Knowledge Base (Posts about tls)https://bgstack15.ddns.net/blog/enContents © 2022 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Sat, 16 Jul 2022 13:00:29 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssModify postfix for webhook plugin for Jellyfinhttps://bgstack15.ddns.net/blog/posts/2022/07/04/modify-postfix-for-webhook-plugin-for-jellyfin/bgstack15<p>With the recent Gmail change that requires oauth2 for sending authenticated gmail (covered in <a href="https://bgstack15.ddns.net/blog/posts/2022/03/10/postfix-use-oauth2-for-gmail/">Postfix use oauth2 for gmail</a>), my jellyfin Webhook plugin that includes an smtp option has finally stopped working.</p> <p>First of all, I had to ensure that I had network connectivity to my smtp server which is available over my wireguard connection.</p> <div class="code"><pre class="code literal-block">nc server2.ipa.internal.com 25 Ncat: Connection refused. </pre></div> <p>So I had to modify the nftables rules on server2. That took me a while, but I finally got it. For a real-time modification, I used this command.</p> <div class="code"><pre class="code literal-block">sudo nft add rule 'inet filter' input position 4 iif wg0 accept </pre></div> <p>This rule means "for input interface wg0 [wireguard], accept all packets." And insert this rule in a certain position, and not just at the end (so after the infamous "DROP ALL" of a well-behaved firewall.</p> <p>And my full ruleset is now in <code>/etc/nftables.conf</code>.</p> <div class="code"><pre class="code literal-block"><span class="n">flush</span><span class="w"> </span><span class="n">ruleset</span><span class="w"></span> <span class="k">table</span><span class="w"> </span><span class="n">inet</span><span class="w"> </span><span class="n">filter</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="k">input</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">filter</span><span class="w"> </span><span class="n">hook</span><span class="w"> </span><span class="k">input</span><span class="w"> </span><span class="n">priority</span><span class="w"> </span><span class="mh">0</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="p">#</span><span class="w"> </span><span class="n">accept</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">localhost</span><span class="w"> </span><span class="n">traffic</span><span class="w"></span> <span class="w"> </span><span class="n">iif</span><span class="w"> </span><span class="n">lo</span><span class="w"> </span><span class="n">accept</span><span class="w"></span> <span class="w"> </span><span class="n">iif</span><span class="w"> </span><span class="n">wg0</span><span class="w"> </span><span class="n">accept</span><span class="w"> </span><span class="n">comment</span><span class="w"> </span><span class="s">"trust all wireguard traffic"</span><span class="w"></span> <span class="w"> </span><span class="p">#</span><span class="w"> </span><span class="n">accept</span><span class="w"> </span><span class="n">traffic</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">originated</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">system</span><span class="w"></span> <span class="w"> </span><span class="p">#</span><span class="w"> </span><span class="n">accept</span><span class="w"> </span><span class="n">traffic</span><span class="w"> </span><span class="n">originated</span><span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">us</span><span class="w"></span> <span class="w"> </span><span class="n">ct</span><span class="w"> </span><span class="n">state</span><span class="w"> </span><span class="n">established</span><span class="p">,</span><span class="n">related</span><span class="w"> </span><span class="n">accept</span><span class="w"></span> <span class="w"> </span><span class="p">#</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="n">array</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="n">comma</span><span class="o">-</span><span class="n">separated</span><span class="w"></span> <span class="w"> </span><span class="n">tcp</span><span class="w"> </span><span class="n">dport</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="mh">22</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">ct</span><span class="w"> </span><span class="n">state</span><span class="w"> </span><span class="n">new</span><span class="w"> </span><span class="n">accept</span><span class="w"></span> <span class="w"> </span><span class="p">#</span><span class="w"> </span><span class="n">count</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">drop</span><span class="w"> </span><span class="n">any</span><span class="w"> </span><span class="n">other</span><span class="w"> </span><span class="n">traffic</span><span class="w"></span> <span class="w"> </span><span class="n">counter</span><span class="w"> </span><span class="n">drop</span><span class="w"></span> <span