Tags: https, ssl, tls, ingress, certificate, security
TABLE OF CONTENTS
- Overview
- 1. Verify HTTPS certificate on an HTTP(S) endpoint
- 2. Send an HTTP request to analyze response
- 3. Analyze TLS/SSL protocols and ciphers
Overview
This article collects commands to check the certificate, protocol and cipher configuration of HTTPS (SSL/TLS) endpoints.
They are handy when troubleshooting an Ingress controller (e.g. in Kubernetes) and its ingress rules, where the name you want to test (the host in the rule) and the address you actually connect to (the controller's load balancer) differ.
1. Verify HTTPS certificate on an HTTP(S) endpoint
This can be used, for example, to test that a valid HTTPS certificate was issued by Let's Encrypt for a certain ingress rule. HOST is the host name from the ingress rule; ENDPOINT is the address the ingress controller is reachable at (e.g. its load balancer address). With --connect-to, curl opens the TCP connection to ENDPOINT but keeps HOST as the URL host, so SNI, the Host header and certificate verification all use HOST. The command succeeds only if the presented chain validates against curl's CA store and matches HOST; otherwise it fails with a certificate error (add -v to see the handshake and the issuer).
HOST=my-host.example.com
HOST_PORT=443
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# connect to $ENDPOINT:$ENDPOINT_PORT, but talk to it as $HOST (SNI, Host header,
# certificate verification); --connect-to is available since curl 7.49
curl \
  --connect-to "$HOST:$HOST_PORT:$ENDPOINT:$ENDPOINT_PORT" \
  "https://$HOST:$HOST_PORT"
Print the certificate used by an HTTPS server for the specified host. -servername sends HOST as SNI so the ingress picks the certificate for that rule; -showcerts prints the whole presented chain, and the second openssl decodes only the first PEM block, i.e. the leaf certificate. To see whether the chain validates against the local CA store, run the s_client part on its own and look at the "Verify return code" line; for a short summary instead of the full -text dump, use -noout -subject -issuer -dates -ext subjectAltName (the -ext option needs OpenSSL 1.1.1 or later).
HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# echo closes stdin so s_client exits after the handshake; stderr is dropped
echo | \
  openssl s_client -showcerts -servername "$HOST" -connect "$ENDPOINT:$ENDPOINT_PORT" 2>/dev/null | \
  openssl x509 -inform pem -noout -text
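The following script is an added example (not from the original article) that automates the section-1 check for one ingress rule: it fetches the leaf certificate presented for the SNI name HOST via ENDPOINT, checks that the chain verifies, that HOST is covered by the certificate, and that renewal is not overdue. The host/endpoint names in the usage line and the 14-day threshold are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: automate the section-1 check
# for one ingress rule (HOST served via ENDPOINT). Checks what usually breaks with
# Let's Encrypt and ingress: chain verification, SAN match, remaining lifetime.
# Names in the usage line and the 14-day default are placeholders (assumptions).
set -u

# Print the leaf certificate (first PEM block of the presented chain) for $host.
fetch_leaf_cert() {
  local host=$1 endpoint=$2 port=${3:-443}
  openssl s_client -servername "$host" -connect "$endpoint:$port" </dev/null 2>/dev/null \
    | openssl x509 -outform pem
}

# Return 0 if s_client validated the presented chain against the local CA store.
verify_chain() {
  local host=$1 endpoint=$2 port=${3:-443}
  openssl s_client -servername "$host" -connect "$endpoint:$port" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Check a PEM certificate file for a host name and a minimum remaining lifetime.
# 0 = ok, 1 = name does not match, 2 = expires within $min_days days.
check_cert_file() {
  local cert=$1 host=$2 min_days=${3:-14}
  # -checkhost matches SAN dNSNames (CN only as a fallback when there is no SAN);
  # it reports in text, so grep the positive form ("does NOT match" will not match it).
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "name mismatch: certificate is not valid for $host" >&2
    return 1
  fi
  # -checkend exits non-zero when the certificate expires within the given seconds.
  # Let's Encrypt clients usually renew with ~30 days left, so less than 14 days
  # remaining means renewal is failing.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "expiring: certificate expires within $min_days days" >&2
    return 2
  fi
  return 0
}

# usage: check-ingress-cert.sh HOST ENDPOINT [PORT]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  tmp=$(mktemp) && trap 'rm -f "$tmp"' EXIT
  fetch_leaf_cert "$1" "$2" "${3:-443}" >"$tmp" || { echo "no certificate from $2" >&2; exit 1; }
  openssl x509 -in "$tmp" -noout -subject -issuer -dates
  verify_chain "$1" "$2" "${3:-443}" || echo "chain does not verify (self-signed or missing intermediate?)" >&2
  check_cert_file "$tmp" "$1" && echo "OK: $1 via $2"
fi
```

A failing verify_chain with a passing check_cert_file is the typical sign of an ingress serving the leaf without its intermediate, or of a staging (untrusted) Let's Encrypt issuer; a failing name check usually means the ingress answered with its default certificate because SNI did not match any rule.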
2. Send an HTTP request to analyze response
This sends the request for HOST directly to ENDPOINT by overriding the Host header. Because the URL host is ENDPOINT, curl also sends ENDPOINT as SNI, so the ingress may answer with its default certificate, which is why -k (skip certificate verification) is needed. The result shows how the ingress rule routes and how the backend responds (add -i or -v to see status line and headers), not whether the certificate is valid; for that, use --connect-to from section 1, which keeps SNI and verification on HOST and needs no -k.
HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com
ENDPOINT_PORT=443

# -k: do not verify the certificate (SNI is $ENDPOINT here, so it may not match)
# -H Host: route the request to the ingress rule for $HOST
curl \
  -k \
  -H "Host: $HOST" \
  "https://$ENDPOINT:$ENDPOINT_PORT"
3. Analyze TLS/SSL protocols and ciphers
Online SSL testing tools such as https://www.ssllabs.com/ssltest/ can verify the protocols and ciphers an endpoint supports, but only for endpoints reachable from the internet.
Alternatively, the following script tests the given endpoint for supported ciphers on each protocol version, which also works for internal endpoints. Note that -cipher only selects TLS 1.2-and-below cipher suites; TLS 1.3 suites are selected with -ciphersuites and have different names (TLS_AES_256_GCM_SHA384 etc.), so the two generations are scanned separately. Pairing -tls1_3 with -cipher would ignore the cipher and report every suite as supported.
HOST=my-host.example.com
ENDPOINT=my-endpoint.example.com:443

# test all ciphers on all protocols; -servername sends SNI so an ingress serves the right vhost.
# -ssl2/-ssl3 options missing from this openssl build simply fail and print nothing.
for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect "$ENDPOINT" -servername "$HOST" \
      -cipher "$c" -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
  done
done
# TLS 1.3 suites are a separate, fixed list and are chosen with -ciphersuites
for c in TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 \
         TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256; do
  openssl s_client -connect "$ENDPOINT" -servername "$HOST" \
    -ciphersuites "$c" -tls1_3 < /dev/null > /dev/null 2>&1 && echo -e "tls1_3:\t$c"
done

# test a specific cipher/protocol pair (TLS 1.2 suite with -cipher, TLS 1.3 suite with -ciphersuites)
openssl s_client -connect "$ENDPOINT" -servername "$HOST" \
  -cipher ECDHE-RSA-AES256-GCM-SHA384 -tls1_2 < /dev/null > /dev/null 2>&1 && echo supported
openssl s_client -connect "$ENDPOINT" -servername "$HOST" \
  -ciphersuites TLS_AES_256_GCM_SHA384 -tls1_3 < /dev/null > /dev/null 2>&1 && echo supported
Note that a protocol or cipher missing from the output may be unsupported by the openssl client rather than by the server: this depends on the OpenSSL version, the OS and the build options. SSLv2 was removed in OpenSSL 1.1.0 and SSLv3 is disabled in most builds, and distribution builds may set a default security level that excludes weak ciphers; append :@SECLEVEL=0 to the -cipher string (OpenSSL 1.1.0 or later) to let the client offer those anyway.
The following commands help check which protocols and ciphers the client itself supports:
# list all cipher suites known to the client; the second column is the protocol
# version each suite was introduced in, followed by key exchange, authentication and cipher
openssl ciphers -v
# unique list of those protocol versions
openssl ciphers -v | awk '{print $2}' | sort -u
# protocol versions this build can force: the -ssl3/-tls1... options s_client accepts
openssl s_client -help 2>&1 | grep -E '^ *-(ssl|tls)[0-9_]+'
openssl version
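The scan loop in section 3 prints one "proto:<TAB>cipher" line per accepted combination, which is long and hard to read for a real endpoint. The following added example (not from the original article) grades those lines into findings. The sample scan output is constructed for illustration, and the grading rules (deprecated protocol, known-weak cipher, no forward secrecy) are the example's own assumptions about what a practitioner would flag.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: turn the "proto<TAB>cipher"
# lines from the section-3 scan loop into findings. Grading rules and the sample
# scan output below are this example's own assumptions/constructed data.

# Read scan lines on stdin; print one finding per weak item (nothing for good ones).
assess_scan() {
  local proto cipher
  while read -r proto cipher; do
    [ -n "$cipher" ] || continue        # skip blank lines
    proto=${proto%:}                    # "tls1_2:" -> "tls1_2"
    case $proto in
      ssl2|ssl3|tls1|tls1_1)
        # deprecated protocol versions: any cipher accepted on them is a finding
        echo "WEAK PROTOCOL: $proto accepted ($cipher)"; continue ;;
    esac
    case $cipher in
      *NULL*|*EXP*|*RC4*|*DES*|*MD5*|*ADH*|*AECDH*)
        # no encryption, export grade, broken cipher/MAC, or unauthenticated key exchange
        echo "WEAK CIPHER: $cipher on $proto" ;;
      TLS_*|ECDHE-*|DHE-*)
        # TLS 1.3 suites and ephemeral (EC)DH suites provide forward secrecy
        ;;
      *)
        # static RSA key exchange: a leaked server key decrypts recorded traffic
        echo "NO FORWARD SECRECY: $cipher on $proto" ;;
    esac
  done
}

# Constructed sample output of the scan loop (tab-separated, as echo -e "$v:\t$c" prints it).
sample_scan() {
  printf 'tls1:\tAES128-SHA\n'
  printf 'tls1_2:\tECDHE-RSA-AES256-GCM-SHA384\n'
  printf 'tls1_2:\tAES256-GCM-SHA384\n'
  printf 'tls1_2:\tDES-CBC3-SHA\n'
  printf 'tls1_3:\tTLS_AES_256_GCM_SHA384\n'
}

# Number of findings for the sample (0 would mean nothing was flagged).
sample_findings() {
  sample_scan | assess_scan | grep -c .
}

# Against real scan output:  ./scan.sh | assess_scan
sample_scan | assess_scan
```

For the sample the script reports three findings: TLS 1.0 accepted, the 3DES suite, and the static-RSA AES-GCM suite; the ECDHE and TLS 1.3 lines pass. Run it on real scan output before and after changing the ingress controller's TLS settings to confirm the change took effect.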