How to test SSL connectivity from the command line?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux

Issue

  • How to test SSL connectivity from the command line?

Resolution

See also: How to test which SSL/TLS protocols & ciphersuites are offered by a server

Red Hat Enterprise Linux provides several tools for testing SSL connectivity. Depending on what needs to be tested, one tool may be more suitable than another.

OpenSSL s_client

Use openssl s_client -connect TARGET:PORT to test & troubleshoot SSL/TLS connections to a target server.

  • Test a webserver on the standard port:

    openssl s_client -connect www.example.com:443
    
  • Some protocols support STARTTLS, where a normal session is upgraded to a secure one before any traffic goes through the connection. s_client supports this with the -starttls option.
    Example:

    openssl s_client -connect smtp.example.com:25 -starttls smtp
    
  • Note that by default an interactive session is opened in which commands can be typed, as in the following example. This is useful for debugging problems with SSL/TLS certificates -- for example, on web servers, mail servers, and FTP servers.

    $ openssl s_client -connect redhat.com:443
    
    CONNECTED(00000003)
    depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Web Operations/CN=www.redhat.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Web Operations/CN=www.redhat.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Web Operations/CN=www.redhat.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Web Operations/CN=www.redhat.com
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    (certificate details removed)
    ---
    GET /
    GET /
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      &nbsp;      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
            <title>redhat.com | Home</title>
    ...
    
  • Note that s_client also includes a -CAfile option to provide a bundle of trusted CA certificates, used for server authentication and when attempting to build the client certificate chain.
    Example:

    openssl s_client -connect TARGET:PORT -CAfile /path/to/some/ca_chain.crt
    
  • s_client also supports specifying client certificates/keys and requesting specific SSL/TLS protocols & ciphersuites.
    See man s_client or openssl s_client -help for more details.
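The bullets above describe s_client as an interactive tool. The following shell functions, added here as an example and not part of the Red Hat article, wrap it in a non-interactive check: stdin is closed so s_client exits right after the handshake, -servername sends SNI so a virtual-hosted server presents the right certificate, and the "Verify return code" and negotiated protocol/cipher lines are parsed out of the output. The function names (tls_verify_code, tls_negotiated, tls_probe) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): a non-interactive wrapper
# around "openssl s_client" that reports the chain verification result.

# Read s_client output on stdin and print the N from "Verify return code: N (...)".
# Prints 255 if the line is missing, i.e. the handshake never completed.
tls_verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\) (.*/\1/p' | tail -n 1)
    if [ -z "$code" ]; then
        echo 255
    else
        echo "$code"
    fi
}

# Read s_client output on stdin and print "PROTOCOL CIPHER" from the
# SSL-Session block (e.g. "TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384").
tls_negotiated() {
    awk -F': *' '/^ *Protocol *:/ {p=$2} /^ *Cipher *:/ {c=$2} END {print p, c}'
}

# tls_probe HOST PORT [CAFILE]
# Connects once, prints one summary line and returns the verify code as the
# exit status (0 = chain verified against the CA store or the given CAFILE).
tls_probe() {
    host=$1; port=$2; cafile=$3
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    # </dev/null closes stdin so s_client does not wait for typed commands.
    out=$(openssl s_client "$@" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | tls_verify_code)
    printf '%s:%s %s verify=%s\n' "$host" "$port" \
        "$(printf '%s\n' "$out" | tls_negotiated)" "$code"
    return "$code"
}

# Usage (hypothetical hosts and path): tls_probe www.example.com 443
#                                      tls_probe smtp.example.com 465 /path/to/ca_chain.crt
```

Because the verify code becomes the exit status, the probe can be used directly in a monitoring script or a loop over several hosts; a non-zero status such as 20 (unable to get local issuer certificate) or 21 (unable to verify the first certificate) is the same number s_client prints in the interactive session shown earlier.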

cURL

This tool is often the first choice, as it allows you to switch quickly between the http and https protocols.

  • Restricting output to HTTP headers is often sufficient to test webserver communication.
    For example:

    $ curl --head https://www.redhat.com/en
    HTTP/1.1 200 OK
    Content-Language: en
    Content-Type: text/html; charset=utf-8
    ETag: "1467394864-1"
    Last-Modified: Fri, 01 Jul 2016 17:41:04 GMT
    Link: <https://www.redhat.com/en>; rel="canonical"
    Server: Apache
    X-Content-Type-Options: nosniff
    X-Drupal-Cache: HIT
    X-Generator: Drupal 7 (http://drupal.org)
    X-Powered-By: PHP/5.3.3
    X-RedHat-Debug: 1
    X-Trace: 1B2F60831EC3EB5298FA800116C69F42E650C938ECCE6732C69D36688D
    Cache-Control: public, no-cache
    Expires: Sun, 03 Jul 2016 22:39:23 GMT
    Date: Sun, 03 Jul 2016 22:39:23 GMT
    Connection: keep-alive
    
  • As with openssl s_client above, curl has an option to pass a file containing CA certs (--cacert), an option to specify a client cert file (--cert), and an option to specify a private key (--key).
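The following shell functions are an added example, not part of the Red Hat article, showing how the --cacert, --cert and --key options named above combine with curl's --write-out variables to separate "the TLS chain did not verify" from "the server answered with an HTTP error". The %{ssl_verify_result} variable reports the OpenSSL verification result (0 means the chain verified) on curl builds that use OpenSSL, as on RHEL. The function names curl_tls_probe and curl_verdict and the verdict words are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): a curl probe that reports
# the HTTP status and the TLS verification result on one line.

# curl_tls_probe URL [CAFILE] [CLIENT_CERT] [CLIENT_KEY]
# Prints "<curl exit code> <http_code> <ssl_verify_result>".
curl_tls_probe() {
    url=$1; cafile=$2; cert=$3; key=$4
    set -- --silent --show-error --output /dev/null \
           --write-out '%{http_code} %{ssl_verify_result}\n' "$url"
    [ -n "$cafile" ] && set -- "$@" --cacert "$cafile"   # trusted CA bundle
    [ -n "$cert" ]   && set -- "$@" --cert "$cert"       # client certificate
    [ -n "$key" ]    && set -- "$@" --key "$key"         # client private key
    rc=0
    result=$(curl "$@" 2>/dev/null) || rc=$?
    printf '%s %s\n' "$rc" "${result:-000 -1}"
}

# curl_verdict "<rc> <http_code> <ssl_verify_result>"
# Maps a probe line to one word using curl's documented exit codes:
# 6/7/28 = resolve/connect/timeout, 35 = TLS handshake error,
# 51/60 = peer certificate not verified, 58 = problem with the local cert.
curl_verdict() {
    set -- $1
    rc=$1; http=$2; verify=$3
    case "$rc" in
        0)  if [ "$verify" != "0" ]; then echo CERT_UNTRUSTED   # only with --insecure
            elif [ "$http" -ge 400 ]; then echo HTTP_ERROR
            else echo OK; fi ;;
        6|7|28) echo CONNECT_FAILED ;;
        35)     echo HANDSHAKE_FAILED ;;
        51|60)  echo CERT_UNTRUSTED ;;
        58)     echo CLIENT_CERT_PROBLEM ;;
        *)      echo FAILED ;;
    esac
}

# Usage (hypothetical URL and paths):
#   curl_verdict "$(curl_tls_probe https://www.example.com/ /path/to/ca_chain.crt)"
#   curl_verdict "$(curl_tls_probe https://www.example.com/ "" client.crt client.key)"
```

A CERT_UNTRUSTED verdict with a CA bundle supplied usually means the server is not sending its intermediate certificates, which the -showcerts command in the Diagnostic Steps below will confirm; a CLIENT_CERT_PROBLEM points at the --cert/--key pair rather than the server.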

Standalone Client (Example: Java)

In some cases neither openssl s_client nor curl will do -- usually when the certificates need to be tested through the SSL/TLS stack of a particular programming language. In these cases a standalone client that uses the appropriate underlying SSL/TLS components may need to be written.

  • Here is an example of testing the SSL connection with a Java-based client:

    # java JavaHttpsClient https://www.google.com 1

    This can be used in conjunction with the Java system properties -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore, allowing you to test the Java keystore and truststore configuration from the client's perspective.

Diagnostic Steps

  • The following command prints the target server's SSL/TLS certificate (the <<<"" here-string is a bash feature; it feeds empty input so s_client exits after the handshake):

    openssl s_client -connect HOST:PORT <<<"" 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
    
  • The following command prints the target server's CA certificate chain, if the server is configured to present it:

    openssl s_client -connect HOST:PORT -showcerts <<<"" 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
    
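The two sed pipelines above print the PEM blocks as one stream. The following shell functions, an added example rather than part of the Red Hat article, take the -showcerts output one step further: each certificate is written to its own file (cert-0.pem is the leaf, then the intermediates in the order the server sent them) and summarised with openssl x509, flagging any that expire soon. The function names split_chain, summarize_chain and fetch_chain and the output directory layout are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): split the certificates from
# "openssl s_client -showcerts" into files and summarise each one.

# split_chain DIR
# Reads s_client output on stdin, writes DIR/cert-N.pem for each PEM block
# (N = 0 for the leaf) and prints the number of certificates found.
split_chain() {
    dir=$1
    mkdir -p "$dir"
    awk -v dir="$dir" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n }
    '
}

# summarize_chain DIR [DAYS]
# Prints subject, issuer and expiry for every cert-*.pem in DIR and warns
# about certificates expiring within DAYS days (default 30).
summarize_chain() {
    dir=$1; days=${2:-30}
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        # -checkend takes seconds and fails if the cert expires within that window
        if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            printf '   WARNING: expires within %s days\n' "$days"
        fi
    done
}

# fetch_chain HOST [PORT] [DIR]
# Fetches the chain from HOST:PORT (SNI sent via -servername), then splits
# and summarises it.  A count of 1 usually means the server omits its
# intermediates, which is the common cause of "unable to get local issuer".
fetch_chain() {
    host=$1; port=${2:-443}; dir=${3:-"./chain-$host"}
    count=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
                </dev/null 2>/dev/null | split_chain "$dir")
    printf 'certificates received: %s\n' "$count"
    summarize_chain "$dir"
}

# Usage (hypothetical host): fetch_chain www.example.com 443 /tmp/chain
```

The per-file layout makes the next checks easy: openssl verify -CAfile /path/to/ca_chain.crt -untrusted cert-1.pem cert-0.pem verifies the leaf against a trusted bundle using the intermediate the server sent, and the same files can be imported into a Java truststore for the standalone-client test described above.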

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.