class="w"> </span><span class="p">}</span><span class="w"></span> <span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="n">forward</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">filter</span><span class="w"> </span><span class="n">hook</span><span class="w"> </span><span class="n">forward</span><span class="w"> </span><span class="n">priority</span><span class="w"> </span><span class="mh">0</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="p">}</span><span class="w"></span> <span class="w"> </span><span class="n">chain</span><span class="w"> </span><span class="k">output</span><span class="w"> </span><span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">filter</span><span class="w"> </span><span class="n">hook</span><span class="w"> </span><span class="k">output</span><span class="w"> </span><span class="n">priority</span><span class="w"> </span><span class="mh">0</span><span class="p">;</span><span class="w"></span> <span class="w"> </span><span class="p">}</span><span class="w"></span> <span class="p">}</span><span class="w"></span> </pre></div> <p>So finally my netcat worked.</p> <div class="code"><pre class="code literal-block">$ nc server2.ipa.internal.com <span class="m">25</span> <span class="m">220</span> server2.ipa.internal.com ESMTP Postfix <span class="o">(</span>Debian/GNU<span class="o">)</span> </pre></div> <p>So when I trigger a notification in Jellyfin, I get this error.</p> <p>Jun 26 18:27:50 server2 postfix/smtpd[14319]: connect from server1.remote.internal.com[10.198.0.14] Jun 26 18:27:50 server2 postfix/smtpd[14319]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308: Jun 26 18:27:50 server2 postfix/smtpd[14319]: lost connection after STARTTLS from server1.remote.internal.com[10.198.0.14] Jun 26 18:27:50 server2 postfix/smtpd[14319]: disconnect from server1.remote.internal.com[10.198.0.14] ehlo=1 starttls=1 commands=2</p> <p>Researching on the Internet for "jellyfin webhook smtp starttls" led to information mostly about disabling starttls. I didn't even realize I had it enabled. So I made some changes to my postfix to disable the silly snakeoil TLS certificate.</p> <p>And then I logged in again, and got this message in my postfix logs! So this is progress.</p> <div class="code"><pre class="code literal-block"><span class="n">Jun</span><span class="w"> </span><span class="mi">26</span><span class="w"> </span><span class="mi">18</span><span class="err">:</span><span class="mi">34</span><span class="err">:</span><span class="mi">49</span><span class="w"> </span><span class="n">server2</span><span class="w"> </span><span class="k">postfix</span><span class="o">/</span><span class="n">smtpd</span><span class="o">[</span><span class="n">15802</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="nl">NOQUEUE</span><span class="p">:</span><span class="w"> </span><span class="nl">reject</span><span class="p">:</span><span class="w"> </span><span class="n">RCPT</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">server1</span><span class="p">.</span><span class="n">remote</span><span class="p">.</span><span class="n">internal</span><span class="p">.</span><span class="n">com</span><span class="o">[</span><span class="n">10.198.0.14</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="mi">454</span><span class="w"> </span><span class="mf">4.7.1</span><span class="w"> </span><span class="o">&lt;</span><span class="n">example</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="err">:</span><span class="w"> </span><span class="n">Relay</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">denied</span><span class="p">;</span><span class="w"> </span><span class="k">from</span><span class="o">=&lt;</span><span class="n">example</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="w"> </span><span class="k">to</span><span class="o">=&lt;</span><span class="n">example</span><span class="nv">@gmail</span><span class="p">.</span><span class="n">com</span><span class="o">&gt;</span><span class="w"> </span><span class="n">proto</span><span class="o">=</span><span class="n">ESMTP</span><span class="w"> </span><span class="n">helo</span><span class="o">=&lt;[</span><span class="n">192.168.58.18</span><span class="o">]&gt;</span><span class="w"></span> <span class="n">Jun</span><span class="w"> </span><span class="mi">26</span><span class="w"> </span><span class="mi">18</span><span class="err">:</span><span class="mi">34</span><span class="err">:</span><span class="mi">49</span><span class="w"> </span><span class="n">server2</span><span class="w"> </span><span class="k">postfix</span><span class="o">/</span><span class="n">smtpd</span><span class="o">[</span><span class="n">15802</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">lost</span><span class="w"> </span><span class="k">connection</span><span class="w"> </span><span class="k">after</span><span class="w"> </span><span class="n">RSET</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">server1</span><span class="p">.</span><span class="n">remote</span><span class="p">.</span><span class="n">internal</span><span class="p">.</span><span class="n">com</span><span class="o">[</span><span class="n">10.198.0.14</span><span class="o">]</span><span class="w"></span> <span class="n">Jun</span><span class="w"> </span><span class="mi">26</span><span class="w"> </span><span class="mi">18</span><span class="err">:</span><span class="mi">34</span><span class="err">:</span><span class="mi">49</span><span class="w"> </span><span class="n">server2</span><span class="w"> </span><span class="k">postfix</span><span class="o">/</span><span class="n">smtpd</span><span class="o">[</span><span class="n">15802</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="k">disconnect</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">server1</span><span class="p">.</span><span class="n">remote</span><span class="p">.</span><span class="n">internal</span><span class="p">.</span><span class="n">com</span><span class="o">[</span><span class="n">10.198.0.14</span><span class="o">]</span><span class="w"> </span><span class="n">ehlo</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">mail</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">rcpt</span><span class="o">=</span><span class="mi">0</span><span class="o">/</span><span class="mi">1</span><span class="w"> </span><span class="n">rset</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">commands</span><span class="o">=</span><span class="mi">3</span><span class="o">/</span><span class="mi">4</span><span class="w"></span> </pre></div> <p>After all the changes, my postfix main.cf includes at least these lines:</p> <div class="code"><pre class="code literal-block"><span class="p">#</span><span class="w"> </span><span class="n">Important</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">comment</span><span class="w"> </span><span class="n">these</span><span class="w"> </span><span class="n">out</span><span class="o">!</span><span class="w"></span> <span class="p">#</span><span class="n">smtpd_tls_cert_file</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">ssl</span><span class="o">-</span><span class="n">cert</span><span class="o">-</span><span class="n">snakeoil</span><span class="p">.</span><span class="n">pem</span><span class="w"></span> <span class="p">#</span><span class="n">smtpd_tls_key_file</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">private</span><span class="o">/</span><span class="n">ssl</span><span class="o">-</span><span class="n">cert</span><span class="o">-</span><span class="n">snakeoil</span><span class="p">.</span><span class="n">key</span><span class="w"></span> <span class="p">#</span><span class="n">smtpd_tls_security_level</span><span class="o">=</span><span class="n">may</span><span class="w"></span> <span class="n">smtpd_use_tls</span><span class="o">=</span><span class="n">no</span><span class="w"></span> <span class="p">#</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">already</span><span class="w"> </span><span class="n">existed</span><span class="p">,</span><span class="w"> </span><span class="n">but</span><span class="p">...</span><span class="w"></span> <span class="n">smtpd_relay_restrictions</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">permit_mynetworks</span><span class="w"> </span><span class="n">permit_sasl_authenticated</span><span class="w"> </span><span class="n">defer_unauth_destination</span><span class="w"></span> <span class="p">#</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">added</span><span class="w"> </span><span class="n">my</span><span class="w"> </span><span class="n">wireguard</span><span class="w"> </span><span class="n">subnet</span><span class="w"> </span><span class="n">here</span><span class="p">.</span><span class="w"></span> <span class="n">mynetworks</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">127.0.0.0</span><span class="o">/</span><span class="mh">8</span><span class="w"> </span><span class="p">[</span><span class="o">::</span><span class="nl">ffff:</span><span class="mf">127.0.0.0</span><span class="p">]</span><span class="o">/</span><span class="mh">104</span><span class="w"> </span><span class="p">[</span><span class="o">::</span><span class="mh">1</span><span class="p">]</span><span class="o">/</span><span class="mh">128</span><span class="w"> </span><span class="mf">10.198.0.0</span><span class="o">/</span><span class="mh">24</span><span class="w"></span> </pre></div> <p>And now I can receive notifications when my users visit my Jellyfin server.</p> <p>And just for completeness's sake, here is my smtp notification information.