OpenSSL Debugging Hints
Debugging OpenSSL Issues
Here is a short list of some OpenSSL debugging hints and examples.
Some useful generic documentation links to get familiar with SSL, keys and certificates:
- Public key infrastructure - the generic concept
- Certificate authority
- Self-signed certificate
Display SSL Details
To display the SSL details of the connection to https://example.com use this command:
echo | openssl s_client -connect example.com:443
This connects to the server and prints the SSL details: the server certificate, the certificate chain, the negotiated cipher, the verification result, and so on. Port 443 is the default HTTPS port.
Add the -servername example.com option if the server is a virtual host that serves several SSL certificates on the same IP address; this enables SNI (Server Name Indication) so the server can pick the right certificate.
Add the -CAfile cert.pem option if you have a custom certificate; this verifies that the connection to the server works when that specific certificate is the trust anchor.
Dump the Server SSL Certificate
The previous command also dumps the server certificate (in PEM format) in its output. You can either extract it from the output by hand or use this sed command:
echo | openssl s_client -connect example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
Display Certificate Details
openssl x509 -in cert.pem -text -noout
This displays the certificate details in a human readable format.
Create a Self-signed Key
To create a self-signed certificate use this command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
The OpenSSL tool will ask for some input data interactively, like the organization name, your location, etc. For testing purposes it does not matter what you enter, feel free to use any values.
The only value that matters is the certificate subject: you must use the server host name, otherwise the SSL verification will fail. You can even use localhost if you only use the service locally via the https://localhost address.
Start a Testing SSL Server
A simple HTTPS web server can be started with this command:
ruby -r webrick/https -e 'WEBrick::HTTPServer.new(Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertName: [["CN", "localhost", OpenSSL::ASN1::PRINTABLESTRING]]).start'
It generates a different self-signed certificate at each start. (Note: technically it is a self-signed certificate, but for some reason the CA flag of the certificate is set to false, so the certificate cannot be used for verification. OpenSSL will not complain about a self-signed certificate, but about an unknown issuer certificate.)
If you want to always use the same certificate you have to point it to the certificate files:
ruby -r webrick/https -e 'WEBrick::HTTPServer.new(Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertificate: OpenSSL::X509::Certificate.new(File.read("cert.pem")), SSLPrivateKey: OpenSSL::PKey::RSA.new(File.read("key.pem"))).start'
Alternatively you can run a testing HTTPS server using the OpenSSL tools:
openssl s_server -key key.pem -cert cert.pem -accept 9000 -www
CURL and Custom Certificate
If you want to verify the SSL connection to the server using a custom SSL certificate you might run this curl command:
curl --cacert cert.pem https://example.com
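The whole workflow from "Dump the Server SSL Certificate" through "CURL and Custom Certificate" can be exercised offline with Ruby's OpenSSL bindings, which is what WEBrick uses under the hood. The following is an added example, not code from the original page: it builds a self-signed certificate whose subject is the host name, pulls the PEM block out of constructed s_client-style output (the same range the sed command selects), starts a loopback TLS server on an OS-chosen port in place of openssl s_server, and then connects with peer verification on, trusting only that certificate, which is what -CAfile and --cacert do. The host names (localhost, example.com), the sample output and the function names are assumptions made for the example.

```ruby
require "openssl"
require "socket"

# Added example (not the page's code). Assumes only Ruby's bundled openssl and
# socket libraries; host names, ports and the sample output are constructed.

# Build a 2048-bit RSA key and a self-signed X.509 v3 certificate for HOST.
# basicConstraints CA:TRUE lets OpenSSL accept the certificate as a trust
# anchor; the host name goes into both the CN and a DNS subjectAltName.
def make_self_signed(host, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                              # X.509 v3 is encoded as 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = cert.subject                   # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment,keyCertSign", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{host}", false))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Constructed stand-in for "echo | openssl s_client -connect host:443" output:
# a few of the status lines the real tool prints around the PEM block.
def sample_s_client_output(cert)
  [
    "CONNECTED(00000003)",
    "depth=0 CN = localhost",
    "verify error:num=18:self signed certificate",
    "---", "Certificate chain", " 0 s:CN = localhost", "   i:CN = localhost",
    "---", "Server certificate",
    cert.to_pem.chomp,
    "subject=CN = localhost", "issuer=CN = localhost", "---",
  ].join("\n") + "\n"
end

# Same selection as: sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
# Returns every PEM certificate block found in TEXT, in order.
def extract_pem_certificates(text)
  text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?/m)
end

# Loopback equivalent of "openssl s_server -key key.pem -cert cert.pem":
# serve TLS on an ephemeral 127.0.0.1 port for the duration of the block.
def with_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp    = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    until tcp.closed?
      begin
        server.accept.close   # handshake only; a real server would serve the request here
      rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
        next                  # a client refused our certificate; keep serving
      rescue IOError
        break                 # listener closed by the ensure block below
      end
    end
  end
  yield tcp.addr[1]
ensure
  server&.close
  thread&.join
end

# Client side of "openssl s_client -CAfile cert.pem -servername host" or
# "curl --cacert cert.pem": peer verification on, trusting only TRUST_ANCHOR.
# Returns true when the handshake, including the host name check, succeeds.
def tls_connect_verified(port, hostname, trust_anchor)
  store = OpenSSL::X509::Store.new                 # empty: nothing trusted by default
  store.add_cert(trust_anchor) if trust_anchor
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store      = store
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = hostname                          # SNI, and the name to verify against
  ssl.connect
  ssl.close
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  tcp&.close
end

# The three checks worth running against a test server: right trust anchor and
# host name, right anchor but wrong host name, and no trust anchor at all.
def verification_matrix(key, cert)
  with_tls_server(key, cert) do |port|
    {
      trusted_and_right_host: tls_connect_verified(port, "localhost", cert),
      trusted_but_wrong_host: tls_connect_verified(port, "example.com", cert),
      not_trusted:            tls_connect_verified(port, "localhost", nil),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  key, cert = make_self_signed("localhost")
  pem = extract_pem_certificates(sample_s_client_output(cert)).first
  puts "extracted: #{OpenSSL::X509::Certificate.new(pem).subject}"
  verification_matrix(key, cert).each { |name, ok| puts "#{name}: #{ok ? 'verified' : 'rejected'}" }
end
```

Only the first connection should verify: the second fails the host name check because the subject and subjectAltName say localhost, which is the failure mode the "Create a Self-signed Key" section warns about, and the third fails because an empty store trusts nothing, which is what you see from s_client without -CAfile.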
Custom Client Certificates
- The custom SSL certificates should be stored in the
- After adding a certificate there you need to call the update-ca-certificates command to create the correct symlinks to find it.