Servername in openssl command

Filip Aleksic requested to merge openssl-command-servername into main

What does this MR do?

  • Updates the documentation to use -servername in openssl

Why was this MR needed?

Without specifying -servername <DOMAIN> we are not specifying what domain we are trying to connect to, so the webserver will offer us the default SSL certificate (if defined). Example:

$ echo | openssl s_client -connect gitlab.com:443 -servername gitlab.com # (truncated for visibility)
-----END CERTIFICATE-----
subject=/CN=gitlab.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---

$ echo | openssl s_client -connect gitlab.com:443
CONNECTED(00000005)
4337616428:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/533514bb11/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75.60.3/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4337616428:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/533514bb11/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75.60.3/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1647869099
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

What's the best way to test this MR?

Using the commands from the documentation:

$ openssl s_client -showcerts -connect gitlab.com:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM
unable to load certificate
4315416108:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/System/Volumes/Data/SWE/macOS/BuildRoots/533514bb11/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75.60.3/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: TRUSTED CERTIFICATE

$ openssl s_client -showcerts -connect gitlab.com:443 -servername gitlab.com < /dev/null 2>/dev/null | openssl x509 -outform PEM
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

What are the relevant issue numbers?

None

Edited by Filip Aleksic
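
The certificate selection described in this MR can be reproduced offline. The script below is an added example, not part of the merge request or the project's documentation: it starts a local `openssl s_server` with a default certificate and a second one bound to an SNI name, then fetches the certificate with and without `-servername`. The names default.example and sni.example and port 14433 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. default.example, sni.example and port 14433 are constructed values.

# Create two self-signed certificates in DIR and start a local TLS server on
# PORT that serves default.example unless the client's SNI is sni.example.
start_sni_server() {
    dir=$1 port=$2
    for cn in default.example sni.example; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
            -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null || return 1
    done
    # -cert/-key: default certificate; -cert2/-key2: used when SNI equals -servername.
    # -www keeps the server accepting connections without reading stdin.
    openssl s_server -accept "$port" -www \
        -cert "$dir/default.example.crt" -key "$dir/default.example.key" \
        -servername sni.example \
        -cert2 "$dir/sni.example.crt" -key2 "$dir/sni.example.key" \
        </dev/null >/dev/null 2>&1 &
    SRV_PID=$!
    sleep 1   # give the listener time to bind
}

# Print the subject of the certificate the server on PORT presents.
# With a second argument, that name is sent as SNI via -servername.
served_subject() {
    port=$1 name=${2:-}
    openssl s_client -connect "127.0.0.1:$port" ${name:+-servername "$name"} \
        </dev/null 2>/dev/null | openssl x509 -noout -subject
}

workdir=$(mktemp -d)
start_sni_server "$workdir" 14433
echo "no SNI:  $(served_subject 14433)"
echo "SNI set: $(served_subject 14433 sni.example)"
kill "$SRV_PID"
rm -rf "$workdir"
```

OpenSSL 1.1.1 and later send SNI automatically when the `-connect` host is a DNS name, so the example connects to 127.0.0.1 to get a request that carries no SNI.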