How to debug SSL Certificate issue(s) with a host in linux: openssl utility ?

Today we will look how to debug SSL Issues with a website/host and the issues with different HTTP/IMP/POP port.

In short, this post describes the usage of openssl command.

I. Debugging SSL Connection at 443 port

$ openssl s_client -connect www.google.com:443
CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIQDkCYvd2AsNM5Sg4Uh9d2XDANBgkqhkiG9w0BAQsFADBU
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMSUw
IwYDVQQDExxHb29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEczMB4XDTE5MDMyNjEz
NDA0OVoXDTE5MDYxODEzMjQwMFowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2ds
ZSBMTEMxFzAVBgNVBAMMDnd3dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAjTFp+4USvDIqcw1a4b743Ihut+UfUU0ompZU5Cl7Z17z
6sq3R8XuJWG3tveAKbIs0M2YhnYFqkGLelLRsZbfsReJUX5LLtDW1H0srCAfuCHs
j2hOEMuKZQQ9tAjGOIzSx2RmAEIn+3AWstobrczaG8UwKUZNRi4aA+bNX1gzGgqd
x637YuA76+5VWdFLeJeKuX7XVY8RfQI0tuSS9rwu3ZCL6LMiJ6Df0uTiyTU7IHCq
7OgyG95QXPxcRZNtH4dyRsNkrEtT+ySelJuwI5eZv746qbu6Bs/FW5VrXlA9gt/Y
42dE5U1Vfx5RkyUxBJ9FM+V8cSJPDRj73zHIalDBPwIDAQABo4IBQjCCAT4wEwYD
VR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYI
KwYBBQUHAQEEXDBaMC0GCCsGAQUFBzAChiFodHRwOi8vcGtpLmdvb2cvZ3NyMi9H
VFNHSUFHMy5jcnQwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnBraS5nb29nL0dU
U0dJQUczMB0GA1UdDgQWBBTqQr2KplYFp0cGJXGf5Nsbd7KsuTAMBgNVHRMBAf8E
AjAAMB8GA1UdIwQYMBaAFHfCuFCaZ3Z2sS3ChtCDoH6mfrpLMCEGA1UdIAQaMBgw
DAYKKwYBBAHWeQIFAzAIBgZngQwBAgIwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov
L2NybC5wa2kuZ29vZy9HVFNHSUFHMy5jcmwwDQYJKoZIhvcNAQELBQADggEBAGZR
XYIPaJP/5bRtuIrX2kdkYdP5aegjsKmgPJNryqbIBKSxOYtEv/RuDNcedB3DU/Pl
w9YYSP+FtGs7jZCJCe9WqTJ2Kxm/83kuDHEeZvWnqQS3qBnmcrFoDJJooy7WfGMb
n5xXIcX0JHa/kvXvV5xpHIiuA9dFEtQt9jgQgP2r1DUGp+HU2iUAp3PA0OJLXATE
KNO84S+2Y5frOZy9k2/abzxl9muvR4TL/lcSp7NRybqVa6OoplgRjOdOVUvBMGz1
mTAdyIjuI1btu3y01bTRf2LfiES7hhmYGCZrjw8jIZyumRPNQhm+7B/l/3xX6Asy
pO0K1vKoryu9hbgqDtg=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
---
SSL handshake has read 2994 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4F59F46FA94E35BACC60B9C1D9247161519658CFB9AA49922358472AF1428024
    Session-ID-ctx: 
    Master-Key: E2BC557EAE0AAF99EBE30F8351B7E42180FCFEA49C6A65170A16225D1B0B297A7D9B60DB07852F2743E87B2328851307
    TLS session ticket lifetime hint: 100799 (seconds)
    TLS session ticket:
    0000 - 00 53 e0 91 9b d9 9e 95-65 db 32 64 b9 c0 04 6e   .S......e.2d...n
    0010 - 0e 4f bc b2 2e 51 ac 53-37 be 06 88 54 7d 1e 54   .O...Q.S7...T}.T
    0020 - 72 06 b7 a0 1b 70 0b 67-43 cb 4a 59 ac ad e0 20   r....p.gC.JY... 
    0030 - 19 e8 b8 13 c6 8a 14 5f-49 ef 3a 07 9e 26 55 17   ......._I.:..&U.
    0040 - 07 8b 29 db de cc c4 4d-b9 e0 87 53 34 7c 13 e7   ..)....M...S4|..
    0050 - 64 cd 41 f7 b3 84 01 56-70 6f d2 51 a4 a6 72 67   d.A....Vpo.Q..rg
    0060 - fb 2c c0 71 f8 53 47 69-fb 40 d2 71 db 3f 2f 50   .,.q.SGi.@.q.?/P
    0070 - da 58 51 63 df 4a d0 ac-da a1 3d 5a 46 0a b4 6d   .XQc.J....=ZF..m
    0080 - 66 0c e1 fd 7f 02 37 f1-58 a8 ef f3 61 20 6b 35   f.....7.X...a k5
    0090 - 5a c5 c7 6e ab ac b3 72-ff c9 55 75 83 ec e8 d2   Z..n...r..Uu....
    00a0 - d7 e1 de 1c e4 52 d6 f3-4b 5b a2 9b b9 80 11 3a   .....R..K[.....:
    00b0 - 5a 56 83 97 9c ae a8 80-43 d3 7f ba 05 16 55 b4   ZV......C.....U.
    00c0 - 46 39 89 18 c8 84 a0 58-55 83 e1 6c d0 b7 06 b5   F9.....XU..l....
    00d0 - 63 ea dc 49 42                                    c..IB

