OpenSSL s_client cheat sheet



Published: 2017-08-16 11:03:21 +0000
Categories: BASH

Language

BASH

Description

A quick reference for a number of common tasks using OpenSSL's s_client to connect to an SSL/TLS service, including checking certificate expiry dates, listing SANs and testing protocol and cipher support.

Snippet


# Set some variables for convenience
SERVER='myserver.com:443'
SITENAME='myserver.com'

# Sitename is the SNI name, so you can, for example, do
#
# SERVER='myserver.com:443'
# SITENAME='snippets.bentasker.co.uk'
#

# Connect to a server and check the expiry date of the certificate
# (x509 reads the first PEM block, i.e. the leaf certificate)
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts 2>&1 | openssl x509 -noout -dates

# Get expiry as a Unix timestamp for comparison in a script (GNU date)
expiry=$(date --date="$(echo -n | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts 2> /dev/null \
| openssl x509 -dates -noout | grep -i "notAfter" | cut -d= -f2)" +'%s')
echo "$expiry"

# List Subject Alternative Names
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts 2> /dev/null | openssl x509 -noout -text | grep DNS: | tr ',' '\n'

# Check whether the certificate verifies for 'foo.com' (includes SANs)
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -showcerts -verify_hostname foo.com 2>&1

# Only use SSLv3
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -ssl3

# Only use TLS 1.2
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -tls1_2

# Only use a specific ciphersuite
echo | openssl s_client -connect "$SERVER" -servername "$SITENAME" -cipher EDH-DSS-DES-CBC3-SHA
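Building on the expiry snippet above, an added example (not from the original page) that turns the notAfter line into a days-remaining figure and a monitoring-style OK/WARN/EXPIRED verdict with a matching exit status; the function names are this example's own, and the date parsing relies on GNU date just as the snippet does.

```shell
#!/usr/bin/env bash
# Added example: certificate expiry as a threshold check.
# days_until / expiry_status / check_remote_cert are names chosen here.

# days_until: convert a "notAfter=<date>" line (as printed by
# `openssl x509 -noout -enddate`) into whole days from now; negative if past.
days_until() {
    local not_after=${1#notAfter=}
    local expiry_epoch now_epoch
    expiry_epoch=$(date --date="$not_after" +%s) || return 1   # GNU date
    now_epoch=$(date +%s)
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# expiry_status: print OK / WARN / EXPIRED for a notAfter line and a
# warning threshold in days; exit status 0 / 1 / 2 respectively (3 if the
# date could not be parsed), so it can drive a monitoring check directly.
expiry_status() {
    local line=$1 threshold=${2:-30} days
    days=$(days_until "$line") || { echo "UNPARSEABLE"; return 3; }
    if (( days < 0 )); then
        echo "EXPIRED (${days#-} days ago)"; return 2
    elif (( days < threshold )); then
        echo "WARN (${days} days left)"; return 1
    fi
    echo "OK (${days} days left)"; return 0
}

# check_remote_cert: fetch the leaf certificate with s_client (SNI set,
# stdin closed so the session ends immediately) and run expiry_status on
# its notAfter line. The SNI name defaults to the host part of host:port.
check_remote_cert() {
    local server=$1 sni=${2:-${1%%:*}} threshold=${3:-30} line
    line=$(openssl s_client -connect "$server" -servername "$sni" </dev/null 2>/dev/null \
           | openssl x509 -noout -enddate 2>/dev/null)
    [[ -n $line ]] || { echo "NO CERTIFICATE from $server"; return 3; }
    expiry_status "$line" "$threshold"
}

# Example runs (the last one needs network access):
# expiry_status 'notAfter=Jan  1 00:00:00 2001 GMT' 30   -> EXPIRED, exit 2
# check_remote_cert myserver.com:443 myserver.com 30
```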

Usage Example

#!/usr/bin/env bash
#
# Test remote server support for all ciphersuites supported by local openssl install
#
# usage: ./cipher_test.sh [server fqdn/ip[:port]]
#

SERVER=${1:?usage: $0 server[:port]}
# s_client needs host:port; assume 443 if no port was given
[[ "$SERVER" == *:* ]] || SERVER="${SERVER}:443"
DELAY=1
# Split the colon-separated cipher list into a proper array
IFS=: read -r -a ciphers <<< "$(openssl ciphers 'ALL:eNULL')"

echo "Obtaining cipher list from $(openssl version)."

for cipher in "${ciphers[@]}"
do
  echo -n "Testing $cipher..."
  result=$(openssl s_client -cipher "$cipher" -connect "$SERVER" </dev/null 2>&1)
  if [[ "$result" =~ ":error:" ]] ; then
    # Pull the reason string (sixth colon-separated field) out of the first openssl error line
    error=$(grep -m1 ':error:' <<< "$result" | cut -d':' -f6)
    echo "NO ($error)"
  else
    if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
      echo YES
    else
      echo "UNKNOWN RESPONSE"
      echo "$result"
    fi
  fi
  sleep "$DELAY"
done

Keywords

openssl, s_client, client, https, cert, expiry, ciphersuites, remote, test, check


Copyright © 2019 Ben Tasker | Sitemap | Privacy Policy
Available at snippets.bentasker.co.uk and snippets.6zdgh5a5e6zpchdz.onion