
TLS/SSL Certificate Testing

https://www.ssllabs.com/ssltest/analyze.html

http://www.madboa.com/geek/openssl/#cert-test

http://blog.logicexception.com/2010/05/securing-postfix-and-dovecot-with-tls.html

Common Ports Used for SSL

Port Number   Common Usage
443           HTTPS
21            FTP - TLS
25            SMTP - TLS
465           SMTP - SSL
587           SMTP - TLS
993           IMAP - SSL
995           POP - SSL
10000         Webmin
20000         Usermin

Web Tools

Check Internet accessible hosts here:

https://www.sslchecker.com

https://www.digicert.com/help/

http://www.geocerts.com/ssl_checker

OpenSSL

Verify a New Certificate Before Installation

openssl verify /path/to/yourcert.pem

If it needs an intermediate cert:

openssl verify -CAfile /path/to/intermediate.crt /path/to/yourcert.pem

Testing

The OpenSSL toolkit can check the SSL certificate installation on a server either remotely or locally. To check STARTTLS ports, run the following command, replacing [port] with the port number and [protocol] with smtp, pop3 or imap as appropriate for that port (see the example below):

openssl s_client -connect example.com:[port] -servername example.com -starttls [protocol] < /dev/null

The same command without the -starttls switch checks ports that speak TLS directly (non-STARTTLS ports):

openssl s_client -connect example.com:[port] -servername example.com

This is the simplest test and should work from anywhere (the -tls1 switch forces TLS 1.0; drop it if the server only accepts newer protocol versions):

openssl s_client -tls1 -crlf -connect fqdn.yourdomain.com:portnum < /dev/null

If the intermediate certificate is missing or not correct, the output ends with a line like:

Verify return code: 21 (unable to verify the first certificate)

These commands may help in troubleshooting when run on the SSL host itself (-showcerts prints every certificate the server sends, and -CAfile verifies them against the local CA bundle):

openssl s_client -tls1 -crlf -showcerts -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465 < /dev/null

With debug output:

openssl s_client -tls1 -crlf -showcerts -debug -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465 < /dev/null

Show Expiration Date

Pipe the output of one of the s_client commands above into this to print only the server certificate's expiry date:

 | openssl x509 -noout -enddate
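As an added example (not from the original page), the following Python script turns the output of the s_client and x509 -enddate commands above into something a monitor can act on: it picks the -starttls keyword from the port the way the Testing section describes, extracts the "Verify return code" line and the certificate chain the server actually sent, and computes the days left from the notAfter= line. The sample output, the check time and the STARTTLS port map are constructed assumptions; the verify code 21 plus a one-certificate chain is the missing-intermediate case described above.

```python
"""Parse the text openssl s_client / x509 -enddate print and flag problems.

Added example, not from the original page.  Everything below is constructed:
the sample output, the check time and the STARTTLS port map are assumptions.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample: tail of `openssl s_client -connect host:465 < /dev/null`
# plus the line `openssl x509 -noout -enddate` prints when fed that output.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = fqdn.yourdomain.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = fqdn.yourdomain.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
SSL handshake has read 1543 bytes and written 398 bytes
Verification error: unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
notAfter=Jun 30 23:59:59 2026 GMT
"""
# Constructed "now" so the expiry arithmetic is reproducible offline.
CHECK_TIME = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)

VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")
CHAIN_RE = re.compile(r"^[ \t]*(\d+) s:(.*)$", re.MULTILINE)
ENDDATE_RE = re.compile(r"^notAfter=(.+)$", re.MULTILINE)

# Port -> -starttls keyword.  21/25/587 come from the page's port table; 110
# and 143 (plain POP3/IMAP) are added as an assumption.  Ports absent here
# (443, 465, 993, 995, ...) speak TLS directly and get no -starttls switch.
STARTTLS_PORTS = {21: "ftp", 25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}


def build_s_client_command(host, port):
    """argv for the s_client check described above; -starttls only where needed."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if port in STARTTLS_PORTS:
        cmd += ["-starttls", STARTTLS_PORTS[port]]
    return cmd


def parse_verify_return(text):
    """(code, message) from the 'Verify return code' line, or None if absent."""
    m = VERIFY_RE.search(text)
    return (int(m.group(1)), m.group(2).strip()) if m else None


def chain_subjects(text):
    """Subjects of the certificates the server actually sent, in chain order."""
    return [subj.strip() for _, subj in CHAIN_RE.findall(text)]


def parse_not_after(text):
    """Parse the notAfter= line (OpenSSL's 'Jun 30 23:59:59 2026 GMT' format)."""
    m = ENDDATE_RE.search(text)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # OpenSSL pads 1-digit days: "Jun  2"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now):
    """Days left before not_after, rounded down; negative once it has expired."""
    return (not_after - now).days


def assess(text, now, warn_days=30):
    """Turn captured output into a list of findings a monitor could alert on."""
    findings = []
    verify = parse_verify_return(text)
    chain = chain_subjects(text)
    if verify is None:
        findings.append("no 'Verify return code' line: handshake probably failed")
    elif verify[0] != 0:
        findings.append(f"verify return code {verify[0]}: {verify[1]}")
        # Code 21 with a one-certificate chain is the classic symptom of a
        # server that was never given its intermediate certificate.
        if verify[0] == 21 and len(chain) == 1:
            findings.append("server sent only the leaf certificate; install the intermediate")
    not_after = parse_not_after(text)
    if not_after is not None:
        left = days_until_expiry(not_after, now)
        if left < 0:
            findings.append(f"certificate expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"certificate expires in {left} days")
    return findings


if __name__ == "__main__":
    # Read real s_client output from a pipe; fall back to the sample when run by hand.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(" ".join(build_s_client_command("fqdn.yourdomain.com", 587)))
    for finding in assess(text, datetime.now(timezone.utc) if text is not SAMPLE_OUTPUT else CHECK_TIME):
        print(finding)
```

Fed the raw s_client output alone, the script reports the verify code and chain length; append the single notAfter= line from the -enddate command to the same text to get the expiry warning as well.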

SMTP and SMTPS

openssl s_client -connect fqdn.hostname.tld:25 -starttls smtp < /dev/null

openssl s_client -connect fqdn.hostname.tld:587 -starttls smtp < /dev/null

openssl s_client -crlf -connect fqdn.hostname.tld:465 < /dev/null

Curl

This test connects to the remote server with curl, presenting the key and certificate as a client certificate and verifying the server's chain against the CA bundle given with --cacert:

curl -G -v --key /etc/postfix/ssl/fqdn.yourdomain.com.key --cert /etc/postfix/ssl/fqdn.yourdomain.com.crt --cacert /etc/postfix/ssl/ca-bundle.pem https://fqdn.yourdomain.com/robots.txt

Apache

See how your Apache web server is configured for SSL:

grep -R SSL /etc/apache2/ |grep -v \#

Dovecot

See how Dovecot is configured for SSL with one of these commands, depending on where your Dovecot configuration lives:

grep ssl /etc/dovecot.conf

grep -R ssl /etc/dovecot/ |grep -v \#

Postfix

See how Postfix is configured for SSL:

postconf | grep tls