Debug Server Certificate from Client

Credit for this example goes to “Checking A Remote Certificate Chain With OpenSSL” from langui.sh.

openssl s_client -showcerts -connect www.andunix.net:443

Information about the arguments used, from the OpenSSL man page:

  • s_client: SSL/TLS client program
  • -showcerts: display the whole server certificate chain: normally only the server certificate itself is displayed.
  • -connect www.andunix.net:443: This specifies the host and optional port to connect to. If not specified then an attempt is made to connect to the local host on port 443.

Example Output

$ openssl s_client -showcerts -connect www.andunix.net:443
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
---
No client certificate CA names sent
---
SSL handshake has read 3229 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9B356D595A9E2F7330136DB12E1CE20CCFAC3490563E358B9A5C833B46552A67
    Session-ID-ctx: 
    Master-Key: C9BFCE43302AD337656D867BC6D253BFD034B59E942F7A53012E4CEC5EE3615C34B75571C934E58D96C10DEC47A071B3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1398672406
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
^C
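
Added example (not from the original page or from langui.sh): a POSIX shell function that reads `s_client -showcerts` output, checks that each certificate's issuer name matches the subject of the next certificate the server sent, and reports the verify return code. The names `chain_summary` and `sample_output` are chosen here; the sample input is the chain and verify lines from the output above with the PEM bodies left out.

```shell
#!/bin/sh
# Summarise `openssl s_client -showcerts` output read on stdin.
# Names are compared as strings only; signatures are not verified here.
chain_summary() {
    awk '
    /^ *[0-9]+ s:/ {                      # " 0 s:<subject>"
        line = $0; sub(/^ *[0-9]+ s:/, "", line)
        n++; subj[n] = line; next
    }
    /^ +i:/ && n > 0 && !(n in iss) {     # "   i:<issuer>"
        line = $0; sub(/^ +i:/, "", line)
        iss[n] = line; next
    }
    /Verify return code:/ {
        line = $0; sub(/^.*Verify return code: */, "", line); code = line
    }
    END {
        for (k = 1; k <= n; k++) {
            printf "cert %d subject=%s\n", k - 1, subj[k]
            if (k < n && iss[k] != subj[k + 1])
                printf "BREAK: issuer of cert %d is not cert %d\n", k - 1, k
        }
        if (n > 0 && iss[n] == subj[n])
            print "top: self-issued certificate was sent"
        else if (n > 0)
            printf "top: issuer not sent, must be in local trust store: %s\n", iss[n]
        if (code != "") printf "verify=%s\n", code
        else print "verify=unknown"
    }'
}

# Sample input: chain and verify lines taken from the output above.
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.andunix.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

sample_output | chain_summary
```

Against a live host, pipe the command in: `openssl s_client -showcerts -connect www.andunix.net:443 </dev/null 2>/dev/null | chain_summary`. In the sample, verify code 20 lines up with the `top:` line: the server sent leaf and intermediate in the right order, but the issuer of the last certificate was not found in the client's local trust store (s_client accepts one via `-CAfile` or `-CApath`).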
info/cryptography/openssl/debug_server_certificate_from_client.txt · Last modified: 2014-04-28 10:07 by andunix