Troubleshooting SSL certificates and connections? Here are five handy openssl commands that every network engineer should be able to use. Bookmark this – you never know when it will come in handy!
openssl s_client -showcerts -connect www.microsoft.com:443
This command opens an SSL connection to the specified site and displays the entire certificate chain as well. Here’s an abridged version of the sample output:
MBP$ openssl s_client -showcerts -connect www.microsoft.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=
Washington/businessCategory=Private Organization/
serialNumber=600413485/C=US/postalCode=98052/ST=Washington/
L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/
OU=MSCOM/CN=www.microsoft.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/
CN=Symantec Class 3 EV SSL CA - G3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/
CN=Symantec Class 3 EV SSL CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3
Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
[...]
Continue reading
You’ve set up your website and secured it with an SSL certificate that you bought through your ISP. Everything works fine and the chain of trust is just fine in your browser, but when you try accessing your secured site using a command line tool, the connection fails. Why? There’s a good chance that you are not sending your intermediate certificate(s) along with the server certificate.
As a quick reminder, the whole point of SSL certificates and the Public Key Infrastructure is to prove that the site you connected to is the one it says it is. How do we know? The server sends you a certificate with its name in it, digitally signed by an Issuer. If you choose to trust that Issuer’s honesty and believe that they made sure they issued to the right site, you implicitly trust that the end site is the right one; it’s a “Chain of Trust.”
In reality, we don’t typically trust many Issuers. Look in the Trusted Root certificates for your browser, or on a Mac, open Keychain Access and look in System Roots, and you’ll see that for Yosemite in this case, globally – to establish SSL Continue reading
I’ve just got back from Networking Field Day 9 (NFD9) and my head is buzzing after a busy week of presentations. I posted a preview of NFD9 so it seems only fair to give a quick wrap up of the week’s themes and presentations as I saw it.
After some time spent thinking on the flights back home, I came to the conclusion that there were two themes that were recurring this week.
The dominating theme for me was, at last, seeing the magic rainbow-expelling problem-solving unicorn that is Software Defined Networking – SDN – and all its inherent paradigm-shifting magic, turned into products that actually seem real, and are starting to deal with some of the issues that were flagged up when SDN was first being described. It’s relatively easy to SDN-wash a product, but making it something from which a user can actually benefit, well, that’s something else.
The second theme was that many of the products looked to the concept of detecting or fixing problems before the users were aware of them, whether as an alert from a monitoring system, or a network that automatically self-heals or otherwise avoids problem areas.
Don’t Continue reading
Confession: I fly out to San Jose, CA for Networking Field Day 9 tomorrow morning and I have yet to pack a single thing.
This last minute preparation thing seems to have become a habit. I’d like to tell you that it’s because I’m a seasoned traveller and I can calmly pack for a two week vacation in under 15 minutes, but really it’s just procrastination. It’s not even that I dislike travel; I quite enjoy going places and I definitely enjoy Networking Field Day so I know there’s something amazing waiting for me when I get there. I conclude then that my lackadaisical approach to travel packing is laziness in its purest form.
Any idea of being lazy at NFD9 though is laughable. As ever, we have a packed schedule meeting some really interesting vendors. There are some old faces and some new ones both in the attendees and the vendors!
A while back I posted about my “f-script”, a tool that reads device configurations and extracts IP/subnet information so that it can be quickly and easily queried to find where an IP might exist on the network, and what else is on the same subnet.
I was also lucky enough to take part in an early episode of Ivan Pepelnjak’s “Software Gone Wild” podcast where I talked about network automation and in particular, the f-script. In that podcast I promised that I would put the f-script up on GitHub once I had the time to clean it up a little and remove things that tied it to a particular environment.
At the end of 2014 I finally uploaded the scripts, and you are now in the lucky position of being able to laugh at how badly it’s written (and really, it is) or, better still, to help me improve it by submitting your own edits. Bear in mind that this started off as a hack (“I’ll do it like this just to prove that it can work”) and as with so many temporary solutions, ended up never being rewritten “properly”. Still, it works and has been pretty Continue reading
Cool news today from BigSwitch who have taken some big steps forward with their rather awesome Big Cloud Fabric (BCF) solution.
Building on the existing features of BCF 2.0 that was announced last July (see my post on the BCF launch for more details), version 2.5 adds some pretty good new features and a surprise partner.
BCF now supports VMware vCenter. BigSwitch sees an Ethernet fabric as a complementary technology to VMware’s NSX, not a competitor; very wisely they would like to be the underlay while NSX provides the overlay. The BCF controller integrates right into vCenter so that network configuration can be automated with the virtual environment, and the controller provides a single interface to the entire fabric.
The original BCF supported OpenStack. BCF 2.5 now has more elements of OpenStack (Juno) support and adds CloudStack support. With this and the vCenter integration, BCF has positioned itself quite nicely for full server and switch automation.
