How to Verify A Connection is Secure Using OpenSSL

Posted on May 7, 2020 by Isabel Kettnich

Category: Tutorials | Tags: AES, Camellia, CAST, Certificate Signing Request, Ciphers, Communication, CRLF, Cryptographic Functions, Cryptography, CSR, Decryption, DES, Encryption, HTTP, HTTPS, OpenSSL, Password, Password Hash, Port 443, Private Keys, Secure Communications, Secure Sockets Layer, Security, SHA, SSL, SSL Certificate, S_Client, TLS, Toolkit, Transport Layer Security

Reading Time: 11 minutes

What is OpenSSL?

OpenSSL is a free and open-source software cryptography library that provides cryptographic functionality to applications to ensure secure internet communication. It is widely used on many server applications, and it is available for most Unix-like operating systems (including Solaris, Linux, Mac OS X, the four open-source BSD operating systems), OpenVMS and Microsoft Windows.

Besides that, OpenSSL is also a fully equipped instrumentation for implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

With the OpenSSL toolkit, we can perform various SSL related tasks along with a variety of cryptographic functions. Among these other tasks, we can generate CSRs (Certificate Signing Requests) and private keys. We can perform an SSL certificate installation, or we can convert our certificates into different formats. Then, we can verify its details or even extract information about the certificate.

If we are talking about cryptographic function, we can use it for file encryption and decryption purposes along with generating password hashes.

However, today, we are going to dedicate ourselves to a completely different function of this free toolkit - verifying a secure connection.

Prerequisites

One of the Unix/Linux OS platforms, which include the OpenSSL program by default. On Microsoft Windows, we must download and install OpenSSL from a binary and install it.

Getting Started

As the natural environment for OpenSSL is a Unix platform, we will assume we are working on one. Before we start with checking our connections, we need to make sure our OpenSSL is up to date, so let us check which version are we running with the following command.

[root@host ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

For those a bit more experienced and interested in the full details, we can append the -a flag.

[root@host ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
[root@host ~]#

In most cases, we will be using the system-supplied version of OpenSSL. However, if we find ourselves in need of an upgrade, we will need to download the latest version, extract it and compile from source.

There is not a specific help keyword among OpenSSL commands, but if we append a flag that OpenSSL does not recognize to our command, a help text will be provided to us. To examine the available options of this powerful tool, we can use the following command.

root@host:~# openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb

root@host:~#

For additional guidance, feel free to explore the man pages using the following command.

[root@host ~]# man openssl

Checking a Connection With OpenSSL

Among the many commands that OpenSSL offers, for testing secure connections we will use the openssl s_client command. The basic command outline is as follows:

[root@host ~]# openssl s_client -connect <domain name or IP>:<port>

In order to test a connection, we are going to need a domain name and a port. For the purpose of this test, we will be using the liquidweb.com domain. Since we are trying to confirm if our connection is secure, we will use port 443, which is the standard port for all secured HTTP (Hypertext Transfer Protocol over TLS/SSL) traffic.

The command we are going to use will open a connection to the www.liquidweb.com domain on port 443 and show us the SSL certificate used on it. It will provide us with a fair amount of other relevant output, such as the certificate chain, the ciphers that are in use, and other characteristics of the SSL/TLS session.

However, once connected, we will be able to type whatever we want, and that will provide us with the opportunity to send HTTP requests manually. For those who previously used the telnet command, this will feel familiar as the tool itself is similar to it. To test the connection to liquidweb.com domain on port 443, we are going to use the following command:

[root@host ~]# openssl s_client -connect www.liquidweb.com:443

And here is the full output of this command.

