During an Istio set-up with all the SSL stuff, I had some issues with SSL, so I found the following commands to do some tests.
Check the certificate exposed by an endpoint
With OpenSSL, we can check whether an endpoint supports a specific version of TLS and, if so, which certificate it presents.
Request
Example: test google.com on port 443 with TLS 1.2
openssl s_client -connect google.com:443 -tls1_2
To test other versions of TLS, replace tls1_2 with tls1_1 or tls1_3 (the -tls1_3 option requires OpenSSL 1.1.1 or newer on the client side).
Answer
Example of an answer where the endpoint supports TLS 1.2. The lines to look at are Protocol and Cipher in the SSL-Session block (a failed handshake shows Cipher : 0000) and the Verify return code at the end, which tells you whether the certificate chain was accepted.
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA0nt67i+GAazJs4e+bBSMqB6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA1MjMyMTU5MDBaFw0x
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANLrc8IH2BP51XLhR6L2/IjRuNYcoj6UH58K
NzA4MjEyMTU5MDBaMBcxFTATBgNVBAMTDGluaXNtZWFpbi5pZTCCASI.........
dl0=
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3019 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: DF39CB241F6580C6E6570E0E9827D7F8615A71A76359DB4F9D1B9D3AD
Session-ID-ctx:
Master-Key: 12E8FF788E15AAA2E95BE35C5864784B90ED5A9AE8352AFE98C7DCADB04E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1502214066
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
closed
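Added example (my own script, not from the post): it wraps the s_client check above in a small POSIX sh script that probes each TLS version in turn, parses the answer the way described above, and treats a real cipher (not 0000) as the success signal. The function names, the -servername use and the sample transcript are my assumptions; the transcript is constructed from the answer shown above.

```shell
#!/bin/sh
# Added example (not from the post): probe which TLS versions an endpoint accepts
# and summarise the s_client answer shown above. Function names are assumed.
# Reduce one s_client transcript (stdin) to key=value lines; tolerates the
# padding OpenSSL puts around the colon ("Protocol  : TLSv1.2").
summarize_s_client() {
  awk '
    /^ *Protocol *:/         { sub(/^ *Protocol *: */, "");         print "protocol=" $0 }
    /^ *Cipher *:/           { sub(/^ *Cipher *: */, "");           print "cipher=" $0 }
    /^subject=/              { sub(/^subject=/, "");                print "subject=" $0 }
    /^issuer=/               { sub(/^issuer=/, "");                 print "issuer=" $0 }
    /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); print "verify=" $0 }
  '
}

# s_client prints the SSL-Session block even when the handshake failed; the
# reliable success signal is a real cipher, not "0000" or an empty field.
handshake_ok() {
  cipher=$(printf '%s\n' "$1" | sed -n 's/^cipher=//p')
  [ -n "$cipher" ] && [ "$cipher" != "0000" ]
}

# Probe host:port with one version flag (tls1, tls1_1, tls1_2, tls1_3).
# -servername sends SNI, which an Istio ingress gateway needs to select the
# right certificate. -tls1_3 needs OpenSSL 1.1.1 or newer on the client side.
probe_version() {
  host=$1; port=$2; ver=$3
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" "-$ver" 2>&1)
  case $out in *nknown\ option*) echo "$ver unsupported-by-local-openssl"; return 2;; esac
  summary=$(printf '%s\n' "$out" | summarize_s_client)
  if handshake_ok "$summary"; then
    echo "$ver yes"; printf '%s\n' "$summary" | sed 's/^/  /'
  else
    echo "$ver no"; return 1
  fi
}

# Constructed transcript, modelled on the answer shown in the post (self-test input).
sample_transcript() {
  cat <<'EOF'
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
EOF
}

# Usage: sh tls_probe.sh google.com 443   (without arguments it only defines the functions)
if [ "$#" -eq 2 ]; then for v in tls1 tls1_1 tls1_2 tls1_3; do probe_version "$1" "$2" "$v"; done; fi
```

A non-zero Verify return code with a successful handshake is the usual picture for a self-signed Istio gateway certificate: the version is accepted, but the chain is not trusted by the client.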
Use curl with a specific version of TLS
Sometimes you need to make some calls with a specific version of TLS. With curl you can add parameters that define the minimum and maximum TLS version to use (the --tls-max option exists since curl 7.54.0).
curl --tlsv1.2 --tls-max 1.2 https://google.com
Retrieve the list of supported ciphers
If you are not sure which ciphers are supported by your server, you can use the following command to list them. Note that it lists the cipher suites your local OpenSSL build knows, not what the server accepts; to check one suite against the server, pass it to s_client with -cipher (or -ciphersuites for TLS 1.3 suites).
Request
openssl ciphers -v
Answer
Example of one line representing a cipher; normally you get many lines like this one. The columns are the suite name, the minimum protocol version, then Kx (key exchange), Au (authentication), Enc (bulk encryption) and Mac (message authentication; AEAD means the cipher provides it itself).
...
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
...
I hope it will help you!
Please don't hesitate to give me feedback to help me to improve my writing skills.