How to debug SSL certificate issues with a host in Linux: the openssl utility
Today we will look at how to debug SSL issues with a website or host, including services on other ports such as HTTPS, IMAP and POP.
In short, this post describes the usage of the openssl s_client command.
I. Debugging the SSL connection on port 443
$ openssl s_client -connect www.google.com:443
CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
---
SSL handshake has read 2994 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4F59F46FA94E35BACC60B9C1D9247161519658CFB9AA49922358472AF1428024
    Session-ID-ctx:
    Master-Key: E2BC557EAE0AAF99EBE30F8351B7E42180FCFEA49C6A65170A16225D1B0B297A7D9B60DB07852F2743E87B2328851307
    TLS session ticket lifetime hint: 100799 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1555898602
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Debugging Steps
1. First verify that the address and port are correct and reachable –> www.google.com:443
2. The return code of the above query should be 0 –> Verify return code: 0 (ok)
3. Fix the SSL certificates if verification fails because of a self-signed or bad certificate. A per-depth line such as verify error:num=20:unable to get local issuer certificate, as in the output above, usually means the local trust store lacks the issuer rather than that the server's chain is broken; retry with -CAfile or -CApath pointing at the right CA bundle before changing anything on the server.
II. Debugging Certificate Chain
Run the command below to verify the certificate chain. -showcerts prints every certificate the server sends, and -servername sets the SNI name so a server hosting several sites presents the right certificate.
$ openssl s_client -connect www.google.com:443 -servername google.com -showcerts
CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
---
SSL handshake has read 3707 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 6FBE522F3D345ADE581DD895F89CEEF8A62A6700C9E30A4976078E95E2D3F301
    Session-ID-ctx:
    Master-Key: 61C18BE8E8E0F00E4D8A08F88AE1E031CD08D25C8ACB04438D4E6930815A6DCFB82785581EA8E809426D6A3D2F395CDF
    TLS session ticket lifetime hint: 100799 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1555899462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Errors in case of certificate issues
In case of a self-signed certificate, the output shows the error below:
verify error:num=18:self signed certificate
verify return:1
III. Troubleshooting a connection on any other port, say POP on 995
$ openssl s_client -connect www.google.com:995
As with HTTPS on port 443, any other port number can be given to debug that service as well. This works directly only where the server speaks TLS from the first byte, such as 995 for POP3S or 993 for IMAPS; for services that start in cleartext and upgrade, such as POP3 on 110, IMAP on 143 or SMTP on 587, add -starttls with the protocol name (for example -starttls pop3).
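To script the checks from sections I to III, here is an added example that is not part of the original post: diagnose reads an s_client transcript and reports the verify outcome, chain_links checks that each issuer in the "Certificate chain" block matches the next subject, and check_host runs openssl s_client live with an optional -starttls. The host names and the SAMPLE_* transcripts are constructed, and openssl must be on PATH for check_host.

```shell
# Added example, not from the original post: script the checks the post makes
# by eye, reading an openssl s_client transcript from stdin. SAMPLE_* are
# constructed transcripts in the format shown above, so it runs offline.

# One word for the verify outcome. Matching the numeric code keeps this stable
# across OpenSSL versions whose wording differs (self signed / self-signed).
diagnose() {
    t=$(cat)
    printf '%s\n' "$t" | grep -q '^CONNECTED' || { echo no-connect; return 1; }
    printf '%s\n' "$t" | grep -q 'verify error:num=18:' && { echo self-signed; return 1; }
    # num=20 usually means the local trust store lacks the issuer, not that the
    # server's chain is bad: retry with -CAfile/-CApath before blaming the host.
    printf '%s\n' "$t" | grep -q 'verify error:num=20:' && { echo no-issuer; return 1; }
    code=$(printf '%s\n' "$t" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    [ "$code" = 0 ] && { echo ok; return 0; }
    echo failed; return 1
}

# Does the "Certificate chain" block link up? The issuer (i:) of entry n must
# equal the subject (s:) of entry n+1. Prints chain-ok or chain-break:n.
chain_links() {
    awk '/^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
         /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; last = n }
         END { for (k = 0; k < last; k++)
                   if (iss[k] != subj[k + 1]) { print "chain-break:" k; exit 1 }
               print "chain-ok" }'
}

# Live use: host, port and an optional STARTTLS protocol (smtp, imap, pop3) for
# services such as IMAP on 143 or POP3 on 110 that begin in cleartext.
check_host() {
    extra=""; [ -n "$3" ] && extra="-starttls $3"
    out=$(openssl s_client -connect "$1:$2" -servername "$1" $extra -showcerts </dev/null 2>&1)
    printf '%s\n' "$out" | diagnose
    printf '%s\n' "$out" | chain_links
}
# Constructed transcripts (not real hosts), trimmed to the lines that matter.
SAMPLE_OK='CONNECTED(00000003)
verify return:1
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Issuing CA
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
verify error:num=18:self signed certificate
verify return:1
Verify return code: 18 (self signed certificate)'
```

Run it as `. ./check.sh; check_host mail.example.test 110 pop3` (hypothetical file and host) to get both verdicts for a live service.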
References
We recommend reading the reference below for a deeper dive into SSL debugging: https://maulwuff.de/research/ssl-debugging.html