My first question when I heard about this was “What on earth is Brite Box switching?” It turns out that somebody somewhere coined the phrase Continue reading
I’ve been quiet lately, mostly because I’ve been horribly busy but also in part because I’ve been thinking that it’s about time to rebrand LameJournal to something that better reflects the content. And to that end, MovingPackets.net has been born. All the … Continue reading
If you liked this post, please do click through to the source at MovingPackets.NET – The New Name for LameJournal and give me a share/like. Thank you!
So with some triumph and minor exhaustion, I completed Etherealmind’s 30 Blogs in 30 Days challenge; but so what? Does it change anything? Do I get a prize? Here’s what I learned. 30 Blogs in 30 Days As a reminder, … Continue reading
If you liked this post, please do click through to the source at 30 Blogs in 30 Days – Lessons Learned and give me a share/like. Thank you!
It’s ironic to end the 30 day challenge by not posting for a short while, but what can I say? I’ve been very busy! Today I’m traveling to Barcelona to attend the HP Discover 2014 Barcelona event as a guest … Continue reading
If you liked this post, please do click through to the source at Viva España – Heading to HP Discover and give me a share/like. Thank you!
My second “Secret Sunday” post back in August introduced Schprokits, a company founded by Jeremy Schulman, previously the Director of Network Automation at Juniper. I was truly flattered when Jeremy invited me to be part of a small team testing … Continue reading
If you liked this post, please do click through to the source at See Schprokits Dance! Demo of Unreleased Code and give me a share/like. Thank you!
Just over a month ago I accepted Etherealmind’s “30 Blogs in 30 Days Challenge”, and this Friday I’m pleased to say that I completed the challenge without missing a day. It seems appropriate then that I should use today’s Secret Sunday … Continue reading
If you liked this post, please do click through to the source at Secret Sunday – Greg Ferro and give me a share/like. Thank you!
Ok, it’s another f5 post and if you’re not using f5 you might think this is irrelevant to you. However, I beg you to read on because the issue I’m describing today has a relationship to SDN and network automation, … Continue reading
If you liked this post, please do click through to the source at Infuriating Inconsistent Interfaces; F5 on the stand. and give me a share/like. Thank you!
Last month I visited Interop NYC 2014 as a guest of Tech Field Day Extra! where our group was given a presentation about the new Cisco ISR routers by Matt Bolick, a Technical Marketing Engineer for Cisco. The Integrated Service … Continue reading
If you liked this post, please do click through to the source at Cisco ISR: Enable Features, No Performance Hit? and give me a share/like. Thank you!
Weird looking poodle, right? *coughs* With the recent SSLv3 Poodle vulnerability being disclosed, there has been a rush to disable SSLv3. But if you manage quite a few web sites, how can you quickly check whether or not you are … Continue reading
If you liked this post, please do click through to the source at Scary Poodle: Quickly Checking Websites for SSLv3 and give me a share/like. Thank you!
Microsoft Lync, perhaps the most well known business communication and collaboration tool, is getting a new name in 2015. The next version of Microsoft Lync, according to the Lync Team on Microsoft’s Office Blog will be called “Skype for Business.” … Continue reading
If you liked this post, please do click through to the source at Goodbye Lync, Hello “Skype for Business” and give me a share/like. Thank you!
Jim Duffy wrote an interesting article on Network World’s Cisco Connection blog called “Cisco, Arista Disaggregating?” in which he speculates that Cisco and Arista may make their network operating systems (NOS) available for use on bare metal switches. Is there … Continue reading
If you liked this post, please do click through to the source at Response: Cisco, Arista Disaggregating and give me a share/like. Thank you!
If you’ve ever done a network audit or a stock inventory check, you’ll know that it is possibly one of the most boring activities you could possibly undertake, unless the stock you’re checking is particularly salacious, I suppose. Certainly it’s … Continue reading
If you liked this post, please do click through to the source at Teambuilding. Whisky Tango Foxtrot? Check. and give me a share/like. Thank you!
Taking a little side-step from the normal networking-based Sunday hero worship, today’s Secret Sunday is a pointer to Microsoft’s Raymond Chen, sometimes referred to as “Microsoft’s Chuck Norris”. But John, you say, it’s Microsoft; why would you do that to … Continue reading
If you liked this post, please do click through to the source at Secret Sunday: Microsoft’s Raymond Chen and give me a share/like. Thank you!
I’m a long way from being the first person to comment that some of the icons we use in our software are somewhat anachronistic. The example we hear most often is that of the Save icon in most software: It … Continue reading
If you liked this post, please do click through to the source at Anachronism In the UK (and elsewhere) and give me a share/like. Thank you!
This September I was invited to come to New York for Interop New York 2014 and participate in a couple of technical sessions as part of a Tech Field Day Extra event. In addition to the presentations by HP Networking and … Continue reading
If you liked this post, please do click through to the source at SDN And More – Interop Roundtable Discussion and give me a share/like. Thank you!