Having the plan I decided to first check it locally on my host. As a first step I configured the apache2 on my Ubuntu 11.04 box as described: https://help.ubuntu.com/11.04/serverguide/C/httpd.html to support encryption. Next step was to use openssl (plus wireshark to be confident;)) to get the protocol version used in the handshake procedure.
SSL 3.0
 |
| Figure 1 SSL 3.0 handshake |
Now let's have a test connecting using the openssl to the local apache2 server supporting SSL 3.0.
# openssl s_client -ssl3 -connect 127.0.0.1:443
CONNECTED(00000003)
depth=0 /CN=krystianek
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=krystianek
verify return:1
---
Certificate chain
0 s:/CN=krystianek
i:/CN=krystianek
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICpjCCAY4CCQCXhncRWkNj1DANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpr
cnlzdGlhbmVrMB4XDTExMTEwMjE2MzgyOVoXDTIxMTAzMDE2MzgyOVowFTETMBEG
A1UEAxMKa3J5c3RpYW5lazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALU90KhdAKy4dBTGO8GLIpHLvO5L9DNZjLURgVoY2H8r1piYfvZzQ6sgNIrQzZjg
vGDTg2bUT7g4UQFJouSVGGRy8qk5afipoUFS+CxQEoWHkIQoRLdDSEtLxpYlQvk3
ID2qTzLGBeNm+YBSsvzg2e4sWBykKh1ePJ/TFxSdnW9+UZWbwytFlA6qNPVWA2Ks
lX4+N5xHIL1afd1+qGKUR85xJBcXXUbbZM7Fe+neGHmMqxuUXOmrU7uHE7igcHq7
UUXByIertkS33cgpV7QbWr9w+ip8ggKAUVkY/03NpaYfk40L06sef7jyWhMXFO8i
3TbnwDH0m/I3qxZqQZifYbECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAJ4BIrQ/U
KeJWsWQJsOAfJlpQ2giUiEYLDZyP8gnmhNCYnEdCBl9ltXxPIe1RIFK/O5dnAgV/
GLPYREW+jZ4tyip4cwWMIgixtcpyWyESJlH4vF4lKj6dP5C0xP5cyfbfvR9rlNxk
eejBsUv24FK9xCPN2V8IdkS+CNneGW06yAf+EQP9mF5weNXkbE7tX+yBwKuR8BgE
AUZ1qohBPz5OZqSV61HikVUf3RmqapnIo4lejilj/1uVhU8QJ1FxwJu2UyAJaiPj
qRSVvW4H7LSkz326DaKzoFFUylhAZPImEPN0LHv1ee0yzbWAzN8iEM6bzdNYJfJ2
fGQu5yAue2vxHQ==
-----END CERTIFICATE-----
subject=/CN=krystianek
issuer=/CN=krystianek
---
No client certificate CA names sent
---
SSL handshake has read 1413 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: 6C8A75631A4964A27410DF69CFD267C8C1EE6363A6FDED270BD0671B0DFAE99F
Session-ID-ctx:
Master-Key: FDA851ACE2E2320690D55C7766A51718FCD6B2A89ED6887A4368583D8EB2FF2D4559D2408135D60A3401711B9C5FC7A9
Key-Arg : None
Compression: 1 (zlib compression)
Start Time: 1320299309
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
GET /
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
closed
You have new mail in /var/mail/root
#
Ok, it works. In my case there was no client certificate sent towards the SSL server.