    Start Time: 1555898602
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Debugging Steps
1. First verify the address and port is correct and able to conect –> www.google.com:443
2. The return code of above query should be 0 –> Verify return code: 0 (ok)
3. Fix SSL certificates if verification is failed due to self-signed or bad certificate(s).


 

II. Debugging Certificate Chain
Run below command to verify the certificate chain.

$ openssl s_client -connect www.google.com:443 -servername google.com -showcerts
CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
-----BEGIN CERTIFICATE-----
MIIIDTCCBvWgAwIBAgIQXD9eCvh/44P1ET5RI1LuJjANBgkqhkiG9w0BAQsFADBU
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMSUw
IwYDVQQDExxHb29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEczMB4XDTE5MDMyNjEz
NDA0MFoXDTE5MDYxODEzMjQwMFowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2ds
ZSBMTEMxFTATBgNVBAMMDCouZ29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABANpWSLXLbJm5eRzc1EJmvSIbz0nANT+b11r+XhSUCAbfQhS+4M/91YJ
gVE6UtZJrLO7GGxvp1tV/DL857NaLEWjggWSMIIFjjATBgNVHSUEDDAKBggrBgEF
BQcDATAOBgNVHQ8BAf8EBAMCB4AwggRXBgNVHREEggROMIIESoIMKi5nb29nbGUu
Y29tgg0qLmFuZHJvaWQuY29tghYqLmFwcGVuZ2luZS5nb29nbGUuY29tghIqLmNs
b3VkLmdvb2dsZS5jb22CGCouY3Jvd2Rzb3VyY2UuZ29vZ2xlLmNvbYIGKi5nLmNv
gg4qLmdjcC5ndnQyLmNvbYIKKi5nZ3BodC5jboIWKi5nb29nbGUtYW5hbHl0aWNz
LmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2dsZS5jby5pboIO
Ki5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2dsZS5jb20uYXKC
DyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdvb2dsZS5jb20u
Y2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8qLmdvb2dsZS5j
b20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29nbGUuZnKCCyou
Z29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyouZ29vZ2xlLnBs
ggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdvb2dsZWFwaXMu
Y26CESouZ29vZ2xlY25hcHBzLmNughQqLmdvb2dsZWNvbW1lcmNlLmNvbYIRKi5n
b29nbGV2aWRlby5jb22CDCouZ3N0YXRpYy5jboINKi5nc3RhdGljLmNvbYISKi5n
c3RhdGljY25hcHBzLmNuggoqLmd2dDEuY29tggoqLmd2dDIuY29tghQqLm1ldHJp
Yy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAqLnVybC5nb29nbGUuY29tghYq
LnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVl
ZHVjYXRpb24uY29tghEqLnlvdXR1YmVraWRzLmNvbYIHKi55dC5iZYILKi55dGlt
Zy5jb22CGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tggthbmRyb2lkLmNvbYIb
