Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using '-servername' param with openssl s_client

Tags:

ssl

openssl

apache

centos6

I am installing a new SSL certificate on Centos6/Apache and my web browser keeps picking up the old certificate. To test my setup, I am using "openssl s_client" but I am seeing different results based on the "-servername" parameter. No one seems to us this parameter and it does not appear in the man pages but I saw it mentioned here OpenSSL: Check SSL Certificate Expiration Date and More .

If I run this command:

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

I get the correct date for the certificate.

(notBefore=Apr 20 00:00:00 2017 GMT notAfter=Apr 20 23:59:59 2018 GMT)

However, if I intruduce the -servername parameter into the commmand

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

I then get the expired date that my browser is showing -

(notBefore=Apr 20 00:00:00 2016 GMT notAfter=Apr 20 23:59:59 2017 GMT)

Can anyone explain why this is happening, as this must be related to the reason why my SSL certificate shows as expired in my browser.

Thanks O

like image 573
user1398017 Avatar asked May 04 '17 14:05

user1398017

1 Answers

The servername argument to s_client is documented (briefly) on this page:

https://www.openssl.org/docs/man1.0.2/apps/s_client.html

Essentially it works a little like a "Host" header in HTTP, i.e. it causes the requested domain name to be passed as part of the SSL/TLS handshake (in the SNI - Server Name Indication extension). A server can then host multiple domains behind a single IP. It will respond with the appropriate certificate based on the requested domain name.

If you do not request a specific domain name the server does not know which certificate to give you, so you end up with a default one. In your case one of the certificates that the server is serving up for your domain has expired, but the default certificate has not.

You need to make sure you are updating the correct VirtualHost entry for your domain, e.g. see:

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

like image 95
Matt Caswell Avatar answered Sep 29 '22 14:09

Matt Caswell
Sign in to Comment

Related questions

Parse Query String with HTTPclient to extract nameValuePairs
what is fastest as a django production server : twisted.web2 vs. apache mod_wsgi
How to make user session go on for 24 hours?
Can't get Xdebug var_dump formatting work on my ubuntu
Set path to php.ini
setting mamp ports to 80 and 3306
simple .htaccess redirect : how to redirect with parameters?
How to allow access to only a single file?
jQuery.get doesn't receive latest version of file on server [duplicate]
RewriteCond with SetEnv
How do you set the PHP error log location in the Apache configuration file?
how to solve error QXcbConnection: Could not connect to display when using exec function for phantomJs using PHP
Apache / PHP error_log location in Docker
Failed to start The Apache HTTP Server on ubuntu 18.04
mod_rewrite regex to match only if a certain string does NOT exist
Run PHP code from .htaccess?
How to log page requests using Apache?
.htaccess redirect index.php to /
How to download an HttpResponse into a file?
Android StringBody(String) is deprecated

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!