Check SSL Services with OpenSSL s_client, Part III

Posted: July 22, 2011 / in: Howtos / No comments

SSL supports client-side certificates, too. If you are required to authenticate client systems, you may utilize SSL client certificates that are verified at the server side.

This article illustrates how to utilize client certificates and ‘openssl s_client’ to connect to services secured by SSL.

Part I of this article series contains some common hints on how to utilize openssl when configuring and checking services that run certificates issued by well-known Certificate Authorities (CAs).

Part II illustrates how to do the same trick with custom CA certificates when verifying your SSL-based network services.

The OpenSSL Toolkit

The OpenSSL Project provides a number of powerful tools related to security, encryption and a variety of network protocols. This article gives you some hints on how to utilize the client implementation s_client, which is part of the openssl binary, to check details of SSL-secured network services.

OpenSSL ‘s_client’ is a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It is intended for testing purposes only and provides only a rudimentary interface, but internally it uses most of the functionality of the OpenSSL ssl library.

Requirements

All required tools and techniques to talk to servers utilizing custom certificates or certificates from well-known Certificate Authorities (CAs) have been discussed in Part I and Part II of this article series.

This article concentrates on how to utilize client certificates when connecting to SSL services.

To follow the steps illustrated in this article you are required to

  • have installed OpenSSL
  • run an SSL-secured network service
  • have your SSL service configured to request SSL client certificates
  • have generated a client certificate

SSL Client Certificates

SSL client certificates are issued by a CA. When requesting a certificate you have to take care that the CN of the client certificate contains the same domain name as your server certificate!

If you are required to generate your own client certificates, please take a look at the article How to Create Self-Signed SSL Certificates with OpenSSL. For testing purposes you may create simple certificates without any restrictions.

Examples

Connection Failure

The following command line session illustrates what will happen when your server requests client certificates and your client cannot provide any. Note that the initial handshake completes (Verify return code: 0, and "No client certificate CA names sent") because this server only requests the client certificate, via a renegotiation, once the protected path is requested; that is why the verify lines repeat after the GET and the handshake failure (SSL alert number 40) only appears at that point.

# connect to server without providing a client certificate
$ openssl s_client -host messagegw-iat.noncd.db.de -port 443 -CAfile all-ca.pem
CONNECTED(00000003)
depth=2 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Root-CA 2009)
verify return:1
depth=1 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Web2-CA 2009)
verify return:1
depth=0 CN = messagegw-iat.noncd.db.de, OU = Dienste, O = DB Systel GmbH, O = Deutsche Bahn, C = DE
verify return:1
---
Certificate chain
 0 s:/CN=messagegw-iat.noncd.db.de/OU=Dienste/O=DB Systel GmbH/O=Deutsche Bahn/C=DE
   i:/C=DE/O=Deutsche Bahn/OU=PKI/O=DB Systel GmbH/CN=DB Trust Center (Web2-CA 2009)
---
Server certificate
subject=/CN=messagegw-iat.noncd.db.de/OU=Dienste/O=DB Systel GmbH/O=Deutsche Bahn/C=DE
issuer=/C=DE/O=Deutsche Bahn/OU=PKI/O=DB Systel GmbH/CN=DB Trust Center (Web2-CA 2009)
---
No client certificate CA names sent
---
SSL handshake has read 1744 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4361648DAA586470E77B062A0899144D1618EB42C82708E5D35E1FE7261906A1
    Session-ID-ctx: 
    Master-Key: 86AD0067C2834299414C820DFB73E554EDC274420BC13ED97DF80C19F49AF79A3A2B56750D62044F6EABD69D54BA3B8C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1311350043
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET /service/interface
depth=2 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Root-CA 2009)
verify return:1
depth=1 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Web2-CA 2009)
verify return:1
depth=0 CN = messagegw-iat.noncd.db.de, OU = Dienste, O = DB Systel GmbH, O = Deutsche Bahn, C = DE
verify return:1
140673079531176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1193:SSL alert number 40
140673079531176:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1097:
Successful Authentication

The following command line session illustrates what a successful SSL handshake looks like when your client is able to provide a valid certificate. (Secure renegotiation is utilized.) As illustrated in Part II, this example provides a set of custom CA certificates to be able to verify the server certificate.

# open a SSL connection and provide a client certificate
$ openssl s_client -host messagegw-iat.noncd.db.de -port 443 -CAfile all-ca.pem -cert client-cert-s-bahn-dresden/s-bahn_dresden-client-messagegw.noncd.db.de.cert.pem -key client-cert-s-bahn-dresden/s-bahn_dresden-client-messagegw.noncd.db.de.key
Enter pass phrase for client-cert-s-bahn-dresden/s-bahn_dresden-client-messagegw.noncd.db.de.key:
CONNECTED(00000003)
depth=2 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Root-CA 2009)
verify return:1
depth=1 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Web2-CA 2009)
verify return:1
depth=0 CN = messagegw-iat.noncd.db.de, OU = Dienste, O = DB Systel GmbH, O = Deutsche Bahn, C = DE
verify return:1
---
Certificate chain
 0 s:/CN=messagegw-iat.noncd.db.de/OU=Dienste/O=DB Systel GmbH/O=Deutsche Bahn/C=DE
   i:/C=DE/O=Deutsche Bahn/OU=PKI/O=DB Systel GmbH/CN=DB Trust Center (Web2-CA 2009)
---
Server certificate
subject=/CN=messagegw-iat.noncd.db.de/OU=Dienste/O=DB Systel GmbH/O=Deutsche Bahn/C=DE
issuer=/C=DE/O=Deutsche Bahn/OU=PKI/O=DB Systel GmbH/CN=DB Trust Center (Web2-CA 2009)
---
No client certificate CA names sent
---
SSL handshake has read 1744 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DABF00ADEFCF768DE667C955A385F194A0272DE107D87439DF414069B6FDBFF7
    Session-ID-ctx: 
    Master-Key: 4DD5D7853241E85B292D15AD1C3ACEDE679B9FD5A0C028315D325F84CAFBCCDC8F54D0F2579469D6013902B9C1D14683
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1311349703
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET /service/frontend
depth=2 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Root-CA 2009)
verify return:1
depth=1 C = DE, O = Deutsche Bahn, OU = PKI, O = DB Systel GmbH, CN = DB Trust Center (Web2-CA 2009)
verify return:1
depth=0 CN = messagegw-iat.noncd.db.de, OU = Dienste, O = DB Systel GmbH, O = Deutsche Bahn, C = DE
verify return:1
read R BLOCK
status=OK
duration=0
time=2011-07-22_17:48:41
hostname=message-201v
swversion=1.0.0.12
hostaddress=10.182.164.16
instance=MessageGateway-001
startup=2011-07-05_11:29:44
mem_total=129761280
mem_free=104862048
closed

© Copyrights and Licenses, 2012 - Linux-Support.com The Professional Linux and OSS Services Portal