Here, I collected some essential commands for OpenSSL.
Check the Connection:
$ openssl s_client -showcerts -connect www.microsoft.com:443
Decoding BASE64 (PEM) Certificate
Capture the output between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” tags, and save as a text file (i.e. cert_microsoft.com).
Run the command below to read the file, and display it in a textual format.
$ openssl x509 -noout -text -in cert_microsoft.com
Decoding Binary Certificate (DER) Certificate
DER is a binary certificate format and the content is the same as PEM (Base64).
$ openssl x509 -noout -text -inform der -in cert_microsoft.der
Convert Certificate between DER and PEM format
By the way, -inform
is short for “input format”
$ openssl x509 -inform der -in cert_microsoft.der -out cert_microsoft.pem
$ openssl x509 -inform der -in cert_mirosoft.der -outform pem -out cert_microsoft.pem
$ openssl x509 -in cert_microsoft.pem -outform der -out cert_microsoft.der
$ openssl x509 -inform pem -in cert_microsoft.pem -outform der -out cert_microsoft.der
Checking the Chain of Trust
$ openssl verify -verbose cert_microsoft.pem
If you see "Error 20 at 0 depth lookup", it means that the intermediate certificate (or certificate for the Issuer of the server certificate) is missing.
$ openssl verify -untrusted cert_symantec cert_microsoft.pem
If you see "Error 20 at 1 depth lookup", it means the error is no longer on the server certificate (0 depth) but now can't find the issuer certificate for the Symantec cert.
$ openssl verify -untrusted cert_symantec -CAfile ./RootCerts.pem cert_microsoft.pem
You should see everything is "OK" now.
If you have more than 1 intermediate certificate, just concatenate both certs into one.
$ cat inter1.pem inter2.pem > inter_both.pem
Testing SSLv2/SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3
$ openssl s_client -ssl2 -connect microsoft.com:443
$ openssl s_client -ssl3 -connect microsoft.com:443
$ openssl s_client -tls1 -connect microsoft.com:443
$ openssl s_client -tls1_1 -connect microsoft.com:443
$ openssl s_client -tls1_2 -connect microsoft.com:443
$ openssl s_client -tls1_3 -connect microsoft.com:443
$ openssl s_client [-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3] -connect microsoft.com:443
Get the Common Name (cn) or Subject
$ openssl x509 -noout -subject -in cert_microsoft.pem
Renegotiation (by client)
$ openssl s_client -connect www.microsoft.com:443
HEAD / HTTP/1.0
R
<CRLF>
Testing Weak Ciphers
$ openssl s_client -cipher NULL,EXPORT,LOW,3DES -connect <site:port>Testing NULL Cipher
$ openssl s_client -cipher aNULL -connect <site:port>Forward Secrecy
Testing RC4 ciphers
$ openssl s_client -cipher RC4 -connect <site:port>Testing Compression (CRIME/TLS or BREACH/HTTP)
"Compression: zlib compression" and "Compression: 1 (zlib compression)"
indicate that the remote server is vulnerable to the CRIME attack. "Compression: NONE" means not vulnerable to TLS compression.
$ openssl s_client -connect <site:port>
GET / HTTP/1.1 Host: example.com Accept-Encoding: compress, gzip
<CRLF><CRLF>
If the response contains encoded data, it indicates that HTTP compression is supported; therefore the remote host is vulnerable (to BREACH).