[root@host ~]# openssl s_client -connect www.liquidweb.com:443


CONNECTED(00000005)
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = D9406J, jurisdictionC = US, jurisdictionST = Michigan, C = US, ST = Michigan, L = Plymouth, street = 40600 Ann Arbor Rd E Ste 201, O = "Liquid Web, LLC", CN = www.liquidweb.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
 2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHwTCCBqmgAwIBAgIMZuWs07WLoi8uhNCpMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMzAe
Fw0yMDAyMTAxOTI1MzBaFw0yMjAzMjIxODIzNDBaMIHwMR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjEPMA0GA1UEBRMGRDk0MDZKMRMwEQYLKwYBBAGCNzwC
AQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCE1pY2hpZ2FuMQswCQYDVQQGEwJVUzER
MA8GA1UECBMITWljaGlnYW4xETAPBgNVBAcTCFBseW1vdXRoMSUwIwYDVQQJExw0
MDYwMCBBbm4gQXJib3IgUmQgRSBTdGUgMjAxMRgwFgYDVQQKEw9MaXF1aWQgV2Vi
LCBMTEMxGjAYBgNVBAMTEXd3dy5saXF1aWR3ZWIuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEArPlau7eH8GjzmN6Q9dNDQ/A5O2D8putk4F4S6LiQ
w/CO7KQS5YFCPhxW42AyiBImhzdrHL8TZ00srvOYGhDmlwt78Pnb+aFBsrAJNq65
Ty0BOlKF0uDJe01DH9amdphuQEyiNXtSN5OlSSPRGrypiTm8MOnGt/2pJxK49YGX
0XVMMdxtrgDViAoRW3WWqpcSsTtCRx4rGKUIC60e/+z8QAVADyy/9QzLBuJSyjkG
GLanR8Dn/4lNo8dJg5ovkcmghXSo0BpLvBWtZBhTS0eAe/VODD2I6uXohDDkBzW6
pEN5wTcOotxXP6neqdD5jbxs49D+dicWVrsUv4+QoeUT+QIDAQABo4ID5jCCA+Iw
DgYDVR0PAQH/BAQDAgWgMIGWBggrBgEFBQcBAQSBiTCBhjBHBggrBgEFBQcwAoY7
aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3NleHRlbmR2YWxz
aGEyZzNyMy5jcnQwOwYIKwYBBQUHMAGGL2h0dHA6Ly9vY3NwMi5nbG9iYWxzaWdu
LmNvbS9nc2V4dGVuZHZhbHNoYTJnM3IzMFUGA1UdIAROMEwwQQYJKwYBBAGgMgEB
MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9z
aXRvcnkvMAcGBWeBDAEBMAkGA1UdEwQCMAAwRQYDVR0fBD4wPDA6oDigNoY0aHR0
cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2V4dGVuZHZhbHNoYTJnM3IzLmNy
bDCBqwYDVR0RBIGjMIGgghF3d3cubGlxdWlkd2ViLmNvbYISY2FydC5saXF1aWR3
ZWIuY29tghRtYW5hZ2UubGlxdWlkd2ViLmNvbYIRbmV3LmxpcXVpZHdlYi5jb22C
GG1hbmFnZS5zdG9ybW9uZGVtYW5kLmNvbYIOd3d3LnNvbmV0Ny5jb22CFXd3dy5z
dG9ybW9uZGVtYW5kLmNvbYINbGlxdWlkd2ViLmNvbTAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU3bPnbagu6MVObs905nU8lBXO6B0w
HQYDVR0OBBYEFPhVNQlDuYjW8he+m/phOpW9dlNRMIIBfwYKKwYBBAHWeQIEAgSC
AW8EggFrAWkAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAXAw
kGUSAAAEAwBHMEUCIQD4dzIeqx4PkeoPSRoljPjqexdZPntdUXXHBhU7hkfdUQIg
AshbvBANLIqKBLGN0vpU8Lq6LAdc0hwq2536VEarag8AdgAiRUUHWVUkVpY/oS/x
922G4CMmY63AS39dxoNcbuIPAgAAAXAwkGOpAAAEAwBHMEUCIDVT3mV7GHfu5Wz9
QVxm/ewe/NaFTFMXjXtQpH6FNZP8AiEA50qff+xJDgYuvYWqcGo67+pOfP+BiCgW
L6b34XIwbQIAdwBRo7D1/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAAAXAw
kGSXAAAEAwBIMEYCIQDHY+1MVRlxSR7Gfv3SQ6us7nawS4dqFcRMEztDTlYWmwIh
AOkXVShugJdmRvTEXLbVhGNIf1Jcrmxb3ssH39GD8y8RMA0GCSqGSIb3DQEBCwUA
A4IBAQAOYcvVEjvLqHpYHxeO001Ywz9PLQcuM0u3oPG915hdp+a42qMZmb7kOc6S
sEG7mvytYkVE7Pghj2KoxS9ZRUplD+K/7vGJKuS9YeCTejheA0otNb6t/ui+GU6X
+HSamCru/psNe8Q15rhsaWqrGZa4rR6vBvNiJd5xCL1FBYtVRoHliYjWNrAqq6Ia
2Iy07Xqg7Cuk89ZexeFZa8KUqcH7S0jfLe+5M7LRV+tFvLgdiBA4U1M0hX+ME8eD
T8QBizu5zjGN6Fz4+R3zZrH9GrbahsG88HRmlsVnOPvkt4BqmXfITfDJLxImTXc3
CWWNBZJzxuISBzQvWMxQvk3nXZdB
-----END CERTIFICATE-----

