Re: [openssl-users] Help with ssl error

2017-04-19 Thread Viktor Dukhovni 

> On Apr 19, 2017, at 12:48 PM, Joseph Southwell  
> wrote:
> 
> Sorry we did do that. It just didn’t look different so I didn’t send it 
> (pasted below). I also have asked for help from the server admin but it is a 
> non English speaking country and they don’t seem to be interested in talking 
> to me. I have another product supposedly using OpenSSL that is currently 
> working fine so it must be possible. That product is using 0.9.8something.

The "0.9.8something" releases support RC4, 3DES, export ciphers, ...
OpenSSL 1.1.0 does not by default include any of these.  You can
get RC4 and 3DES by compiling with weak ciphers enabled, the EXPORT
ciphers are expunged from the code.

> So specifying -cipher "AES128-SHA” will cause it to not use DHE?

Yes, it will offer just that single ciphersuite "0x002f" and nothing
else.  If that does not work, the claim that the server supports RSA
with AES-128-CBC is not credible.

To find out what it does support, build OpenSSL 1.0.2, and try connecting
with that version of "s_client".

Another thing to try is sending an SNI name (-servername ...), perhaps
the server wants to see that, though it seems very unlikely for FTP.

You could also try restricting the protocol to TLS 1.0, perhaps the
server mishandles TLS 1.2 and/or TLS 1.1:

... -no_tls1_2 -no_tls1_1

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Help with ssl error

2017-04-19 Thread Joseph Southwell 
Sorry we did do that. It just didn’t look different so I didn’t send it (pasted 
below). I also have asked for help from the server admin but it is a non 
English speaking country and they don’t seem to be interested in talking to me. 
I have another product supposedly using OpenSSL that is currently working fine 
so it must be possible. That product is using 0.9.8something. So specifying 
-cipher "AES128-SHA” will cause it to not use DHE?

openssl s_client -state -msg -cipher "ALL" -connect 
ftp.echannel.banksys.be:16370 -starttls ftp
CONNECTED(0104)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
16 03 01 00 f7
>>> TLS 1.2Handshake [length 00f7], ClientHello
01 00 00 f3 03 03 da ac 89 55 94 51 e0 ce 4b 3b
ec ee 33 fd 31 1f 75 f1 50 1a 50 73 09 07 5a 0e
cf 7d c3 ac 54 03 00 00 84 c0 2c c0 30 00 a3 00
9f cc a9 cc a8 cc aa c0 af c0 ad c0 a3 c0 9f c0
2b c0 2f 00 a2 00 9e c0 ae c0 ac c0 a2 c0 9e c0
24 c0 28 00 6b 00 6a c0 73 c0 77 00 c4 00 c3 c0
23 c0 27 00 67 00 40 c0 72 c0 76 00 be 00 bd c0
0a c0 14 00 39 00 38 00 88 00 87 c0 09 c0 13 00
33 00 32 00 9a 00 99 00 45 00 44 00 9d c0 a1 c0
9d 00 9c c0 a0 c0 9c 00 3d 00 c0 00 3c 00 ba 00
35 00 84 00 2f 00 96 00 41 00 07 00 ff 01 00 00
46 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00
1d 00 17 00 19 00 18 00 23 00 00 00 0d 00 20 00
1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04
02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00
16 00 00 00 17 00 00
SSL_connect:SSLv3/TLS write client hello
<<< ??? [length 0005]
15 03 02 00 02
<<< TLS 1.2Alert [length 0002], fatal insufficient_security
02 47
SSL3 alert read:fatal:insufficient security
SSL_connect:error in SSLv3/TLS write client hello
2152:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient 
security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71

