Difference between revisions of "Openssl"
From Teknologisk videncenter
m (→Debug) |
m (→Debug) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | [[openssl command]] | ||
=Debug= | =Debug= | ||
| Line 11: | Line 12: | ||
verify error:num=18:self signed certificate | verify error:num=18:self signed certificate | ||
..... | ..... | ||
| + | </source> | ||
| + | |||
| + | Where did it go wrong - see only SSL negotiation | ||
| + | <source lang=bash> | ||
| + | root@beaglebone:/home/debian/certs/ca# openssl s_client -state -nbio -connect 127.0.0.1:8883 | grep "^SSL" | ||
| + | SSL_connect:before SSL initialization | ||
| + | SSL_connect:SSLv3/TLS write client hello | ||
| + | SSL_connect:error in SSLv3/TLS write client hello | ||
| + | ... | ||
| + | 3069829136:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1544:SSL alert number 116 | ||
</source> | </source> | ||
On Mosquitto brokerside: | On Mosquitto brokerside: | ||
| Line 35: | Line 46: | ||
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca | error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca | ||
</source> | </source> | ||
| + | ==Checking SSL server TLS version and capabilities== | ||
| + | <source lang=bash> | ||
| + | root@beaglebone:/home/debian/certs/ca# nmap --script ssl-enum-ciphers -p 8883 127.0.0.1 | ||
| + | Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-22 08:27 UTC | ||
| + | Nmap scan report for localhost (127.0.0.1) | ||
| + | Host is up (0.00037s latency). | ||
| + | |||
| + | PORT STATE SERVICE | ||
| + | 8883/tcp open secure-mqtt | ||
| + | | ssl-enum-ciphers: | ||
| + | | TLSv1.2: | ||
| + | | ciphers: | ||
| + | | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | ||
| + | | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | ||
| + | ... | ||
| + | </source> | ||
| + | Nmap done: 1 IP address (1 host up) scanned in 5.77 seconds | ||
| + | |||
[[Category:Security]] | [[Category:Security]] | ||
Latest revision as of 13:22, 14 November 2024
Debug
Example when debugging a tls connection to mosquitto MQTT broker.
root@beaglebone:/home/debian# openssl s_client -connect 127.0.0.1:8883
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = DK, ST = Denmark, L = Viborg, O = Mercantec, CN = beaglebone.localdomain, emailAddress = heth@mercantec.dk
verify error:num=18:self signed certificate
.....
Where did it go wrong - see only SSL negotiation
root@beaglebone:/home/debian/certs/ca# openssl s_client -state -nbio -connect 127.0.0.1:8883 | grep "^SSL"
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
...
3069829136:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1544:SSL alert number 116
On Mosquitto brokerside:
root@beaglebone:/home/debian# /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
1621664904: mosquitto version 2.0.7 starting
1621664904: Config loaded from /etc/mosquitto/mosquitto.conf.
1621664904: Opening ipv4 listen socket on port 1883.
1621664904: Opening ipv6 listen socket on port 1883.
1621664904: Opening ipv4 listen socket on port 8883.
1621664904: Opening ipv6 listen socket on port 8883.
1621664904: mosquitto version 2.0.7 running
1621664907: New connection from 127.0.0.1:45026 on port 1883.
1621664907: Sending CONNACK to 127.0.0.1 (0, 5)
1621664907: Client <unknown> disconnected, not authorised.
1621665067: New connection from 127.0.0.1:54532 on port 8883.
1621665067: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error 14094418 - alert unknown ca
openssl errornumber to errorstring: (Just nice to know)
root@beaglebone:/home/debian/certs/ca# openssl errstr 14094418
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Checking SSL server TLS version and capabilities
root@beaglebone:/home/debian/certs/ca# nmap --script ssl-enum-ciphers -p 8883 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-22 08:27 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
PORT STATE SERVICE
8883/tcp open secure-mqtt
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
...
Nmap done: 1 IP address (1 host up) scanned in 5.77 seconds