Troubleshooting
Problem
You have a TLS or SSL log source for which all required settings and configuration options are correct, but the log source remains in ERROR status.
Cause
A TLS or SSL log source requires a connection to the remote host. When that connection cannot be established, or the remote certificate cannot be verified, the log source displays an error condition.
Resolving The Problem
OpenSSL is a helpful test client for troubleshooting remote SSL or TLS connections. Administrators can use openssl s_client to check whether the certificate is valid, trusted, and complete. The s_client command can be used to analyze client or server communication, including whether a port is open and if that port is capable of accepting a connection. The openssl verify command can verify a certificate chain.
Before you begin
- This procedure requires a TLS or SSL log source.
- This article is an overview and not a complete guide to the openssl s_client command.
- Command examples demonstrated in this article:
  - openssl s_client -connect
  - openssl s_client -verify_return_error
  - openssl s_client -showcerts
  - openssl verify
openssl s_client connect
Use the openssl s_client -connect option to display information about the SSL connection to the server. With this command you can retrieve or view an LDAPS certificate from a Domain Controller, or examine the certificate that a log source or receiving host presents. The information includes the server's certificate chain, printed as subject (s:) and issuer (i:) for each certificate. The command output also shows CONNECTED(00000003) to confirm that a connection is made.
- Use SSH to log in to the Console as the root user.
- Use SSH to connect from the Console to the Collector that is used in the log source configuration.
- Use the openssl command to display the connection to the remote host. Type the command: openssl s_client -connect www.example.com:443
  For example:
# openssl s_client -connect email-smtp.us-west-2.amazonaws.com:465
Results
The output of the command displays CONNECTED(00000003), followed by the verification of each certificate in the chain (depth=4 is the root, depth=0 the server certificate) and the connection details:
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.us-west-2.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/CN=email-smtp.us-west-2.amazonaws.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[Truncated Output]
-----END CERTIFICATE-----
subject=/CN=email-smtp.us-west-2.amazonaws.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5474 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 18353E73C57F012C28416DABC1597A4AB5287D333B957D6EC3C3AE44735A0271
    Session-ID-ctx:
    Master-Key: FADCBBC9A44097EE3DAEF1BB8608A897042EF907C68A17693C3C09F821B856207A3FFE78ABAE67F8B274A224CAB1773A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1664128138
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-B2A7I8WCJ CPjXdQvhBcVYkP4QJjy1
451 4.4.2 Timeout waiting for data from client.
closed
openssl s_client verify_return_error
The -verify_return_error option makes certificate verification errors fatal: if verification of the server's certificate chain returns any error, the SSL handshake fails and the connection aborts (without the option, s_client reports the verification error but continues the handshake). In the example, a successful handshake with no errors is displayed. The command output also shows CONNECTED(00000003) to confirm a connection.
- Use SSH to log in to the Console as the root user.
- Use SSH to connect from the Console to the Collector that is used in the log source configuration.
- Use the openssl command to display the connection to the remote host. Type the command: openssl s_client -verify_return_error -connect example.com:443
  For example:
# openssl s_client -verify_return_error -connect google.com:443
Results
The output of the command displays CONNECTED(00000003) and the information about the connection:
CONNECTED(00000003)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/CN=*.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[Truncated Output]
-----END CERTIFICATE-----
subject=/CN=*.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7311 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B21EAAD8E3C37723AC85387E9F76D8A6A1276313B6C92B5168EDFD91E9ACA82B
    Session-ID-ctx:
    Master-Key: 6417AD35DED707AC008C550C0822899CF986C44A047228573E74BF9DAFB53B0099BB2A70B57EA6B6F0D1219CF445F1B1
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 02 7e 52 fb bc 29 cb 2e-08 39 4c f2 6b 0c 6f ef   .~R..)...9L.k.o.
    0010 - a9 88 24 51 f7 49 c5 6d-cb 27 0a 59 36 87 9e 9e   ..$Q.I.m.'.Y6...
    [Truncated output]

    Start Time: 1664127701
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
openssl s_client showcerts
The -showcerts flag, appended to the openssl s_client -connect command, shows the entire certificate chain in PEM format; leaving off -showcerts shows only the end-entity (server) certificate. The command output also shows CONNECTED(00000003) to confirm that a connection is made.
This option allows administrators to display the actual PEM-formatted certificates so that they can cut and paste a certificate to other locations, such as a WinCollect destination.
- Use SSH to log in to the Console as the root user.
- Use SSH to connect from the Console to the Collector that is used in the log source configuration.
- Use the openssl command to display the connection to the remote host. Type the command: openssl s_client -showcerts -connect email-smtp.us-west-2.amazonaws.com:465
  For example:
# openssl s_client -showcerts -connect email-smtp.us-west-2.amazonaws.com:465
Results
The output of the command displays CONNECTED(00000003) and the information about the connection, with each certificate in the chain printed in PEM format after its subject and issuer:
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.us-west-2.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/CN=email-smtp.us-west-2.amazonaws.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
-----BEGIN CERTIFICATE-----
[Truncated output]
-----END CERTIFICATE-----
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
-----BEGIN CERTIFICATE-----
[Truncated output]
-----END CERTIFICATE-----
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
[Truncated output]
-----END CERTIFICATE-----
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
[Truncated output]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=email-smtp.us-west-2.amazonaws.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5474 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 908FBF637852821447CF4588A00352AC08CB45CC3024C3853665E5A1CD2ABE52
    Session-ID-ctx:
    Master-Key: 30C2D18CD625D7B4B759C3FF901FCA698A78F649E504C55E89237995DF88B0D3A9E56A6B4F3BEEC84586802B2ABEDD12
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1664128952
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-JOAS8KIDJ r4ClAdMc41SqvQPAy8tU
451 4.4.2 Timeout waiting for data from client.
closed
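As an added example (not part of this article and not QRadar code), the following Python script reads a saved openssl s_client transcript of the kind shown in the three sections above and reports the first condition to act on: whether CONNECTED appeared, the Verify return code, whether each certificate's issuer matches the subject of the next certificate in the chain, and any PEM blocks captured with -showcerts for pasting into a trust store. It assumes the transcript was saved to a file on the Collector (for example with openssl s_client -showcerts -connect host:port </dev/null > s_client.txt); the sample transcript in the block is constructed.

```python
import re

# Patterns for the parts of an `openssl s_client` transcript that matter for triage.
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")        # " 0 s:/CN=host"     (subject line)
ISSUER_RE = re.compile(r"^\s*i:(.*)$")             # "   i:/C=US/O=..."  (issuer line)
RETURN_CODE_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_s_client(transcript):
    """Summarise a saved s_client transcript: connection, chain links, verify result, PEM blocks."""
    lines = transcript.splitlines()
    chain = []
    for n, line in enumerate(lines[:-1]):
        m, mi = CHAIN_RE.match(line), ISSUER_RE.match(lines[n + 1])
        if m and mi:
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(),
                          "issuer": mi.group(1).strip()})
    code = RETURN_CODE_RE.search(transcript)
    return {
        "connected": "CONNECTED(" in transcript,
        "chain": chain,
        # each certificate's issuer must be the subject of the next one the server sent
        "chain_linked": all(chain[i]["issuer"] == chain[i + 1]["subject"]
                            for i in range(len(chain) - 1)),
        "verify_code": int(code.group(1)) if code else None,
        "verify_msg": code.group(2) if code else None,
        "pems": PEM_RE.findall(transcript),  # non-empty only when -showcerts was used
    }

def diagnose(transcript):
    """Return the first condition an administrator should act on, in the order the article checks them."""
    r = parse_s_client(transcript)
    if not r["connected"]:
        return "no connection: check host, port and firewall rules between the Collector and the remote host"
    if r["verify_code"] != 0:
        why = r["verify_msg"] or "handshake did not reach a Verify return code line"
        return f"verification failed ({why}): add the missing CA or intermediate certificate to the trust store"
    if not r["chain_linked"]:
        return "chain issuers and subjects do not line up: check the certificate chain configured on the remote host"
    return f"ok: {len(r['chain'])} certificates in chain, verify return code 0"

# Constructed sample transcript modelled on the output above (certificate bodies elided).
SAMPLE_OK = """CONNECTED(00000003)
 0 s:/CN=email-smtp.us-west-2.amazonaws.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
    Verify return code: 0 (ok)
"""
```

Run it on a transcript captured from the Collector; the PEM blocks in the returned "pems" list are the certificates to import where the article's WinCollect destination or trust store needs them.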
openssl verify
The openssl verify command verifies a certificate against a trusted CA certificate or chain. Syntax:
openssl verify -CAfile <ca_cert.pem> <target_cert.pem>
This example uses certificates in PEM format.
Results
# openssl verify -CAfile /etc/pki/ca-trust/source/anchors/RootCA.crt /opt/qradar/conf/trusted_certificates/IntermediateCA.crt
IntermediateCA.crt: OK
The intermediate certificate is validated against the root CA given with -CAfile.
For more information about this topic, see www.openssl.org.
Document Information
Modified date:
30 September 2022
UID
ibm16695911