SSL troubleshooting

Checking the certs remotely

Below you will find a few commands to check against SSL/TLS services. Here’s what you should look for:

• look at the CN= entry, it should have an FQDN
• look at the cert chain, the authority should be an official one, not one’s own CA
• look at the Protocol used, it should be TLSv1.1 and TLSv1.2, nothing else ! SSLv1,2,3 is deprecated and TLSv1.0 has a vulnerability in conjunction with SSLv3.
• look at the ciphers, e.g. RC4 should not be used anymore

SSL/TLS against any port and service

Check the certificate e.g.,

openssl s_client -connect address:port
#openssl s_client -connect address:port </dev/null

STARTTLS / SMTP

What ports should we look for?

    egrep 'submission|smtp' /etc/services

See what ports an MX or SMARTHOST offers (25 or 587 / STARTTLS are prefered),

nmap -Pn -p 25,465,587 SMTP_SERVER

Check the certificate provided through SMTP STARTTLS remotely e.g. against port 25,

openssl s_client -starttls smtp -crlf -connect SMTP_SERVER:25 </dev/null

IMAP

What ports should we look for?

    grep 'imap' /etc/services

See what ports an MX or SMARTHOST offers (143 / STARTTLS is prefered,

nmap -Pn -p 143,993 IMAP_SERVER

IMAP // STARTTLS

Check the certificate provided through IMAP STARTTLS remotely e.g. against port 143,

openssl s_client -starttls imap -crlf -connect IMAP_SERVER:143 </dev/null

openssl s_client -connect IMAP_SERVER:143 -starttls imap
openssl s_client -connect IMAP_SERVER:143 -starttls imap -quiet -crlf
1 login TESTACCOUNT PASSWORD
1 list "" "*"
1 logout

#openssl s_client -connect IMAP_SERVER:143
#openssl s_client -tls1 -connect IMAP_SERVER:143
#-tls1_2

Check that it does NOT respond to SSL version 3,

openssl s_client -connect IMAP_SERVER:993 -ssl3

IMAP // TLS

You need -crlf to talk to an Exchange server,

openssl s_client -connect IMAP_SERVER:993 -crlf

References

• SSL/TLS - Typical problems and how to debug them: http://maulwuff.de/research/ssl-debugging.html

• SSL3 error when requesting connection using TLS 1.2: http://security.stackexchange.com/questions/101965/ssl3-error-when-requesting-connection-using-tls-1-2

• SSL routines:SSL23_WRITE:ssl handshake failure: http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure

• OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed: http://stackoverflow.com/questions/33669611/opensslsslsslerror-ssl-connect-returned-1-errno-0-state-error-certificate

• Testing with OpenSSL - https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

Ruby

• 6 Action Mailer Configuration: http://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration

• How to bypass SSL certificate verification in open-uri?: http://stackoverflow.com/questions/1113422/how-to-bypass-ssl-certificate-verification-in-open-uri

• OpenSSL Errors and Rails – Certificate Verify Failed: http://railsapps.github.io/openssl-certificate-verify-failed.html

• http://qaoverflow.com/question/ruby-ssl-handshake-failure/

• https://www.google.fr/search?q=stack+overflow+question/ruby-ssl-handshake-failure/&ie=utf-8&oe=utf-8&gws_rd=cr&ei=et1GWMH_G4uma-3mi8AD