This article describes how to use the openssl program to troubleshoot SSL connections.
OpenSSL is an open-source implementation of the SSL and TLS protocols. It includes several code libraries and utility programs, one of which is the command-line openssl program.
The openssl program is a useful tool for troubleshooting secure TCP connections to a remote server. In addition to testing basic connectivity, openssl enables you to send raw protocol commands for additional testing.
Linux and Mac OS X include the openssl program by default. On Microsoft Windows, however, you must download and install openssl. To do this, follow these steps:
To troubleshoot a secure connection using the openssl program, you must know at least two things:
If you are only testing basic connectivity to a particular application, that is all you need. If you want to do more in-depth testing, however, you will need to know specific commands for the protocol you want to test (for example, IMAP or HTTP).
To open a connection to a remote server, open a terminal window on your computer, and then type the following command. Replace example.com with the domain name (or IP address) of the server, and replace port with the TCP port number of the protocol you want to test:
openssl s_client -connect example.com:port
When you try to establish a secure connection to a remote server using openssl, one of two things happens:
The following sections demonstrate how to do basic troubleshooting with some common types of secure connections.
You can use the openssl program to test and verify SSL certificates. For example, you can check whether a certificate is signed by a valid Certificate Authority (CA) or is self-signed. You can also examine the certificate's validity, expiration date, and much more.
To do this, type the following command. Replace example.com with your own domain name:
openssl s_client -connect example.com:443 -servername example.com -showcerts | openssl x509 -text -noout
The following sample output shows the important lines to look at: the Issuer, the Validity period, and the Subject:
$ openssl s_client -connect example.com:443 -servername example.com -showcerts | openssl x509 -text -noout
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:11:4a:f7:c9:0e:fa:ff:9c:de:ad:be:ef:8a:84:1d:66:53
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Jun 11 19:26:24 2015 GMT
            Not After : Jun 11 19:26:24 2016 GMT
        Subject: OU=Domain Control Validated, CN=*.example.com
[Output truncated]
In this output, you can see that the certificate is issued by a Certificate Authority (CA) and is signed with sha256WithRSAEncryption (a SHA-256 signature). Additionally, the certificate expires on June 11, 2016.
If this were a self-signed certificate, openssl would display the following lines instead (the handshake itself still completes; only the verification result changes):
verify error:num=18:self signed certificate
verify return:1
Web server testing is a very common troubleshooting scenario. With openssl, you can open a secure connection to a remote server on port 443, and then send raw HTTP commands. For example, the following text shows an exchange between an openssl client and a remote web server. The HEAD and Host lines, followed by an empty line, are the commands typed by the user:
$ openssl s_client -connect example.com:443
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.example.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[Output truncated]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.example.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3042 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
[Output truncated]
Escape character is '^]'.
HEAD / HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Date: Tue, 18 Aug 2015 16:07:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Content-Type: text/html
In this exchange, openssl opens a connection to example.com on port 443 (the HTTPS port). The user receives information about the SSL certificate chain, as well as the protocol version and cipher suite that were negotiated. The user then sends a raw HTTP request (HEAD). The HTTP/1.1 200 OK response confirms that the web server is accepting connections and responding to requests on port 443.
Similar to the procedure for web server troubleshooting, you can test secure POP (port 995) and IMAP (port 993) connectivity.
The following text shows a sample exchange between an openssl client and a remote IMAP server. The final QUIT line is the command typed by the user:
$ openssl s_client -connect example.com:993
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Bellingham/O=Example.com, Inc./CN=*.example.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[Output truncated]
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Bellingham/O=Example.com, Inc./CN=*.example.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3419 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
[Output truncated]
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
QUIT
The responses show that the server is accepting connections and responding to requests on port 993. Additionally, the line that starts with * OK is the IMAP greeting, which shows that IMAP is running and ready for requests. (IMAP commands are tagged, so to end the session cleanly you can send a1 LOGOUT instead of QUIT.)
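The three checks above (certificate verification, the HTTP HEAD request, and the IMAP greeting) wrapped into small POSIX sh functions, as an added example that is not code from the original article. The function names and the script name tlscheck.sh are assumed; the sample output in the test is constructed in the format s_client prints.

```shell
#!/bin/sh
# Added example, not from the original article: the s_client checks shown above
# wrapped in small POSIX sh functions so the verdict can be read at a glance.
# Assumes sed/grep/tr; openssl itself is only run by tls_probe and the live block.

# Classify the "verify error:num=N:" line that s_client prints (on stderr), reading
# the captured s_client output from stdin. N is an OpenSSL X509_V_ERR code.
tls_verdict() {
  out=$(cat)
  case "$out" in *CONNECTED*) ;; *) echo NO_CONNECTION; return 0 ;; esac
  err=$(printf '%s\n' "$out" | sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | head -n 1)
  case "$err" in
    "")    echo OK ;;                # no verify error line: chain verified
    18)    echo SELF_SIGNED ;;       # self signed certificate (the leaf itself)
    19)    echo SELF_SIGNED_CHAIN ;; # self signed certificate in certificate chain
    10)    echo EXPIRED ;;           # certificate has expired
    20|21) echo UNTRUSTED_CA ;;      # issuer missing from the local trust store
    *)     echo "OTHER:$err" ;;
  esac
}

# Pull the HTTP status line (e.g. "HTTP/1.1 200 OK") out of the HEAD response.
http_status() { tr -d '\r' | sed -n '/^HTTP\/[0-9.]* [0-9][0-9][0-9]/p' | head -n 1; }

# Report whether an IMAP server sent its "* OK ..." greeting.
imap_ready() { if grep -q '^\* OK'; then echo READY; else echo NOT_READY; fi; }

# Live probe: the same HEAD request as in the article. -ign_eof stops s_client
# quitting when stdin closes; "Connection: close" lets the server end the session.
# 2>&1 is needed because the verify lines go to stderr.
tls_probe() {
  host=$1; port=${2:-443}
  printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" \
    | openssl s_client -connect "$host:$port" -servername "$host" -ign_eof 2>&1
}

# Usage: sh tlscheck.sh example.com 443   (tlscheck.sh is a hypothetical name)
if [ -n "${1:-}" ]; then
  out=$(tls_probe "$@")
  echo "verify: $(printf '%s\n' "$out" | tls_verdict)"
  echo "http:   $(printf '%s\n' "$out" | http_status)"
  # x509 -checkend exits non-zero when the first PEM cert in its input expires
  # within the given number of seconds (30 days here).
  if ! printf '%s\n' "$out" | openssl x509 -noout -checkend 2592000 2>/dev/null; then
    echo "warning: certificate missing or expiring within 30 days"
  fi
fi
```

The parsing functions read captured s_client output from stdin, so they can also be run over output saved from an earlier session.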
For more information about OpenSSL, please visit https://www.openssl.org.