ZGV2ZWxvcGVyLmFuZHJvaWQuZ29vZ2xlLmNughxkZXZlbG9wZXJzLmFuZHJvaWQu
Z29vZ2xlLmNuggRnLmNvgghnZ3BodC5jboIGZ29vLmdsghRnb29nbGUtYW5hbHl0
aWNzLmNvbYIKZ29vZ2xlLmNvbYIPZ29vZ2xlY25hcHBzLmNughJnb29nbGVjb21t
ZXJjZS5jb22CGHNvdXJjZS5hbmRyb2lkLmdvb2dsZS5jboIKdXJjaGluLmNvbYIK
d3d3Lmdvby5nbIIIeW91dHUuYmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0
aW9uLmNvbYIPeW91dHViZWtpZHMuY29tggV5dC5iZTBoBggrBgEFBQcBAQRcMFow
LQYIKwYBBQUHMAKGIWh0dHA6Ly9wa2kuZ29vZy9nc3IyL0dUU0dJQUczLmNydDAp
BggrBgEFBQcwAYYdaHR0cDovL29jc3AucGtpLmdvb2cvR1RTR0lBRzMwHQYDVR0O
BBYEFM8C2hpNgJL/BEX/yzeB408dhba2MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgw
FoAUd8K4UJpndnaxLcKG0IOgfqZ+ukswIQYDVR0gBBowGDAMBgorBgEEAdZ5AgUD
MAgGBmeBDAECAjAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLnBraS5nb29n
L0dUU0dJQUczLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAF9PM41ShwCbhtJG7tj2y
ZvF2sHbQ5YuZrMfJc6eeCG+nCKm1U5iJzXnXctFGvfJnUCZpj9YrfwDswdEddWyZ
IG6m6wONF3ZiQifQrcDi0oDA+0BwjEuzYGCGkbfE+Xxb30bVEyDRe51DpJf+cqsb
+DW2pYdikbdrPem5/hwdNerc7nqrQOJ93sqwbVNGktuyJsTOGNKkSwSaejxdN7yl
g5aa4CJsE94gy4+mCywWjnnsjcLGJM3RBUxDdAdTGMldU/r33HCUCXl33Qxc4nvP
MlE9LyFOTIJoajWcpGOsbKWiL3Zr19DKNBSn4Xof0onbtCH7dbpyMwP8XcA2O1dA
ow==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
MIIEXDCCA0SgAwIBAgINAeOpMBz8cgY4P5pTHTANBgkqhkiG9w0BAQsFADBMMSAw
HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
MTUwMDAwNDJaMFQxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
U2VydmljZXMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzMw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKUkvqHv/OJGuo2nIYaNVW
XQ5IWi01CXZaz6TIHLGp/lOJ+600/4hbn7vn6AAB3DVzdQOts7G5pH0rJnnOFUAK
71G4nzKMfHCGUksW/mona+Y2emJQ2N+aicwJKetPKRSIgAuPOB6Aahh8Hb2XO3h9
RUk2T0HNouB2VzxoMXlkyW7XUR5mw6JkLHnA52XDVoRTWkNty5oCINLvGmnRsJ1z
ouAqYGVQMc/7sy+/EYhALrVJEA8KbtyX+r8snwU5C1hUrwaW6MWOARa8qBpNQcWT
kaIeoYvy/sGIJEmjR0vFEwHdp1cSaWIr6/4g72n7OqXwfinu7ZYW97EfoOSQJeAz
AgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHfCuFCa
Z3Z2sS3ChtCDoH6mfrpLMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYu
MDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdv
b2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dz
cjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEA
HLeJluRT7bvs26gyAZ8so81trUISd7O45skDUmAge1cnxhG1P2cNmSxbWsoiCt2e
ux9LSD+PAj2LIYRFHW31/6xoic1k4tbWXkDCjir37xTTNqRAMPUyFRWSdvt+nlPq
