====== TLS/SSL Certificate Testing ======

References:

  * https://www.ssllabs.com/ssltest/analyze.html
  * http://www.madboa.com/geek/openssl/#cert-test
  * http://blog.logicexception.com/2010/05/securing-postfix-and-dovecot-with-tls.html

===== Common Ports Used for SSL =====

^ Port Number ^ Common Usage ^
| 443   | HTTPS |
| 21    | FTP with explicit TLS (STARTTLS via ''AUTH TLS'') |
| 25    | SMTP with STARTTLS |
| 465   | SMTPS (implicit TLS) |
| 587   | SMTP submission with STARTTLS |
| 993   | IMAPS (implicit TLS) |
| 995   | POP3S (implicit TLS) |
| 10000 | Webmin |
| 20000 | Usermin |

Ports 21, 25 and 587 start in plaintext and upgrade with STARTTLS, so ''s_client'' needs the ''-starttls'' switch for them; the other ports speak TLS from the first byte.

===== Web Tools =====

Check Internet-accessible hosts here:

  * https://www.sslchecker.com
  * https://www.digicert.com/help/
  * http://www.geocerts.com/ssl_checker

===== OpenSSL =====

==== Verify a New Certificate Before Installation ====

<code bash>
openssl verify /path/to/yourcert.pem
</code>

This checks the certificate against the system's trusted root store. If the certificate is issued by an intermediate CA, supply the intermediate as well:

<code bash>
openssl verify -CAfile /path/to/intermediate.crt /path/to/yourcert.pem
</code>

''-CAfile'' treats the file as a trust anchor; the command works because ''openssl verify'' still consults the default CA directory for the root. The more precise form is ''-untrusted /path/to/intermediate.crt'', which marks the intermediate as a chain link rather than an anchor, so the chain must still end at a trusted root. Expect ''yourcert.pem: OK'' on success.

==== Testing ====

The OpenSSL toolkit can check a server's certificate installation either remotely or locally on the host itself. For STARTTLS ports, run the following command, replacing ''[port]'' with the port number and ''[protocol]'' with ''smtp'', ''pop3'' or ''imap'' (see the examples below):

<code bash>
openssl s_client -connect example.com:[port] -servername example.com -starttls [protocol] < /dev/null
</code>

The same command without the ''-starttls'' switch checks ports that speak TLS directly:

<code bash>
openssl s_client -connect example.com:[port] -servername example.com < /dev/null
</code>

''-servername'' sends SNI, so a server hosting several names returns the certificate for the one you asked about; ''< /dev/null'' closes the session as soon as the handshake has finished instead of waiting for input.

This test is the simplest and should work from anywhere:

<code bash>
openssl s_client -crlf -connect fqdn.yourdomain.com:portnum < /dev/null
</code>

Older versions of this page added ''-tls1'' to these commands. That flag pins the handshake to TLS 1.0, which current servers reject, so it has been dropped here; use ''-tls1_2'' or ''-tls1_3'' when you want to confirm that a specific protocol version is accepted.

If the intermediate certificate is missing or wrong, the test returns (near the end):

<code>
Verify return code: 21 (unable to verify the first certificate)
</code>

The related ''20 (unable to get local issuer certificate)'' means ''openssl'' could not find the issuer of one of the certificates in the chain in its trust store (check ''-CAfile'' or the system bundle); ''0 (ok)'' is what a correct installation returns.

These commands help when troubleshooting on the SSL host itself, with the server's own CA bundle as the trust store:

<code bash>
openssl s_client -crlf -showcerts -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465 < /dev/null
</code>

With debug output (a hex dump of every record sent and received):

<code bash>
openssl s_client -crlf -showcerts -debug -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465 < /dev/null
</code>

''-showcerts'' prints every certificate the server sent, not just the leaf, which is the quickest way to see whether the intermediate is being served at all.

=== Show Expiration Date ===

Pipe the output of one of the ''openssl s_client'' commands above into this:

<code bash>
| openssl x509 -noout -enddate
</code>

''x509'' reads the first PEM certificate on its input, so this prints the leaf certificate's ''notAfter'' date; ''-subject -issuer -dates'' prints the other commonly wanted fields, and ''-checkend <seconds>'' exits non-zero if the certificate expires within that many seconds, which is convenient for monitoring.

==== SMTP and SMTPS ====

<code bash>
openssl s_client -connect fqdn.hostname.tld:25 -starttls smtp < /dev/null
openssl s_client -connect fqdn.hostname.tld:587 -starttls smtp < /dev/null
openssl s_client -crlf -connect fqdn.hostname.tld:465 < /dev/null
</code>

===== Curl =====

This test connects to the remote server with curl, verifying the server's certificate chain against the CA bundle given with ''--cacert'' (which replaces the system trust store for this request):

<code bash>
curl -G -v --key /etc/postfix/ssl/fqdn.yourdomain.com.key --cert /etc/postfix/ssl/fqdn.yourdomain.com.crt --cacert /etc/postfix/ssl/ca-bundle.pem https://fqdn.yourdomain.com/robots.txt
</code>

Note that ''--cert'' and ''--key'' present a client certificate; they only matter if the server requests one (mutual TLS) and can be left out for a plain server-side check. With ''-v'', a correct chain shows ''SSL certificate verify ok.''; a broken one fails with ''curl: (60) SSL certificate problem''.

===== Apache =====

See how your Apache web server is configured for SSL:

<code bash>
grep -R SSL /etc/apache2/ |grep -v \#
</code>

===== Dovecot =====

See how Dovecot is configured for SSL with one of these commands (the first is for the single-file configuration of Dovecot 1.x, the second for the ''conf.d'' layout of 2.x):

<code bash>
grep ssl /etc/dovecot.conf
grep -R ssl /etc/dovecot/ |grep -v \#
</code>

On Dovecot 2.x, ''doveconf | grep ssl'' shows the effective values after all included files are merged.

===== Postfix =====

See how Postfix is configured for SSL:

<code bash>
postconf | grep tls
</code>

''postconf -n | grep tls'' restricts the output to settings that differ from the defaults, which is usually what you want when reviewing a configuration.
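The ''s_client'' and ''x509'' checks from the Testing and Show Expiration Date sections, collected into a small script as an added example (this is not code from the original page or from the OpenSSL project). Host names, ports, the ''WARN_DAYS'' threshold and the script name are assumptions; ''tls_probe'' and ''check_endpoint'' need network access, while the parsing helpers work on captured ''s_client'' output and can be tested offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: the s_client / x509 checks
# wrapped into reusable functions. Host names, ports and WARN_DAYS are
# assumptions for illustration; tls_probe and check_endpoint need network access.

WARN_DAYS=${WARN_DAYS:-30}   # assumed threshold: fail if the leaf cert expires within this many days

# Connect to host:port and dump the handshake, with -starttls if a protocol
# (smtp, imap, pop3) is given. stdin is /dev/null so s_client exits after the
# handshake; -servername sends SNI; -showcerts prints every cert the server sent.
tls_probe() {
  host=$1; port=$2; proto=${3:-}
  if [ -n "$proto" ]; then
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
      -starttls "$proto" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
      </dev/null 2>/dev/null
  fi
}

# Numeric "Verify return code" from s_client output on stdin (0 means the chain verified).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Number of certificates the server sent; 1 usually means the intermediate is missing.
chain_length() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# First (leaf) certificate from -showcerts output, as PEM, for piping into openssl x509.
leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {exit}'
}

# Succeeds if the PEM certificate on stdin is still valid N days from now
# (openssl x509 -checkend takes seconds and exits 1 when the cert will have expired).
cert_ok_for_days() {
  openssl x509 -noout -checkend $(( ${1:-$WARN_DAYS} * 86400 )) >/dev/null 2>&1
}

# Put it together: one summary line per endpoint, non-zero exit on any problem.
check_endpoint() {
  host=$1; port=$2; proto=${3:-}; rc=0
  out=$(tls_probe "$host" "$port" "$proto")
  if [ -z "$out" ]; then
    echo "$host:$port  CONNECT FAILED"; return 2
  fi
  code=$(printf '%s\n' "$out" | verify_code)
  chain=$(printf '%s\n' "$out" | chain_length)
  enddate=$(printf '%s\n' "$out" | leaf_cert | openssl x509 -noout -enddate 2>/dev/null)
  [ "${code:-99}" -eq 0 ] || rc=1
  printf '%s\n' "$out" | leaf_cert | cert_ok_for_days "$WARN_DAYS" || rc=1
  echo "$host:$port  verify=${code:-?}  certs_sent=$chain  ${enddate:-notAfter=?}"
  [ "$chain" -gt 1 ] || echo "  warning: only one certificate sent; intermediate probably missing"
  return $rc
}

# Usage: bash tlscheck.sh mail.example.com 587 smtp   (script name is an assumption)
if [ $# -ge 2 ]; then
  check_endpoint "$@"
fi
```

Run it once per listener from the port table above (''tlscheck.sh mail.example.com 25 smtp'', ''... 993'', ''... 465'') and wire the exit status into monitoring: ''verify'' other than 0 or a single certificate sent points at the intermediate problem described under Testing, while a failing ''cert_ok_for_days'' catches the expiry that ''-enddate'' only reports.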