Skip to content
Archive of entries posted on October 2016

OpenSSL s_client recipes

This post is pretty much a reminder note to myself how to quickly start debugging certificate errors. I have googled this stuff way too often.

Checking the certification expiration date:

openssl s_client -connect www.google.com:443 | openssl x509 -text

You could also add -servername parameter to support new ssl spec

 openssl s_client -servername google.com -connect www.google.com:443 | openssl x509 -text 

Then see these blocks

Validity
Not Before: Mar 22 00:00:00 2016 GMT
Not After : Mar 23 23:59:59 2017 GMT

Let’s verify the whole certificate chain:

openssl s_client -showcerts -connect www.google.com:443

This is the most common case for me. Most of the time the certificate is somehow installed in a wrong way. One common error is that the certificates are sent to the client in wrong order. This is fine for most of the clients, but at least Android seems to be expecting correct certificate order, as specified in the RFC document.

After this we can make simple GET request to the host with

GET /myresource.html HTTP/1.1
Host: www.google.com

After this remember to press the enter twice.