wnb8Oa2I/maSJukcxDjNSfpDh/Bd1lZNgdd/8cLdsE3+wypufJ9uXO1iQpnh9zbu
FIwsIONGl1p3A8CgxkqI/UAih3JaGOqcpcdaCIzkBaR9uYQ1X4k2Vg5APRLouzVy
7a8IVk6wuy6pm+T7HT4LY8ibS5FEZlfAFLSW8NwsVz9SBK2Vqn1N0PIMn5xA6NZV
c7o835DLAFshEWfC7TIe3g==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
---
SSL handshake has read 3707 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 6FBE522F3D345ADE581DD895F89CEEF8A62A6700C9E30A4976078E95E2D3F301
    Session-ID-ctx: 
    Master-Key: 61C18BE8E8E0F00E4D8A08F88AE1E031CD08D25C8ACB04438D4E6930815A6DCFB82785581EA8E809426D6A3D2F395CDF
    TLS session ticket lifetime hint: 100799 (seconds)
    TLS session ticket:
    0000 - 00 63 a1 25 4b da 4f b1-6e 39 a2 4d fe c6 54 64   .c.%K.O.n9.M..Td
    0010 - 2d e2 6a 6a ee 36 0e 7d-c1 94 f7 e0 6a 28 21 a5   -.jj.6.}....j(!.
    0020 - 04 9c 37 a2 89 9d 47 74-bc a0 6c ac ad 5d 4a 21   ..7...Gt..l..]J!
    0030 - 18 a4 b0 86 d0 d8 53 81-47 c9 19 c5 64 e6 72 b7   ......S.G...d.r.
    0040 - b8 17 d9 ce b8 19 2e cb-9b 96 5c 43 41 11 3c 35   ..........\CA.<5 0050 - 69 04 57 22 de e7 5e a9-e3 88 60 bf 5a 43 4a 8e i.W"..^...`.ZCJ. 0060 - b3 e5 f5 3f a6 0a 46 c9-e1 4b 58 1d 5a c5 ab ee ...?..F..KX.Z... 0070 - 93 20 de 00 20 be 06 7d-f0 94 16 74 f1 de 20 90 . .. ..}...t.. . 0080 - 2a e2 fe bf 6c 4e 25 e2-c1 3d e0 f1 90 24 92 3e *...lN%..=...$.>
    0090 - c0 9f cc 47 9b 4a a6 0d-8a dd 20 62 39 4e 50 62   ...G.J.... b9NPb
    00a0 - d6 fb 28 97 57 e0 6e e8-20 24 ce f1 61 dd 5b 1d   ..(.W.n. $..a.[.
    00b0 - ae ec fa e9 82 75 a9 d9-be 20 21 7c 77 0b 4d 25   .....u... !|w.M%
    00c0 - 11 a6 94 a2 49 5b 36 dd-38 d2 ff ba 7f b1 f4 fd   ....I[6.8.......
    00d0 - 24 55 4f c2 b5                                    $UO..

    Start Time: 1555899462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Error in case of certificate issue(s)
In case of self signed certifocate, the output used to throw below error:

verify error:num=18:self signed certificate
verify return:1

 

III. Troubleshooting any other port connection say POP at 995.

$ openssl s_client -connect www.google.com:995

Similar to HTTPS port 443, we can mention any other port number to debug that as well.

References

We recommend to read below reference for deeper dive into SSL debugging:
https://maulwuff.de/research/ssl-debugging.html

Leave a Reply

avatar
  Subscribe  
Notify of