how to use curl to verify if a site's certificate has been revoked?
That's my everyday script:
curl --insecure -vvI https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
Ouput:
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2016-01-07 11:34:33 GMT
* expire date: 2016-04-06 00:00:00 GMT
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
* Server GFE/2.0 is not blacklisted
* Connection #0 to host www.google.com left intact
Apparently, you cannot just verify a site with a single simple request. See https://stackoverflow.com/questions/16244084/how-to-programmatically-check-if-a-certificate-has-been-revoked?lq=1 and older related questions on stackoverflow.
curl did not work with Certificate Revocation Lists for me either, neither on Windows, nor on Linux. Why should you use curl? Openssl seems more appropriate:
openssl s_client -connect www.google.com:443
We get
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Then we can inspect some certificate:
curl http://pki.google.com/GIAG2.crt | openssl x509 -inform der -text
grep crl in the output of the above command. The interesting parts are:
X509v3 CRL Distribution Points:
URI:http://crl.geotrust.com/crls/gtglobal.crl
Authority Information Access:
OCSP - URI:http://gtglobal-ocsp.geotrust.com
Now we can manually inspect crl:
curl http://crl.geotrust.com/crls/gtglobal.crl | openssl crl -inform der -text
curl http://pki.google.com/GIAG2.crl | openssl crl -inform der -text
Now we see a list of revoked certificates. IMHO, using curl is not enough, another program is required to check certificates. By doing a simple
strace curl https://www.google.com -v
we see that curl is not checking revocations (not even connecting to the relevant places). It just says
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2014-04-09 11:40:11 GMT
* expire date: 2014-07-08 00:00:00 GMT
* subjectAltName: www.google.com matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
curl since 7.41.0 has a --cert-status option, but it does not work for me:
$ curl --cert-status https://www.google.com
curl: (91) No OCSP response received
It appears maybe it only works if the server is configured with OCSP stapling, and it does not cause curl to make its own OCSP request.
I had better success using openssl with the steps at https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
Fetch the cert:
$ openssl s_client -connect www.google.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > /tmp/google.pem
Output the cert's OCSP URI:
$ openssl x509 -noout -ocsp_uri -in /tmp/google.pem
http://ocsp.pki.goog/gts1o1
Build a /tmp/chain.pem from the certs 1-n output by:
openssl s_client -connect www.google.com:443 -showcerts 2>&1 < /dev/null
Copy each cert into the chain.pem file, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and everything in between. Do not include the 0th cert since that's in the google.pem file.
Make the OCSP request:
openssl ocsp -issuer /tmp/chain.pem -cert /tmp/google.pem -text -url http://ocsp.pki.goog/gts1o1
...
Response verify OK
/tmp/google.pem: good
This Update: Mar 24 12:40:59 2020 GMT
Next Update: Mar 31 12:40:59 2020 GMT