openssl 1.0 vs 1.1 s_client verify CA cert expiration
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Sep 30 19:55:03 UTC 2021
> On 30 Sep 2021, at 3:34 pm, nate <openssl at linuxpowered.net> wrote:
>
>> $ openssl s_client -showcerts \
>> -connect bad_server_name:443 \
>> -servername bad_server_name 2>/dev/null |
>> openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
>> openssl pkcs7 -print_certs -noout -text |
>> egrep 'Not (Before|After)'
>> or write the errors to a separate file.
>
>
> That almost worked.. but because the first openssl command
> never completes the other commands just wait..
>
> I poked around and found that sending Q to the command gets it
> to exit so I came up with this:
>
> echo "Q" | [...]
True, I forgot that I usually write:
$ sleep 2 | openssl s_client ...
which generally gives s_client enough time to complete the handshake,
and then it exits when it sees EOF on stdin. The "Q" is perhaps cleaner.
--
Viktor.
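
Added example, not part of the messages in this thread: a shell function that takes the s_client -showcerts output produced by the pipelines above and reports, for each certificate in the chain, whether it has expired. The function name chain_dates and the hostname in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# chain_dates (hypothetical name): read `openssl s_client -showcerts` output
# on stdin and print one line per certificate: state | notAfter | subject.
chain_dates() {
    tmpdir=$(mktemp -d) || return 1
    # Split the stream into one PEM file per certificate, skipping the
    # handshake chatter that s_client prints around the PEM blocks.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > (out) }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    '
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject)
        end=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend 0 exits non-zero when the certificate is already expired.
        if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            state=valid
        else
            state=EXPIRED
        fi
        printf '%s | %s | %s\n' "$state" "$end" "$subject"
    done
    rm -rf "$tmpdir"
}

# Usage against a live server (server.example is a placeholder). The "Q" on
# stdin makes s_client exit after the handshake, as discussed in the thread:
#   echo "Q" | openssl s_client -showcerts -connect server.example:443 \
#       -servername server.example 2>/dev/null | chain_dates
```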