To reach a target file, I must put specific Host Header in request, because server is using SNI.
My server's ip is 172.1.1.61 and mydomain.com is target host which can give me a file.
I tried to use a curl like that with no success:
curl -I --resolve mydomain.com:443:172.1.1.61 https://172.1.1.61:443/FederationMetadata/2007-06/FederationMetadata.xml -v
* Added mydomain.com:443:172.1.1.61 to DNS cache
* About to connect() to 172.1.1.61 port 443 (#0)
* Trying 172.1.1.61...
* Connected to 172.1.1.61 (172.1.1.61) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
Also I tried to use an openssl client:
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
And it has showed me a valid certificate, related to mydomain.com:
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = mydomain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=mydomain.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
some moar strings
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTkwNDAzMDQyODE3Wh==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mydomain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4609 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B020000BE0E627BF16F61C924ED4B90FF698F1868168A0467E0F359F98DE1FA
Session-ID-ctx:
Master-Key: (hidden)
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1602236714
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
But the last string is read:errno=104 what is equal to Connection Reset error.
As my last hope I'd installed a Modify Header Value plugin on my Chrome browser and made settings like that:
But still no connection:
What I did wrong?
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
But the last string is read:errno=104 what is equal to Connection Reset error.
The error you see here means that the connection reset happens in the final stages or directly after the TLS handshake. In this stage SNI is already used to select the certificate and the HTTP request with the Host header is not yet sent. This means that neither SNI nor the Host header are the actual problem here.
This means one can exclude wrong SNI and Host header as the possible reasons for the connection reset. A shared cipher is also found so this is also not a problem. It might be for example a missing client certificate or something else. Maybe the server logs will show.
Related
I have created a private mail server using iRedMail & Nginx. I have installed SSL certificates and keys into Nginx and iRedMail itself at the below locations. The server runs great and everything works via web mail. The browser agrees that the SSL certificate is valid and HTTPS works.
The issue is when I add the mail account to my email client, I get an invalid certificate error, and the same issue when using CalDav. It still works, but this makes me think that I'm missing some certificate install somewhere. Any suggestions? Thank you!
/etc/ssl/certs/iRedMail.crt
/etc/ssl/private/iRedMail.key
Here is the output of openssl s_client -showcerts -connect mail.bragsdale.dev:993
CONNECTED(00000003)
depth=0 CN = bragsdale.dev
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bragsdale.dev
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=bragsdale.dev
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...CERTIFICATE HERE...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=bragsdale.dev
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2064 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3DD2E8B607CF5B4ACECDB995078FDAE80C210097372B80CD1409E90A0A523E0A
Session-ID-ctx:
Master-Key: F1953ABEAC1024279DA6D0E17D26E3305E7C2A9589976FDFD2DBF22E4B6280415BC271E5228045B7D0C5E8A0B3921B11
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
....DATA HERE...
Start Time: 1551664367
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready
Fixed it. The problem was I wasn't using my intermediary certificate. See this answer for details.
A note, when I cat'ed the certificates together it was malformed, with the END CERTIFICATE/BEGIN CERTIFICATE being on one line. Easily fixed with a text editor.
I was previously able to access the site roughly a week or two ago. Lately, no matter what browser, computer, or device I use to access dmv.ca.gov from inside my network the SSL handshake fails and the site gives an empty response. I can access other sites, including ca.gov, but just not dmv.ca.gov. The handshake fails, I think, because I get no response from the server.
