A "funny" case of OpenSSL used as an SSL client (s_client) that changes behaviour depending on whether debug mode is enabled or not:
Without -debug mode :(
openssl s_client -connect xxx.local:636 -CAfile ssl\ac_root.pem -showcerts -msg -state
Result:
CONNECTED(00000754)
SSL_connect:before/connect initialization
>>> TLS 1.0 Handshake [length 00cd], ClientHello
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.0 Handshake [length 004a], ServerHello
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 0b4a], Certificate
depth=2 O = XXX, C = FR
verify return:1
depth=1 O = XXX, C = FR
verify return:1
depth=0 C = FR, O = XXX, CN = XXX
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0971], CertificateRequest
SSL_connect:SSLv3 read server certificate request A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0007], Certificate
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
2052:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:177:
A small network capture:
(1 packet for the final handshake messages)
With -debug mode :)
openssl s_client -connect xxx.local:636 -CAfile ssl\ac_root.pem -showcerts -msg -state -debug
Result:
CONNECTED(00000754)
SSL_connect:before/connect initialization
write to 0xaa4918 [0xaa8f00] (210 bytes => 210 (0xD2))
>>> TLS 1.0 Handshake [length 00cd], ClientHello
SSL_connect:SSLv2/v3 write client hello A
read from 0xaa4918 [0xaae460] (7 bytes => 7 (0x7))
read from 0xaa4918 [0xaae46a] (5383 bytes => 5383 (0x1507))
<<< TLS 1.0 Handshake [length 004a], ServerHello
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 0b4a], Certificate
depth=2 O = XXX, C = FR
verify return:1
depth=1 O = XXX, C = FR
verify return:1
depth=0 C = FR, O = XXX, CN = XXX
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0971], CertificateRequest
SSL_connect:SSLv3 read server certificate request A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0007], Certificate
write to 0xaa4918 [0xab6e68] (12 bytes => 12 (0xC))
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
write to 0xaa4918 [0xab6e68] (267 bytes => 267 (0x10B))
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
write to 0xaa4918 [0xab6e68] (6 bytes => 6 (0x6))
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
write to 0xaa4918 [0xab6e68] (37 bytes => 37 (0x25))
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0xaa4918 [0xaae463] (5 bytes => 5 (0x5))
read from 0xaa4918 [0xaae468] (1 bytes => 1 (0x1))
<<< TLS 1.0 ChangeCipherSpec [length 0001]
read from 0xaa4918 [0xaae463] (5 bytes => 5 (0x5))
read from 0xaa4918 [0xaae468] (32 bytes => 32 (0x20))
<<< TLS 1.0 Handshake [length 0010], Finished
SSL_connect:SSLv3 read finished A
A small network capture:
(2 packets for the final handshake messages)
Results:
OpenSSL: bad mark! The packets sent by OpenSSL in debug mode are not laid out the same way as in "normal" mode!!!
Windows 2000: VERY bad mark, 1024-bit certificates work whatever OpenSSL's trace mode, unlike 2048-bit ones
Windows 2003, for its part, works normally.
For now: Juniper / OpenSSL: 1; Windows 2000: 0
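To check this record-per-segment layout from a packet capture rather than from the trace, here is an added example (not from the original post) that splits a TCP segment payload into TLS records and flags a segment carrying ChangeCipherSpec and Finished together. The sample bytes are constructed from the record lengths in the -debug trace above (6-byte CCS record, 37-byte Finished record); the encrypted Finished body is filler.

```python
"""Split TCP segment payloads into TLS records and show which records share a segment.
Added example, not from the original post; sample bytes are constructed from the record
lengths in the -debug trace (CCS = 6 bytes, Finished = 37 bytes, encrypted body = filler)."""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def record(ctype: int, body: bytes, version: int = 0x0301) -> bytes:
    """Build one TLS record: 1-byte type, 2-byte version (0x0301 = TLS 1.0), 2-byte length."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def parse_records(payload: bytes):
    """Walk the record layer of one segment; returns (name, version, body) per record.
    A truncated record (header or body cut off) raises instead of being guessed at."""
    records, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack("!BHH", payload[offset:offset + 5])
        body = payload[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((CONTENT_TYPES.get(ctype, "Unknown(%d)" % ctype), version, body))
        offset += 5 + length
    return records

# Constructed segment payloads mirroring the two captures in the post.
CCS = record(20, b"\x01")            # "write to ... (6 bytes)" in the -debug trace
FINISHED = record(22, b"\x00" * 32)  # "write to ... (37 bytes)"; encrypted body is filler here
COALESCED = [CCS + FINISHED]         # one TCP segment carrying both records (run without -debug)
SEPARATE = [CCS, FINISHED]           # two TCP segments, one record each (run with -debug)

def records_per_segment(segments):
    """For each TCP segment payload, the names of the TLS records it carries, in order."""
    return [[name for name, _, _ in parse_records(seg)] for seg in segments]

def ccs_and_finished_coalesced(segments) -> bool:
    """True when a single segment carries ChangeCipherSpec immediately followed by a
    Handshake record, i.e. the layout the post associates with the Windows 2000 failure."""
    for names in records_per_segment(segments):
        if any(a == "ChangeCipherSpec" and b == "Handshake" for a, b in zip(names, names[1:])):
            return True
    return False

if __name__ == "__main__":
    for label, segs in (("without -debug", COALESCED), ("with -debug", SEPARATE)):
        print(label, records_per_segment(segs), "coalesced:", ccs_and_finished_coalesced(segs))
```

Feed it the reassembled TCP payloads of the last client-to-server segments from each capture to confirm which run put both records in one segment.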