OpenSSL test certificate

June 12, 2017

Well, EJP was on the right track, but didn't take it quite far enough or explain it thoroughly enough.

In order to verify a client certificate is being sent to the server, you need to analyze the output from the combination of the -state and -debug flags.

First as a baseline, try running

openssl s_client -connect host:443 -state -debug

You'll get a ton of output, but the lines we are interested in look like this:

SSL_connect:SSLv3 read server done A
write to 0x211efb0 [0x21ced50] (12 bytes => 12 (0xC))
0000 - 16 03 01 00 07 0b 00 00-03                        .
000c -
SSL_connect:SSLv3 write client certificate A

What's happening here:

  • The -state flag is responsible for displaying the end of the previous section: "SSL_connect:SSLv3 read server done A". This is only important for helping you find your place in the output.
  • Then the -debug flag is showing the raw bytes being sent in the next step: "write to...", "0000 - ...", "000c - ...".
  • Finally, the -state flag is once again reporting the result of the step that -debug just echoed: "SSL_connect:SSLv3 write client certificate A".

So in other words: s_client finished reading data sent from the server, and sent 12 bytes to the server as (what I assume is) a "no client certificate" message.

If you repeat the test, but this time include the -cert and -key flags like this,

openssl s_client -connect host:443 -cert cert_and_key.pem -key cert_and_key.pem -state -debug

your output between the "read server done" line and the "write client certificate" line will be much longer, representing the binary form of your client certificate:

SSL_connect:SSLv3 read server done A
write to 0x7bd970 [0x86d890] (1576 bytes => 1576 (0x628))
0000 - 16 03 01 06 23 0b 00 06-1f 00 06 1c 00 06 19 31   .#.1
(*SNIP*)
0620 - 95 ca 5e f4 2f 6c 43 11-                          ..^%/lC.
SSL_connect:SSLv3 write client certificate A

The "1576 bytes" is an excellent indication on its own that the cert was transmitted, but on top of that, the right-hand column will show parts of the certificate that are human-readable: You should be able to recognize the CN and issuer strings of your cert in there.
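As an added example (not part of the answer above), this Python script parses the -state/-debug output the answer describes: it collects the hex bytes printed between the "read server done" and "write client certificate" markers and decodes them as a TLS record carrying a Certificate handshake message, so the 12-byte case decodes to an empty certificate_list and a longer one lists the certificates actually sent. The two dumps are constructed samples rather than the answer's captures, and the second carries a fake 4-byte "certificate".

```python
import re

# Constructed samples of `openssl s_client -state -debug` output (not real captures).
# First: the 12-byte Certificate handshake message with an empty certificate_list.
EMPTY_CERT_DUMP = """\
SSL_connect:SSLv3 read server done A
write to 0x211efb0 [0x21ced50] (12 bytes => 12 (0xC))
0000 - 16 03 01 00 07 0b 00 00-03 00 00 00               ............
SSL_connect:SSLv3 write client certificate A
"""

# Second: a certificate_list holding one fake 4-byte certificate (de ad be ef).
ONE_CERT_DUMP = """\
SSL_connect:SSLv3 read server done A
write to 0x7bd970 [0x86d890] (19 bytes => 19 (0x13))
0000 - 16 03 01 00 0e 0b 00 00-0a 00 00 07 00 00 04 de   ................
0010 - ad be ef                                          ...
SSL_connect:SSLv3 write client certificate A
"""

# One -debug hex line: 4-digit offset, " - ", byte pairs separated by ' ' or '-'.
HEX_LINE = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})", re.I)

def client_certificate_bytes(dump: str) -> bytes:
    """Collect the bytes -debug printed between the two -state markers."""
    data, inside = bytearray(), False
    for line in dump.splitlines():
        if "read server done" in line:
            inside = True
        elif "write client certificate" in line:
            break
        elif inside and (m := HEX_LINE.match(line)):
            data += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(data)

def parse_certificate_message(raw: bytes) -> list:
    """Decode the record (0x16) and Certificate (0x0b) headers; return the certs."""
    if len(raw) < 12 or raw[0] != 0x16 or raw[5] != 0x0B:
        raise ValueError("not a TLS handshake record carrying a Certificate message")
    record_len = int.from_bytes(raw[3:5], "big")   # record payload length
    hs_len = int.from_bytes(raw[6:9], "big")       # handshake body length
    list_len = int.from_bytes(raw[9:12], "big")    # certificate_list length
    if len(raw) != 5 + record_len or record_len != hs_len + 4 or hs_len != list_len + 3:
        raise ValueError("inconsistent TLS length fields")
    certs, pos = [], 12
    while pos < 12 + list_len:                     # each entry: 3-byte length + DER
        n = int.from_bytes(raw[pos:pos + 3], "big")
        certs.append(raw[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs
```

An empty list returned for a real capture means the client answered the CertificateRequest without a certificate, which is the 12-byte case the answer shows.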

Source: stackoverflow.com