subject=businessCategory = Private Organization, serialNumber = D9406J, jurisdictionC = US, jurisdictionST = Michigan, C = US, ST = Michigan, L = Plymouth, street = 40600 Ann Arbor Rd E Ste 201, O = "Liquid Web, LLC", CN = www.liquidweb.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4657 bytes and written 735 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: ECD5CD026E4FC0F951C7237E62B6C9C0250E6B711F4FFB8D053F10D34E89419F
    Session-ID-ctx:
    Resumption PSK: BD9B7DE5FDF601C0015BAEB6C52143850F20F7ADFFD253577681152268BD162A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    TLS session ticket:
0000 - 01 58 6e 4f ba 9a ae 76-f2 25 d1 be 8f 3c 30 a1   .XnO...v.%...<0.
0010 - 57 91 03 38 63 24 a9 4a-d9 cc 82 c2 bb 7e e4 80   W..8c$.J.....~..
0020 - 02 63 26 97 28 7d ce e4-0e fa 46 20 b6 ce 00 3c   .c&.(}....F ...<
0030 - a4 34 66 38 ff 01 bf 36-17 9c 2b 9c 4e eb e1 32   .4f8...6..+.N..2
0040 - e2 39 e5 0c f2 55 0c 72-19 08 37 c6 be 2e 9f 22   .9...U.r..7...."
0050 - c0 b3 85 0a fe 5f b5 03-43 ec 42 7e b7 34 b7 c2   ....._..C.B~.4..
0060 - 64 ea 4f 73 7a ac 65 1d-5d 3f 5b 91 9f 05 7d 87   d.Osz.e.]?[...}.
0070 - a4 fd 4f a0 cb 65 a5 e2-d6 5c 25 db db 6a 3d 76   ..O..e...\%..j=v
0080 - 92 91 3c ca 63 0b bd 22-35 b8 28 7d 8a 87 67 3e   ..<.c.."5.(}..g>
0090 - 14 d9 d2 3e d0 73 68 be-ea 57 13 93 63 52 2b 9f   ...>.sh..W..cR+.
00a0 - 2b 9e a9 92 84 0d 74 6c-7c 4e 5c d5 9a 00 c3 ed   +.....tl|N\.....
00b0 - 92                                                .

    Start Time: 1588773944
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Now, once we are connected, we can send a HEAD command with our HTTP to instruct the HTTP server not to send the response body. To send our request, we’ll need to type the following command.

HEAD / HTTP/1.1
Host: www.liquidweb.com

Note:

There must be an empty line appended to the request, as that is a vital part of HTTP format.

Once the request has been sent, the server will send us a reply.

HTTP/1.1 200 OK
Server: nginx/1.16.1
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache
Content-Type: text/html; charset=UTF-8
Date: Sun, 03 May 2020 12:07:26 GMT
Link: <https://www.liquidweb.com/lw-api/>; rel="https://api.w.org/"
Link: <https://www.liquidweb.com/>; rel=shortlink
Transfer-Encoding: chunked
X-Nginx-Cache: HIT
Connection: Keep-Alive
Set-Cookie: lwDisableCookiePrompt=1;domain=liquidweb.com;path=/;max-age=315360000
X-Page-Speed: 1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.2.20

closed

Now we have successfully confirmed that the TLS communication layer is working. With our initial command, OpenSSL connected to the liquidweb.com domain on the secure HTTPS port of 443. We received details back about the SSL certificate, certificate authority, ciphers, etc. Then, we sent a raw HTTP HEAD request and received a reply which confirmed the web server not only accepted our connection, but also responded to our request.

Basically, there are two outputs to the mentioned s_client -connect command:

The server accepted our connection, which will display an SSL certificate along with the additional output.
The server rejected our connection and provided us with an error message such as connect: Connection timed out or connect:errno=110.

If the connection is rejected and the domain name and port are correct, the server will not accept secure connections on that specified port.

