This article provides useful commands to verify various parameters of HTTPS, SSL and TLS endpoints.


These commands may be useful for troubleshooting an Ingress controller and its ingress rules.


1. Verify that a valid certificate is set for a specific HTTP host on a specific HTTP(S) endpoint.


This may be used, for example, to test that a valid HTTPS certificate was issued by Let's Encrypt for a certain ingress rule. In this case HOST should be the host DNS name specified in the ingress rule, and ENDPOINT should be the corresponding ingress controller endpoint (e.g. the load balancer address).

 

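HOST=my-host.example.com
HOST_PORT=443
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# Connect to ENDPOINT, but use HOST for the SNI name, the Host header and certificate checks.
# curl exits with an error if the certificate is not valid for HOST.
curl \
  --connect-to "$HOST:$HOST_PORT:$ENDPOINT:$ENDPOINT_PORT" \
  "https://$HOST:$HOST_PORT"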

Print the certificate used by an HTTPS server for the specified host:


HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

echo | \
  openssl s_client -showcerts -servername "$HOST" -connect "$ENDPOINT:$ENDPOINT_PORT" 2>/dev/null | \
  openssl x509 -inform pem -noout -text


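2. Send an HTTP request to analyze the response


HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# -k skips certificate verification, so this checks routing and the HTTP response only.
# The TLS SNI name is taken from the URL (ENDPOINT); only the Host header carries HOST.
curl \
  -k \
  -H "Host: $HOST" \
  "https://$ENDPOINT:$ENDPOINT_PORT"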


3. Analyze TLS/SSL protocols and ciphers


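ENDPOINT=pentest-cs.apps-uat.ilendx.tech:443

# Try every protocol/cipher pair and print the pairs the server accepts.
# Protocol options the local OpenSSL build does not support (e.g. -ssl2) fail and print nothing.
# TLS 1.3 is not covered: its cipher suites are selected with -ciphersuites, not -cipher.
for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect "$ENDPOINT" -cipher "$c" "-$v" < /dev/null > /dev/null 2>&1 && printf '%s:\t%s\n' "$v" "$c"
  done
done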
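
The loop above prints one "protocol:<TAB>cipher" line per accepted pair. The following is an added example, not part of the original article: a POSIX shell function that triages those lines, flagging deprecated protocol versions and weak cipher families. The function names, the constructed sample lines and the weak-cipher pattern are assumptions of this example; adjust the pattern to your own policy.

```shell
#!/bin/sh
# Added example: triage the "<protocol>:<TAB><cipher>" lines printed by the scan loop.
# The weak-cipher pattern is this example's assumption, not a complete policy.

triage_scan() {
  # Reads scan lines on stdin.
  # Prints "SEVERITY<TAB>protocol<TAB>cipher<TAB>reason" for each line.
  # Returns 1 if any accepted pair is flagged, 0 otherwise.
  awk -F'\t' '
    NF != 2 { next }                       # ignore anything that is not a scan line
    {
      proto = $1; sub(/:$/, "", proto)     # "tls1_2:" -> "tls1_2"
      cipher = $2
      # SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all deprecated.
      bad_proto  = (proto ~ /^(ssl2|ssl3|tls1|tls1_1)$/)
      # No encryption, export-grade, RC4/RC2, DES/3DES, MD5 MAC, anonymous key exchange.
      bad_cipher = (cipher ~ /NULL|EXP|RC4|RC2|DES|MD5|^ADH-|^AECDH-/)
      if (bad_proto && bad_cipher) reason = "deprecated protocol, weak cipher"
      else if (bad_proto)          reason = "deprecated protocol"
      else if (bad_cipher)         reason = "weak cipher"
      else                         reason = "-"
      sev = (reason == "-") ? "OK" : "FAIL"
      if (sev == "FAIL") failed = 1
      printf "%s\t%s\t%s\t%s\n", sev, proto, cipher, reason
    }
    END { exit failed + 0 }
  '
}

sample_scan() {
  # Constructed sample output in the format the scan loop prints.
  printf 'tls1:\tECDHE-RSA-AES128-SHA\n'
  printf 'tls1_2:\tECDHE-RSA-AES256-GCM-SHA384\n'
  printf 'tls1_2:\tDES-CBC3-SHA\n'
  printf 'ssl3:\tRC4-MD5\n'
}

# Demo run on the constructed sample; against a real endpoint, pipe the scan
# loop into triage_scan instead and use its exit status as a pass/fail gate.
sample_scan | triage_scan || true
```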


Online SSL testing tools such as https://www.ssllabs.com/ssltest/ can also be used.