I am trying a TLS connection to aws_iot core using openssl s_client.
openssl s_client -connect ajvldjdsdggr-ats.iot.us-east-1.amazonaws.com:8883 -CAfile AmazonRootCA1.crt
cert 6fceaadfd6a-certificate.pem.crt -key 6fceaadfd6a-private.pem.key
OUTPUT RECIEVED
CONNECTED(00000003)
And it is stuck at this point.
Can anyone please explain what might be the issue?
Related
I generated a ca-certificate, server-certificate and client-certificate using the guidelines of rabbitmq (https://www.rabbitmq.com/ssl.html#manual-certificate-generation)
But I keep getting an error Hostname mismatch when checking the certs with openssl s_server.
openssl s_server -accept 8443 -cert server_certificate.pem -key private_key.pem -CAfile ca_certificate.pem
openssl s_client -connect localhost:8443 -cert client_certificate -key private_key.pem -CAfile ca_certificate.pem -verify 8 -verify_hostname CN_NAME
RESULT:
Verify return code: 62 (Hostname mismatch)
When I read the hostnames, they both show the same..?
openssl x509 -in server_certificate -subject -noout
subject=CN = MyTestCA, O = server
openssl x509 -in client_certificate -subject -noout
subject=CN = MyTestCA, O = client
So I'm stuck why I'm getting the error 'Hostname mismatch'?
I'm dealing with an issue where python can't connect to a specific server over ssl due to openssl not being able to complete the handshake. Curl and my browser work. I've tried a couple of different openssl versions and solutions, but can't seem to connect.
Here is what I've tried on both of the following platforms. The output is printed slightly different on OpenSSL 1.0.1e, but it's still the same errors.
Mac OSX Yosemite - OpenSSL 0.9.8zg 14 July 2015
Debian GNU/Linux 7 (wheezy) - OpenSSL 1.0.1e 11 Feb 2013
Without specifying which version of
openssl s_client -connect www.uk-recruitment.net:443
openssl s_client -connect www.uk-recruitment.net:443 -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH'
openssl s_client -connect www.uk-recruitment.net:443 -CAfile cacert.pem -cipher 'DEFAULT:!ECDH' -servername uk-recruitment.net
but I always get the same result
CONNECTED(00000003)
66716:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:
If I add -tls1, -tls1_1 or -tls1_2 with all the same options, I get a slightly different error:
openssl s_client -connect www.uk-recruitment.net:443 -tls1
CONNECTED(00000003)
66750:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:1145:SSL alert number 80
66750:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s3_pkt.c:566:
The sites requires Server Name Indication (SNI) and SSL handshakes not using SNI will cause failure:
$ openssl s_client -connect www.uk-recruitment.net:443
CONNECTED(00000003)
139999237719712:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
With SNI instead it looks much better:
$ openssl s_client -connect www.uk-recruitment.net:443 -servername www.uk-recruitment.net
CONNECTED(00000003)
...
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
It might be that the -servername option is not available with OpenSSL 0.9.8, but it should be with OpenSSL 1.0.1.
I try to enable SSL for dovecot. So I generate/installed the certificates with openssl. But when I try to test the conncection the client reports errors. Maybe somebody could help me resp. point me into the right direction?
Command Line Input: openssl s_client -connect localhost:pop3s
Result/Error:
CONNECTED(00000003)
47751153546184:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
Dovecot version: 2.0.9
Openssl version: 1.0.1e-fips 11 Feb 2013
Dovecot config for SSL:
ssl = yes
ssl_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_key = /etc/pki/dovecot/private/dovecot.pem
OpenSSL comand line how the certs has been generated:
openssl req -new -x509 -newkey rsa:2048 -keyout private/dovecot.pem -out certs/dovecot.pem -days 365
Any hints are welcome. Thanks oyu in advance.
regards
Mark
For a more detailed error report that may help you debug the problem, try
openssl s_client -connect localhost:pop3s -debug
Can someone explain this behavior:
If I run an s_server with:
openssl s_server -key privateKey.key -cert certificate.crt -msg -no_tls1_1
And an s_client with:
openssl s_client -connect localhost:4433 -msg -no_tls1
I receive on the client:
3073448136:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:697:
And just Error on the server.
I find this very strange since they should be able to communicate over some other protocol except tls1 and tls1.1, for example ssl3 should work.
I am currently running OpenSSL 1.0.1 from 14 March 2012 (it's old I know, but is this really a bug, it feels like something I have not understood about OpenSSL)
i am trying to do push notification in my app and following this link
http://www.raywenderlich.com/3443/apple-push-notification-services-tutorial-part-12
my system has been successfully connected with telnet but when i enter the query for connecting ssl certificate and private key then found a error
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key.pem
unable to load client certificate private key file
1301:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
any one can tell me what type of error and what's the solution of it?
Thanks in advance
The following command is good enough to verify the key/cert:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert push_development.pem
The key part is to select both certificate and private key when exporting the .p12 from Keychain Access (you will be asked for 3 passwords, one for the .p12, one for the cert, one for the private key).
To convert .p12 to .pem, follow the instruction from Apple:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes
At first i was facing this problem too.
We have two files
1) one is aps_development.cer from apple
2) Another 1 is from the keychain access with the common name that we just created.
After that, both convert it to .pem files.
For example, cert.pem and key.pem.
After that combine this two files using below command
cat cert.pem key.pem > ck.pem
At first I openssl using below command.
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key key.pem
Which returns me the error you mentioned.
After that I try using
openssl s_client -connect gateway.sandbox.push.apple.com:2195
-cert cert.pem -key ck.pem
Then its working already. Hope this helps.
I was facing the same issue while I was generating a PEM file for Enterprise Distribution, but i figured out later that I generated a p12 file against the iPhone Distribution Certificate key though i should had generated the p12 against Apple Production iOS Push Servies key. Hope this may resolve the issue if any one had used the Distribution key.
Hello Please follow below commands.
step1
openssl pkcs12 -clcerts -nokeys -out developer_key.pem -in developer_key.p12
Note: just drag the file path on terminal...
step2
openssl pkcs12 -nocerts -out apns_key.pem -in apns_key.p12
step3
openssl pkcs12 -in developer_key.p12 -out developer_key.pem -nodes -clcerts
step4
openssl pkcs12 -in apns_key.p12 -out apns_key.pem -nodes -clcerts
step 5
cat apns_key.pem developer_ket.pem >developer.pem
DO the same step For Distribution certificates
After creating developer.pem and distribution.pem
Please verify both file in to below commands.
Step6
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert developer.pem -debug -showcerts -CAfile "Entrust.net.Certification Authority (2048).pem
A Notice is Pass Phrase must longer than 3 characters.
I have just fixed with pass Phrase is 1234 :D