Using '-servername' param with openssl s_client


The servername argument to s_client is documented (briefly) on this page:

https://www.openssl.org/docs/man1.0.2/apps/s_client.html

Essentially it works a little like a "Host" header in HTTP, i.e. it causes the requested domain name to be passed as part of the SSL/TLS handshake (in the SNI - Server Name Indication extension). A server can then host multiple domains behind a single IP. It will respond with the appropriate certificate based on the requested domain name.

If you do not request a specific domain name the server does not know which certificate to give you, so you end up with a default one. In your case one of the certificates that the server is serving up for your domain has expired, but the default certificate has not.

You need to make sure you are updating the correct VirtualHost entry for your domain, e.g. see:

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

Author by user1398017

Updated on May 05, 2020
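Added example (not part of the answer above and not OpenSSL project code): a small Python script that performs the same two handshakes the question compares, with and without SNI, by setting or omitting `server_hostname` in Python's ssl module, then feeds the DER certificate to `openssl x509 -noout -dates` and parses the `notBefore`/`notAfter` lines exactly as printed. The host name in `__main__` is an assumed placeholder; the sample dates used in the checks are constructed from the question.

```python
import socket
import ssl
import subprocess
from datetime import datetime, timezone

# Format of the lines printed by `openssl x509 -noout -dates`, e.g.
#   notAfter=Apr 20 23:59:59 2017 GMT
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_dates(text):
    """Return {'notBefore': datetime, 'notAfter': datetime} (UTC) from `openssl x509 -dates` output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = datetime.strptime(value.strip(), DATE_FMT).replace(tzinfo=timezone.utc)
    return dates

def cert_status(text, now_iso=None):
    """Classify the validity window in `text` as 'valid', 'expired' or 'not yet valid'.
    now_iso (ISO 8601 with UTC offset) fixes the reference time for testing; default is now."""
    d = parse_dates(text)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now > d["notAfter"]:
        return "expired"
    if now < d["notBefore"]:
        return "not yet valid"
    return "valid"

def fetch_cert_dates_text(host, port=443, sni=True):
    """Handshake with or without SNI and return the leaf certificate's `-dates` text.
    Verification is disabled on purpose so an expired or mismatched cert can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname=None suppresses the SNI extension, like omitting -servername.
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            der = tls.getpeercert(binary_form=True)
    proc = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-dates"],
                          input=der, capture_output=True, check=True)
    return proc.stdout.decode()

def compare_sni(host, port=443):
    """Report the status of the default (no-SNI) cert and the SNI-selected cert, and whether they differ."""
    default = fetch_cert_dates_text(host, port, sni=False)
    named = fetch_cert_dates_text(host, port, sni=True)
    return {"default": cert_status(default), "sni": cert_status(named), "differ": default != named}

if __name__ == "__main__":
    print(compare_sni("example.com"))  # assumed placeholder; use the vhost under test
```

When `differ` is True and only the `sni` entry reads `expired`, the VirtualHost selected by name is the one still serving the old certificate, which is the situation described in the question.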

Comments

  • user1398017 almost 4 years

    I am installing a new SSL certificate on Centos6/Apache and my web browser keeps picking up the old certificate. To test my setup, I am using "openssl s_client" but I am seeing different results based on the "-servername" parameter. No one seems to use this parameter and it does not appear in the man pages, but I saw it mentioned here: OpenSSL: Check SSL Certificate Expiration Date and More.

    If I run this command:

    echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

    I get the correct date for the certificate.

    (notBefore=Apr 20 00:00:00 2017 GMT notAfter=Apr 20 23:59:59 2018 GMT)

    However, if I introduce the -servername parameter into the command

    echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

    I then get the expired date that my browser is showing -

    (notBefore=Apr 20 00:00:00 2016 GMT notAfter=Apr 20 23:59:59 2017 GMT)

    Can anyone explain why this is happening, as this must be related to the reason why my SSL certificate shows as expired in my browser.

    Thanks O

  • user1398017 almost 7 years
    Thanks Matt - that was the exact answer I needed. I looked at the man page link you sent me and without your explanation, I would have still been scratching my head. Thanks again!
  • Matt Caswell almost 7 years
    Great! Glad you got it sorted. Please could you mark my answer as correct?