The s_client command from OpenSSL is a helpful test client for troubleshooting remote SSL or TLS connections. This post walks through examples of testing TLS connections with different protocol versions and of analysing the certificates a server presents. Testing the TLS configuration of your servers is a critical function that should be routine in your organization, and s_client will help uncover errors and misconfigurations. If you are testing the performance of your SSL connections, read our article on the openssl s_time utility.

openssl s_client examples

openssl s_client connect

openssl s_client -connect :443

Use openssl s_client with the -connect flag to display diagnostic information about the TLS connection to a server. The output includes the server's certificate chain, printed as subject and issuer lines numbered in the order the server sent them, with the end entity server certificate as the only certificate printed in PEM format. Details about the handshake follow: the TLS version and cipher negotiated, the server's public key bit length, and a Verify return code that tells you whether OpenSSL could validate the chain against the local trust store (0 is ok; 20, "unable to get local issuer certificate", usually means the issuing CA is not in the trust store or the server did not send its intermediate). Two practical points: s_client stays open after the handshake waiting for input, so redirect stdin from /dev/null (or press Ctrl-D) when scripting it, and add -servername hostname if the server relies on SNI to choose a certificate; OpenSSL 1.1.1 and later send SNI by default, older builds do not.

Here is a screenshot of the beginning of an example output from the above command:

[screenshot of the s_client output not reproduced]

To specify the TLS version in the connection for testing various protocols, add the appropriate TLS/SSL flag to the command. For example, to test TLS 1.3 with openssl s_client, run the following:

openssl s_client -connect :443 -tls1_3

Other supported version flags are -tls1_2, -tls1_1, -tls1, -ssl2, and -ssl3. Note that -ssl2 and -ssl3 only work in builds that still include those protocols: OpenSSL 1.1.0 removed SSLv2 entirely and disables SSLv3 by default, and some distributions also disable TLS 1.0 and 1.1 at build time or through the system openssl.cnf. For the host tested here, TLSv1.3 is supported. Alternatively, to disable the use of a specific SSL/TLS protocol version, the following flags are supported: -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, and -no_tls1_3. To disable TLSv1.3, use the -no_tls1_3 flag:

openssl s_client -connect :443 -no_tls1_3

To verify which protocol was actually negotiated, view the SSL-Session section of the console output, which reports the Protocol and Cipher lines. If the specified protocol is not available, you will receive an error similar to "SSL routines:tls_construct_client_hello:no protocols available". That particular error comes from the client side: it means your local OpenSSL could not offer the requested version at all (for example TLS 1.0 disabled in the build or by openssl.cnf), not that the server rejected it. When the server does not support the version, the handshake typically fails with an alert instead, such as "tlsv1 alert protocol version" or "sslv3 alert handshake failure", and the SSL-Session section then shows a Cipher of 0000. The reliable check is therefore the Protocol and Cipher lines in SSL-Session rather than the error text.

openssl s_client showcerts

openssl s_client -connect :443 -showcerts

The -showcerts flag appended onto the openssl s_client -connect command prints the entire certificate chain in PEM format, whereas leaving off -showcerts only prints the end entity certificate in PEM format. Other than that one difference, the output is the same. The list of certificates returned when using -showcerts is not a verified chain: it is exactly what the server sent, in the order the server sent it, so a missing intermediate or an out-of-order chain shows up here even when a browser (which may fetch missing intermediates on its own) does not complain. Check the Verify return code at the end of the output to see whether OpenSSL could build a trusted chain from what was sent.

While most examples you find test port 443, this will work with other ports as well. For example, testing the SSL configuration of an Active Directory or OpenLDAP host works the same; just specify the port, commonly 636 for LDAPS. To show the server certificates on the AD or LDAP server, run the following command:

openssl s_client -connect ldap-host:636 -showcerts

For LDAP with STARTTLS on port 389, OpenSSL 1.1.1 and later also support -starttls ldap. After showing the certificates returned by openssl s_client, decode each one for more information about each section of the certificate with our Certificate Decoder tool.

openssl s_client tlsextdebug

To debug the SSL/TLS connection with openssl s_client, append the -tlsextdebug flag onto your command:

openssl s_client -connect :443 -tlsextdebug

This prints the TLS extensions the server sends during the handshake, as hex dumps, alongside the usual output; additional information like this can be used to verify the SSL configuration of the server. Regardless of what you are trying to test, s_client is an ideal utility for testing and troubleshooting the SSL configuration of your server. If you are looking for a less technical testing tool, try an application that returns the same or similar results, such as SSL Labs. Leave a comment and ask questions about anything not covered.
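The following shell script is an added example and is not code from the original post. It wraps openssl s_client for scripted use of the checks discussed above: probing each protocol version and classifying the result from the SSL-Session section and the error text, and splitting a -showcerts listing into the individual certificates in the order the server sent them so each can be decoded with openssl x509. The host, port and the sample output embedded in sample_output are constructed placeholders; only the openssl CLI is assumed.

```bash
#!/bin/sh
# Added example, not from the original post. Helpers around openssl s_client
# for scripted protocol-version probing and certificate-chain extraction.
# Assumes the openssl CLI is installed; host/port values are placeholders.

# Run s_client once with a given version flag (tls1, tls1_1, tls1_2, tls1_3)
# against host:port. stdin from /dev/null makes s_client exit after the
# handshake; 2>&1 keeps error text such as "no protocols available".
s_client_version() {
  # $1 host, $2 port, $3 version flag without the leading dash
  openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>&1
}

# Extract one field (Protocol, Cipher, ...) from the SSL-Session section of
# s_client output read on stdin. Lines look like "    Protocol  : TLSv1.3".
session_field() {
  awk -v f="$1" '/^SSL-Session:/ { in_s = 1; next }
                 in_s && $1 == f && $2 == ":" { print $3; exit }'
}

# Classify one probe: $1 version flag, $2 captured s_client output.
# Distinguishes the cases the post describes: negotiated, rejected by the
# server (alert, Cipher 0000 in SSL-Session), or not offerable by the local
# client ("no protocols available" comes from the client, not the server).
classify_probe() {
  proto=$(printf '%s\n' "$2" | session_field Protocol)
  cipher=$(printf '%s\n' "$2" | session_field Cipher)
  case "$2" in
    *"no protocols available"*)
      printf '%s local-client-cannot-offer\n' "$1" ;;
    *"alert protocol version"*|*"handshake failure"*|*"wrong version number"*)
      printf '%s rejected-by-server\n' "$1" ;;
    *)
      if [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        printf '%s supported %s %s\n' "$1" "$proto" "$cipher"
      else
        printf '%s failed\n' "$1"
      fi ;;
  esac
}

# Probe every TLS version flag against $1:$2 and print one line per version.
probe_protocols() {
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    classify_probe "$v" "$(s_client_version "$1" "$2" "$v")"
  done
}

# Split the PEM blocks of -showcerts output (stdin) into cert01.pem,
# cert02.pem, ... under directory $1, preserving server order; prints count.
split_chain() {
  awk -v dir="$1" '
    /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    f { print > f }
    /^-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }'
}

# Print subject, issuer and validity of each extracted certificate in server
# order, so a missing or out-of-order intermediate is obvious. Needs real
# certificates (the constructed sample below would not parse).
describe_chain() {
  for pem in "$1"/cert*.pem; do
    [ -e "$pem" ] || { echo "no certificates found in $1"; return 1; }
    printf '%s\n' "$pem"
    openssl x509 -in "$pem" -noout -subject -issuer -dates
  done
}

# Constructed, abbreviated stand-in for real -showcerts output (fake PEM
# bodies, made-up names) so the parsing helpers can be exercised offline.
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBfakeLEAFcertificateBodyForTheExample
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBfakeINTERMEDIATEcertificateBodyForTheExample
-----END CERTIFICATE-----
---
Server public key is 2048 bit
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID:
Verify return code: 20 (unable to get local issuer certificate)
EOF
}
```

Typical use against a live host is `probe_protocols ldap-host 636`, then `d=$(mktemp -d); openssl s_client -connect ldap-host:636 -showcerts </dev/null 2>/dev/null | split_chain "$d"; describe_chain "$d"`. The probe deliberately reports "local-client-cannot-offer" separately from "rejected-by-server", because a TLS 1.0 probe that fails on a hardened client says nothing about the server.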