OK, I have some ssldump information for the machine that doesn't
work. I am trying to get the dump on a machine that does work now.
The client and server are our own applications. As one other person
stated, we already do use
SSL_CTX_set_verify (context, SSL_VERIFY_PEER, 0).
        Just to give a better overview of what is happening. When the
client first connects it may not have a certificate, so it connects
without one but with limited permissions for our server. They then get a
certificate/key (flame about this later please :) from the Server and do
a renegotiate with the server with the new certificate. The security we
implemented was to encrypt the key with a password that only the client
should know (human client).
        

New TCP connection #1: XXXXXXX(12664) <-> XXXXX(6550)
1 1  1.9488 (1.9488)  C>S SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  TLS_DHE_DSS_WITH_RC4_128_SHA  
  TLS_DHE_DSS_WITH_RC2_56_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA  
  TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5  
  TLS_RSA_EXPORT1024_WITH_RC4_56_MD5  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
  TLS_RSA_WITH_IDEA_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
  TLS_RSA_WITH_RC4_128_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA  
  TLS_DH_anon_WITH_DES_CBC_SHA  
  TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA  
  TLS_DH_anon_WITH_RC4_128_MD5  
  TLS_DH_anon_EXPORT_WITH_RC4_40_MD5  
  SSL2_CK_RC464  
  SSL2_CK_3DES  
  SSL2_CK_DES  
  SSL2_CK_IDEA  
  SSL2_CK_RC2  
  SSL2_CK_RC2_EXPORT40  
  SSL2_CK_RC4  
  SSL2_CK_RC4_EXPORT40  
1 2  1.9495 (0.0007)  S>CV3.1(74)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          3c c5 66 c2 02 21 83 36 96 79 be e9 a8 9e 9f aa 
          ba 10 1c 25 c7 8e dd 34 ab e9 4d 65 9d c5 28 26 
        session_id[32]=
          ee ff 33 1f 7c 0d 2e f3 0b f8 f5 52 7a 47 88 16 
          2e 26 45 b0 a9 f0 ba 51 38 12 32 74 c9 9d 94 15 
        cipherSuite         TLS_DHE_DSS_WITH_RC4_128_SHA
        compressionMethod                   NULL
1 3  2.0982 (0.1487)  S>CV3.1(1844)  Handshake
      Certificate
1 4  2.0982 (0.0000)  S>CV3.1(315)  Handshake
      ServerKeyExchange
        params
          DH_p[128]=
            cd ab 52 93 93 f3 9b 9e 40 b6 98 77 2c c2 f7 a0 
            33 f2 18 e2 4b 7f 9f bd 5c 0f c7 ba f2 f9 d8 bc 
            ed b8 d5 be fc d8 36 69 d5 03 e3 d0 33 40 21 c5 
            03 93 ba 89 c1 6e 9f ab 66 82 26 97 b1 8f 9e 3c 
            ac d6 4e 4b a2 83 85 68 d2 6e 93 84 be 08 7d 9f 
            74 7e d9 d4 09 c1 81 45 df 31 8f 0f 73 cf a3 53 
            e9 bc 98 55 1a 89 6b 71 a0 09 5a c9 72 a8 55 58 
            3f fd 39 86 e7 69 70 14 58 61 6b f0 8e 3e ad 43 
          DH_g[1]=
            02 
          DH_Ys[128]=
            20 97 5e 55 34 17 03 8a 99 10 ee ef ce 6d 99 fd 
            4a 25 0c c5 71 4b ef 2f 15 54 8d d8 b0 6a 89 5d 
            a2 6e ca 43 19 ec 4b 80 52 4d e3 14 0e 84 42 50 
            d3 23 09 25 75 8b 2d a1 c1 31 04 af a8 bc a0 c2 
            5f bb 9e 6d 62 ef 1a b7 83 36 05 a9 f6 b8 b7 eb 
            60 af df 0f d7 bb 1d 89 68 01 ff a1 ca 05 dd 60 
            65 7c da 7f e0 ff d0 e5 5a 43 c6 e0 26 a5 96 8d 
            73 eb 1e 63 61 fd 96 2f 55 5c 03 1e b1 3d 12 b0 
        signature[46]=
          30 2c 02 14 36 07 a2 ed 67 83 2c f6 ac f4 7b 96 
          47 1f 91 04 2f e4 ea b3 02 14 3b 79 84 09 4d 56 
          e8 78 97 b8 ad 50 94 9c af 93 b6 70 23 6a 
1 5  2.0982 (0.0000)  S>CV3.1(15)  Handshake
      CertificateRequest
        certificate_types                   rsa_fixed_dh
        certificate_types                   dss_fixed_dh
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
      ServerHelloDone
1 6  2.1419 (0.0436)  C>SV3.1(7)  Handshake
      Certificate
1 7  2.1419 (0.0000)  C>SV3.1(134)  Handshake
      ClientKeyExchange
        DiffieHellmanClientPublicValue[128]=
          5b 76 e1 13 5e 47 45 b0 74 01 88 63 f6 48 74 c9 
          7a 38 1e a6 09 08 94 46 6e 14 40 9b dc 32 f6 c7 
          02 b9 33 bc 5a de fc ba e9 40 57 5a a8 e4 c1 e1 
          e1 58 11 48 88 43 9a 06 24 0d 98 3f cd 0a 83 c9 
          96 43 84 cc 10 3d 93 78 94 95 57 58 50 d5 97 86 
          8f 6c 2a 64 ad 32 d3 60 da 03 6a a7 6a c5 89 8c 
          4d bd aa 61 37 b6 ed 2c 48 60 eb c2 1d 98 2e 19 
          93 ac c4 b9 46 7e f2 96 88 ae 98 fb dd a4 b9 4c 
1 8  2.1419 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 9  2.1419 (0.0000)  C>SV3.1(36)  Handshake
1 10 2.2448 (0.1029)  S>CV3.1(1)  ChangeCipherSpec
1 11 2.2448 (0.0000)  S>CV3.1(36)  Handshake
1 12 2.2465 (0.0017)  C>SV3.1(103)  application_data
1 13 2.2474 (0.0008)  S>CV3.1(40)  application_data
1 14 2.2485 (0.0010)  C>SV3.1(159)  application_data
1 15 2.2500 (0.0014)  S>CV3.1(52)  application_data
1 16 2.2508 (0.0008)  S>CV3.1(5200)  application_data

download:
1 26 73.8719 (0.0414)  C>SV3.1(115)  Handshake
1 27 73.8729 (0.0009)  S>CV3.1(94)  Handshake
1 28 73.9787 (0.1058)  S>CV3.1(1864)  Handshake
1 29 73.9789 (0.0002)  S>CV3.1(336)  Handshake
1 30 73.9789 (0.0000)  S>CV3.1(35)  Handshake
1 31 74.0222 (0.0433)  C>SV3.1(954)  Handshake
1 32 74.0234 (0.0011)  S>CV3.1(22)  Alert
1    74.0244 (0.0009)  S>C  TCP FIN
1 33 74.0255 (0.0011)  C>SV3.1(154)  Handshake
1 34 74.0255 (0.0000)  C>SV3.1(73)  Handshake
1 35 74.0255 (0.0000)  C>SV3.1(21)  ChangeCipherSpec
1 36 74.0255 (0.0000)  C>SV3.1(36)  Handshake
1    74.0256 (0.0001)  C>S  TCP FIN

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rescorla
> Sent: Monday, April 22, 2002 12:36 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Certificate Problem / get_peer_certificate
> 
> 
> "Andrew T. Finnell" <[EMAIL PROTECTED]> writes:
> > I do not know. I do not have access to these machines they are at our
> > client's location. I suppose we could try and get them to install
> > ssldump and run it. Although I am not sure this is an option.
>
> ssldump can read data captured with 'tcpdump -s 8192 -w' if
> that helps at all.
> 
> In general, this sort of thing is very difficult to diagnose 
> without either ssldump traces or OpenSSL logging info.
> 
> -Ekr
> 
> -- 
> [Eric Rescorla                                   [EMAIL PROTECTED]]
>                 http://www.rtfm.com/ 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
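
A small triage helper for traces like the one in this message, added here as an example and not code from the thread or from ssldump: it parses ssldump record lines, finds the first Alert, and reports the last record the peer sent before it and the peer records that still follow it. The function names are illustrative; the sample lines are copied from the renegotiation excerpt above.

```python
import re

# ssldump record line: connection, record number, time, delta, direction,
# then optionally "V<version>(<length>)" and the record type, e.g.
#   "1 32 74.0234 (0.0011)  S>CV3.1(22)  Alert"
RECORD = re.compile(
    r"^(\d+)\s+(?P<seq>\d+)\s+(?P<t>\d+\.\d+)\s+\(\d+\.\d+\)\s+"
    r"(?P<dir>[CS]>[CS])\s*(?:V\d\.\d\((?P<len>\d+)\))?\s*(?P<type>.+?)\s*$"
)

# Copied from the renegotiation part of the trace in the message above.
SAMPLE = """\
1 26 73.8719 (0.0414)  C>SV3.1(115)  Handshake
1 27 73.8729 (0.0009)  S>CV3.1(94)  Handshake
1 28 73.9787 (0.1058)  S>CV3.1(1864)  Handshake
1 29 73.9789 (0.0002)  S>CV3.1(336)  Handshake
1 30 73.9789 (0.0000)  S>CV3.1(35)  Handshake
1 31 74.0222 (0.0433)  C>SV3.1(954)  Handshake
1 32 74.0234 (0.0011)  S>CV3.1(22)  Alert
1    74.0244 (0.0009)  S>C  TCP FIN
1 33 74.0255 (0.0011)  C>SV3.1(154)  Handshake
1 34 74.0255 (0.0000)  C>SV3.1(73)  Handshake
1 35 74.0255 (0.0000)  C>SV3.1(21)  ChangeCipherSpec
1 36 74.0255 (0.0000)  C>SV3.1(36)  Handshake
1    74.0256 (0.0001)  C>S  TCP FIN
"""

def parse_records(text):
    """One dict per SSL record line; TCP FIN and indented detail lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"seq": int(m["seq"]), "t": float(m["t"]), "dir": m["dir"],
                            "len": int(m["len"]) if m["len"] else None,
                            "type": m["type"]})
    return records

def alert_context(records):
    """Locate the first Alert and the peer traffic on either side of it."""
    for i, rec in enumerate(records):
        if rec["type"] == "Alert":
            peer = "C>S" if rec["dir"] == "S>C" else "S>C"
            before = [r for r in records[:i] if r["dir"] == peer]
            after = [r["seq"] for r in records[i + 1:] if r["dir"] == peer]
            # last_from_peer is only a candidate for what the alert answers.
            return {"alert": rec, "last_from_peer": before[-1] if before else None,
                    "peer_sent_after": after}
    return None

if __name__ == "__main__":
    print(alert_context(parse_records(SAMPLE)))
```
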
