Just because you are able to connect to a TLS server, that doesn’t mean that the service is configured correctly, even if the server supports all the right protocols and cipher suites. It is equally important that the configured certificate matches the correct DNS names.
By default, the
s_client tool reports but otherwise ignores certificate issues. Further, before you begin to trust its judgment you need to be confident that it can recognize a valid certificate when it sees one. This is especially true when you’re using a custom-compiled binary.
In the example from the previous section, the verification status code (shown on the penultimate line) was
0, which means that the verification has been successful. If you’re connecting to a server that has a valid public certificate but you see status
20 instead, that probably means that trusted roots haven’t been correctly configured:
Verify return code: 20 (unable to get local issuer certificate)
At this point, if you don’t wish to fix your OpenSSL installation, you can instead use the
-CApath switch to point to the location where the roots are kept. For example:
$ openssl s_client -connect www.feistyduck.com:443 -CApath /etc/ssl/certs/
If you instead have a single file with the roots in it, use the
$ openssl s_client -connect www.feistyduck.com:443 \ -CAfile /etc/ssl/certs/ca-certificates.crt
Even if you get a successful status code at this point, that doesn’t mean that the certificate is correctly configured. That’s because the
s_client tool doesn’t check that the certificate is correct for the given hostname; you have to tell it to do that manually and tell it which hostname to use:
$ openssl s_client -connect www.feistyduck.com:443 -verify_hostname www.feistyduck.com
If there is a mismatch, you might see status code 62:
Verify return code: 62 (Hostname mismatch)
Otherwise, you’ll see the familiar status code
0. In the rare instance that you need to verify a certificate that has been issued for an IP address instead of a hostname, you’ll need to use the
-verify_ip switch for the verification.