I'd like to know if there's a way -- programmatic, config, environment -- that I can get a detailed print of what goes on during a handshake at the client or the server? Below is the output from Apache Tomcat as an example of the level of detail I'm looking for:

http-442-1, READ: TLSv1 Handshake, length = 73
*** ClientHello, TLSv1
RandomCookie: GMT: 1269551866 bytes = { 178, 23, 135, 211, 154, 110, 144, 59, 99, 139, 224, 45, 156, 231, 232, 123, 36, 95, 187, 165, 56, 121, 211, 63, 117, 43, 7, 82 }
Session ID: {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, Unknown 0x0:0xff]
Compression Methods: { 0 }
Unsupported extension type_35, data:
***
%% Created: [Session-1, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1269551766 bytes = { 32, 121, 10, 209, 123, 137, 160, 183, 186, 107, 255, 108, 79, 16, 190, 91, 180, 86, 18, 136, 232, 108, 249, 191, 90, 176, 87, 231 }
Session ID: {76, 172, 211, 150, 251, 114, 230, 220, 75, 218, 174, 105, 134, 185, 144, 119, 92, 182, 1, 58, 247, 172, 121, 90, 212, 100, 58, 220, 93, 76, 97, 111}
Cipher Suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
***
Cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: OU=Tomcat, O=ACME, emailaddress=tom...@acme.com, C=CA, CN=localhost
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: Sun RSA public key, 512 bits
  modulus: 973285574783538290665814718553460486271776249697428968977460338357983 ...
  public exponent: 65537
  Validity: [From: Mon Jun 21 14:33:25 EDT 2010,
               To: Tue Jun 21 14:33:25 EDT 2011]
  Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA, CN=ACME Systems Root CA
  SerialNumber: [ 02]
]
  Algorithm: [SHA1withRSA]
  Signature:
0000: A5 A9 E6 5F BE 51 75 E5 E3 25 9D 92 AB 45 FA 1E  ..._.Qu..%...E..
...
]
***
*** Diffie-Hellman ServerKeyExchange
DH Modulus: { 233, 230, 66, 89, 157, 53, 95, 55, 201, 127, 253, 53, 103, 18, 11 ... }
DH Base: { 48, 71, 10, 213, 160, 5, 251, 20, 206, 45, 157, 205, 135, 227, 139, ... }
Server DH Public Key: { 159, 193, 69, 114, 138, 167, 128, 50, 5, 51, 77, 127, 2 ...}
Signed with a DSA or RSA public key
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<OU=Root CA, O=ACME Systems Inc., C=CA, CN=ACME Systems Root CA>
<OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA, CN=ACME Systems Root CA>
<CN=TESTCA, OU=CA, O=TEST>
*** ServerHelloDone
http-442-1, WRITE: TLSv1 Handshake, length = 1544
http-442-1, READ: TLSv1 Handshake, length = 3309
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=fd0172c2-3f02-432e-8317-097b8fabff7d, OU=Windows/1.00, O=instance
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: Sun RSA public key, 1024 bits
  modulus: 128531339772544414974300233324968135333513753311766363920169114394683 ...
  public exponent: 65537
  Validity: [From: Tue Oct 05 17:49:02 EDT 2010,
               To: Wed Oct 05 17:49:02 EDT 2011]
  Issuer: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
  SerialNumber: [ 012b7e5e 79df]

[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=guest, OU=ACME PC Client, O=instance
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Key_Agreement
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]
]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 97 32 64 63 D4 DA ED AF CD 7F EC 77 A6 7C 72 85  .2dc.......w..r.
...
]
chain [1] = [
[
  Version: V3
  Subject: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: Sun RSA public key, 2048 bits
  modulus: 241401315179803415263681113133745704037912047640810783616090692543408 ...
  public exponent: 65537
  Validity: [From: Wed Jun 09 14:04:45 EDT 2010,
               To: Thu Jun 09 14:04:45 EDT 2011]
  Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA, CN=ACME Systems Root CA
  SerialNumber: [ 01]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.30 Criticality=true
NameConstraints: [
  Permitted: GeneralSubtrees:
  [
    GeneralSubtree: [
      GeneralName: O=instance
      Minimum: 0 Maximum: undefined ]
  ]
]

[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C FB 2B 96 C9 0D 37 89 01 83 D9 5A 67 41 3B 3C  ..+...7....ZgA;<
0010: E7 45 81 43                                      .E.C
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 70 8F 22 BC D7 55 20 6E 00 D7 3A D3 70 40 F5 49  p."..U n..:....@.i
0010: 91 20 90 60                                      . .`
]
[OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA, CN=ACME Systems Root CA]
SerialNumber: [ 00]
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: https://www.ACME.com/crl/revocation.crl]
]]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 14 2C 81 0C 77 A1 50 79 F3 01 72 9A 35 C7 C1 B9  .,..w.Py..r.5...
...
]
chain [2] = [
[
  Version: V3
  Subject: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA, CN=ACME Systems Root CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...