I am using openssl s_client -showcerts -connect test.abc.com:443 -state -debug to check the server certificate. The server is using nginx. But when i request the above openssl shows the server certificate as *.xyz.com. I want to know where openssl is getting this as the server certificate. OS is Linux. checked in /etc/pki/tls but the certificate which openssl reads as the server certificate is not there. And the nginx config points to the correct certificate for abc.com. Also if I access using the browser the correct cert is shown. This happens only with openssl. :(
The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers.
there is a SNI issue with openssl, try using this command:
openssl s_client -showcerts -connect www.example.com:443 -servername www.example.com </dev/null
The addition of -servername according to this article should clear it up.
The server is issuing a permanent redirect to ethornetworks.com
. To see it, first issue your s_client
command:
$ openssl s_client -CAfile AddTrustExternalCARoot.crt -connect apitest.ethormapp.com:443
CONNECTED(00000003)
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ethornetworks.com
verify return:1
...
At the very bottom, after you get the verify result, enter a GET / HTTP/1.0
command and press RETURN twice:
...
Start Time: 1390985154
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
GET / HTTP/1.0
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.4
Date: Wed, 29 Jan 2014 08:46:01 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: https://www.ethornetworks.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.4.4</center>
</body>
</html>
closed
$
If you follow the redirect, then you will get the expected result:
$ openssl s_client -CAfile AddTrustExternalCARoot.crt -connect www.ethornetworks.com:443
CONNECTED(00000003)
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.ethornetworks.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
...
Finally, you can use the AddTrust External CA Root to ensure the chain verifies as expected. Without it and the -CAfile
option, s_client
will report 19 (self signed certificate in certificate chain)
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With