OpenSSL - Cryptography and SSL/TLS Toolkit

Get verbose list of cipher suites :

DHE-RSA-AES128-SHA256		TLSv1.2		Kx=DH		Au=RSA		Enc=AES(128)		Mac=SHA256
DHE-PSK-AES256-GCM-SHA384	TLSv1.2		Kx=DHEPSK	Au=PSK		Enc=AESGCM(256)		Mac=AEAD
AES256-SHA			SSLv3		Kx=RSA		Au=RSA		Enc=AES(256)		Mac=SHA1

^^^^				^^^^		^^^^		^^^^		^^^^			^^^^
cipher				protocol	key		authent.	encryption		message
name				version		exchange	method		method			digest
			

Validity date range :

• for a local certificate :
  openssl x509 -noout -in /path/to/certificate.pem -dates

  notBefore=Jan 8 13:42:16 2016 GMT
  notAfter=Jan 7 13:42:16 2019 GMT

• for a remote certificate :
  openssl s_client -connect www.example.com:443 | openssl x509 -noout -in - -dates
  Looks like the -in - syntax is now deprecated (details : man openssl x509 | grep -A1 -- ' -in filename') : it defaults to stdin and - seems unsupported anymore. Run instead :
  openssl s_client -connect www.example.com:443 | openssl x509 -noout -dates

issuer :

openssl x509 -noout -in /path/to/certificate.pem -issuer

issuer= /C=FR/O=MA PETITE ENTREPRISE/OU=1234 987654321/CN=AC INFRASTRUCTURE MA PETITE ENTREPRISE

Purpose (what the certificate may be used for) :

openssl x509 -noout -in /path/to/certificate.pem -purpose

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

subject aka Common Names (CN) :

• openssl x509 -noout -in /path/to/certificate.pem -subject

  subject= /C=FR/O=MA PETITE ENTREPRISE/OU=1234 987654321/CN=ma.petite.entreprise.fr

• openssl x509 -noout -in /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt -subject

  subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

Subject Alternative Names (SAN) :

openssl s_client -connect www.example.com:443 | openssl x509 -noout -text | grep 'DNS:'

Output the certificate in text form :

openssl x509 -noout -in /path/to/certificate.pem -text

Certificate:
	Data:
		Version: 3 (0x2)
		Serial Number: 3896 (0xf38)
	Signature Algorithm: sha256WithRSAEncryption
		Issuer: C=FR, O=MA PETITE ENTREPRISE, OU=1234 987654321, CN=AC INFRASTRUCTURE MA PETITE ENTREPRISE

		Validity
			Not Before: Jan 8 13:42:16 2016 GMT
			Not After : Jan 7 13:42:16 2019 GMT
		Subject: C=FR, O=MA PETITE ENTREPRISE, OU=1234 987654321, CN=ma.petite.entreprise.fr
		Subject Public Key Info:
			Public Key Algorithm: rsaEncryption
				Public-Key: (2048 bit)
				Modulus:
					69:07:44:7b:dc:c0:64:70:5e:a2:49:60:df:ab:e5:
					
					4d:c1
				Exponent: 65537 (0x10001)
		X509v3 extensions:
			X509v3 Subject Key Identifier:
				DE:AD:BE:EF:2D:9E:79:94:05:22:E1:F3:60:7C:59:2E:A7:12:0B:03
			X509v3 Authority Key Identifier:
				keyid:B1:6B:00:B5:59:BF:DA:BF:CE:CE:F4:FE:74:E3:12:86:51:19:53:85

			X509v3 Certificate Policies:
				Policy: 1.2.250.1.240.0.1.1.2.1.22.1.1
				CPS: http://www.xxx.yyy.fr/cps/policies.pdf

			X509v3 Extended Key Usage:
				TLS Web Client Authentication, TLS Web Server Authentication
			X509v3 Key Usage: critical
				Digital Signature, Key Encipherment
			X509v3 Subject Alternative Name:
				DNS:ma.petite.entreprise.fr, DNS:ma.ptite.entreprise.fr, DNS:ma.minuscule.entreprise.fr
			X509v3 CRL Distribution Points:

				Full Name:
				URI:http://www.xxx.yyy.fr/crl/truc.crl

	Signature Algorithm: sha256WithRSAEncryption
		e6:2e:a1:e3:27:65:3e:2b:c8:5d:bd:a1:ab:2d:e4:8d:8e:8e:
		
		ce:a3:77:0e:0b:96:dd:e4

1. Check basic network connectivity :
   nc -vz ssl.example.com 443

   ssl.example.com [12.34.56.78] 443 (?) open

   The chunk between parentheses ((?) here) identifies the recognized protocol type, if any (based on common port numbers ?).
2. Ensure you can contact the remote host :
   telnet ssl.example.com 443

   Trying 12.34.56.78...
   Connected to ssl.example.com.
   Escape character is '^]'.

