![]() ![]() Soon enough I was regarded as some sort of black wizard for having the ability to "predict", within seconds of receiving endpoint information, what exact browser warnings a clients customers might expect to see. I quickly downloaded a Win32 port of the openssl binaries and started playing with the s_client and x509 contexts, and compared the output to the behavior i was seeing in different browsers. ![]() Say what? At that point I'd naively assumed - having known no other way to do it - that you needed a browser to diagnose configuration issues with certificates (open browser -> navigate to endpoint -> observe potential browser error or open the certificate UI from the browser). "Identify the tools that help you get the job done truly familiarize yourself with them"Īfter shadowing one of our unix admins months prior, I'd noticed that he managed to print the full SSL certificate associated with an SSL-terminated non-HTTP endpoint using the openssl command line tool: openssl s_client -connect somefqdn:1234 -showcerts One of the most important lessons I learned early on through this experience can be summed up as: So, the career I thought I'd left behind kept haunting me, and I ended up becoming the "web security" person of interest at my then-employer, and got the responsibility of optimizing our SSL Certificate sales and deployment processes, along with another junior Sysadmin.įiguring out what tools and processes best fit the needs of our clients, negotiating re-selling contracts with vendors, and designing (and sometimes building) a lot of the tooling and automation required for it was a great experience, as it pushed me to challenge my own understanding of the intracacies of PKI, X509 and SSL/TLS - my head almost exploded (10-12 years later, I'm still not sure I'd consider myself an X509 or TLS "expert"). And of course all our big enterprise clients had public facing websites, intranet portals, extranet platforms and so on. In any case, the company I was working for went bankrupt in early 2008, just as I was getting ready to drop out of high school and work full time, yay! It left me slightly bitter, and so I sought out new challenges, working at a large managed hosting provider-type company and thought to myself, smugly, that I'd never have to worry about web stuff again.Īt the same time however, everyone else took a great deal of interest in all things web, and all of a sudden HTTP was the new old hotness - not just on the web, but in highly specialized systems on closed-circuit enterprise networks as well. Well, it was actually JScript for all I knew, as we only had Windows 98 in my home growing up, and Internet Explorer 7 was the fanciest browser around when I first got the job. When I say javascript, I mean pure, unadulterated, stand-alone inline javascript - jQuery was not yet a thing. Many moons ago (in the naughts), before I figured out that you could make a legitimate career out of enterprise computering, I was obsessed with web development - so much in fact that the first real tech gig I got, my job was to write CSS(2) stylesheets from scratch and implement dynamic menu animation behavior in javascript. One of my favorite SSL/TLS troubleshooting tools is the openssl s_client CLI context - but what if I want to pull peer certificate information from a client that doesn't have openssl binaries installed? Can we get similar functionality out of say, PowerShell 5.1 or PowerShell 7 on a vanilla Win10? Let's find out! A glimpse into the long-long-ago $ 2>&1 openssl s_client -connect localhost:443 -servername local.bar.← graceful is noforce openssl s_client. This option cannot be used in conjunction with -noservername.įor example (for a test server running on localhost): $ 2>&1 openssl s_client -connect localhost:443 -servername | grep "^subject" This is the default since OpenSSL 1.1.1.Įven though SNI should normally be a DNS name and not an IP address, if -servername is provided then that name will be sent, regardless of whether it is a DNS name or not. If -connect is not provided either, the SNI is set to “localhost”. If -servername is not provided, the TLS SNI extension will be populated with the name given to -connect if it follows a DNS name format. Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. When testing network connections to a server using the TLS SNI extension to allow a single IP address to respond with different certificates the openssl s_client program supports this with the -servername command-line option: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |