GOAL
The aim of this article is to describe several methods to check the Server Certificate exchanged for a particular Host.
PROCEDURE
With openssl
openssl s_client -connect <HOST>:<PORT> -ign_eof
With openssl through a proxy (openSSL v1.1+ is required)
openssl s_client -connect <HOST>:<PORT> -ign_eof -proxy <PROXY_HOST>:<PROXY_PORT
With curl
curl <HOST>:<PORT> -v
With curl through a proxy
curl --proxy <PROXY_HOST>:<PROXY_PORT> <HOST>:<PORT> -v
Sample output
➜ ~ curl https://www.google.com -v
* Trying 172.217.172.68...
* TCP_NODELAY set
* Connected to www.google.com (172.217.172.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
* start date: Nov 3 07:39:18 2020 GMT
* expire date: Jan 26 07:39:18 2021 GMT
* subjectAltName: host "www.google.com" matched cert's "www.google.com"
* issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9d4f008200)
> GET / HTTP/2
> Host: www.google.com
> User-Agent: curl/7.64.1
> Accept: */*
➜ ~ openssl s_client -connect runtime-manager.anypoint.mulesoft.com:443 -ign_eof
CONNECTED(00000006)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = ca, L = San Francisco, O = "MuleSoft, LLC", OU = Mulesoft, CN = runtime-manager.anypoint.mulesoft.com
verify return:1
4632759916:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 42
4632759916:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/C=US/ST=ca/L=San Francisco/O=MuleSoft, LLC/OU=Mulesoft/CN=runtime-manager.anypoint.mulesoft.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIG1TCCBb2gAwIBAgIQDr7nOnzfNIjmUAaB+x3nGTANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkwMTE3MDAwMDAwWhcN
MjEwMTIxMTIwMDAwWjCBjTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAmNhMRYwFAYD
VQQHEw1TYW4gRnJhbmNpc2NvMRYwFAYDVQQKEw1NdWxlU29mdCwgTExDMREwDwYD
VQQLEwhNdWxlc29mdDEuMCwGA1UEAxMlcnVudGltZS1tYW5hZ2VyLmFueXBvaW50
Lm11bGVzb2Z0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMlD
EdRkgbgH20EuUTQzd06+r4PMlsc9obhOdLjX5NAiKOqkcUn12Jn7IpoO2S+aS/LE
9mVjLbpydEkbB3vGQGl4eBMkWW72br3bqZnnMtQTy+0d1rymMklwxSNI0RYxmI/2
Xi52oTaQOJxUEVxDLOC1ZJpUnYAKmlqsYgHYnQ1ku6k/z0yO4DOteXftOVhQDO94
sp0ZvkQaiTnBqHz+cUyRl1tF1VO6jOHUx1peRXW7KYna1vS5FYftSNOL7t5QVpAZ
wxToDnpbK54rxEzre5+n7rv60VxbDXPOmi10xP5hKaSB3RpCHK9uKcBz7wSptWoy
raQywOYND4Bg6q989yECAwEAAaOCA24wggNqMB8GA1UdIwQYMBaAFA+AYRyCMWHV
LyjnjUY4tCzhxtniMB0GA1UdDgQWBBSfCqPRfhEc+JF53zGVZjndWwyA3DAwBgNV
HREEKTAngiVydW50aW1lLW1hbmFnZXIuYW55cG9pbnQubXVsZXNvZnQuY29tMA4G
A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYD
VR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hh
Mi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNo
YTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEW
HGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUF
BwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYG
CCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRT
SEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5
AgQCBIIBbgSCAWoBaAB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQ
AAABaF3qD9wAAAQDAEgwRgIhAOMyuiUoCDnCRfkqGiigAy/Z5Xy4gXSeDLpXmqe7
1wymAiEAzWl4V/c4O1z7Uq0lioJi/Ue0vCYj2lm/XB0i3U/JRtMAdQCHdb/nWXz4
jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWhd6hB9AAAEAwBGMEQCIF5k3WEw
FhvsaND9AvznGs8GXGGoIEcoloMb1Qgdj6YfAiBRdd8sq0f5WRrhUjSblKRiUPrd
Bb14rVSczdYFq3Rg1wB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kT
AAABaF3qESsAAAQDAEcwRQIgIXOLk8VAheYpq4EmojDDXVGPzA/qedcAc9tatTNK
HCcCIQCuo8xB1SYMvbS2BHPgD1zTP861jbM09dUXLw/Kjnd8HjANBgkqhkiG9w0B
AQsFAAOCAQEAZhkqfWI8RBM40mlFC/Qz8+lVEg+kEebZlEmHAdz5gPy+9+Pjd6Tq
DtBTDo7dRYb02tBtkepb8TuYB6JVpaj2OtBAL1dI7pdaMcqKSl0AuLmGHWqTCO8P
bre8aalh08DkQ2T6IjMLUH0oSEfuj4ETgnzg3aMXChfXEYIfz4gey9ktvSVPgqdX
C09nqiPckOaCnV9fURDFmUe7qcLAyXSssgTY/q6KtiE0G58+IjrzsJGDrz7nIrjE
tx76wbf9b27DpBzTnS7muDM6KzAzpn9guZCgLepAvZ1fUliyOJqLWhlFW6YpmJKE
bX7nYriIxvah58zpR5n0hRtQX3UY8s9vzQ==
-----END CERTIFICATE-----
subject=/C=US/ST=ca/L=San Francisco/O=MuleSoft, LLC/OU=Mulesoft/CN=runtime-manager.anypoint.mulesoft.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Acceptable client certificate CA names
/emailAddress=devops@mulesoft.com/C=US/ST=CA/L=San Francisco/O=MuleSoft/OU=MuleSoft/CN=MuleSoft
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4508 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5FC11E0FE95BF917D4475DA725EE6A41160BE6F434AE4101D46DC6FFFDDA78A6
Session-ID-ctx:
Master-Key: 78D593D6085DE01AF5851FC86776168112DC969B7A451DB4317BF92DF56E149A348FB2AF8C2EE181C654D378D369F081
Start Time: 1606491663
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
