RE: Getting detailed ssl-handshake debug output

2010-10-11 Thread Jeff Saremi
 I received the answer in a direct email and just wanted to share it
here too:

- command line:

openssl s_client -state -debug -connect host:port

- programmatic:

One can look in the callback mechanism used in the above, specifically in 
apps/s_cb.c
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Getting detailed ssl-handshake debug output

2010-10-08 Thread Jeff Saremi
 I'd like to know if there's a way -- programmatic, config, environment
-- that I can get detailed print of what goes on during a handshake at
the client or the server? Below is the output from Apache Tomcat as an
example of the level of details i'm looking for:

http-442-1, READ: TLSv1 Handshake, length = 73
*** ClientHello, TLSv1
RandomCookie:  GMT: 1269551866 bytes = { 178, 23, 135, 211, 154, 110,
144, 59, 9
9, 139, 224, 45, 156, 231, 232, 123, 36, 95, 187, 165, 56, 121, 211, 63,
117, 43
, 7, 82 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_S
HA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS
_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_
CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA
_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, Unknown 0x0:0xff]
Compression Methods:  { 0 }
Unsupported extension type_35, data:
***
%% Created:  [Session-1, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1269551766 bytes = { 32, 121, 10, 209, 123, 137,
160, 183, 1
86, 107, 255, 108, 79, 16, 190, 91, 180, 86, 18, 136, 232, 108, 249,
191, 90, 17
6, 87, 231 }
Session ID:  {76, 172, 211, 150, 251, 114, 230, 220, 75, 218, 174, 105,
134, 185
, 144, 119, 92, 182, 1, 58, 247, 172, 121, 90, 212, 100, 58, 220, 93,
76, 97, 11
1}
Cipher Suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
***
Cipher suite:  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V1
  Subject: OU=Tomcat, O=ACME, emailaddress=tom...@acme.com, C=CA,
CN=localhost
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
 
  Key:  Sun RSA public key, 512 bits
  modulus:
973285574783538290665814718553460486271776249697428968977460338357983
...
  public exponent: 65537
  Validity: [From: Mon Jun 21 14:33:25 EDT 2010,
   To: Tue Jun 21 14:33:25 EDT 2011]
  Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
  SerialNumber: [02]
 
]
  Algorithm: [SHA1withRSA]
  Signature:
: A5 A9 E6 5F BE 51 75 E5   E3 25 9D 92 AB 45 FA 1E  ..._.Qu..%...E..
...
 
]
***
*** Diffie-Hellman ServerKeyExchange
DH Modulus:  { 233, 230, 66, 89, 157, 53, 95, 55, 201, 127, 253, 53,
103, 18, 11
... }
DH Base:  { 48, 71, 10, 213, 160, 5, 251, 20, 206, 45, 157, 205, 135,
227, 139,
... }
Server DH Public Key:  { 159, 193, 69, 114, 138, 167, 128, 50, 5, 51,
77, 127, 2
...}
Signed with a DSA or RSA public key
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
OU=Root CA, O=ACME Systems Inc., C=CA, CN=ACME Systems Root CA
OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
CN=TESTCA, OU=CA, O=TEST
*** ServerHelloDone
http-442-1, WRITE: TLSv1 Handshake, length = 1544
http-442-1, READ: TLSv1 Handshake, length = 3309
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=fd0172c2-3f02-432e-8317-097b8fabff7d, OU=Windows/1.00,
O=instance
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
 
  Key:  Sun RSA public key, 1024 bits
  modulus:
128531339772544414974300233324968135333513753311766363920169114394683
...
 
  public exponent: 65537
  Validity: [From: Tue Oct 05 17:49:02 EDT 2010,
   To: Wed Oct 05 17:49:02 EDT 2011]
  Issuer: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
  SerialNumber: [012b7e5e 79df]

[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=guest, OU=ACME PC Client, O=instance
]
 
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Key_Agreement
]
 
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]
 
]
  Algorithm: [SHA256withRSA]
  Signature:
: 97 32 64 63 D4 DA ED AF   CD 7F EC 77 A6 7C 72 85  .2dc...w..r.
...
 
]
chain [1] = [
[
  Version: V3
  Subject: CN=TESTActivationCA, OU=Activation CA, O=TEST ACTIVATION
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
 
  Key:  Sun RSA public key, 2048 bits
  modulus:
241401315179803415263681113133745704037912047640810783616090692543408
...
  public exponent: 65537
  Validity: [From: Wed Jun 09 14:04:45 EDT 2010,
   To: Thu Jun 09 14:04:45 EDT 2011]
  Issuer: OU=Root CA, O=ACME Systems Inc., L=TEST PURPOSES ONLY, C=CA,
CN=ACME Systems Root CA
  SerialNumber: [01]
 
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.30 Criticality=true
NameConstraints: [
Permitted:   GeneralSubtrees:
[
   GeneralSubtree: [
GeneralName: O=instance
Minimum: 0  Maximum: undefined]
]
   ]
 
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 7C FB 2B 96 C9 0D 37 89   01 83 D9 5A 67 41 3B 3C  ..+...7ZgA;
0010: E7 45 81 43.E.C
]
]
 
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: 70 8F 22 BC D7 55 20 6E   

RE: Getting detailed ssl-handshake debug output

2010-10-08 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of Jeff Saremi
 Sent: Thursday, 07 October, 2010 15:15

  I'd like to know if there's a way -- programmatic, config, 
 environment
 -- that I can get detailed print of what goes on during a handshake at
 the client or the server? Below is the output from Apache Tomcat as an
 example of the level of details i'm looking for:
 
Not in OpenSSL, I'm pretty sure.

If you can install other software on the same machine, 
or (usually?) another machine on the same LAN, WireShark from 
www.wireshark.org can display it on screen, or save a trace file 
which you can open and re-display later. I haven't found a way to 
capture the formatted display (except screen print on Windows).

This will only work for initial negotiation, since renegotiation 
is encrypted (unless the initial/current ciphersuite is eNULL). 
ssldump might work in that case, but I haven't tried it.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org