3. Try a basic connection and get details about the certificate (CA-signed / self-signed ?) :
   • To an HTTP host :
     openssl s_client -connect ssl.example.com:443 | less

     CONNECTED(00000003)
     depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, (--8<--)
     Certification Authority - L1C
     verify error:num=20:unable to get local issuer certificate
     verify return:0
     23504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
     23504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

   • To an FTP host :
     openssl s_client -connect ftp.example.com:990 -ssl2 -starttls ftp
4. Time to look for :
   • .crt : certificates
   • .key : private key
   • .pem : client certificate private key. You will also need the attached passphrase.
5. Now let's try this as root, since certificate or key files may not be readable by everybody:
   openssl s_client -connect ssl.example.com:443 -cert /var/www/www.example.com/extension/app/file/application.pem -key /var/www/www.example.com/extension/app/file/application.pem
   + passPhrase (if any)
6. Until then, we had :
   openssl s_client -connect 12.34.56.78:443

   CONNECTED(00000003)
   write:errno=104
   ---
   no peer certificate available
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 0 bytes and written 290 bytes
   ---
   New, (NONE), Cipher is (NONE)
   Secure Renegotiation IS NOT supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
   	Protocol  : TLSv1.2
   	Cipher    : 0000
   	Session-ID:			nothing
   	Session-ID-ctx:
   	Master-Key:			nothing
   	Key-Arg   : None
   	

   But give a try with :
   openssl s_client -connect 12.34.56.78:443 -bugs

   CONNECTED(00000003)
   
   Certificate chain
   
   ---
   Server certificate
   -----BEGIN CERTIFICATE-----
   5idUUvuYS3ompLYsF/C49EaNCZJ0SHBGujK5IKojOUKIjbLWwCZUY1PttlLwbwVA
   ...
   mj37XAHZIquh1LiyBdKXmCbcqfS5sDaMRk46EqXPVGZCbeL9G3/TmTmLaqTLMZal
   -----END CERTIFICATE-----
   
   No client certificate CA names sent
   ---
   SSL handshake has read 3283 bytes and written 831 bytes
   ---
   New, TLSv1/SSLv3, Cipher is RC4-SHA
   Server public key is 2048 bit
   Secure Renegotiation IS NOT supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
   	Protocol  : TLSv1
   	Cipher    : RC4-SHA
   	Session-ID: 6988A27FAD0A83E74CA5C77562E4FF3D7A67F1642398D0EF9643AFF8AB4AB24B	not empty anymore 
   	Session-ID-ctx:
   	Master-Key: FA15AD54374A44022DA8E72B855C3B4FF668A23AF83FE364106ED037B0E83BBC36195BB7BDCAD7C3C2A14EBA0A2A4410	not empty anymore 
   	Key-Arg   : None
   	
   	Verify return code: 0 (ok)
   ---
   read:errno=0

7. If everything looks fine on the SSL / TLS side, maybe time has come to start playing with curl.

write:errno=104

https://superuser.com/questions/297889/does-openssl-errno-104-mean-that-sslv2-is-disabled#answer-297929

At least on Linux, 104 is ECONNRESET for "Connection reset by peer" – in other words, the connection was forcibly closed with a TCP RST packet, either sent out by the server or spoofed by an intermediary.
I would try Wireshark/tshark on the Ubuntu server to see what actually gets sent. If the RST is real, it could be that the httpd process died – check the log files and dmesg just in case.


https://stackoverflow.com/questions/24457408/openssl-command-to-check-if-a-server-is-presenting-a-certificate#answer-29215480

I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behavior was that the server required SNI (servername TLS extensions) to work correctly. Supplying the -servername option to openssl made it connect successfully:

	openssl s_client -connect domain.tld:443 -servername domain.tld


https://github.com/requests/requests/issues/2543
All of those exceptions indicate that [the remote server] is closing the connection on you (i.e. closed the connection while we were expecting to read data from it). You should check whether your data is valid.
Could be the request headers, could be the request body.


https://stackoverflow.com/questions/16332053/openssl-s-client-connect-ldaphost636-returns-error-message-writeerrno-104
Are you sure that SSL is correctly set up on the Active Directory server ? 104 means the server sent a RST, which may be the behavior of Active Directory without a correct certificate, I guess. Could you look at what really happens at the network layer, using Wireshark for example ?


http://openssl.6102.n7.nabble.com/Handshake-fails-for-unknown-reason-td9466.html
errno 104 on Linux is ECONNRESET. It appears to be happening before/without receiving the ServerHello. Try with -msg to confirm this.
	openssl s_client -connect 12.34.56.78:443 -bugs -msg | grep ServerHello

error setting private key

the passphrase fits the -key value, but the -key value doesn't match the -cert value

unable to load client certificate private key file

wrong passphrase for the -key value

SSL23_GET_SERVER_HELLO:unknown protocol

This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration). (source).

Try specifying explicitly the network protocol to use : SSLv3, TLSv1, ...

SSL3_GET_RECORD:wrong version number

No known root cause so far. Adding -starttls ftp to the command line fixed it.

Get openssl's version :

How to list the supported SSL / TLS versions ? (source)

SSLv3
TLSv1
TLSv1.2