openssl s_client -connect 10.168.20.109:443 -cipher NULL
CONNECTED(00000003)
140587511035720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 61 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Cool, we don't accept Null ciphers
Let's try now with low ciphers
openssl s_client -connect 10.168.20.109:443 -cipher LOW
CONNECTED(00000003)oops, we do. Incidentally, I think the error (unable to verify the first certificate) is due to the linux box not trusting TESTAuthority.
depth=0 C = US, ST = York, L = York, O = York, OU = York, CN = crmdevbox.dev.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = York, L = York, O = York, OU = York, CN = crmdevbox.dev.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = York, L = York, O = York, OU = York, CN = crmdevbox.dev.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=York/L=York/O=York/OU=York/CN=crmdevbox.dev.com
i:/DC=com/DC=dev/CN=TESTAuthority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFgDCCBGigAwIBAgIKIkXHKgAAAAAAJzANBgkqhkiG9w0BAQUFADBCMRMwEQYK
CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDZGV2MRYwFAYDVQQDEw1U
RVNUQXV0aG9yaXR5MB4XDTExMTAyNTA4NTUwOFoXDTEzMTAyNDA4NTUwOFowajEL
MAkGA1UEBhMCVVMxEjAQBgNVBAgTCVlvcmtzaGlyZTESMBAGA1UEBxMJU2hlZmZp
ZWxkMQswCQYDVQQKEwJIUDELMAkGA1UECxMCSFAxGTAXBgNVBAMTEGRoejMwNzAx
LmRldi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANNYoEklD7Rgnoq0
Ld1+YkKNVcMy9CLb40kmQ0E5f+7SXPDMqNS12yk81k21PQoioOVPSKG2+pAls/vw
QhbjMBeRXeYkrH6V5+nuBYogRVZil0xMeK5+lOJYwig+rHkd5bo8OU/ep+m0VaPj
k2k9+Ns3ZZ1FwlRf+s0KiT1iKVY1AgMBAAGjggLSMIICzjALBgNVHQ8EBAMCBaAw
RAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCA
MAcGBSsOAwIHMAoGCCqGSIb3DQMHMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1Ud
DgQWBBS6N5Bqj8MOTu9CmsXJXcE+sWRDlDAfBgNVHSMEGDAWgBQiuWOMgDSyXO0d
pdlFswWLTcSM+TCB9gYDVR0fBIHuMIHrMIHooIHloIHihoGtbGRhcDovLy9DTj1U
RVNUQXV0aG9yaXR5LENOPW1hcnMsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl
cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9ZGV2LERDPWNv
bT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JM
RGlzdHJpYnV0aW9uUG9pbnSGMGh0dHA6Ly9tYXJzLmRldi5jb20vQ2VydEVucm9s
bC9URVNUQXV0aG9yaXR5LmNybDCCAQYGCCsGAQUFBwEBBIH5MIH2MIGoBggrBgEF
BQcwAoaBm2xkYXA6Ly8vQ049VEVTVEF1dGhvcml0eSxDTj1BSUEsQ049UHVibGlj
JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE
Qz1kZXYsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0
aWZpY2F0aW9uQXV0aG9yaXR5MEkGCCsGAQUFBzAChj1odHRwOi8vbWFycy5kZXYu
Y29tL0NlcnRFbnJvbGwvbWFycy5kZXYuY29tX1RFU1RBdXRob3JpdHkuY3J0MCEG
CSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJKoZIhvcNAQEFBQAD
ggEBAKPrAW4nxI8AaNWpWHGnEHsUBy9C9jFEVLLXxP7jyawmfEgcBBpl+osxH1hG
FSFxYRa5ZVMhj6wMBMHlleftDZ7y5TunKFkOMqHhB027/SmYoqWw/XyWJxW8/EUq
9i3L5Aw1PV+/oF6Nm05VehXRlXF0ngHcwC4EYFCjt4R+/f7prMZHdvIZUq9VhtcV
VHdOl2NE7QizXdebrlyU5cIoS98XySgDuSjGeIOYY/z03jFghKv62qK5ituqQWYY
S17m516w5fSebBYhVfL5YZoCg5OXo346iZU320a6i5dZWHDDq89GkNp3i8aPxSZL
GyHRoPJzDBzo6WR+212a4j3zTEE=
-----END CERTIFICATE-----
subject=/C=US/ST=York/L=York/O=York/OU=York/CN=crmdevbox.dev.com
issuer=/DC=com/DC=dev/CN=TESTAuthority
---
No client certificate CA names sent
---
SSL handshake has read 1556 bytes and written 251 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC-SHA
Session-ID: B51700000B4CA5D162B9D228487DCCC53694945999BBE6F50BF1332ED8DA3D28
Session-ID-ctx:
Master-Key: E477BEE6E2A4D51D5FCAFB9AC385F89ED3FFDE06F4EEC5860A5080D655D18EDA3E483D7FA0CCE0EEDD454E9C3A847367
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1322229571
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
So we did a little bit of hardening, which I'll post about separately, and now when we try again:
openssl s_client -connect 10.168.20.109:443 -cipher LOW
CONNECTED(00000003)
140587511035720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 61 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Result.
You can try with Medium or High ciphers too.
No comments:
Post a Comment