DEV Community

Maxime Guilbert
Maxime Guilbert

Posted on • Edited on

Tips to test SSL parameters in command line

During an Istio set-up with all the SSL Stuff, I had some issues with SSL. So I found the following commands to do some tests.


Check the certificate exposed by an endpoint

With OpenSSL, we can check if an endpoint support a specific version of TLS, and if yes, with which certificate.

Request

Example to test google.com on port 443 with TLS 1.2

openssl s_client -connect google.com:443 -tls1_2

To test with other versions of TLS, you just need to change tls1_2 by tls1_1 or tls1_3.

Answer

Example of an answer where the endpoint support TLS 1.2

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA0nt67i+GAazJs4e+bBSMqB6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA1MjMyMTU5MDBaFw0x
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANLrc8IH2BP51XLhR6L2/IjRuNYcoj6UH58K
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASI.........
dl0=
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3019 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DF39CB241F6580C6E6570E0E9827D7F8615A71A76359DB4F9D1B9D3AD
    Session-ID-ctx:
    Master-Key: 12E8FF788E15AAA2E95BE35C5864784B90ED5A9AE8352AFE98C7DCADB04E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502214066
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed
Enter fullscreen mode Exit fullscreen mode

Do curl with a specific version of TLS

Sometimes you need to do some calls with a specific version of TLS. So here, with curl, you can add parameters to define which version of TLS you want to use.

curl --tlsv1.2 --tls-max 1.2


Retrieve supported ciphers list

If you are not sure about which ciphers are supported by your server, you can use the following command to list them.

Request

openssl ciphers -v

Answer

Example of one line representing a cipher. Normally you should have a couple of lines like this one.

...
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
...
Enter fullscreen mode Exit fullscreen mode

I hope it will help you!

Please don't hesitate to give me feedback to help me to improve my writing skills.

Top comments (0)