> Rachel,
>
> As a first step, try using s_client to connect to a TLS service and see what 
> comes back:
>
> $ openssl s_client -connect <hostname>:<port> -showcerts
>
> There are more possible options on s_client to debug more deeply but this is 
> a good start.
>
>
> --Paul
>

In answer to the above. Testing against three "random" servers (see bottom of 
the email for full exchange, top three are through VPN, rest are bypassing VPN):

Through the VPN:
- Server "A" (HTTPS with "real" cert) - Nothing more than "CONNECTED (00000005)"
- Server "B" (HTTPS with "self-signed" cert) - Certificates get displayed (this 
correlates with behaviour seen in browser where I get shown the "do you want to 
continue" prompt, I can see details of the certs presented, but when I click 
continue it hangs)
- Server "C" (IMAPS) - Nothing more than "CONNECTED (00000005)"

Bypassing the VPN:
- Server "A" shows certs in openssl (and browser works ok)
- Server "C" shows certs in openssl (and email client works ok)

foobarOVERVPN $ openssl s_client -connect web1.example.com:443 -showcerts
CONNECTED(00000005)
^C
foobarOVERVPN $ openssl s_client -connect web2.example.com:8443 -showcerts
CONNECTED(00000005)
depth=0 C = US, ST = CA, L = San Jose, O = example.com, OU = MyCorp, CN = MyCorp
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = example.com, OU = MyCorp, CN = MyCorp
verify return:1
---
Certificate chain
0 s:/C=ZZ/ST=AA/L=BB/O=example.com/OU=MyCorp/CN=MyCorp
   i:/C=ZZ/ST=AA/L=BB/O=example.com/OU=MyCorp/CN=MyCorp
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=ZZ/ST=AA/L=BB/O=example.com/OU=MyCorp/CN=MyCorp
issuer=/C=ZZ/ST=AA/L=BB/O=example.com/OU=MyCorp/CN=MyCorp
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1316 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5C0575730056006E28542F880C1AB6541729337C0DDBEC95347E2B5B4669EAD7
    Session-ID-ctx:
    Master-Key: 
66B8EB1A3FB0857509627840D8DDB595659A5794D365D462DED737AAD4532F4AD542663B8BAE27A7665539D15C14ADEA
    Start Time: 1543861619
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
^C

foobarOVERVPN $ openssl s_client -connect imaps.example.com:993 -showcerts
CONNECTED(00000005)
^C
foobarBYPASSVPN $ openssl s_client -connect web1.example.com:443 -showcerts
CONNECTED(00000005)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = 
AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = web1.example.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=web1.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Certification Authority
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=web1.example.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6299 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6D5EC20FC1493D55F28309A02B1B589268F251D625A7EB3B5958426225C51795
    Session-ID-ctx:
    Master-Key: 
D8B2A8181AB5FB4BC6A55ED226CFA9D0F77CF539CE3E4A9FAE6524D631B42BB057375E96BD4EB6014C02996BD6A645C4
    Start Time: 1543861687
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
^C
foobarBYPASSVPN $ openssl s_client -connect imaps.example.com:993 -showcerts
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = ZZ, L = MYTOWN, O = MYCORP, CN = imaps.example.com
verify return:1
---
Certificate chain
0 s:/C=ZZ/L=MYTOWN/O=MYCORP/CN=imaps.example.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=ZZ/L=MYTOWN/O=MYCORP/CN=imaps.example.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4243 bytes and written 358 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F8BB41516529FA657513FB23B803D7CA0990B674446CB78A9D71184C93A810FE
    Session-ID-ctx:
    Master-Key: 
FCA69ED068B34A1A3B1256A0390A9508357762AFC9E9EEA605979B6A6CD3C2EEA5CEB29E9A67DF219213C924E29328A7
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
<SNIP>
    Start Time: 1543861700
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
^C
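As an added example (not part of Paul's or Rachel's messages), here is a small shell wrapper that runs the same s_client probe unattended and classifies the output into the outcomes seen above: a bare CONNECTED with nothing after it, a completed handshake that failed verification (code 18, self-signed), and a completed, verified handshake. It assumes GNU coreutils `timeout` is installed; the sample outputs it classifies are constructed, not the captures from this thread.

```shell
#!/bin/bash
# tls_probe.sh (added example): wrap openssl s_client so it can run unattended
# against host:port targets and classify what came back, reproducing the
# manual comparison above (full chain and verify code vs. a bare CONNECTED).
# Classify captured s_client output passed in $1. Prints one of:
#   TCP_FAILED         no CONNECTED line at all
#   HANDSHAKE_STALLED  TCP connected but no certificate/verify result arrived
#   VERIFY_FAILED:<n>  handshake completed, chain verification failed with code n
#   OK                 handshake completed and chain verified
classify_s_client_output() {
    out=$1
    case "$out" in
        *CONNECTED*) ;;
        *) echo TCP_FAILED; return ;;
    esac
    # s_client prints "Verify return code: N (...)" only once the handshake finished
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$code" ]; then
        echo HANDSHAKE_STALLED
    elif [ "$code" = 0 ]; then
        echo OK
    else
        echo "VERIFY_FAILED:$code"
    fi
}

# Probe one host:port with a bounded wait (assumes GNU coreutils 'timeout').
# stdin comes from /dev/null so s_client exits on its own instead of needing ^C.
probe_tls() {
    host=$1; port=$2; secs=${3:-10}
    out=$(timeout "$secs" openssl s_client -connect "$host:$port" \
            -servername "$host" -showcerts </dev/null 2>&1)
    printf '%s:%s %s\n' "$host" "$port" "$(classify_s_client_output "$out")"
}

# Constructed sample outputs shaped like the three cases in the thread (not real captures).
SAMPLE_STALLED='CONNECTED(00000005)'
SAMPLE_SELFSIGNED='CONNECTED(00000005)
verify error:num=18:self signed certificate
---
    Verify return code: 18 (self signed certificate)'
SAMPLE_OK='CONNECTED(00000005)
---
    Verify return code: 0 (ok)'
# Run with --demo to classify the samples; pass host [port] to probe a live target.
case "${1:-}" in
    --demo) for s in "$SAMPLE_STALLED" "$SAMPLE_SELFSIGNED" "$SAMPLE_OK"; do classify_s_client_output "$s"; done ;;
    ?*) probe_tls "$1" "${2:-443}" ;;
esac
```

Running the same target list once over the VPN and once bypassing it, and diffing the two outputs, turns the comparison in the mail into a repeatable check.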
