On 22.10.2014 at 20:14, Benjamin Smith <lists at benjamindsmith.com> wrote:
> On Tuesday, October 21, 2014 07:28:13 PM Stephen Harris wrote:
>> On Tue, Oct 21, 2014 at 04:17:25PM -0700, lists at benjamindsmith.com wrote:
>>> I've already confirmed for example, that using openssl s_client as you
>>> mention above doesn't actually check the certs, just lists them.
>>
>> Actually it does check them as well.
>>
>> e.g.
>> openssl s_client -connect localhost:443 < /dev/null > /dev/null
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
>> verify error:num=10:certificate has expired
>> notAfter=Aug 9 23:55:39 2014 GMT
>> verify return:1
>> depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
>> notAfter=Aug 9 23:55:39 2014 GMT
>> verify return:1
>> DONE
>>
>> Notice the "verify error" lines; it's both self-signed _and_ expired.
>>
>> In chained certs it'll check each of the chains.
>>
>> e.g.
>> openssl s_client -connect www.google.com:443 < /dev/null > /dev/null
>> CONNECTED(00000003)
>> depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> verify return:1
>> depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> verify return:1
>> depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
>> verify return:1
>> depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>>    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>>  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>
>> You can do a _LOT_ with the openssl command line (e.g. show all the
>> intermediate certs in detail with -showcerts). 'man s_client'
>>
>> If you have a server with a broken intermediate chain then run the command
>> and see what it returns.
>
> I ended up discovering that curl recently added the option --resolve that
> allows me to do what I need. I had to download a statically compiled version
> and install in /usr/local to get it working on EL6.

just add your host into /etc/hosts

--
LF
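As an added example (not part of the thread, and not OpenSSL's own tooling): a POSIX shell helper that picks out the `verify error` lines Stephen points to and turns them into a pass/fail exit status, so a chain check can go into a script or a monitoring job instead of being read by eye. Function names and both sample outputs are constructed for this illustration; `check_host` assumes an `openssl` binary on the path and needs network access, and is not exercised by the samples.

```shell
#!/bin/sh
# Added example, not from the thread: turn the "verify error" lines that
# openssl s_client prints into a pass/fail check. Function names are
# hypothetical; the sample outputs below are constructed.

# report_verify_errors: read s_client output on stdin and print one line per
# "verify error:num=<n>:<text>" as "depth=<d> error=<n>: <text>".
# Exits 1 if any verify error was seen, 0 otherwise. s_client itself exits 0
# even when the chain fails verification, so the text has to be inspected.
report_verify_errors() {
    awk '
        /^depth=/ { depth = $1 }              # remember the chain element we are on
        /verify error:num=/ {
            sub(/.*verify error:num=/, "")    # keep "<num>:<text>"
            num = $0;  sub(/:.*/, "", num)    # error number before the first colon
            text = $0; sub(/^[^:]*:/, "", text)
            printf "%s error=%s: %s\n", depth, num, text
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# verify_error_count: number of verify errors in s_client output given on stdin.
verify_error_count() {
    report_verify_errors | wc -l | tr -d ' '
}

# check_host: connect to $1 (port $2, default 443), send SNI for $3 (default
# $1) so a name-based virtual host returns the right certificate, and fail if
# any element of the chain has a verify error. Needs network access.
# To test a server before DNS points at it (the curl --resolve case in the
# thread), pass the IP as $1 and the certificate name as $3, e.g.
#   check_host 192.0.2.10 443 www.example.com
check_host() {
    host=$1; port=${2:-443}; name=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$name" </dev/null 2>&1 \
        | report_verify_errors
}

# Constructed sample: the self-signed, expired case from the thread, in the
# layout s_client actually prints (subject line, then the verify lines).
SAMPLE_EXPIRED='depth=0 /C=--/ST=SomeState/O=SomeOrganization/CN=a.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/O=SomeOrganization/CN=a.example.com
verify error:num=10:certificate has expired
notAfter=Aug  9 23:55:39 2014 GMT
verify return:1
DONE'

# Constructed sample: a clean three-level chain with no verify errors.
SAMPLE_OK='depth=2 /C=US/O=Example Root CA
verify return:1
depth=1 /C=US/O=Example Intermediate CA
verify return:1
depth=0 /C=US/CN=www.example.com
verify return:1
DONE'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_EXPIRED" | report_verify_errors || echo "chain FAILED"
    printf '%s\n' "$SAMPLE_OK" | report_verify_errors && echo "chain OK"
fi
```

Run it with `--demo` to see the two samples classified; for a live host, `check_host www.example.com` returns non-zero as soon as any depth of the chain carries a verify error, which is what a broken intermediate looks like. Newer OpenSSL builds can do the abort themselves with `s_client -verify_return_error`, but parsing the lines works the same on the older EL6 binary mentioned in the thread.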