> OpenSSL has a s_client command that allows you to pull the certificates a
> web page sends and verify the chain of trust against whatever root CA store > OpenSSL is using. Is there a way to do something similar for NSS? i.e. pull > the certificates a web page sends and validate them against the current set > of Mozilla root certificates? >
If you use a Linux distribution, you can probably get a package that already
contains the tools. On fedora it's nss-tools
We have test utilities, that are primarily used as part of the NSS test suite,
and which (at least on Fedora) are shipped in a separate "unsupported-tools"
directory, but they can do what you want.
On Fedora, you can execute
which will attempt to validate the server's cert against the CA trust list that
comes with NSS (from the libnssckbi.so module).
This doesn't show the full chain on the terminal, but there's an option -c that
will dump all certs sent by the server into files.
I also like tstclnt, which has recently been enhanced to print information about
the server chain:
/usr/lib64/nss/unsupported-tools/tstclnt -C -D -b -h www.yourhost -p 443
You can use -C up to three times, to get more details about the certs.
Real life example of vfyserv output:
$ /usr/lib64/nss/unsupported-tools/vfyserv www.fusemail.com
Connecting to host www.fusemail.com (addr 126.96.36.199) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1
CN=*.fusemail.com,OU=Domain Control Validated
CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 392 bytes total.
The output itself is much easy to parse than openssl and that could be handy in monitoring purposes.
nss-3.23.0-alt1 -> sisyphus:
* Mon Mar 21 2016 Alexey Gladkov <legion@altlinux> 3.23.0-alt1
- New version (3.23).
- Add tstclnt and vfyserv (ALT#31803)
- Disable SSL2.