SSL troubleshooting

Checking the certs remotely

Below you will find a few commands to check against SSL/TLS services. Here’s what you should look for:

SSL/TLS against any port and service

Check the certificate e.g.,

    openssl s_client -connect address:port
    # non-interactive variant: closing stdin makes s_client exit after the handshake
    #openssl s_client -connect address:port </dev/null

STARTTLS / SMTP

What ports should we look for?

    egrep 'submission|smtp' /etc/services

See what ports an MX or SMARTHOST offers (25 or 587 / STARTTLS are preferred),

    nmap -Pn -p 25,465,587 SMTP_SERVER

Check the certificate provided through SMTP STARTTLS remotely e.g. against port 25,

    openssl s_client -starttls smtp -crlf -connect SMTP_SERVER:25 </dev/null

IMAP

What ports should we look for?

    grep 'imap' /etc/services

See what ports an MX or SMARTHOST offers (143 / STARTTLS is preferred),

    nmap -Pn -p 143,993 IMAP_SERVER

IMAP // STARTTLS

Check the certificate provided through IMAP STARTTLS remotely e.g. against port 143,

    openssl s_client -starttls imap -crlf -connect IMAP_SERVER:143 </dev/null

Or keep the session open and type IMAP commands by hand to test a login,

    openssl s_client -connect IMAP_SERVER:143 -starttls imap
    openssl s_client -connect IMAP_SERVER:143 -starttls imap -quiet -crlf
    1 login TESTACCOUNT PASSWORD
    1 list "" "*"
    1 logout

    #openssl s_client -connect IMAP_SERVER:143
    #openssl s_client -tls1 -connect IMAP_SERVER:143
    #-tls1_2

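Check that it does NOT respond to SSL version 3 (the handshake should fail; OpenSSL builds compiled without SSLv3 support do not accept the -ssl3 option),

    openssl s_client -connect IMAP_SERVER:993 -ssl3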

IMAP // TLS

You need -crlf to talk to an Exchange server,

    openssl s_client -connect IMAP_SERVER:993 -crlf
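
As an added example (not part of the original page), the shell function below summarises what to look for in the output of the s_client commands above: subject, issuer, negotiated protocol and verify return code. It assumes the OpenSSL 1.1.1 / 3.x output layout; the names check_s_client and field and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the s_client output
# layout of OpenSSL 1.1.1 / 3.x; check_s_client is a hypothetical helper name.
# Usage: openssl s_client -starttls imap -crlf -connect IMAP_SERVER:143 </dev/null 2>/dev/null | check_s_client

# Print the first line produced by sed expression $1 applied to stdin.
field() { sed -n "$1" | head -n 1; }

# Read s_client output on stdin, print the fields to review, and return 1
# if the chain did not verify or the protocol is not TLS 1.2 / 1.3.
check_s_client() {
    out=$(cat)
    subject=$(printf '%s\n' "$out" | field 's/^subject=//p')
    issuer=$(printf '%s\n' "$out" | field 's/^issuer=//p')
    verify=$(printf '%s\n' "$out" | field 's/^ *Verify return code: //p')
    # Negotiated version: SSL-Session "Protocol" line, else the "New," line.
    proto=$(printf '%s\n' "$out" | field 's/^ *Protocol *: *//p')
    [ -n "$proto" ] || proto=$(printf '%s\n' "$out" | field 's/^New, \([^,]*\),.*/\1/p')
    printf 'subject=%s\nissuer=%s\nprotocol=%s\nverify=%s\n' \
        "$subject" "$issuer" "$proto" "$verify"
    rc=0
    case $verify in '0 (ok)') ;; *) echo 'FAIL: chain not verified'; rc=1 ;; esac
    case $proto in TLSv1.2|TLSv1.3) ;; *) echo 'FAIL: protocol is not TLS 1.2 or 1.3'; rc=1 ;; esac
    return $rc
}

# Constructed, abbreviated s_client outputs (certificate bodies omitted).
sample_good() { cat <<'EOF'
CONNECTED(00000003)
subject=CN = imap.example.org
issuer=C = XX, O = Example CA, CN = Example Issuing CA
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
}
sample_bad() { cat <<'EOF'
CONNECTED(00000003)
subject=CN = imap.example.org
issuer=CN = imap.example.org
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1
    Verify return code: 18 (self signed certificate)
EOF
}

sample_good | check_s_client && echo '-> accepted'
sample_bad | check_s_client || echo '-> rejected'
```
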

Copyright © 2024 Pierre-Philipp Braun