I have my system running in OpenShift 3.11.
I have to implement an https/REST integration with a legacy Java 1.6 system, which supports SSLv3 only.
Thus I had to enable SSLv3 encryption on my web server and I'm using passthrough mode for my OpenShift routes.
When I run openssl s_client -connect localhost:4430 -ssl3 inside my pod's terminal to test the SSLv3 connection, everything's fine:
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = Test Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 CN = Test Root CA 2
verify return:1
depth=1 DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
verify return:1
depth=0 C = RU, ST = Some-State, L = Moscow, O = Sberbank, OU = MMB, CN = ift-spod.apps.test-ose.ca.sbrf.ru, emailAddress = Melnikov.D.Alek#sberbank.ru
verify return:1
---
Certificate chain
0 s:C = RU, ST = Some-State, L = Moscow, O = Sberbank, OU = MMB, CN = ift-spod.apps.test-ose.ca.sbrf.ru, emailAddress = Melnikov.D.Alek#sberbank.ru
i:DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
1 s:DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
i:CN = Test Root CA 2
2 s:CN = Test Root CA 2
i:CN = Test Root CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGlTCCBH2gAwIBAgIKK+85IAABAABHwDANBgkqhkiG9w0BAQsFADBjMRIwEAYK
CZImiZPyLGQBGRYCcnUxFDASBgoJkiaJk/IsZAEZFgRzYnJmMRIwEAYKCZImiZPy
LGQBGRYCY2ExIzAhBgNVBAMTGlNiZXJiYW5rIFRlc3QgSXNzdWluZyBDQSAyMB4X
DTE5MTEyOTA5NDAyMloXDTIyMDMwMjA5NTAyMlowgawxCzAJBgNVBAYTAlJVMRMw
EQYDVQQIEwpTb21lLVN0YXRlMQ8wDQYDVQQHEwZNb3Njb3cxETAPBgNVBAoTCFNi
ZXJiYW5rMQwwCgYDVQQLEwNNTUIxKjAoBgNVBAMTIWlmdC1zcG9kLmFwcHMudGVz
dC1vc2UuY2Euc2JyZi5ydTEqMCgGCSqGSIb3DQEJARYbTWVsbmlrb3YuRC5BbGVr
QHNiZXJiYW5rLnJ1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzSxN50/1A
vSwAaiUxYAR6o/6TPR4XdZPB5wqkmYg9813Sz1pShNrcf/ZXmxCzM1/E3WPwCJGT
YLJI8UzNy1Txj/GoC4sFMhqb4o+Wd42xB8FsYxMxuhtHQQlSFxsSCtgHLX7sXade
0HGdgH9Bn+pMvuw3YSCTdnd3+r2fBU1HCQIDAQABo4ICgzCCAn8wHQYDVR0OBBYE
FKa+/qrCaeji3EoR8aM4GP0hsWwbMB8GA1UdIwQYMBaAFFFf6r4mHk0gWLyLSxqv
9gWMoXUyMIIBbAYDVR0fBIIBYzCCAV8wggFboIIBV6CCAVOGRWh0dHA6Ly9wa2ku
c2JlcmJhbmsucnUvcGtpL2NkcC9TYmVyYmFuayUyMFRlc3QlMjBJc3N1aW5nJTIw
Q0ElMjAyLmNybIaBwGxkYXA6Ly8vQ049U2JlcmJhbmslMjBUZXN0JTIwSXNzdWlu
ZyUyMENBJTIwMixDTj1UVi1DRVJULVVCLENOPUNEUCxDTj1QdWJsaWMlMjBLZXkl
MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxEQz1VbmF2YWlsYWJsZUNvbmZpZ0ROP2Nl
cnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0
cmlidXRpb25Qb2ludIZHaHR0cDovL2ludHBraS5jYS5zYnJmLnJ1L3BraS9jZHAv
U2JlcmJhbmslMjBUZXN0JTIwSXNzdWluZyUyMENBJTIwMi5jcmwwgb4GCCsGAQUF
BwEBBIGxMIGuMFQGCCsGAQUFBzAChkhodHRwOi8vcGtpLnNiZXJiYW5rLnJ1L3Br
aS9haWEvU2JlcmJhbmslMjBUZXN0JTIwSXNzdWluZyUyMENBJTIwMigxKS5jcnQw
VgYIKwYBBQUHMAKGSmh0dHA6Ly9pbnRwa2kuY2Euc2JyZi5ydS9wa2kvYWlhL1Ni
ZXJiYW5rJTIwVGVzdCUyMElzc3VpbmclMjBDQSUyMDIoMSkuY3J0MAwGA1UdEwEB
/wQCMAAwDQYJKoZIhvcNAQELBQADggIBACmeFCWueax33BfBpOAykyZsKoAe2hNM
UZX8nbomw49w06KKjqfKdYtJfvW1rBpbUWyWr3980vpUjuqjdF3OyIO5BP1URmoU
6pc5M9WxZNHZbLwh6qtGUYB1za6ghVFmVlteKoONnPv74DDWA76Zc3pdzvkiyW5V
/V5iLsreUdoiUItBUETwJQcvDmHoQ1Y55saSHoJGKxLyclGjT79yZZFau6LWgDfd
OOpyI07SvrCvsV+TIv5Pp6oYLLMVJ2j8vWk6A0q/zfX5nMAwehNF8PY7i5SGr4Pe
q1EFpf1ja1cRyjaZhAjqLmFmcd3uFyCqRDqphRuDVc11RTfvTOybjoRCYx1MtkwW
VEdJBR1UX7bvoVCqWikiG9VU5earB7lcJAtTZthchpQZ36hAitD9PhaclByXVCyT
p+3/l4ZJx0haJruOYXb0EoeUSpH4sSkW7A1T6ue8rdI9xOpKAJLhuXcWVKzzWYPs
18YFekivgOcugYbux6yQo2fa8ekRP+z0lfEo4Pn+008HpGWhZKc+ZgsAa4bdecV7
fua4G1j5NXGn0r8kuaZnzUytdWza/It/TMZ6dTiKLCKKdEz9msRJk6HTOhakDfdM
SKJYworIrqa52CRFyIV3d39oNo0E1O6Y3X7uShJ7QVFRJj1vyqDdKKaYGwFWR+cr
oP19+obIZubH
-----END CERTIFICATE-----
subject=C = RU, ST = Some-State, L = Moscow, O = Sberbank, OU = MMB, CN = ift-spod.apps.test-ose.ca.sbrf.ru, emailAddress = Melnikov.D.Alek#sberbank.ru
issuer=DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
---
No client certificate CA names sent
---
SSL handshake has read 5893 bytes and written 270 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID: ED516AC9E327AECF04ACA14AEB9BD5D5FCDD4337DEB0D446E23A23063325A8B0
Session-ID-ctx:
Master-Key: 34B45454DA572634B1F1DD24CCF98BEE7CED7B878C16DB554E6D3AF1B1B43E8E1DE2598C2A90CA106137B603472E8BA8
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1576863631
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
But when I try to connect via the external interface (or from any other machine), I get:
openssl s_client -ssl3 -connect ift-spod.apps.test-ose.ca.sbrf.ru:443
CONNECTED(00000003)
140494325270400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1536:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1576864292
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Yes, I got confirmation from the team that manages OpenShift in my organization that HAProxy was blocking SSLv3.
Related
I am running openssl to check if a web server supports TLS 1.0. Looking at the response it seems it does not, since the SSL-Session cipher is 0000, but an SSL session is established.
But when I scan my server through https://www.ssllabs.com/ it says that TLS version 1.0 is supported.
So I am not sure what exactly is happening.
I am using Apache as the web server and have already checked there; TLS v1.0 is disabled.
Also, when running the same scan against another similar setup, everything works as expected and https://www.ssllabs.com/ also says TLS 1.0 is not supported.
C:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect test.server.cloud:443 -servername test.server.cloud -tls1
CONNECTED(00000140)
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.server.cloud
verify return:1
E81F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:ssl\statem\statem_clnt.c:2252:
---
Certificate chain
0 s:CN = *.server.cloud
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 2 15:55:04 2022 GMT; NotAfter: Feb 27 07:09:10 2023 GMT
1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 3 07:00:00 2011 GMT; NotAfter: May 3 07:00:00 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
*********************************
*********************************
-----END CERTIFICATE-----
subject=CN = *.server.cloud
issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3350 bytes and written 148 bytes
Verification error: unable to get local issuer certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID: 42430000BACE6D963C2154287E5949A5BCEA93B1E8895F656FD8AF82FAF41625
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1663242412
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
C:\Program Files\OpenSSL-Win64\bin>
To reach the target file, I must put a specific Host header in the request, because the server is using SNI.
My server's IP is 172.1.1.61 and mydomain.com is the target host which can give me the file.
I tried to use curl like this, with no success:
curl -I --resolve mydomain.com:443:172.1.1.61 https://172.1.1.61:443/FederationMetadata/2007-06/FederationMetadata.xml -v
* Added mydomain.com:443:172.1.1.61 to DNS cache
* About to connect() to 172.1.1.61 port 443 (#0)
* Trying 172.1.1.61...
* Connected to 172.1.1.61 (172.1.1.61) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer
I also tried the openssl client:
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
And it showed me a valid certificate for mydomain.com:
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = mydomain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=mydomain.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
some moar strings
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTkwNDAzMDQyODE3Wh==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mydomain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4609 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9B020000BE0E627BF16F61C924ED4B90FF698F1868168A0467E0F359F98DE1FA
Session-ID-ctx:
Master-Key: (hidden)
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1602236714
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
But the last line is read:errno=104, which corresponds to a Connection Reset error.
As a last hope I installed the Modify Header Value plugin in my Chrome browser and made settings like this:
But still no connection:
What did I do wrong?
openssl s_client -connect 172.1.1.61:443 -servername mydomain.com
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
But the last line is read:errno=104, which corresponds to a Connection Reset error.
The error you see here means that the connection reset happens in the final stages or directly after the TLS handshake. In this stage SNI is already used to select the certificate and the HTTP request with the Host header is not yet sent. This means that neither SNI nor the Host header are the actual problem here.
This means one can exclude wrong SNI and Host header as the possible reasons for the connection reset. A shared cipher is also found so this is also not a problem. It might be for example a missing client certificate or something else. Maybe the server logs will show.
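The distinction the answer draws (a reset only after Protocol and Cipher were negotiated, as opposed to the fatal alert 40 in the OpenShift/HAProxy question above) can be checked mechanically from the s_client transcript. The following Python classifier is an added example, not code from either post; the stage names, the classify() function and the abbreviated sample transcripts are my own constructions modelled on the outputs quoted in this thread, and it also handles the case where the handshake reads 0 bytes.

```python
"""Classify at which stage an `openssl s_client` connection failed.

Added illustration, not code from the original posts: the stage names and
classify() are my own. The sample transcripts below are constructed.
"""
import re
from dataclasses import dataclass

# Standard TLS alert descriptions (RFC 5246, section 7.2) for the numbers
# that most often appear in s_client error lines.
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name",
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")
ROUTINE_RE = re.compile(r"SSL routines:([^:]+):([^:]+):")
HANDSHAKE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)


@dataclass
class Diagnosis:
    # stage: no_server_response | handshake_alert | local_handshake_error |
    #        reset_after_handshake | ok | unknown
    stage: str
    protocol: str   # negotiated protocol, "" if none
    cipher: str     # negotiated cipher, "" if none
    detail: str     # human-readable reason


def classify(transcript: str) -> Diagnosis:
    proto = PROTO_RE.search(transcript)
    ciph = CIPHER_RE.search(transcript)
    protocol = proto.group(1) if proto else ""
    cipher = ciph.group(1) if ciph else ""
    negotiated = cipher not in ("", "0000", "(NONE)")  # 0000/(NONE): no cipher agreed
    hs = HANDSHAKE_RE.search(transcript)
    bytes_read = int(hs.group(1)) if hs else 0

    # 1. Nothing came back: the socket was closed before a ServerHello, so the
    #    TLS parameters (version, SNI, ciphers) never came into play.
    if bytes_read == 0 and "no peer certificate available" in transcript:
        return Diagnosis("no_server_response", "", "",
                         "connection closed before any TLS record was received")

    # 2. The peer sent a fatal alert. Alert 40 with Cipher 0000 means no
    #    version/cipher agreement; alert 42 after a cipher was chosen means a
    #    certificate was rejected (for example a missing or bad client cert).
    alert = ALERT_RE.search(transcript)
    if alert:
        num = int(alert.group(1))
        return Diagnosis("handshake_alert",
                         protocol if negotiated else "", cipher if negotiated else "",
                         f"peer sent fatal alert {num} ({ALERT_NAMES.get(num, 'unknown')})")

    # 3. The local library aborted without a peer alert (e.g. an internal error).
    routine = ROUTINE_RE.search(transcript)
    if routine and not negotiated:
        return Diagnosis("local_handshake_error", "", "",
                         f"client aborted in {routine.group(1)}: {routine.group(2)}")

    # 4. Protocol and Cipher are filled in, so the handshake completed; a reset
    #    after this point cannot be caused by SNI or cipher-suite selection.
    if negotiated and "read:errno=104" in transcript:
        return Diagnosis("reset_after_handshake", protocol, cipher,
                         "TLS established, then connection reset by peer")
    if negotiated:
        return Diagnosis("ok", protocol, cipher, "TLS established")
    return Diagnosis("unknown", "", "", "no recognisable markers")


# Constructed, abbreviated transcripts modelled on the outputs quoted in this thread.
SAMPLE_ALERT_40 = """140494325270400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1536:SSL alert number 40
no peer certificate available
SSL handshake has read 7 bytes and written 58 bytes
    Protocol  : SSLv3
    Cipher    : 0000
"""

SAMPLE_RESET_AFTER = """depth=0 OU = Domain Control Validated, CN = mydomain.com
SSL handshake has read 4609 bytes and written 438 bytes
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
read:errno=104
"""

SAMPLE_NO_RESPONSE = """read:errno=104
no peer certificate available
SSL handshake has read 0 bytes and written 324 bytes
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    for text in (SAMPLE_ALERT_40, SAMPLE_RESET_AFTER, SAMPLE_NO_RESPONSE):
        print(classify(text))
```

The order of the checks matters: a fatal alert is tested before the "negotiated" check because, as in the Cassandra transcript further down this page, a server can pick a cipher and still send alert 42 afterwards when it rejects a certificate.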
I was previously able to access the site roughly a week or two ago. Lately, no matter what browser, computer, or device I use to access dmv.ca.gov from inside my network the SSL handshake fails and the site gives an empty response. I can access other sites, including ca.gov, but just not dmv.ca.gov. The handshake fails, I think, because I get no response from the server.
When I run openssl from my ubuntu box I get the following output:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959808
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
However, what I would expect is the following (same command on an AWS instance I have):
ubuntu#ip-10-0-144-141:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL_connect:error in unknown state
read R BLOCK
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 95814, ST = CA, L = Sacramento, street = "1325 J Street, Suite 1600", O = State of California, OU = Department of Motor Vehicles, OU = Hosted by State of California, OU = Multi-Domain SSL, CN = www.dmv.ca.gov
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:error in unknown state
read R BLOCK
SSL_connect:unknown state
read R BLOCK
---
Certificate chain
0 s:/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIINzCCBx+gAwIBAgIRAJ2VHzZ23HIPwp3suYpAPogwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTgwNDI3MDAwMDAwWhcNMjAwNDI2MjM1OTU5WjCCAQQxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwU5NTgxNDELMAkGA1UECBMCQ0ExEzARBgNVBAcT
ClNhY3JhbWVudG8xIjAgBgNVBAkTGTEzMjUgSiBTdHJlZXQsIFN1aXRlIDE2MDAx
HDAaBgNVBAoTE1N0YXRlIG9mIENhbGlmb3JuaWExJTAjBgNVBAsTHERlcGFydG1l
bnQgb2YgTW90b3IgVmVoaWNsZXMxJjAkBgNVBAsTHUhvc3RlZCBieSBTdGF0ZSBv
ZiBDYWxpZm9ybmlhMRkwFwYDVQQLExBNdWx0aS1Eb21haW4gU1NMMRcwFQYDVQQD
Ew53d3cuZG12LmNhLmdvdjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANICIjcwXvW6kwMzboV0jD0eTSfH6ZXTZWRW6cDCHKV+cn2Ut4AVjLduJ++3GH3T
XzGlBFKTjccs+CB3lZJCk/8CbCr0zWuxVvIn+EQlTU5bjxK8hpZxGMk4Xqck8UOQ
k3slP/DeQ6e59bxBiNXXfDSlMIti75oVN6Q9IKMNRSY78xOtIyath8EGS0QxeHmU
AlLvtreKPsi/s1zwc9sCi6o+KLthiQOBV0tBcaMwH3O0zWU6izo4urOZnGdtcEto
3WClQIODfDey2oMtJIZg7zi9U2PjInJHX/NHLbDTT/50C6gEuTsVDUecc51tlkuX
5/PPh7qBQeffLqeACCbi0AUCAwEAAaOCBA0wggQJMB8GA1UdIwQYMBaAFJrzK9rP
rU+2L7sqSEgqErcbQsEkMB0GA1UdDgQWBBQCpbBSuY1+fz9cPVBsP2qXDy7OgzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwUAYDVR0gBEkwRzA7BgwrBgEEAbIxAQIBAwQwKzApBggrBgEF
BQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYGZ4EMAQICMFoG
A1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JT
QU9yZ2FuaXphdGlvblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYsGCCsG
AQUFBwEBBH8wfTBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBT3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMIHJBgNVHREE
gcEwgb6CDnd3dy5kbXYuY2EuZ292ggpkbXYuY2EuZ292gg5lZGwuZG12LmNhLmdv
doIRZWRsYXBwLmRtdi5jYS5nb3aCEXJlYWxpZC5kbXYuY2EuZ292ghFzdXJ2ZXku
ZG12LmNhLmdvdoISd3d3LmVkbC5kbXYuY2EuZ292ghV3d3cuZWRsYXBwLmRtdi5j
YS5nb3aCFXd3dy5yZWFsaWQuZG12LmNhLmdvdoIVd3d3LnN1cnZleS5kbXYuY2Eu
Z292MIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwDuS723dc5guuFCaR+r4Z5m
ow9+X7By2IMAxHuJeqj9ywAAAWMJf5JMAAAEAwBIMEYCIQClJmCF9j3SuP7g9By5
MtBXlmWmJkyVbdWi6kke6bhWcwIhAJwe9WqgMawyVYZ832Kf9av6pqqdTG/gSlM+
c3XXkeWaAHcAXqdz+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFjCX+U
YgAABAMASDBGAiEA1icqpmdKyGl4Wj1iYjxzt52uDsVlKR7m8VqEnd5ke4wCIQCp
9zFllGV53sreB5FvPv8R51l91/JSlup21Sf3me+ugQB2AFWB1MIWkDYBSuoLm1c8
U/DA5Dh4cCUIFy+jqh0HE9MMAAABYwl/kmwAAAQDAEcwRQIgfYoeUJVqJm6+hVwT
IJIxsIuOrBHOT9qCALxHknWXRqoCIQCZStG+T0f+FTPhbhmpmSTRv5cccuuxHEIh
iVo/R+hHMzANBgkqhkiG9w0BAQsFAAOCAQEAYzW4ZehiSJGiEAd+yg3pvYlzD3E7
WYbU8zzBXzo6CoPlpV5Ev4XHUXqawZ5tQO9H03yFHhoSjymLsnIa5URhday0z81s
yIasFymBYGwyccRgzX4Qd6V3tiArY7zDY9Hf00/yp9SSJe6a4KX/aCibsGnX/DIq
91RJNdGfOjd/94jMz9X/umrlvLWJ9ZqVMZYycLO9hkgGdYJQjYDf0wFd+jQ+c+b5
BjVOuO0HHWMfkE+CprcwNSJFzcKHuRUX0gn7EmiYebOLf2P5sRpMN51NQBD0RCSg
ZPOqG1ImhxRaWREfMm4uXJIYZeFU+Xt1NS+gCw752lm4tibJnn3wG1lVYg==
-----END CERTIFICATE-----
subject=/C=US/postalCode=95814/ST=CA/L=Sacramento/street=1325 J Street, Suite 1600/O=State of California/OU=Department of Motor Vehicles/OU=Hosted by State of California/OU=Multi-Domain SSL/CN=www.dmv.ca.gov
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5576 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 789084EE893DD466F4A9A06493691CAF46BCFC14728AF6FBB2A5D6AFEFAEE9CE
Session-ID-ctx:
Master-Key: F88F1EF27749B19B08AC56049072A8C69534D0157E0642CB73952DA1A1F66371C3C32C05AEA248A9272D16D6766483CB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1531959941
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
DIG gives me the same dns records, so I know I'm connecting to the correct server.
At this point I'm running out of ideas. So, I ask of you all, what can I look at or test next?
I've got an actiontec router provided by Verizon, if there are any settings located on that device I need to check.
EDIT: With explicit TLS versions, curl and wget:
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1_2
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398652
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ openssl s_client -state -nbio -connect dmv.ca.gov:443 -servername dmv.ca.gov -tls1
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:unknown state
SSL_connect:error in unknown state
write R BLOCK
SSL_connect:error in unknown state
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1532398670
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
captain#HARM01NGINX01:~$ curl dmv.ca.gov
curl: (56) Recv failure: Connection reset by peer
captain#HARM01NGINX01:~$ wget dmv.ca.gov
--2018-07-23 19:18:52-- http://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:18:57-- (try: 2) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:03-- (try: 3) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
--2018-07-23 19:19:10-- (try: 4) http://dmv.ca.gov/
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:80... connected.
HTTP request sent, awaiting response... ^C
captain#HARM01NGINX01:~$ wget https://dmv.ca.gov
--2018-07-23 19:19:21-- https://dmv.ca.gov/
Resolving dmv.ca.gov (dmv.ca.gov)... 107.162.129.29
Connecting to dmv.ca.gov (dmv.ca.gov)|107.162.129.29|:443... connected.
Unable to establish SSL connection.
I've enabled SSL for a distributed database (Cassandra), where each of the peers has the same keystore and truststore files. I've imported the Comodo-signed certificate into the keystore, and also the intermediate and root certificates provided by Comodo. Into the truststore I've uploaded the root certificate and the intermediates. Below is the output I'm getting when I run an openssl s_client. I'm getting the below-mentioned error:
139810559764296:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
139810559764296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
At the end of the message however I get "Verify return code: 0 (ok)".
The cluster seems fine and the peers are able to recognize each other though.
openssl s_client -host example.xyz -port 10145
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = *****, ST = **, L = *****, street = ****, O = ****, OU = dvrci1, OU = ******, OU = ******, CN = hostname
verify return:1
140115008423752:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
140115008423752:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
SSL handshake has read 6648 bytes and written 354 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 57EBD44A5F04D45A44137682F375F1BFE2C45B27182927FC23F7255FC0B37226
Session-ID-ctx:
Master-Key: A771BCAFB4DD8CC3D8C476F9DBA542998EC5CE926ADB4612C433668D515F03C38D519D6CE2434F524273320CF24476FC
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1475080428
Timeout : 300 (sec)
Verify return code: 0 (ok)
I have a problem between logstash-forwarder and logstash. I have installed the SSL certificate correctly but I get this error:
Failed to tls handshake with 111.111.111.111 read tcp 111.111.111.111:5000: i/o timeout
If I check SSL with the openssl command it works perfectly:
# openssl s_client -connect 111.111.111.111:5000
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify return:1
---
Certificate chain
0 s:/C=XX/L=Default City/O=Default Company Ltd
i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1677 bytes and written 413 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 5512D461475996E5795A8F65F7C73A7047D6A99D9BBF30871FD91EA80BF110FE
Session-ID-ctx:
Master-Key: C2FDF6944017E05247F103B106BA7313917C5B9BC516BFA05F875D4D8C0D294E797015FFA3E7BA5F744EF2D1E8925FB2
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1427297377
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed
Where is the problem?
Thanks
I have found the problem: it is a different version of logstash between the instances. After upgrading to the same version it works.