OpenSSL Table of contents Sending non-SNI TLS request SNI stands for Server Name Indication openssl s_client -connect 192.168.0.1:443 </dev/null>/dev/null \
| openssl x509 -text -noout \
| grep -i "subject:\|dns:\|signature algorithm:\|issuer:\|validity\|not before\|not after" \
| sed \$d
OpenSSL without defining -servername
flag, it sends non-sni by default. You can use hostname instead of IP, run openssl s_client -connect google.com:443
. Check certificate for hostname in the SNI Use flag -servername my.domain.com
openssl s_client -connect 192.168.0.1:443 -servername my.domain.com \
| openssl x509 -text -noout \
| grep -i "subject:\|dns:\|signature algorithm:\|issuer:\|validity\|not before\|not after" \
| sed \$d
SNI check openssl s_client -connect 192.168.0.1:443 -servername my.domain.com < /dev/null>/dev/null \
| openssl x509 -noout -text \
| grep 'DNS:\|Issuer:\|Subject:\|Not Before:\|Not After';
Non-SNI testing openssl s_client -connect my.domain.com:443 -servername domain.com
Check SSL over TLSv1 openssl s_client -connect 192.168.0.1:443 -servername my.domain.com -tls1
Using CDN and check Proxy Server SSL openssl s_client -connect my.domain.com:443 -servername my.domain.com -showcerts
Check certificate file Download the certificate (named: my_root.pem
) on to Desktop, and change directory cd ~/Desktop
, run below command. openssl x509 -in ~/Downloads/my_root.pem -text -noout
Check certificate dates openssl s_client -servername my.domain.com -connect 192.168.0.1:443 2> /dev/null \
| openssl x509 -noout -dates
Certificate & private key match check Assuming private key uses RSA, save both certificate and key in the directory of Desktop, cd ~/Desktop
, then run below 2 OpenSSL command to check if certificate and key matches. openssl x509 –noout –modulus –in ~/Desktop/example.crt | openssl md5
openssl rsa –noout –modulus –in ~/Desktop/example.key | openssl md5