[BlueOnyx:18606] Re: How to test your SSL certs?

Larry Smith lesmith at ecsis.net
Wed Oct 28 19:31:10 -05 2015


Michael,

  Thanks, regrettably the ssllabs only checks port 443 and you cannot specify
any other ports.  I found sslchecker.com which does allow one to specify the
port, but it also says "no certificate found".  This is on a fully patched 
5108R with self-signed certificate.  On a fairly new 5208R I get the same 
thing - which is why I asked how to check.

-- 
Larry Smith
lesmith at ecsis.net

On Wed October 28 2015 19:05, Michael Stauber wrote:
> Hi Larry,
>
> > Ok, probably a silly question, but I have run various sslcheckers on
> > several of my servers, used port 81, and port 444 and each comes back and
> > tells me that no certificate was found.  What is the secret sauce to get
> > your SSL cert?
>
> The usual SSL checkers just check port 443 as that is where SSL is
> usually used.
>
> A good SSL checker is this one: https://www.ssllabs.com/ssltest/
>
> It tells you all you need to know about the SSL on your public webserver.
>
> As for the GUI and its own SSL?
>
> Port 444 uses the HTTP protocol. Port 81 uses HTTPS. So if you want to
> test the SSL there you would run the tester against port 81.
>
> To test that you can use "openssl" from the command line like this:
>
> openssl s_client -connect 5209r.smd.net:81 -state -debug
>
> It will show you everything that happens during the connect state such
> as the protocol negotiation and the certificate exchange. At the end you
> see the results:
>
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: 1AF540FB925C1B64FF1A3D0DCD021F91E3EFE595B4413401934CEF626FC526D0
>     Session-ID-ctx:
>     Master-Key: 16EB1837FE0BA67AAA8D7D759ED65B858728E0B218D1DE1BB2BF8D19586A85268DE7546B651611E074A164A79A0D9A9B
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>
> The self-signed SSL certificate for the GUI is generated
> automatically during initial setup of BlueOnyx. But you can re-generate
> it (or install a real SSL certificate) via the GUI. You do that via
> "Server Management" / "Security" / "SSL".
>
> There is currently a bug in the mod-ssl for 5207R, 5208R, 5209R which
> might result in the GUI page telling "There is currently no certificate
> for this site." Although there sure *is* a certificate present for the GUI.
>
> I'll fix this in an update today or tomorrow.
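
Added example (not part of the original thread and not BlueOnyx code): a shell helper that reads `openssl s_client` output on stdin and tells apart the two cases discussed above, a port that presents no certificate and a port that presents a self-signed one. The function name, exit codes and both sample inputs are constructed for illustration; in real use, pipe `openssl s_client -connect HOST:PORT </dev/null 2>&1` into `tls_summary`.

```shell
#!/bin/sh
# Summarise `openssl s_client` output read on stdin (hypothetical helper).
# Exit status: 0 = certificate seen, 1 = legacy protocol, 2 = no certificate.
tls_summary() {
    awk '
        /no peer certificate available/ { nocert = 1 }
        /^Server public key is/         { bits = $5 + 0 }
        /^ *Protocol *:/                { proto = $NF }
        /^ *Cipher *:/                  { cipher = $NF }
        /Verify return code:/           { code = $4 }
        END {
            if (nocert || proto == "") { print "status=no-certificate"; exit 2 }
            status = "unverified"
            if (code == "0") status = "verified"
            # 18 and 19 are the X.509 verify codes for self-signed leaf / chain
            if (code == "18" || code == "19") status = "self-signed"
            weak = (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
            printf "status=%s protocol=%s cipher=%s keybits=%d weak=%s\n",
                   status, proto, cipher, bits, (weak ? "yes" : "no")
            exit weak
        }'
}

# Constructed sample: the summary quoted in the thread plus the verify line
# that s_client prints for a self-signed certificate.
sample_self_signed() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
EOF
}

# Constructed sample: what s_client reports when the port does not speak TLS.
sample_plain_http() {
    cat <<'EOF'
CONNECTED(00000003)
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
EOF
}

sample_self_signed | tls_summary
```

A "no-certificate" result means the handshake never produced a certificate, which points at the wrong port or a non-TLS listener rather than at the certificate itself.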


