How do you debug the client certificate request with openssl?

When an SSL connection is established, the server may request a client certificate. This is not mandatory, however: the request is very often deferred until a specific URL is requested.

In that case, use the -prexit option of the openssl s_client command so that it prints the SSL session information just before exiting.

Example with our site https://testcert.pitux.com/php/testcrypto.php (note: this requires openssl 0.97 at minimum, and it is recommended that you have updated your root certificate store; see Using a Linux SSL client / openssl).
openssl s_client -port 443 -CApath /usr/share/ssl/certs/ -host testcert.pitux.com -prexit
The first negotiation gives:
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Calvados, L = Caen, O = TBS INTERNET, OU = TBS INTERNET CA, CN = TBS X509 CA business 2
verify return:1
depth=0 C = FR, postalCode = 14000, ST = Calvados, L = CAEN, street = 22 RUE DE BRETAGNE, O = TBS CERTIFICATS, OU = 0002 440443810, CN = *.pitux.com
verify return:1
139901678843712:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
Certificate chain
 0 s:/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
   i:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
 1 s:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
issuer=/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
---
Acceptable client certificate CA names
/O=Autorite Consulaire/CN=CSF
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France - AC 2 \xC3\xA9toiles
/O=Autorite Consulaire/OU=Certification Professionnelle/CN=CSF - Classe III - Sign et Crypt
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2.1
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-48146308100036/CN=Certigna Identity Plus CA
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-0002 48146308100036/CN=Certigna Identity CA
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA business
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7685 bytes and written 314 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: D7CEDC5FCC80C9AFB902C649458F8A1F5E85DEF64C5AE95A2589ED04E97F7883267A13975A2431305069BE6DF7E22270
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592213514
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
At this point, simulate a request for a page that requires a client certificate; in our example:
GET /php/testcrypto.php HTTP/1.1
HOST: testcert.pitux.com

Which gives us the end of the negotiation:
Certificate chain
 0 s:/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
   i:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
 1 s:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
issuer=/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
---
Acceptable client certificate CA names
/O=Autorite Consulaire/CN=CSF
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France - AC 2 \xC3\xA9toiles
/O=Autorite Consulaire/OU=Certification Professionnelle/CN=CSF - Classe III - Sign et Crypt
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2.1
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-48146308100036/CN=Certigna Identity Plus CA
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-0002 48146308100036/CN=Certigna Identity CA
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA business
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 7685 bytes and written 314 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 7A8A21E0ECEF8CA588D7858CA194749386245D1866A3C327C3164F4514CF7472BC0E74C123A6A47DC59AEE1B4F8A9EC2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592213528
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
The part we are interested in is the Acceptable client certificate CA names section:
/O=Autorite Consulaire/CN=CSF
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France - AC 2 \xC3\xA9toiles
/O=Autorite Consulaire/OU=Certification Professionnelle/CN=CSF - Classe III - Sign et Crypt
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2.1
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-48146308100036/CN=Certigna Identity Plus CA
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-0002 48146308100036/CN=Certigna Identity CA
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA business
Also note the line
SSL alert number 40
which indicates that the server refuses the connection because no client certificate was presented (the command line needs to be completed).
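
The check described above, scripted. This is an added example, not part of the original page: it extracts the Acceptable client certificate CA names list from a saved s_client -prexit transcript and reports whether the issuer DN of the certificate you intend to present is in it. The function names and the abridged transcript are constructed, and the comparison assumes DNs in the one-per-line slash form shown on this page (other OpenSSL versions may print DNs differently).

```shell
#!/bin/sh
# Added example. Function names are illustrative; the transcript is constructed
# and abridged, reusing DNs and the alert line from the output on this page.

sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
139901678843712:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
Acceptable client certificate CA names
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
Acceptable client certificate CA names
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
EOF
}

# Print the DNs of the first "Acceptable client certificate CA names" section.
# -prexit dumps the session twice, so stop at the end of the first list.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^(---|Client Certificate Types|Requested Signature Algorithms)/ { exit }
        in_list { print }
    ' "$1"
}

# Succeed if issuer DN $1 appears verbatim in the list from transcript $2.
issuer_listed() {
    acceptable_cas "$2" | grep -Fxq -- "$1"
}

# Classify a transcript for the issuer DN of the certificate you plan to send.
diagnose() {
    if [ -z "$(acceptable_cas "$1")" ]; then
        echo not-requested            # no CA list: no certificate request seen
    elif ! issuer_listed "$2" "$1"; then
        echo issuer-not-listed        # server does not advertise this issuer
    elif grep -q 'SSL alert number 40' "$1"; then
        echo issuer-listed-alert-40   # issuer fine, but this run was refused
    else
        echo issuer-listed
    fi
}

t=$(mktemp) && sample_transcript > "$t"
diagnose "$t" "/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2"
diagnose "$t" "/C=XX/O=Example Private CA/CN=Example Issuing CA"
rm -f "$t"
```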

openssl can also be used to check that a client certificate is presented correctly to a server that requires one. Simply specify the client certificate and the private key with the -cert and -key parameters.

openssl s_client -port 443 -CApath /usr/share/ssl/certs/ -host testcert.pitux.com -prexit -cert votre.certificat.client.cert -key votre.clef.privee.key
Here is the result when a certificate is presented:
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Calvados, L = Caen, O = TBS INTERNET, OU = TBS INTERNET CA, CN = TBS X509 CA business 2
verify return:1
depth=0 C = FR, postalCode = 14000, ST = Calvados, L = CAEN, street = 22 RUE DE BRETAGNE, O = TBS CERTIFICATS, OU = 0002 440443810, CN = *.pitux.com
verify return:1
---
Certificate chain
 0 s:/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
   i:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
 1 s:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
issuer=/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
---
Acceptable client certificate CA names
/O=Autorite Consulaire/CN=CSF
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France - AC 2 \xC3\xA9toiles
/O=Autorite Consulaire/OU=Certification Professionnelle/CN=CSF - Classe III - Sign et Crypt
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2.1
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-48146308100036/CN=Certigna Identity Plus CA
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-0002 48146308100036/CN=Certigna Identity CA
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA business
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 9328 bytes and written 1972 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7BD60F042548B64EB0D9B77EBECD294D2159526DBEED47D349162B672F5ADDF9
    Session-ID-ctx: 
    Master-Key: B518D2C09141A26B1B4AF17156419B98FE6A87C2601CB01494C9B6AF0E3FC87096A12107A21747415DA4E6727998F2F4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1592221660
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    ---
read:errno=0
---
Certificate chain
 0 s:/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
   i:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
 1 s:/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=FR/postalCode=14000/ST=Calvados/L=CAEN/street=22 RUE DE BRETAGNE/O=TBS CERTIFICATS/OU=0002 440443810/CN=*.pitux.com
issuer=/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA business 2
---
Acceptable client certificate CA names
/O=Autorite Consulaire/CN=CSF
/C=FR/O=Dhimyotis/CN=Certigna
/C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France
/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=FR/O=ChamberSign France/OU=0002 433702479/CN=ChamberSign France - AC 2 \xC3\xA9toiles
/O=Autorite Consulaire/OU=Certification Professionnelle/CN=CSF - Classe III - Sign et Crypt
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=TBS INTERNET CA/CN=TBS X509 CA persona 2.1
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-48146308100036/CN=Certigna Identity Plus CA
/C=FR/O=DHIMYOTIS/OU=0002 48146308100036/2.5.4.97=NTRFR-0002 48146308100036/CN=Certigna Identity CA
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-256 Client Authentication and Secure Email CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Client Authentication and Email
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA persona
/C=FR/ST=Calvados/L=Caen/O=TBS INTERNET/OU=Terms and Conditions: http://www.tbs-internet.com/CA/repository/OU=TBS INTERNET CA/CN=TBS X509 CA business
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 9328 bytes and written 2003 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7BD60F042548B64EB0D9B77EBECD294D2159526DBEED47D349162B672F5ADDF9
    Session-ID-ctx: 
    Master-Key: B518D2C09141A26B1B4AF17156419B98FE6A87C2601CB01494C9B6AF0E3FC87096A12107A21747415DA4E6727998F2F4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1592221660
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no