Using '-servername' param with openssl s_client

user1398017 · May 4, 2017 · Viewed 13.9k times

I am installing a new SSL certificate on Centos6/Apache and my web browser keeps picking up the old certificate. To test my setup, I am using "openssl s_client", but I am seeing different results based on the "-servername" parameter. No one seems to use this parameter and it does not appear in the man pages, but I saw it mentioned here: OpenSSL: Check SSL Certificate Expiration Date and More.

If I run this command:

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

I get the correct date for the certificate.

(notBefore=Apr 20 00:00:00 2017 GMT notAfter=Apr 20 23:59:59 2018 GMT)

However, if I introduce the -servername parameter into the command:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

I then get the expired date that my browser is showing:

(notBefore=Apr 20 00:00:00 2016 GMT notAfter=Apr 20 23:59:59 2017 GMT)

Can anyone explain why this is happening, as this must be related to the reason why my SSL certificate shows as expired in my browser.

Thanks O

Answer

Matt Caswell · May 4, 2017

The servername argument to s_client is documented (briefly) on this page:

https://www.openssl.org/docs/man1.0.2/apps/s_client.html

Essentially it works a little like a "Host" header in HTTP, i.e. it causes the requested domain name to be passed as part of the SSL/TLS handshake (in the SNI - Server Name Indication extension). A server can then host multiple domains behind a single IP. It will respond with the appropriate certificate based on the requested domain name.

If you do not request a specific domain name the server does not know which certificate to give you, so you end up with a default one. In your case one of the certificates that the server is serving up for your domain has expired, but the default certificate has not.

You need to make sure you are updating the correct VirtualHost entry for your domain, e.g. see:

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
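As an added illustration of the answer above (this is not part of the original question or answer, and not OpenSSL project code), the script below shows what `-servername` actually changes on the wire. It uses Python's standard-library `ssl` module, which is built on OpenSSL, to produce a real TLS ClientHello with and without a server name, then parses the record to find the server_name (SNI) extension. Python is used instead of a shell script so the demonstration runs offline: the handshake is driven through memory BIOs and stopped as soon as the ClientHello has been written, so no server is contacted. The host name `example.com` is only a sample value.

```python
"""Added example: what `openssl s_client -servername` puts into the ClientHello.

Not code from the original Q&A. The handshake is driven through in-memory
BIOs and stopped after the first flight, so nothing touches the network.
"""
import ssl
import struct

SNI_EXTENSION_TYPE = 0          # RFC 6066 server_name extension
HANDSHAKE_RECORD = 22           # TLS ContentType handshake
CLIENT_HELLO = 1                # HandshakeType client_hello


def build_client_hello(server_name):
    """Return the raw bytes OpenSSL sends as its first flight.

    server_name=None mirrors `openssl s_client -connect host:443` with no
    -servername option; a string mirrors `-servername host`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The handshake is never completed, so verification settings do not matter;
    # they only have to allow wrapping a connection without a hostname.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, OpenSSL now waits for ServerHello
    return outgoing.read()


def extract_sni(client_hello):
    """Parse a TLS ClientHello record; return the SNI host name or None."""
    content_type, _version, record_len = struct.unpack("!BHH", client_hello[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = client_hello[5:5 + record_len]
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4                        # handshake type (1) + length (3)
    pos += 2 + 32                  # legacy_version + random
    pos += 1 + body[pos]           # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len              # cipher_suites
    pos += 1 + body[pos]           # legacy_compression_methods
    if pos >= len(body):
        return None                # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_data_len]
        pos += 4 + ext_data_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        # ServerNameList: list_len(2) { name_type(1)=0 host_name, name_len(2), name }
        (list_len,) = struct.unpack("!H", data[:2])
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def compare(host):
    """Return (sni_without_servername, sni_with_servername) for host."""
    return extract_sni(build_client_hello(None)), extract_sni(build_client_hello(host))


if __name__ == "__main__":
    without, with_ = compare("example.com")   # sample host name
    print("no -servername :", without)   # None: server answers with its default vhost cert
    print("-servername    :", with_)     # 'example.com': server can pick the matching vhost
```

The first ClientHello carries no server_name extension, which is exactly the request Apache answers with the certificate of its default (first-listed) SSL VirtualHost; the second names the host, so Apache can select the VirtualHost whose ServerName matches. Note that RFC 6066 does not allow IP literals in SNI, so connecting by IP address is another way to land on the default certificate.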