> The 'openssl ciphers' program will dump out a list of cipher suites; firstly
> check that binaries linked with both libssl/libcrypto libraries support an
> intersecting set.

openssl ciphers
EDH-RSA-DES-CBC3-SHA:
EDH-DSS-DES-CBC3-SHA:
DES-CBC3-SHA:
DES-CBC3-MD5:
DHE-DSS-RC4-SHA:
RC4-SHA:RC4-MD5:
RC2-CBC-MD5:
RC4-MD5:
RC4-64-MD5:
EXP1024-DHE-DSS-RC4-SHA:
EXP1024-RC4-SHA:
EXP1024-DHE-DSS-DES-CBC-SHA:
EXP1024-DES-CBC-SHA:
EXP1024-RC2-CBC-MD5:
EXP1024-RC4-MD5:
EDH-RSA-DES-CBC-SHA:
EDH-DSS-DES-CBC-SHA:
DES-CBC-SHA:
DES-CBC-MD5:
EXP-EDH-RSA-DES-CBC-SHA:
EXP-EDH-DSS-DES-CBC-SHA:
EXP-DES-CBC-SHA:
EXP-RC2-CBC-MD5:
EXP-RC4-MD5:
EXP-RC2-CBC-MD5:
EXP-RC4-MD5

The perl script:
use strict;
use warnings;
use IO::Socket::SSL;

# Connect to the LDAPS port and report the cipher suite that was negotiated.
my $ssl = IO::Socket::SSL->new("localhost:636")
    or die "SSL connect failed: $!,$SSL_ERROR\n";
print "SSL Cipher: " . $ssl->get_cipher() . "\n";

outputs:
SSL Cipher: DES-CBC3-SHA

So it should fit....

> Another thing to try is the openssl command-line client against the LDAPS
> port.
>
>     openssl s_client -connect hostname:636 -debug
>

This produces:

openssl s_client -connect localhost:636 -debug
CONNECTED(00000003)
write to 0814C020 [0814C068] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
<SNIP!!!>
0070 - 4f c8 a2 f7 a7 74 77 8d-01 a4 8d 5e               O....tw....^
read from 0814C020 [081515C8] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02                                 ....J.
0007 - <SPACES/NULS>
read from 0814C020 [081515CF] (72 bytes => 72 (0x48))
0000 - 00 46 03 01 40 6a c9 5e-69 68 4f 99 cb 1b 06 6d   .F..@j.^ihO....m
<SNIP!!!>
0040 - 42 ed 3d aa 95 00 0a                              B.=....
0048 - <SPACES/NULS>
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 16 03 01 03 36                                    ....6
read from 0814C020 [081515CD] (822 bytes => 822 (0x336))
0000 - 0b 00 03 32 00 03 2f 00-03 2c 30 82 03 28 30 82   ...2../..,0..(0.
<SNIP!!!>
0320 - d5 0c 5e 78 1b e4 77 2c-b9 d5 1b 00 ad f2 bc c0   ..^x..w,........
0330 - 10 d9 8f 23 ec 3d                                 ...#.=
depth=0 /C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
verify error:num=21:unable to verify the first certificate
verify return:1
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04                                    .....
read from 0814C020 [081515CD] (4 bytes => 4 (0x4))
0000 - 0e                                                .
0004 - <SPACES/NULS>
write to 0814C020 [0815B660] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 ac e7 66 1e 71   .............f.q
<SNIP!!!>
0080 - b0 4c 58 22 8e e1 35 93-b6 31 fb                  .LX"..5..1.
write to 0814C020 [0815B660] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                 ......
write to 0814C020 [0815B660] (45 bytes => 45 (0x2D))
0000 - 16 03 01 00 28 59 47 0a-f3 a4 be 20 be 7c 52 e5   ....(YG.... .|R.
<SNIP!!!>
0020 - 17 18 e3 56 09 f8 a9 e2-28 15 f7 e7 d5            ...V....(....
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                    .....
read from 0814C020 [081515CD] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 28                                    ....(
read from 0814C020 [081515CD] (40 bytes => 40 (0x28))
0000 - 88 05 06 b2 03 36 c3 19-d3 f3 56 29 d0 57 16 15   .....6....V).W..
<SNIP!!!>
0020 - 6f 6c 8d 4e a3 72 85 9c-                          ol.N.r..
---
Certificate chain
 0 s:/C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
   i:/C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
---
Server certificate
-----BEGIN CERTIFICATE-----
<SNIP!!!!!>
-----END CERTIFICATE-----
subject=/C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
issuer=/C=NL/ST=ZH/L=Zoetermeer/O=Kennisnet/CN=myfqdn
---
No client certificate CA names sent
---
SSL handshake has read 966 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
BCBC289E20F14703ACEBA9B5FAACD2D69682595C632CDBD8573CE042ED3DAA95
    Session-ID-ctx:
    Master-Key: <SNIP!!!>
    Key-Arg   : None
    Start Time: 1080740190
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

It is a self-signed cert....  But I have tried with verify->'none' and it
still does not work...

-D
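Added example (not part of the original post, and not code from OpenSSL or IO::Socket::SSL): a Python 3 script that rebuilds the client-to-server and server-to-client byte streams from the `openssl s_client -debug` hex dump above, walks the TLS records on each side to print the handshake step by step (the SSLv2-compatible ClientHello the client sends first, the ServerHello with the suite the server picked, Certificate, ServerHelloDone, ClientKeyExchange, both ChangeCipherSpec/Finished pairs), and checks the suite that s_client reports against the `openssl ciphers` list. The dump lines embedded in it are the ones from the post with the snipped rows left out; the cipher-suite table covers only the 3DES suites from the post's list, and the ServerHello decoding assumes a TLS 1.0 hello without extensions, which is what this dump shows.

```python
import re
# Code points from RFC 2246 (TLS 1.0) and the IANA suite values for the 3DES suites in the post's list.
CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
                   16: "ClientKeyExchange"}
CIPHER_SUITES = {0x000a: "DES-CBC3-SHA", 0x0016: "EDH-RSA-DES-CBC3-SHA", 0x0013: "EDH-DSS-DES-CBC3-SHA"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0"}
CHUNK_RE = re.compile(r"^(read from|write to) \S+ \[\S+\] \((\d+) bytes")
HEX_RE = re.compile(r"^([0-9a-f]{4}) - ((?:[0-9a-f]{2}[ -])+)")

# The post's 'openssl ciphers' list (abridged) and its s_client -debug dump with the snipped rows left out.
CLIENT_CIPHERS = "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
DUMP = """\
write to 0814C020 [0814C068] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
read from 0814C020 [081515C8] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02                                 ....J.
read from 0814C020 [081515CF] (72 bytes => 72 (0x48))
0000 - 00 46 03 01 40 6a c9 5e-69 68 4f 99 cb 1b 06 6d   .F..@j.^ihO....m
0040 - 42 ed 3d aa 95 00 0a                              B.=....
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 16 03 01 03 36                                    ....6
read from 0814C020 [081515CD] (822 bytes => 822 (0x336))
0000 - 0b 00 03 32 00 03 2f 00-03 2c 30 82 03 28 30 82   ...2../..,0..(0.
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 04                                    .....
read from 0814C020 [081515CD] (4 bytes => 4 (0x4))
0000 - 0e                                                .
write to 0814C020 [0815B660] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 ac e7 66 1e 71   .............f.q
write to 0814C020 [0815B660] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                 ......
write to 0814C020 [0815B660] (45 bytes => 45 (0x2D))
0000 - 16 03 01 00 28 59 47 0a-f3 a4 be 20 be 7c 52 e5   ....(YG.... .|R.
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                    .....
read from 0814C020 [081515CD] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 0814C020 [081515C8] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 28                                    ....(
read from 0814C020 [081515CD] (40 bytes => 40 (0x28))
0000 - 88 05 06 b2 03 36 c3 19-d3 f3 56 29 d0 57 16 15   .....6....V).W..
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
"""

def parse_dump(dump):
    """Rebuild each direction's byte stream from the hex rows. Only printed bytes are stored (snipped
    rows leave holes) but the declared chunk size always advances the offset; 'starts' maps offsets
    back to dump line numbers so both directions can be interleaved in dump order later."""
    streams = {d: {"size": 0, "bytes": {}, "starts": []} for d in ("C->S", "S->C")}
    cur = None
    for n, line in enumerate(dump.splitlines()):
        m, h = CHUNK_RE.match(line), HEX_RE.match(line)
        if m:
            cur = streams["C->S" if m.group(1) == "write to" else "S->C"]
            cur["starts"].append((cur["size"], n))
            cur["base"], cur["size"] = cur["size"], cur["size"] + int(m.group(2))
        elif cur and h:
            for i, byte in enumerate(re.findall(r"[0-9a-f]{2}", h.group(2))):
                cur["bytes"][cur["base"] + int(h.group(1), 16) + i] = int(byte, 16)
    return streams

def handshake_trace(dump):
    """One line per TLS record, both directions interleaved in dump order."""
    recs = []
    for direction, s in parse_dump(dump).items():
        data, pos, encrypted = s["bytes"], 0, False
        while pos < s["size"]:
            line = max(n for start, n in s["starts"] if start <= pos)
            b0 = data[pos]  # a KeyError here would mean the dump snipped a record header
            if b0 & 0x80:  # SSLv2-compatible ClientHello: bit 15 set, 15-bit length, msg type, version
                length = ((b0 & 0x7f) << 8) | data[pos + 1]
                end = pos + 2 + length
                desc = "SSLv2-format ClientHello (msg type %d), offers %s, %d-byte body" % (
                    data[pos + 2], VERSIONS.get((data[pos + 3], data[pos + 4]), "?"), length)
            else:  # TLS record: type(1) version(2) length(2), then the fragment
                ctype = CONTENT_TYPES.get(b0, "type 0x%02x" % b0)
                length, body = (data[pos + 3] << 8) | data[pos + 4], pos + 5
                end = body + length
                desc = "%s (%s), %d-byte body" % (
                    ctype, VERSIONS.get((data[pos + 1], data[pos + 2]), "?"), length)
                if ctype == "ChangeCipherSpec":
                    encrypted = True  # from here on this side's records are under the new keys
                elif ctype == "Handshake" and encrypted:
                    desc += ": encrypted (Finished)"
                elif ctype == "Handshake":
                    ht = data[body]
                    desc += ": " + HANDSHAKE_TYPES.get(ht, "type %d" % ht)
                    if ht == 2:  # TLS 1.0 ServerHello without extensions: suite(2) then compression(1) end it
                        code = (data[end - 3] << 8) | data[end - 2]
                        desc += ", suite 0x%04x (%s)" % (code, CIPHER_SUITES.get(code, "unknown"))
            recs.append((line, "%s %s" % (direction, desc)))
            pos = end
    return [desc for _, desc in sorted(recs)]

def negotiated_cipher_offered(dump, client_ciphers):
    """Suite that s_client reports, and whether the client's 'openssl ciphers' list contains it."""
    cipher = re.search(r"^New, .*Cipher is (\S+)", dump, re.M).group(1)
    return cipher, cipher in client_ciphers.split(":")
```

Paste a complete `-debug` dump into DUMP and print `handshake_trace(DUMP)` to get the record-by-record view; the per-direction sizes from `parse_dump` add up to the 966 read / 314 written that s_client reports, which is a quick sanity check that no chunk was lost. A record header that falls inside a snipped row raises KeyError on purpose rather than being guessed. For this dump the trace ends with Finished in both directions, i.e. the handshake completes in s_client with DES-CBC3-SHA, so the suite itself is in both lists and the difference has to lie in how the Perl side is set up rather than in cipher support.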
