[CentOS] Testing "dark" SSL sites
Leon Fauster
leonfauster at googlemail.com
Wed Oct 22 19:45:54 UTC 2014
On 22.10.2014 at 20:14, Benjamin Smith <lists at benjamindsmith.com> wrote:
> On Tuesday, October 21, 2014 07:28:13 PM Stephen Harris wrote:
>> On Tue, Oct 21, 2014 at 04:17:25PM -0700, lists at benjamindsmith.com wrote:
>>> I've already confirmed for example, that using openssl s_client as you
>>> mention above doesn't actually check the certs, just lists them.
>>
>> Actually it does check them as well.
>>
>> e.g.
>> openssl s_client -connect localhost:443 < /dev/null > /dev/null
>> depth=0
>> /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
>> CN=a.example.com/emailAddress=root at a.example.com verify error:num=18:self
>> signed certificate
>> verify return:1
>> depth=0
>> /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
>> CN=a.example.com/emailAddress=root at a.example.com verify
>> error:num=10:certificate has expired
>> notAfter=Aug 9 23:55:39 2014 GMT
>> verify return:1
>> depth=0
>> /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
>> CN=a.example.com/emailAddress=root at a.example.com notAfter=Aug 9 23:55:39
>> 2014 GMT
>> verify return:1
>> DONE
>>
>> Notice the "verify error" lines; it's both self-signed _and_ expired.
>>
>> In chained certs it'll check each of the chains.
>>
>> e.g.
>> openssl s_client -connect www.google.com:443 < /dev/null > /dev/null
>> CONNECTED(00000003)
>> depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> verify return:1
>> depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> verify return:1
>> depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
>> verify return:1
>> depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>> i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>
>> You can do a _LOT_ with the openssl command line (e.g. show all the
>> intermediate certs in detail with -showcerts). 'man s_client'
>>
>> If you have a server with a broken intermediate chain then run the command
>> and see what it returns.
>
> I ended up discovering that curl recently added the option --resolve that
> allows me to do what I need. I had to download a statically compiled version
> and install in /usr/local to get it working on EL6.
just add your host into /etc/hosts
--
LF
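An added example, not part of the thread: a small POSIX shell script that does what the replies above describe for a "dark" vhost (one with no DNS record yet). It points openssl and curl at the server's IP while presenting the real hostname, which is the same mapping that curl --resolve or an /etc/hosts entry gives you, and it extracts the "verify error" lines from the s_client output so a script can decide whether the chain is good. It assumes the openssl s_client and curl binaries are installed (a curl build that has --resolve) and that the system CA store is found by default; the hostnames and IPs in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): test a TLS vhost that is not yet in DNS.
# Connect to the IP, send the real hostname as SNI, and report verify errors.

# Read openssl s_client output on stdin and print one line per verify error,
# in the form "<num> <reason>", e.g. "18 self signed certificate".
verify_errors() {
    sed -n 's/^verify error:num=\([0-9][0-9]*\):\(.*\)$/\1 \2/p'
}

# Read s_client output on stdin; succeed only when no verify error was seen.
# Errors (if any) are echoed to stderr so the caller sees why it failed.
chain_ok() {
    errs=$(verify_errors)
    if [ -n "$errs" ]; then
        printf '%s\n' "$errs" >&2
        return 1
    fi
    return 0
}

# check_dark_site HOST IP [PORT]
# -servername sends HOST as SNI so the server picks the right vhost cert;
# -connect uses the IP directly, so no DNS entry and no /etc/hosts edit needed.
# If the default CA store is not found you will see error 20
# ("unable to get local issuer certificate"); pass -CAfile /path/to/ca-bundle.crt.
check_dark_site() {
    h=$1; addr=$2; p=${3:-443}
    openssl s_client -connect "$addr:$p" -servername "$h" -showcerts \
        </dev/null 2>&1 | chain_ok
}

# curl_dark_site HOST IP [PORT]
# Same HOST->IP mapping via --resolve; curl performs full chain and
# hostname verification and prints the HTTP status code on success.
curl_dark_site() {
    h=$1; addr=$2; p=${3:-443}
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --resolve "$h:$p:$addr" "https://$h:$p/"
}

# Usage (placeholder values):
#   check_dark_site www.example.com 192.0.2.10 && echo "chain OK"
#   curl_dark_site  www.example.com 192.0.2.10
```

Note that -servername matters for the s_client test: without it the server may answer with its default certificate rather than the one for the vhost you are checking, so a passing result would tell you nothing about the site you are about to cut over.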