Please install Xcode and Homebrew first, then:
brew install openssl # assumes you have Homebrew installed - only needed first time
brew install curl-ca-bundle
Set this environment variable in your $HOME/.bashrc file (assuming you use Bash; otherwise use the rc file of your shell):
# the path may need changing; it depends on the version of curl-ca-bundle Homebrew installed above
export CA_FILE=/usr/local/share/ca-bundle.crt
When verifying SSL/TLS certificates against shared-hosted mail or web servers, append -servername HOSTNAME
for the HOSTNAME you wish the OpenSSL command line to send during Server Name Indication (SNI) negotiation; without it a shared host may present its default certificate instead of the one for that name. It is included in the commands below.
# test command line for mail servers - set/replace $CUSTOMER_HOST and $MAIL_PORT (the echoed text only gives s_client some input so it closes the connection after the handshake)
echo "HELO" | openssl s_client -connect $CUSTOMER_HOST:$MAIL_PORT -verify 5 -servername $CUSTOMER_HOST -CAfile $CA_FILE | grep "Verify return code"
# test command line for HTTPS SSL certs - set/replace $CUSTOMER_HOST and $SSL_PORT
echo "GET / HTTP/1.1" | openssl s_client -connect $CUSTOMER_HOST:$SSL_PORT -verify 5 -servername $CUSTOMER_HOST -CAfile $CA_FILE | grep "Verify return code"
One example of a successful run would be this:
$ echo "HELO" | openssl s_client -connect imap.gmail.com:993 -verify 5 -servername imap.gmail.com -CAfile ${CA_FILE} | grep "Verify return code"
verify depth is 5
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
verify return:1
Verify return code: 0 (ok)
DONE
Note the Verify return code: 0 (ok) line; that is what the grep at the end of the command is looking for. It means the chain validated against the CA bundle. It does not by itself check that the certificate matches the hostname; for that also pass -verify_hostname HOSTNAME (available in OpenSSL 1.0.2 and later).
Here is an example of output that shows unsuccessful verification of the host's SSL/TLS certificate (note the missing -CAfile option):
$ echo "HELO" | openssl s_client -connect imap.gmail.com:993 -verify 5 -servername imap.gmail.com | grep "Verify return code"
verify depth is 5
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
verify return:1
Verify return code: 27 (certificate not trusted)
DONE
Note: this command line is missing the -CAfile PATH option, which is important to have on OS X with the above installation: without it OpenSSL has no CA bundle to build the chain against (hence the "unable to get local issuer certificate" error at depth 1), so your output will be erroneous, like above. To fix it, add -CAfile $CA_FILE to the command line before the last pipe to grep.
There are many more possible return codes than 0 and 27. These include the following more common ones:
- 10 (certificate has expired)
- 18 (self signed certificate)
- 19 (self signed certificate in certificate chain)
- 20 (unable to get local issuer certificate), as seen at depth 1 in the failing run above
- 21 (unable to verify the first certificate)
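The manual grep above works interactively but gives no usable exit status when scripted. The following is an added example, not code from the original note: it wraps the same s_client invocation in shell functions that extract the verify code, map the codes listed above to their meaning, and return non-zero for anything other than 0 (or when no verify line is present at all, which is what you see if the handshake never completes). It assumes the s_client output format shown above and a CA bundle at $CA_FILE (falling back to the Homebrew curl-ca-bundle path). The check_tls function needs network access; the parsing functions run offline against the constructed sample outputs embedded below, which are modelled on the two runs above and are not real captures.

```shell
#!/bin/sh
# Added example (not part of the original note): scriptable version of the
# "openssl s_client ... | grep 'Verify return code'" check above.

# Print the numeric verify code from s_client output on stdin; prints nothing
# when the line is absent (for example, the handshake never completed).
parse_verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Describe the codes listed in the note (plus 20, seen in the failing run above).
describe_verify_code() {
    case "$1" in
        0)  echo "ok" ;;
        10) echo "certificate has expired" ;;
        18) echo "self signed certificate" ;;
        19) echo "self signed certificate in certificate chain" ;;
        20) echo "unable to get local issuer certificate" ;;
        21) echo "unable to verify the first certificate" ;;
        27) echo "certificate not trusted" ;;
        *)  echo "other verify error" ;;
    esac
}

# Read s_client output on stdin and print "CODE (meaning)". Returns 0 only for
# code 0, 1 for any other code, and 2 when no verify result is present.
summarize_verify() {
    code=$(parse_verify_code)
    if [ -z "$code" ]; then
        echo "no verify result (connection or handshake failed)"
        return 2
    fi
    echo "$code ($(describe_verify_code "$code"))"
    [ "$code" = "0" ]
}

# Live check: check_tls HOST PORT [CA_FILE]. stdin is /dev/null so s_client
# closes right after the handshake; stderr is merged because the depth=/verify
# lines go there while the "Verify return code" line goes to stdout.
check_tls() {
    tls_host=$1
    tls_port=$2
    tls_cafile=${3:-${CA_FILE:-/usr/local/share/ca-bundle.crt}}
    result=$(openssl s_client -connect "$tls_host:$tls_port" -servername "$tls_host" \
                 -verify 5 -CAfile "$tls_cafile" </dev/null 2>&1 | summarize_verify)
    status=$?
    echo "$tls_host:$tls_port: $result"
    return $status
}

# Constructed sample outputs modelled on the two runs above (not real captures),
# so the parsing path can be exercised without a network connection.
SAMPLE_OK='verify depth is 5
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
verify return:1
Verify return code: 0 (ok)
DONE'
SAMPLE_UNTRUSTED='verify depth is 5
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
Verify return code: 27 (certificate not trusted)
DONE'

# "sh thisfile.sh demo" runs the offline samples; the live form is
# check_tls "$CUSTOMER_HOST" "$MAIL_PORT" (add -verify_hostname to check_tls
# on OpenSSL 1.0.2+ if you also want the hostname match enforced).
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_OK" | summarize_verify
    printf '%s\n' "$SAMPLE_UNTRUSTED" | summarize_verify || echo "exit status $?"
fi
```

Because check_tls returns the verify result as its exit status, it can sit directly in a cron job or monitoring script (`check_tls mail.example.com 993 || alert`), and the merged stderr keeps the depth= lines in the captured output for debugging a failure such as the missing -CAfile case above.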