[CentOS] Testing "dark" SSL sites

Wed Oct 22 18:14:39 UTC 2014
Benjamin Smith <lists at benjamindsmith.com>

On Tuesday, October 21, 2014 07:28:13 PM Stephen Harris wrote:
> On Tue, Oct 21, 2014 at 04:17:25PM -0700, lists at benjamindsmith.com wrote:
> > I've already confirmed for example, that using openssl s_client as you
> > mention above doesn't actually check the certs, just lists them.
> 
> Actually it does check them as well.
> 
> e.g.
>   openssl s_client -connect localhost:443 < /dev/null > /dev/null
>   depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
>   verify error:num=18:self signed certificate
>   verify return:1
>   depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
>   verify error:num=10:certificate has expired
>   notAfter=Aug  9 23:55:39 2014 GMT
>   verify return:1
>   depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=a.example.com/emailAddress=root at a.example.com
>   notAfter=Aug  9 23:55:39 2014 GMT
>   verify return:1
>   DONE
> 
> Notice the "verify error" lines; it's both self-signed _and_ expired.
> 
> In chained certs it'll check each of the chains.
> 
> e.g.
>   openssl s_client -connect www.google.com:443 < /dev/null > /dev/null
>   CONNECTED(00000003)
>   depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>   verify return:1
>   depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>   verify return:1
>   depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
>   verify return:1
>   depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>   verify return:1
>   ---
>   Certificate chain
>    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>      i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>    1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>      i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>    2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>      i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> 
> You can do a _LOT_ with the openssl command line (e.g. show all the
> intermediate certs in detail with -showcerts).  'man s_client'
> 
> If you have a server with a broken intermediate chain then run the command
> and see what it returns.

I ended up discovering that curl recently added the option --resolve that allows me to do what I need. I had to download a statically compiled version and install in /usr/local to get it working on EL6.
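Putting the two approaches from this thread together, here is an added helper script (not from the thread or from the openssl/curl projects) for checking a "dark" vhost, i.e. a hostname whose DNS does not yet point at the server: it pins the name to an IP with `-servername` / `--resolve` and turns s_client's verify lines into a pass/fail verdict. `a.example.com` and `192.0.2.10` are constructed placeholders; `NO-VERIFY-OUTPUT` and the function names are this script's own.

```sh
#!/bin/sh
# Added example, not the list's or the projects' own code.

# Read openssl s_client output (stdout and stderr merged) on stdin and print
# one verdict: FAIL if any "verify error" line or a non-zero "Verify return
# code" appears, NO-VERIFY-OUTPUT if no verify lines were seen at all (e.g. the
# handshake never happened), else OK. The exit status is always 0; callers
# compare the printed verdict.
classify_verify() {
    awk '
        /verify error:/                 { err++ }
        /^Verify return code: [^0]/     { err++ }
        /^verify return:/               { seen++ }
        END {
            if (err > 0)        print "FAIL"
            else if (seen == 0) print "NO-VERIFY-OUTPUT"
            else                print "OK"
        }'
}

# Build the value curl --resolve expects: HOST:PORT:ADDRESS.
curl_resolve_arg() {
    printf '%s:%s:%s\n' "$1" "$3" "$2"
}

# Chain check: connect to IP, but send HOST as SNI so the server picks the
# right vhost certificate. Note that s_client alone verifies the chain, not
# that the certificate's name matches HOST; the curl step below covers that.
# Usage: check_dark_site HOST IP [PORT]; returns 0 only on verdict OK.
check_dark_site() {
    host=$1; ip=$2; port=${3:-443}
    verdict=$(openssl s_client -connect "$ip:$port" -servername "$host" \
                  </dev/null 2>&1 | classify_verify)
    echo "$host via $ip:$port -> $verdict"
    [ "$verdict" = "OK" ]
}

# Full HTTPS fetch with name pinned to IP (needs a curl that has --resolve);
# curl does the chain *and* hostname check and prints the HTTP status code.
curl_dark_site() {
    host=$1; ip=$2; port=${3:-443}
    curl --silent --show-error --output /dev/null --write-out '%{http_code}\n' \
        --resolve "$(curl_resolve_arg "$host" "$ip" "$port")" "https://$host:$port/"
}
```

Run as `check_dark_site a.example.com 192.0.2.10 && curl_dark_site a.example.com 192.0.2.10` once the functions are sourced; the two verdicts together tell you whether the chain is complete and whether the certificate actually matches the name you are about to publish.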