Send email with attachment using openssl s_client in bash script - bash

How can I send an email with an attachment from a bash script, using the openssl s_client command as follows?
openssl s_client -crlf -quiet -starttls smtp -connect $SMTPHostName:587

You can pipe SMTP commands into openssl s_client with:
$ openssl s_client -crlf -quiet -starttls smtp -connect smtp.xs4all.nl:587 <<< QUIT
Result:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = smtp.xs4all.nl
verify return:1
250 8BITMIME
221 2.0.0 Bye
Available commands can be shown with 'help'.
The sequence of commands is usually something like this:
helo mail.example.com
data
To: dummy@dummy.nl
From: dummy@example.com
Date: Fri, 15 Dec 2021 14:00:00 -0200
Message-ID: <xxxx.xxxx.xx@mail.example.com>
This is a test
.
NB: authentication may be needed.
To add an attachment something like the following needs to be added to the email.
Content-Type: image/png;
name="bullet.png"
Content-Transfer-Encoding: x-uuencode
begin 664 bullet.png
MB5!...
<snipped>
`
end
The file bullet.png was encoded to ASCII with uuencode and added to the message. You can use other MIME encodings as well.
Commands can vary from mail server to mail server, depending on which mail extensions and RFCs they support.
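As an added example that is not part of the answer above, the following bash script assembles the complete SMTP dialogue (EHLO, optional AUTH PLAIN, MAIL FROM, RCPT TO, DATA) together with a multipart MIME body carrying a base64-encoded attachment, and pipes it into openssl s_client. The host name, addresses, credentials and the attached file are placeholders; the script only touches the network when SMTP_HOST is set.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): build an SMTP session with a base64
# MIME attachment and feed it to openssl s_client over STARTTLS.
# Hostnames, addresses, credentials and file names below are placeholders.
set -eu

# Emit the SMTP commands and the message with plain LF line endings; s_client's -crlf
# option turns them into CRLF on the wire (emitting CRLF here would double the CR).
# Usage: build_smtp_session HELO_NAME FROM TO SUBJECT ATTACHMENT [AUTH_USER AUTH_PASS]
build_smtp_session() {
    local helo=$1 from=$2 to=$3 subject=$4 attachment=$5
    local user=${6:-} pass=${7:-}
    local boundary="----=_Part_$$_$(date +%s)"
    local filename; filename=$(basename "$attachment")

    printf 'EHLO %s\n' "$helo"
    if [ -n "$user" ]; then
        # AUTH PLAIN (RFC 4616): base64 of "\0user\0password", on one line
        printf 'AUTH PLAIN %s\n' "$(printf '\0%s\0%s' "$user" "$pass" | openssl base64 -A)"
    fi
    printf 'MAIL FROM:<%s>\n' "$from"
    printf 'RCPT TO:<%s>\n' "$to"
    printf 'DATA\n'
    printf 'From: %s\nTo: %s\nSubject: %s\n' "$from" "$to" "$subject"
    printf 'Date: %s\n' "$(date -R 2>/dev/null || date '+%a, %d %b %Y %H:%M:%S %z')"
    printf 'Message-ID: <%s.%s@%s>\n' "$(date +%s)" "$$" "$helo"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf -- '--%s\n' "$boundary"
    printf 'Content-Type: text/plain; charset=utf-8\n\n'
    printf 'Attached: %s\n' "$filename"
    printf -- '--%s\n' "$boundary"
    printf 'Content-Type: application/octet-stream; name="%s"\n' "$filename"
    printf 'Content-Transfer-Encoding: base64\n'
    printf 'Content-Disposition: attachment; filename="%s"\n\n' "$filename"
    openssl base64 -in "$attachment"      # wraps at 64 columns, within the 76/998 limits
    printf -- '--%s--\n' "$boundary"
    # End of DATA. Body lines starting with "." would need dot-stuffing (RFC 5321 4.5.2);
    # base64 output and the fixed text above never start with a dot.
    printf '.\nQUIT\n'
}

# Deliver the session over STARTTLS. -verify_return_error aborts the connection when the
# server certificate fails verification instead of continuing, which s_client does by default.
send_mail() {   # send_mail SMTP_HOST HELO_NAME FROM TO SUBJECT ATTACHMENT [USER PASS]
    local host=$1; shift
    build_smtp_session "$@" | openssl s_client -crlf -quiet -starttls smtp \
        -verify_return_error -connect "$host:587"
}

# Only talks to the network when SMTP_HOST is set, e.g.
#   SMTP_HOST=smtp.example.net SMTP_USER=me SMTP_PASS=secret ./send.sh
if [ -n "${SMTP_HOST:-}" ]; then
    send_mail "$SMTP_HOST" mail.example.com sender@example.com rcpt@example.net \
        "Report" ./report.pdf "${SMTP_USER:-}" "${SMTP_PASS:-}"
fi
```

Because the whole dialogue is written before any server reply is read, a failed AUTH or a rejected recipient shows up only in the 5xx lines that s_client prints back; check that output rather than the exit status.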

Self signed TLS cert not accepted only in ruby

I'm securing an internal web server using stunnel and easyRSA.
I've tried to use the default x509 types in easyRSA, but my probes failed because the server cert does not have clientAuth, so I've added a new type of cert which adds both server and client auth:
extendedKeyUsage = serverAuth,clientAuth
Stunnel is configured with verify=2, which should also check client certificates.
This is my signing cert structure:
Root.CA
|   Signer.CA
|   |   server.crt
|   |   clientA.crt
|   \   clientB.crt
|   WebClient.CA
|   |   server.crt
|   |   user.alice.crt
|   \   user.bob.crt
\   RPC.CA
    |   server.crt
    |   rpcClient1.crt
    |   rpcClient2.crt
    \   rpcClient3.crt
The idea is to use client certificates on web pages and have a central CA that will be trusted everywhere it is needed. This works fine with nginx client certs.
But the rpc client in Ruby can't verify the server cert. I'm using this code to debug the connection:
require 'openssl'
require 'net/http'

host = '127.0.0.1' # Not really but for example
port = 443

ruby = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
ruby_version = RUBY_VERSION
if patch = RbConfig::CONFIG['PATCHLEVEL']
  ruby_version += "-p#{patch}"
end
puts "%s (%s)" % [ruby, ruby_version]

openssl_dir = OpenSSL::X509::DEFAULT_CERT_AREA
mac_openssl = '/System/Library/OpenSSL' == openssl_dir
puts "%s: %s" % [OpenSSL::OPENSSL_VERSION, openssl_dir]
[OpenSSL::X509::DEFAULT_CERT_DIR_ENV, OpenSSL::X509::DEFAULT_CERT_FILE_ENV].each do |key|
  puts "%s=%s" % [key, ENV[key].to_s.inspect]
end

ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
ca_path = (ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR).chomp('/')

puts "\nHEAD https://#{host}:#{port}"
http = Net::HTTP.new(host, port)
http.use_ssl = true
# Explicitly setting cert_store like this is not needed in most cases but it
# seems necessary in edge cases such as when using `verify_callback` in some
# combination of Ruby + OpenSSL versions.
http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
failed_cert = failed_cert_reason = nil

# http.ca_file = 'ca.crt' # ca_file takes a path, not the file contents
http.cert = OpenSSL::X509::Certificate.new(File.read('tls.crt'))
http.key = OpenSSL::PKey::RSA.new(File.read('tls.key'))

if mac_openssl
  warn "warning: will not be able to show failed certificate info on OS X's OpenSSL"
  # This drives me absolutely nuts. It seems that on Rubies compiled against OS X's
  # system OpenSSL, the mere fact of defining a `verify_callback` makes the
  # cert verification fail for requests that would otherwise be successful.
else
  http.verify_callback = lambda { |verify_ok, store_context|
    if !verify_ok
      failed_cert = store_context.current_cert
      failed_cert_reason = "%d: %s" % [store_context.error, store_context.error_string]
    end
    verify_ok
  }
end

user_agent = "net/http #{ruby_version}"
req = Net::HTTP::Head.new("/?#{rand()}", 'user-agent' => user_agent)

begin
  res = http.start { http.request(req) }
  abort res.inspect if res.code.to_i >= 500
  puts "OK"
rescue Errno::ECONNREFUSED
  puts "Error: connection refused"
  exit 1
rescue OpenSSL::SSL::SSLError => e
  puts "#{e.class}: #{e.message}"
  if failed_cert
    puts "\nThe server presented a certificate that could not be verified:"
    puts "  subject: #{failed_cert.subject}"
    puts "  issuer: #{failed_cert.issuer}"
    puts "  error code %s" % failed_cert_reason
  end
  ca_file_missing = !File.exist?(ca_file) && !mac_openssl
  ca_path_empty = Dir["#{ca_path}/*"].empty?
  if ca_file_missing || ca_path_empty
    puts "\nPossible causes:"
    puts "  `%s' does not exist" % ca_file if ca_file_missing
    puts "  `%s/' is empty" % ca_path if ca_path_empty
  end
  exit 1
end
This is the output:
$ ruby client.rb
/Users/user/.rvm/rubies/ruby-2.7.0/bin/ruby (2.7.0-p0)
OpenSSL 1.1.1h 22 Sep 2020: /usr/local/etc/openssl@1.1
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://127.0.0.1:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
The server presented a certificate that could not be verified:
  subject: /C=US/ST=State/L=Location/O=My Certificates/OU=Security/CN=myCN/emailAddress=signer@cn.app
  issuer: /C=US/ST=State/L=Location/O=My Certificates/OU=Security/CN=myCN/emailAddress=signer@cn.app
  error code 19: self signed certificate in certificate chain
Possible causes:
  `/usr/local/etc/openssl@1.1/certs/' is empty
If I create a cert bundle with cat root.crt rpc.crt > bundle.crt and set SSL_CERT_FILE to it, I get:
$ SSL_CERT_FILE=bundle.crt ruby client.rb
/Users/user/.rvm/rubies/ruby-2.7.0/bin/ruby (2.7.0-p0)
OpenSSL 1.1.1h 22 Sep 2020: /usr/local/etc/openssl@1.1
SSL_CERT_DIR=""
SSL_CERT_FILE="/Users/user/easyrsa/certs/rpc/bundle.crt"
HEAD https://127.0.0.1:443
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected)
The server presented a certificate that could not be verified:
  subject: /C=US/ST=State/L=Location/O=My Certificates/OU=Security/CN=server@rpc/emailAddress=signer@cn.app
  issuer: /C=US/ST=State/L=Location/O=My Certificates/OU=Security/CN=rpc@ca/emailAddress=signer@cn.app
  error code 0: ok
Possible causes:
  `/usr/local/etc/openssl@1.1/certs/' is empty
This tells me it can connect, but the certificate is not being accepted anyway.
I've tried to verify the connection with OpenSSL, and I can connect and get a response:
openssl s_client -host 127.0.0.1 -port 443 -state -debug \
-cert tls.crt \
-key key.crt \
-CAfile <(kubectl get secret tls-explorer -n explorer --output="jsonpath={ .data.ca\.crt }" | base64 -d)
# If I then type "GET / HTTP/1.1" it returns me the contents
Also, I'm using Paw as a Postman replacement, and with it I can connect just fine with any of the rpc client certs.
So what could be the problem?

Creating Root and Server certificates via openssl to enable https on web server shows Not Secure on Chrome Browser – so HTTPS is not working

We have a web service application in which we perform the following procedure to generate certificates:
1. Create a file named openssl.ini in the folder with the following content:
# OpenSSL configuration file.
#----Begin----
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = XYZ Corp
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
emailAddress_default = support@xyz.com
organizationalUnitName_default = Business Division
commonName_default = ServerSystem1
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#----End----
2. Run the following OpenSSL commands to generate the root CA and server certificate:
md ServerCert
cd ServerCert
md newcerts private
copy ..\openssl.ini ServerCert
echo 01 > serial
copy /y nul index.txt
openssl genrsa -out private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.ini
openssl x509 -in cacert.pem -out ServerCA.crt
openssl req -new -nodes -out req.pem -extensions v3_req -config ./openssl.ini
openssl ca -out cert.pem -extensions v3_req -config ./openssl.ini -infiles req.pem
move cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
openssl rsa -in key.pem -inform PEM -out ServerKey.der -outform DER
openssl x509 -in cert.pem -inform PEM -out ServerCert.der -outform DER
At the end of the process, the 3 files that are used later are:
ServerCA.crt -> Used on Windows to trust the webserver application
ServerKey.der -> Key used by the webserver
ServerCert.der -> Certificate used by the webserver application
The web server application requires the DER files to send the certificates. But upon running the web-service application, the browser shows a “Not Secure” warning.
Upon clicking on the “Not Secure” warning, the following message is displayed.
However upon clicking on the Certificate and navigating to the tab “certification path”, the message says “This certificate is OK”.
This message is the same for Root Certificate and Server Certificate.
How to change the procedure to generate the certificates or modify the .ini file, so that the web-server application is trusted by the Browser?
Question Update:
To install the certificate in the Windows trust store, I followed these steps:
Typed "mmc" from command prompt(administrator)
Clicked on "File" -> "Add/Remove snap-in..."
Clicked on "Certificate" -> "Add" -> "Computer Account" -> "Next" -> "Finish"
Clicked on "Certificates" -> "Trusted Root Certification Authorities" -> "Certificates"
Right clicked on "Certificates"
Clicked on "All tasks" -> "import" -> "Next" -> "Browse" -> Selected the CRT file
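The two questions above share one mechanism worth showing end to end: a client accepts a server certificate only if the chain it builds ends at a root in its own trust store, and a browser additionally matches the URL's host name against the subjectAltName extension (Chrome has ignored the CN for this purpose since version 58). The openssl.ini above produces certificates with MD5 signatures, which current browsers reject, 1024-bit keys, well below today's 2048-bit minimum, and no subjectAltName at all. The following bash script is an added example, not code from either question: it builds a root CA, an intermediate and a server certificate with SHA-256, 2048-bit RSA keys and a SAN, then uses openssl verify to reproduce the Ruby question's "self signed certificate in certificate chain" (error 19) when the root is not trusted and a clean OK when it is. All names, host names and IP addresses are placeholders.

```bash
#!/usr/bin/env bash
# Added example; not code from either question. Builds root -> intermediate -> server with
# openssl and shows what 'openssl verify' reports with and without the root in the trust store.
# Every name, host and IP below is a placeholder.
set -eu

# Create a CSR with a fresh 2048-bit RSA key: make_csr DIR NAME SUBJECT
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build the whole PKI in DIR: make_pki DIR
make_pki() {
    local dir=$1
    mkdir -p "$dir"

    # Root: self-signed, CA:TRUE, key usage limited to signing certificates and CRLs.
    make_csr "$dir" root '/O=Example Corp/CN=Example Root CA'
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 3650 \
        -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

    # Intermediate: signed by the root; pathlen:0 means it may only issue end-entity certs.
    make_csr "$dir" inter '/O=Example Corp/CN=Example Intermediate CA'
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > "$dir/inter.ext"
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/inter.ext" -out "$dir/inter.crt" 2>/dev/null

    # Server: CA:FALSE, serverAuth, and the subjectAltName the browser matches the URL against.
    make_csr "$dir" server '/O=Example Corp/CN=ServerSystem1'
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:serversystem1.example.com,DNS:localhost,IP:127.0.0.1' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # What the TLS server should send: leaf first, then the intermediate (the root stays out).
    cat "$dir/server.crt" "$dir/inter.crt" > "$dir/fullchain.pem"
}

# Verify LEAF with UNTRUSTED standing in for the chain the server sent; CAFILE, if given, is
# the trust store (otherwise only the default store). Prints the verdict, returns openssl's status.
verify_chain() {   # verify_chain UNTRUSTED LEAF [CAFILE]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$1" "$2" 2>&1
    else
        openssl verify -untrusted "$1" "$2" 2>&1
    fi
}

# Print the SAN line of a certificate, empty if the extension is missing: show_san CERT
show_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'
}

# Demo: the Ruby question's first failure (server sends its self-signed root, client trusts nothing).
work=$(mktemp -d)
make_pki "$work"
cat "$work/inter.crt" "$work/root.crt" > "$work/sent-with-root.pem"
echo "root not trusted:"; verify_chain "$work/sent-with-root.pem" "$work/server.crt" || true
echo "root trusted:";     verify_chain "$work/inter.crt" "$work/server.crt" "$work/root.crt"
echo "SAN: $(show_san "$work/server.crt")"
rm -rf "$work"
```

For the Windows case in the second question, the file to import under "Trusted Root Certification Authorities" is the root only; the server presents fullchain.pem (leaf plus intermediate), and the browser's address bar is satisfied only if the URL host appears in the SAN list.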

How to use openssl to output encrypted/decrypted message to stdout

I am just trying to encrypt/decrypt a password with the shell (non-interactively - it's for an automated script). I am following this example:
https://superuser.com/a/20552/362669
I tried converting it to this so that it doesn't use a file output.bin to store the encrypted text:
#!/usr/bin/env bash
cd `dirname "$BASH_SOURCE"`
# generate a 2048-bit RSA key and store it in key.txt
openssl genrsa -out key.txt 2048
# encrypt "hello world" using the RSA key in key.txt
encrypted="$(echo "hello world" | openssl rsautl -inkey key.txt -encrypt)"
echo "encrypted: $encrypted"
# decrypt the message and output to stdout
decrypted="$(echo "$encrypted" | openssl rsautl -inkey key.txt -decrypt)"
echo "decrypted: $decrypted";
but all I get is this gobbledygook:
Generating RSA private key, 2048 bit long modulus
........................................................................................................................+++
............................+++
e is 65537 (0x10001)
��◆J��┌ܥײ��R▒��%⎽F�� 1l�}�%��?�0���+��%���C�8|_/!�A"Ꜵ:�������.��W2Pras��1���� ��(�a
��]�[�남␍◆�=┬─�з≤�ɦ�;�└�1MFP��^␋�#D� �T_⎺F�Eπ�2��U2Ÿ┌π��N│�� ⎽��_\2�� 8V��%��(�^���␍4�#�π���*^D ���/�└�
RSA ⎺⎻␊⎼▒├␋⎺┼ ␊⎼⎼⎺⎼
4662363756:␊⎼⎼⎺⎼:04FFF06B:⎼⎽▒ ⎼⎺┤├␋┼␊⎽:CRYPTO_␋┼├␊⎼┼▒┌:␉┌⎺␌┐ ├≤⎻␊ ␋⎽ ┼⎺├ 02:/B┤␋┌␍R⎺⎺├/L␋␉⎼▒⎼≤/C▒␌␤␊⎽/␌⎺└.▒⎻⎻┌␊.│␉⎽/S⎺┤⎼␌␊⎽/┌␋␉⎼␊⎽⎽┌/┌␋␉⎼␊⎽⎽┌-22.260.1/┌␋␉⎼␊⎽⎽┌-2.6/␌⎼≤⎻├⎺/⎼⎽▒/⎼⎽▒_⎻┐1.␌:185:
4662363756:␊⎼⎼⎺⎼:04FFF072:⎼⎽▒ ⎼⎺┤├␋┼␊⎽:CRYPTO_␋┼├␊⎼┼▒┌:⎻▒␍␍␋┼± ␌␤␊␌┐ °▒␋┌␊␍:/B┤␋┌␍R⎺⎺├/L␋␉⎼▒⎼≤/C▒␌␤␊⎽/␌⎺└.▒⎻⎻┌␊.│␉⎽/S⎺┤⎼␌␊⎽/┌␋␉⎼␊⎽⎽┌/┌␋␉⎼␊⎽⎽┌-22.260.1/┌␋␉⎼␊⎽⎽┌-2.6/␌⎼≤⎻├⎺/⎼⎽▒/⎼⎽▒_␊▒≤.␌:580:
␍␊␌⎼≤⎻├␊␍:
▒┌␊│⎽-└▒␌:␋┼├␊⎼⎺⎽ ▒┌␊│$
and my shell session is basically messed up.
Anyone know what that is? Maybe it's outputting characters that the shell can't handle?
Update: if I don't log the encrypted value, then I get this:
Generating RSA private key, 2048 bit long modulus
........................+++
..........+++
e is 65537 (0x10001)
RSA operation error
4558829164:error:04FFF06B:rsa routines:CRYPTO_internal:block type is not 02:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/rsa/rsa_pk1.c:185:
4558829164:error:04FFF072:rsa routines:CRYPTO_internal:padding check failed:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/rsa/rsa_eay.c:580:
decrypted:
I think the best idea would be to convert the binary to/from base64.
Just pipe the output through openssl base64 to encode and openssl base64 -d to decode.
So:
encrypted="$(echo "hello world" | openssl rsautl -inkey key.txt -encrypt | openssl base64)"
and
decrypted="$(echo "$encrypted" | openssl base64 -d | openssl rsautl -inkey key.txt -decrypt)"
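As an added example that is not part of the answer above: the same round trip with openssl pkeyutl, which replaces the rsautl command deprecated in OpenSSL 3.0, using OAEP padding instead of PKCS#1 v1.5, and single-line base64 so the ciphertext fits in one shell variable and survives echo. The original error ("block type is not 02 ... padding check failed") is what RSA decryption reports when the bytes it is given are not a ciphertext at all, which is what happened once the raw binary went through a shell variable; the same error appears if the padding modes on the two sides disagree. The key path is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the answer above): RSA-OAEP encrypt/decrypt with openssl pkeyutl,
# ciphertext carried as a single line of base64. key.pem is a placeholder path.
set -eu

# Generate an RSA-2048 private key at $1 unless it already exists.
ensure_key() {
    [ -f "$1" ] || openssl genrsa -out "$1" 2048 2>/dev/null
}

# stdin: plaintext. stdout: one line of base64 ciphertext.
# RSA-OAEP with SHA-256 caps the message at 190 bytes for a 2048-bit key; a password fits,
# anything larger should be encrypted with a symmetric key that is itself wrapped this way.
encrypt_to_b64() {    # encrypt_to_b64 KEYFILE  (the public half of the private key is used)
    openssl pkeyutl -encrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 | openssl base64 -A
    echo
}

# stdin: the base64 line (trailing newline tolerated). stdout: plaintext.
# The padding options must match the encrypt side or decryption fails with "padding check failed".
decrypt_from_b64() {  # decrypt_from_b64 KEYFILE
    tr -d '\n' | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Demo in a scratch directory so nothing is left behind.
work=$(mktemp -d)
ensure_key "$work/key.pem"
secret='correct horse battery staple'
encrypted=$(printf '%s' "$secret" | encrypt_to_b64 "$work/key.pem")
echo "encrypted: $encrypted"
echo "decrypted: $(printf '%s' "$encrypted" | decrypt_from_b64 "$work/key.pem")"
rm -rf "$work"
```

printf '%s' is used instead of echo so that no trailing newline becomes part of the plaintext; with echo, the decrypted value would carry a newline the original password did not have.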

Trying to set variable from while read loop header to var

I am trying to set a variable from my while loop to itself. I've looked around a lot and tested various methods but haven't been able to get anything to work.
while read -r ip port srv ban
do
    rm -f certificate.crt # sterilizing
    echo -e "$ban" | base64 -d | dos2unix | openssl x509 -inform d > certificate.crt
    sleep .5
    cert=$(openssl x509 -in certificate.crt -text -noout)
    echo "$cert"
    $ban = $cert
done < outfiles.txt
Here's what outfiles.txt looks like with a one line snippet.
xxx.xx.xxx.xxx 443 X509 <base64 blob elided>
I'm trying to decode the cert, which I can do, but I'm trying to replace (overwrite) the encoded certificate with the decoded certificate in the file I'm reading from, on each line I go through, by setting the $ban variable from while read ip port srv ban to the $cert variable.
So when looking at outfiles.txt you should see
xxx.xx.xxx.xxx 443 Certificate: Data: Version: 3 (0x2) Serial Number: 1372799044 (0x51d34044) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority Validity Not Before: Sep 22 17:14:57 2014 GMT Not After : Sep 23 01:31:53 2024 GMT Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ba:84:b6:72:db:9e:0c:6b:e2:99:e9:30:01:a7: 76:ea:32:b8:95:41:1a:c9:da:61:4e:58:72:cf:fe: f6:82:79:bf:73:61:06:0a:a5:27:d8:b3:5f:d3:45: 4e:1c:72:d6:4e:32:f2:72:8a:0f:f7:83:19:d0:6a: 80:80:00:45:1e:b0:c7:e7:9a:bf:12:57:27:1c:a3: 68:2f:0a:87:bd:6a:6b:0e:5e:65:f3:1c:77:d5:d4: 85:8d:70:21:b4:b3:32:e7:8b:a2:d5:86:39:02:b1: b8:d2:47:ce:e4:c9:49:c4:3b:a7:de:fb:54:7d:57: be:f0:e8:6e:c2:79:b2:3a:0b:55:e2:50:98:16:32: 13:5c:2f:78:56:c1:c2:94:b3:f2:5a:e4:27:9a:9f: 24:d7:c6:ec:d0:9b:25:82:e3:cc:c2:c4:45:c5:8c: 97:7a:06:6b:2a:11:9f:a9:0a:6e:48:3b:6f:db:d4: 11:19:42:f7:8f:07:bf:f5:53:5f:9c:3e:f4:17:2c: e6:69:ac:4e:32:4c:62:77:ea:b7:e8:e5:bb:34:bc: 19:8b:ae:9c:51:e7:b7:7e:b5:53:b1:33:22:e5:6d: cf:70:3c:1a:fa:e2:9b:67:b6:83:f4:8d:a5:af:62: 4c:4d:e0:58:ac:64:34:12:03:f8:b6:8d:94:63:24: a4:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 Authority Information Access: OCSP - URI:http://ocsp.entrust.net X509v3 CRL Distribution Points: Full Name: URI:http://crl.entrust.net/rootca1.crl X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: http://www.entrust.net/CPS X509v3 Subject Key Identifier: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB X509v3 Authority Key Identifier: keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D 
Signature Algorithm: sha256WithRSAEncryption 69:33:83:fc:28:7a:6f:7d:ef:9d:55:eb:c5:3e:7a:9d:75:b3: cc:c3:38:36:d9:34:a2:28:68:18:ea:1e:69:d3:bd:e7:d0:77: da:b8:00:83:4e:4a:cf:6f:d1:f1:c1:22:3f:74:e4:f7:98:49: 9e:9b:b6:9e:e1:db:98:77:2d:56:34:b1:a8:3c:d9:fd:c0:cd: c7:bf:05:03:d4:02:c5:f1:e5:c6:da:08:a5:13:c7:62:23:11: d1:61:30:1d:60:84:45:ef:79:a8:c6:26:93:a4:b7:cd:34:b8: 69:c5:13:f6:91:b3:c9:45:73:76:b6:92:f6:76:0a:5b:e1:03: 47:b7:e9:29:4c:91:32:23:37:4a:9c:35:d8:78:fd:1d:1f:e4: 83:89:24:80:ad:b7:f9:cf:e4:5d:a5:d4:71:c4:85:5b:70:1f: db:3f:1c:01:eb:1a:45:26:31:14:cc:65:bf:67:de:ca:cc:33: 65:e5:41:91:d7:37:be:41:1a:96:9d:e6:8a:97:9d:a7:ce:ac: 4e:9a:3d:bd:01:a0:6a:d9:4f:22:00:8b:44:d5:69:62:7b:2e: eb:cc:ba:e7:92:7d:69:67:3d:fc:b8:7c:de:41:87:d0:69:ea: ba:0a:18:7a:1a:95:43:b3:79:71:28:76:6d:a1:fb:57:4a:ec:
4d:c8:0e:10
Replace
$ban = $cert
with
ban=$cert
$ is only used to retrieve the value of a variable, not to set a variable.
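Beyond the one-character fix, the loop has a second gap that the question itself describes: assigning to ban changes a shell variable, not the file it was read from. The following bash script is an added example, not code from the question or the answer. It decodes each base64 DER field straight from the pipe (no temporary certificate file, no sleep, and the CR stripping that dos2unix did is folded into tr), and rewrites outfiles.txt through a temporary file so the summary replaces the blob on each line. The input layout (ip port srv ban) follows the question; the one-line summary fields (subject, issuer, expiry) are this example's choice, since the full -text dump would span many lines.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answer. Replaces the base64 DER blob in the
# fourth field of each line with a one-line certificate summary. The field layout
# (ip port srv ban) follows the question; the summary fields are this example's choice.
set -eu

# stdin: one base64-encoded DER certificate (CR/LF tolerated).
# stdout: "subject=... issuer=... notAfter=..." on a single line, empty if it does not decode.
summarize_der_b64() {
    tr -d '\r\n' | openssl base64 -d -A |
        openssl x509 -inform der -noout -subject -issuer -enddate 2>/dev/null |
        tr '\n' ' ' | sed 's/ *$//'
}

# Rewrite FILE in place. Assigning to $ban only changes the shell variable; to change the file,
# write the new content to a temp file and move it over the original once the loop is done.
rewrite_certs_file() {   # rewrite_certs_file FILE
    local infile=$1 tmp summary
    tmp=$(mktemp)
    # -r keeps backslashes intact; the last variable receives the rest of the line.
    while read -r ip port srv ban; do
        if [ "$srv" = "X509" ] && summary=$(printf '%s' "$ban" | summarize_der_b64) && [ -n "$summary" ]; then
            printf '%s %s %s\n' "$ip" "$port" "$summary"
        else
            # Lines that are not X509 records, or whose blob fails to decode, are kept unchanged.
            printf '%s %s %s %s\n' "$ip" "$port" "$srv" "$ban"
        fi
    done < "$infile" > "$tmp"
    mv "$tmp" "$infile"
}

# Usage: ./rewrite-certs.sh outfiles.txt
if [ -n "${1:-}" ]; then
    rewrite_certs_file "$1"
fi
```

Because the loop reads from the original file and writes to a different one, the rewrite is safe even though every line is being replaced; redirecting the loop's output back into outfiles.txt directly would truncate it before the first line was read.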

Suppress Openssl output during grep

I often use grep for openssl results when testing TLS security. For example:
$ openssl s_client -tls1_2 -connect 172.11.15.32:443 </dev/null | grep 'IS s'
depth=0 C = US, ST = asd, O = Billing, CN = asdasd, emailAddress = root@asdasd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = asd, O = Billing, CN = asdasd, emailAddress = root@asdasd
verify return:1
DONE
Secure Renegotiation IS supported
However, the issue is that no matter what I grep for, the output always contains these (or similar) lines at the beginning:
depth=0 C = US, ST = asd, O = Billing, CN = asdasd, emailAddress = root@asdasd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = asd, O = Billing, CN = asdasd, emailAddress = root@asdasd
verify return:1
Is it possible to somehow suppress these messages and receive only grep results as one would expect?
As indicated in the comments, the problem is that openssl writes part of its output to stderr, which shows up no matter what you pipe stdout into.
So if you want to see only what grep has filtered for you, you have to redirect stderr to /dev/null first, so that it does not "jump the pipe":
openssl ... 2>/dev/null | grep 'IS s'
# ^^^^^^^^^^^
See another example of this:
$ touch hello
$ ls hello adlsfjaskldf
ls: cannot access adlsfjaskldf: No such file or directory # stderr
hello # stdout
Let's grep, where everything appears:
$ ls hello adlsfjaskldf | grep hello
ls: cannot access adlsfjaskldf: No such file or directory # stderr
hello # stdout
Let's grep but redirect stderr beforehand:
$ ls hello adlsfjaskldf 2>/dev/null | grep hello
hello # no "ls: cannot access..." here
