Use openssl verify on a local certificate or s_client on a remote one.
s_client
Use s_client with the -CApath option set to /etc/ssl/certs so that it can find the root certificate, which is usually not included in the chain the server sends.
ychaouche@ychaouche-PC 10:30:22 ~/TMP/CERTS $ openssl s_client -CApath /etc/ssl/certs/ -connect domain.tld:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
[...]
    Start Time: 1557137051
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
^C
ychaouche@ychaouche-PC 10:30:23
Each verify return:1 line (one per depth) is printed by the verification callback, a function that returns 1 on success and 0 on failure ([https://serverfault.com/questions/747525/what-does-verify-return1-mean-in-the-openssl-output|source]).
The final Verify return code is produced by a different function, for which 0 means success.
STARTTLS
For STARTTLS you must provide the -starttls smtp option; otherwise s_client won't request a secure connection when you connect to a port where STARTTLS is configured.
$ openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect smtp.host.tld:25
[...]
    Start Time: 1535281464
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
^C
verify
verify trusts nothing by default, and you'll get "error 20 at 0 depth lookup:unable to get local issuer certificate" no matter what you do unless you give both the -CApath and the -untrusted arguments. All the intermediate certificates need to be downloaded and passed with -untrusted, so in my case I had to download the Let's Encrypt certificate, even though it had been added to my own, and pass it with -untrusted like so:
ychaouche@ychaouche-PC 11:00:18 ~/TMP/CERTS $ openssl verify -CApath /etc/ssl/certs/ -untrusted letsencrypt.crt domaintld.crt
domaintld.crt: OK
ychaouche@ychaouche-PC 11:00:24 ~/TMP/CERTS $
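As an added example (not from the original page), the script below builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then runs openssl verify both without and with -untrusted, reproducing the error 20 failure above and the OK result; it also shows the hashed file name that -CApath expects. The subjects, file names, the mktemp working directory and the availability of a modern openssl binary on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: build a throwaway
# root -> intermediate -> leaf chain and show why "openssl verify" needs
# both -CApath (the root) and -untrusted (the intermediate).
# Assumes the openssl CLI (1.1 or later) is on PATH; all names are made up.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_chain: create root CA, intermediate CA and a leaf for "domain.tld".
# Runs in a subshell so the caller's working directory is untouched.
gen_chain() (
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:domain.tld\n' > leaf.ext
    # Root: a CSR self-signed with the CA extensions (no config section needed).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout root.key -out root.csr 2>/dev/null || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.crt 2>/dev/null || exit 1
    # Intermediate, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout inter.key -out inter.csr 2>/dev/null || exit 1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out inter.crt 2>/dev/null || exit 1
    # Leaf, signed by the intermediate (a server would send leaf + intermediate).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=domain.tld' \
        -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null || exit 1
    # -CApath expects files named <subject-hash>.0, which is how /etc/ssl/certs is laid out.
    mkdir -p certs && cp root.crt "certs/$(openssl x509 -noout -hash -in root.crt).0"
)

# verify_leaf with|without: run openssl verify, passing the intermediate via
# -untrusted only for "with". Returns openssl's exit status (0 means "OK").
verify_leaf() (
    cd "$WORK" || exit 1
    if [ "$1" = "with" ]; then
        openssl verify -CApath certs -untrusted inter.crt leaf.crt
    else
        openssl verify -CApath certs leaf.crt
    fi
)

gen_chain
verify_leaf without   # error 20 at 0 depth lookup: unable to get local issuer certificate
verify_leaf with      # leaf.crt: OK
```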
contact : @ychaouche yacinechaouche at yahoocom