</p> <div class="code"><pre class="code literal-block">Add smtp destination. Name: smtp2 Webhook Url: (not relevant) https://www.example.com/internal/jellyfin-webhook2.html Items: playback start, playback stop, session start User filter: (all users) Item time: (all) Send all properties: no Template: <span class="nt">&lt;pre&gt;</span>Username: <span class="cp">{{</span><span class="nv">Username</span><span class="cp">}}</span> Action: <span class="cp">{{</span><span class="nv">NotificationType</span><span class="cp">}}</span> Timestamp: <span class="cp">{{</span><span class="nv">UtcTimestamp</span><span class="cp">}}</span> Title:: <span class="cp">{{</span><span class="nv">Name</span><span class="cp">}}</span> <span class="cp">{{</span><span class="err">#</span><span class="nv">if_exist</span> <span class="nv">SeriesName</span><span class="cp">}}</span> Series: <span class="cp">{{</span><span class="nv">SeriesName</span><span class="cp">}}</span> Season: <span class="cp">{{</span><span class="nv">SeasonNumber00</span><span class="cp">}}</span> Episode: <span class="cp">{{</span><span class="nv">EpisodeNumber00</span><span class="cp">}}</span> <span class="cp">{{</span><span class="o">/</span><span class="nv">if_exist</span><span class="cp">}}</span> DeviceName: <span class="cp">{{</span><span class="nv">DeviceName</span><span class="cp">}}</span> ClientName: <span class="cp">{{</span><span class="nv">ClientName</span><span class="cp">}}</span> PlaybackPosition: <span class="cp">{{</span><span class="nv">PlaybackPosition</span><span class="cp">}}</span> <span class="nt">&lt;/pre&gt;</span> END TEMPLATE CONTENTS Sender: example@gmail.com Receiver: example@gmail.com smtp server address: server2.ipa.internal.com smtp port: 25 Use credentials: no Use ssl: no Is html body: yes Subject template: Jellyfin activity for <span class="cp">{{</span><span class="nv">Username</span><span class="cp">}}</span> </pre></div> <h6>Update 2022-07-12:</h6> <p>I have since learned that the nftables.conf contents should NOT have double-quotes around the <code>wg0</code> interface name. The output of <code>nft list table 'inet filter'</code> shows double-quotes, but these do not work when placed in the rules file.</p>jellyfinpostfixtlshttps://bgstack15.ddns.net/blog/posts/2022/07/04/modify-postfix-for-webhook-plugin-for-jellyfin/Mon, 04 Jul 2022 12:48:40 GMTShow all TLS ports and their cert infohttps://bgstack15.ddns.net/blog/posts/2022/03/14/show-all-tls-ports-and-their-cert-info/bgstack15<p>I wanted to conduct an audit of what TLS certificates are in use on my system. This command should be run from the system to be scanned, but the connection is made to the main IP address and not loopback. So for host <code>server1</code>, run this command:</p> <pre class="code literal-block"><span></span><code>{ for word in $( sudo ss -tlnu | awk '{print $5}' | awk -F ':' '!x[$2]++{print $2}' | sort -n ) ; do timeout 3s sslscanner server1:<span class="cp">${</span><span class="n">word</span><span class="cp">}</span> | sed -r -e "s/^/<span class="cp">${</span><span class="n">word</span><span class="cp">}</span>: /;" ; done ; } 2&gt;<span class="err">&amp;</span>1 | grep -vE '^Terminated$' </code></pre> <p>Observe that this command does depend on the <a href="https://bgstack15.ddns.net/cgit/bgscripts/tree/src/usr/bin/sslscanner">sslscanner</a> script.</p> <p>The sample output is:</p> <pre class="code literal-block"><span></span><code><span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">subject</span><span class="o">=</span><span class="w"> </span><span class="sr">/O=IPA.EXAMPLE.COM/</span><span class="n">CN</span><span class="o">=</span><span class="n">server1</span><span class="o">.</span><span class="na">ipa</span><span class="o">.</span><span class="na">internal</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">issuer</span><span class="o">=</span><span class="w"> </span><span class="sr">/O=IPA.EXAMPLE.COM/</span><span class="n">CN</span><span class="o">=</span><span class="n">Certificate</span><span class="w"> </span><span class="n">Authority</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">notBefore</span><span class="o">=</span><span class="n">May</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="mi">19</span><span class="o">:</span><span class="mi">03</span><span class="o">:</span><span class="mi">38</span><span class="w"> </span><span class="mi">2021</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">notAfter</span><span class="o">=</span><span class="n">May</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="mi">19</span><span class="o">:</span><span class="mi">03</span><span class="o">:</span><span class="mi">38</span><span class="w"> </span><span class="mi">2023</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">san</span><span class="o">=</span><span class="n">www</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">san</span><span class="o">=</span><span class="n">server1</span><span class="o">.</span><span class="na">ipa</span><span class="o">.</span><span class="na">internal</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">san</span><span class="o">=</span><span class="n">www</span><span class="o">.</span><span class="na">ipa</span><span class="o">.</span><span class="na">internal</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span><span class="n">san</span><span class="o">=</span><span class="n">www</span><span class="o">.</span><span class="na">internal</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">443</span><span class="o">:</span><span class="w"> </span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">subject</span><span class="o">=</span><span class="w"> </span><span class="o">/</span><span class="n">CN</span><span class="o">=</span><span class="n">www</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">issuer</span><span class="o">=</span><span class="w"> </span><span class="sr">/C=US/O=Let's Encrypt/</span><span class="n">CN</span><span class="o">=</span><span class="n">R3</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">notBefore</span><span class="o">=</span><span class="n">Feb</span><span class="w"> </span><span class="mi">26</span><span class="w"> </span><span class="mi">23</span><span class="o">:</span><span class="mi">38</span><span class="o">:</span><span class="mi">29</span><span class="w"> </span><span class="mi">2022</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">notAfter</span><span class="o">=</span><span class="n">May</span><span class="w"> </span><span class="mi">27</span><span class="w"> </span><span class="mi">23</span><span class="o">:</span><span class="mi">38</span><span class="o">:</span><span class="mi">28</span><span class="w"> </span><span class="mi">2022</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">san</span><span class="o">=</span><span class="n">www</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">subject</span><span class="o">=</span><span class="w"> </span><span class="sr">/C=US/O=Let's Encrypt/</span><span class="n">CN</span><span class="o">=</span><span class="n">R3</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">issuer</span><span class="o">=</span><span class="w"> </span><span class="sr">/C=US/O=Internet Security Research Group/</span><span class="n">CN</span><span class="o">=</span><span class="n">ISRG</span><span class="w"> </span><span class="n">Root</span><span class="w"> </span><span class="n">X1</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">notBefore</span><span class="o">=</span><span class="n">Sep</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="mi">00</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">00</span><span class="w"> </span><span class="mi">2020</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">notAfter</span><span class="o">=</span><span class="n">Sep</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mi">16</span><span class="o">:</span><span class="mi">00</span><span class="o">:</span><span class="mi">00</span><span class="w"> </span><span class="mi">2025</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">subject</span><span class="o">=</span><span class="w"> </span><span class="sr">/C=US/O=Internet Security Research Group/</span><span class="n">CN</span><span class="o">=</span><span class="n">ISRG</span><span class="w"> </span><span class="n">Root</span><span class="w"> </span><span class="n">X1</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">issuer</span><span class="o">=</span><span class="w"> </span><span class="sr">/O=Digital Signature Trust Co./</span><span class="n">CN</span><span class="o">=</span><span class="n">DST</span><span class="w"> </span><span class="n">Root</span><span class="w"> </span><span class="n">CA</span><span class="w"> </span><span class="n">X3</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">notBefore</span><span class="o">=</span><span class="n">Jan</span><span class="w"> </span><span class="mi">20</span><span class="w"> </span><span class="mi">19</span><span class="o">:</span><span class="mi">14</span><span class="o">:</span><span class="mi">03</span><span class="w"> </span><span class="mi">2021</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"> </span><span class="n">notAfter</span><span class="o">=</span><span class="n">Sep</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="mi">18</span><span class="o">:</span><span class="mi">14</span><span class="o">:</span><span class="mi">03</span><span class="w"> </span><span class="mi">2024</span><span class="w"> </span><span class="n">GMT</span><span class="w"></span> <span class="mi">500</span><span class="o">:</span><span class="w"></span> </code></pre> <p>This oneliner makes it simple to see which certificates are in use, on what port.</p>certificatesonelinerportstlshttps://bgstack15.ddns.net/blog/posts/2022/03/14/show-all-tls-ports-and-their-cert-info/Mon, 14 Mar 2022 12:59:31 GMT