I'd like to know if there's a way -- programmatic, config, environment
-- that I can get detailed print of what goes on during a handshake at
the client or the server? Below is the output from Apache Tomcat as an
example of the level of details i'm looking for:
http-442-1, READ: TLSv1 Handshake, length = 73
*** ClientHello, TLSv1
RandomCookie: GMT: 1269551866 bytes = { 178, 23, 135, 211, 154, 110,
144, 59, 9
9, 139, 224, 45, 156, 231, 232, 123, 36, 95, 187, 165, 56, 121, 211, 63,
117, 43
, 7, 82 }
Session ID: {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_S
HA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS
_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_
CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA
_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, Unknown 0x0:0xff]
Compression Methods: { 0 }
Unsupported extension type_35, data:
***
%% Created: [Session-1, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1269551766 bytes = { 32, 121, 10, 209, 123, 137,
160, 183, 1
86, 107, 255, 108, 79, 16, 190, 91, 180, 86, 18, 136, 232, 108, 249,
191, 90, 17
6, 87, 231 }
Session ID: {76, 172, 211, 150, 251, 114, 230, 220, 75, 218, 174, 105,
134, 185
, 144, 119, 92, 182, 1, 58, 247, 172, 121, 90, 212, 100, 58, 220, 93,
76, 97, 11
1}
Cipher Suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
***
Cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: OU=Tomcat, O=ACME, emailaddress=tom...@acme.com, C=CA,
CN=localhost
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 512 bits
modulus:
973285574783538290665814718553460486271776249697428968977460338357983
...
public exponent: 65537
Validity: [From: Mon Jun 21 14:33:25 EDT 2010,
To: Tue Jun 21 14:33:25 EDT 2011]
Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
SerialNumber: [ 02]
]
Algorithm: [SHA1withRSA]
Signature:
0000: A5 A9 E6 5F BE 51 75 E5 E3 25 9D 92 AB 45 FA 1E ..._.Qu..%...E..
...
]
***
*** Diffie-Hellman ServerKeyExchange
DH Modulus: { 233, 230, 66, 89, 157, 53, 95, 55, 201, 127, 253, 53,
103, 18, 11
... }
DH Base: { 48, 71, 10, 213, 160, 5, 251, 20, 206, 45, 157, 205, 135,
227, 139,
... }
Server DH Public Key: { 159, 193, 69, 114, 138, 167, 128, 50, 5, 51,
77, 127, 2
...}
Signed with a DSA or RSA public key
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<OU=Root CA, O=ACME Systems Inc., C=CA, CN=ACME Systems Root CA>
<OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA>
<CN=TESTCA, OU=CA, O=TEST>
*** ServerHelloDone
http-442-1, WRITE: TLSv1 Handshake, length = 1544
http-442-1, READ: TLSv1 Handshake, length = 3309
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=fd0172c2-3f02-432e-8317-097b8fabff7d, OU=Windows/1.00,
O=instance
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus:
128531339772544414974300233324968135333513753311766363920169114394683
...
public exponent: 65537
Validity: [From: Tue Oct 05 17:49:02 EDT 2010,
To: Wed Oct 05 17:49:02 EDT 2011]
Issuer: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
SerialNumber: [ 012b7e5e 79df]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=guest, OU=ACME PC Client, O=instance
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
Key_Agreement
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 97 32 64 63 D4 DA ED AF CD 7F EC 77 A6 7C 72 85 .2dc.......w..r.
...
]
chain [1] = [
[
Version: V3
Subject: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus:
241401315179803415263681113133745704037912047640810783616090692543408
...
public exponent: 65537
Validity: [From: Wed Jun 09 14:04:45 EDT 2010,
To: Thu Jun 09 14:04:45 EDT 2011]
Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
SerialNumber: [ 01]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.30 Criticality=true
NameConstraints: [
Permitted: GeneralSubtrees:
[
GeneralSubtree: [
GeneralName: O=instance
Minimum: 0 Maximum: undefined ]
]
]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C FB 2B 96 C9 0D 37 89 01 83 D9 5A 67 41 3B 3C ..+...7....ZgA;<
0010: E7 45 81 43 .E.C
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 70 8F 22 BC D7 55 20 6E 00 D7 3A D3 70 40 F5 49 p."..U n..:....@.i
0010: 91 20 90 60 . .`
]
[OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA]
SerialNumber: [ 00]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: https://www.ACME.com/crl/revocation.crl]
]]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 14 2C 81 0C 77 A1 50 79 F3 01 72 9A 35 C7 C1 B9 .,..w.Py..r.5...
...
]
chain [2] = [
[
Version: V3
Subject: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
