Re: Help diagnosing SSL connection problem needed
Your client is saying that it's failing the certificate verification of
the server certificate. It's probably not using the CAfile that you
passed to openssl s_client.
-Kyle H
On 8/5/2014 12:19 PM, Ted Byers wrote:
I have Perl code, which uses a library that in turn uses openssl for
HTTPS connections. I have been trying to use Wireshark to diagnose
this, but I have yet to find a way to have it tell me what steps in
the SSL handshaking are happening at a given time (client hello,
server hello, c.). Thus, I am having trouble seeing whether the
problem is in my client not doing something right or the server not
doing something right. I have not yet figured out how to have it
export everything in a capture file in plain text so that I could
copy/paste it in a note like this so you could see for yourself what
is happening.
I did get openssl s_client to connect properly, and here is the output
from that (sanitized of the server operator's ID):
ted@linux-jp04:~/Work/Projects/FirstData openssl s_client -CAfile
server-test.pem -cert client_test.pem -key client_test.key -connect
n.n.n.n:8443
CONNECTED(0003)
depth=1 C = LV, ST = Latvia, L = Riga, O = xx, CN =
server-test, emailAddress = webmas...@xx.xxx
verify return:1
depth=0 C = LV, O = FDL, CN = lv-rtps-proxy-test.ne.1dc.com
verify return:1
---
Certificate chain
0 s:/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
i:/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx
1
s:/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx
i:/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx
---
Server certificate
-BEGIN CERTIFICATE-
DELETED
-END CERTIFICATE-
subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
issuer=/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx
---
Acceptable client certificate CA names
/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx
/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
---
SSL handshake has read 3690 bytes and written 3700 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher: EDH-RSA-DES-CBC3-SHA
Session-ID:
53E0DE54D7D7E928F177883E10447786C15133386DA3F0489796845673C70DEA
Session-ID-ctx:
Master-Key: DELETED
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1407245906
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
ted@linux-jp04:~/Work/Projects/FirstData
Now, here is the output I get from my Perl client (also sanitized):
$url = https://n.n.n.n:8443/
$scheme = https
$self-{ssl_set} = 0
$self-{ca_cert_dir} = .
$self-{ca_cert_file} = server-test.pem
$LWP::VERSION = 6.05
Setting cert dir and file if available
$self-{ssl_set} = 1
DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088
DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:528: socket connected
DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce
timeout=180
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n
cn=lv-rtps-proxy-test.ne.1dc.com alt=
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt
failed error:14090086:SSL
Re: Help diagnosing SSL connection problem needed
Hi Kyle, Thanks See below On Thu, Aug 7, 2014 at 4:47 PM, Kyle Hamilton aerow...@gmail.com wrote: Your client is saying that it's failing the certificate verification of the server certificate. It's probably not using the CAfile that you passed to openssl s_client. -Kyle H Actually, I can confirm that it is using the same CAfile that is used by my call to openssl s_client. But, it doesn't get that far, as it appears the server is not sending it's certificate. I assume Wireshark can be helpful, but I an very new to using it. Can you tell me how to tell it to look at any traffic on port 8443 (or between my workstation and a specific ip address), as well as to let me see the data in plain text rather than hex? Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Help diagnosing SSL connection problem needed
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
Sent: Thursday, August 07, 2014 16:48
Your client is saying that it's failing the certificate verification of
the server certificate. It's probably not using the CAfile that you
passed to openssl s_client.
-Kyle H
On 8/5/2014 12:19 PM, Ted Byers wrote:
I have Perl code, which uses a library that in turn uses openssl for
HTTPS connections. I have been trying to use Wireshark to diagnose
this, but I have yet to find a way to have it tell me what steps in
the SSL handshaking are happening at a given time (client hello,
server hello, c.). Thus, I am having trouble seeing whether the
problem is in my client not doing something right or the server not
doing something right. I have not yet figured out how to have it
export everything in a capture file in plain text so that I could
copy/paste it in a note like this so you could see for yourself what
is happening.
About Wireshark: first make sure you have only the desired packets
displayed: filter the display unless you previously filtered the capture
or you were (very) lucky and nothing else happened during the capture.
For everything, which is a lot (usually too much), File / Print
plainText toFile (and specify filename), range: Allpackets Displayed,
format: summary on, details on all expanded, bytes off.
For just which handshake steps have occurred, same except details off.
I did get openssl s_client to connect properly, and here is the output
from that (sanitized of the server operator's ID):
ted@linux-jp04:~/Work/Projects/FirstData openssl s_client -CAfile
server-test.pem -cert client_test.pem -key client_test.key -connect
n.n.n.n:8443
snip except
Server certificate
-BEGIN CERTIFICATE-
DELETED
-END CERTIFICATE-
subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
Now, here is the output I get from my Perl client (also sanitized):
$url = https://n.n.n.n:8443/
$scheme = https
$self-{ssl_set} = 0
$self-{ca_cert_dir} = .
$self-{ca_cert_file} = server-test.pem
$LWP::VERSION = 6.05
Setting cert dir and file if available
$self-{ssl_set} = 1
Are you setting the client keycert/chain? This doesn't indicate it.
The s_client command did provide them, and the server did request
a client cert; if the server *requires* client cert and client doesn't
provide one, the server will normally reject the connection.
DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088
DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:528: socket connected
DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is
unknown
DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce
timeout=180
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
wants a read first
This appears to be sent CHello, nonblocking expect SHello,Cert...SDone
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
wants a read first
These two look like partial reads therefore expecting more
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136
Those look like verify-callback; verify of the cert looks okay.
DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n
cn=lv-rtps-proxy-test.ne.1dc.com alt=
Those look like hostname check, which openssl doesn't do yet
(1.0.2 will) but your perl library probably adds. If you used an IP form
URL as indicated above https://a.b.c.d:8443/ and the cert has only
domainname as is common and indicated here, then this should fail.
It is requirement of HTTPS (and some other *S protocols but not
SSL/TLS by itself) that the authority field in the URL matches *a*
name in the cert. That doesn't necessarliy mean only one name;
the/a cert name can be a wildcard that matches multiple hostnames
but yours isn't; there can be multiple names in the cert using Subject
Alternative Names, but I take alt= here to mean yours doesn't.
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1
DEBUG: .../IO/Socket/SSL.pm:1757: SSL
