
This is an old revision of the document!


TLS/SSL Certificate Testing

Common Ports Used for SSL

Port Number   Common Usage
443           HTTPS
21            FTP - TLS
25            Mail - TLS
465           Mail - SSL
587           Mail - TLS
10000         Webmin
20000         Usermin

Web Tools

Check Internet accessible hosts here: https://www.digicert.com/help/

or here: http://www.geocerts.com/ssl_checker

OpenSSL

Verify a New Certificate Before Installation

openssl verify /path/to/yourcert.pem

If it needs an intermediate cert:

openssl verify -CAfile /path/to/intermediate.crt /path/to/yourcert.pem
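The effect of a missing intermediate can be reproduced offline. The script below is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf (the certificate names and the helper functions issue, make_chain, verify_with and demo are constructed for illustration) and runs openssl verify on the leaf with and without the intermediate in the -CAfile bundle.

```sh
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain (all names are
# constructed) to compare `openssl verify` with and without the intermediate.

issue() {   # issue <dir> <name> <CN> <issuer-name> <extension-section>
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -days 2 -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

make_chain() {   # make_chain <dir>: writes root.pem, inter.pem, leaf.pem, bundle.pem
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed test root
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -extensions v3_ca -subj "/CN=Example Test Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    issue "$1" inter "Example Test Intermediate" root v3_ca || return 1
    issue "$1" leaf "fqdn.example.test" inter v3_leaf || return 1
    # Same shape as a CA bundle file: intermediate followed by root
    cat "$1/inter.pem" "$1/root.pem" > "$1/bundle.pem"
}

verify_with() {   # verify_with <CAfile> <cert>: prints "ok" or "fail"
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    echo "CAfile = root only:           $(verify_with "$d/root.pem" "$d/leaf.pem")"
    echo "CAfile = intermediate + root: $(verify_with "$d/bundle.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```

The leaf only verifies when every certificate between it and a trusted root is available to openssl, which is the same condition a client applies to the chain a server sends.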

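This first test is the easiest and should work from anywhere. Note that -tls1 restricts the handshake to TLS 1.0, so a server that no longer accepts TLS 1.0 will refuse the connection; in that case omit the option and let the client negotiate the version: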

openssl s_client -tls1 -crlf -connect fqdn.yourdomain.com:portnum < /dev/null

If the intermediate certificate is not correct, the test may return (near the end):

Verify return code: 21 (unable to verify the first certificate)

These commands may help in troubleshooting when used on the SSL host itself:

openssl s_client -tls1 -crlf -showcerts -CAfile /etc/postfix/ssl/ca-bundle.pem -connect mail.sonoracomm.com:465 < /dev/null

With debug:

openssl s_client -tls1 -crlf -showcerts -debug -CAfile /etc/postfix/ssl/ca-bundle.pem -connect mail.sonoracomm.com:465 < /dev/null

Curl

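This test connects to the remote server with curl, presenting the key and cert (--key, --cert) as the client certificate and using the intermediate CA cert bundle (--cacert) to verify the server's chain: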

curl -G -v --key /etc/postfix/ssl/www2.sonoracomm.com.key --cert /etc/postfix/ssl/www2.sonoracomm.com.crt --cacert /etc/postfix/ssl/ca-bundle.pem https://www.sonoracomm.com/robots.txt

Dovecot

See how Dovecot is configured for SSL:

grep ssl /etc/dovecot.conf

Postfix

See how Postfix is configured for SSL:

postconf | grep tls
internet/security/ssl_tls_cert_testing.1455302345.txt.gz · Last modified: 2017/01/12 07:51 (external edit)