Discussion:
Know Extended Key Usage
Akash Jain
2014-10-08 05:40:00 UTC
Hi,

How can I know the "Extended Key Usage" parameters of a remote SSL-enabled
site using OpenSSL?

Thanks,
Akash
Lewis Rosenthal
2014-10-08 06:40:13 UTC
Hi, Akash...
Does this help:

https://www.madboa.com/geek/openssl/#cert-retrieve

You could modify the one script there to something like:

#!/bin/sh
#
for CERT in \
    www.somesite.tld:443
do
    echo |\
    openssl s_client -connect "${CERT}" 2>/dev/null |\
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
    openssl x509 -noout -text
done

and filter the output of the -text param.

It's interesting that I can't seem to hit on a specific option to dump
just the extended key usage data.

Actually, as I was drafting this, I thought that perl might be a more
elegant way to go. Perhaps have a look at:

http://cpansearch.perl.org/src/MIKEM/Net-SSLeay-1.47/examples/x509_cert_details.pl

Anyone else have a suggestion?

Cheers
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
IRS Circular 230 Disclosure applies see www.2rosenthals.com
-------------------------------------------------------------
--
This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Akash Jain
2014-10-08 07:28:32 UTC
Thanks, Lewis!

I also used -

openssl s_client -showcerts -connect google.com:443 < /dev/null | \
    openssl x509 -outform PEM | \
    openssl x509 -noout -text | \
    grep -A1 "X509v3 Extended Key Usage"

Jakob Bohm
2014-10-08 12:43:39 UTC
I think you can safely omit the middle openssl command.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Lewis Rosenthal
2014-10-08 14:56:52 UTC
Hi, all...

Actually, Jakob, I think it's the second one (the first one after the
pipe) which can come out, i.e.:

openssl s_client -showcerts -connect google.com:443 < \
/dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"

which seems to produce a little less noise, but it's still not down to a
single line of output. Still, it's more elegant than what I cited, I think.

Cheers
--
Lewis
Jakob Bohm
2014-10-08 15:04:52 UTC
Yep, middle of 3 openssl commands in the pipeline...
Enjoy

Jakob
Dave Thompson
2014-10-13 21:57:57 UTC
Post by Lewis Rosenthal
Sent: Wednesday, October 08, 2014 10:57
Actually, Jakob, I think it's the second one (the first one after the
Yes.
Post by Lewis Rosenthal
openssl s_client -showcerts -connect google.com:443 < \
/dev/null | openssl x509 -noout -text | grep -A1 "X509v3 Extended Key Usage"
which seems to produce a little less noise, but it's still not down to a
single line of output. Still, it's more elegant than what I cited, I think.
The remaining noise is a few lines s_client writes to stderr.
Add 2>/dev/null, or 2>&1 and let the next stage discard it.
(I prefer the latter because it's the same Unix/Windows;
one less on the list of adjustments I must remember.)

Also the -showcerts is useless and misleading. x509 -noout -text
only decodes and displays the *first* cert in the s_client output,
so including and then ignoring the CA certs is just wasted.
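
The points made in the thread (no -showcerts, s_client's stderr discarded, only the first certificate decoded) put together as an added example; it is not code from any of the posters. The function names, the awk filter and the throwaway self-signed test certificates are assumptions made here.

```shell
#!/bin/sh
# Added example; function names and the .invalid subject are made up.
# OpenSSL 1.1.1+ can also print one extension directly:
#   openssl x509 -noout -ext extendedKeyUsage

# Read PEM on stdin and print the EKU purposes of the FIRST certificate
# (x509 never looks past it). Prints "(none)" if the extension is absent;
# returns 1 if stdin held no certificate, e.g. after a failed connection.
eku_from_pem() {
    text=$(openssl x509 -noout -text 2>/dev/null) || {
        echo "no certificate on stdin" >&2
        return 1
    }
    printf '%s\n' "$text" | awk '
        /X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; found = 1 }
        END { if (!found) print "(none)" }'
}

# Live use: eku_from_host www.somesite.tld [port]
# No -showcerts; s_client's stderr is discarded; -servername sends SNI.
eku_from_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null | eku_from_pem
}

# Constructed test input: a throwaway self-signed cert, with an EKU list
# taken from $1 when given (-addext needs OpenSSL 1.1.1 or later).
make_cert() {
    if [ -n "$1" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
            -subj "/CN=eku-demo.invalid" -days 1 \
            -addext "extendedKeyUsage=$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
            -subj "/CN=eku-demo.invalid" -days 1 2>/dev/null
    fi
}

# Offline demo on the constructed certificates.
leaf=$(make_cert "serverAuth,clientAuth")
other=$(make_cert "codeSigning")
printf '%s\n' "$leaf" | eku_from_pem
printf '%s\n%s\n' "$leaf" "$other" | eku_from_pem  # second cert is ignored
make_cert "" | eku_from_pem                        # no EKU extension
```

The non-zero return on empty input keeps an unreachable host from being reported as a certificate without the extension.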

