c.r...a?wN......
0060 - 8a 99 39 65 b4 55 72 15-2d 5f a6 0e dc 35 dd 69 ..9e.Ur.-_...5.i
0070 - f5 dc 33 28 55 73 3e 40-80 d7 e2 7a e9 b9 d3 c2 ..3(Us>@...z....
0080 - c3 3c 67 d6 5f 99 ec 3a-e8 1d 1c 3c 74 16 6d 2d .<g._..:...<t.m-
0090 - e9 76 8b 31 d8 c3 5a ac-ee 32 aa 0b 23 2d c2 fc .v.1..Z..2..#-..
00a0 - df de bb b7 8c 57 40 6f-5c 67 2e bb a9 46 62 0f .....W@o\g...Fb.
00b0 - 50 4b 20 42 5a 58 ac fa-1e 6d 2b d9 66 fa 42 84 PK BZX...m+.f.B.
Start Time: 1588531475
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
HEAD / HTTP/1.1
Host: yesnt.tk
HTTP/1.1 200 OK
Date: Sun, 03 May 2020 18:44:38 GMT
Server: Apache
Link: <https://yesnt.tk/wp-json/>; rel="https://api.w.org/"
Cache-Control: max-age=86400
Expires: Mon, 04 May 2020 18:44:38 GMT
Content-Type: text/html; charset=UTF-8
closed
Now, the server understood our request, and we received a response. Multiple other flags can be used with the OpenSSL s_client command that can assist us in troubleshooting our connection, and all of them are available on the OpenSSL man pages which we can review from our terminal or via the following URL: https://www.openssl.org/docs/man1.1.1/man1/s_client.html
Conclusion
In this tutorial, we learned what OpenSSL is and how to verify if we have a secure connection to a domain. This tutorial is only a small part of this powerful and useful command. This practical tool makes testing connections an easy task, and as it comes preinstalled on most Unix platforms, it provides all of its functionality from the start. Overall, OpenSSL is an invaluable tool in our kit that has much to offer.
Related Articles:
About the Author: Isabel Kettnich
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.
Latest Articles
How to Clone a Drupal Site to Another Domain
Read ArticleTop Eight Virtualization Security Issues and Risks
Read ArticleAccessing Man Pages on Ubuntu 16.04 LTS
Read ArticlePremium Business Email Pricing FAQ
Read ArticleMicrosoft Exchange Server Security Update
Read Article