Diagnosing an SSL certificate problem

Although SSL certificates have become far more widespread in recent years, largely thanks to offers at decent prices, installing them is not always easy, especially the first time.

I recently discovered a very handy tool for diagnosing possible problems with an SSL certificate installation: the openssl command with the s_client argument, used as follows:

# openssl s_client -connect domaine.tld:443

Run against the Verisign site, it gives this:

# openssl s_client -connect www.verisign.com:443
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=2497886/C=US/postalCode=94043/ST=California/L=Mountain View/streetAddress=487 East Middlefield Road/O=VeriSign, Inc./OU=Production Security Services/CN=www.verisign.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate data omitted]
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=2497886/C=US/postalCode=94043/ST=California/L=Mountain View/streetAddress=487 East Middlefield Road/O=VeriSign, Inc./OU=Production Security Services/CN=www.verisign.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5111 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: 409F900979983A704652A6A5316B5B24A9C102F88510F7E5790B9A07CC291DE6
    Session-ID-ctx:
    Master-Key: 234956F9E973E8A68E1AC7A55027F3FD998D2BB3365EC88DD59C6CD6E5ECE183265F5C5C7C6AF7072175E0D5FD73BB2E
    Key-Arg   : None
    Start Time: 1248899046
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
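
An added example, not part of the original post: a shell function that reads s_client output like the one above, checks that each issuer (i:) line in the "Certificate chain" block is the subject (s:) of the next certificate sent, and reports the verify return code. The sample() helper and the example.test names are constructed for illustration.

```shell
#!/bin/sh
# check_chain: read `openssl s_client` output on stdin, check that every issuer (i:)
# in the "Certificate chain" block is the subject (s:) of the next entry, and
# report the final verify code. Exit status 0 means contiguous chain and code 0.
# Live use: openssl s_client -connect domaine.tld:443 </dev/null 2>/dev/null | check_chain
check_chain() {
    awk '
    { sub(/[ \t\r]+$/, "") }                       # drop trailing blanks / CR
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    /Verify return code:/      { sub(/^.*Verify return code: */, ""); code = $0 }
    END {
        bad = 0
        for (k = 1; k < n; k++)
            if (iss[k] != subj[k + 1]) {
                printf "BROKEN %d->%d: issuer \"%s\" is not the next subject\n", k - 1, k, iss[k]
                bad = 1
            }
        if (n > 0 && iss[n] == subj[n])
            print "NOTE: last certificate sent is self-signed (root sent by server)"
        print "VERIFY: " (code == "" ? "not found" : code)
        exit ((bad || code !~ /^0 /) ? 1 : 0)
    }'
}

# Constructed s_client excerpt (not real output):
# $1 = subject of the second certificate sent, $2 = text of the verify line.
sample() {
cat <<EOF
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:$1
   i:/CN=Example Root CA
---
    Verify return code: $2
EOF
}

# A complete chain, then the same site with the intermediate left out of the server bundle.
sample "/CN=Example Intermediate CA" "0 (ok)" | check_chain
sample "/CN=Example Root CA" "20 (unable to get local issuer certificate)" | check_chain || true
```
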