Re: SSL_Certificate Validation ( Server Authentication): Please Help
For 5 days I have not received any response. It could be a silly question to you guys, but I need the answer. Waiting for a nice reply.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/SSL_Certificate-Validation-%28-Server-Authentication%29%3A-Please-Help-tp33873598p33897202.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

SSL_Certificate Validation ( Server Authentication): Please Help
Hey Crypto guys,

I have a basic question regarding certificate validation. Basically, in server authentication a TLS client should validate the CN/SN against the host portion of the ACS.URL. If it matches then the handshake will succeed, else it will fail. Am I right?

e.g. if Host.Url=x.x.x.x then CN (in both subject and issuer fields) should be x.x.x.x for a self-signed certificate.

    Issuer: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=www.https.com
    Subject: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=www.https.com

If Host.Url=x.x.x.x then CN (in the subject field) should be x.x.x.x for a CA-signed certificate.

    Issuer: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=Veisign
    Subject: C=IN, ST=Karnataka, L=Bangalore, O=AN, CN=10.204.4.69

CN validation using self-signed certificate.

SN validation:
1) Using CA signed certificate: using Subject name as HostURL
2) Using CA signed certificate: using subAltname as HostUrl

Method for CN validation:
1) Keep the same self-signed cert at both sides (FAP and Server)

Method for SN validation:
1) Keep ROOT cert at FAP and server cert (signed cert) at Server.

Am I right, guys? Please let me know.

Best Regards,
S S rout

--
View this message in context: http://old.nabble.com/SSL_Certificate-Validation-%28-Server-Authentication%29%3A-Please-Help-tp33873598p33873598.html

RE: Please Help: Certificate Validation using subjectAltName extension
Thanks Dave for the explanation.

One doubt regarding the sentence

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity (RFC 2818)

What does this line mean? Does it say that if a certificate has a different CN in the issuer and subject fields but SubAltname: x.x.x.x which matches HOST.URL (server), then the handshake will go through?

i.e.

    [ certificate_extensions ]
    basicConstraints = CA:false
    subjectAltName = DNS:x.x.x.x,DNS:localhost

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = Chems
    localityName = Washington
    organizationName = Sercomm
    commonName = Verisign

    [ req_extensions ]
    basicConstraints = CA:true
    subjectAltName = DNS:x.x.x.x,DNS:localhost

Am I correct? Please help.

Best Regards,
S S rout

--
View this message in context: http://old.nabble.com/Please-Help%3A-Certificate-Validation-using-subjectAltName-extension-tp32906983p33873612.html

RE: TLS Handshake is Failing. cipher=DHE-RSA-AES128-SHA
Dear Dave T,

Thanks a lot for your nice explanation. Please see my reply and let me know if I am wrong.

1) Yes, the OpenSSL version is very old on our server side. I did not find any information regarding an SSL log on the server side apart from connection information. Probably we may need some other way to get rid of this.

2) About the word 'resume': yes, you are absolutely right. Actually my client and server are both doing a successful TLS handshake when I set the ciphers below:

    RC4-MD5, RC4-SHA, AES128-SHA, AES256-SHA DES-CBC3-SHA.

But the handshake is failing with other ciphers. I am a bit surprised :(

However, my TLS client sends the ciphers below in the Client.Hello message.

    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
    Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

3) OK. Is there an impact on the TLS call flow if I use self-signed DSA type certificates (keeping the same on client and server side as well)?

Please clarify, Dave.

Best Regards.
S S Rout

Dave Thompson-5 wrote:
>
> > From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> > Sent: Friday, 11 May, 2012 03:50
>
> > Please help me out in debugging this cipher negotiation issue.
> >
> > My client supports OpensslV1.0 and my server supports Openssl0.9.7. I used self-signed RSA type certificate on both server and client. But my handshake is failing.
> >
> > A snippet from SSLdump:
> >
> > 3 1  0.0100 (0.0100)  C>SV3.1(101)  Handshake
> >       ClientHello
> >         Version 3.1
> >         random[32]=
> >           4f ac c2 65 e1 fc 67 9b c3 06 9b 2a 74 34 4d a8 5b a0 2b 85 8a bd d8 06 99 c8 48 31 37 46 9b d4
> >         resume [32]=
> >           96 a6 be fa ec ac 21 f4 c9 ec 9b 5c c5 e9 5c bf 38 71 1c ef 87 ce f3 b6 b0 6d 11 f2 72 71 11 d7
> >         cipher suites
> >         TLS_RSA_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_RC4_128_SHA
> >         Unknown value 0x2f
> >         Unknown value 0x35
> >         Unknown value 0x34
> >         Unknown value 0x3a
> >         Unknown value 0x33
> >         Unknown value 0x39
> >         TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >         Unknown value 0xff
> >         compression methods
> >                   NULL
> > 3 2  0.0106 (0.0006)  S>CV3.1(2)  Alert
> >     level           fatal
> >     value           handshake_failure
> > 3    0.0107 (0.0001)  S>C  TCP FIN
> >
> > The questions are:
> > 1) Why is the TLS handshake failing when both client and server support the cipher=DHE-RSA-AES128-SHA
>
> All we can see on the wire is the server doesn't like something. Does the server have any log, or debug options, you can look at?
>
> 0.9.7a is very old. I think it did implement extensions, but not all, although it can/should negotiate away unknown ones. I don't recall what other features it doesn't have, and it definitely doesn't have a lot of recent fixes.
>
> > 2) Why am I seeing unknown as my ciphers in the client hello message (on ssldump)?
>
> Your ssldump is apparently also very old. It doesn't know the AES suites, or the fake suite (SCSV) for secure-renegotiation. It isn't showing any ClientHello extensions, but for 1.0.0 client there should be some. I don't know if ssldump is being maintained; if so get a current version. Or get www.wireshark.org (on Windows or MacX) instead; it functionally replaces ssldump and is definitely up to date.
>
> I'm also concerned it shows data in 'resume', which from the position I believe means sess-id for resumption. If this client hasn't been able to complete a handshake with this server, it shouldn't have a sess-id to resume; if it has, why did the previous one work and this one fail?
>
> > 3) Does it have anything to do with the RSA self-signed certificate?
>
> Almost certainly not. That might cause your client to refuse to trust the server, depending on your client's configuration (and code), but it wouldn't cause the server to give an error.

--
View this message in context: http://old.nabble.com/TLS-Handshake-is-Failing.-cipher%3DDHE-RSA-AES128-SHA-tp33770194p33848696.html

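The ClientHello fields discussed in this exchange (the session ID that ssldump labels 'resume', and the suite values it printed as unknown) can be read with a short parser. This is an added example, not code from the thread: the record is constructed from the values ssldump printed and carries no extensions, and `parse_client_hello`, `build_sample_record`, `Reader` and the `SUITES` table are names introduced here.

```python
# Suite names for the code points seen in this thread. The first nine are named
# in the Wireshark listing quoted above; 0x00ff is the secure-renegotiation
# signalling value (SCSV, RFC 5746) that the reply refers to.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, len_bytes):
        """Read a length-prefixed field (TLS 'opaque<..>' vector)."""
        return self.take(self.uint(len_bytes))

    def remaining(self):
        return len(self.data) - self.pos


def parse_client_hello(record):
    """Parse one TLS record holding a complete ClientHello."""
    rec = Reader(record)
    if rec.uint(1) != 22:                       # content type: handshake
        raise ValueError("not a handshake record")
    rec.take(2)                                 # record-layer version
    handshake = Reader(rec.vector(2))
    if handshake.uint(1) != 1:                  # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hello = Reader(handshake.vector(3))
    major, minor = hello.take(2)
    hello.take(32)                              # client random
    session_id = hello.vector(1)                # ssldump prints this as 'resume'
    raw = hello.vector(2)
    if len(raw) % 2:
        raise ValueError("odd cipher_suites length")
    codes = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    names = [SUITES.get(c, "unknown 0x%04x" % c) for c in codes]
    compression = list(hello.vector(1))
    extensions = []
    if hello.remaining():                       # extensions block is optional
        ext = Reader(hello.vector(2))
        while ext.remaining():
            extensions.append(ext.uint(2))      # extension type
            ext.vector(2)                       # skip extension data
    return {
        "version": (major, minor),
        "session_id": session_id,
        # A non-empty session ID means the client is asking to resume.
        "offers_resumption": bool(session_id),
        "suites": names,
        # DH_anon suites do no server authentication; worth flagging.
        "anonymous": [n for n in names if "_anon_" in n],
        "compression": compression,
        "extensions": extensions,
    }


# Constructed sample: field values copied from the ssldump output above.
RANDOM = bytes.fromhex("4f ac c2 65 e1 fc 67 9b c3 06 9b 2a 74 34 4d a8"
                       "5b a0 2b 85 8a bd d8 06 99 c8 48 31 37 46 9b d4")
SESSION_ID = bytes.fromhex("96 a6 be fa ec ac 21 f4 c9 ec 9b 5c c5 e9 5c bf"
                           "38 71 1c ef 87 ce f3 b6 b0 6d 11 f2 72 71 11 d7")


def build_sample_record():
    codes = [0x04, 0x05, 0x2F, 0x35, 0x34, 0x3A, 0x33, 0x39, 0x0A, 0xFF]
    suites = b"".join(c.to_bytes(2, "big") for c in codes)
    hello = (b"\x03\x01" + RANDOM + bytes([len(SESSION_ID)]) + SESSION_ID
             + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for key, value in parse_client_hello(build_sample_record()).items():
        print(key, "=", value.hex() if isinstance(value, bytes) else value)
```
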
TLS/SSL Negative Scenarios
Hi Folks,

In RFC-2246 there are various ways of handshake failure.

Alert Descriptions
===
unexpected message 10
bad record mac 20
decryption failed 21
record overflow 22
decompression failure 30
unsupported certificate 43
certificate revoked 44
certificate unknown 46
illegal parameter 47
access denied 49
decode error 50
decrypt error 51
export restriction 60
protocol version 70
insufficient security 71
internal error 80
user cancelled 90
no renegotiation 100

Is there any way to simulate these scenarios? If yes, please let me know.

Thanks in advance.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/TLS-SSL-Negative-Scenarios-tp33831528p33831528.html

TLS Handshake is Failing. cipher=DHE-RSA-AES128-SHA
Hi All,

Please help me out in debugging this cipher negotiation issue.

My client supports OpensslV1.0 and my server supports Openssl0.9.7. I used self-signed RSA type certificate on both server and client. But my handshake is failing.

My client sends these ciphers in the client hello message.

    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

    OpenSSL 0.9.7a Feb 19 2003
    OpenSSL>
    OpenSSL> ciphers
    DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:DHE-DSS-RC4-SHA:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:RC4-64-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

A snippet from SSLdump:

    3 1  0.0100 (0.0100)  C>SV3.1(101)  Handshake
          ClientHello
            Version 3.1
            random[32]=
              4f ac c2 65 e1 fc 67 9b c3 06 9b 2a 74 34 4d a8 5b a0 2b 85 8a bd d8 06 99 c8 48 31 37 46 9b d4
            resume [32]=
              96 a6 be fa ec ac 21 f4 c9 ec 9b 5c c5 e9 5c bf 38 71 1c ef 87 ce f3 b6 b0 6d 11 f2 72 71 11 d7
            cipher suites
            TLS_RSA_WITH_RC4_128_MD5
            TLS_RSA_WITH_RC4_128_SHA
            Unknown value 0x2f
            Unknown value 0x35
            Unknown value 0x34
            Unknown value 0x3a
            Unknown value 0x33
            Unknown value 0x39
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xff
            compression methods
                      NULL
    3 2  0.0106 (0.0006)  S>CV3.1(2)  Alert
        level           fatal
        value           handshake_failure
    3    0.0107 (0.0001)  S>C  TCP FIN

The questions are:
1) Why is the TLS handshake failing when both client and server support the cipher=DHE-RSA-AES128-SHA
2) Why am I seeing unknown as my ciphers in the client hello message (on ssl dump)?
3) Does it have anything to do with the RSA self-signed certificate?

Please clarify. Thanks in advance.

Best regards,
S S Rout

--
View this message in context: http://old.nabble.com/TLS-Handshake-is-Failing.-cipher%3DDHE-RSA-AES128-SHA-tp33770194p33770194.html

A Question on Cipher Format.
Dear All,

What is the significance of each phrase in the cipher suite below?

    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Maybe this is a dumb question. But I am interested to know each phrase.

Best Regards,
Siba Shankar Rout

--
View this message in context: http://old.nabble.com/A-Question-on-Cipher-Format.-tp33772869p33772869.html

Re: Difference b/w TLS Connection and TLS Session
Dave and all,

We have fixed the segment lost issue which was causing packet drop. But we are still seeing the Encryption Alert again. I am attaching one more packet capture which has all the information.

Due to my limited knowledge, I request you to please explain to me the exact reason for this error message.

Thanks in advance.

Yours Sincerely,
S S Rout

http://old.nabble.com/file/p33525390/Encryption%2BAlert.cap Encryption+Alert.cap

--
View this message in context: http://old.nabble.com/Difference-b-w-TLS--Connection-and-TLS-Session-tp32780649p33525390.html

SSL/TLS Testing Specification Suite
Dear Folks,

I am looking for the possible TLS/SSL testing suites. Is there any link/docs which I can follow to get an idea about the possible TLS/SSL testing specifications?

Thanks in advance.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/SSL-TLS-Testing-Specification-Suite-tp33518542p33518542.html

Re: Verify intermediate certificate
Hi Johannes Bauer,

If I have a certificate chain Root - A - B - Leaf where Leaf is the certificate of a webserver (https) and Root is a self-signed certificate.

If you do not mind, would you please mention which OpenSSL commands you used to create this chain? Please help me on this.

Thanks in advance.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/Verify-intermediate-certificate-tp33129488p33479981.html

How to create own Chained Based Server Certifciate ?
I am doing server authentication where I keep the ROOT cert at my client and the server cert (could be self-signed or chained cert).

The issue here is that I am facing the error below whenever I am using a 2-level-CA cert or even more.

    Alert Level: Fatal, Description: Unable to verify leaf signature (21)

Due to my limited knowledge I am not sure whether I am using the correct commands to generate the chained hierarchy. Please guide me or suggest me.

I am creating a 3-Level-CA like this: rootCA---> ServerCA---> ServerCA1-> Server.
i.e. server cert intermediate CA1 intermediate CA2 root CA

Here are the commands:

    openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -config root.cnf
    openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem
    cat rootcert.pem rootkey.pem > root.pem

    openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem -config serverCA.cnf
    openssl x509 -req -in serverCAreq.pem -sha1 -extfile serverCA.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
    cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

    openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey1.pem -out serverCAreq1.pem -config serverCA1.cnf
    openssl x509 -req -in serverCAreq1.pem -sha1 -extfile serverCA1.cnf -extensions certificate_extensions -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out serverCAcert1.pem
    cat serverCAcert1.pem serverCAkey1.pem serverCAcert.pem rootcert.pem > serverCA1.pem

    openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem -config server.cnf -reqexts req_extensions
    openssl x509 -req -in serverreq.pem -sha1 -extfile server.cnf -extensions certificate_extensions -CA serverCA1.pem -CAkey serverCA1.pem -CAcreateserial -out servercert.pem
    cat servercert.pem serverkey.pem serverCAcert1.pem serverCAcert.pem rootcert.pem > server.pem

I used root.pem at the client side and server.pem at the server side. But I am seeing the error

    Alert Level: Fatal, Description: Unable to verify leaf signature (21)

Please help me.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/How-to-create-own-Chained-Based-Server-Certifciate---tp33478099p33478099.html

Re: Please Clarify : Unable to verify leaf signature (21)
Thanks Dave.

I request you to please give more information regarding this error. What exactly does it mean to me?

I am doing server authentication where I keep the ROOT cert at my client and the server cert (could be self-signed or chained cert).

The issue here is that I am facing the error below whenever I am using a 2-level-CA cert or even more.

    Alert Level: Fatal, Description: Unable to verify leaf signature (21)

Due to my limited knowledge I am not sure whether I am using the correct commands to generate the chained hierarchy. Please guide me or suggest me.

I am creating a 3-Level-CA like this: rootCA---> ServerCA---> ServerCA1-> Server.
i.e. server cert intermediate CA1 intermediate CA2 root CA

Here are the commands:

    openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem -config root.cnf
    openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions certificate_extensions -signkey rootkey.pem -out rootcert.pem
    cat rootcert.pem rootkey.pem > root.pem

    openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem -config serverCA.cnf
    openssl x509 -req -in serverCAreq.pem -sha1 -extfile serverCA.cnf -extensions certificate_extensions -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
    cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

    openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey1.pem -out serverCAreq1.pem -config serverCA1.cnf
    openssl x509 -req -in serverCAreq1.pem -sha1 -extfile serverCA1.cnf -extensions certificate_extensions -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out serverCAcert1.pem
    cat serverCAcert1.pem serverCAkey1.pem serverCAcert.pem rootcert.pem > serverCA1.pem

    openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem -config server.cnf -reqexts req_extensions
    openssl x509 -req -in serverreq.pem -sha1 -extfile server.cnf -extensions certificate_extensions -CA serverCA1.pem -CAkey serverCA1.pem -CAcreateserial -out servercert.pem
    cat servercert.pem serverkey.pem serverCAcert1.pem serverCAcert.pem rootcert.pem > server.pem

I used root.pem at the client side and server.pem at the server side. But I am seeing the error

    Alert Level: Fatal, Description: Unable to verify leaf signature (21)

Please help me.

Best Regards,
S S Rout

--
View this message in context: http://old.nabble.com/Please-Clarify-%3A-Unable-to-verify-leaf-signature-%2821%29-tp33457025p33476139.html

Please Clarify : Unable to verify leaf signature (21)
Dear Folks,

While setting up the TLS session I am facing the error below.

    TLS Alert Level: Fatal, Description: Unable to verify leaf signature (21)

I created the chained certificate like below:

    ROOTCA -> ServerCA -> ServerCert

I kept ROOTCA at my TLS client and a concatenated version of all the above certs (cat ROOTCA.pem ServerCA.pem Servercert.pem > server.pem)

Can somebody please clarify my doubts? I am just confused and wondering what to do.

Note: When it is 2nd level chained certs then I am facing the issue, whereas for 1-level chained (i.e. CA signed cert) I do not see this issue.

Please clarify.

Best Regards,
Mr Rout

--
View this message in context: http://old.nabble.com/Please-Clarify-%3A-Unable-to-verify-leaf-signature-%2821%29-tp33457025p33457025.html

Please Clarify.Intermediate certificate verification ?
Folks,

Can somebody clarify my doubts on the questions below?

1) What is intermediate certificate validation?
2) Is it required to keep the chained certificate or the end user certificate at the server side?
3) How to generate an intermediate certificate using OpenSSL commands?

Please clarify. Thanks in advance.

Best Regards,
Mr. Rout

--
View this message in context: http://old.nabble.com/Please-Clarify.Intermediate-certificate-verification---tp33452742p33452742.html

Please Help me out- SSL ERROR
Dear Folks,

I am seeing the errors below during certificate validation. Not sure what is wrong with the certificate.

    error:num=20:unable to get local issuer certificate
    verify error:num=27:certificate not trusted
    verify error:num=21:unable to verify the first certificate

Here is the output of openssl s_client:

    root@1143726:/usr/bin# openssl s_client -connect 10.204.4.69:7003
    WARNING: can't open config file: /usr/ssl/openssl.cnf
    CONNECTED(0003)
    depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
       i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICXDCCAcWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJJTjES
    MBAGA1UECBMJS2FybmF0YWthMRIwEAYDVQQHEwlCYW5nYWxvcmUxEDAOBgNVBAoT
    -----END CERTIFICATE-----
    subject=/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
    issuer=/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 770 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1
        Cipher: AES128-SHA
        Session-ID: CA45FE6316F318B9D854C509DA9E5A900E528514360E1206F1BD3C96A304B26B
        Session-ID-ctx:
        Master-Key: 2732D99F3A8752A9974800E81371BCA63AD5793AB7602F9CC2B3714FB0524317B43D1D820CBEA28CD1B1D552E89C
        Key-Arg : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1326850926
        Timeout : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---

My setup looks like this, e.g. the certificate chain would be ROOT-> Server (I keep ROOT at CLIENT and Server cert at SERVER). Am I right?

    [root@squidpc TEST]# openssl x509 -in root.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IN, ST=Karnataka, L=Bangalore, O=Airvana, CN=Root CA
            Validity
                Not Before: Dec 21 05:49:21 2011 GMT
                Not After : Jan 20 05:49:21 2012 GMT
            Subject: C=IN, ST=Karnataka, L=Bangalore, O=Airvana, CN=Root CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:d6:98:6d:ca:df:4d:47:4a:2c:24:da:ee:2c:e1:
                        5f:42:fd:cc:b6:eb:fd:68:9d:9e:f3:0e:2e:39:95:
                        26:c2:e3:b0:60:6a:51:f9:25:2f:a6:9a:97:db:1a:
                        af:23:3b:0f:a3:1a:53:f7:e3:f8:e9:57:ec:05:7b:
                        38:70:b3:2d:5c:82:aa:ed:06:ea:d7:00:9e:9d:ec:
                        aa:8b:81:60:bb:52:30:5e:c8:9c:bf:79:eb:ac:ad:
                        7a:9d:e8:b2:13:ae:04:27:c5:16:4a:51:81:02:a0:
                        e5:12:70:c2:64:8d:c5:da:88:8b:eb:3c:f4:89:b9:
                        2f:56:0c:dd:46:f7:2a:2d:bf
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE

    [root@squidpc TEST]# openssl x509 -in server.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IN, ST=Karnataka, L=Bangalore, O=Airvana, CN=Root CA
            Validity
                Not Before: Dec 21 05:49:54 2011 GMT
                Not After : Jan 20 05:49:54 2012 GMT
            Subject: C=IN, ST=Karnataka, L=Bangalore, O=Airvana, CN=10.204.4.69
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:d8:97:58:a3:f2:86:35:ba:d9:d0:7d:b9:7e:95:
                        32:e5:bd:3a:e9:24:5e:f0:14:6d:23:ad:c5:07:bb:
                        72:63:86:b7:4f:aa:24:38:c7:8c:fd:7c:2e:6b:d8:
                        ad:97:35:32:10:0b:a6:ba:25:53:70:8a:72:2c:08:
                        a2:32:fc:a7:96:7c:a6:eb:d4:02:7b:95:56:69:68:
                        95:90:ea:c6:d9:e7:0f:90:22:be:79:14:71:dd:58:
                        b7:d3:c7:9f:dc:3b:46:17:59:9f:aa:6a:c8:7d:b9:
                        59:0e:ee:89:5e:5a:a6:3e:6f:4d:22:e3:79:c5:94:
                        75:5e:59:8b:c7:47:5f:29:d1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE

Please let me know what is missing here and why I am getting the above error.

Best regards,
S S Rout

Help in Understanding
Hi Folks,

Can somebody please clarify my silly questions? I need to understand the behavior of a TLS client.

1. How do I verify that the TLS client sends connection close without sending a closure alert?
2. Is there any way to decrypt application data (HTTP data) in Wireshark itself?
3. How would I know whether there is any memory leak during handshakes on the TLS client?
4. Is it required that both sides send a TLS alert for a failed handshake?
5. What is incomplete close and premature close?

Thanks in advance.

Regards,
Rout

--
View this message in context: http://old.nabble.com/Help-in-Understanding-tp32906990p32906990.html

Please Help: Certificate Validation using subjectAltName extension
Dear All,

My TLS client can validate both CN and SN, and I need to test both scenarios. I don't know how to create a certificate with the “subjectAltName extension” using openssl commands.

In RFC-2818, there are two ways of certificate validation for host name:
1) CN (Common Name)
2) SN (Subject Name)

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

I created a self-signed certificate using openssl commands and my certificate chain looks like below, where CN=10.204.4.69

    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

My Certificate chain
===
     0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Home Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com
       i:/C=IN/ST=Karnataka/L=Bangalore/O=Home Inc/OU=TLS/CN=10.204.4.69/emailAddress=ssr...@www.https.com

Please tell me how to create a certificate with the “subjectAltName extension” using openssl commands.

Thanks in advance.

Regards,
Rout

--
View this message in context: http://old.nabble.com/Please-Help%3A-Certificate-Validation-using-subjectAltName-extension-tp32906983p32906983.html

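The RFC 2818 precedence rule quoted in this message, and the earlier question in this listing about a certificate whose CN differs from its subjectAltName, both come down to the selection logic sketched below. This is an added example, not code from the thread or from OpenSSL: it takes certificates in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`, the sample certificates and the `*.example.test` names are constructed, and it assumes the strict RFC 2818 reading in which a host given as an IP address is matched only against iPAddress entries.

```python
import ipaddress


def dns_name_matches(pattern, host):
    """Case-insensitive dNSName comparison.

    A '*' is honoured only as the entire left-most label and never directly
    above a top-level label (a conservative subset of RFC 2818 wildcards).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    return p_labels == h_labels


def check_identity(cert, host):
    """Return (ok, reason) for `host` against a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None

    if host_ip is not None:
        # Host is an IP literal: only iPAddress entries count, exact match.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == host_ip:
                return True, "iPAddress subjectAltName"
        return False, "no matching iPAddress subjectAltName"

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # A dNSName is present, so it MUST be used and the CN is not consulted.
        if any(dns_name_matches(name, host) for name in dns_names):
            return True, "dNSName subjectAltName"
        return False, "dNSName present, Common Name ignored"

    # No dNSName at all: fall back to the most specific (last) Common Name.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cns and dns_name_matches(cns[-1], host):
        return True, "Common Name fallback"
    return False, "no identity matched"


def make_cert(cn, *san):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"subject": ((("commonName", cn),),), "subjectAltName": tuple(san)}


# Constructed samples modelled on the cases raised in these messages.
CN_ONLY = make_cert("www.https.com")
CN_DIFFERS_SAN_MATCHES = make_cert("Verisign", ("DNS", "fap.example.test"),
                                   ("DNS", "localhost"))
SAN_ELSEWHERE = make_cert("www.https.com", ("DNS", "other.example.test"))
IP_AS_DNS_NAME = make_cert("Verisign", ("DNS", "10.204.4.69"))
IP_AS_IP_SAN = make_cert("Verisign", ("IP Address", "10.204.4.69"))

if __name__ == "__main__":
    cases = [
        (CN_ONLY, "www.https.com"),
        (CN_DIFFERS_SAN_MATCHES, "localhost"),
        (SAN_ELSEWHERE, "www.https.com"),
        (IP_AS_DNS_NAME, "10.204.4.69"),
        (IP_AS_IP_SAN, "10.204.4.69"),
    ]
    for cert, host in cases:
        print(host, check_identity(cert, host))
```
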
TLS Overhead
Dear All,

Actually, in a large TLS client deployment network, what are the Silence points we need to take into consideration to have healthy handshakes with data traffic without any issues, i.e. to avoid TLS server overload?

If my TLS client does not support session resumption (meaning every time it does full handshakes), then what would be the consequence from the system point of view as well as from the network-traffic point of view?

Is it possible to use the same socket for all TLS connections and TLS sessions? If so, how would I be able to do it?

Please clarify.

Best Regards,
Rout

--
View this message in context: http://old.nabble.com/TLS-Overhead-tp32834379p32834379.html

Re: Difference b/w TLS Connection and TLS Session
Thanks a lot Dave for a wonderful explanation.

Best Regards,
Rout

--
View this message in context: http://old.nabble.com/Difference-b-w-TLS--Connection-and-TLS-Session-tp32780649p32831085.html

Re: Difference B/W Session-ID and Session Ticket TLS overhead
Dear All,

Actually, in a large TLS client deployment network, what are the Silence points we need to take into consideration to have healthy handshakes with data traffic without any issues?

If my TLS client does not support session resumption (meaning every time it does full handshakes), then what would be the consequence from the system point of view as well as from the network-traffic point of view?

Please clarify.

Best Regards,
Rout

--
View this message in context: http://old.nabble.com/Difference-B-W-Session-ID-and-Session-Ticket-tp32785275p32831836.html

Re: Difference b/w TLS Connection and TLS Session
Thanks Wim and Richard.

But still I do not understand why I am seeing the Encryption Alert.

My TLS client is 10.220.4.50
My TLS server is 10.204.4.69.

If you see the packets #16, #31, #50, then an Encryption Alert is being sent by the TLS client. Because of this the connection is getting closed and a new handshake is established.

Please clarify this to me.

http://old.nabble.com/file/p32788729/Handsakes.jpg

Please see the snapshot for the same.

Best Regards,
RoUt

--
View this message in context: http://old.nabble.com/Difference-b-w-TLS--Connection-and-TLS-Session-tp32780649p32788729.html

Difference B/W Session-ID and Session Ticket
Dear ALL,

While understanding TLS resumption I got some questions. Can anybody please explain this to me?

1) What should I see in the Client Hello message if I say my TLS client supports TLS resumption?
2) If I do not see any TLS extension, then what would be the real impact on secure communication?
3) What is the basic difference between the Session-ID caching and Session-Ticket caching mechanisms? Which is used where?

Any help would be great for me. Thanks in advance.

Best Regards,
Rout

--
View this message in context: http://old.nabble.com/Difference-B-W-Session-ID-and-Session-Ticket-tp32785275p32785275.html

RE: Help in Generating Chained ROOT Certificate
Thanks a lot RAM MICHEL for giving your precious time to answer my query.

Best Regards,
Rout

ramaswamy.bm wrote:
> Try this... if you need some extensions you can add those in openssl.cnf.
>
> export OPENSSL_CONF=./openssl.cnf
> PATH=.:$PATH
>
> # Root Certificate
> openssl genrsa -out ROOT.key 2048
> openssl req -new -x509 -key ROOT.key -sha1 -out ROOT.cert.pem -extensions root_cert -days 7400
> openssl asn1parse -in ROOT.cert.pem -out ROOT.cer -noout
>
> openssl genrsa -out endcert_key.key 2048
> #openssl req -new -key endcert_key -sha1 -out end_cert.cert.pem.unsigned -days 1
> openssl req -new -key endcert_key.key -out end_cert.cert.pem.unsigned -days 7400
> cp ROOT.cert.pem demoCA/cacert.pem
> # Start with an empty CA database index
> cat /dev/null > demoCA/index.txt
> openssl ca -in end_cert.cert.pem.unsigned -keyfile ROOT.key -extensions end_cert -out end_cert.cert.pem -notext
>
> You can add these lines in openssl.cnf
>
> [ CA_default ]
> dir = ./demoCA # Where everything is kept
> certs = $dir/certs # Where the issued certs are kept
> crl_dir = $dir/crl # Where the issued crl are kept
> database = $dir/index.txt # database index file.
> new_certs_dir = $dir/newcerts # default place for new certs.
> certificate = $dir/cacert.pem # The CA certificate
> serial = $dir/serial # The current serial number
> crl = $dir/crl.pem # The current CRL
> private_key = $dir/private/cakey.pem # The private key
> RANDFILE = $dir/private/.rand # private random number file
> x509_extensions = usr_cert # The extensions to add to the cert
>
> # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
> # so this is commented out by default to leave a V1 CRL.
> # crl_extensions = crl_ext
>
> default_days = 7400 # how long to certify for
> default_crl_days = 30 # how long before next CRL
> # Changed by Bhupendra
> #default_md = md5 # which md to use.
> default_md = sha1 # which md to use.
> preserve = no # keep passed DN ordering
>
> # A few different ways of specifying how similar the request should look
> # For type CA, the listed attributes must be the same, and the optional
> # and supplied fields are just that :-)
> policy = policy_match
>
> # For the CA policy
> [ policy_match ]
> countryName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> #countryName = match
>
> [root_cert]
> keyUsage=critical, keyCertSign, cRLSign
> subjectKeyIdentifier=hash
> basicConstraints= critical, DER:30:06:01:01:ff:02:01:01
>
> [end_cert]
> keyUsage=critical, keyCertSign, cRLSign
> subjectKeyIdentifier=hash
> #authorityKeyIdentifier=keyid:always,issuer:always
> authorityKeyIdentifier=keyid:always
> #basicConstraints= critical, CA:TRUE, pathLenConstraint:0
> basicConstraints= critical, DER:30:06:01:01:ff:02:01:00
>
> Regards
> Ram
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mr.Rout
> Sent: Thursday, November 03, 2011 10:28 AM
> To: openssl-users@openssl.org
> Subject: RE: Help in Generating Chained ROOT Certificate
>
> Thanks Dave. Probably I have not understood the things properly. After surfing through Google I got confused.
>
> Actually I am doing TLS Client Testing which authenticates the Server (www.https.com in my example).
>
> Steps I followed to achieve this:
> 1) Created a self-signed certificate where Issuer and Subject have the same CN, i.e. www.https.com
> 2) Then I imported the Server.pem file on the TLS Client and the same at the Server also.
>
> Here are the OpenSSL commands to generate the self-signed certificate.
>
> openssl genrsa -des3 -out server.key 1024
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
>
> Question here is: Can we create a Certificate Hierarchy? Like
> ROOT (Issuer=X Subject=X) --- SubCA (Issuer=X Subject=Y)
>
> Please help me in generating these hierarchies. Thanks in advance.
>
> -Best Regards,
> Rout
>
> Dave Thompson-5 wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> > Sent: Monday, 31 October, 2011 13:43
> >
> > > I am a newbie to OpenSSL. I am confused about Chained ROOT certificates.
> > > Could someone please guide me through the step-by-step approach for generating a Chained ROOT certificate?
> > > e.g. My server name is www.https.com (I successfully generated a self-signed SSL certificate where I put CN=www.https.com).
> > > But wondering how I would be able to generate a ROOT certificate?
> > > Awaiting a nice reply with a lucid explanation.
> >
> > You'll have to ask a lucid question first.
> > Root certificates aren't chained; if they were they wouldn't be roots. A self-signed certificate is its own root; it never chains to anything.
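The hierarchy asked about above (ROOT with Issuer=X and Subject=X, SubCA with Issuer=X and Subject=Y), as an added example that is not part of the original posts; it goes one step further and issues a server certificate from the SubCA, then verifies the chain. It signs with `openssl x509 -req -CA` rather than the `openssl ca` database used in the reply, and all subjects, file names and lifetimes are constructed.

```shell
# Added example: ROOT (self-signed) -> SubCA -> server; names and lifetimes are constructed.
set -eu

issue() {  # issue DIR NAME SUBJECT SIGNER EXT_SECTION: new key + CSR, signed by SIGNER
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions "$5" -sha256 \
        -days 30 -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # build_chain DIR: writes root, sub and server keys/certs into DIR
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.https.com
EOF
    # The root signs itself, so Issuer == Subject (Issuer=X, Subject=X).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -extensions v3_root -subj "/O=AN/CN=X" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" sub "/O=AN/CN=Y" root v3_sub                   # Issuer=X, Subject=Y
    issue "$1" server "/O=AN/CN=www.https.com" sub v3_server  # Issuer=Y
}

self_issued() {  # true when the certificate's Issuer equals its Subject
    [ "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')" = \
      "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')" ]
}

verify_server() {  # verify_server DIR [INTERMEDIATE.pem]; root.pem is the only trust anchor
    openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} "$1/server.pem" \
        2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
build_chain "$work"
verify_server "$work" "$work/sub.pem" && echo "server verifies via SubCA -> ROOT"
verify_server "$work" || echo "without the SubCA certificate the chain is incomplete"
```

`pathlen:1` and `pathlen:0` are the same constraints the reply writes as `DER:30:06:01:01:ff:02:01:01` and `DER:30:06:01:01:ff:02:01:00` (CA TRUE with path length 1 and 0).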
RE: Help in Generating Chained ROOT Certificate
Thanks Dave. Probably I have not understood the things properly. After surfing through Google I got confused.

Actually I am doing TLS Client Testing which authenticates the Server (www.https.com in my example).

Steps I followed to achieve this:
1) Created a self-signed certificate where Issuer and Subject have the same CN, i.e. www.https.com
2) Then I imported the Server.pem file on the TLS Client and the same at the Server also.

Here are the OpenSSL commands to generate the self-signed certificate.

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Question here is: Can we create a Certificate Hierarchy? Like
ROOT (Issuer=X Subject=X) --- SubCA (Issuer=X Subject=Y)

Please help me in generating these hierarchies. Thanks in advance.

-Best Regards,
Rout

Dave Thompson-5 wrote:
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Monday, 31 October, 2011 13:43
>
> > I am a newbie to OpenSSL. I am confused about Chained ROOT certificates.
> > Could someone please guide me through the step-by-step approach for generating a Chained ROOT certificate?
> > e.g. My server name is www.https.com (I successfully generated a self-signed SSL certificate where I put CN=www.https.com).
> > But wondering how I would be able to generate a ROOT certificate?
> > Awaiting a nice reply with a lucid explanation.
>
> You'll have to ask a lucid question first.
> Root certificates aren't chained; if they were they wouldn't be roots. A self-signed certificate is its own root; it never chains to anything.
HTTPS Testing for TLS Client
Dear All,

I am doing HTTPS Testing using Openssl Squid proxy. We have implemented a TLS client which supports TLSv1.0 only.

Can somebody please suggest what are the salient points we need to verify for HTTPS Testing?

Any comments would help me a lot.

-Regards,
Rout
Help in Generating Chained ROOT Certificate
Dear All,

I am a newbie to OpenSSL. I am confused about Chained ROOT certificates.

Could someone please guide me through the step-by-step approach for generating a Chained ROOT certificate?

e.g. My server name is www.https.com (I successfully generated a self-signed SSL certificate where I put CN=www.https.com).

But wondering how I would be able to generate a ROOT certificate?

Awaiting a nice reply with a lucid explanation.

-Regards,
Rout