OpenSSL - Cryptography and SSL/TLS Toolkit

How to get certificate metadata ?

Validity date range :
openssl x509 -noout -in /path/to/certificate.pem -dates
notBefore=Jan 8 13:42:16 2016 GMT
notAfter=Jan 7 13:42:16 2019 GMT
issuer :
openssl x509 -noout -in /path/to/certificate.pem -issuer
Purpose (what the certificate may be used for) :
openssl x509 -noout -in /path/to/certificate.pem -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
subject :
openssl x509 -noout -in /path/to/certificate.pem -subject
subject= /C=FR/O=MA PETITE ENTREPRISE/OU=1234 987654321/
Output the certificate in text form :
openssl x509 -noout -in /path/to/certificate.pem -text
		Version: 3 (0x2)
		Serial Number: 3896 (0xf38)
	Signature Algorithm: sha256WithRSAEncryption

			Not Before: Jan 8 13:42:16 2016 GMT
			Not After : Jan 7 13:42:16 2019 GMT
		Subject: C=FR, O=MA PETITE ENTREPRISE, OU=1234 987654321,
		Subject Public Key Info:
			Public Key Algorithm: rsaEncryption
				Public-Key: (2048 bit)
				Exponent: 65537 (0x10001)
		X509v3 extensions:
			X509v3 Subject Key Identifier:
			X509v3 Authority Key Identifier:

			X509v3 Certificate Policies:

			X509v3 Extended Key Usage:
				TLS Web Client Authentication, TLS Web Server Authentication
			X509v3 Key Usage: critical
				Digital Signature, Key Encipherment
			X509v3 Subject Alternative Name:,,
			X509v3 CRL Distribution Points:

				Full Name:

	Signature Algorithm: sha256WithRSAEncryption

How to test an SSL / TLS connection as a client ?

  1. Check basic network connectivity :
    nc -vz 443 [] 443 (?) open
    The chunk between parentheses ((?) here) identifies the recognized protocol type, if any (based on common port numbers ?).
  2. Ensure you can contact the remote host :
    telnet 443
    Connected to
    Escape character is '^]'.
  3. Try a basic connection and get details about the certificate (CA-signed / self-signed ?) :
    • To an HTTP host :
      openssl s_client -connect | less
      depth=1 /C=US/O=Entrust, Inc./ is incorporated by reference/OU=(c) 2009 Entrust, (--8<--)
      Certification Authority - L1C
      verify error:num=20:unable to get local issuer certificate
      verify return:0
      23504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
      23504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
    • To an FTP host :
      openssl s_client -connect -ssl2 -starttls ftp
  4. Time to look for :
    • .crt : certificates
    • .key : private key
    • .pem : client certificate private key. You will also need the attached passphrase.
  5. Now let's try this as root, since certificate or key files may not be readable by everybody:
    openssl s_client -connect -cert /var/www/ -key /var/www/
    + passPhrase (if any)
  6. Until then, we had :
    openssl s_client -connect
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 290 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    	Protocol  : TLSv1.2
    	Cipher    : 0000
    	Session-ID:			nothing
    	Master-Key:			nothing
    	Key-Arg   : None
    But give a try with :
    openssl s_client -connect -bugs
    Certificate chain
    Server certificate
    -----END CERTIFICATE-----
    No client certificate CA names sent
    SSL handshake has read 3283 bytes and written 831 bytes
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    	Protocol  : TLSv1
    	Cipher    : RC4-SHA
    	Session-ID: 6988A27FAD0A83E74CA5C77562E4FF3D7A67F1642398D0EF9643AFF8AB4AB24B	not empty anymore 
    	Master-Key: FA15AD54374A44022DA8E72B855C3B4FF668A23AF83FE364106ED037B0E83BBC36195BB7BDCAD7C3C2A14EBA0A2A4410	not empty anymore 
    	Key-Arg   : None
    	Verify return code: 0 (ok)
  7. If everything looks fine on the SSL / TLS side, maybe time has come to start playing with curl.

openssl errors


At least on Linux, 104 is ECONNRESET for "Connection reset by peer" – in other words, the connection was forcibly closed with a TCP RST packet, either sent out by the server or spoofed by an intermediary.
I would try Wireshark/tshark on the Ubuntu server to see what actually gets sent. If the RST is real, it could be that the httpd process died – check the log files and dmesg just in case.

I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behavior was that the server required SNI (servername TLS extensions) to work correctly. Supplying the -servername option to openssl made it connect successfully:

	openssl s_client -connect domain.tld:443 -servername domain.tld
All of those exceptions indicate that [the remote server] is closing the connection on you (i.e. closed the connection while we were expecting to read data from it). You should check whether your data is valid.
Could be the request headers, could be the request body.
Are you sure that SSL is correctly set up on the Active Directory server ? 104 means the server sent a RST, which may be the behavior of Active Directory without a correct certificate, I guess. Could you look at what really happens at the network layer, using Wireshark for example ?
errno 104 on Linux is ECONNRESET. It appears to be happening before/without receiving the ServerHello. Try with -msg to confirm this.
	openssl s_client -connect -bugs -msg | grep ServerHello
error setting private key
the passphrase fits the -key value, but the -key value doesn't match the -cert value
unable to load client certificate private key file
wrong passphrase for the -key value
SSL23_GET_SERVER_HELLO:unknown protocol
This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with a plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn't (by implementation or configuration). (source).
Try specifying explicitly the network protocol to use : SSLv3, TLSv1, ...
SSL3_GET_RECORD:wrong version number
No known root cause so far. Adding -starttls ftp to the command line fixed it.


Flags :

Flag Usage
genrsa generate an RSA private key :
openssl genrsa cipherAlgorithm -out outputFile keyLengthBits
-aes* and -des3 are good candidates for cipherAlgorithm (source)
req PKCS#10 certificate request and certificate generating utility
-debug Show debug information (verbose mode)
-starttls protocol Send the protocol-specific message(s) to switch to TLS communication. protocol is one of smtp, pop3, imap, ftp, xmpp, xmpp-server, irc.
-ssl2 Use the SSLv2 network protocol. This is prohibited since March 2011 (source).
-ssl3 Use the SSLv3 network protocol. This is prohibited since June 2015 (source).
-tls1 Use the TLSv1 network protocol
-tls1_1 Use the TLSv1.1 network protocol
-tls1_2 Use the TLSv1.2 network protocol

Example :

Get openssl's version :

  • dpkg -l | grep -E "[[:blank:]]openssl" | awk '{ print $2" "$3 }'
    openssl 1.1.0f-3+deb9u1
  • openssl version
    OpenSSL 1.1.0f 25 May 2017

How to list the supported SSL / TLS versions ? (source)

openssl ciphers -v | awk '{print $2}' | sort -u