Thanks a lot for your time and explanation!
For me all this ws-security/ws-policy and such stuff is like a black box
and it's hard to get a "deep" understanding of that all because I rarely
get in touch with this.
Thus I'm very glad if one takes the time and tries to explain how the
things work.
Martin
On 27.10.2016 at 11:19, Colm O hEigeartaigh wrote:
It's a little bit ambiguous. The designer of the service probably meant the
AlgorithmSuite in the SymmetricBinding to apply to the message level
security, and not the AlgorithmSuite of the TransportBinding. However, CXF
does not interpret the policies in this way, as *all* of the policies must
be valid (you are not using policy alternatives). In a nutshell, yes,
including two different AlgorithmSuite policies is a contradiction in
terms, or at least that's how CXF sees it.
Colm.
On Thu, Oct 27, 2016 at 10:12 AM, Martin Fernau <[email protected]> wrote:
So, how can I interpret this situation? Is it a clear mistake (or
misconfiguration) of the remote service?
Although it's no problem to change the wsdl to overcome this problem (in
this case) - I dislike such an approach because we (my company) _must_ use
their service and we need to pay for the acceptance of our client using it.
And we've other problems with other methods (you know the topic about the
encrypted header) where I currently can't say if it's not another problem
with their possible misconfiguration.
Is the following correct?
- The communication uses a symmetric key which is generated by my client
(CXF)
- For the key generated by me the Basic128Rsa15 AlgorithmSuite in
SymmetricBinding applies which means a key of 128 bit length
- Because the key itself is 128 bit the derived keys can't be higher
encrypted and thus are 128 bit (?)
- For the replies this means that the keys are still 128 bit
If the above conclusion of mine is correct and if I interpret this page
[1] correctly (where your previous comment is confirmed that Basic256 means
that signature needs to be 192 and encryption needs to be 256 bit) then
Basic256 as the AlgorithmSuite in TransportBinding and Basic128Rsa15 as the
AlgorithmSuite in SymmetricBinding must be a contradiction in terms?
Thanks
Martin
[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html#_Toc161826547
On 26.10.2016 at 21:39, Colm O hEigeartaigh wrote:
The problem is that all of the policies must be enforced. CXF is rejecting
the Basic256 policy, as the signature derivation key lengths in the
message do not match it.
As the TransportBinding policy is only being used here to require that TLS
is used, I would just omit the AlgorithmSuite altogether from the
TransportBinding policy and it should work.
Colm.
On Wed, Oct 26, 2016 at 5:39 PM, Martin Fernau <[email protected]> wrote:
Sure, but the WSDL is somewhat complex.
For that reason I truncated the WSDL to the related parts:
--cut
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="ServiceCustomer" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:tns="http://tempuri.org/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
  <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:X509Token
                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <sp:RequireDerivedKeys/>
                    <sp:RequireThumbprintReference/>
                    <sp:WssX509V3Token10/>
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:ProtectionToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128Rsa15/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:EndorsingSupportingTokens
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:X509Token
                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:RequireThumbprintReference/>
                <sp:WssX509V3Token10/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
            <sp:RequireSignatureConfirmation/>
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust10>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  [... several Policy-Types more ...]
  <wsdl:types>
    [...]
  </wsdl:types>
  <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_InputMessage">
    <wsdl:part name="parameters" element="tns:GetContractsByCustomerID"/>
  </wsdl:message>
  <wsdl:message name="IServiceCustomer_GetContractsByCustomerID_OutputMessage">
    <wsdl:part name="parameters" element="tns:GetContractsByCustomerIDResponse"/>
  </wsdl:message>
  [... several Message-Types more ...]
  <wsdl:portType name="IServiceCustomer">
    <wsdl:operation name="GetContractsByCustomerID">
      <wsdl:input wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
          message="tns:IServiceCustomer_GetContractsByCustomerID_InputMessage"/>
      <wsdl:output
          wsaw:Action="http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse"
          message="tns:IServiceCustomer_GetContractsByCustomerID_OutputMessage"/>
    </wsdl:operation>
    [...]
  </wsdl:portType>
  <wsdl:binding name="CustomBinding_IServiceCustomer"
      type="tns:IServiceCustomer">
    <wsp:PolicyReference URI="#CustomBinding_IServiceCustomer_policy"/>
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="GetContractsByCustomerID">
      <soap:operation
          soapAction="http://tempuri.org/IServiceCustomer/GetContractsByCustomerID"
          style="document"/>
      <wsdl:input>
        <wsp:PolicyReference
            URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_Input_policy"/>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference
            URI="#CustomBinding_IServiceCustomer_GetContractsByCustomerID_output_policy"/>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
    [...]
  </wsdl:binding>
  <wsdl:service name="ServiceCustomer">
    <wsdl:port name="CustomBinding_IServiceCustomer"
        binding="tns:CustomBinding_IServiceCustomer">
      <soap:address
          location="[...]"/>
      <wsa10:EndpointReference>
        <wsa10:Address>[...]</wsa10:Address>
        <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
          <Dns>localhost</Dns>
        </Identity>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
--cut
On 26.10.2016 at 17:48, Colm O hEigeartaigh wrote:
For Basic256, the signature derived key length must be 192 bits (and 256
for encryption). However in the sample message it is just using 128 bits
for both. Let's see the full security policy configuration, where is it
getting the information from to secure the message? Above it's just the
TransportBinding configuration.
Colm.
On Wed, Oct 26, 2016 at 4:34 PM, Martin Fernau <[email protected]> wrote:
Yes it does.
For simplicity I paste the whole response after these lines.
--cut
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_6">http://tempuri.org/IServiceCustomer/GetContractsByCustomerIDResponse</a:Action>
    <a:RelatesTo u:Id="_7">urn:uuid:9f796ce4-4151-4720-9911-6f533112b4fa</a:RelatesTo>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        s:mustUnderstand="1">
      <u:Timestamp u:Id="uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
        <u:Created>2016-10-26T15:32:20.723Z</u:Created>
        <u:Expires>2016-10-26T15:37:20.723Z</u:Expires>
      </u:Timestamp>
      <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
          u:Id="_0">
        <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>16</c:Length>
        <c:Nonce>nwdUEQxC0ErM+Ksf07uXjg==</c:Nonce>
      </c:DerivedKeyToken>
      <c:DerivedKeyToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
          u:Id="_3">
        <o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
            k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
          <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">/vaenfbIzpR6zUN7nL+LjSc6jeY=</o:KeyIdentifier>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>16</c:Length>
        <c:Nonce>Xu4KRD3co7K0Y9JpAXdBFA==</c:Nonce>
      </c:DerivedKeyToken>
      <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:DataReference URI="#_5"/>
      </e:ReferenceList>
      <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_1"
          Value="nFxAQYQAA1DzkfjPLsnLlqJjYmE="/>
      <k:SignatureConfirmation xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" u:Id="_2"
          Value="xT8BJzHchJQ7oDTyeOtKhG9GCmiMB+MbUrXgc2fAJvrHZ9pDSf/dvT/SYZfd11N5HWIdDwrcKA42Qt5QF/XpFrL2Y1GOd1bJdfflNX+AjFVqDvtl1rlbaPIR4ucxj1nmqn+YkcFQoupw0Za7VEk169Foo4HQd+49f5HiK7xS44Xp1nj8sNNkYPXfmq/4FyG9ihat7Auho6OfQPVD+lKV0O/ZAQhiou80afmxTXZGwD0cNSyhuzNV8i53AIJx6+E8pvx0fxqYAzalbDJ4xVXhsOa0n86OSGqB9gLr4TzdQl4DTV+HgCu/OHfXPm6GzNHfAtU+w040h9cL9QO59flMsA=="/>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <Reference URI="#_4">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>a4dYMJM7glapET2aPCKJJ4NGnR8=</DigestValue>
          </Reference>
          <Reference URI="#_6">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>rAxMEQpS8qPAFIurOtChX3ass68=</DigestValue>
          </Reference>
          <Reference URI="#_7">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>IzophB2+Qc8xSA2CKkPGKPR3M2I=</DigestValue>
          </Reference>
          <Reference URI="#uuid-eb38523b-3459-439a-8576-47af2ed4b522-470">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>sgl2yTvuUtX7/iciMd4dDL/VBfI=</DigestValue>
          </Reference>
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>XxnP8jkVV7mtOJFBv99oltRAMB4=</DigestValue>
          </Reference>
          <Reference URI="#_2">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>F6TMlU1+cOlyQtdwiw+fIgAJ3PE=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>neRfuTWOFEYVTmK+fkHHyy1KzS4=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_0"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_4">
    <e:EncryptedData xmlns:e="http://www.w3.org/2001/04/xmlenc#"
        Id="_5"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#_3"/>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
        <e:CipherValue>Q5Ll1pdTDB6OnZTKyFfmcQsAZSpyTL19skP8lz3DfNRbC
72MiqGPxugUn1EQyygSXn5Edso4B/TUxeSBV8RPFU7zTBaUVdFDamqehu0oo
SCdd79xMig+9loiEulj6L4PSjMvZe3oueMKZmhEv17ZZwLB1W85rjI0R7y1G
qAqrtx5fzoPN/kmk9W2AVVPIB+lCqLBeX2QAnuardVDaCQ9lDoMPLig+f9fB
HFo69tSdUE5OZwPqmKwSuQsF52L35STWoS47AHmuE59dVNbXESU+0OT3bARM
YpYdXvfUNMPRoh6uzgQ/JmlUyO1vuJOJRmVwkM9h4/or7n29z5hhg=</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>
--cut
On 26.10.2016 at 17:30, Colm O hEigeartaigh wrote:
The error message seems to be referring to derivation key length. Does
the message contain a security header containing a Signature and derived
keys?
Colm.
On Wed, Oct 26, 2016 at 4:22 PM, Martin Fernau <[email protected]> wrote:
Hi,
I've a wsdl with the following partial content:
--cut
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy>
    </sp:TransportToken>
    <sp:AlgorithmSuite>
      <wsp:Policy>
        <sp:Basic256/>
      </wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout>
      <wsp:Policy>
        <sp:Strict/>
      </wsp:Policy>
    </sp:Layout>
    <sp:IncludeTimestamp/>
  </wsp:Policy>
</sp:TransportBinding>
--cut
If I call this service the response from the server gets rejected by CXF:
--cut
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied:
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}AlgorithmSuite: The signature derived key length does not match the requirement
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Basic256
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:161)
    at com.sun.proxy.$Proxy51.getContractsByCustomerID(Unknown Source)
    at de.dmsserver.plugin.ford.test.fhdsales.TestComm.testGetContractsByCustomerID(TestComm.java:135)
    at de.dmsserver.plugin.ford.test.fhdsales.TestComm.main(TestComm.java:128)
--cut
If I change above "<sp:Basic256/>" to "<sp:Basic128/>" the message is
accepted.
Is this a problem with the remote service or with CXF?
AFAIK TransportBinding applies to the connection which is SSL encrypted.
If I check the SSL Certificate with "openssl s_client -showcerts -connect
[server]:443" I get:
--cut
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = XX, CN = XX
verify return:1
---
Certificate chain
0 s:/C=XX/ST=XX/L=XX/O=XX/CN=XX
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/ST=XX/L=XX/O=XX/CN=XX
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3072 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: CD4B00002CD328917F89C4AF9010C5145C745FD134466567345539C6AA1BE676
Session-ID-ctx:
Master-Key: 11B433DDEF0B003A6F261390EA6D50F1D881A9ADA2A40ABD3EC99F732C1132CD70CB17E19C4E6645B94CA25ACE798591
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1477495032
Timeout : 300 (sec)
Verify return code: 0 (ok)
--cut
Thanks
Martin
--
FERNAUSOFT GmbH
Gartenstraße 42 - 37269 Eschwege
Phone (0 56 51) 95 99-0
Fax (0 56 51) 95 99-90
Email [email protected]
Web http://www.fernausoft.de
Commercial register Eschwege, HRB 1585
Managing directors: Axel Fernau, Ulrich Fernau, Martin Fernau
Tax number 025 233 00041
VAT ID no. DE 178 554 622
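
The conflict discussed in this thread, as an added example that is not part of the original messages and is not CXF code: it reads the derived key lengths actually used for signature and encryption in a response and evaluates every AlgorithmSuite inside one `wsp:All` against them. The function names are hypothetical, the policy and message are constructed reductions of the ones quoted above, and the exact-match comparison is an assumption modelled on the error text; `c:Length` is taken as bytes with the WS-SecureConversation default of 32.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "c": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "e": "http://www.w3.org/2001/04/xmlenc#",
    "o": WSS + "secext-1.0.xsd",
    "u": WSS + "utility-1.0.xsd",
}
DECL = " ".join(f'xmlns:{p}="{uri}"' for p, uri in NS.items())
# Derived key lengths in bits each suite requires: (signature, encryption).
SUITES = {"Basic256": (192, 256), "Basic128": (128, 128), "Basic128Rsa15": (128, 128)}

def binding(name, suite):  # builds one binding of the constructed policy sample
    return (f"<sp:{name}><wsp:Policy><sp:AlgorithmSuite><wsp:Policy><sp:{suite}/>"
            f"</wsp:Policy></sp:AlgorithmSuite></wsp:Policy></sp:{name}>")

def keyref(ident):  # KeyInfo pointing at a DerivedKeyToken by its u:Id
    return (f'<ds:KeyInfo><o:SecurityTokenReference><o:Reference URI="#{ident}"/>'
            "</o:SecurityTokenReference></ds:KeyInfo>")

# Constructed samples, reduced from the policy and the response in the thread.
POLICY = (f"<wsp:Policy {DECL}><wsp:ExactlyOne><wsp:All>"
          + binding("SymmetricBinding", "Basic128Rsa15")
          + binding("TransportBinding", "Basic256")
          + "</wsp:All></wsp:ExactlyOne></wsp:Policy>")
MESSAGE = (f"<msg {DECL}>"
           '<c:DerivedKeyToken u:Id="_0"><c:Length>16</c:Length></c:DerivedKeyToken>'
           '<c:DerivedKeyToken u:Id="_3"><c:Length>16</c:Length></c:DerivedKeyToken>'
           f'<ds:Signature>{keyref("_0")}</ds:Signature>'
           f'<e:EncryptedData>{keyref("_3")}</e:EncryptedData></msg>')

def derived_key_bits(message_xml):
    """Bit length of the derived keys referenced by the Signature and EncryptedData."""
    root = ET.fromstring(message_xml)
    lengths = {t.get(f"{{{NS['u']}}}Id"): 8 * int(t.findtext("c:Length", "32", NS))
               for t in root.iterfind(".//c:DerivedKeyToken", NS)}
    used = {}
    for role, path in (("signature", ".//ds:Signature"), ("encryption", ".//e:EncryptedData")):
        ref = root.find(path + "/ds:KeyInfo/o:SecurityTokenReference/o:Reference", NS)
        used[role] = lengths[ref.get("URI").lstrip("#")]
    return used

def check_policy(policy_xml, message_xml):
    """Per top-level wsp:All alternative: (satisfied, verdict for each AlgorithmSuite)."""
    bits = derived_key_bits(message_xml)
    results = []
    for alt in ET.fromstring(policy_xml).iterfind("wsp:ExactlyOne/wsp:All", NS):
        verdicts = {}
        for suite in alt.iterfind(".//sp:AlgorithmSuite/wsp:Policy/*", NS):
            name = suite.tag.split("}")[1]
            verdicts[name] = (bits["signature"], bits["encryption"]) == SUITES[name]
        # wsp:All means every assertion must hold, so one failing suite fails it.
        results.append((all(verdicts.values()), verdicts))
    return results
```

With the AlgorithmSuite dropped from the TransportBinding, as suggested in the thread, the same message satisfies the single remaining suite.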