<?xml version="1.0" encoding="UTF-8" ?>

<bugzilla version="5.2"
          urlbase="https://bugzilla.altlinux.org/"
          
          maintainer="jenya@basealt.ru"
>

    <bug>
          <bug_id>31803</bug_id>
          
          <creation_ts>2016-02-15 17:32:29 +0300</creation_ts>
          <short_desc>Add tstclnt and vfyserv</short_desc>
          <delta_ts>2016-03-22 15:43:58 +0300</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>4</classification_id>
          <classification>Development</classification>
          <product>Sisyphus</product>
          <component>nss-utils</component>
          <version>unstable</version>
          <rep_platform>all</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>CLOSED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc>http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12466.html</bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>relnote</keywords>
          <priority>P3</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Konstantin A Lepikhov (L.A. Kostis)">lakostis</reporter>
          <assigned_to name="Alexey Gladkov">legion</assigned_to>
          <cc>legion</cc>
    
    <cc>rauty</cc>
          
          <qa_contact>qa-sisyphus</qa_contact>
          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>155021</commentid>
    <comment_count>0</comment_count>
    <who name="Konstantin A Lepikhov (L.A. Kostis)">lakostis</who>
    <bug_when>2016-02-15 17:32:29 +0300</bug_when>
    <thetext>----

&gt; OpenSSL has a s_client command that allows you to pull the certificates a
&gt; web page sends and verify the chain of trust against whatever root CA store
&gt; OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull
&gt; the certificates a web page sends and validate them against the current set
&gt; of Mozilla root certificates?
&gt;
...

If you use a Linux distribution, you can probably get a package that already
contains the tools. On fedora it&apos;s nss-tools

We have test utilities, that are primarily used as part of the NSS test suite,
and which (at least on Fedora) are shipped in a separate &quot;unsupported-tools&quot;
directory, but they can do what you want.

On Fedora, you can execute
  /usr/lib64/nss/unsupported-tools/vfyserv www.yourhost

which will attempt to validate the server&apos;s cert against the CA trust list that
comes with NSS (from the libnssckbi.so module).

This doesn&apos;t show the full chain on the terminal, but there&apos;s an option -c that
will dump all certs sent by the server into files.

I also like tstclnt, which has recently been enhanced to print information about
the server chain:

/usr/lib64/nss/unsupported-tools/tstclnt -C -D -b -h www.yourhost -p 443

You can use -C up to three times, to get more details about the certs.

---

Real life example of vfyserv output:

$ /usr/lib64/nss/unsupported-tools/vfyserv www.fusemail.com
Connecting to host www.fusemail.com (addr 107.170.212.214) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1
subject DN:
CN=*.fusemail.com,OU=Domain Control Validated
issuer  DN:
CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=&quot;GoDaddy.com, Inc.&quot;,L=Scottsdale,ST=Arizona,C=US
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 392 bytes total.

The output itself is much easier to parse than openssl's, and that could be handy for monitoring purposes.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>155821</commentid>
    <comment_count>1</comment_count>
    <who name="Repository Robot">repository-robot</who>
    <bug_when>2016-03-22 15:43:58 +0300</bug_when>
    <thetext>nss-3.23.0-alt1 -&gt; sisyphus:

* Mon Mar 21 2016 Alexey Gladkov &lt;legion@altlinux&gt; 3.23.0-alt1
- New version (3.23).
- Add tstclnt and vfyserv (ALT#31803)
- Disable SSL2.</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>