opensslverify

Use openssl verify on a local certificate or s_client on a remote one.

s_client

Use s_client with the -CApath option set to /etc/ssl/certs so that OpenSSL can find the root certificate in the local trust store when the server does not send it (which is usually the case: servers normally send the leaf and the intermediates only).

ychaouche@ychaouche-PC 10:30:22 ~/TMP/CERTS $ openssl s_client -CApath /etc/ssl/certs/ -connect domain.tld:993 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
[...]
    Start Time: 1557137051
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
^C
ychaouche@ychaouche-PC 10:30:23

The verify return:1 printed after each depth= line comes from the verification callback, a function that returns 1 on success and 0 on failure ([https://serverfault.com/questions/747525/what-does-verify-return1-mean-in-the-openssl-output|source]).

The last line, Verify return code, is the overall result of a different function and should be 0 (ok) on success; any other value is an X509 verification error number, such as 20 (unable to get local issuer certificate).

STARTTLS

For STARTTLS you must provide the -starttls smtp option (smtp here; s_client accepts other protocol names such as imap or pop3), otherwise s_client will never ask for a secure connection when you connect to a port where STARTTLS is configured.

$ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect smtp.host.tld:25
[...]
    Start Time: 1535281464
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
^C
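The return-code distinction and the -starttls handling above, turned into a script (an added example, not code from the original page): a parser that pulls the summary Verify return code and the per-depth callback lines out of s_client output, and a wrapper that runs s_client unattended. The host names and the two sample outputs are constructed for this example (the first is a trimmed copy of the run shown above); /etc/ssl/certs is the trust store path the page uses.

```shell
#!/bin/sh
# Added example, not part of the original page: a wrapper around
# `openssl s_client` plus a parser for its output, so the check runs
# unattended (no ^C needed) and the result can drive a script.
# Host names, ports and the sample outputs below are constructed.
set -eu

# verify_code: read s_client output on stdin, print the number from the
# "Verify return code: N (...)" summary line and return it as the exit
# status. 0 means the chain verified against the trust store.
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*$/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "no Verify return code found (handshake failed?)" >&2
        return 1
    fi
    echo "$code"
    return "$code"
}

# chain_summary: one line per certificate in the presented chain, pairing
# each "depth=N <subject>" line with the "verify return:R" callback line
# (and any "verify error:" line) that follows it.
chain_summary() {
    awk '
        /^depth=/         { d = $0; e = "" }
        /^verify error:/  { e = " [" $0 "]" }
        /^verify return:/ { print d e " -> " $0 }
    '
}

# tls_check HOST PORT [STARTTLS_PROTO]: connect, send nothing, print the
# verify code. </dev/null makes s_client exit after the handshake instead of
# waiting for input; -servername sends SNI so virtual hosts present the right
# certificate; -starttls is only added when a protocol (smtp, imap, ...) is given.
# s_client writes the depth/verify lines to stderr, hence 2>&1.
tls_check() {
    host=$1; port=$2; proto=${3:-}
    openssl s_client -CApath /etc/ssl/certs/ -servername "$host" \
        -connect "$host:$port" ${proto:+-starttls "$proto"} \
        </dev/null 2>&1 | verify_code
}

# sample_ok: trimmed copy of the page's own s_client run (constructed sample).
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
    Start Time: 1557137051
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
EOF
}

# sample_selfsigned: constructed output for a server presenting a self-signed
# certificate. The callback still prints "verify return:1" so the handshake
# continues; only the summary line carries the failure.
sample_selfsigned() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = selfsigned.example
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = selfsigned.example
verify return:1
---
    Verify return code: 18 (self signed certificate)
---
EOF
}

echo "== good run =="
sample_ok | chain_summary
echo "summary code: $(sample_ok | verify_code)"
echo "== self-signed server =="
sample_selfsigned | chain_summary
code=$(sample_selfsigned | verify_code) || echo "chain NOT verified, code $code"
```

tls_check domain.tld 993 and tls_check smtp.host.tld 25 smtp reproduce the two runs above without the ^C, because feeding /dev/null to s_client makes it close the connection after the handshake. The self-signed sample shows why the script keys on the summary line rather than on verify return: by default s_client reports the error but lets the callback return 1 so that the handshake continues and the certificates can be inspected (the -verify_return_error option changes that); the summary Verify return code is the one that carries the verification result.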

verify

verify trusts nothing by default, and you'll get "error 20 at 0 depth lookup:unable to get local issuer certificate" no matter what you do unless you give it both -CApath and -untrusted. verify only reads the first certificate of the file it is asked to check, so all the intermediate certificates need to be downloaded and passed through the -untrusted argument: in my case I had to download the Let's Encrypt certificate, even though it has already been appended to my own, and add it to -untrusted like so:

ychaouche@ychaouche-PC 11:00:18 ~/TMP/CERTS $ openssl verify -CApath /etc/ssl/certs/ -untrusted letsencrypt.crt domaintld.crt
domaintld.crt: OK
ychaouche@ychaouche-PC 11:00:24 ~/TMP/CERTS $
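To see the behaviour described above without touching a real domain, here is an added example (not part of the original page) that builds its own root, intermediate and leaf certificates with the openssl command line and runs verify both ways. All subjects, file names and the temporary directory are constructed; -CAfile with the generated root stands in for -CApath /etc/ssl/certs, which expects a directory of hash-named links rather than a single file.

```shell
#!/bin/sh
# Added example, not part of the original page: build a throw-away
# root -> intermediate -> leaf chain with the openssl CLI, then show that
# `openssl verify` reports error 20 until the intermediate is supplied with
# -untrusted. Every name, path and subject here is constructed.
set -eu
command -v openssl >/dev/null || { echo "openssl not installed" >&2; exit 0; }

# make_chain DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    # Minimal req config so the example does not depend on the system openssl.cnf.
    cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder (overridden by -subj)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' >"$dir/int.ext"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:domain.tld\n' >"$dir/leaf.ext"

    # Self-signed root CA: the role /etc/ssl/certs plays for a real CA.
    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (the "Let's Encrypt Authority" role).
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null
    # Leaf (server) certificate signed by the intermediate.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=domain.tld" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR [untrusted]: verify leaf.pem against root.pem, optionally
# handing the intermediate to openssl via -untrusted. Returns openssl's status.
verify_leaf() {
    dir=$1; mode=${2:-}
    if [ "$mode" = untrusted ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" "$dir/leaf.pem"
    else
        openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem"
    fi
}

tmp=$(mktemp -d)
make_chain "$tmp"
echo "== without -untrusted (expect error 20, unable to get local issuer certificate) =="
verify_leaf "$tmp" || echo "verify exited with status $?"
echo "== with -untrusted int.pem =="
verify_leaf "$tmp" untrusted
rm -rf "$tmp"
```

The first verify stops at depth 0 with error 20 because the only issuer it can see is the root, while the leaf was signed by the intermediate; passing that intermediate via -untrusted lets verify build the chain leaf, intermediate, root and it prints leaf.pem: OK. Appending the intermediate to leaf.pem would not help, since verify reads only the first certificate of the file it checks.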

contact: @ychaouche yacinechaouche at yahoocom
