OpenSSL s_client cheat sheet



Published: 2017-08-16 11:03:21 +0000
Categories: BASH

Language

BASH

Description

A quick reference for a number of common tasks using OpenSSL's s_client to connect to an SSL/TLS service, including checking certificate expiry dates, listing SANs, and pinning the protocol version or ciphersuite.

Snippet


# Set some variables for convenience
SERVER='myserver.com:443'
SITENAME='myserver.com'

# SITENAME is the SNI name, so it can differ from the host you connect to, e.g.
#
# SERVER='myserver.com:443'
# SITENAME='snippets.bentasker.co.uk'
#

# Connect to a server and print the validity dates of the certificate it presents
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts 2>/dev/null | openssl x509 -noout -dates

# Get the expiry as a Unix timestamp for comparison in a script (GNU date)
expiry=$(date --date="$(echo -n | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts 2>/dev/null \
| openssl x509 -noout -enddate | cut -d= -f2)" +'%s')
echo "$expiry"

# List Subject Alternative Names
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts 2>/dev/null | openssl x509 -noout -text | grep DNS: | tr ',' '\n'

# Check whether the certificate verifies for 'foo.com' (includes SANs); the result is on
# the "Verify return code" line. Chain verification uses the default CA store unless
# -CAfile / -CApath is given
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts -verify_hostname foo.com 2>&1

# Only use SSLv3 (needs an OpenSSL build with SSLv3 enabled; most current builds omit it)
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -ssl3

# Only use TLS 1.2
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -tls1_2

# Only use a specific ciphersuite (-cipher covers TLS 1.2 and earlier; TLS 1.3 suites
# are selected with -ciphersuites on OpenSSL 1.1.1+)
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -cipher EDH-DSS-DES-CBC3-SHA
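The "get expiry for comparison in script" one-liner above is the building block for an automated expiry check. The script below is an added example, not part of the original cheat sheet: it wraps that lookup in functions that report days remaining and an OK / WARN / EXPIRED status suitable for a monitoring job. It assumes GNU date (for --date) and the "notAfter=" line format printed by openssl x509 -noout -enddate; the function names (days_until_expiry, expiry_status, fetch_not_after, check_cert) and the 30-day default threshold are choices made here, not anything from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): turn the expiry lookup
# into a reusable check that warns before a certificate runs out.
# Assumptions: GNU date (for --date) and the "notAfter=" line format printed
# by `openssl x509 -noout -enddate`, e.g. "notAfter=Jan  1 00:00:00 2030 GMT".

# days_until_expiry NOTAFTER_LINE [NOW_EPOCH]
# Prints whole days until expiry, floored, so a certificate that expired
# earlier today reports -1 rather than 0. NOW_EPOCH defaults to the current time.
days_until_expiry() {
    local line=$1 now=${2:-$(date +%s)}
    local expiry delta days
    expiry=$(date --date="${line#notAfter=}" +%s) || return 2
    delta=$(( expiry - now ))
    days=$(( delta / 86400 ))
    # shell integer division truncates toward zero; floor negative partial days
    if [ $(( delta % 86400 )) -lt 0 ]; then days=$(( days - 1 )); fi
    echo "$days"
}

# expiry_status DAYS [WARN_DAYS]
# Prints OK / WARN / EXPIRED and returns 0 / 1 / 2, so it can drive an alert.
expiry_status() {
    local days=$1 warn=${2:-30}
    if [ "$days" -lt 0 ]; then
        echo EXPIRED; return 2
    elif [ "$days" -lt "$warn" ]; then
        echo WARN; return 1
    fi
    echo OK; return 0
}

# fetch_not_after HOST:PORT SNI_NAME
# Retrieves the leaf certificate's notAfter line from a live server (needs network).
fetch_not_after() {
    echo | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# check_cert HOST:PORT SNI_NAME [WARN_DAYS]
# Prints one summary line and returns the expiry_status code (3 on lookup failure).
check_cert() {
    local line days status rc
    line=$(fetch_not_after "$1" "$2") || { echo "$2: could not retrieve certificate"; return 3; }
    days=$(days_until_expiry "$line") || { echo "$2: could not parse '$line'"; return 3; }
    status=$(expiry_status "$days" "${3:-30}"); rc=$?
    echo "$2: $status ($days days remaining)"
    return $rc
}

# Usage: ./check_expiry.sh myserver.com:443 myserver.com 30
# (SNI name defaults to the host part of HOST:PORT, warning threshold to 30 days)
if [ $# -gt 0 ]; then
    check_cert "$1" "${2:-${1%%:*}}" "${3:-30}"
fi
```

The date arithmetic is kept separate from the network fetch so the parsing and threshold logic can be exercised against a fixed "now" without a live server; the exit code of check_cert is what a cron job or monitoring wrapper should key on.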

Usage Example

#!/usr/bin/env bash
#
# Test remote server support for all ciphersuites supported by the local openssl install
#
# usage: ./cipher_test.sh host:port
#
# Note: -cipher only controls TLS 1.2 and earlier. TLS 1.3 suites (TLS_AES_*,
# TLS_CHACHA20_*) listed by `openssl ciphers` on OpenSSL 1.1.1+ are selected with
# -ciphersuites instead, so they are skipped here rather than reported as a false YES.
#

if [ -z "$1" ]; then
  echo "usage: $0 host:port" >&2
  exit 1
fi

SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | tr ':' ' ')

echo "Obtaining cipher list from $(openssl version)."

for cipher in $ciphers
do
  case $cipher in
    TLS_*) echo "Skipping $cipher (TLS 1.3 suite, needs -ciphersuites)"; continue ;;
  esac
  echo -n "Testing $cipher..."
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$SERVER" 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # Field 6 of an OpenSSL error line is the human-readable reason
    error=$(printf '%s\n' "$result" | grep ':error:' | head -n 1 | cut -d':' -f6)
    echo "NO ($error)"
  else
    if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
      echo YES
    else
      echo "UNKNOWN RESPONSE"
      echo "$result"
    fi
  fi
  sleep $DELAY
done
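The cipher test above asks "which suites will the server negotiate"; the companion question for a hardening review is "which protocol versions will it negotiate", using the -ssl3 / -tls1_2 style flags from the snippet. The script below is an added example, not part of the original page: it tries one handshake per version and flags any deprecated version (SSLv3 per RFC 7568, TLS 1.0 and 1.1 per RFC 8996) the server accepts. It assumes the version flags exist in the local OpenSSL build (a flag the build lacks is reported as LOCAL-ERROR rather than as a server result) and that s_client output contains the strings matched in classify_handshake; the function names are ours, and the sample outputs used to exercise the classifier are constructed, not captured from any real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit which SSL/TLS protocol
# versions a server will negotiate, in the same spirit as the cipher test.
# Assumptions: the version flags below exist in the local OpenSSL build, and
# s_client prints the strings matched in classify_handshake.

# classify_handshake OUTPUT
# Interprets captured `openssl s_client` output (stdout+stderr) and prints
# ACCEPTED, REJECTED, LOCAL-ERROR or UNKNOWN.
classify_handshake() {
    case $1 in
        *[Uu]"nknown option"*)  echo LOCAL-ERROR ;;  # flag missing from this build
        *:error:*)              echo REJECTED ;;     # OpenSSL error line, e.g. "alert protocol version"
        *"Cipher is (NONE)"*)   echo REJECTED ;;     # connected, but no handshake completed
        *"Cipher is "*)         echo ACCEPTED ;;     # "New, TLSv1.2, Cipher is ECDHE-..."
        *)                      echo UNKNOWN ;;
    esac
}

# is_legacy_protocol FLAG
# Succeeds for versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).
is_legacy_protocol() {
    case $1 in
        -ssl3|-tls1|-tls1_1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_protocols HOST:PORT SNI_NAME
# Tries one handshake per version and prints "version  result [finding]".
# Returns 1 if any deprecated version was accepted, else 0.
audit_protocols() {
    local target=$1 sni=$2 flag out verdict findings=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(echo | openssl s_client -connect "$target" -servername "$sni" "$flag" 2>&1)
        verdict=$(classify_handshake "$out")
        if [ "$verdict" = ACCEPTED ] && is_legacy_protocol "$flag"; then
            findings=$((findings + 1))
            printf '%-8s %s  <- deprecated version enabled\n' "${flag#-}" "$verdict"
        else
            printf '%-8s %s\n' "${flag#-}" "$verdict"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: ./protocol_audit.sh myserver.com:443 myserver.com
# (SNI name defaults to the host part of HOST:PORT)
if [ $# -gt 0 ]; then
    audit_protocols "$1" "${2:-${1%%:*}}"
fi
```

Separating the output classifier from the network loop keeps the "what does this s_client output mean" logic testable on its own; a LOCAL-ERROR for -ssl3 is expected on most modern builds and says nothing about the server.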

Keywords

openssl, s_client, client, https, cert, expiry, ciphersuites, remote, test, check


Copyright © 2018 Ben Tasker
Available at snippets.bentasker.co.uk and snippets.6zdgh5a5e6zpchdz.onion