So, with all the hubbub around POODLE and SSL, we're preparing a new load balancer using HAProxy.

So we have a set of unit tests written using PHPUnit, and we're having trouble validating certificates. How do you test/validate an SSL cert for a prototype "foo.com" server if it's not actually active at the IP address that matches DNS for foo.com?

For non-SSL sites, I can specify the URL like http://1.2.3.4/path and pass an explicit "Host: foo.com" HTTP header, but that fails for SSL certificate validation.

You can also set a hosts file entry, but that's also rather painful. Is there a better option?
On 10/21/2014 04:57 PM, lists at benjamindsmith.com wrote:
> So, with all the hubbub around POODLE and ssl, we're preparing a new load
> balancer using HAProxy.
>
> So we have a set of unit tests written using PHPUnit, having trouble
> validating certificates. How do you test/validate an SSL cert for a prototype
> "foo.com" server if it's not actually active at the IP address that matches
> DNS for foo.com?
>
> For non-ssl sites, I can specify the url like http://1.2.3.4/path and pass an
> explicit "host: foo.com" http header but that fails for SSL certificate
> validation.
>
> You can also set a hosts file entry, but that's also rather painful. Is there a
> better option?
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

I just disabled SSLv3 altogether on my server and just use TLS. On my site I only use TLS 1.2 and not earlier versions or SSL, so I was never affected by POODLE.

--
Travis Kendrick
On Tue, Oct 21, 2014 at 02:57:42PM -0700, lists at benjamindsmith.com wrote:
> So we have a set of unit tests written using PHPUnit, having trouble
> validating certificates. How do you test/validate an SSL cert for a prototype
> "foo.com" server if it's not actually active at the IP address that matches
> DNS for foo.com?

openssl s_client -connect ip.ad.dr.ess:443

then decode the cert, e.g.

    $ openssl s_client -connect 1.2.3.4:443 < /dev/null >| cert

Now you can use "x509" to look at various things, e.g.

    $ openssl x509 -in cert -subject -noout
    subject= /description=foobar/C=US/CN=ssl.example.com/emailAddress=foo at example.com

"man x509"

--
rgds
Stephen
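Stephen's approach carried one step further, as an added example that is not code from the thread: connect to the explicit IP but send SNI for the expected name, then check the served certificate against that name rather than the IP, which is what the Host-header trick from the question cannot do for TLS. The helper names, the sample IP and file paths are this example's own assumptions; `-servername`, `-checkhost` and `-verify_hostname` are real OpenSSL options.

```shell
#!/bin/sh
# Added example (not from the thread): test a cert on a host that DNS does
# not point at yet. Function names are this example's own.

# fetch_cert IP PORT HOSTNAME OUTFILE
# Saves the leaf certificate that IP:PORT serves for HOSTNAME (via SNI) as PEM.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$4"
}

# check_cert_host CERTFILE HOSTNAME
# Exit 0 when a DNS SAN (or the CN, if the cert has no DNS SAN) matches HOSTNAME.
check_cert_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# show_cert CERTFILE: the fields one usually wants to eyeball.
show_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# verify_live IP PORT HOSTNAME CAFILE
# The full check in one call: chain against CAFILE plus hostname, with a
# fatal verification error instead of s_client's default "continue anyway".
# Needs OpenSSL 1.1.0 or later for -verify_hostname.
verify_live() {
  openssl s_client -connect "$1:$2" -servername "$3" -CAfile "$4" \
    -verify_hostname "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage against a balancer that is not live in DNS yet (constructed values):
#   fetch_cert 1.2.3.4 443 foo.com /tmp/foo.pem && check_cert_host /tmp/foo.pem foo.com
#   verify_live 1.2.3.4 443 foo.com /etc/pki/tls/certs/ca-bundle.crt && echo OK
```

In a PHPUnit test the same idea is the cURL `CURLOPT_RESOLVE` option (pin foo.com:443 to 1.2.3.4) with peer and host verification left on, so the cert is checked against foo.com.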