Windows 2000 LDAPS and OpenSSL oddities :/

A "funny" case of using OpenSSL as an SSL client (s_client) whose behaviour changes depending on whether debug mode is enabled or not…:

Without -debug mode :(

openssl s_client -connect xxx.local:636 -CAfile ssl\ac_root.pem -showcerts -msg -state

Result:

CONNECTED(00000754)
SSL_connect:before/connect initialization
>>> TLS 1.0 Handshake [length 00cd], ClientHello
SSL_connect:SSLv2/v3 write client hello A
<<< TLS 1.0 Handshake [length 004a], ServerHello
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 0b4a], Certificate
depth=2 O = XXX, C = FR
verify return:1
depth=1 O = XXX, C = FR
verify return:1
depth=0 C = FR, O = XXX, CN = XXX
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0971], CertificateRequest
SSL_connect:SSLv3 read server certificate request A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0007], Certificate
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
2052:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:177:

A small network capture:
windows_2000_ldaps_2048_nodebug_ko
(1 packet for the final handshake messages)

With -debug mode :)

openssl s_client -connect xxx.local:636 -CAfile ssl\ac_root.pem -showcerts -msg -state -debug

Result:

CONNECTED(00000754)
SSL_connect:before/connect initialization
write to 0xaa4918 [0xaa8f00] (210 bytes => 210 (0xD2))
>>> TLS 1.0 Handshake [length 00cd], ClientHello
SSL_connect:SSLv2/v3 write client hello A
read from 0xaa4918 [0xaae460] (7 bytes => 7 (0x7))
read from 0xaa4918 [0xaae46a] (5383 bytes => 5383 (0x1507))
<<< TLS 1.0 Handshake [length 004a], ServerHello
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 0b4a], Certificate
depth=2 O = XXX, C = FR
verify return:1
depth=1 O = XXX, C = FR
verify return:1
depth=0 C = FR, O = XXX, CN = XXX
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0971], CertificateRequest
SSL_connect:SSLv3 read server certificate request A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0007], Certificate
write to 0xaa4918 [0xab6e68] (12 bytes => 12 (0xC))
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0106], ClientKeyExchange
write to 0xaa4918 [0xab6e68] (267 bytes => 267 (0x10B))
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
write to 0xaa4918 [0xab6e68] (6 bytes => 6 (0x6))
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
write to 0xaa4918 [0xab6e68] (37 bytes => 37 (0x25))
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 0xaa4918 [0xaae463] (5 bytes => 5 (0x5))
read from 0xaa4918 [0xaae468] (1 bytes => 1 (0x1))
<<< TLS 1.0 ChangeCipherSpec [length 0001]
read from 0xaa4918 [0xaae463] (5 bytes => 5 (0x5))
read from 0xaa4918 [0xaae468] (32 bytes => 32 (0x20))
<<< TLS 1.0 Handshake [length 0010], Finished
SSL_connect:SSLv3 read finished A

A small network capture:
windows_2000_ldaps_2048_debug_ok
(2 packets for the final handshake messages)

Results:

OpenSSL: bad mark! The packets sent by OpenSSL in debug mode are not laid out the same way as in "normal" mode!!!
Windows 2000: VERY bad mark; 1024-bit certificates work whatever OpenSSL's trace mode, unlike 2048-bit ones.
Windows 2003, for its part, works normally.

For now: Juniper / OpenSSL: 1; Windows 2000: 0
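The difference between the two traces above is purely one of packetization: the four records of the client's final flight (Certificate, ClientKeyExchange, ChangeCipherSpec, Finished) are the same bytes in both modes, and only the number of TCP segments they are spread over changes. The Python below is an added example, not code from the original post or from OpenSSL: it rebuilds a client flight with the same record lengths as the trace (7, 262, 1 and 32 bytes; the RSA-encrypted premaster and the encrypted Finished are constructed filler), then runs a small TLS record reassembler over it to show that a correct receiver must accept several records in one segment just as well as one record split across segments. Names such as RecordReassembler and records_per_segment are my own.

```python
import struct

# TLS 1.0 record-layer content types (RFC 2246, section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# Handshake message types we expect in the client's last flight, for labelling only
HANDSHAKE_TYPES = {11: "Certificate", 16: "ClientKeyExchange", 20: "Finished"}
TLS10 = (3, 1)
HDR = 5  # record header: type (1), version (2), length (2)


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLS 1.0 record header."""
    return struct.pack("!BBBH", content_type, *TLS10, len(payload)) + payload


def handshake(msg_type: int, body: bytes) -> bytes:
    """Wrap a body in a 4-byte handshake header (type, 24-bit length)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed client flight mirroring the s_client trace:
# empty Certificate (7 bytes), ClientKeyExchange with a 256-byte RSA-encrypted
# premaster for a 2048-bit key (262 bytes), ChangeCipherSpec (1 byte), and a
# Finished that is already encrypted (32 bytes of opaque filler).
CLIENT_FLIGHT = [
    tls_record(22, handshake(11, b"\x00\x00\x00")),
    tls_record(22, handshake(16, (256).to_bytes(2, "big") + b"\xaa" * 256)),
    tls_record(20, b"\x01"),
    tls_record(22, b"\x5a" * 32),
]


class RecordReassembler:
    """Split a TCP byte stream into TLS records, tolerating both several
    records per segment and one record spread over several segments."""

    def __init__(self):
        self.buf = b""
        self.encrypted = False  # flips once ChangeCipherSpec has been seen

    def feed(self, segment: bytes):
        """Return (label, record length) for every record completed by this segment."""
        self.buf += segment
        out = []
        while len(self.buf) >= HDR:
            ctype, major, minor, length = struct.unpack("!BBBH", self.buf[:HDR])
            if ctype not in CONTENT_TYPES or (major, minor) != TLS10:
                raise ValueError(f"not a TLS 1.0 record header: {self.buf[:HDR].hex()}")
            if len(self.buf) < HDR + length:
                break  # record continues in a later segment; keep buffering
            payload, self.buf = self.buf[HDR:HDR + length], self.buf[HDR + length:]
            label = CONTENT_TYPES[ctype]
            if ctype == 22 and self.encrypted:
                label = "Handshake/encrypted"  # Finished after CCS is not readable
            elif ctype == 22 and payload and payload[0] in HANDSHAKE_TYPES:
                label = "Handshake/" + HANDSHAKE_TYPES[payload[0]]
            if ctype == 20:
                self.encrypted = True
            out.append((label, length))
        return out


def records_per_segment(segments):
    """Count how many TLS records each TCP segment completes."""
    r = RecordReassembler()
    return [len(r.feed(s)) for s in segments]


if __name__ == "__main__":
    whole = b"".join(CLIENT_FLIGHT)
    print("one segment (no -debug):", records_per_segment([whole]))
    print("one record per segment (-debug):", records_per_segment(CLIENT_FLIGHT))
    print("record split across segments:", records_per_segment([whole[:100], whole[100:]]))
    for label, length in RecordReassembler().feed(whole):
        print(f"{label:<28} [length {length:04x}]")
```

The three calls in the usage section reproduce the two captures (all 322 bytes in one segment versus four segments of 12, 267, 6 and 37 bytes) plus a third case the post does not show, a record cut by TCP segmentation; a receiver that only accepts the one-record-per-segment layout, as the Windows 2000 server here appears to, will fail on the first and can fail on the third even when every record is well formed.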