> On Apr 19, 2017, at 11:43 AM, Viktor Dukhovni  
> wrote:
> 
> On Tue, Apr 18, 2017 at 05:06:40PM +, Viktor Dukhovni wrote:
> 
>> The ClientHello decodes via tshark as:
>> 
>> [...]
>>Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>>Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>>Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>>Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>> [...]
>> 
>> This is a modern ClientHello (OpenSSL 1.1.0 it seems) and should
>> be broadly interoperable.  The DEFAULT cipherlist includes only
>> AES, is there a chance that the server only supports RC4 and/or
>> 3DES?
>> 
>> Try:
>> 
>>$ openssl s_client -state -msg -cipher ALL \
>>-connect ftp.echannel.banksys.be:16370 -starttls ftp
>> 
>> Capture a PCAP file of the traffic with
>> 
>># tcpdump -s0 -w /some/file tcp port 16370
>> 
>> and post the the decode from:
>> 
>>$ tshark -r /tmp/p2 -d tcp.port==16370,ssl -V |
>>sed -ne '/^Secure Sockets Layer/,/^$/p'
>> 
>> Or just attach the PCAP file to your follow-up message.
> 
> On Wed, Apr 19, 2017 at 10:53:27AM -0400, Joseph Southwell wrote:
> 
>> Is there a way to enable one or both of those ciphers in OpenSSL?
>> 
>>> On Apr 18, 2017, at 1:28 PM, Jason Schultz  wrote:
>>> 
>>> RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA
> 
> With so many different names for the underlying TLS ciphersuites
> one can only guess which ones are the same.  That said, I'd say
> that the first one on your list is enabled by default, and was used
> in your TLS ClientHello (TLS_RSA_WITH_AES_128_CBC_SHA 0x002f).
> 
> It is possible that (despite any claims to the contrary) the server
> only supports the 3DES ciphersuite above, in which case you need
> either OpenSSL 1.0.2 or a build of OpenSSL 1.1.0 with the Configure
> option "--enable-weak-ssl-ciphers".   The 3DES TLS ciphers are by
> default disabled at compile-time in OpenSSL 1.1.0 and later.
> 
> I did suggest the "-cipher ALL" option as a first place to start to
> find out what the server actually supports.  I'm puzzled as to why
> you've not tried that yet.
> 
> A more exotic scenario is that the server is configured with a weak
> DHE group and having chosen DHE decides that the group is too weak.
> In that case you could try just the purported AES cipher:
> 
>   -cipher "AES128-SHA"
> 
> The name was obtained via:
> 
>$ openssl ciphers -V ALL | grep 0x00,0x2F
>  0x00,0x2F - AES128-SHA  SSLv3 Kx=RSA  Au=RSA  
> Enc=AES(128)  Mac=SHA1
> 
> Finally, you really should ask for help from the server administrator
> they should have useful data in their logs.
> 
> -- 
>   Viktor.
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Help with ssl error

2017-04-19 Thread Viktor Dukhovni 
On Tue, Apr 18, 2017 at 05:06:40PM +, Viktor Dukhovni wrote:

> The ClientHello decodes via tshark as:
> 
> [...]
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> [...]
> 
> This is a modern ClientHello (OpenSSL 1.1.0 it seems) and should
> be broadly interoperable.  The DEFAULT cipherlist includes only
> AES, is there a chance that the server only supports RC4 and/or
> 3DES?
> 
> Try:
> 
> $ openssl s_client -state -msg -cipher ALL \
> -connect ftp.echannel.banksys.be:16370 -starttls ftp
> 
> Capture a PCAP file of the traffic with
> 
> # tcpdump -s0 -w /some/file tcp port 16370
> 
> and post the the decode from:
> 
> $ tshark -r /tmp/p2 -d tcp.port==16370,ssl -V |
> sed -ne '/^Secure Sockets Layer/,/^$/p'
> 
> Or just attach the PCAP file to your follow-up message.

On Wed, Apr 19, 2017 at 10:53:27AM -0400, Joseph Southwell wrote:

> Is there a way to enable one or both of those ciphers in OpenSSL?
> 
> > On Apr 18, 2017, at 1:28 PM, Jason Schultz  wrote:
> > 
> > RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA

With so many different names for the underlying TLS ciphersuites
one can only guess which ones are the same.  That said, I'd say
that the first one on your list is enabled by default, and was used
in your TLS ClientHello (TLS_RSA_WITH_AES_128_CBC_SHA 0x002f).

It is possible that (despite any claims to the contrary) the server
only supports the 3DES ciphersuite above, in which case you need
either OpenSSL 1.0.2 or a build of OpenSSL 1.1.0 with the Configure
option "--enable-weak-ssl-ciphers".   The 3DES TLS ciphers are by
default disabled at compile-time in OpenSSL 1.1.0 and later.

