Find out how many browsers reject SSL certificate
I'd like to find out how many browsers reject our SSL certificate when making HTTP requests to our webserver. We're using a free CA which now seems to be recognised by most modern browsers, but I'd like to get some numbers without exhaustively testing combinations of browsers and operating systems.
I understand that the browser terminates the connection when certificate verification fails, so is there any way for Apache to detect this? I don't expect to get specific diagnostic information - just the fact that there was a certificate/SSL problem is enough.
The SSL protocol does indeed have an alert code for when the CA is unknown... you could detect it using something like tshark I suppose.
But more useful is knowing how to avoid the problem. In Apache, make sure you have the following THREE directives:
SSLCertificateFile /etc/pki/tls/certs/myserver.cert
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
SSLCertificateChainFile /etc/pki/tls/certs/myserver.ca-bundle
The extensions given to the filenames don't really matter to Apache. In this case, the SSLCertificateFile will be a single X.509 certificate with the Subject of the server, and the SSLCertificateChainFile will be a concatenation of Intermediate and Root CA certificates (starting with the root first).
Here's a useful script for helping to explore certificate chains in PEM encoding.
#!/bin/bash
#
# For an input of concatenated PEM ("rfc style") certificates, and a
# command-line consisting of a command to run, run the command over each PEM
# certificate in the file. Typically the command would be something like
# 'openssl x509 -subject -issuer'.
#
# Example:
#
# ssl-rfc-xargs openssl x509 -subject -issuer -dates -modulus -noout < mynewcert.pem
#
# The sed stage unwraps <ds:X509Certificate> elements (XML Signature) into
# PEM armour; plain PEM input passes through untouched.
sed -e 's/^[ \t]*<ds:X509Certificate>\(.*\)$/-----BEGIN CERTIFICATE-----\n\1/' \
    -e 's/^[ \t]*<\/ds:X509Certificate>[ \t]*$/-----END CERTIFICATE-----\n/' \
    -e 's/^\(.*\)<\/ds:X509Certificate>[ \t]*$/\1\n-----END CERTIFICATE-----\n/' \
| gawk -vcommand="$*" '
    # Feed each BEGIN..END block to a fresh copy of the command (run as a
    # gawk coprocess), then read back and print whatever it produced.
    /^-----BEGIN /,/^-----END / {
        print |& command
    }
    /^-----END / {
        while ((command |& getline results) > 0) {
            print results
        }
        close(command)
    }
'
(This particular script is also used for an XML application, which is what the sed bits near the start are meant to support; the interesting bits are done by gawk.)
Here's an example of how you can use it (such as to determine if the certificates in the CA bundle are in the right order -- sometimes this matters):
$ openssl s_client -connect google.com:443 -showcerts </dev/null 2>&1 | ssl-rfc-xargs openssl x509 -subject -issuer -noout
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
subject= /C=US/O=Google Inc/CN=Google Internet Authority G2
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Notice how the issuer of one certificate is adjacent to the subject of its parent [immediately below].
Here's another example of how you can use that script, to inspect a local file.
$ < /etc/pki/tls/certs/example.ca-bundle ssl-rfc-xargs openssl x509 -subject -issuer -noout
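Added example, not part of the answer above or of the original page: the answer mentions that the client sends a TLS alert when it does not trust the CA, and that a sniffer such as tshark could pick that up. The Python below decodes a client-to-server byte stream (as dumped with tshark or tcpdump) and tallies the alert descriptions from RFC 5246 that mean the certificate was rejected (unknown_ca, certificate_expired, bad_certificate and so on). The function names and the sample capture are constructed for this example. Caveat: a readable alert only exists in TLS 1.2 and earlier, where the client rejects the certificate before encryption starts; in TLS 1.3 the alert is encrypted under the handshake keys and wrapped in an application_data record, so only the abrupt close is observable on the wire. Apache's mod_ssl also reports the received alert in the error log when LogLevel is raised to ssl:info, which is cheaper to check than sniffing.

```python
#!/usr/bin/env python3
"""Decode TLS alert records from a captured byte stream and flag the ones
that mean the client rejected the server certificate.

Added example.  Record layout and alert codes follow RFC 5246 (TLS 1.2)
sections 6.2.1 and 7.2.  The sample capture at the bottom is constructed,
not taken from a real browser."""
import struct
from typing import Iterator, List, Tuple

CONTENT_ALERT = 21             # TLS ContentType.alert
CONTENT_APPLICATION_DATA = 23  # TLS ContentType.application_data

# AlertDescription values a client sends when it cannot validate the
# server's certificate (RFC 5246 section 7.2.2).  unknown_ca (48) is the
# one a browser sends when it does not trust the issuing CA.
CERT_REJECTION_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# A few other common descriptions, so the output is readable.
OTHER_ALERTS = {0: "close_notify", 10: "unexpected_message",
                40: "handshake_failure", 70: "protocol_version"}

ALERT_LEVELS = {1: "warning", 2: "fatal"}


def iter_records(stream: bytes) -> Iterator[Tuple[int, Tuple[int, int], bytes]]:
    """Yield (content_type, (major, minor), fragment) for each complete
    TLS record in `stream`.  A truncated final record (capture cut off)
    ends the iteration instead of raising."""
    offset = 0
    while offset + 5 <= len(stream):
        content_type, major, minor, length = struct.unpack(
            "!BBBH", stream[offset:offset + 5])
        end = offset + 5 + length
        if end > len(stream):
            break
        yield content_type, (major, minor), stream[offset + 5:end]
        offset = end


def decode_alerts(stream: bytes) -> List[dict]:
    """Return one dict per alert record found in `stream`.

    Only plaintext alerts (a 2-byte fragment) can be decoded.  Once the
    connection is encrypted the fragment is ciphertext plus MAC/tag, and
    in TLS 1.3 alerts travel inside application_data records, so those
    rejections are only visible as an abrupt close."""
    alerts = []
    for content_type, version, fragment in iter_records(stream):
        if content_type != CONTENT_ALERT:
            continue
        if len(fragment) != 2:
            alerts.append({"version": version, "level": None, "description": None,
                           "cert_rejection": False, "encrypted": True})
            continue
        level, code = fragment[0], fragment[1]
        name = CERT_REJECTION_ALERTS.get(code) or OTHER_ALERTS.get(code) or f"alert_{code}"
        alerts.append({"version": version,
                       "level": ALERT_LEVELS.get(level, f"level_{level}"),
                       "description": name,
                       "cert_rejection": code in CERT_REJECTION_ALERTS,
                       "encrypted": False})
    return alerts


def count_cert_rejections(stream: bytes) -> dict:
    """Tally certificate-rejection alerts by description name."""
    counts: dict = {}
    for alert in decode_alerts(stream):
        if alert["cert_rejection"]:
            counts[alert["description"]] = counts.get(alert["description"], 0) + 1
    return counts


def tls_record(content_type: int, fragment: bytes, version=(3, 3)) -> bytes:
    """Build a TLS record header plus fragment; used only to construct the sample."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(fragment)) + fragment


# Constructed sample: client-to-server bytes from several connections.
SAMPLE_CAPTURE = (
    tls_record(CONTENT_ALERT, bytes([2, 48]))        # fatal unknown_ca
    + tls_record(CONTENT_ALERT, bytes([2, 45]))      # fatal certificate_expired
    + tls_record(CONTENT_ALERT, bytes([1, 0]))       # warning close_notify (clean shutdown)
    + tls_record(CONTENT_APPLICATION_DATA, b"\x00" * 23)  # opaque encrypted record
    + tls_record(CONTENT_ALERT, b"\x00" * 26)        # encrypted TLS 1.2 alert: undecodable
    + tls_record(CONTENT_ALERT, bytes([2, 48]))      # another fatal unknown_ca
    + b"\x15\x03\x03\x00"                            # truncated trailing record
)

if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_CAPTURE):
        print(alert)
    print(count_cert_rejections(SAMPLE_CAPTURE))
```

To run it against real traffic, dump the client-to-server TCP payload with tshark's follow-stream output in raw mode, or tcpdump plus a small reassembly step, and pass the bytes to count_cert_rejections. Counting connections that close right after the server's Certificate message, with no alert visible, covers the TLS 1.3 clients.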