However, if we establish a connection with the initial command and HTTP requests keep failing, there might be a solution for us. For this example, let us use one of our testing domains, yesnt.tk. We will try to connect with the same command used for testing liquidweb.com

[root@host ~]# openssl s_client -connect yesnt.tk:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = shellbear.ga
verify error:num=10:certificate has expired
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
depth=0 CN = shellbear.ga
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
---
Certificate chain
 0 s:/CN=shellbear.ga
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgIQeWEqm8k8c3HNVdzCT7Q/rjANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xFTAT
BgNVBAoTDGNQYW5lbCwgSW5jLjEtMCsGA1UEAxMkY1BhbmVsLCBJbmMuIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDcyNDAwMDAwMFoXDTE5MTAyMjIzNTk1
OVowFzEVMBMGA1UEAxMMc2hlbGxiZWFyLmdhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAm1Sht3pf1nCetcyrAbQeQwE8ofny8iyGo9vbnc5zRaHJ3lnP
sfnGvOkDo1MgHCLWgn6bzOfgY+9L9NsmSG4rXqbDsJs0XQEsmjWeGklJA57P6Yng
5Hi0KjQBsOqEL5tklAACdNpWIEMoX5zSdWKTj4RmI8lQdhBdSaXK+ymNDpUu52jC
BBhXorUqFLgXuagvu2CBFNM599X66exvbvs68qRYJhwjguPKwp9i1wANqBWICcoD
+k2+sP/OCtl5i8XHvX9JOchV/MHxg0D7SiCDnaQAzOgyfDg9NLgsl3cEV+Afaasw
TYdchquAiDw4zHL14WotZ6pHlyr1cuHCr+P1mQIDAQABo4IC5zCCAuMwHwYDVR0j
BBgwFoAUfgNaZUFrp34K4bidCOodjh1qx2UwHQYDVR0OBBYEFBqgj8p3hHmwlJcb
XiStJkU7Y+7RMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgI0
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9jUGFuZWxJbmNDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB9BggrBgEFBQcB
AQRxMG8wRwYIKwYBBQUHMAKGO2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL2NQYW5l
bEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wPAYDVR0RBDUwM4IMc2hlbGxiZWFyLmdhghFt
YWlsLnNoZWxsYmVhci5nYYIQd3d3LnNoZWxsYmVhci5nYTCCAQYGCisGAQQB1nkC
BAIEgfcEgfQA8gB3AGPy283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAAB
bCIpo84AAAQDAEgwRgIhAI80yjN/XG95oLxj0JGkmceRnZUrVK+wnqYJ4iWS/XbZ
AiEAgI92Ifz0I5kQBBHGU/ojwXlrhNIuyPT6o/mJzw4CdDcAdwB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWwiKhzaAAAEAwBIMEYCIQDrEL3R/pQj
0U/IFp48w5M61Y9jkZMZL3iF2J0Qf/AdugIhAMV0HttIGa2I8xRXeXXd+7NpAjbA
Qt413brsFnLXyuGTMA0GCSqGSIb3DQEBCwUAA4IBAQAEGiu+Y2aLUM/0xy8tiPfl
vu11aolTodX4DyfqlUM0HoIIOHUWFq3zGcjU9hcDXzsq26N7/BZLqJNJMUn6BaoQ
Zvy79xwN/rgKFOZb/wK7wMr0fvM7eOHhHYGoAS+M/2g3RtVh8Fi9lAidL2tsrzHs
CxzoCY1aA6yRsRdkTNgKaSn/ZtEqmYeBeAxgrPhXSZ2GSSHU6rdnrmF6G8GQQGn1
4njMUZ2ll7077HsJbhsjhy1FtYiYt4lR2hPd2jgPNUmbTpLsR6i4SuBXLPpAwRRX
QgvpIiaFpbHKOwd1C3LFND+FdfzykW/Lp9YMmteF6NNeZFfdGRlH0u0l15HyfqRO
-----END CERTIFICATE-----
subject=/CN=shellbear.ga
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5153 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7E143DC254451082AABC45067936A675AD210CEDA7643F85347AA6DCE16B5615
    Session-ID-ctx:
    Master-Key: FD615434DC4AD0F2955F0801B2B451636CE14D1B567E400725E213245A9B80D932257F9529D05524551D5A9F1B48F37C
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6c 1f 89 0f fb 47 fa 8d-54 85 f7 14 82 2f 7b 1f l....G..T..../{.
    0010 - 1e c4 66 3a eb 28 98 b9-a2 75 fd 67 0d 0e f0 02 ..f:.(...u.g....
    0020 - ce b0 bd 41 25 df d9 86-b0 39 8d 46 ce cc e5 75 ...A%....9.F...u
    0030 - 2c 9c 23 e5 2e 62 1a 30-fe c2 a0 f8 86 f2 09 7c ,.#..b.0.......|
    0040 - 92 29 d0 d4 14 26 22 16-c2 40 9b 3f b3 6a c9 51 .)...&"..@.?.j.Q
    0050 - 85 01 ba df 90 20 41 05-e0 72 bd 97 73 d5 99 93 ..... A..r..s...
    0060 - 6c a4 50 2e b0 9e d3 6a-2d 05 b1 e8 9f 03 8f 3e l.P....j-......>
    0070 - 06 8f b3 29 88 6d 32 91-79 5c f2 70 b4 5d 3c 9c ...).m2.y\.p.]<.
    0080 - 63 ab 99 3b ce 7f cb c6-4e 12 cc 9a cb a5 e6 45 c..;....N......E
    0090 - 6b 91 ae 74 13 e5 fd 76-d3 69 57 45 73 8e 74 f9 k..t...v.iWEs.t.
    00a0 - df 23 cb ad 89 3f 72 10-ec a5 0b 69 45 2b 28 a3 .#...?r....iE+(.
    00b0 - 4c 8e 92 c1 46 1b 13 f0-9f 48 6d 45 b5 55 11 82 L...F....HmE.U..

