42

So I've googled quite a bit for this but it appears that my google-fu fails me - apologies if this is a trivial and already answered question, I could not find anything about this

I'm trying to diagnose an SSL certificate hostname mismatch. When I visit the url in question, it redirects me to another page that has the correct SSL certificate. However, some clients are reporting that they are receiving an SSL certificate hostname mismatch error. My only assumption is that the redirecting page has the wrong certificate and some clients are letting it slide because it resolves with a new page that has the correct certificate.

(The how and why of the issue isn't really the question)

The question:

From the outside in (aka, as a client in the world) - how would one view the certificate that was delivered by a page that automatically redirects to another page?

Robert Petz
    Another useful resource is the [SSL Server Test](https://www.ssllabs.com/ssltest/) from Qualy's SSL Labs. – TRiG Jan 18 '19 at 14:34

6 Answers

46

Use openssl s_client piped to openssl x509:

$ openssl s_client -connect foo.example.com:443 < /dev/null | openssl x509 -text

(Add -servername foo.example.com to the s_client command if the server uses SNI.)

The redirection of stdin from /dev/null for the first invocation of openssl will prevent it from hanging waiting for input.

mwfearnley
EEAA
    You can also pipe the output to `openssl x509 -text` to actually see what's in the server's cert, and redirect the input of the initial `openssl` command from `/dev/null` so the command doesn't hang: `openssl s_client -connect ... < /dev/null | openssl x509 -text`. Look for the "X509v3 Subject Alternative Name" field. – Andrew Henle Jun 22 '15 at 22:20
  • @AndrewHenle Great addition. Feel free to edit that into my answer if you'd like. – EEAA Jun 22 '15 at 22:31
  • Worked like a charm - I've only spent a limited amount of time with OpenSSL, yet every time I need to do anything SSL related it always boils back down to it haha...Thanks for the tip! – Robert Petz Jun 22 '15 at 22:49
  • If the server uses SNI, you should add `-servername foo.example.com` to the `s_client` options. – Bruno Jun 23 '15 at 15:24
  • I don't see the trust chain in the output. If I want to see whether a website is trusted by VeriSign or LetsEncrypt or ChineseGov or DO_NOT_TRUST_FiddlerRoot, what should I look for? – Carl Walsh Jan 03 '17 at 16:18
  • @CarlWalsh If you have another question, please post it using the "Ask Question" button above. – EEAA Jan 03 '17 at 16:34
  • @Bruno+ update: since OpenSSL 1.1.1 in 2018 `-servername` is now default (though it doesn't hurt to redundantly specify it). Also, if you have Java 7 or up installed (which is rarer now than it used to be): `keytool -printcert -sslserver $host[:$port]` – dave_thompson_085 Jun 23 '20 at 07:25
  • Careful: Without `-servername foo.example.com`, the displayed certificate will be the one AFTER the redirection! – 4wk_ Nov 23 '20 at 16:16
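The same diagnosis as a small script, an added example that is not from the answer or its commenters: it performs one TLS handshake with SNI (the equivalent of `-servername`) and sends no HTTP request, so no redirect is ever followed, then checks the hostname against the SAN list itself. Function names and the sample certificate dictionary are my own.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from the SAN extension of a cert dict in ssl.getpeercert() format."""
    return [val for typ, val in cert.get("subjectAltName", ()) if typ == "DNS"]


def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a single '*' standing for the leftmost label only."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return bool(head) and "." not in head     # exactly one label may be replaced


def hostname_ok(hostname, cert):
    """True when the hostname is covered by some DNS SAN entry of the certificate."""
    return any(name_matches(hostname, n) for n in san_dns_names(cert))


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake with SNI and return the leaf certificate of whatever answers first."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report mismatches instead of raising
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain still validated, so getpeercert() is populated
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def diagnose(host):
    cert = fetch_peer_cert(host)
    print("subject:", dict(rdn[0] for rdn in cert["subject"]))
    print("issuer: ", dict(rdn[0] for rdn in cert["issuer"]))
    print("SAN:    ", san_dns_names(cert))
    print("hostname match:", "OK" if hostname_ok(host, cert) else "MISMATCH")


if __name__ == "__main__":
    import sys
    diagnose(sys.argv[1])
```

A chain that does not verify against the system roots raises `ssl.SSLCertVerificationError`, which is a different problem from the hostname mismatch the question is about.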
17

In Firefox 57, if you open the Developer Tools and go to the Network tab:

  1. Make sure Persist Logs is checked
  2. Visit the URL of interest
  3. Click on the top row (i.e., the one corresponding to the request to the server you're interested in, which resulted in the redirect response)
  4. Click on the Security tab (half-way down, still within Network)

This will let you view certificate info such as the issuee common name, issuer details, validity period and fingerprints.

This worked for me on a site responding with a 301 redirect to another HTTPS website. (Unfortunately the accepted answer just gave me the certificate for the final destination page.)

mpavey
  • Thanks for a native Browser method. Did you try the `-servername` option with `openssl`? That can give a different result, even if it's the same name. – mwfearnley Jul 04 '18 at 12:54
  • @mwfearnley No! With `openssl`, I just copied and pasted from the answer and gave up after it didn't work :) Thanks for the suggestion. – mpavey Oct 16 '18 at 20:50
  • Firefox 71. Had to check Disable Cache also in order to make the Security tab visible. – CodeClimber Jan 08 '20 at 12:25
6

Also, there is a graphical tool for Windows with a detailed text trace: SSL Certificate Verifier Tool (tool description: Verifying The SSL Certificates with a tool), and here is an example of how it handles redirects:


Crypt32
0

Try mangling the URL so it fails to redirect, e.g.: https://www.example.com/>

Depending on the server you may be able to hit a URL that returns an error instead of redirecting. For example, if you're visiting an IIS server, appending > to the URL will show an error page, but the cert can then be viewed in the normal way as this prevents the redirect occurring.

Myster
0

Attempting this again today, what worked for me on Windows was:

  1. Go to https://www.ssllabs.com/ssltest/ and enter the domain (not URL) you want the certificate for.
  2. Let the SSL report process.
  3. In the output click the Download server certificate button.
  4. Save the output to a *.cer file.
  5. Double-click the file and voila!

(Screenshot: the Download server certificate button.)

Michael12345
0

As an alternative to the separate programs mentioned in other answers, you can also disable automatic redirection in your browser.

The option to do this varies by browser; here are methods for Firefox and Chrome:

jpa
  • Not sure who downvoted this? – Robert Petz Jun 23 '15 at 16:32
  • Yeah, this is exactly what I wanted, a completely in-browser solution. – Michael12345 Sep 27 '16 at 19:34
  • This didn't work for me in Chrome. I can see the 302 in the network trace, but I don't see how to inspect the certificate from the network traces. If I click the Security tab, Chrome instead shows me the cert from the current webpage (the redirection target). – Carl Walsh Jan 03 '17 at 16:31
  • The downvote is probably because "link-only" answers tend to rot over the years as products change. Maybe this answer worked before Chrome introduced the Security tab? – Carl Walsh Jan 03 '17 at 16:32
  • @CarlWalsh Hmm, if you disable redirection, the cert from the current webpage should be the redirection page (because it doesn't go into redirection target automatically). And usually links within the stack exchange network are considered fine, because they don't rot as easily. – jpa Jan 03 '17 at 17:00
  • @jpa The link you provided for Chrome appears to explain how to preserve the network log after a redirect has taken place, rather than how to prevent Chrome from following the redirect. – mpavey Aug 01 '17 at 19:11
  • Downvoted - this answer is not useful on Chrome. The linked resource shows how to enable "preserve log", which still does not allow the SSL cert of the redirecting domain to be introspected. Does not actually answer OP. – Brad Wood Feb 08 '21 at 22:04
  • Hmm, neither Firefox or Chrome solution worked for me today. – Michael12345 Jan 14 '22 at 00:51