On Tuesday, October 21, 2014 07:28:13 PM Stephen Harris wrote:
> On Tue, Oct 21, 2014 at 04:17:25PM -0700, lists at benjamindsmith.com wrote:
> > I've already confirmed for example, that using openssl s_client as you
> > mention above doesn't actually check the certs, just lists them.
>
> Actually it does check them as well.
>
> e.g.
> openssl s_client -connect localhost:443 < /dev/null > /dev/null
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
> verify error:num=10:certificate has expired
> notAfter=Aug 9 23:55:39 2014 GMT
> verify return:1
> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
> notAfter=Aug 9 23:55:39 2014 GMT
> verify return:1
> DONE
>
> Notice the "verify error" lines; it's both self-signed _and_ expired.
>
> In chained certs it'll check each of the chains.
>
> e.g.
> openssl s_client -connect www.google.com:443 < /dev/null > /dev/null
> CONNECTED(00000003)
> depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> verify return:1
> depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> verify return:1
> depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
> verify return:1
> depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> You can do a _LOT_ with the openssl command line (e.g. show all the
> intermediate certs in detail with -showcerts). 'man s_client'
>
> If you have a server with a broken intermediate chain then run the command
> and see what it returns.

I ended up discovering that curl recently added the option --resolve that
allows me to do what I need. I had to download a statically compiled version
and install in /usr/local to get it working on EL6.
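The check described in the quoted reply, as an added example that is not part of the thread and not the poster's own script: it turns the "verify error" lines from openssl s_client into a pass/fail result (with the depth, so an error at depth 1 points at the intermediate rather than the leaf), dumps the served chain with -showcerts, and fetches a vhost from a chosen IP with curl --resolve. The two sample outputs are constructed, modelled on the ones quoted above; the host names, ports and IP in the function arguments are placeholders, and -servername is passed so a name-based vhost returns the certificate for that name rather than the default one.

```shell
#!/bin/sh
# Added example (not from the list thread): make openssl s_client's "verify
# error" lines into a pass/fail check, and test a vhost on a chosen IP with
# curl --resolve. Host names, ports and IPs passed to the functions are
# assumptions; the two samples below are constructed, not captured.

# Constructed s_client output modelled on the self-signed and expired case.
SAMPLE_BAD='depth=0 /C=--/ST=SomeState/O=SomeOrganization/CN=a.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/O=SomeOrganization/CN=a.example.com
verify error:num=10:certificate has expired
notAfter=Aug  9 23:55:39 2014 GMT
verify return:1
DONE'

# Constructed s_client output for a chain that verifies at every depth.
SAMPLE_GOOD='CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
DONE'

# verify_errors: read s_client output on stdin and print one line per
# "verify error" as "<depth>:<error number>:<reason>". Prints nothing when
# the chain verified cleanly. The depth comes from the preceding "depth="
# line, so an error at depth 1 means the intermediate, not the leaf, is bad.
verify_errors() {
    awk '
        /^depth=/ { sub(/^depth=/, ""); depth = $1 }
        /^verify error:num=/ {
            split($0, f, ":")   # "verify error" / "num=18" / "self signed certificate"
            sub(/^num=/, "", f[2])
            print depth ":" f[2] ":" f[3]
        }
    '
}

# chain_ok: exit 0 if the s_client output on stdin contains no verify errors.
chain_ok() {
    [ -z "$(verify_errors)" ]
}

# check_chain HOST [PORT]: connect with SNI (-servername) so a name-based
# vhost hands back the certificate for HOST, then report any verify errors.
# s_client prints the verify lines on stderr, hence 2>&1.
check_chain() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | verify_errors
}

# show_chain HOST [PORT]: print every certificate the server sends (leaf and
# intermediates) as PEM, ready to be inspected one by one with openssl x509.
show_chain() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# curl_via_ip HOST IP: fetch https://HOST/ from a specific IP without editing
# /etc/hosts. --resolve pins HOST:443 to IP while curl still sends HOST as
# SNI and verifies the certificate against HOST (curl 7.21.3 or newer).
curl_via_ip() {
    host=$1
    ip=$2
    curl -sS -o /dev/null -v --resolve "$host:443:$ip" "https://$host/"
}

# Offline run: list the errors in the constructed bad sample.
printf '%s\n' "$SAMPLE_BAD" | verify_errors
```

Against a live server, check_chain www.example.com prints nothing for a clean chain and lines such as 1:20:unable to get local issuer certificate when the intermediate is missing; the trailing "verify return:1" lines mean s_client kept going, not that verification passed, so only the "verify error" lines matter.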