TLS 1.0
 |
| Figure 2 TLS 1.0 handshake |
# openssl s_client -tls1 -connect 127.0.0.1:443
CONNECTED(00000003)
depth=0 /CN=krystianek
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=krystianek
verify return:1
---
Certificate chain
0 s:/CN=krystianek
i:/CN=krystianek
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICpjCCAY4CCQCXhncRWkNj1DANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpr
cnlzdGlhbmVrMB4XDTExMTEwMjE2MzgyOVoXDTIxMTAzMDE2MzgyOVowFTETMBEG
A1UEAxMKa3J5c3RpYW5lazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALU90KhdAKy4dBTGO8GLIpHLvO5L9DNZjLURgVoY2H8r1piYfvZzQ6sgNIrQzZjg
vGDTg2bUT7g4UQFJouSVGGRy8qk5afipoUFS+CxQEoWHkIQoRLdDSEtLxpYlQvk3
ID2qTzLGBeNm+YBSsvzg2e4sWBykKh1ePJ/TFxSdnW9+UZWbwytFlA6qNPVWA2Ks
lX4+N5xHIL1afd1+qGKUR85xJBcXXUbbZM7Fe+neGHmMqxuUXOmrU7uHE7igcHq7
UUXByIertkS33cgpV7QbWr9w+ip8ggKAUVkY/03NpaYfk40L06sef7jyWhMXFO8i
3TbnwDH0m/I3qxZqQZifYbECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAJ4BIrQ/U
KeJWsWQJsOAfJlpQ2giUiEYLDZyP8gnmhNCYnEdCBl9ltXxPIe1RIFK/O5dnAgV/
GLPYREW+jZ4tyip4cwWMIgixtcpyWyESJlH4vF4lKj6dP5C0xP5cyfbfvR9rlNxk
eejBsUv24FK9xCPN2V8IdkS+CNneGW06yAf+EQP9mF5weNXkbE7tX+yBwKuR8BgE
AUZ1qohBPz5OZqSV61HikVUf3RmqapnIo4lejilj/1uVhU8QJ1FxwJu2UyAJaiPj
qRSVvW4H7LSkz326DaKzoFFUylhAZPImEPN0LHv1ee0yzbWAzN8iEM6bzdNYJfJ2
fGQu5yAue2vxHQ==
-----END CERTIFICATE-----
subject=/CN=krystianek
issuer=/CN=krystianek
---
No client certificate CA names sent
---
SSL handshake has read 1560 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 94FA2FB475C3FA47EDE2373C610F3F3C02CB2714F7344EC433B6B8ACEDC0AC43
Session-ID-ctx:
Master-Key: 958861A6AC4D901FA6263C0DA92E81F9430AEB201F82032D562813309957593E9E4259F8548AFBE2CB5A7145026135F5
Key-Arg : None
TLS session ticket:
0000 - 9a c9 2b 9c e9 54 7e e4-05 de 32 40 38 0a 6d b9 ..+..T~...2@8.m.
0010 - 6d 21 2c 2e c8 ba 6e b7-de 37 72 0f 5b 5c 69 a8 m!,...n..7r.[\i.
0020 - da 55 4a f6 73 31 59 4c-c4 3e 37 7b 9c 87 47 97 .UJ.s1YL.>7{..G.
0030 - 03 f4 c9 62 45 95 a9 ab-11 31 ab de bf c9 5d b4 ...bE....1....].
0040 - 50 75 ec 6b 54 c4 05 c8-bf 44 d3 14 41 d9 ea e9 Pu.kT....D..A...
0050 - 0a 57 c8 d1 89 4f 3b 20-c6 0b 1e f6 f4 19 af 8e .W...O; ........
0060 - ca f7 18 28 1c 7b c7 9f-d4 03 c1 3f bc 47 be a0 ...(.{.....?.G..
0070 - e0 74 0c c5 57 d6 16 4b-b3 a4 f5 c7 b7 10 7e 11 .t..W..K......~.
0080 - 03 6a 5b e6 06 aa d7 75-40 d1 fe b0 62 ae e9 aa .j[....u@...b...
0090 - bc 0e 2d 59 06 97 99 78-ac 69 3e 8e c4 7f 34 e8 ..-Y...x.i>...4.
00a0 - 84 89 c3 01 13 1b 01 b2-49 21 62 b8 4b e5 93 ea ........I!b.K...
00b0 - 88 09 bb d2 27 d2 ab cd-b6 94 67 0e a5 9b 7c fc ....'.....g...|.
Compression: 1 (zlib compression)
Start Time: 1320299341
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
GET /
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
closed
#
Posty
Brak komentarzy:
Prześlij komentarz