Test SSL / TLS with GnuTLS from the Command Line

Introduction

In this tutorial we are going to use gnutls-cli to test SSL/TLS connection from the command line. Some people could use telnet or netcat, however this command will do the proper handshake and retrieve information about the certificate. For testing SSL we are going to use openssl. The gnutls-cli command is simple client program to set up a TLS connection to some other computer. It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa. OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer ( SSL v2/v3) and Transport Layer Security ( TLS v1) network protocols

Step 1: Install

Use apt to install gnutls-cli and openssl:

sudo apt install gnutls-bin openssl

For Redhat or Fedora:

sudo yum install gnutls-utils openssl

Testing SSL

For testing SSL we are goign to use s_client with the openssl command:

openssl s_client -connect www.google.com:443

The output will provide a lot of information:

ONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIIYXVTXYe/lLYwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODA2MTkxMTQwNDlaFw0x
ODA4MjgxMTMyMDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw
FQYDVQQDDA53d3cuZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALdwHKnncaMpblvpBxdOvhwnXXLKOGDV34W+KgETBqECFuGtDy6mz5ze
dc/fF4pOhgCzeTzrq2QLC8SIN2TPI6svHRzhToncCmT4WPjh/FrIfIZrw2z4YkZO
B7vHpfEG4VKW5df4GdJYQzXojTEB/1Ygh2bKSXI5ixyCxZmCfwW8yC4aqzRYU2JC
Kp7iv6Ku22GN0DySr3j+ZnJqF5p944+ulm5G6wbELJm5Tium4CebqSYdoc7umhON
5mAOi+Vyz/d02tP4ZNgVX0OZSS7vLaHNCIt5z3fMfY3txk5leAtJqXkrJOOXxphG
OCh/523XxgEWkWcThCKT5t/WNGdxBz0CAwEAAaOCAUIwggE+MBMGA1UdJQQMMAoG
CCsGAQUFBwMBMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMGgGCCsGAQUFBwEB
BFwwWjAtBggrBgEFBQcwAoYhaHR0cDovL3BraS5nb29nL2dzcjIvR1RTR0lBRzMu
Y3J0MCkGCCsGAQUFBzABhh1odHRwOi8vb2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAd
BgNVHQ4EFgQUHAP6eDGx4jvgTOmtVopa1EsbD/IwDAYDVR0TAQH/BAIwADAfBgNV
HSMEGDAWgBR3wrhQmmd2drEtwobQg6B+pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB
1nkCBQMwCAYGZ4EMAQICMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtp
Lmdvb2cvR1RTR0lBRzMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCvclrI29RpE7BM
S2PLs9VJIUaqrgTbiuS9Smz5Ij7roHiS+vzdQesh92omENwKeiLbDlWWgvBUXbbl
mDlAtQOV2cqOIXlxVKe6Ntwah4poX2G32pXEa0nPoOYqrThzNDITDbhQD3v1X3J5
XT/387tvl9661DNLp3jXqGdQTPvHK+tvSMovWibK6Q50Me0uonqxj5FQJ5uW8V32
I1EbLtjr8HOsWqsVnF0+HZyqURwng8izCMUsVIjMffyyqul+2a0T+S+N3JSDARh8
KjdRYiMTLUmNqJGwas3qNvln/Qt74GciRqhXdOsWgvB0Wh3oVfPhpw5AqHpxUyk+
mQDr1Ja4
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
---
SSL handshake has read 2986 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 81C44F06288F391DF7A08DF9FA8728FFE4F9E175D9C8DDAA2AE10C3E0F1796FB
    Session-ID-ctx:
    Master-Key: 4AA37FB4365FE2B37ED0DCF0C06D9F6D0298046C36E0A5E37D6CDFDF02616F6FE4B1655C1A72B1ACCD1C201A9076B868
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 75 78 bf ca aa 97 9c-b8 85 6f f3 b8 48 22 86   .ux.......o..H".
    0010 - 2f a6 1f 44 cd ea a0 eb-f5 12 dd ce f8 27 cb 08   /..D.........'..
    0020 - 1c 0f 5e 77 15 e5 78 9c-eb ef 21 0a 4d 4e 1b 50   ..^w..x...!.MN.P
    0030 - e5 db e2 6f 92 a2 c9 2b-1a 0f 30 ac 34 4e 37 57   ...o...+..0.4N7W
    0040 - 71 5e 36 64 15 35 66 10-a1 6f fd 60 21 5b 0a ee   q^6d.5f..o.`![..
    0050 - d5 bd ee 4d 6a bb 5c 46-07 ce b6 b9 25 9a c5 9e   ...Mj.\F....%...
    0060 - 8c 67 d8 56 aa 65 a9 89-47 34 98 50 9d 56 c1 c9   .g.V.e..G4.P.V..
    0070 - 7e 37 38 2a 09 a9 4b 93-b9 36 db ca 15 bf 2e 56   ~78*..K..6.....V
    0080 - 28 af 80 ec ef 28 9f 05-e5 1c ce 1a 5a 78 49 d4   (....(......ZxI.
    0090 - dc 62 2a 98 2d 99 5f 56-8e ab bd af b5 6d c9 99   .b*.-._V.....m..
    00a0 - e6 36 64 53 6b 82 74 c6-d3 39 d9 ae d2 d1 97 75   .6dSk.t..9.....u
    00b0 - 40 69 30 34 98 4c 32 3c-3f 2f ec 5e 1a 05 af 05   @i04.L2<?/.^....
    00c0 - fc 16 93 8c 2c ec 66 69-24 e6 00 ff cc 61 13 5d   ....,.fi$....a.]
    00d0 - c9 a4 b1 13 b1                                    .....

