Hi all,

I am confused about the protocol version in the s_client CKE premaster secret. Can somebody help explain it? Thanks!
I added -DSSL_DEBUG when compiling to get debug output. Below is my test result:

Server side:

$./openssl s_server -tls1
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
Premaster Secret:
0000 - 03 03 bd b0 7c d3 65 1b-9c f2 80 91 f7 f3 74 b0 ....|.e.......t. <--- 03 03(TLSv12)
0010 - 47 f4 5c fe f2 d4 68 b1-fc 74 75 53 7a 45 34 d4 G.\...h..tuSzE4.
0020 - 24 56 0f 3c af 8d bf bb-1e 4f af 83 8b 46 f0 8f $V.<.....O...F..
Client Random:
0000 - a7 17 2c 08 39 2f ae b5-51 3e 7e 6c 95 46 a9 53 ..,.9/..Q>~l.F.S
0010 - 2a 84 1a a8 db b4 f6 94-d9 91 8a e3 99 5c 5a 97 *............\Z.
Server Random:
0000 - eb b2 e3 f8 7d fb b1 a3-75 e1 05 2b 5d 9f 25 03 ....}...u..+].%.
0010 - 29 73 2e 61 87 47 95 05-3d f3 f7 75 8f 6b 16 82 )s.a.G..=..u.k..
Master Secret:
0000 - 2d 42 3b a2 30 b6 49 60-9f 37 87 5d ee 75 f1 18 -B;.0.I`.7.].u..
0010 - 0b 7b b8 b7 6d 2b 60 7c-70 44 f7 00 e2 2e 57 e0 .{..m+`|pD....W.
0020 - e6 a0 8b 0b f7 5b a0 6c-26 23 3b 91 4c b8 c8 8e .....[.l&#;.L...

Client side:

$ ./openssl s_client -connect 10.8.2.150:4433 -cipher RC4-SHA
CONNECTED(00000003)
depth=0 C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
verify error:num=21:unable to verify the first certificate
verify return:1
Premaster Secret:
0000 - 03 03 bd b0 7c d3 65 1b-9c f2 80 91 f7 f3 74 b0 ....|.e.......t. <--- 03 03(TLSv12) wrong?
0010 - 47 f4 5c fe f2 d4 68 b1-fc 74 75 53 7a 45 34 d4 G.\...h..tuSzE4.
0020 - 24 56 0f 3c af 8d bf bb-1e 4f af 83 8b 46 f0 8f $V.<.....O...F..
Client Random:
0000 - a7 17 2c 08 39 2f ae b5-51 3e 7e 6c 95 46 a9 53 ..,.9/..Q>~l.F.S
0010 - 2a 84 1a a8 db b4 f6 94-d9 91 8a e3 99 5c 5a 97 *............\Z.
Server Random:
0000 - eb b2 e3 f8 7d fb b1 a3-75 e1 05 2b 5d 9f 25 03 ....}...u..+].%.
0010 - 29 73 2e 61 87 47 95 05-3d f3 f7 75 8f 6b 16 82 )s.a.G..=..u.k..
Master Secret:
0000 - 2d 42 3b a2 30 b6 49 60-9f 37 87 5d ee 75 f1 18 -B;.0.I`.7.].u..
0010 - 0b 7b b8 b7 6d 2b 60 7c-70 44 f7 00 e2 2e 57 e0 .{..m+`|pD....W.
0020 - e6 a0 8b 0b f7 5b a0 6c-26 23 3b 91 4c b8 c8 8e .....[.l&#;.L...
..... certificate ignore .....
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
LOCAL PORT is 41469
SSL-Session:
Protocol : TLSv1 <----------Negotiating TLSv1(03 01) as protocol version.
Cipher : RC4-SHA
Session-ID: FA52422FEE594293111ABAB10129DCA3B8FB74F5958827FDD447DC657A08E6E3
Session-ID-ctx:
Master-Key: 2D423BA230B649609F37875DEE75F1180B7BB8B76D2B607C7044F700E22E57E0E6A08B0BF75BA06C26233B914CB8C88E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - f0 89 3c ab 06 fc de cc-0f 94 cf be 2d 44 0d 25 ..<.........-D.%
0010 - fb 08 8f 48 8b 18 07 a1-46 ab fd 8b 02 82 68 a3 ...H....F.....h.
0020 - 0e f2 f6 6a d7 55 6b 0b-dd ed 8f ec ad 17 bb 3c ...j.Uk........<
0030 - 09 67 05 ae 77 45 0f a2-df de 33 b6 df 8d a4 92 .g..wE....3.....
0040 - 02 8d a0 0b 22 be 26 a4-21 51 ff f9 9d dc 60 7b ....".&.!Q....`{
0050 - bb d3 c6 db e7 2e 54 11-8d 3c f3 0c 53 89 de 0d ......T..<..S...
0060 - 1f 6e 50 b5 05 d2 7e ec-48 75 42 42 10 ba 89 37 .nP...~.HuBB...7
0070 - d6 62 5c c1 34 1c b3 0e-ba f8 46 13 05 13 bf fe .b\.4.....F.....
0080 - 54 2f 36 f5 d2 7c cf 92-43 2d 3b 3b c0 f7 f0 2d T/6..|..C-;;...-
0090 - 3d 58 a9 0c 98 c3 ed b6-37 b7 18 31 76 e8 40 c5 =X......7..1v.@.
Start Time: 1405567904
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

regards,
Jinjun
OpenSSL self-test report:

OpenSSL version: 1.0.1f
Last change: Fix for TLS record tampering bug. A carefully crafted i...
Options: --prefix=/home/gaojj/share --openssldir=/home/gaojj/share/openssl -Wa,--noexecstack no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-store no-zlib no-zlib-dynamic static-engine
OS (uname): Linux array 3.2.0-4-rt-686-pae #1 SMP PREEMPT RT Debian 3.2.46-1 i686 GNU/Linux
OS (config): i686-whatever-linux2
Target (default): linux-elf
Target: linux-elf
Compiler: Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i586-linux-gnu/4.9/lto-wrapper
Target: i586-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.0-7' --with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.9 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-i386/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-i386 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-i386 --with-arch-directory=i386 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-targets=all --enable-multiarch --with-arch-32=i586 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=i586-linux-gnu --host=i586-linux-gnu --target=i586-linux-gnu
Thread model: posix
gcc version 4.9.0 (Debian 4.9.0-7)

Test passed.
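
Added example, not part of the original post and not OpenSSL's own code: RFC 5246 section 7.4.7.1 defines the first two bytes of the RSA premaster secret as the version the client offered in its ClientHello, not the negotiated version, so that the server can detect a version rollback. The sketch below runs that server-side check on the premaster bytes from the post. It assumes the ClientHello offered 03 03 (the ClientHello is not shown in the post); pms_check_version, check_page_pms, PAGE_PMS and the fixed 0xAA fallback bytes are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48

/* Premaster secret as printed in the post (both sides show the same bytes). */
static const uint8_t PAGE_PMS[PMS_LEN] = {
    0x03,0x03,0xbd,0xb0,0x7c,0xd3,0x65,0x1b,0x9c,0xf2,0x80,0x91,0xf7,0xf3,0x74,0xb0,
    0x47,0xf4,0x5c,0xfe,0xf2,0xd4,0x68,0xb1,0xfc,0x74,0x75,0x53,0x7a,0x45,0x34,0xd4,
    0x24,0x56,0x0f,0x3c,0xaf,0x8d,0xbf,0xbb,0x1e,0x4f,0xaf,0x83,0x8b,0x46,0xf0,0x8f
};

/* 0xff when a == b, 0x00 otherwise, with no data-dependent branch. */
static uint8_t ct_eq8(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);
    return (uint8_t)((x - 1) >> 8);
}

/* Server-side check on a decrypted RSA premaster secret (hypothetical helper).
 * hello_version: version offered in ClientHello, not the negotiated one.
 * fallback: PMS_LEN random bytes drawn before decryption.
 * On mismatch pms is overwritten with fallback, so the handshake fails only
 * at Finished and the peer gets no early error to use as an oracle.
 * Returns 1 on match, 0 on mismatch (demo only; a server must not branch on it). */
int pms_check_version(uint8_t pms[PMS_LEN], uint16_t hello_version,
                      const uint8_t fallback[PMS_LEN])
{
    uint8_t good = ct_eq8(pms[0], (uint8_t)(hello_version >> 8))
                 & ct_eq8(pms[1], (uint8_t)(hello_version & 0xff));
    for (size_t i = 0; i < PMS_LEN; i++)
        pms[i] = (uint8_t)((pms[i] & good) | (fallback[i] & (uint8_t)~good));
    return good & 1;
}

/* Demo driver: 1 = matched and kept, 0 = mismatched and replaced, -1 = bug. */
int check_page_pms(uint16_t hello_version)
{
    uint8_t fallback[PMS_LEN], pms[PMS_LEN];
    memset(fallback, 0xAA, sizeof fallback);  /* constructed stand-in for random bytes */
    memcpy(pms, PAGE_PMS, PMS_LEN);
    int ok = pms_check_version(pms, hello_version, fallback);
    const uint8_t *expect = ok ? PAGE_PMS : fallback;
    return memcmp(pms, expect, PMS_LEN) == 0 ? ok : -1;
}

int main(void)
{
    printf("offered 03 03 (assumed): %d\n", check_page_pms(0x0303));
    printf("negotiated 03 01:        %d\n", check_page_pms(0x0301));
    return 0;
}
```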