Nifty openssl troubleshooting trick

Published

August 10, 2013

Learned a neat trick today for performing diagnostics on failing SSL connections when working with programs making use of the OpenSSL libs that are notorious for providing crappy SSL error information. You can use the openssl executable to set up a simple test client/server connection and see any errors that occur in the process:

  1. The server:

    openssl s_server -cert /path/to/server-cert.crt -key /path/to/server-cert.key -www

  2. The client:

    openssl s_client -CAfile /path/to/ca-cert.pem -connect 127.0.0.1:4433

These commands print out various information when establishing or attempting to establish a connection, in my case reminding me that my cert had expired (which MySQL clearly communicated to me by saying “ASN: bad other sigature confirmation”).
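The client step above can be scripted so the verification verdict is read explicitly, since s_client finishes the handshake even when the certificate fails verification. This is an added example, not part of the original post; `check_tls`, `verify_code`, `verify_reason` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). s_client completes the
# handshake even when verification fails, so read its verdict explicitly.

# Print the numeric code from the "Verify return code: N (reason)" line.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Print the reason text from the same line.
verify_reason() {
    sed -n 's/^ *Verify return code: [0-9][0-9]* (\(.*\))$/\1/p' | head -n 1
}

# check_tls CAFILE HOST:PORT (hypothetical helper): return 0 only if the chain verified.
check_tls() {
    # </dev/null makes s_client exit after the handshake instead of waiting on stdin.
    out=$(openssl s_client -CAfile "$1" -connect "$2" </dev/null 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$code" = "0" ]; then
        echo "chain verified"
        return 0
    fi
    echo "verify failed: code=${code:-none} reason=$(printf '%s\n' "$out" | verify_reason)"
    # Show the validity window of the certificate the server presented.
    printf '%s\n' "$out" | openssl x509 -noout -subject -dates 2>/dev/null
    return 1
}

# Constructed sample of s_client output for an expired server certificate.
SAMPLE_EXPIRED=$(cat <<'EOF'
depth=0 CN = db.example.test
verify error:num=10:certificate has expired
notAfter=Aug  1 00:00:00 2013 GMT
verify return:1
    Verify return code: 10 (certificate has expired)
EOF
)

# Run against a live endpoint only when both arguments are given.
if [ $# -eq 2 ]; then
    check_tls "$1" "$2"
fi
```

Invoked with the CA file and `127.0.0.1:4433` as arguments, it checks the test server from step 1; a non-zero exit means the chain did not verify.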