Tags: https, ssl, tls, ingress, certificate, security


Overview


This article provides useful commands to verify various parameters of HTTPS, SSL and TLS endpoints.


These commands may be useful to troubleshoot an ingress controller and its ingress rules.


1. Verify HTTPS certificate on an HTTP(S) endpoint


This may be used, for example, to test that a valid HTTPS certificate was issued by Let's Encrypt for a certain ingress rule; in this case HOST should be the host DNS name specified in the ingress rule, and ENDPOINT should be the corresponding ingress controller endpoint (e.g. the load balancer address).


HOST=my-host.example.com
HOST_PORT=443
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# --connect-to makes curl open the TCP connection to ENDPOINT:ENDPOINT_PORT
# while still sending HOST in SNI and the Host header and verifying the
# certificate against HOST, i.e. the same check a browser performs.
curl \
  --connect-to "$HOST:$HOST_PORT:$ENDPOINT:$ENDPOINT_PORT" \
  "https://$HOST:$HOST_PORT"

Print the certificate used by an HTTPS server for the specified host:


HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# -servername sets the SNI name; -showcerts prints the whole chain, but
# "openssl x509" decodes only the first (leaf) certificate of its input.
echo | \
  openssl s_client -showcerts -servername "$HOST" -connect "$ENDPOINT:$ENDPOINT_PORT" 2>/dev/null | \
  openssl x509 -inform pem -noout -text
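

The two commands above can be combined into a repeatable check for an ingress rule. The following shell functions are an added example, not part of the original article: fetch_server_cert wraps the s_client/x509 pipeline, cert_matches_host compares the SAN DNS entries (or the CN of a legacy certificate) against the expected name, and cert_valid_for_days uses "openssl x509 -checkend" to catch certificates that are about to expire. All function names are hypothetical; they assume only the openssl CLI and POSIX sh.

```shell
# Fetch the leaf certificate a server presents for HOST (sent as SNI) when
# connecting to ENDPOINT:PORT, as PEM on stdout. Hypothetical helper.
fetch_server_cert() {
  echo | openssl s_client -servername "$1" -connect "$2:$3" 2>/dev/null \
    | openssl x509 -outform pem
}

# Return 0 if the certificate in PEM file $1 is valid for hostname $2:
# the name must appear in the subjectAltName DNS entries (a "*." wildcard
# covers exactly one leading label), or in the CN when the certificate has
# no SAN at all (legacy certificates only).
cert_matches_host() {
  pem=$1
  host=$2
  names=$(openssl x509 -in "$pem" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p')
  [ -n "$names" ] || names=$(openssl x509 -in "$pem" -noout -subject \
    | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
  # disable globbing so a "*.example.com" entry is not expanded against files
  set -f
  for n in $names; do
    case $n in
      "$host") set +f; return 0 ;;
      \*.*)
        if [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${n#\*.}" ]; then
          set +f; return 0
        fi ;;
    esac
  done
  set +f
  return 1
}

# Return 0 if the certificate in PEM file $1 is still valid $2 days from now
# (-checkend takes seconds); non-zero means renewal is due.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) > /dev/null
}

# Combined check for an ingress rule: $1 = HOST from the rule, $2/$3 =
# ingress controller endpoint and port, $4 = minimum days of validity.
# Exit status 0 only when the name matches and enough validity remains;
# 2 when no certificate could be fetched at all.
check_ingress_cert() {
  tmp=$(mktemp)
  fetch_server_cert "$1" "$2" "$3" > "$tmp" || { rm -f "$tmp"; return 2; }
  cert_matches_host "$tmp" "$1" && cert_valid_for_days "$tmp" "$4"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Usage: check_ingress_cert my-host.example.com my-endpoint.example.com 443 14 && echo OK. A name mismatch with a certificate that is otherwise fine usually means the ingress controller served its default certificate because the rule's host did not match the SNI name.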


2. Send an HTTP request to analyze the response


HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# -k disables certificate verification, so this shows the response for HOST
# even when the endpoint presents an untrusted or mismatched certificate.
# Note that SNI carries ENDPOINT here, not HOST; use --connect-to (section 1)
# when the server selects its certificate or backend by SNI.
curl \
  -k \
  -H "Host: $HOST" \
  "https://$ENDPOINT:$ENDPOINT_PORT"


3. Analyze TLS/SSL protocols and ciphers


Online SSL testing tools such as https://www.ssllabs.com/ssltest/ can be used to verify the protocols and ciphers supported by an endpoint.


Alternatively, the following script tests the given endpoint for the ciphers it accepts on each protocol version.


ENDPOINT=my-endpoint.example.com:443

# test all ciphers on all protocols
# -cipher applies to TLS 1.2 and below and is ignored on a -tls1_3 connection,
# so TLS 1.3 is tested separately with -ciphersuites; protocol options the
# client does not support (e.g. -ssl2 on a modern build) simply fail silently.

for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect "$ENDPOINT" \
        -cipher "$c" -$v < /dev/null > /dev/null 2>&1 &&
        printf '%s:\t%s\n' "$v" "$c"
  done
done

for c in $(openssl ciphers -s -tls1_3 | tr ':' ' '); do
  openssl s_client -connect "$ENDPOINT" \
      -ciphersuites "$c" -tls1_3 < /dev/null > /dev/null 2>&1 &&
      printf 'tls1_3:\t%s\n' "$c"
done

# test a specific cipher/protocol pair (a TLS 1.2 cipher name needs -tls1_2)

openssl s_client -connect "$ENDPOINT" \
    -cipher ECDHE-RSA-AES256-GCM-SHA384 -tls1_2 < /dev/null &&
    echo supported

# the same check for a TLS 1.3 cipher suite

openssl s_client -connect "$ENDPOINT" \
    -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3 < /dev/null &&
    echo supported


Note that not all protocols and/or ciphers are supported by every openssl client; it depends on the version, the OS, and the options used to build it. A cipher that never shows up in the loop above may therefore be unavailable on the client side rather than rejected by the server.

The following commands help check whether the necessary protocols and/or ciphers are supported by the client:


# list all cipher/protocol combinations supported by the client
# (the second column is the lowest protocol version each cipher can be used with)

openssl ciphers -v

# print the unique set of those minimum protocol versions

openssl ciphers -v | awk '{print $2}' | sort -u
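

The output of "openssl ciphers -v" is also the quickest place to spot ciphers that should not be offered at all. The functions below are an added example, not part of the original article: flag_weak_ciphers reads lines in that format and reports null, export, RC4, DES, MD5 and non-forward-secret suites, and count_by_min_protocol tallies the second column the way the awk pipeline above does. The SAMPLE_CIPHERS lines are constructed for the example and the function names are hypothetical; only awk and sort are assumed.

```shell
# Constructed sample in the format printed by `openssl ciphers -v`
# (name, minimum protocol version, Kx=, Au=, Enc=, Mac=). These lines are
# made up for this example; run `openssl ciphers -v` for your client's list.
SAMPLE_CIPHERS='TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export'

# Read `openssl ciphers -v` lines on stdin and print the ones a server should
# not offer, as "<reason><TAB><cipher-name>". Checks, in order: null
# encryption, export grade, anonymous key exchange, RC4, DES/3DES, MD5 MAC,
# and key exchange without forward secrecy (anything but (EC)DHE or TLS 1.3).
flag_weak_ciphers() {
  awk '{
    reason = ""
    if ($0 ~ /Enc=None/)                   reason = "no-encryption"
    else if ($1 ~ /^EXP/)                  reason = "export-grade"
    else if ($0 ~ /Au=None/)               reason = "no-authentication"
    else if ($0 ~ /Enc=RC4/)               reason = "rc4"
    else if ($0 ~ /Enc=(3)?DES/)           reason = "des"
    else if ($0 ~ /Mac=MD5/)               reason = "md5-mac"
    else if ($3 !~ /^Kx=(ECDH|DH|any)$/)   reason = "no-forward-secrecy"
    if (reason != "") printf "%s\t%s\n", reason, $1
  }'
}

# Count ciphers per minimum protocol version (second column). The column is
# the lowest version a cipher can be used with, not the set of versions the
# client will negotiate, which is why "SSLv3" appears for many TLS 1.2 ciphers.
count_by_min_protocol() {
  awk '{ n[$2]++ } END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Demo on the constructed sample; for a real client run:
#   openssl ciphers -v | flag_weak_ciphers
printf '%s\n' "$SAMPLE_CIPHERS" | flag_weak_ciphers
printf '%s\n' "$SAMPLE_CIPHERS" | count_by_min_protocol
```

Piping "openssl ciphers -v" through flag_weak_ciphers lists what the client side is still able to negotiate; feeding it the lines printed by the scan loop in this section instead shows which of those weak suites the server actually accepts.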