    Start Time: 1588530922
    Timeout : 300 (sec)
    Verify return code: 10 (certificate has expired)
---


HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sun, 03 May 2020 18:35:29 GMT
Server: Apache
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<p>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
closed

As we can see from the output, the connection was established. But, as soon as we typed in the HEAD request, the server replied with an error.

Some servers require us to translate our line feed from the terminal into CR+LF (Carriage Return, Line Feed). Basically, CR and LF are control characters or bytecode that are used to mark a line break in a text file to help the server to understand what we are requesting from it. Let’s append the -crlf flag to our OpenSSL command. We will test it by using the following command.


[root@host ~]# openssl s_client -connect yesnt.tk:443 -crlf
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 CN = shellbear.ga
verify error:num=10:certificate has expired
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
depth=0 CN = shellbear.ga
notAfter=Oct 22 23:59:59 2019 GMT
verify return:1
---
Certificate chain
 0 s:/CN=shellbear.ga
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/DCCBOSgAwIBAgIQeWEqm8k8c3HNVdzCT7Q/rjANBgkqhkiG9w0BAQsFADBy
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxEDAOBgNVBAcTB0hvdXN0b24xFTAT
BgNVBAoTDGNQYW5lbCwgSW5jLjEtMCsGA1UEAxMkY1BhbmVsLCBJbmMuIENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDcyNDAwMDAwMFoXDTE5MTAyMjIzNTk1
OVowFzEVMBMGA1UEAxMMc2hlbGxiZWFyLmdhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAm1Sht3pf1nCetcyrAbQeQwE8ofny8iyGo9vbnc5zRaHJ3lnP
sfnGvOkDo1MgHCLWgn6bzOfgY+9L9NsmSG4rXqbDsJs0XQEsmjWeGklJA57P6Yng
5Hi0KjQBsOqEL5tklAACdNpWIEMoX5zSdWKTj4RmI8lQdhBdSaXK+ymNDpUu52jC
BBhXorUqFLgXuagvu2CBFNM599X66exvbvs68qRYJhwjguPKwp9i1wANqBWICcoD
+k2+sP/OCtl5i8XHvX9JOchV/MHxg0D7SiCDnaQAzOgyfDg9NLgsl3cEV+Afaasw
TYdchquAiDw4zHL14WotZ6pHlyr1cuHCr+P1mQIDAQABo4IC5zCCAuMwHwYDVR0j
BBgwFoAUfgNaZUFrp34K4bidCOodjh1qx2UwHQYDVR0OBBYEFBqgj8p3hHmwlJcb
XiStJkU7Y+7RMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgI0
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9jUGFuZWxJbmNDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB9BggrBgEFBQcB
AQRxMG8wRwYIKwYBBQUHMAKGO2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL2NQYW5l
bEluY0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wPAYDVR0RBDUwM4IMc2hlbGxiZWFyLmdhghFt
YWlsLnNoZWxsYmVhci5nYYIQd3d3LnNoZWxsYmVhci5nYTCCAQYGCisGAQQB1nkC
BAIEgfcEgfQA8gB3AGPy283oO8wszwtyhCdXazOkjWF3j711pjixx2hUS9iNAAAB
bCIpo84AAAQDAEgwRgIhAI80yjN/XG95oLxj0JGkmceRnZUrVK+wnqYJ4iWS/XbZ
AiEAgI92Ifz0I5kQBBHGU/ojwXlrhNIuyPT6o/mJzw4CdDcAdwB0ftqDMa0zEJEh
nM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWwiKhzaAAAEAwBIMEYCIQDrEL3R/pQj
0U/IFp48w5M61Y9jkZMZL3iF2J0Qf/AdugIhAMV0HttIGa2I8xRXeXXd+7NpAjbA
