My new favorite tool for looking at TLS things is
For a long time I've used the OpenSSL command line tools to do
things like looking at certificates and chasing
certificate chains (although OpenSSL is
no longer what you want to use to make self-signed certificates). This works, and is in many ways
the canonical and most complete way to do this sort of stuff, but
if you've ever used the
openssl command and its many sub-options
you know that it's kind of a pain in the rear. As a result of this,
for some years now I've been using Square's
certigo command instead.
Certigo has two main uses. My most common case is to connect to some TLS-using service to see what its active certificate and certificate chain is (and try to verify it), as well as some TLS connection details:
$ certigo connect www.cs.toronto.edu:https ** TLS Connection ** Version: TLS 1.2 Cipher Suite: ECDHE_RSA key exchange, AES_128_GCM_SHA256 cipher ** CERTIFICATE 1 ** Valid: 2018-04-17 00:00 UTC to 2020-04-16 23:59 UTC Subject: [...]
Certigo will attempt to verify the certificate's OCSP status, but some OCSP verifiers seem to dislike its queries. In particular, I've never seen it succeed with Let's Encrypt certificates; it appears to always report 'ocsp: error from server: unauthorized'.
(Some digging suggest that Certigo is getting this 'unauthorized' response when it queries the OCSP status of the intermediate Let's Encrypt certificate.)
Certigo can connect to things that need STARTTLS using a variety of protocols, including SMTP but unfortunately not (yet) IMAP. For example:
$ certigo connect -t smtp smtp.cs.toronto.edu:smtp
(Fortunately IMAP servers usually also listen on
imaps, port 993,
which is TLS from the start.)
My other and less frequent use of Certigo is to dump the details
of a particular certificate that I have sitting around on disk,
certigo dump ...'. If you're dumping a certificate that's
in anything except PEM format, you may have to tell Certigo what
format it's in.
Certigo also has a '
certigo verify' operation that will attempt
to verify a certificate chain that you provide it (against a
particular host name). I don't find myself using this very much,
because it's not necessarily representative of what either browsers
or other sorts of clients are going to do (partly because it uses
your local OS's root certificate store, which is not necessarily
anything like what other programs will use). Generally if I want
to see a client-based view of how a HTTPS server's certificate chain
looks, I turn to the SSL server test from Qualys SSL Labs.
All Certigo sub-commands take a '
-v' argument to make them report
more detailed things. Their normal output is relatively minimal,
although not completely so.
Certigo is written in Go and uses Go's standard libraries for TLS, which means that it's limited to the TLS ciphers that Go supports. As a result I tend to not pay too much attention to the initial connection report unless it claims something pretty unusual.
(It also turns out that you can get internal errors in Certigo if you compile it with the very latest development version of Go, which may have added TLS ciphers that Certigo doesn't yet have names for. The moral here is likely that if you compile anything with bleeding edge, not yet released Go versions, you get to keep both pieces if something breaks.)