User Tools
Table of Contents
TLS/SSL Certificate Testing
https://www.ssllabs.com/ssltest/analyze.html
http://www.madboa.com/geek/openssl/#cert-test
http://blog.logicexception.com/2010/05/securing-postfix-and-dovecot-with-tls.html
Common Ports Used for SSL
| Port Number | Common Usage |
|---|---|
| 443 | HTTPS |
| 21 | FTP - TLS |
| 25 | SMTP - TLS |
| 465 | SMTP - SSL |
| 587 | SMTP - TLS |
| 993 | IMAP - SSL |
| 995 | POP - SSL |
| 10000 | Webmin |
| 20000 | Usermin |
Web Tools
Check Internet accessible hosts here:
OpenSSL
Verify a New Certificate Before Installation
openssl verify /path/to/yourcert.pem
If it needs an intermediate cert:
openssl verify -CAfile /path/to/intermediate.crt /path/to/yourcert.pem
Testing
The OpenSSL toolkit allows checking SSL certificate installation on a server either remotely or locally. To check STARTTLS ports, run the following command replacing [port] with the port number and [protocol] with smtp, pop3 or imap value (see the example below) respectively:
openssl s_client -connect example.com:[port] -servername example.com -starttls [protocol] < /dev/null
The same command but without -starttls switch can be used for checking non-STARTTLS ports:
openssl s_client -connect example.com:[port] -servername example.com
This test is easiest and should work from anywhere:
openssl s_client -tls1 -crlf -connect fqdn.yourdomain.com:portnum < /dev/null
If the intermediate certificate is not correct, the test may return (near the end):
Verify return code: 21 (unable to verify the first certificate)
These commands may help in troubleshooting when used on the SSL host itself:
openssl s_client -tls1 -crlf -showcerts -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465 < /dev/null
With debug:
openssl s_client -tls1 -crlf -showcerts -debug -CAfile /etc/postfix/ssl/ca-bundle.pem -connect fqdn.yourdomain.com:465 < /dev/null
Show Expiration Date
Pipe the output of other openssl commands into this:
| openssl x509 -noout -enddate
SMTP and SMTPS
openssl s_client -connect fqdn.hostname.tld:25 -starttls smtp < /dev/null openssl s_client -connect fqdn.hostname.tld:587 -starttls smtp < /dev/null openssl s_client -crlf -connect fqdn.hostname.tld:465 < /dev/null
Curl
This test connects to the remote server with curl and verifies the key, cert and intermediate CA cert:
curl -G -v --key /etc/postfix/ssl/fqdn.yourdomain.com.key --cert /etc/postfix/ssl/fqdn.yourdomain.com.crt --cacert /etc/postfix/ssl/ca-bundle.pem https://fqdn.yourdomain.com/robots.txt
Apache
See how your Apache web server is configured for SSL:
grep -R SSL /etc/apache2/ |grep -v \#
Dovecot
See how Dovecot is configured for SSL with one of these commands:
grep ssl /etc/dovecot.conf grep -R ssl /etc/dovecot/ |grep -v \#
Postfix
See how Postfix is configured for SSL:
postconf | grep tls