Qt413brsFnLXyuGTMA0GCSqGSIb3DQEBCwUAA4IBAQAEGiu+Y2aLUM/0xy8tiPfl
vu11aolTodX4DyfqlUM0HoIIOHUWFq3zGcjU9hcDXzsq26N7/BZLqJNJMUn6BaoQ
Zvy79xwN/rgKFOZb/wK7wMr0fvM7eOHhHYGoAS+M/2g3RtVh8Fi9lAidL2tsrzHs
CxzoCY1aA6yRsRdkTNgKaSn/ZtEqmYeBeAxgrPhXSZ2GSSHU6rdnrmF6G8GQQGn1
4njMUZ2ll7077HsJbhsjhy1FtYiYt4lR2hPd2jgPNUmbTpLsR6i4SuBXLPpAwRRX
QgvpIiaFpbHKOwd1C3LFND+FdfzykW/Lp9YMmteF6NNeZFfdGRlH0u0l15HyfqRO
-----END CERTIFICATE-----
subject=/CN=shellbear.ga
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5153 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6C2B159BF25C8942FE43813565753C50F23E0C2E3E5A8B8A7100C192DF295234
    Session-ID-ctx:
    Master-Key: B2B682A170DB961847D63AA01298ED843DD7C51D537F3E9E1B2703697307E2CFC0D8CDFE5BDE1F3BE2F90B98D95B7C81
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6c 1f 89 0f fb 47 fa 8d-54 85 f7 14 82 2f 7b 1f l....G..T..../{.
    0010 - 35 d6 6f 80 92 f9 fc 42-7a e0 be 8b c9 e6 60 f4 5.o....Bz.....`.
    0020 - 90 c4 7b e1 c4 b2 56 54-ea ee e2 1c d0 13 10 18 ..{...VT........
    0030 - 95 e5 15 71 45 91 2c 65-a9 34 b5 45 a3 32 c0 bd ...qE.,e.4.E.2..
    0040 - d0 6c 0a 88 06 12 3e 33-0a 88 b4 93 18 55 6e d1 .l....>3.....Un.
    0050 - 63 f4 72 8a 14 db 61 3f-77 4e d1 f1 b1 ee d5 9e c.r...a?wN......
    0060 - 8a 99 39 65 b4 55 72 15-2d 5f a6 0e dc 35 dd 69 ..9e.Ur.-_...5.i
    0070 - f5 dc 33 28 55 73 3e 40-80 d7 e2 7a e9 b9 d3 c2 ..3(Us>@...z....
    0080 - c3 3c 67 d6 5f 99 ec 3a-e8 1d 1c 3c 74 16 6d 2d .<g._..:...<t.m-
    0090 - e9 76 8b 31 d8 c3 5a ac-ee 32 aa 0b 23 2d c2 fc .v.1..Z..2..#-..
    00a0 - df de bb b7 8c 57 40 6f-5c 67 2e bb a9 46 62 0f .....W@o\g...Fb.
    00b0 - 50 4b 20 42 5a 58 ac fa-1e 6d 2b d9 66 fa 42 84 PK BZX...m+.f.B.

    Start Time: 1588531475
    Timeout : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
HEAD / HTTP/1.1
Host: yesnt.tk

HTTP/1.1 200 OK
Date: Sun, 03 May 2020 18:44:38 GMT
Server: Apache
Link: <https://yesnt.tk/wp-json/>; rel="https://api.w.org/"
Cache-Control: max-age=86400
Expires: Mon, 04 May 2020 18:44:38 GMT
Content-Type: text/html; charset=UTF-8

closed

Now, the server understood our request, and we received a response. Multiple other flags can be used with the OpenSSL s_client command that can assist us in troubleshooting our connection, and all of them are available on the OpenSSL man pages which we can review from our terminal or via the following URL: https://www.openssl.org/docs/man1.1.1/man1/s_client.html

Conclusion

In this tutorial, we learned what OpenSSL is and how to verify if we have a secure connection to a domain. This tutorial is only a small part of this powerful and useful command. This practical tool makes testing connections an easy task, and as it comes preinstalled on most Unix platforms, it provides all of its functionality from the start. Overall, OpenSSL is an invaluable tool in our kit that has much to offer.