Verification of TCP port 443 (https) access with openssl
In this article, we show how to test the HTTPS access to a webserver on TCP port 443 with openssl.
HTTPS protocol basics
Apart from the encryption, HTTPS works like HTTP. With the openssl command, we build the encrypted connection ourselves, so plain-text commands can then be used to test the encrypted HTTP connection (see Verifying TCP port 80 (http) access with telnet).
Example
In the following example, an encrypted connection to www.thomas-krenn.com is established and then the homepage is accessed.
The following commands are issued for this purpose:
- Establishing the encrypted connection:
  openssl s_client -connect www.thomas-krenn.com:https
- Retrieval of HTTP content:
  GET / HTTP/1.1
  HOST: www.thomas-krenn.com
Here is the example output:
$ openssl s_client -connect www.thomas-krenn.com:https
CONNECTED(00000003)
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust EV SSL CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Passau/businessCategory=Private Organization/serialNumber=HRB 6790/C=DE/ST=Bayern/L=Freyung/O=Thomas-Krenn.AG/OU=IT-Administration/CN=www.thomas-krenn.com
i:/C=US/O=GeoTrust Inc./CN=GeoTrust EV SSL CA - G4
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust EV SSL CA - G4
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQdsLl6S/15DX24whVp+PEkzANBgkqhkiG9w0BAQsFADBH
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMX
[...]
Dt9LEG3mekCVMa1ARwHkud6xhk7aDTcyP7YVTWaBzV/B2+UhdiUsB+J+hkvHFpmU
DDnFHKD0wrk2I2DrUJ8DX+ips8XD37LZZni2zL3Z9eGJ7p4+eocKLK0dADIRF8eU
SaScUc2R8xE=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Passau/businessCategory=Private Organization/serialNumber=HRB 6790/C=DE/ST=Bayern/L=Freyung/O=Thomas-Krenn.AG/OU=IT-Administration/CN=www.thomas-krenn.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust EV SSL CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3216 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7C[...]35
Session-ID-ctx:
Master-Key: 04[...]75
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 76 f0 73 36 87 29 34 9c-02 2c 16 17 62 77 2b 51 v.s6.)4..,..bw+Q
0010 - 69 97 7e 29 7f 8b ee b4-70 07 e5 b9 6b e2 1a b5 i.~)....p...k...
[...]
0090 - 7b 8e 0d 94 7a 60 d7 45-d2 af 21 2a df 72 90 cc {...z`.E..!*.r..
00a0 - 5f 67 f8 b4 00 54 e1 8c-4a 3c d1 b9 7f 64 7c 99 _g...T..J<...d|.
Start Time: 1440680775
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
GET / HTTP/1.1
HOST: www.thomas-krenn.com
HTTP/1.1 200 OK
Date: Thu, 27 Aug 2015 13:06:26 GMT
Server: Apache
Strict-Transport-Security: max-age=2592000
Set-Cookie: TKID=73l3kuh9r4s1veqmg7395dm9r3; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tk_country_code=at; expires=Sat, 26-Sep-2015 13:06:26 GMT; path=/
X-Frame-Options: SAMEORIGIN
Set-Cookie: REDX_RESPONSIVE_DESKTOP=1; expires=Sat, 26-Sep-2015 13:06:26 GMT; path=/; domain=www.thomas-krenn.com
Set-Cookie: copol_www_thomas-krenn_com_optout=accepted; expires=Thu, 27-Aug-2015 13:06:56 GMT; path=/; domain=www.thomas-krenn.com
Vary: Accept-Encoding
Content-Type: text/html; UTF-8; charset=UTF-8
X-Varnish: 10450364
Age: 0
Via: 1.1 varnish-v4
X-Cache: MISS
Transfer-Encoding: chunked
Connection: keep-alive
Accept-Ranges: bytes
0014000
<!DOCTYPE html>
<html lang="de" class="no-responsive"><head>
[...]
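The same check as a script, added here as an example and not part of the original article: it sends the request non-interactively and reduces the s_client output to protocol, cipher, verify return code and HTTP status. The function names and the sample transcript (modelled on the output above) are constructed; since s_client carries on after a failed verification, the result only counts as passed when the verify return code is 0.

```shell
#!/bin/sh
# Added example, not from the original article. All function names are hypothetical.

# The request typed by hand above, with CRLF line endings; "Connection: close"
# makes the server end the session so s_client exits on its own.
http_request() {
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"
}

# Reduce an s_client transcript (stdin) to one line; the first match of each field wins.
s_client_summary() {
    awk '
        /^ *Protocol *:/ && !fp { p = $NF; fp = 1 }
        /^ *Cipher *:/ && !fc { c = $NF; fc = 1 }
        /Verify return code:/ && !fv { sub(/^.*Verify return code: */, ""); v = $1; fv = 1 }
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ && !fh { h = $2; fh = 1 }
        END {
            printf "protocol=%s cipher=%s verify=%s http=%s\n",
                (fp ? p : "none"), (fc ? c : "none"), (fv ? v : "none"), (fh ? h : "none")
        }'
}

# Pass only if the certificate chain verified (code 0) AND an HTTP status came back.
summary_ok() {
    case "$1" in
        *" verify=0 http="[1-5][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe (needs network access): -servername sends SNI, -ign_eof keeps the
# connection open after the request has been written so the response is read.
probe_https() {
    http_request "$1" |
        openssl s_client -connect "$1:443" -servername "$1" -ign_eof 2>/dev/null |
        s_client_summary
}

# Constructed transcript, shortened from the example output in this article.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.1 200 OK
EOF
}
```

For the article's output the summary reports verify=20 together with http=200, so `summary_ok` rejects it: the page was delivered, but the certificate chain was not validated against a local CA store.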
More information
- Configuration of Apache and OpenSSL for Forward Secrecy #test Cipher Suites (Thomas-Krenn-Wiki)
- s_client - SSL/TLS client program (www.openssl.org/docs)
Author: Werner Fischer
Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.

Translator: Alina Ranzinger
Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took up her job as assistant in Product Management and is responsible for the translation of texts and for the organisation of the department.


