26

How can I view the SSL certificate details that are being used on ports 587, 25, 110, 465, 995, 143 & 993?

I need to check which domain name is being used to secure these ports.

I've searched here and on Google but can't find anything!

user1398287
  • 5,245
  • 5
  • 21
  • 25

2 Answers

51

Use OpenSSL (installed by default on almost all Linux distributions, you can also get a binary build for Windows from Shining Light Productions):

openssl s_client -connect host:port -servername host [-starttls protocol]

where host is the host you want to connect to and port is the port number.

-servername host will include the host name in the TLS handshake (via the Server Name Indication extension), to allow servers hosting multiple protected resources on the same IP to choose the correct certificate.

The -starttls protocol part is needed only if the server you are checking starts a plain text session by default and switches to SSL/TLS later, when the client requests it (in this case, protocol must be one of smtp, pop3, imap, ftp, xmpp); you should check if your server configuration requires the switch and include the command line option accordingly.

Alessandro Menti
  • 1,290
  • 20
  • 28

14

You can use OpenSSL:

openssl s_client -connect x.x.x.x:port

(You can also use the -showcerts option for the full chain.)

Assuming that the usual services run on these ports, this should show you the certificates for port 465, 995 and 993, because they're protocols where the SSL/TLS connection is initiated first.

Ports 587, 25 (SMTP), 110 (POP3) and 143 (IMAP) use SSL/TLS via a "START TLS" upgrade. You'll need to add -starttls prot where prot is smtp, imap or pop3, as appropriate.

Note that if any of these services support Server Name Indication, you might not get all the certificates, if you don't request the correct host name in the first place. (SNI is probably more common for HTTPS than for these protocols, though.)

Once you get the certificate, you can copy/paste (or pipe) the PEM block (between BEGIN/END delimiters) into the input of openssl x509 -text -noout. The host names should be in the Subject Alternative Names (DNS entries) or, if absent, in the CN of the Subject DN.

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • 1
    Hi @Bruno. Do you happen to know how to check the validity of certificates, as they do here? http://www.geocerts.com/ssl_checker Try typing for instance "itunesconnect.apple.com" there, and they will show various tests for the certificate on this secure website. Unfortunately, this site doesn't seem to work on mail servers. Do you know how to perform these same checks on a mail server's certificate from the command line? – NoobOverflow Oct 13 '12 at 12:38
  • 8
    Even just piping it directly works: `openssl s_client -connect server:25 -starttls smtp -showcerts | openssl x509 -text` – Paul Jan 10 '14 at 08:11
  • Paul's comment could be incorporated into the answer; it makes it so much easier... – David Fraser Jan 09 '15 at 12:12
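The whole procedure from this answer and Paul's comment (pick -starttls by port, send SNI with -servername, pipe the PEM into openssl x509 -text -noout, then read the SAN DNS entries or the Subject CN), as an added POSIX shell script that is not part of the original answers. The host name and the certificate text it is checked against are constructed samples; only check_port and check_mail_ports touch the network.

```shell
# Map a mail port to the -starttls protocol s_client needs ("" = implicit TLS).
starttls_for_port() {
    case "$1" in
        25|587)       echo smtp ;;
        110)          echo pop3 ;;
        143)          echo imap ;;
        465|993|995)  echo "" ;;
        *)            echo "no mail protocol known for port $1" >&2; return 1 ;;
    esac
}

# Build the s_client command line: -servername sends SNI so a multi-domain
# server picks the right certificate; -starttls is added only where needed.
s_client_cmd() {
    host=$1; port=$2
    proto=$(starttls_for_port "$port") || return 1
    cmd="openssl s_client -connect $host:$port -servername $host -showcerts"
    [ -n "$proto" ] && cmd="$cmd -starttls $proto"
    echo "$cmd"
}

# Read 'openssl x509 -text -noout' output on stdin and print the host names it
# covers: the DNS entries of the Subject Alternative Name, else the Subject CN.
cert_hostnames() {
    text=$(cat)
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
           | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        printf '%s\n' "$text" | sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p'
    fi
}

# Connect to one port, decode the leaf certificate (openssl x509 reads the
# first PEM block it sees, as in Paul's one-liner) and report its names.
check_port() {
    $(s_client_cmd "$1" "$2") </dev/null 2>/dev/null \
        | openssl x509 -text -noout | cert_hostnames
}

# Walk every port from the question for one host (network access needed).
check_mail_ports() {
    for p in 25 587 110 143 465 995 993; do
        echo "== $1:$p"
        check_port "$1" "$p" || echo "   (no certificate obtained)"
    done
}
```

Run check_mail_ports your.mail.host to print, for each port in the question, the names the presented certificate covers.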