I did suggest the "-cipher ALL" option as a first place to start to
find out what the server actually supports.  I'm puzzled as to why
you've not tried that yet.

A more exotic scenario is that the server is configured with a weak
DHE group and having chosen DHE decides that the group is too weak.
In that case you could try just the purported AES cipher:

-cipher "AES128-SHA"

The name was obtained via:

$ openssl ciphers -V ALL | grep 0x00,0x2F
  0x00,0x2F - AES128-SHA  SSLv3 Kx=RSA  Au=RSA  
Enc=AES(128)  Mac=SHA1

Finally, you really should ask for help from the server administrator
they should have useful data in their logs.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Help with ssl error

2017-04-19 Thread Joseph Southwell 
Is there a way to enable one or both of those ciphers in OpenSSL?

> On Apr 18, 2017, at 1:28 PM, Jason Schultz  wrote:
> 
> RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Help with ssl error

2017-04-18 Thread Jason Schultz 
>From the original question, it appears the server here only supports two 
>cipher suites:

RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA

This would explain the alert 71, which is the sent because there are no cipher 
suites in common.


From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Viktor 
Dukhovni <openssl-us...@dukhovni.org>
Sent: Tuesday, April 18, 2017 5:06 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Help with ssl error

On Tue, Apr 18, 2017 at 11:17:48AM -0400, Joseph Southwell wrote:

> It doesn’t look like it requested a client certificate to me.

Correct, the server alert was returned immediately in response
to the TLS ClientHello.

> $ openssl s_client -state -msg -connect ftp.echannel.banksys.be:16370 
> -starttls ftp
> CONNECTED(0104)
> SSL_connect:before SSL initialization
> >>> ??? [length 0005]
> 16 03 01 00 ab
> >>> TLS 1.2Handshake [length 00ab], ClientHello
> 01 00 00 a7 03 03 b1 9d 3b a7 9d c4 3f de 8a 20
> 59 07 1f d7 50 3e 20 cf 92 cb a6 7d 94 1d 2f b2
> 81 c0 d9 12 1c f9 00 00 38 c0 2c c0 30 00 9f cc
> a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
> 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
> 13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00
> ff 01 00 00 46 00 0b 00 04 03 00 01 02 00 0a 00
> 0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00
> 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05
> 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02
> 02 02 03 00 16 00 00 00 17 00 00
> SSL_connect:SSLv3/TLS write client hello
> <<< ??? [length 0005]
> 15 03 02 00 02
> <<< TLS 1.2Alert [length 0002], fatal insufficient_security
> 02 47
> SSL3 alert read:fatal:insufficient security
> SSL_connect:error in SSLv3/TLS write client hello
> 3252:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient 
> security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71

The ClientHello decodes via tshark as:

Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 171
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 167
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Jun  5, 2064 16:07:35.0 AEST
Random Bytes: 
9dc43fde8a2059071fd7503e20cf92cba67d941d2fb281c0...
Session ID Length: 0
Cipher Suites Length: 56
Cipher Suites (28 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: Unknown (0xccaa)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 70
Extension: ec_point_formats
Type: ec_point_formats (0x000b)

Re: [openssl-users] Help with ssl error

2017-04-18 Thread Viktor Dukhovni 
On Tue, Apr 18, 2017 at 11:17:48AM -0400, Joseph Southwell wrote:

> It doesn’t look like it requested a client certificate to me.

Correct, the server alert was returned immediately in response
to the TLS ClientHello.

