OpenSSL: a secure telnet client

Boris HUISGEN
The openssl command includes a secure telnet client. It is very useful for testing connections to servers secured with SSL/TLS.
The command is simple to use:
$ openssl s_client -connect host:443
The console output lets you diagnose the SSL certificate and its chain of certificate authorities.
Example for this website:
$ echo | openssl s_client -connect blog.hbis.fr:443
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.hbis.fr
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
subject=CN = *.hbis.fr
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3159 bytes and written 753 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
To quickly extract the certificate's validity start and expiry dates, the following command is useful:
$ echo | openssl s_client -connect blog.hbis.fr:443 2>/dev/null | \
openssl x509 -noout -dates
notBefore=Dec 12 10:17:02 2020 GMT
notAfter=Mar 12 10:17:02 2021 GMT
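An added example (not from the post) that wraps the pipeline above in Python: it parses the notBefore/notAfter lines, which openssl prints with a space-padded day, and classifies the certificate as ok, expiring, expired or not-yet-valid against a given clock. It assumes openssl is on PATH and adds -servername so the server receives the SNI name; the embedded sample output is constructed from the values shown above.

```python
import subprocess
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates` output (values taken from the post).
SAMPLE_DATES_OUTPUT = """notBefore=Dec 12 10:17:02 2020 GMT
notAfter=Mar 12 10:17:02 2021 GMT
"""

def parse_openssl_date(text: str) -> datetime:
    """Parse 'Mar 12 10:17:02 2021 GMT' (openssl pads single-digit days with a space)."""
    normalized = " ".join(text.split())            # "Dec  2 ..." -> "Dec 2 ..."
    if not normalized.endswith(" GMT"):
        raise ValueError(f"unexpected timezone in {text!r}")
    naive = datetime.strptime(normalized[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_dates_output(output: str) -> dict:
    """Turn the notBefore=/notAfter= lines into timezone-aware datetimes."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = parse_openssl_date(value)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("notBefore/notAfter not found in openssl output")
    return dates

def validity_status(dates: dict, now: datetime, warn_days: int = 14) -> tuple:
    """Return (status, days_left) where status is ok|expiring|expired|not-yet-valid."""
    days_left = (dates["notAfter"] - now).days
    if now < dates["notBefore"]:
        return "not-yet-valid", days_left
    if now >= dates["notAfter"]:
        return "expired", days_left
    return ("expiring" if days_left < warn_days else "ok"), days_left

def fetch_dates(host: str, port: int = 443) -> dict:
    """Run the post's pipeline against a live server; -servername sets SNI (needs network)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True, check=True)
    return parse_dates_output(x509.stdout.decode())

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "blog.hbis.fr"
    print(host, *validity_status(fetch_dates(host), datetime.now(timezone.utc)))
```

The post's own certificate spans exactly 90 days, the Let's Encrypt lifetime, so a 14-day warning window leaves time to renew before the expiry shown above.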