Re: Help diagnosing SSL connection problem needed
Your client is saying that it's failing the certificate verification of the server certificate. It's probably not using the CAfile that you passed to openssl s_client. -Kyle H On 8/5/2014 12:19 PM, Ted Byers wrote: I have Perl code, which uses a library that in turn uses openssl for HTTPS connections. I have been trying to use Wireshark to diagnose this, but I have yet to find a way to have it tell me what steps in the SSL handshaking are happening at a given time (client hello, server hello, c.). Thus, I am having trouble seeing whether the problem is in my client not doing something right or the server not doing something right. I have not yet figured out how to have it export everything in a capture file in plain text so that I could copy/paste it in a note like this so you could see for yourself what is happening. I did get openssl s_client to connect properly, and here is the output from that (sanitized of the server operator's ID): ted@linux-jp04:~/Work/Projects/FirstData openssl s_client -CAfile server-test.pem -cert client_test.pem -key client_test.key -connect n.n.n.n:8443 CONNECTED(0003) depth=1 C = LV, ST = Latvia, L = Riga, O = xx, CN = server-test, emailAddress = webmas...@xx.xxx verify return:1 depth=0 C = LV, O = FDL, CN = lv-rtps-proxy-test.ne.1dc.com verify return:1 --- Certificate chain 0 s:/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com i:/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx 1 s:/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx i:/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx --- Server certificate -BEGIN CERTIFICATE- DELETED -END CERTIFICATE- subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com issuer=/C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx --- Acceptable client certificate CA names /C=LV/ST=Latvia/L=Riga/O=xx/CN=server-test/emailAddress=webmas...@xx.xxx /C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com --- SSL handshake has read 3690 bytes and written 3700 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: EDH-RSA-DES-CBC3-SHA Session-ID: 53E0DE54D7D7E928F177883E10447786C15133386DA3F0489796845673C70DEA Session-ID-ctx: Master-Key: DELETED Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1407245906 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed ted@linux-jp04:~/Work/Projects/FirstData Now, here is the output I get from my Perl client (also sanitized): $url = https://n.n.n.n:8443/ $scheme = https $self-{ssl_set} = 0 $self-{ca_cert_dir} = . $self-{ca_cert_file} = server-test.pem $LWP::VERSION = 6.05 Setting cert dir and file if available $self-{ssl_set} = 1 DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088 DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:528: socket connected DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180 DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968 DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136 DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136 DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n cn=lv-rtps-proxy-test.ne.1dc.com alt= DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt failed error:14090086:SSL
Re: Help diagnosing SSL connection problem needed
Hi Kyle, Thanks See below On Thu, Aug 7, 2014 at 4:47 PM, Kyle Hamilton aerow...@gmail.com wrote: Your client is saying that it's failing the certificate verification of the server certificate. It's probably not using the CAfile that you passed to openssl s_client. -Kyle H Actually, I can confirm that it is using the same CAfile that is used by my call to openssl s_client. But, it doesn't get that far, as it appears the server is not sending it's certificate. I assume Wireshark can be helpful, but I an very new to using it. Can you tell me how to tell it to look at any traffic on port 8443 (or between my workstation and a specific ip address), as well as to let me see the data in plain text rather than hex? Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Help diagnosing SSL connection problem needed
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton Sent: Thursday, August 07, 2014 16:48 Your client is saying that it's failing the certificate verification of the server certificate. It's probably not using the CAfile that you passed to openssl s_client. -Kyle H On 8/5/2014 12:19 PM, Ted Byers wrote: I have Perl code, which uses a library that in turn uses openssl for HTTPS connections. I have been trying to use Wireshark to diagnose this, but I have yet to find a way to have it tell me what steps in the SSL handshaking are happening at a given time (client hello, server hello, c.). Thus, I am having trouble seeing whether the problem is in my client not doing something right or the server not doing something right. I have not yet figured out how to have it export everything in a capture file in plain text so that I could copy/paste it in a note like this so you could see for yourself what is happening. About Wireshark: first make sure you have only the desired packets displayed: filter the display unless you previously filtered the capture or you were (very) lucky and nothing else happened during the capture. For everything, which is a lot (usually too much), File / Print plainText toFile (and specify filename), range: Allpackets Displayed, format: summary on, details on all expanded, bytes off. For just which handshake steps have occurred, same except details off. I did get openssl s_client to connect properly, and here is the output from that (sanitized of the server operator's ID): ted@linux-jp04:~/Work/Projects/FirstData openssl s_client -CAfile server-test.pem -cert client_test.pem -key client_test.key -connect n.n.n.n:8443 snip except Server certificate -BEGIN CERTIFICATE- DELETED -END CERTIFICATE- subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com Now, here is the output I get from my Perl client (also sanitized): $url = https://n.n.n.n:8443/ $scheme = https $self-{ssl_set} = 0 $self-{ca_cert_dir} = . $self-{ca_cert_file} = server-test.pem $LWP::VERSION = 6.05 Setting cert dir and file if available $self-{ssl_set} = 1 Are you setting the client keycert/chain? This doesn't indicate it. The s_client command did provide them, and the server did request a client cert; if the server *requires* client cert and client doesn't provide one, the server will normally reject the connection. DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088 DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:528: socket connected DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180 DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first This appears to be sent CHello, nonblocking expect SHello,Cert...SDone DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first These two look like partial reads therefore expecting more DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968 DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136 Those look like verify-callback; verify of the cert looks okay. DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136 DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n cn=lv-rtps-proxy-test.ne.1dc.com alt= Those look like hostname check, which openssl doesn't do yet (1.0.2 will) but your perl library probably adds. If you used an IP form URL as indicated above https://a.b.c.d:8443/ and the cert has only domainname as is common and indicated here, then this should fail. It is requirement of HTTPS (and some other *S protocols but not SSL/TLS by itself) that the authority field in the URL matches *a* name in the cert. That doesn't necessarliy mean only one name; the/a cert name can be a wildcard that matches multiple hostnames but yours isn't; there can be multiple names in the cert using Subject Alternative Names, but I take alt= here to mean yours doesn't. DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect - -1 DEBUG: .../IO/Socket/SSL.pm:1757: SSL