    Start Time: 1531600238
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Testing TLS

gnutls-cli -d 1 imap.gmail.com -p 993

gnutls-cli "-d" parameter is to specify the log level and "-p" is the port number. In the example we are checking googles imap server.

Here is a sample output of the command without debug level:


|<1>| There was a non-CA certificate in the trusted list: O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification Authority (2048).
Processed 170 CA certificate(s).
Resolving 'imap.gmail.com:993'...
Connecting to '64.233.190.109:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=imap.gmail.com,O=Google LLC,L=Mountain View,ST=California,C=US', issuer `CN=Google Internet Authority G3,O=Google Trust Services,C=US', serial 0x7b56c8c2401526c5, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-06-19 11:40:14 UTC', expires `2018-08-28 11:32:00 UTC', pin-sha256="2Un4NOrrwqvFyH82BJ6QNOIEmVi5cUquZNYN55rcP3Q="
    Public Key ID:
        sha1:065af6fcd6eb0b9bff6fbb2c990e8b8ffcb7f74f
        sha256:d949f834eaebc2abc5c87f36049e9034e2049958b9714aae64d60de79adc3f74
    Public Key PIN:
        pin-sha256:2Un4NOrrwqvFyH82BJ6QNOIEmVi5cUquZNYN55rcP3Q=
    Public key's random art:
        +--[ RSA 2048]----+
        |                 |
        |                 |
        |      +          |
        |     + +         |
        |    .   S        |
        |       . . .     |
        |          +.. o E|
        |        ..o+o*.o.|
        |         +=*B==*O|
        +-----------------+

- Certificate[1] info:
 - subject `CN=Google Internet Authority G3,O=Google Trust Services,C=US', issuer `CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2', serial 0x01e3a9301cfc7206383f9a531d, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-15 00:00:42 UTC', expires `2021-12-15 00:00:42 UTC', pin-sha256="f8NnEFZxQ4ExFOhSN7EiFWtiudZQVD2oY60uauV/n78="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(CHACHA20-POLY1305)
- Session ID: D5:1A:92:A2:81:AB:D8:9F:68:A3:A0:E0:BD:D0:F3:2F:F4:CB:F0:B5:5A:69:1C:DB:C4:6D:38:8C:55:D8:61:68
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: CHACHA20-POLY1305
- MAC: AEAD
- Compression: NULL
- Options: extended master secret, safe renegotiation,
- Handshake was completed

- Simple Client Mode: