SSL handshake shows cipher 0000 - ssl

My SSL handshake (using openssl s_client -connect host:port) shows this output:
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1631731107
Timeout : 300 (sec)
Verify return code: 0 (ok)
It is showing return code 0 (ok), start time etc. Does this mean an SSL session is established here? Why does it not show other things like cipher, session-id etc. which I normally see with other SSL sessions?

This output means that the handshake was not successful at all. There is usually an error somewhere in the output preceding this, like here:
$ openssl s_client -connect example.com:80
CONNECTED(00000003)
140501726137216:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:ssl_pkt.c:386:
....
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
...
Verify return code: 0 (ok)
In this example a TLS connection was attempted to a server which does not speak TLS at all but instead speaks only plain HTTP (since I've connected to the plain HTTP port). There is a clear error showing some kind of TLS problem, which in this case is caused by trying to interpret a plain HTTP response as TLS.
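The rule in the answer above (a real session has a named cipher and no error lines; "Verify return code" says nothing about whether the handshake happened) can be scripted. The following Python is an added example, not part of the answer and not OpenSSL's own code: it parses s_client output, collects the "SSL routines" error lines and the TLS alert number if the peer sent one, and decides whether a handshake actually took place. The sample outputs inside it are constructed from the shapes seen in this thread, the function names are my own, and the error-line pattern assumes the "<id>:error:<code>:SSL routines:<function>:<reason>:" layout OpenSSL has printed from 1.0.x through 3.x.

```python
import re

# TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6.2) behind the
# "SSL alert number N" that openssl appends when the peer aborts the handshake.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name", 116: "certificate_required",
    120: "no_application_protocol",
}

# "<id>:error:<code>:SSL routines:<function>:<reason>:<file>:<line>:" (the id is decimal
# in 1.0.x/1.1.x and hex in 3.x; the error code is always hex).
_ERR_LINE = re.compile(
    r"^\s*[0-9A-Fa-f]+:error:[0-9A-Fa-f]+:SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):", re.M)
_ALERT = re.compile(r"SSL alert number (\d+)")
_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_BYTES = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_VERIFY = re.compile(r"Verify return code: (\d+)")


def _first(rx, text, cast=str):
    m = rx.search(text)
    return cast(m.group(1)) if m else None


def analyze_s_client(output: str) -> dict:
    """Classify the text openssl s_client printed for one connection attempt."""
    errors = [f"{m['func']}: {m['reason']}" for m in _ERR_LINE.finditer(output)]
    alert_num = _first(_ALERT, output, int)
    alert = (alert_num, TLS_ALERTS.get(alert_num, "unknown")) if alert_num is not None else None
    cipher = _first(_CIPHER, output)
    m = _BYTES.search(output)
    read_bytes, written_bytes = (int(m.group(1)), int(m.group(2))) if m else (None, None)

    # Only a named cipher with no error lines means a session was negotiated; "0000"
    # and "(NONE)" are the placeholders printed when nothing was ever agreed on.
    handshake_ok = bool(cipher) and cipher not in ("0000", "(NONE)") and not errors

    if handshake_ok:
        diagnosis = "handshake completed"
    elif alert:
        diagnosis = f"peer aborted the handshake with alert {alert[0]} ({alert[1]})"
    elif any("wrong version number" in e for e in errors):
        diagnosis = "peer answered with something that is not TLS (plaintext service or wrong port)"
    elif read_bytes == 0 and (written_bytes or 0) > 0:
        diagnosis = ("server closed the connection without sending any TLS data "
                     "(firewall, wrong port, SNI required, or server-side misconfiguration)")
    else:
        diagnosis = "handshake failed; see error lines"

    return {
        "handshake_ok": handshake_ok, "protocol": _first(_PROTO, output), "cipher": cipher,
        "errors": errors, "alert": alert, "read_bytes": read_bytes,
        "written_bytes": written_bytes, "verify_return_code": _first(_VERIFY, output, int),
        "diagnosis": diagnosis,
    }


# Constructed sample outputs, trimmed to the lines the classifier looks at.
SAMPLES = {
    "not_tls": """CONNECTED(00000003)
140501726137216:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:ssl_pkt.c:386:
SSL handshake has read 5 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
""",
    "closed": """CONNECTED(00000003)
write:errno=104
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Cipher    : 0000
    Verify return code: 0 (ok)
""",
    "alert42": """CONNECTED(00000003)
139810559764296:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
139810559764296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
SSL handshake has read 6648 bytes and written 354 bytes
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Verify return code: 0 (ok)
""",
    "ok": """CONNECTED(00000003)
SSL handshake has read 1234 bytes and written 400 bytes
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:8s} -> {analyze_s_client(text)['diagnosis']}")
```

To use it on a live connection, capture both streams (openssl s_client -connect host:port </dev/null 2>&1) and pass that text to analyze_s_client. Note that every failed sample still carries "Verify return code: 0 (ok)": with no certificate ever received there was nothing to verify, so the counter simply stays at its initial value.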

From https://www.virtuesecurity.com/kb/null-ciphers-supported/:
Cipher Name (IANA)        Cipher Name (OpenSSL)   Value
TLS_NULL_WITH_NULL_NULL   N/A                     0x00,0x00
See also https://en.wikipedia.org/wiki/Null_cipher.
Just don't use it, there's no encryption.

Related

Is the alert "SSL3_READ_BYTES:sslv3 alert bad certificate" indicating the SSL failed?

While running the below command
openssl s_client -host example.xyz -port 9093
I get the following error.
139810559764296:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
39810559764296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
But at the end I get the "Verify return code: 0 (ok)" message. My question is what the above alert signifies, and whether the SSL was actually successful. Thanks a lot for the help in advance.
SSL handshake has read 6648 bytes and written 354 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 57EC2E221A6CDDEDB95F27F826A2CF310010200A645D17F818FB0D35EF4DF12A
Session-ID-ctx:
Master-Key:
7C4BA05C349558BAD487B270F74B5040B9FC746A6D15BF2D8E223949E9A1F343A0FED9E154BE53C7
EB52F996C1494101
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1475096098
Timeout : 300 (sec)
Verify return code: 0 (ok)

Cannot establish SSL connection with RabbitMQ

I am trying to establish an SSL connection with the RabbitMQ broker.
I followed this page to help me and I found my bug, but I don't know how to resolve it. I am stuck at testing the connection with the broker:
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470206187
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
And I have no log but I need accepting AMQP connection.
# rabbitmq.config
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,".../testca/cacert.pem"},
{certfile,".../server/cert.pem"},
{keyfile,".../server/key.pem"},
{ciphers, [{rsa,aes_256_cbc,sha256}]},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].
The certificates that I use are validated, verified and created with the doc.
I think it is this issue that does not allow me to perform an SSL connection.
Thanks
Edit: I created the certificates in /var/lib/rabbitmq as the user rabbitmq, and this way the permissions are right and the server can access the certs.
Everything worked for me after I replaced in rabbitmq.config
{certfile,".../server/cert.pem"},
with the full file path:
{certfile,"/data/server/cert.pem"}
RabbitMQ says nothing when it can't find or can't read the certificate file.
Check permissions for certificate files!

openssl connection on a self-certified server

I'm performing this command in order to check whether I'm able to create a SSL connection:
openssl s_client -connect private-server:5000
private-server is a server I've set up with a self-generated certificate.
The output is:
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1467812448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
What do I need to get the connection right?
Thanks.
SSL handshake has read 0 bytes and written 308 bytes
The client has started with the SSL handshake but the server has closed the connection without sending anything back. There might be a lot of reasons for this, like a firewall blocking the connection, various configuration errors on the server, the server not expecting TLS at all, the server expecting SNI ...
Unfortunately it cannot be said from the information you provide which exactly is the cause of the problem. You might try with different clients (browser) to find out if the problem is more at the server or middlebox side (i.e. none of the clients work) or if it is more a problem which can maybe be fixed on the client side (some clients work, others not).

Problems getting a site's https certificates

I have an Android app that has some trouble with a site's certificate when connecting via https. As I'm experiencing trouble even when using a custom keystore with the certificates ("No peer certificate") I'm trying to get more information about the connection, handshake and certificates actually given by the server.
The version of openssl is as follows:
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
When I just try to get info about the certificates I get this response:
$ openssl s_client -showcerts -connect [hostname]:443 </dev/null
CONNECTED(00000003)
3069977808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is how Chrome describes the connection (sorry for the Norwegian text, but you get an idea of the connection and encryption type):
Based on the info from Chrome I've tried different commands to get the certificates, but they all seem to fail. My top candidate was this one:
$ openssl s_client -showcerts -connect [hostname]:443 -tls1_2 -cipher RC4-MD5
CONNECTED(00000003)
3069396176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3069396176:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414399499
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Anyone got any hints based on the info given?
This might be an SNI issue, where the server has no default certificate defined for non-SNI clients. Android included a version of Apache's HttpClient which is known to not support SNI, and your openssl s_client command also does not use SNI.
Please try openssl s_client -servername hostname -connect ... to use SNI and see if this helps.
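What -servername changes on the wire can be checked directly. The following Python is an added example, not the answer's code and not OpenSSL's: it builds the minimal TLS ClientHello a client sends, once with the server_name extension (what -servername adds) and once without, and parses a ClientHello back to report the name and the offered cipher suites, which is what you would run over a ClientHello lifted from a packet capture of the Android app. The function names are my own, the record layout follows RFC 5246 and RFC 6066, and real clients send many more extensions than this one does.

```python
import struct


def _server_name_extension(hostname: str) -> bytes:
    """server_name extension (RFC 6066 section 3): type 0 with one host_name entry."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list


def build_client_hello(hostname=None, cipher_suites=(0xC02F, 0x002F),
                       client_random=bytes(32)) -> bytes:
    """Minimal TLS 1.2 ClientHello record; hostname=None omits the SNI extension."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + client_random + b"\x00"                # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                       # compression_methods: null only
    extensions = _server_name_extension(hostname) if hostname else b""
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> dict:
    """Return legacy version, offered cipher suites and SNI (or None) of a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # compression_methods
    sni = None
    if pos + 2 <= len(body):                         # the extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0:                           # server_name: 2-byte list length, then entries
                p = 2
                while p + 3 <= len(data):
                    ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        sni = data[p:p + nlen].decode("ascii")
                    p += nlen
    return {"legacy_version": body[:2].hex(),
            "cipher_suites": [f"0x{s:04X}" for s in suites],
            "sni": sni}


if __name__ == "__main__":
    for host in ("example.com", None):
        hello = build_client_hello(host)             # constructed, not a captured message
        print(f"{len(hello):3d} bytes -> {parse_client_hello(hello)}")
```

A server that keys its certificate selection on SNI sees the second ClientHello (sni None) exactly as it sees the 1.0.1e s_client run in the question, and either serves a default certificate or, as the answer describes, aborts. Since OpenSSL 1.1.1, s_client fills the server_name extension from the -connect host by default (suppressed with -noservername); the 1.0.x builds in this thread only send it when -servername is given.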

SSL trouble (openssl)

I need to configure a connection to a server via the SSL protocol. I got 2 files from the server owners: the CA root certificate (ca.pem) and a test certificate request (test.csr file).
I am trying to test the connection via the openssl s_client utility and I get a strange result (xxx = masked values):
openssl s_client -connect MYURL -CAfile ca.pem
CONNECTED(00000003)
xxx verify return:1
xxx verify return:1
3074332296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1193:SSL alert number 40
3074332296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
But after the handshake alert and the printed certificate data I see:
SSL handshake has read yyy bytes and written yyy bytes
New, xxx, Cipher is xxx
Server public key is xxx bit
Compression: xxx
Expansion: xxx
SSL-Session:
Protocol : xxx
Cipher : xxx
Session-ID:
Session-ID-ctx:
Master-Key: xxx
Key-Arg : xxx
PSK identity: xxx
PSK identity hint: xxx
Compression: xxx
Start Time: xxx
Timeout : xxx (sec)
Verify return code: 0 (ok)
What does verify return code 0 (ok) mean? How is it possible if a handshake error/alert occurred?
You are receiving a handshake failure alert from the server, which means that some other error is occurring; it is not the certificate validation that fails. You should look at the server-side logs for clues about what has failed.