Site icon The Introverted Engineer

SSL Certificate Validation Failing: Caveat to Using Openssl s_client

SSL Certificate Validation Failing: Caveat to Using Openssl s_client

If you're failing Vulnerability or PCI Compliance Scans but have a valid SSL certificate, here's the fix for you. Most likely nothing is wrong, it's simply a problem with the method of checking!

If you’re running multiple sites on a single server (using Server Name Indication), you might be running into issues using openssl s_client to validate your SSL certificate. Make sure you’re using the -servername flag, otherwise your verification may fail.

For example, when checking my blog, I needed to make sure I included everything here:

openssl s_client -showcerts -servername introvertedengineer.com -connect introvertedengineer.com:443

Why is SSL Verification Failing?

Since you most likely have multiple SSL certificates on your server, the openssl s_client tool doesn’t know which certificate to use, and instead uses a default certificate (which isn’t valid).

If you’re running into errors with your security or PCI compliance scans related to your SSL certificate, chances are this could be it. Some common errors you’ll get on those scans include:

  • 38173 – SSL Certificate – Signature Verification Failed Vulnerability
  • 38167 – SSL Certificate – Expired

Both of these issues are high severity and will cause your scan to fail, but don’t worry! Nothing is wrong with your certificates (if they are indeed valid). You just need to make sure to request an exception and make sure the scan is adding in the proper -servername in the request.

I hope this helps save you the hours it took me to realize this!

 

Reference: https://community.letsencrypt.org/t/testing-with-openssl-and-s-client-cloudflare-proxying/35003/5

Credit: Feature image by Vecteezy.com