> $ openssl s_client -state -msg -connect ftp.echannel.banksys.be:16370 
> -starttls ftp
> CONNECTED(0104)
> SSL_connect:before SSL initialization
> >>> ??? [length 0005]
> 16 03 01 00 ab
> >>> TLS 1.2Handshake [length 00ab], ClientHello
> 01 00 00 a7 03 03 b1 9d 3b a7 9d c4 3f de 8a 20
> 59 07 1f d7 50 3e 20 cf 92 cb a6 7d 94 1d 2f b2
> 81 c0 d9 12 1c f9 00 00 38 c0 2c c0 30 00 9f cc
> a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
> 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
> 13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00
> ff 01 00 00 46 00 0b 00 04 03 00 01 02 00 0a 00
> 0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00
> 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05
> 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02
> 02 02 03 00 16 00 00 00 17 00 00
> SSL_connect:SSLv3/TLS write client hello
> <<< ??? [length 0005]
> 15 03 02 00 02
> <<< TLS 1.2Alert [length 0002], fatal insufficient_security
> 02 47
> SSL3 alert read:fatal:insufficient security
> SSL_connect:error in SSLv3/TLS write client hello
> 3252:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient 
> security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71

The ClientHello decodes via tshark as:

Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 171
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 167
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Jun  5, 2064 16:07:35.0 AEST
Random Bytes: 
9dc43fde8a2059071fd7503e20cf92cba67d941d2fb281c0...
Session ID Length: 0
Cipher Suites Length: 56
Cipher Suites (28 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: Unknown (0xcca9)
Cipher Suite: Unknown (0xcca8)
Cipher Suite: Unknown (0xccaa)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 70
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 10
Elliptic Curves Length: 8
Elliptic curves (4 curves)
Elliptic curve: Unknown (0x001d)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp521r1

Re: [openssl-users] Help with ssl error

2017-04-18 Thread Joseph Southwell 
It doesn’t look like it requested a client certificate to me.

openssl110e>openssl s_client -state -msg -connect ftp.echannel.banksys.be:16370 
-starttls ftp
CONNECTED(0104)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
16 03 01 00 ab
>>> TLS 1.2Handshake [length 00ab], ClientHello
01 00 00 a7 03 03 b1 9d 3b a7 9d c4 3f de 8a 20
59 07 1f d7 50 3e 20 cf 92 cb a6 7d 94 1d 2f b2
81 c0 d9 12 1c f9 00 00 38 c0 2c c0 30 00 9f cc
a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00
6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0
13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00
ff 01 00 00 46 00 0b 00 04 03 00 01 02 00 0a 00
0a 00 08 00 1d 00 17 00 19 00 18 00 23 00 00 00
0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05
03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02
02 02 03 00 16 00 00 00 17 00 00
SSL_connect:SSLv3/TLS write client hello
<<< ??? [length 0005]
15 03 02 00 02
<<< TLS 1.2Alert [length 0002], fatal insufficient_security
02 47
SSL3 alert read:fatal:insufficient security
SSL_connect:error in SSLv3/TLS write client hello
3252:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient 
security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 88 bytes and written 186 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1492518024
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
 
> On Apr 14, 2017, at 2:49 PM, Viktor Dukhovni  
> wrote:
> 
> 
>> On Apr 14, 2017, at 9:48 AM, Joseph Southwell  
>> wrote:
>> 
>> Version 1.1 openssl
>> 
>> openssl.exe s_client -connect hostname:16370 -starttls ftp
>> 877788:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient 
>> security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71
> 
> The remote host sent an "insufficient security" TLS alert.
> 
>> The host I am connecting to apparently only supports the following 2 ciphers:
>> RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA
>> 
>> What should I do to make this work?
> 
> Perhaps it is expecting a client certificate?  Retry with:
> 
> $ openssl s_client -state -msg -connect hostname:16370 -starttls ftp
> 
> and see whether it solicited a client certificate.
> 
> -- 
>   Viktor.
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Help with ssl error

2017-04-14 Thread Viktor Dukhovni 

> On Apr 14, 2017, at 9:48 AM, Joseph Southwell  
> wrote:
> 
> Version 1.1 openssl
> 
> openssl.exe s_client -connect hostname:16370 -starttls ftp
> 877788:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient 
> security:ssl\record\rec_layer_s3.c:1385:SSL alert number 71

The remote host sent an "insufficient security" TLS alert.

> The host I am connecting to apparently only supports the following 2 ciphers:
> RSA_With_AES_128_CBC_SHA and RSA_With_3DES_EDE_CBC_SHA
> 
> What should I do to make this work?

Perhaps it is expecting a client certificate?  Retry with:

 $ openssl s_client -state -msg -connect hostname:16370 -starttls ftp

and see whether it solicited a client certificate.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users