openssl 1.0 vs 1.1 s_client verify CA cert expiration

nate openssl at
Thu Sep 30 19:34:32 UTC 2021

On 2021-09-30 11:36, Viktor Dukhovni wrote:

> Ah, you also need to add "-showcerts" to s_client and best to separate
> stdout and stderr in order to avoid confusion due to error text leaking
> through, sender stderr to /dev/null:
>   $ openssl s_client -showcerts \
>         -connect bad_server_name:443 \
>         -servername bad_server_name 2>/dev/null |
>     openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
>     openssl pkcs7 -print_certs -noout -text |
>     egrep 'not(Before|After)'
> or write the errors to a separate file.

That almost worked.. but because the first openssl command
never completes the other commands just wait..

I poked around and found that sending Q to the command gets it
to exit so I came up with this:

echo "Q" | openssl s_client -showcerts -connect 
  -servername 2>/dev/null |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -print_certs -noout -text |
grep "\(Issuer:\|Subject:\|Not Before:\|Not After :\)"

which does the trick for me, used one of my personal servers to test

thanks for the help!


More information about the openssl-users mailing list