  • Oct 04 / 2017
Linux

Write multiple lines to file in bash (script)

If you need to write multiple lines to a file from a bash script, you can use a here-document with this syntax:

cat > /etc/ntp.conf << _NTPconf_
  server 1.2.3.4
  server 5.6.7.8
_NTPconf_

Tip: If you indent the block, the last line (the closing delimiter) must not be indented. Otherwise the shell does not recognize it as the end of the block and you will get errors.

If you want to append lines instead of overwriting the file (as we did in the previous example), just replace the ">" with ">>" after the cat command.

cat >> /etc/ntp.conf << _NTPconf_
  server 1.2.3.4
  server 5.6.7.8
_NTPconf_
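
With an unquoted delimiter, as in both commands above, the shell expands `$variables` and `$(commands)` inside the block before it is written. The following is an added example, not part of the original post, showing the quoted and unquoted forms side by side plus a guard against duplicate appends; `NTP_HOST` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: what the here-document delimiter does to the text written.
# NTP_HOST and the function names are illustrative, not from the post.
NTP_HOST="1.2.3.4"

# Unquoted delimiter: the shell expands $NTP_HOST and $(...) in the body
# before cat receives it.
write_expanded() {
  cat > "$1" << _NTPconf_
server $NTP_HOST
# generated in $(date +%Y)
_NTPconf_
}

# Quoted delimiter: the body is written exactly as typed, nothing is expanded
# or executed. Use this when the lines contain "$" or backticks.
write_literal() {
  cat > "$1" << '_NTPconf_'
server $NTP_HOST
# generated in $(date +%Y)
_NTPconf_
}

# ">>" appends on every run. This guard adds the line only when the exact
# line is not already in the file, so re-running the script is harmless.
append_once() {
  grep -qxF -- "$2" "$1" 2>/dev/null || cat >> "$1" << _NTPconf_
$2
_NTPconf_
}

# Demo on a temporary directory (nothing under /etc is touched).
demo() {
  d=$(mktemp -d) || return 1
  write_expanded "$d/expanded.conf"
  write_literal "$d/literal.conf"
  append_once "$d/expanded.conf" "server 5.6.7.8"
  append_once "$d/expanded.conf" "server 5.6.7.8"   # second call is a no-op
  cat "$d/expanded.conf" "$d/literal.conf"
  rm -rf "$d"
}
demo
```
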
  • Sep 09 / 2017
Linux

Find IPs connecting to a postfix server through logs

There's no easy way to list all the IPs connecting to your postfix server to send mail, but you can easily extract them from your postfix logs.

For our example, we will assume postfix logs to the default location, /var/log/maillog

Here is what a postfix log line looks like when a connection is received:

Sep  1 10:22:32 mail-server-01 postfix/smtpd[700]: connect from ha-lb-03[10.10.1.3]

To extract only the IPs, we will use a combination of commands:

$ grep " connect from " /var/log/maillog |cut -d '[' -f3 |cut -d ']' -f1 |sort -u
  • grep " connect from " /var/log/maillog extracts every line containing a connection attempt
  • cut -d '[' -f3 | cut -d ']' -f1 extracts the IP from the line (which is contained between [] )
  • sort -u sorts the output and keeps only unique values

Here is what we get as a result once the command is executed (nothing will appear until it has finished):

$ grep " connect from " /var/log/maillog |cut -d '[' -f3 |cut -d ']' -f1 |sort -u
10.10.1.1
10.10.1.2
10.10.1.3
10.20.4.4
10.20.4.8
10.250.250.250
127.0.0.1

You can obviously re-use this command for any other log file by adapting the grep pattern and the cut fields.
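
Going one step beyond the unique list, this added example (not part of the original post) counts connections per address and ranks them, anchoring on the last bracket pair of the line instead of counting `[` fields. The log lines are constructed samples in the format shown above; the function names are assumptions.

```shell
#!/bin/sh
# Added example: rank client IPs by number of "connect from" lines.

# Constructed sample lines in the same format as /var/log/maillog above.
sample_log() {
  cat << 'EOF'
Sep  1 10:22:32 mail-server-01 postfix/smtpd[700]: connect from ha-lb-03[10.10.1.3]
Sep  1 10:22:33 mail-server-01 postfix/smtpd[700]: disconnect from ha-lb-03[10.10.1.3]
Sep  1 10:23:01 mail-server-01 postfix/smtpd[701]: connect from unknown[10.20.4.8]
Sep  1 10:23:05 mail-server-01 postfix/smtpd[702]: connect from unknown[10.20.4.8]
Sep  1 10:23:09 mail-server-01 postfix/smtpd[703]: connect from localhost[127.0.0.1]
Sep  1 10:24:40 mail-server-01 postfix/smtpd[704]: connect from unknown[10.20.4.8]
Sep  1 10:25:12 mail-server-01 postfix/smtpd[705]: connect from ha-lb-03[10.10.1.3]
Sep  1 10:25:30 mail-server-01 postfix/smtpd[706]: connect from unknown[2001:db8::25]
EOF
}

# Reads a maillog on stdin and prints "<count> <ip>", highest count first.
# The sed pattern keeps only "connect from" lines ("disconnect from" does not
# match) and captures the text inside the final [...] of the line.
connect_counts() {
  sed -n 's/.*]: connect from .*\[\([^]]*\)]$/\1/p' |
    sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Prints only the addresses seen at least $1 times.
noisy_clients() {
  connect_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

sample_log | connect_counts
```

On a real server, feed the log in with `connect_counts < /var/log/maillog`.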

  • Aug 02 / 2017
Linux

Connect to serial/console terminal with MacOS using screen

It's possible to connect to a serial console from MacOS without a dedicated app, using only screen.

First, you need to find the correct device to use for the serial console. Depending on your installation and your adapter, you can find it under different names with one of these commands:

$ ls /dev*/usb*
ls: /dev*/usb*: No such file or directory
$ ls /dev/tty*usb*
tty.usbserial

Here, we can see that our device is available on /dev/tty.usbserial

If you have any doubt with the screen command, you can check the documentation, with the specific part regarding the console connection:

If  a  tty  (character  special  device)  name  (e.g.  "/dev/ttya") is specified as the first parameter, then the window is directly connected to this device.  This window type is similar to "screen cu -l /dev/ttya".  Read and write access is required on the device node, an exclusive open is attempted on the node to mark the connection line as busy. An optional parameter is allowed consisting of a comma separated list of flags in the notation used by stty(1):
    [1200,9600,19200] - First parameter is the baud rate        
        Usually 300, 1200, 9600 or 19200. This affects transmission as well as receive speed.
    cs8 or cs7
        Specify the transmission of eight (or seven) bits per byte.
    ixon or -ixon
        Enables (or disables) software flow-control (CTRL-S/CTRL-Q) for sending data.
    ixoff or -ixon
        Enables (or disables) software flow-control for receiving data.
    istrip or -istrip
        Clear (or keep) the eight bit in each received byte.

For example, if you want to connect to serial port with those parameters:

  • 9600 bps
  • 8 data bits
  • flow control

You can just use this command:

$ screen /dev/tty.usbserial 9600,cs8,ixon

Hint: Note that if you’re using a specific adapter (like an adapter DB9/RS232 to USB), you will probably need to install the driver first to get the device available.

  • Jul 22 / 2017
Linux

Get CPU/RAM usage per process on Linux

When you’re facing performance issues, it’s always useful to check CPU/MEM usage per process to see if you have an issue with a specific process. For that, you can use ps and some sorting commands.

Tip: You can shrink the results to the first lines by using head

Memory analysis

We're using the --sort -rss option to get the results sorted by RSS in descending order (use --sort rss for ascending order)

$ ps auxw --sort -rss | head -n5
USER       PID %CPU %MEM     VSZ     RSS TTY      STAT START   TIME COMMAND
mysql      604  0.2  8.4 1628428  177968 ?        Ssl  Jun30  71:59 /usr/sbin/mysqld
phpuser   9625  0.1  1.9  239588   40896 ?        S    Jul12  12:35 php-fpm: pool www
phpuser  14625  0.1  1.8  239572   39668 ?        S    Jul12  12:08 php-fpm: pool www
named     1849  0.0  1.2  299868   25984 ?        Ssl  Jun30   0:11 /usr/sbin/named -f -u bind
root       252  0.0  0.5  82868    12096 ?        Ss   Jun30   1:19 /usr/sbin/syslog-ng -F

CPU analysis

We're using the --sort -%cpu option to get the results sorted by CPU in descending order (use --sort %cpu for ascending order)

$ ps auxw --sort -%cpu | head -n5
USER       PID %CPU %MEM     VSZ    RSS TTY      STAT START   TIME COMMAND
named     1849  0.9  0.1  299868  25984 ?        Ssl  Jun30   0:21 /usr/sbin/named -f -u bind
root      1668  0.5  0.0  259000  10332 ?        Sl   Jun23 195:48 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
postfix   9889  0.4  0.0  102368   7736 ?        S    05:44   0:00 smtpd -n smtp -t inet -u -o stress=
mysql      604  0.2  8.4 1628428 177968 ?        Ssl  Jun30  72:09 /usr/sbin/mysqld
phpuser   7960  0.1  1.8  238572  38780 ?        S    Jul17   4:35 php-fpm: pool www

Then…

Once you have the results, it's time for you to investigate further and analyze what's happening with those processes! Good luck!

  • Jul 05 / 2017
Linux

Generate a self-signed SSL certificate (cert/key pair)

Here is a simple script with a configuration file to generate a self-signed SSL certificate (cert/key pair).

First define a config file openssl.cnf containing the certificate information:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=FR

# State or Province Name (full name)
ST=IdF

# Locality Name (eg. city)
L=Paris

# Organization (eg. company)
O=MyOrg

# Organizational Unit Name (eg. section)
OU=My SSL server

# Common Name (*.example.com is also possible)
CN=my.domain.com

# E-mail contact (the address was obscured on the source page; placeholder value)
emailAddress=admin@example.com

[ cert_type ]
nsCertType = server

Then, create the bash script makessl.sh and configure your own parameters (directories, cert filename and validity duration):

#!/bin/sh

# Generates a self-signed certificate.
# Edit openssl.cnf before running this.

umask 077
OPENSSL=${OPENSSL-openssl}

# Define SSL directory
SSLDIR=${SSLDIR-/opt}
# Define SSL config file
OPENSSLCONFIG=${OPENSSLCONFIG-/opt/openssl.cnf}
# Define crt/key directories
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
# Define crt/key file
CERTFILE=$CERTDIR/mynewssl.pem
KEYFILE=$KEYDIR/mynewssl.key
# Define validity duration for the cert
DAYS=365

# Check that directories exist or create them
if [ ! -d "$CERTDIR" ]; then
  mkdir -p "$CERTDIR"
fi
if [ ! -d "$KEYDIR" ]; then
  mkdir -p "$KEYDIR"
fi

# Check that the files do not exist or move them
if [ -f "$CERTFILE" ]; then
  mv "$CERTFILE" "$CERTFILE.old"
fi
if [ -f "$KEYFILE" ]; then
  mv "$KEYFILE" "$KEYFILE.old"
fi

# Generate crt/key files
# Note: -nodes writes the private key unencrypted, whatever encrypt_key says
# in openssl.cnf; umask 077 and chmod 0600 keep the key readable by its owner only.
"$OPENSSL" req -new -x509 -nodes -config "$OPENSSLCONFIG" -out "$CERTFILE" -keyout "$KEYFILE" -days "$DAYS" || exit 2
chmod 0600 "$KEYFILE"
echo
"$OPENSSL" x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2

Now, execute the bash script:

$ bash makessl.sh
Generating a 2048 bit RSA private key
...............+++
................................................................................+++
writing new private key to '/opt/private/mynewssl.key'
-----

subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
SHA1 Fingerprint=F0:B1:B3:DF:F9:4D:A0:97:4E:71:E0:7F:8E:DA:13:F9:D5:E8:AF:88

Let’s check your freshly created certificate and double check the information:

$ openssl x509 -in /opt/certs/mynewssl.pem -noout -dates -subject
notBefore=Jul  5 19:45:17 2017 GMT
notAfter=Jul  5 19:45:17 2018 GMT
subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
  • Jun 25 / 2017
Linux

Check the SSL certificate of a URL with openssl

You can get standard information about the certificate directly by opening a connection to a website:

openssl s_client -showcerts -connect python.org:443 </dev/null

The output will look like:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.python.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.python.org
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.python.org
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4712 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CA736CD734AA037795DE0BDCE046E201AD47343EB3E70F63F60BEC0E477F354E
    Session-ID-ctx:
    Master-Key: 72EC4ADFDFCC6DF2D2E7B086F39DB021891B2F5752D9DC8CFA8C86124085E6B223673C00B140553751654E030D39ADC0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1497599739
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

But this does not show some interesting information, like the expiration date! To work around that, you can simply pipe the output (the certificate) to openssl x509 and ask for specific information:

openssl s_client -showcerts -connect python.org:443 </dev/null |openssl x509 -dates -text -noout

This time, output will be:

depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.python.org
verify return:1
DONE
notBefore=Feb  2 00:00:00 2017 GMT
notAfter=Feb  2 23:59:59 2020 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:59:fb:d6:a9:f6:a0:9b:c7:2d:22:f2:fb:3c:61:7b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Validity
            Not Before: Feb  2 00:00:00 2017 GMT
            Not After : Feb  2 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard Wildcard SSL, CN=*.python.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:06:b7:92:ff:c7:78:b6:dc:65:bd:3b:94:1b:
                    ea:33:f7:ad:5f:70:ae:de:f2:df:bd:0d:9f:59:0b:
                    c2:e3:a7:c0:cd:d4:3c:79:5d:e9:fd:93:a4:a8:bc:
                    5a:49:69:60:2c:04:cd:0c:ec:86:04:c6:4b:b0:ed:
                    53:83:f8:84:84:03:28:49:af:57:64:c7:5a:c7:be:
                    83:00:f8:75:7d:d4:65:94:3b:c9:e9:9f:0c:8b:60:
                    56:dc:a8:88:11:f5:e1:32:41:54:e8:cf:11:39:ca:
                    ef:40:d8:7f:0f:c1:8b:f3:eb:3f:f2:98:13:b2:e5:
                    8c:e7:1a:a6:57:59:e0:f1:f4:84:e2:60:fa:41:d6:
                    05:b7:0f:53:ec:38:12:10:22:ed:d7:62:83:20:8d:
                    35:7c:99:db:35:6a:78:f3:c3:c3:16:dd:54:28:9a:
                    cf:cc:43:14:67:9f:e8:b2:31:c4:be:56:d4:d4:42:
                    b0:2d:22:81:42:c1:63:32:76:2a:ff:bf:7b:56:10:
                    37:d0:fd:8b:cb:05:a4:1e:96:47:ff:a2:26:18:83:
                    51:d5:1e:65:7a:0a:5b:f8:d3:79:bf:c9:2f:f4:95:
                    d7:aa:bc:1c:b3:fe:a5:eb:76:34:3e:77:1e:74:79:
                    ff:a6:66:cb:5b:47:03:68:e3:42:ed:9f:c8:a4:99:
                    11:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

            X509v3 Subject Key Identifier:
                AD:53:94:8B:CB:4F:14:39:D2:48:0B:76:61:5F:9F:63:10:A3:CA:27
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: https://cps.usertrust.com
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
                OCSP - URI:http://ocsp.usertrust.com

            X509v3 Subject Alternative Name:
                DNS:*.python.org, DNS:python.org
    Signature Algorithm: sha256WithRSAEncryption
         87:4b:9e:7e:51:93:f4:5c:68:53:f5:cc:1b:1b:b8:34:cb:26:
         94:51:d6:5b:0c:34:f8:cc:4c:9f:e6:47:e8:75:d8:0f:2f:53:
         be:99:22:38:47:0d:36:d2:4b:86:bf:c8:10:05:17:21:fe:f3:
         76:3f:ca:46:3d:fc:54:e5:55:95:30:5a:6c:d9:24:0e:7f:46:
         a6:28:40:da:bb:11:75:cd:02:c1:a9:f2:37:20:28:3e:75:35:
         62:03:e1:cf:eb:9f:4d:ae:2f:7f:ab:59:44:11:45:1d:3e:fd:
         c6:1d:47:88:d9:42:cc:2b:77:e8:11:30:ee:4a:54:f8:47:9e:
         85:08:6c:54:05:43:4c:92:5b:0a:95:f1:e9:b5:18:82:87:8d:
         8b:5a:22:e3:c4:6d:cd:fa:7a:5c:cb:d7:80:57:37:7e:db:fb:
         49:56:4c:90:c5:79:e1:bf:2b:46:0d:aa:b6:31:94:22:03:52:
         7f:b7:7a:d6:da:7f:4c:18:55:e8:39:36:5e:90:1a:ed:0d:6b:
         51:77:5d:34:9c:97:e4:9d:91:95:df:87:57:bd:94:8a:f6:53:
         e3:e6:ff:2a:01:34:32:f9:47:f1:e4:96:20:20:67:38:05:25:
         9a:a5:e7:2c:a6:85:24:2e:64:47:3b:41:ee:80:bd:c0:79:f1:
         01:af:80:fa
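
To turn the `notAfter=` line shown above into a monitoring check, this added example (not part of the original post) computes the number of days left before expiry using only POSIX sh and awk. The function names are assumptions, and the test input is the date line from the output above.

```shell
#!/bin/sh
# Added example: days until expiry from "openssl x509 -dates -noout" output.
# Typical use, based on the commands above:
#   openssl s_client -connect python.org:443 </dev/null 2>/dev/null |
#     openssl x509 -noout -dates | days_left

# Reads the -dates output on stdin and prints whole days left (negative once
# expired). $1 = reference time in epoch seconds, defaults to now.
days_left() {
  now=${1:-$(date +%s)}
  awk -v now="$now" '
    # Days since 1970-01-01 for a Gregorian calendar date (UTC).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y -= 1
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    /^notAfter=/ {
      sub(/^notAfter=/, "")       # fields: $1=Mon $2=day $3=hh:mm:ss $4=year
      split($3, t, ":")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      expiry = days_from_civil($4, m, $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      d = (expiry - now) / 86400
      print (d < 0 ? -int(-d) - (d != int(d)) : int(d))   # round down
      found = 1
    }
    END { if (!found) exit 2 }    # no notAfter line on stdin
  '
}

# Succeeds (status 0) when fewer than $1 days remain at reference time $2.
expires_within() {
  left=$(days_left "$2") || return 2
  [ "$left" -lt "$1" ]
}
```
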