Bug 31803

Summary: Add tstclnt and vfyserv
Product: Sisyphus Reporter: Konstantin A Lepikhov (L.A. Kostis) <lakostis>
Component: nss-utilsAssignee: Alexey Gladkov <legion>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: normal    
Priority: P3 CC: legion
Version: unstableKeywords: relnote
Hardware: all   
OS: Linux   
URL: http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12466.html

Description Konstantin A Lepikhov (L.A. Kostis) 2016-02-15 17:32:29 MSK
----

> OpenSSL has a s_client command that allows you to pull the certificates a
> web page sends and verify the chain of trust against whatever root CA store  > OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull  > the certificates a web page sends and validate them against the current set   > of Mozilla root certificates?                        >                                                            
...

If you use a Linux distribution, you can probably get a package that already
contains the tools. On fedora it's nss-tools

We have test utilities, that are primarily used as part of the NSS test suite,
and which (at least on Fedora) are shipped in a separate "unsupported-tools"
directory, but they can do what you want.

On Fedora, you can execute
  /usr/lib64/nss/unsupported-tools/vfyserv www.yourhost

which will attempt to validate the server's cert against the CA trust list that
comes with NSS (from the libnssckbi.so module).

This doesn't show the full chain on the terminal, but there's an option -c that
will dump all certs sent by the server into files.

I also like tstclnt, which has recently been enhanced to print information about
the server chain:

/usr/lib64/nss/unsupported-tools/tstclnt -C -D -b -h www.yourhost -p 443

You can use -C up to three times, to get more details about the certs.

---

Real life example of vfyserv output:

$ /usr/lib64/nss/unsupported-tools/vfyserv www.fusemail.com
Connecting to host www.fusemail.com (addr 107.170.212.214) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1
subject DN:
CN=*.fusemail.com,OU=Domain Control Validated
issuer  DN:
CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 392 bytes total.

The output itself is much easy to parse than openssl and that could be handy in monitoring purposes.
Comment 1 Repository Robot 2016-03-22 15:43:58 MSK
nss-3.23.0-alt1 -> sisyphus:

* Mon Mar 21 2016 Alexey Gladkov <legion@altlinux> 3.23.0-alt1
- New version (3.23).
- Add tstclnt and vfyserv (ALT#31803)
- Disable SSL2.