When I run openssl from my ubuntu box I get the following output:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959808
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
However, what I would expect is the following (same command on an AWS instance I have:
ubuntu#ip-10-0-144-141:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL_connect:error in unknown state
read R BLOCK
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 95814, ST = CA, L = Sacramento, street = "1325 J Street, Suite 1600", O = State of California, OU = Department of Motor Vehicles, OU = Hosted by State of California, OU = Multi-Domain SSL, CN = www.dmv.ca.gov
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:unknown state
read R BLOCK
---
Certificate chain
0 s:/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIRAJ2VHzZ23HIPwp3suYpAPogwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTgwNDI3MDAwMDAwWhcNMjAwNDI2MjM1OTU5WjCCAQQxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwU5NTgxNDELMAkGA1UECBMCQ0ExEzARBgNVBAcT
ClNhY3JhbWVudG8xIjAgBgNVBAkTGTEzMjUgSiBTdHJlZXQsIFN1aXRlIDE2MDAx
HDAaBgNVBAoTE1N0YXRlIG9mIENhbGlmb3JuaWExJTAjBgNVBAsTHERlcGFydG1l
bnQgb2YgTW90b3IgVmVoaWNsZXMxJjAkBgNVBAsTHUhvc3RlZCBieSBTdGF0ZSBv
ZiBDYWxpZm9ybmlhMRkwFwYDVQQLExBNdWx0aS1Eb21haW4gU1NMMRcwFQYDVQQD
Ew53d3cuZG12LmNhLmdvdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANICIjcwXvW6kwMzboV0jD0eTSfH6ZXTZWRW6cDCHKV+cn2Ut4AVjLduJ++3GH3T
XzGlBFKTjccs+CB3lZJCk/8CbCr0zWuxVvIn+EQlTU5bjxK8hpZxGMk4Xqck8UOQ
k3slP/DeQ6e59bxBiNXXfDSlMIti75oVN6Q9IKMNRSY78xOtIyath8EGS0QxeHmU
AlLvtreKPsi/s1zwc9sCi6o+KLthiQOBV0tBcaMwH3O0zWU6izo4urOZnGdtcEto
3WClQIODfDey2oMtJIZg7zi9U2PjInJHX/NHLbDTT/50C6gEuTsVDUecc51tlkuX
5/PPh7qBQeffLqeACCbi0AUCAwEAAaOCBA0wggQJMB8GA1UdIwQYMBaAFJrzK9rP
rU+2L7sqSEgqErcbQsEkMB0GA1UdDgQWBBQCpbBSuY1+fz9cPVBsP2qXDy7OgzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwUAYDVR0gBEkwRzA7BgwrBgEEAbIxAQIBAwQwKzApBggrBgEF
BQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQICMFoG
A1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JT
QU9yZ2FuaXphdGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYsGCCsG
AQUFBwEBBH8wfTBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMIHJBgNVHREE
gcEwgb6CDnd3dy5kbXYuY2EuZ292ggpkbXYuY2EuZ292gg5lZGwuZG12LmNhLmdv
doIRZWRsYXBwLmRtdi5jYS5nb3aCEXJlYWxpZC5kbXYuY2EuZ292ghFzdXJ2ZXku
ZG12LmNhLmdvdoISd3d3LmVkbC5kbXYuY2EuZ292ghV3d3cuZWRsYXBwLmRtdi5j
YS5nb3aCFXd3dy5yZWFsaWQuZG12LmNhLmdvdoIVd3d3LnN1cnZleS5kbXYuY2Eu
Z292MIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwDuS723dc5guuFCaR+r4Z5m
ow9+X7By2IMAxHuJeqj9ywAAAWMJf5JMAAAEAwBIMEYCIQClJmCF9j3SuP7g9By5
MtBXlmWmJkyVbdWi6kke6bhWcwIhAJwe9WqgMawyVYZ832Kf9av6pqqdTG/gSlM+
c3XXkeWaAHcAXqdz+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFjCX+U
YgAABAMASDBGAiEA1icqpmdKyGl4Wj1iYjxzt52uDsVlKR7m8VqEnd5ke4wCIQCp
9zFllGV53sreB5FvPv8R51l91/JSlup21Sf3me+ugQB2AFWB1MIWkDYBSuoLm1c8
U/DA5Dh4cCUIFy+jqh0HE9MMAAABYwl/kmwAAAQDAEcwRQIgfYoeUJVqJm6+hVwT
IJIxsIuOrBHOT9qCALxHknWXRqoCIQCZStG+T0f+FTPhbhmpmSTRv5cccuuxHEIh
iVo/R+hHMzANBgkqhkiG9w0BAQsFAAOCAQEAYzW4ZehiSJGiEAd+yg3pvYlzD3E7
WYbU8zzBXzo6CoPlpV5Ev4XHUXqawZ5tQO9H03yFHhoSjymLsnIa5URhday0z81s
yIasFymBYGwyccRgzX4Qd6V3tiArY7zDY9Hf00/yp9SSJe6a4KX/aCibsGnX/DIq
91RJNdGfOjd/94jMz9X/umrlvLWJ9ZqVMZYycLO9hkgGdYJQjYDf0wFd+jQ+c+b5
BjVOuO0HHWMfkE+CprcwNSJFzcKHuRUX0gn7EmiYebOLf2P5sRpMN51NQBD0RCSg
ZPOqG1ImhxRaWREfMm4uXJIYZeFU+Xt1NS+gCw752lm4tibJnn3wG1lVYg==
-----END CERTIFICATE-----
subject=/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5576 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 789084EE893DD466F4A9A06493691CAF46BCFC14728AF6FBB2A5D6AFEFAEE9CE
Session-ID-ctx:
Master-Key: F88F1EF27749B19B08AC56049072A8C69534D0157E0642CB73952DA1A1F66371C3C32C05AEA248A9272D16D6766483CB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959941
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
DIG gives me the same dns records, so I know I'm connecting to the correct server.
At this point I'm running out of ideas. So, I ask of you all, what can I look at or test next?
I've got an actiontec router provided by Verizon, if there are any settings located on that device I need to check.
EDIT: With tls and curl and wget:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1_2
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398652
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398670
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ curl dmv.ca.gov
curl: (56) Recv failure: Connection reset by peer
captain#HARM01NGINX01:~$ wget dmv.ca.gov
--2018-07-23 19:18:52-- http://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:18:57-- (try: 2) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:03-- (try: 3) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:10-- (try: 4) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... ^C
captain#HARM01NGINX01:~$ wget https://dmv.ca.gov
--2018-07-23 19:19:21-- https://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:443... connected.
Unable to establish SSL connection.
I have a website hosted on a VPS running CentOS 6 and running fine. Now I have to make it accesible with SSL, so I configured /etc/httpd/conf/httpd.confand /etc/httpd/conf.d/ssl.conf to make httpd listen to port 443, then binding the virtualhost related to the website to the same port.
The apparent result of the whole configuration may be resumed by the following diagnostics that also resumes some tests I performed (I masked data where necessary, and my.site.com is dummy):
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
# httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 my.site.com (/etc/httpd/conf.d/ssl.conf:74)
*:80 my.site.com (/etc/httpd/conf/httpd.conf:1022)
*:8888 my.site.com (/etc/httpd/conf/httpd.conf:1045)
Syntax OK
# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=2 O = [Some authority here], CN = [Some authority here] Root CA X3
verify return:1
depth=1 C = US, O = [Some authority here], CN = [Some authority here] X3
verify return:1
depth=0 CN = my.site.com
verify return:1
---
Certificate chain
0 s:/CN=my.site.com
i:/C=US/O=[some authority here]/CN=[some authority here] X3
1 s:/C=US/O=[some authority here]/CN=[some authority here] X3
i:/O=[some authority here]/CN=[Some authority here] Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[some certificate codes here]
-----END CERTIFICATE-----
subject=/CN=my.site.com
issuer=/C=US/O=[some authority here]/CN=[some authority here] X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3672 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: [some coding here]
Session-ID-ctx:
Master-Key:
[some coding here]
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
[other codes here]
Start Time: 1483709215
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
# openssl s_client -connect [my.site.com's IP] -state -nbio 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL handshake has read 3672 bytes and written 373 bytes
SSL-Session:
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
# iptables -L -v | grep https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
# netstat -lnp | grep 443
tcp 0 0 :::443 :::* LISTEN 22682/httpd
Now, the website is still responding via the usual browser http://my.site.com address, while it return ERR_CONNECTION_TIMED_OUT if trying https://my.site.com.
Furthermore, accessing by remote I obtain:
# openssl s_client -connect [my.site.com's IP:443]
connect: No route to host
connect:errno=113
So, what is the problem or how can I investigate its origin?
Thanks in advance for your help.
I've enabled SSL for a distributed database (cassandra), where each of the peers have the same keystore and trustore files. I've imported the Comodo signed certificate into the keystore, and also the intermediate and root certificates provided by Comodo. Into the truststore I've uploaded the root certificate and the intermediates. Below is the output I'm getting when I run a openssl s_client. I'm getting the below mentioned error:
139810559764296:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate:s3_pkt.c:1259:SSL alert number 42
139810559764296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:184:
At the end of the message however I get "Verify return code: 0 (ok)".
The cluster seems fine and the peers are able to recognize each other though.
openssl s_client -host example.xyz -port 10145
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network,
CN = AddTrust External CA Root
verify return:1 depth=2 C = GB, ST = Greater Manchester, L = Salford,
O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford,
O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure
Server CA
verify return:1 depth=0 C = US, postalCode = *****, ST = **, L =
*****, street = ****, O = ****, OU = dvrci1, OU = ******, OU = ******, CN = hostname
verify return:1140115008423752:error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL
alert number 42 140115008423752:error:140790E5:SSL
routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184: SSL
handshake has read 6648 bytes and written 354 bytes New, TLSv1/SSLv3,
Cipher is AES128-SHA Server public key is 2048 bit Secure
Renegotiation IS supported Compression: NONE Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 57EBD44A5F04D45A44137682F375F1BFE2C45B27182927FC23F7255FC0B37226
Session-ID-ctx:
Master-Key: A771BCAFB4DD8CC3D8C476F9DBA542998EC5CE926ADB4612C433668D515F03C38D519D6CE2434F52
4273320CF24476FC
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1475080428
Timeout : 300 (sec)
Verify return code: 0 (ok)
I am working with the example apps in the "Networking Security with OpenSSL" book and up until now have been able to get client/server examples 1,2,3 to work. But now I'm trying to connect to an in-house tool but I'm getting the error "error 18:self signed certificate". Despite this error when I run my app (essentially client3), when I use s_client with the very same credentials...it works.
I suspect that it has something to do with the ssl/tls api combination that I use in my 'client3' app.
Here's the command and output for s_client that connects to the in-house tool which works:
~/tls/client$ openssl s_client -connect 192.168.1.99:16001 -CAfile ../_security/SipInspector/certificate.pem -key ../_security/client.pem
Enter pass phrase for ../_security/client.pem:
CONNECTED(00000003)
depth=0 C = CA, ST = Ontario, L = Ottawa, O = SIP Inspector Ltd, OU = Development, CN = 192.168.1.99
verify return:1
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99
i:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFxTCCA62gAwIBAgIJALKQ3J5SEyjPMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
BAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExGjAYBgNV
BAoMEVNJUCBJbnNwZWN0b3IgTHRkMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEVMBMG
A1UEAwwMMTkyLjE2OC4xLjk5MB4XDTE2MDUyNzE4NDEyM1oXDTE3MDUyNzE4NDEy
M1oweTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDzANBgNVBAcMBk90
dGF3YTEaMBgGA1UECgwRU0lQIEluc3BlY3RvciBMdGQxFDASBgNVBAsMC0RldmVs
b3BtZW50MRUwEwYDVQQDDAwxOTIuMTY4LjEuOTkwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQC2iZxPwl3McyfpNqhsNX6yqccHjBMvr6hVwnYI8jokmUJq
/X6nUEiamvQmMR9EaO4VgY7pMZSiDYAOEnWT6y8KiKES1AQu1d6Yzi+GJwbQYcyt
Mr8h+YkmW091F/xPB4RLABHqmZWC3QCoZ6yP4UGkKpJnvGSWvgKjG2OJGi8gaKkp
WlOscWQRlHq85i+ekaha127q4f8YkWXjt5fyU7BH8xk4E/OQ5zJyFrD/GL5LM/wh
XlPBrxB+A3Nm570EzhVFNjaG8PRIKnPpcoMUbslgZX6veEgYq3JcEUh+qIHTZqBB
ebiU5XsIwsKfdO1GZ6mFwnysRWrGymA6cTGVrhTtrsV1knWuV9citwaurysyW9S3
KMr5Ubj6uXQoWkt+yk2l9jtcxr/K0swXSxqvvhKSu8WaZd09SLyfkYA/wJ+LB//u
gE7bXVI2LRr8N4C1mVm3vFETcW1wjxCRSfLFSDsryhGp+6fXKI28KRQCU4ZZe53P
GFREj0VQfjsuSKDJX0M0PC9eNLNYTkPWsLCCcohEIuUgIaiQcILW/3bsgHyxQRz9
ljVkjQV0r5YBLIBXMbV4dH8ZKs/2A/oFXQ6UhH0oAm7o9ti65NdaG5/k904bhvOx
XFJzmYgSaN8KXZg30vE35ouA34DEVkb6pHY2qLxokKG5pacAb35+5aVu/AaH0QID
AQABo1AwTjAdBgNVHQ4EFgQUZ78GCtQa4uhoka8uC0hPdw8/I1AwHwYDVR0jBBgw
FoAUZ78GCtQa4uhoka8uC0hPdw8/I1AwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAViIHJNe36qRjb/gOWdaqJtvPv3wAx/y7fZuMZhYQQVs7EKuKpPoI
nD+n6lluLn/cMQxN2qSLSsaGh2e3I4TThWu4D6pQkz+4DVCvAkKK5BfLpzAhbPla
ojSwPmu5ekl754FhJuiDy6WSRtWyKhReCF6tlbwRE2/DsWXeDnn08XtwGE27gwiR
I69wygaQFMXppXrQGWFmHobHYuVBJ1xHj4+i3TdmKli0PobASu3ley8KT6sKvx8F
VKJt8a+cVWj+6ctGPSWvFVJsNNdS8al/7GPnRdMFr+KSC9htjvM9orWV+YrOMPzb
YFauf3FHV23btZxD7OcXFdxLSFxTG3VHV4utKGmDd8IJ/JF4Z7Kkfci+7qbCDxaf
520p531E9H4C0UkccqRavvBsfBJbX0u6Ry/l4glaJSAA2vnGjjh7gMYJnmL1mOKy
BOLYvCkbMqrX/BQBXI44zI0BCeMyXngvvhE+aE3XFmfSYDaMWqma8KsKSxSHUbrK
CacCgoJJbXSqv/Clu5KEM4n2/GPFE9ZhXVJt3MKvTEC0rf3mBQnU6S+NpwLvqBKg
pt/q5/gKqRFbjyL0LDNz49vaSUYvbu3mgF2480Or4X+GPwemwdxJaF1pQw4C1WaF
RyfVjDrLNhTvv+zKCbEPyrjXCweNVRVcp8lZ8R0HmXwfgevlCNz/GQo=
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99
issuer=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99
---
No client certificate CA names sent
---
SSL handshake has read 2309 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-DES-CBC3-SHA
Session-ID: 5755C781D91CF3177DF624EA3599EE430DAB4790F325FAD9378FEAE7731C4497
Session-ID-ctx:
Master-Key: D149008E43E29D658D29418C9F770B3D6018B1D7CA2F493027B0AC7C3BA8E53B572B68C371153568B8988A1E5F351839
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1465239425
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Here's the command and output when I run my app that tries to connect to the same in-house tool which fails:
carl#ubuntu:~/tls/client$ ./client3 192.168.1.99
Enter PEM pass phrase:
connecting to 192.168.1.99:16001
-Error with certificate at depth: 0
issuer = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development /CN=192.168.1.99
subject = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector Ltd/OU=Development/CN=192.168.1.99
err 18:self signed certificate
** client3.c:94 Error connecting SSL object
139788992993088:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1180:
carl#ubuntu:~/tls/client$
Here are the api's I call in the my app that utilize the same credentials used by the s_client command:
SSL_CTX_new(SSLv23_method());
SSL_CTX_load_verify_locations(ctx, "../_security/SipInspector/certificate.pem", NULL)
SSL_CTX_use_PrivateKey_file(ctx, "../_security/client.pem", SSL_FILETYPE_PEM)
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
SSL_CTX_set_verify_depth(ctx, 4);
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
And also I used the openssl verify command to double check the certificate against itself (not sure if this really does anything).
Any help would be appreciated.
Problem solved. Turned out to be the certificate check routine was checking against incorrect information in the received certificate.