Question

How can I view the SSL certificate details that are being used on ports 587, 25, 110, 465, 995, 143 & 993?

I need to check which domain name is being used to secure these ports.

I've searched here and on Google but can't find anything!


Solution

Use OpenSSL (installed by default on almost all Linux distributions, you can also get a binary build for Windows from Shining Light Productions):

openssl s_client -connect host:port -servername host [-starttls protocol]

where host is the host you want to connect to and port is the port number.

-servername host will include the host name in the TLS handshake (via the Server Name Indication extension), to allow servers hosting multiple protected resources on the same IP to choose the correct certificate.

The -starttls protocol part is needed only if the server you are checking starts a plain text session by default and switches to SSL/TLS later, when the client requests it (in this case, protocol must be one of smtp, pop3, imap, ftp, xmpp); you should check if your server configuration requires the switch and include the command line option accordingly.

OTHER TIPS

You can use OpenSSL:

openssl s_client -connect x.x.x.x:port

(You can also use the -showcerts option for the full chain.)

Assuming that the usual services run on these ports, this should show you the certificates for ports 465, 995 and 993, because they're protocols where the SSL/TLS connection is initiated first.

Ports 587, 25 (SMTP), 110 (POP3) and 143 (IMAP) use SSL/TLS via a "START TLS" upgrade. You'll need to add -starttls prot where prot is smtp, imap or pop3, as appropriate.

Note that if any of these services support Server Name Indication, you might not get all the certificates, if you don't request the correct host name in the first place. (SNI is probably more common for HTTPS than for these protocols, though.)

Once you get the certificate, you can copy/paste (or pipe) the PEM block (between BEGIN/END delimiters) into the input of openssl x509 -text -noout. The host names should be in the Subject Alternative Names (DNS entries) or, if absent, in the CN of the Subject DN.
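The two answers above, put together as a small POSIX shell script (added here as an example; it is not code from either answer). It picks the -starttls option by port, always sends -servername for SNI, keeps only the first PEM block from the s_client output and hands it to openssl x509 to print the Subject and Subject Alternative Names. The hostname mail.example.com in the usage comment is an assumed placeholder, and the x509 -ext option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: map each mail port to the right -starttls option, then
# show which host names the presented certificate actually covers.

# starttls_for_port PORT -> prints the protocol for -starttls, or nothing
# for ports where the TLS handshake happens first (465, 993, 995).
starttls_for_port() {
  case "$1" in
    25|587) echo smtp ;;
    110)    echo pop3 ;;
    143)    echo imap ;;
    *)      echo "" ;;
  esac
}

# build_s_client_cmd HOST PORT -> prints the openssl s_client command line,
# with -servername so an SNI-aware server picks the certificate for HOST.
build_s_client_cmd() {
  proto=$(starttls_for_port "$2")
  cmd="openssl s_client -connect $1:$2 -servername $1"
  if [ -n "$proto" ]; then
    cmd="$cmd -starttls $proto"
  fi
  echo "$cmd"
}

# extract_pem: reads s_client output on stdin and prints only the first
# PEM block (the server's own certificate; -showcerts would add the chain).
extract_pem() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    | sed '/-----END CERTIFICATE-----/q'
}

# show_cert_names HOST PORT -> connects and prints Subject and SAN entries.
# stdin is /dev/null so s_client exits as soon as the handshake is done.
show_cert_names() {
  $(build_s_client_cmd "$1" "$2") </dev/null 2>/dev/null \
    | extract_pem \
    | openssl x509 -noout -subject -ext subjectAltName
}

# Usage: sh check_mail_certs.sh mail.example.com   (assumed hostname)
if [ "$#" -eq 1 ]; then
  for port in 25 587 110 143 465 995 993; do
    echo "== $1:$port =="
    show_cert_names "$1" "$port"
  done
fi
```

If the SAN list or CN does not contain the name you connect with, mail clients will warn about a mismatched certificate even though the handshake itself succeeds.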

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow