@mbbx6spp
Last active December 12, 2015 07:49
Save mbbx6spp/3e37671632ff9261ded7 to your computer and use it in GitHub Desktop.
For Desk.com support purposes. Use this as a cheatsheet to verify, or narrow down, the underlying cause of SSL errors customers get in the app.

Installation

Please install XCode and Homebrew first, then:

brew install openssl # assumes you have Homebrew installed - only needed first time
brew install curl-ca-bundle

Test/Verification Scripts

Set this environment variable in your $HOME/.bashrc file assuming you use Bash or the appropriate shell rc file:

# the version of this might need changing in path; depends on version Homebrew installed above
export CA_FILE=/usr/local/share/ca-bundle.crt

Shared Hosts

When verifying SSL/TLS certs against shared hosted mail or web servers, you should append -servername HOSTNAME, where HOSTNAME is the name you wish the OpenSSL command line to send during Server Name Indication (SNI) negotiation with the server; without it a shared host may hand back its default certificate rather than the one for the name you are checking. I have appended this to the subsequent commands.

Mail Hosts

# test command line for mail servers - set/replace $CUSTOMER_HOST and $MAIL_PORT
echo "HELO" | openssl s_client -connect $CUSTOMER_HOST:$MAIL_PORT -verify 5 -servername $CUSTOMER_HOST -CAfile $CA_FILE | grep "Verify return code"

HTTPS SSL Cert Hosts (e.g. for Jira integration SSL error problems)

# test command line for HTTPS SSL certs - set/replace $CUSTOMER_HOST and $SSL_PORT
echo "GET / HTTP/1.1" | openssl s_client -connect $CUSTOMER_HOST:$SSL_PORT -verify 5 -servername $CUSTOMER_HOST -CAfile $CA_FILE | grep "Verify return code"

Successful output

One example of a successful run would be this:

$ echo "HELO" | openssl s_client -connect imap.gmail.com:993 -verify 5 -servername imap.gmail.com -CAfile ${CA_FILE} | grep "Verify return code"
verify depth is 5
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
verify return:1
    Verify return code: 0 (ok)
DONE

Note the Verify return code: 0 (ok) line in the output.

Unsuccessful cases

Here is an example of output that shows unsuccessful verification of the host's SSL/TLS certificate:

$ echo "HELO" | openssl s_client -connect imap.gmail.com:993 -verify 5 -servername imap.gmail.com | grep "Verify return code"
verify depth is 5
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
verify return:1
    Verify return code: 27 (certificate not trusted)
DONE

Note: this command line is missing the -CAfile PATH option, which is important to have on OS X with the above installation. Without it the output is erroneous, like above: OpenSSL cannot find the issuer certificate (verify error 20) and therefore reports the chain as not trusted (return code 27) even though the server's certificate is fine. To fix this, just add the -CAfile $CA_FILE part of the command line before the last pipe to grep.

There are many more possible return codes than 0 and 27. These include the following more common ones:

  • 10 (certificate has expired)
  • 18 (self signed certificate)
  • 19 (self signed certificate in certificate chain)
  • 21 (unable to verify the first certificate)
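As an added example (not part of the original gist): a small POSIX shell script that wraps the s_client command lines above, pulls out the Verify return code line, and maps the codes listed here to a short triage hint. The function names (verify_code, explain_code, check_host) are my own; check_host needs network access and the CA_FILE variable from the Installation section, while the two sample transcripts are constructed from the outputs above so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not the gist's own code. Parses `openssl s_client` output and
# explains the common "Verify return code" values from the cheatsheet.

# Read s_client output on stdin and print only the numeric verify return code.
# The line looks like "    Verify return code: 27 (certificate not trusted)".
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (.*)$/\1/p'
}

# Map a verify return code to a triage hint for support staff.
explain_code() {
  case "$1" in
    0)  echo "ok: chain verified against the CA bundle" ;;
    10) echo "certificate has expired: check the notAfter date on the server cert" ;;
    18) echo "self signed certificate: the leaf is self-signed and not in the CA bundle" ;;
    19) echo "self signed certificate in certificate chain: private root not in the CA bundle" ;;
    20) echo "unable to get local issuer certificate: -CAfile missing or intermediate not trusted" ;;
    21) echo "unable to verify the first certificate: server sent the leaf without its intermediate" ;;
    27) echo "certificate not trusted: usually follows error 20; check the -CAfile path" ;;
    *)  echo "code $1: not in the cheatsheet, see the openssl verify man page" ;;
  esac
}

# Live check (needs network): same s_client invocation as the cheatsheet,
# with SNI set to the host and the CA bundle from $CA_FILE.
check_host() {
  host=$1
  port=${2:-443}
  code=$(echo "GET / HTTP/1.1" | openssl s_client -connect "$host:$port" \
          -verify 5 -servername "$host" -CAfile "${CA_FILE:?set CA_FILE first}" \
          2>/dev/null | verify_code)
  explain_code "${code:-unknown}"
}

# Constructed sample transcripts (taken from the outputs shown above).
SAMPLE_OK='verify depth is 5
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
verify return:1
    Verify return code: 0 (ok)
DONE'

SAMPLE_BAD='verify depth is 5
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
    Verify return code: 27 (certificate not trusted)
DONE'

# Triage a saved transcript: print the code and its explanation.
triage_transcript() {
  code=$(printf '%s\n' "$1" | verify_code)
  echo "$code: $(explain_code "$code")"
}

triage_transcript "$SAMPLE_OK"
triage_transcript "$SAMPLE_BAD"
```

Run it as-is to see the two samples triaged; call check_host mail.example.com 993 (or any host and port) for a live check once CA_FILE is exported. Note that s_client writes the depth= and verify error lines to stderr, which is why the cheatsheet's grep on stdout still shows them; the script discards stderr and keeps only the final return code.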