Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenSSL Command to check if a server is presenting a certificate

Tags:

ssl

openssl

I'm trying to run an openssl command to narrow down what the SSL issue might be when trying to send an outbound message from our system.

I found this command in another topic: Using openssl to get the certificate from a server

openssl s_client -connect ip:port -prexit 

The output of this results in

CONNECTED(00000003) 15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 121 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- 

Does this mean the server isn't presenting any certificate? I tried other systems on a different ip:port and they present a certificate successfully.

Does mutual authentication affect this command with -prexit?

--Update--

I ran the command again

openssl s_client -connect ip:port -prexit 

And I get this response now

CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 121 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- 

I added -ssl3 to the command

openssl s_client -connect ip:port -prexit -ssl3 

Response:

CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session:     Protocol  : SSLv3     Cipher    : 0000     Session-ID:      Session-ID-ctx:      Master-Key:      Key-Arg   : None     Krb5 Principal: None     Start Time: 1403907236     Timeout   : 7200 (sec)     Verify return code: 0 (ok) --- 

Also trying -tls1

CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session:     Protocol  : TLSv1     Cipher    : 0000     Session-ID:      Session-ID-ctx:      Master-Key:      Key-Arg   : None     Krb5 Principal: None     Start Time: 1403907267     Timeout   : 7200 (sec)     Verify return code: 0 (ok) --- 
like image 678
R Zeal Avatar asked Jun 27 '14 17:06

R Zeal


People also ask

How do you check if a server has a valid certificate?

For most browsers, look to see if a site URL begins with “https,” which indicates it has an SSL certificate. Then click on the padlock icon in the address bar to view the certificate information.

How do I check if a certificate is available?

To view certificates for the local deviceSelect Run from the Start menu, and then enter certlm. msc. The Certificate Manager tool for the local device appears. To view your certificates, under Certificates - Local Computer in the left pane, expand the directory for the type of certificate you want to view.

What is s_client in OpenSSL?

DESCRIPTION. The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.

How to check SSL certificate with OpenSSL command?

Check SSL certificate with OpenSSL Command Check Private key info: openssl rsa -text -in privateKey.key -noout Check CSR info: openssl req -text -in CSR.csr -noout

How do I use OpenSSL to verify open ports?

Verify open ports using OpenSSL: OpenSSL can be used to verify if a port is listening, accepting connections, and if an SSL certificate is present. OpenSSL can be used for validation in the event plugin 51192 'SSL Certificate cannot be trusted' unexpectedly finds unknown certificates on a port: # openssl s_client -connect <URL or IP>:<port>

How to check if a CSR has been generated using OpenSSL?

Or, for example, which CSR has been generated using which Private Key. From the Linux command line, you can easily check whether an SSL Certificate or a CSR match a Private Key using the OpenSSL utility.

What is OpenSSL?

Check SSL Certificate with OpenSSL Updated: Aug 28 OpenSSL is an open-source command-line tool that is commonly used to generate private keys, create CSRs, install our SSL/TLS certificate, and identify certificate information. This quick reference can help us understand the most common OpenSSL commands and how to use them.


2 Answers

I was debugging an SSL issue today which resulted in the same write:errno=104 error. Eventually I found out that the reason for this behaviour was that the server required SNI (servername TLS extensions) to work correctly. Supplying the -servername option to openssl made it connect successfully:

openssl s_client -connect domain.tld:443 -servername domain.tld 

Hope this helps.

like image 53
piit79 Avatar answered Sep 16 '22 19:09

piit79


15841:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: ... SSL handshake has read 0 bytes and written 121 bytes 

This is a handshake failure. The other side closes the connection without sending any data ("read 0 bytes"). It might be, that the other side does not speak SSL at all. But I've seen similar errors on broken SSL implementation, which do not understand newer SSL version. Try if you get a SSL connection by adding -ssl3 to the command line of s_client.

like image 42
Steffen Ullrich Avatar answered Sep 16 '22 19:09

Steffen Ullrich