
Display received cert with curl?

Tags: curl, ssl

With a slightly older version of curl, I had a handy batch file:

curl --verbose -k https://%1 2>&1 |grep -E "Connected to|subject|expire"

This would show me the IP connected to, with the subject and expiration date of the actual certificate negotiated, even if that was not the correct certificate for that domain name -- which is sometimes a problem for our hosting (we host literally thousands of domains on our multitenant application, about half with their own certs).

In specific, I would see something like this in the stderr output before grep filtered it:

* Server certificate:
*  subject: CN=academy-fran.chi.v6.pressero.com
*  start date: Feb 22 04:55:00 2017 GMT
*  expire date: May 23 04:55:00 2017 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.

Today I had to reinstall the OS on my machine, and reinstalled curl. Now at version 7.52.1 (x86_64-w64-mingw32); previous one seems to have been 7.49.1 (i686-pc-cygwin). Curl no longer displays ANY certificate information, regardless of whether -k is used or not, if the TLS connection succeeds or not.

Is there an option that will give it back to me?

Ross Presser asked Mar 06 '17 20:03
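The grep filter in the question can be taken one step further by parsing the `curl --verbose` text and comparing the presented certificate with the requested host. This is an added example, not part of the original post; the `Connected to` line, host name and address in the sample are constructed, and `name_matches` and `summarize` are names chosen here.

```python
import re
from datetime import datetime, timezone

CONNECTED = re.compile(r"^\* Connected to (\S+) \(([^)]+)\) port \d+")
FIELD = re.compile(r"^\*\s+(subject|expire date):\s*(.*)$")
CN = re.compile(r"\bCN\s*=\s*([^;,/]+)")
# Constructed sample: the "Connected to" line and its address are made up;
# the certificate lines follow the format quoted in the question.
SAMPLE = """\
* Connected to shop.example.com (203.0.113.10) port 443 (#0)
* Server certificate:
*  subject: CN=academy-fran.chi.v6.pressero.com
*  start date: Feb 22 04:55:00 2017 GMT
*  expire date: May 23 04:55:00 2017 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
"""

def name_matches(pattern, host):
    """Compare a CN with the requested host; '*' covers one leftmost label only."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def summarize(verbose_text, now):
    """Extract peer IP, subject CN and expiry from `curl --verbose` stderr text."""
    info = {"host": None, "ip": None, "cn": None, "expires": None}
    for line in verbose_text.splitlines():
        conn, field = CONNECTED.match(line), FIELD.match(line)
        if conn:
            info["host"], info["ip"] = conn.group(1), conn.group(2)
        elif field and field.group(1) == "subject":
            cn = CN.search(field.group(2))
            info["cn"] = cn.group(1).strip() if cn else None
        elif field:  # expire date, e.g. "May 23 04:55:00 2017 GMT"
            stamp = datetime.strptime(" ".join(field.group(2).split()), "%b %d %H:%M:%S %Y GMT")
            info["expires"] = stamp.replace(tzinfo=timezone.utc)
    # Only the CN is compared: the verbose block shown on the page lists no SANs,
    # so a mismatch means "inspect this host", not "certificate invalid".
    if info["cn"] is None or info["expires"] is None:
        status = "no certificate block in output"
    elif info["expires"] <= now:
        status = "expired"
    elif not name_matches(info["cn"], info["host"] or ""):
        status = "CN does not match requested host"
    else:
        status = "ok"
    days_left = (info["expires"] - now).days if info["expires"] else None
    return {**info, "status": status, "days_left": days_left}
```

Feed it the combined output of `curl --verbose -k https://host 2>&1`; a build that prints no certificate lines, as described in the question, yields the `no certificate block in output` status.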



1 Answer

For anyone else on OSX or Linux, you can add this to your ~/.zshrc file:

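function seecert () {
  # Show which addresses the name resolves to
  nslookup "$1"
  # Fetch the certificate presented for this SNI name and print its validity period
  (openssl s_client -showcerts -servername "$1" -connect "$1:443" <<< "Q" | openssl x509 -text | grep -iA2 "Validity")
}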

Example usage, after you have run a source ~/.zshrc after the above additions:

% seecert www.google.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.10.100

depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
DONE
        Validity
            Not Before: Nov  3 07:39:18 2020 GMT
            Not After : Jan 26 07:39:18 2021 GMT

Thanks go to @ross-presser and his answer for the inspiration for this function.

Myles Steinhauser answered Sep 22 '22 00:09