How to check SSL Valid

comparechoose · June 23, 2017, 2:20pm

Please fill out the fields below so we can help you better.

My domain is: www.compareandchoose.com.au

I ran this command: https://www.google.com/transparencyreport/https/ct/?hl=en

It produced this output: VALID Certificate

I am trying to produce the same to check if certificates are valid or not, any idea where they are looking up against

schoen · June 23, 2017, 5:19pm

They are making a TLS connection on port 443 of the host, sending the hostname as SNI data, and looking at the returned certificate chain. They are then checking whether the certificate chain is valid, whether it originates in a browser-trusted root certificate, and whether the end-entity certificate includes the intended hostname as a subject (and probably also whether they can complete a TLS session negotiation using the subject public key).

This is a very technical process, but one with which people who work on the web’s public key infrastructure (like operating certificate authorities) become extremely familiar. You can learn more about how it works by reading Ivan Ristić’s Bulletproof SSL and TLS, reading standards documents, playing with the openssl command, or hanging out on this forum for a long time.

You can see some of the specific information that Google is verifying inside your own browser if you go to https://www.compareandchoose.com.au/, and then in Firefox selecting Tools, Page Info, Security, View Certificate, Details. Or in Chromium or Chrome, choose Tools, Developer Tools, Security [which might be hidden behind the …], View Certificate, Details.

Are you trying to replicate this verification process in some other context?

comparechoose · June 24, 2017, 2:08am

Hi Schoen

Thanks for the information, i am actually try to run an SEO report when someone enters a url for some customers to show if website is secure or not

Similar to varvy.com

Enjoy your weekend

Patches · June 24, 2017, 2:18am

SSL Labs has a nifty API. Some certificate authorities actually use it for their online checkers.

https://www.ssllabs.com/projects/ssllabs-apis/

schoen · June 24, 2017, 5:31am

That sounds like a great suggestion, @Patches!

comparechoose · June 24, 2017, 6:35am

Thanks guys

Regards
Alan

leader · June 24, 2017, 12:06pm

While that API is nice indeed, it is not allowed to be used on public sites and/or for commercial purpose according to T&C. Judging by the phrase "run an SEO report when someone enters a url for some customers", this case falls under those T&Cs, so express permission from Qualys will be required.

schoen · June 24, 2017, 6:25pm

A quick and dirty option is to call out to curl and see if it returns an error (or whether it returns an error about “SSL”). For example,

curl https://wrong.host.badssl.com/

returns exit code 51, while

curl https://expired.badssl.com/

returns exit code 60, as does

curl https://incomplete-chain.badssl.com/ (unlike your browser, curl has no way of caching intermediates).

By contrast,

curl https://www.google.com/

returns exit code 0.

There are still potentially some divergences from browser behavior, and also the root store that you have may not align perfectly with those used by any particular browser, unless you deliberately import a copy of their root stores. But it’s not a bad test.

Most programming languages’ libraries for making HTTP connections can probably give similar information.

>>> import requests
>>> requests.get("https://www.google.com/")
<Response [200]>
>>> requests.get("https://expired.badssl.com/")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
>>> requests.get("https://incomplete-chain.badssl.com/")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

system · July 24, 2017, 6:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.