Here are a few commands that could be helpful for debugging TLS handshake issues.
Set your host and port.
export HOST=example.com
export PORT=443
Debug the Handshake and View the Full Certificate Chain
echo | openssl s_client -debug -connect $HOST:$PORT -servername $HOST -showcerts
Extract Certificate from Server and Inspect
Extract the server's certificate and save it for later inspection.
echo | openssl s_client -connect $HOST:$PORT \
-servername $HOST 2>/dev/null \
| openssl x509 -outform pem \
> server_certificate.crt
View Certificate Details
openssl x509 -in server_certificate.crt -text -noout
If the certificate is in DER format:
openssl x509 -inform der -in server_certificate.der -text -noout
Check Certificate Expiry
openssl x509 -in server_certificate.crt -enddate -noout
Verify a Certificate Against a CA
Ensure the certificate is signed by the provided CA.
openssl verify -CAfile ca.crt server_certificate.crt
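The expiry and CA checks above can be scripted so that an exit status, rather than text to read, reports the result. This is an added example, not part of the original article: check_cert and make_test_pki are hypothetical helper names, and the CA and certificates are throwaway ones constructed locally so the script runs offline.

```shell
#!/bin/sh
# check_cert CERT CA_FILE DAYS  (hypothetical helper, not from the article)
# Returns 0 if CERT verifies against CA_FILE and stays valid for more than DAYS days,
#         1 if it expires within DAYS days, 2 if verification against the CA fails.
check_cert() {
    cert=$1; ca=$2; days=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
    # -checkend N exits non-zero when the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null || return 1
    return 0
}

# make_test_pki DIR: build constructed sample data in DIR: a throwaway CA, a leaf
# valid for 10 days signed by it, and an unrelated CA for the negative case.
make_test_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=example.com" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 10 -out "$d/server_certificate.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -subj "/CN=Unrelated Test CA" -keyout "$d/other.key" -out "$d/other_ca.crt" 2>/dev/null
}

# Demo: prints "status: 0" (valid for more than 5 days and signed by ca.crt)
tmp=$(mktemp -d)
make_test_pki "$tmp" && { check_cert "$tmp/server_certificate.crt" "$tmp/ca.crt" 5; echo "status: $?"; }
rm -rf "$tmp"
```

Against a real server, pass the server_certificate.crt extracted earlier and your own ca.crt to check_cert instead of the constructed files.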
Check for Cipher Support
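Test if the server supports a specific cipher suite. See cipher suite names for reference. The -cipher option only restricts TLS 1.2 and earlier suites; TLS 1.3 suites are selected with -ciphersuites.
export CIPHER=ECDHE-RSA-AES256-GCM-SHA384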
openssl s_client -connect $HOST:$PORT -cipher $CIPHER