Re: How to test SSL cert from CA?

On Wed, Jul 8, 2015 at 10:17 PM, Francisco Reyes <lists(at)natserv(dot)net> wrote:

> Anyone knows of a way to test the SSL connection such that it validates
> against the CA? Preferably an open source application. Connecting through
> psql works fine on SSL with what I have setup, but the application, xtuple,
> seems to still be having the issue.
>

openssl s_client -connect HOST:PORT -CAfile /path/to/CA.pem

check the man page for more options that will help you.

Here is what a bad connection looks like. This particular server does not
send along the necessary intermediate certificate:

% openssl s_client -connect filer:443
CONNECTED(00000003)
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU
= Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU
= Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify error:num=21:unable to verify the first certificate
verify return:1
[ ... ]
Start Time: 1436468482
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

Here's what a good connection looks like where the server sends the
necessary intermediate certificate:

% openssl s_client -connect vk-dev:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT35717807, OU = See www.rapidssl.com/resources/cps (c)15, OU
= Domain Control Validated - RapidSSL(R), CN = *.int.kcilink.com
verify return:1
[ ... ]
Start Time: 1436468764
Timeout : 300 (sec)
Verify return code: 0 (ok)

The -verify_return_error option may help you as well.