Use openssl to verify the server certificate and handshake process

Source: Internet
Author: User

Background

Due to the heart of openssl recently, I changed the ssl library 1.0.1g. I need to use this library to connect to the server. However, after I find that the Library is replaced, for some domain names, the ssl handshake will fail. In order to find out the cause of failure, we can find the handshaking status in the openssl tool.

Tracking the ssl port of the Website 1. Tracking the handshake without any protocol parameters
openssl s_client -connect gmail.com:443CONNECTED(00000003)depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CAverify error:num=20:unable to get local issuer certificateverify return:0---Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com   i:/C=US/O=Google Inc/CN=Google Internet Authority G2 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority---Server certificate-----BEGIN CERTIFICATE-----MIIEeDCCA2CgAwIBAgIILdHLb3yg3v8wDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwNTIyMTEyNjU3WhcNMTQwODIwMDAwMDAwWjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFpbC5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7ilDvSrk0jlEY0HSNv+7V1LUhUD9r7RUHsFHpkYo5Z+9vD9PJvYuHVbkUPHXMC0XLid7R5esEf7l1Cn29nBO8swVCgOcd2bn2rVG6N/N0YfBL5Hk11NNrl4BtX9E6TpD1XppUQumwL10Zqk4MF4zhj7VQMeg9eeS4FBWPz7LShcdJt6jfgC2yQ9dk3M/2OVztPtoOwkGDpmSxzXrFBglJmwjnOKER9GiZHmbp4OjcQQ+0vdoRbOTSrgyIfS22idWLei1ZLwfqHlcNn+OhLBzT4pTAjFOZBw5ez2+QqxiufY8qiuzT+KOIlKXQn/Nj/YFk2pTYvJEBolZ6pEVnwm5QIDAQABo4IBQjCCAT4wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBoGA1UdEQQTMBGCD21haWwuZ29vZ2xlLmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29tL29jc3AwHQYDVR0OBBYEFJ+aSQdtCR/3p4hwPsDDYjPn6HJTMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQEFBQADggEBAF5N1Dj+Y9k4MjADPH0qEebzd/8+b2SlsYjGJAn3gsdrkIB+HFwQJ4XjsS6FL8lsJhIqMWO4uw5Kt+hwLc8b6uuWTcx8Mx6O56YLivdFJ62ki0vxAwpDemjP7ktXwsW4vnjAyUYgO1CGxUlSy0PWYK5lmYJ8qXwfVKLBRZIXc/6cFYX5QiNZExQeFXzHogGgHtKwRU+yQSnd6mUSBmbCuEydR0hIESmCgnYHK48QRxYKOlenuXPeJoMAsuks0dqtAzYFZa0H/jwXSByNQAkwyRmOP62js1JIVXxc8V+zEf5Kp655M2VOZ6ihv89XAI5ADDNXFttfbfBVTvDYceb3nyQ=-----END CERTIFICATE-----subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.comissuer=/C=US/O=Google Inc/CN=Google Internet Authority G2---No client certificate CA names sent---SSL handshake has read 3741 bytes and written 443 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256Server public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONESSL-Session:    Protocol  : TLSv1.2    Cipher    : ECDHE-RSA-AES128-GCM-SHA256    Session-ID: E91F0144E74B2A6E363BBEF57E9366D8B8EEFA6BE0C45BF97079786D08B4DDC4    Session-ID-ctx:     Master-Key: 7751AAA26F0E30F4A4C01468912E41A412684F9D2C422EF15D105375591358B5239045BF361CBB55810F38AE1560AC75    Key-Arg   : None    PSK identity: None    PSK identity hint: None    SRP username: None    TLS session ticket lifetime hint: 100800 (seconds)    TLS session ticket:    0000 - 92 80 c7 a1 08 8f d6 9f-2f bd 71 73 f7 4f 51 59   ......../.qs.OQY    0010 - 41 8a 03 5d f3 3e 87 df-5b 5e d3 3b 0d 1a eb 65   A..].>..[^.;...e    0020 - 5d de a9 36 24 6e 9a 69-b3 37 87 35 c9 bb 3e a6   ]..6$n.i.7.5..>.    0030 - 63 30 c1 19 10 d5 d9 0d-5c d0 9c 37 6e 47 dc a3   c0......\..7nG..    0040 - 48 40 ce 13 92 8c e9 c5-ed 4b 5a f0 a6 30 fe cc   H@.......KZ..0..    0050 - b0 b5 23 ac 6c 76 63 63-54 d1 ff 76 e6 28 3d 31   ..#.lvccT..v.(=1    0060 - 7c 08 3b fe f2 bd 93 28-76 6d 01 ba 3a d4 e7 3f   |.;....(vm..:..?    0070 - 82 bd 31 cf 4d 3b a6 50-c7 76 0a 92 63 a9 78 b6   ..1.M;.P.v..c.x.    0080 - 8f 19 5f 83 85 84 36 da-be da 87 4c af 80 1a c8   .._...6....L....    0090 - ff 2e 00 8e 11 95 f5 8f-59 b1 cb e1 e7 62 cc 9a   ........Y....b..    00a0 - 44 8d 07 1b                                       D...    Start Time: 1401703776    Timeout   : 300 (sec)    Verify return code: 20 (unable to get local issuer certificate)---
The connect parameter is a basic parameter. The above content will show the server certificate and the handshake protocol used last. 2. Tracking the detailed handshake process.

