Differences

This shows you the differences between two versions of the page.

--- internet:security:ssl_tls_cert_testing [2016/02/12 11:39]
127.0.0.1 external edit
+++ internet:security:ssl_tls_cert_testing [2022/03/22 08:46] (current)
gcooper
@@ Line 12: / Line 12: @@
 |443         |HTTPS        |
 |21          |FTP - TLS    |
-|25          |Mail - TLS   |
+|25          |SMTP - TLS   |
-|465         |Mail - SSL   |
+|465         |SMTP - SSL   |
-|587         |Mail - TLS   |
+|587         |SMTP - TLS   |
+|993         |IMAP - SSL   |
+|995         |POP - SSL    |
 |10000       |Webmin       |
 |20000       |Usermin      |
@@ Line 20: / Line 22: @@
 ===== Web Tools =====
-Check Internet accessible hosts here: https://www.digicert.com/help/
+Check Internet accessible hosts here:
-or here: http://www.geocerts.com/ssl_checker
+https://www.sslchecker.com
+https://www.digicert.com/help/
+http://www.geocerts.com/ssl_checker
 ===== OpenSSL =====
@@ Line 38: / Line 44: @@
 </file>
-This first test is the one that is easiest and should work from anywhere:
+==== Testing ====
+The OpenSSL toolkit allows checking SSL certificate installation on a server either remotely or locally. To check STARTTLS ports, run the following command replacing [port] with the port number and [protocol] with **smtp**, **pop3** or **imap** value (see the example below) respectively:
+<file>
+openssl s_client -connect example.com:[port] -servername example.com -starttls [protocol] < /dev/null
+</file>
+The same command but without -starttls switch can be used for checking non-STARTTLS ports:
+<file>
+openssl s_client -connect example.com:[port] -servername example.com
+</file>
+This test is easiest and should work from anywhere:
 <file>
@@ Line 53: / Line 73: @@
 <file>
-openssl s_client -tls1 -crlf -showcerts -CAfile /etc/postfix/ssl/ca-bundle.pem -connect mail.sonoracomm.com:465  < /dev/null
+openssl s_client -tls1 -crlf -showcerts -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465  < /dev/null
 </file>
@@ Line 59: / Line 79: @@
 <file>
-openssl s_client -tls1 -crlf -showcerts -debug -CAfile /etc/postfix/ssl/ca-bundle.pem -connect mail.sonoracomm.com:465  < /dev/null
+openssl s_client -tls1 -crlf -showcerts -debug -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465  < /dev/null
+</file>
+=== Show Expiration Date ===
+Pipe the output of other ''openssl'' commands into this:
+<file>
+ | openssl x509 -noout -enddate
+</file>
+==== SMTP and SMTPS ====
+<file>
+openssl s_client -connect fqdn.hostname.tld:25 -starttls smtp < /dev/null
+openssl s_client -connect fqdn.hostname.tld:587 -starttls smtp < /dev/null
+openssl s_client -crlf -connect fqdn.hostname.tld:465 < /dev/null
 </file>
@@ Line 67: / Line 105: @@
 <file>
-curl -G -v --key /etc/postfix/ssl/www2.sonoracomm.com.key --cert /etc/postfix/ssl/www2.sonoracomm.com.crt --cacert /etc/postfix/ssl/ca-bundle.pem https://www.sonoracomm.com/robots.txt
+curl -G -v --key /etc/postfix/ssl/fqdn.yourdomain.com.key --cert /etc/postfix/ssl/fqdn.yourdomain.com.crt --cacert /etc/postfix/ssl/ca-bundle.pem https://fqdn.yourdomain.com/robots.txt
+</file>
+===== Apache =====
+See how your Apache web server is configured for SSL:
+<file>
+grep -R SSL /etc/apache2/ |grep -v \#
 </file>
 ===== Dovecot =====
-See how Dovecot is configured for SSL:
+See how Dovecot is configured for SSL with one of these commands:
 <file>
 grep ssl /etc/dovecot.conf
+grep -R ssl /etc/dovecot/ |grep -v \#
 </file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools