I'm playing around with openssl s_client and I tried sending various payloads with/without padding and analysing the stack trace output. One case I don't understand is when I send empty bytes without padding I see the following output:
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
write to 0x107ede0 [0x109a7f3] (24 bytes => 24 (0x18))
0000 - 17 03 03 00 13 a2 03 0c-67 c0 aa 77 08 7d 37 cb ........g..w.}7.
0010 - 39 82 68 19 ba a2 39 bd-
I used a 16-byte aead tag cipher and since the content type field is 1 byte I would expect the total payload size to be 16 + 1 = 17 bytes. However, as evident in the stack trace openssl wrote a record with header 17 03 03 00 13 or 0x13 = 19 bytes. Why was 19 bytes sent instead of the expected 17 bytes? What are these two bytes?
I have a WEB application deployed to Tomcat server. I connect to it with Chrome browser with HTTPS but I have decrypt error during TLS handshaking on the client side after ServerKeyExchange.
Certificates (3 levels):
Server certificate, signed by...
CA certificate, signed by...
Root certificate (self signed)
I validated certificates with openssl and they seem to be fine (chain.cer contains CA and root certificates):
$ openssl verify -verbose -CAfile chain.cer server.cer
server.cer: OK
If I test connection with OpenSSL I get error after client reads ServerKeyExchange:
openssl.exe s_client -CAfile chain.cer -showcerts -state -msg server.net:8443
output:
CONNECTED(00000004)
>>> ??? [length 0005]
16 03 01 01 4f
>>> TLS 1.3, Handshake [length 014f], ClientHello
01 00 01 4b 03 03 81 63 a4 15 45 bf 7f 9b 07 8f ...
<<< ??? [length 0005]
16 03 03 09 14
<<< TLS 1.3, Handshake [length 0055], ServerHello
02 00 00 51 03 03 60 ef d0 8b 1c d7 9a 78 2d d4 ...
<<< TLS 1.2, Handshake [length 07ee], Certificate
0b 00 07 ea 00 07 e7 00 07 e4 30 82 07 e0 30 82 ...
depth=2 O = Amadeus IT group SA, CN = amarootca2
verify return:1
depth=1 O = Amadeus IT group SA, CN = amacatech3
verify return:1
depth=0 C = FR, L = Nice, O = Amadeus Data Processing, OU = NIS, CN = nceiptapas04.nce.amadeus.net
verify return:1
<<< TLS 1.2, Handshake [length 00cd], ServerKeyExchange
0c 00 00 c9 03 00 17 41 04 82 07 58 e1 cd 42 40 ...
>>> ??? [length 0005]
15 03 03 00 02
>>> TLS 1.2, Alert [length 0002], fatal decrypt_error
02 33
34359738384:error:04091077:rsa routines:int_rsa_verify:wrong signature length:crypto/rsa/rsa_sign.c:132:
34359738384:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:ssl/statem/statem_clnt.c:2405:
---
Cannot client decrypt DH parameters sent by server? Why?
Here is Wireshark details from ServerKeyExchange:
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Length: 128
I have another but properly working WEB application where I have the same Signature Algorithm but the Signature Length: 256. Or this length is irrelevant?
I am trying to implement a SSL client into my IoT project. I have copied the SSL_Client example I found in STM32Cube_FW_F7_V1.15.0 into my project and was able to compile succesfully. However the SSL handshake fails with -0x7780 MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE. I attach the console debug output:
. Seeding the random number generator... ok
. Loading the CA root certificate ... ok (1 skipped)
. Connecting to tcp/www.google.de/443... ok
. Setting up the SSL/TLS structure... ok
. Performing the SSL/TLS handshake...=> handshake
client state: 0
=> flush output
<= flush output
client state: 1
=> flush output
<= flush output
=> write client hello
client hello, max version: [3:3]
dumping 'client hello, random bytes' (32 bytes)
0000: 88 d9 c4 b1 4f 82 ef a2 74 80 5c 6e 3f c4 29 ca ....O...t.\n?.).
0010: a4 8d 61 2b f6 37 ec 93 39 cb 7d d0 39 5a 67 9b ..a+.7..9.}.9Zg.
client hello, session id len.: 0
dumping 'client hello, session id' (0 bytes)
client hello, add ciphersuite: c02b
client hello, add ciphersuite: c031
client hello, add ciphersuite: c02d
client hello, add ciphersuite: 00a8
client hello, got 4 ciphersuites (excluding SCSVs)
adding EMPTY_RENEGOTIATION_INFO_SCSV
client hello, compress len.: 1
client hello, compress alg.: 0
client hello, adding server name extension: mbed TLS Server 1
client hello, adding signature_algorithms extension
client hello, adding supported_elliptic_curves extension
client hello, adding supported_point_formats extension
client hello, adding encrypt_then_mac extension
client hello, adding extended_master_secret extension
client hello, total extension length: 62
=> write handshake message
=> write record
output record: msgtype = 22, version = [3:3], msglen = 117
dumping 'output record sent to network' (122 bytes)
0000: 16 03 03 00 75 01 00 00 71 03 03 88 d9 c4 b1 4f ....u...q......O
0010: 82 ef a2 74 80 5c 6e 3f c4 29 ca a4 8d 61 2b f6 ...t.\n?.)...a+.
0020: 37 ec 93 39 cb 7d d0 39 5a 67 9b 00 00 0a c0 2b 7..9.}.9Zg.....+
0030: c0 31 c0 2d 00 a8 00 ff 01 00 00 3e 00 00 00 16 .1.-.......>....
0040: 00 14 00 00 11 6d 62 65 64 20 54 4c 53 20 53 65 .....mbed TLS Se
0050: 72 76 65 72 20 31 00 0d 00 0a 00 08 04 03 04 01 rver 1..........
0060: 03 03 03 01 00 0a 00 04 00 02 00 17 00 0b 00 02 ................
0070: 01 00 00 16 00 00 00 17 00 00 ..........
=> flush output
message length: 122, out_left: 122
ssl->f_send() returned 122 (-0xffffff86)
<= flush output
<= write record
<= write handshake message
<= write client hello
client state: 2
=> flush output
<= flush output
=> parse server hello
=> read record
=> fetch input
in_left: 0, nb_want: 5
in_left: 0, nb_want: 5
ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
<= fetch input
dumping 'input record header' (5 bytes)
0000: 15 03 03 00 02 .....
input record: msgtype = 21, version = [3:3], msglen = 2
=> fetch input
in_left: 5, nb_want: 7
in_left: 5, nb_want: 7
ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
<= fetch input
dumping 'input record from network' (7 bytes)
0000: 15 03 03 00 02 02 28 ......(
got an alert message, type: [2:40]
is a fatal alert message (msg 40)
mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
mbedtls_ssl_read_record() returned -30592 (-0x7780)
<= handshake
failed
! mbedtls_ssl_handshake returned -0x7780
I am thankfull for every hint in the right direction.
client hello, adding server name extension: mbed TLS Server 1
The client is using the SNI extension to indicate that it wants to talk to mbed TLS Server 1. The server on port 443 of www.google.de can respond as www.google.de, google.de and a bunch of other names that Google controls, but it does know about mbed TLS Server 1, so it sends a fatal alert indicating that it cannot complete the handshake.
You can use the sample client as is to talk to the sample server whose source code should be next to it. To contact another server, you need to change or remove the call to mbedtls_ssl_set_hostname.
I have a Redis cluster that I wish to setup stunnel on for the purpose of encrypting traffic to and from each master/slave, and to and from the HAproxy layer above redis. I have configured stunnel with the following configuration file:
pid=/var/stunnel-redis.pid
foreground = yes
debug = info
output = stunnel.log
sslVersion = all
#options = NO_SSLv2
fips = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[redis-server]
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
TIMEOUTclose = 0
accept = 0.0.0.0:7001
connect = 127.0.0.1:7002
[redis-client]
client = yes
accept = 127.0.0.1:7002
connect = 127.0.0.1:6379
CAfile = /etc/stunnel/redis.pem
verify = 0
EDIT I should explain how each service is setup, network-wise.
redis-server binds 127.0.0.1:6379
stunnel redis-server binds 0.0.0.0:7001
stunnel redis-client binds 127.0.0.1:7002
A redis client connection will connect to stunnel's redis-server on 0.0.0.0:7001. Stunnel will then connect to the redis-client on 127.0.0.1:7002, and stunnel's redis-client will connect to the redis server on 127.0.0.1:6379.
When attempting to run redis-cli -h my_remote_stunnel_ip -p 7001 I receive the following error in the logs:
2017.01.31 09:45:11 LOG3[16062]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017.01.31 09:45:11 LOG5[16062]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
I have tried disabling the redis-client section in the config, I have tried changing sslVersion to sslVersion = TLSv1, sslVersion = TLSv1.2. When I change sslVersion to sslVersion = TLSv1 I receive the following error upon attempting connection:
2017.01.31 09:38:33 LOG3[15830]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Is this due to a version mismatch? And if so, how? Both daemons are running on the same host.
EDIT:
Output of openssl s_client -connect :7001 -tls1:
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2452 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0A05C63AA7596D37B4D18B5CF377213A0B245B681E3E1CD28506E877311A862A
Session-ID-ctx:
Master-Key: 54EE658224A3BB08E25416F05CBCAB5D58EA075E7C157AEE31B94D2AA289CE694558CDF27B3EA0B8FB90738C3EEE4EE8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 12 55 cd c7 bc ab e8 6c-c7 e7 ca 9c 05 bf 5b dd .U.....l......[.
0010 - bb 17 b9 d5 68 e0 be 54-a1 b6 06 00 0a fe db 17 ....h..T........
0020 - 4a 89 93 6b 95 18 1e be-45 f9 cb a8 6c 07 5b 45 J..k....E...l.[E
0030 - ef 47 60 b7 0d 7e 51 95-ca 68 48 5f 03 5b d9 0e .G`..~Q..hH_.[..
0040 - 62 0b f5 33 bb b6 ce 03-6d d7 d3 69 12 de 3a 63 b..3....m..i..:c
0050 - db 8d 98 ba ac e6 e1 f8-9a f1 b1 50 5e 63 1a 24 ...........P^c.$
0060 - 9c ad 1d a8 ef 85 9d 64-9a 00 d7 76 b3 77 73 05 .......d...v.ws.
0070 - dc 04 94 ae c3 c7 89 3e-26 c1 25 d7 a7 f2 45 97 .......>&.%...E.
0080 - f8 2d e9 21 cc 7c 44 e2-a8 3d 93 00 e5 09 d0 38 .-.!.|D..=.....8
0090 - 53 4f 22 fd 75 52 37 f8-3d c5 0e 22 5a 55 b4 8b SO".uR7.=.."ZU..
Start Time: 1485881728
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=104
I have been struggling with the configuration of WSO2 ESB for a few days now when trying to access an https web service. I have followed numerous pieces of advice and what I have done so far is to
import the web service client certificate into client-truststore.jks in repostory/resources/security
added proxy access parameters to repository/conf/axis2/axis2.xml (because the ESB is behind corporate firewall)
added AllowAll parameter to transportSender https in axis2.xml
restarted esb and still get the exception
http-nio-9443-exec-50, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-50, WRITE: TLSv1 Alert, length = 2
http-nio-9443-exec-50, called closeSocket()
http-nio-9443-exec-50, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching my.domain.com found
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 154
I am using jdk1.6_34 and tried with WSO2 ESB 4.5.1 and 4.6 with the same results.
The logging is showing the ssl handshake being started but then ends with the error above. All the googling suggests that the hostnameverifier parameter should do the trick but clearly doesn't. Is there somewhere else I should be configuring this or if this parameter is being overridden somewhere else? I have run out of options and places to look with this.
Edit:
I have had another attempt at this and by setting the host name in my hosts file to the CN specified in the client certificate I can now get a bit further but I am now getting another error which I can't seem to fathom out.
The specific error is "... no IV used for this cipher", but with the debug trace being
Found trusted certificate:
[
[
Version: V1
Subject: CN=mydomain.com, O=my o, ST=INTERFACES, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:#### loads of numbers here ####
public exponent: 65537
Validity: [From: Mon Apr 22 14:26:25 BST 2013,
To: Tue Apr 22 14:26:25 BST 2014]
Issuer: CN=ath-st2-API-a, O=Northgate IS, ST=INTERFACES, C=GB
SerialNumber: [ a4cf31a6 9c0d920d]
]
Algorithm: [SHA1withRSA]
Signature:
### signature here ###
]
http-nio-9443-exec-13, READ: SSLv3 Handshake, length = 98
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=mydomain.com, O=my o, ST=INTERFACES, C=GB>
*** ServerHelloDone
http-nio-9443-exec-13, SEND SSLv3 ALERT: warning, description = no_certificate
http-nio-9443-exec-13, WRITE: SSLv3 Alert, length = 2
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 132
SESSION KEYGEN:
PreMaster Secret:
###master secret here ####
CONNECTION KEYGEN:
Client Nonce:
0000: 52 45 86 22 10 B0 E2 EF 19 10 B1 04 ED C9 6F B0 RE."..........o.
0010: C3 8E BC D6 2C C9 5E D0 CA 8E 88 6B 22 53 1D B0 ....,.^....k"S..
Server Nonce:
0000: 52 45 86 23 B0 56 30 EC 84 F0 48 C1 F7 31 0C 5C RE.#.V0...H..1.\
0010: 43 B3 CB 25 DA 19 4C 0E B1 71 CB 17 8E 0C 62 04 C..%..L..q....b.
Master Secret:
0000: C3 F4 6B 9B EB 50 67 BD 6C A8 F0 63 88 A1 5A C7 ..k..Pg.l..c..Z.
0010: E5 CD A4 9A 46 95 3F B3 13 2D 4E BF 77 2C 64 86 ....F.?..-N.w,d.
0020: 44 D2 89 B5 09 EE 96 E5 8B 8D E2 30 04 09 F2 D3 D..........0....
Client MAC write Secret:
0000: F7 76 83 C9 16 F5 CB 33 E3 43 3F 7B 68 2E 8A 6F .v.....3.C?.h..o
Server MAC write Secret:
0000: CC FB 14 CE 21 AD C8 BC 20 C1 A5 2B 0B 2B 83 35 ....!... ..+.+.5
Client write key:
0000: 9C 9E FA A5 68 6E 27 2C E0 6E 80 9D ED C9 1C 01 ....hn',.n......
Server write key:
0000: B7 5A 24 DD 6F 65 5A 7E C8 AD 4A 29 E4 09 08 6D .Z$.oeZ...J)...m
... no IV used for this cipher
http-nio-9443-exec-13, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 174, 247, 182, 190, 5, 104, 242, 127, 216, 79, 94, 15, 215, 236, 236, 211, 30, 51, 116, 56, 138, 144, 19, 125, 0, 54, 52, 114, 173, 138, 170, 166, 24, 67, 108, 102 }
***
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 56
http-nio-9443-exec-13, READ: SSLv3 Alert, length = 2
http-nio-9443-exec-13, RECV SSLv3 ALERT: fatal, handshake_failure
http-nio-9443-exec-13, called closeSocket()
http-nio-9443-exec-13, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert
: handshake_failure
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 154
http-nio-9443-ClientPoller-0, called closeOutbound()
http-nio-9443-ClientPoller-0, closeOutboundInternal()
http-nio-9443-ClientPoller-0, SEND TLSv1 ALERT: warning, description = close_notify
http-nio-9443-ClientPoller-0, WRITE: TLSv1 Alert, length = 32
Finalizer, called close()
Finalizer, called closeInternal(true)
I have tried passing https.protocols=SSLv3,SSLv2Hello or https.protocols=SSLv3 in the axis2 config file as a to the https sender transport but this doesn't help either.
Suggestions welcome.
thanks
Conrad