You can add the-msg parameter.

openssl s_client -msg -connect hotmail.com:443CONNECTED(00000003)>>> TLS 1.2 Handshake [length 0138], ClientHello    01 00 01 34 03 03 d0 c0 d2 37 b7 d5 87 73 29 67    60 15 07 3f 05 3b fe b2 49 89 7e e4 18 60 9d c5    98 d9 b2 21 d2 7f 00 00 9e c0 30 c0 2c c0 28 c0    24 c0 14 c0 0a c0 22 c0 21 00 a3 00 9f 00 6b 00    6a 00 39 00 38 00 88 00 87 c0 32 c0 2e c0 2a c0    26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 12 c0    08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0    2f c0 2b c0 27 c0 23 c0 13 c0 09 c0 1f c0 1e 00    a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00 99 00    45 00 44 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00    9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0    02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00    08 00 06 00 03 00 ff 01 00 00 6d 00 0b 00 04 03    00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00    0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00    06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00    01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00    0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05    03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02    02 02 03 00 0f 00 01 01<<< TLS 1.0 Handshake [length 0051], ServerHello    02 00 00 4d 03 01 53 8c 4e d5 e0 c1 a4 5a a6 d0    90 4f ba b9 39 b1 f0 d9 8f 83 7f 93 a8 06 32 6c    e6 bc 7a 71 33 f4 20 6d 07 00 00 80 44 45 b5 d4    53 9c 88 4c 80 70 f8 a1 fe 48 61 0a 8a b4 db 74    62 c7 6c f4 ea fe 0a 00 2f 00 00 05 ff 01 00 01    00<<< TLS 1.0 Handshake [length 17be], Certificate    0b 00 17 ba 00 17 b7 00 0c b8 30 82 0c b4 30 82    0b 9c a0 03 02 01 02 02 10 62 cb 44 b9 c9 36 90......subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=600413485/C=US/postalCode=98052/ST=Washington/L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/OU=Outlook Kahuna SNT-DC A May2013/CN=mail.live.comissuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA---No client certificate CA names sent---SSL handshake has read 6227 bytes and written 643 bytes---New, TLSv1/SSLv3, Cipher is AES128-SHAServer public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONESSL-Session:    Protocol  : TLSv1    Cipher    : AES128-SHA    Session-ID: 6D070000804445B5D4539C884C8070F8A1FE48610A8AB4DB7462C76CF4EAFE0A    Session-ID-ctx:    Master-Key: AEA9E75A6B34444A3B9D10355CFD5F12F75A950E5F51FD1415D8ACB535D9156D0F0A0CBA41C1E9DFD6C0424CFB0B8EC8    Key-Arg   : None    PSK identity: None    PSK identity hint: None    SRP username: None    Start Time: 1401704135    Timeout   : 300 (sec)    Verify return code: 20 (unable to get local issuer certificate)--- 
3. Other available parameters of openssl s_client
openssl s_client -hunknown option -husage: s_client args -host host     - use -connect instead -port port     - use -connect instead -connect host:port - who to connect to (default is localhost:4433) -ssl2         - just use SSLv2 -ssl3         - just use SSLv3 -tls1_2       - just use TLSv1.2 -tls1_1       - just use TLSv1.1 -tls1         - just use TLSv1 -dtls1        - just use DTLSv1 -mtu          - set the link layer MTU -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol -bugs         - Switch on all SSL implementation bug workarounds -serverpref   - Use server's cipher preferences (only SSLv2) -cipher       - preferred cipher to use, use the 'openssl ciphers'                 command to see what is available
The cipher parameter indicates the encryption algorithm negotiated between the client and the server.

Ssl2, ssl3, tls1, tls1_1, tls1_2 indicates the protocol used to interact with the server.
No _ * Indicates disabling interaction with the server using the specified protocol.

