Using '-servername' param with openssl s_client

6
votes

I am installing a new SSL certificate on Centos6/Apache and my web browser keeps picking up the old certificate. To test my setup, I am using "openssl s_client" but I am seeing different results based on the "-servername" parameter. No one seems to us this parameter and it does not appear in the man pages but I saw it mentioned here OpenSSL: Check SSL Certificate Expiration Date and More .

If I run this command:

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

I get the correct date for the certificate.

(notBefore=Apr 20 00:00:00 2017 GMT notAfter=Apr 20 23:59:59 2018 GMT)

However, if I intruduce the -servername parameter into the commmand

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

I then get the expired date that my browser is showing -

(notBefore=Apr 20 00:00:00 2016 GMT notAfter=Apr 20 23:59:59 2017 GMT)

Can anyone explain why this is happening, as this must be related to the reason why my SSL certificate shows as expired in my browser.

Thanks O

1
apachesslopensslcentos6
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops? - jww
You usually need to use one of the -tls switches with -servername. SNI is a TLS 1.0 (and above) extension. - jww

1 Answers

17
votes

The servername argument to s_client is documented (briefly) on this page:

https://www.openssl.org/docs/man1.0.2/apps/s_client.html

Essentially it works a little like a "Host" header in HTTP, i.e. it causes the requested domain name to be passed as part of the SSL/TLS handshake (in the SNI - Server Name Indication extension). A server can then host multiple domains behind a single IP. It will respond with the appropriate certificate based on the requested domain name.

If you do not request a specific domain name the server does not know which certificate to give you, so you end up with a default one. In your case one of the certificates that the server is serving up for your domain has expired, but the default certificate has not.

You need to make sure you are updating the correct VirtualHost entry for your domain, e.g. see:

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm