On Tue, 2016-02-09 at 22:51 +1000, Jonathan Wilson wrote:
> OpenSSL has a s_client command that allows you to pull the certificates a 
> web page sends and verify the chain of trust against whatever root CA store 
> OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull 
> the certificates a web page sends and validate them against the current set 
> of Mozilla root certificates?
> And if there is, where do I get it from and how do I compile it? (if its 
> one of the standard utilities in NSS, how do I compile those?)

If you use a Linux distribution, you can probably get a package that already
contains the tools. On fedora it's nss-tools

We have test utilities, that are primarily used as part of the NSS test suite,
and which (at least on Fedora) are shipped in a separate "unsupported-tools"
directory, but they can do what you want.

On Fedora, you can execute 
  /usr/lib64/nss/unsupported-tools/vfyserv www.yourhost

which will attempt to validate the server's cert against the CA trust list that
comes with NSS (from the libnssckbi.so module).

This doesn't show the full chain on the terminal, but there's an option -c that
will dump all certs sent by the server into files.

I also like tstclnt, which has recently been enhanced to print information about
the server chain:

/usr/lib64/nss/unsupported-tools/tstclnt -C -D -b -h www.yourhost -p 443

You can use -C up to three times, to get more details about the certs.

If your platform doesn't offer you the NSS tools pre-packaged, then tollow the
standard NSS build instructions:


dev-tech-crypto mailing list

Reply via email to