Tracking the 25-port handshake of the email system

You can specify the-startls parameter in the parameter.

openssl s_client -connect gmail-smtp-in.l.google.com.:25 -starttls smtpCONNECTED(00000003)depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CAverify error:num=20:unable to get local issuer certificateverify return:0---Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com   i:/C=US/O=Google Inc/CN=Google Internet Authority G2 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority---Server certificate-----BEGIN CERTIFICATE-----MIIGhDCCBWygAwIBAgIIMl2Cl5h9ULAwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTMwOTA5MTEzMjM1WhcNMTQwOTA5MTEzMjM1WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXguZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQmg0q3bImRb43P8haKbOdXQfu/70b8bAocDzb6EmbwSxQ26TxkekhyMPV6i+eD/LKuOhOZapTlWEF8Wtx+OePmhSNQalHnM6UoOEXt9/2ZpZcMQxTYUI+MWPDMbYnU3HF1j6L8B81Ien4fvRJkKhORIEkLRtqxo7jxusmw82Ocjjx8WZINBJB5Q5jcX2FKXMZMWj0wOzfGmIwb/qlrf4nKHOpwZmGbkvqw9xYld+lnYrz/BRYIJ0YQWx7E5kCp4A4ymsDpGzagy+UiYVLu4lh8rPOYJa4Ft1spelj/PJ/yb45/oFNSs6P2zBfJaLN95Fa5OmvMYyvIcKc01slMvKECAwEAAaOCA1AwggNMMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAiYGA1UdEQSCAh0wggIZghJhc3BteC5sLmdvb2dsZS5jb22CF2FsdDEuYXNwbXgubC5nb29nbGUuY29tghdhbHQyLmFzcG14LmwuZ29vZ2xlLmNvbYIXYWx0My5hc3BteC5sLmdvb2dsZS5jb22CF2FsdDQuYXNwbXgubC5nb29nbGUuY29tghpnbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0Mi5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0My5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIfYWx0NC5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIYZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQxLmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0Mi5nbXItc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDMuZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQ0Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYINbXguZ29vZ2xlLmNvbYIVYXNwbXgyLmdvb2dsZW1haWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29nbGVtYWlsLmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tMGgGCCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNVHQ4EFgQU24ESi+juxG5r5hR9BEYIUDYGXmIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisGAQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAYdeafaH4JBz+Bq+m2P/VKlCLWYhzNHc4hV+KdqQYVtdUXtwvm3DmLYcoR75Wr8exsA9pN+/WaOLjnZITWAOAy/yce/X/POH2iWLt2O/EMvclqiKTczTHcmMYAz5UlmUktyZCGwT0WUgyJRL25HfAblVyei0NcthXXfvCHiCNU19TuaWnTVVv1W4iAMJpvOzOMlGhoKoineHMQF1jbYQLldWlqxgseE55YDgyneHbRRzmPOxtQwuN7LFKC5EN1+WY/xOp5Es9MJkOjbO5EVaLh+nLR7gwUN3f4yf37nLIMSyQZ2j/R39yfAhZR50aOwPQDbiCequZoNd1i352lfyHFA==-----END CERTIFICATE-----subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.comissuer=/C=US/O=Google Inc/CN=Google Internet Authority G2---No client certificate CA names sent---SSL handshake has read 4485 bytes and written 478 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256Server public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONESSL-Session:    Protocol  : TLSv1.2    Cipher    : ECDHE-RSA-AES128-GCM-SHA256    Session-ID: CE3B604D876B1010D655B012FD383C9C06F72932FCD53A3C13272F94EE684ACC    Session-ID-ctx:     Master-Key: 7C72F8BB7FED11F80A1C207CEE447635A8B41859D3C2043705D15E42FB2E5D9315B465B17D564EF2C72A453EDE4630D5    Key-Arg   : None    PSK identity: None    PSK identity hint: None    SRP username: None    TLS session ticket lifetime hint: 100800 (seconds)    TLS session ticket:    0000 - de 5b 3b e2 8a 56 28 7d-6b e9 5d 06 be bc 6c c7   .[;..V(}k.]...l.    0010 - 14 5d b1 00 93 bf a5 5a-bb 42 a2 d6 6f fa a6 61   .].....Z.B..o..a    0020 - 83 9d 08 1e 25 27 50 6e-04 5f 43 ac 30 bb e9 c5   ....%'Pn._C.0...    0030 - a2 40 7d f3 e3 0e 8c ff-6f 01 78 73 11 a1 66 e8   .@}.....o.xs..f.    0040 - 57 aa 09 1a d5 c5 a6 af-ba 9e 05 46 e2 34 1a 6d   W..........F.4.m    0050 - 70 01 86 c7 e5 d3 ce 32-57 dc 81 86 75 b3 0c e8   p......2W...u...    0060 - f5 75 0e 23 15 ce 42 55-7b ee 9d f9 45 3c 2d 38   .u.#..BU{...E<-8    0070 - b0 07 60 e6 78 05 06 c6-ff a1 90 f1 04 2f 7c 39   ..`.x......../|9    0080 - f2 a6 a7 58 b6 57 bf b0-60 2c ad 59 24 22 ca b1   ...X.W..`,.Y$"..    0090 - 04 6d 35 6b 17 e6 28 f5-28 f7 9d e2 e5 ff 1a 08   .m5k..(.(.......    00a0 - a1 16 e9 79                                       ...y    Start Time: 1401704720    Timeout   : 300 (sec)    Verify return code: 20 (unable to get local issuer certificate)---250 CHUNKING

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.