Date: Fri, 30 Jun 2017 09:35:30 +0700
From: Olivier <Olivier.Nicole@cs.ait.ac.th>
To: questions@freebsd.org
Subject: Inconsistencies in openssl s_client
Message-ID: <wu7efu2cidp.fsf@banyan.cs.ait.ac.th>
Hi,

I am running openssl s_client from various FreeBSD systems, to the same
target, and get varying answers:

-- Machine 1 --

$ uname -a
FreeBSD banyan.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #8 r314131: Tue Feb 28 15:14:01 ICT 2017     root@banyan.cs.ait.ac.th:/usr/obj/usr/src/sys/CSIM  amd64

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted ]
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A201BE4B96B0BCFE648C7392AC579AD974DC098188962583929DFEA49245C4C7
    Session-ID-ctx:
    Master-Key: 00DB3B00AC0CA6A0F6A9AC4B6EE32819A7C0F4400C12CFCA898CE5D1715EBE56108720E7812CF6936ACB5C1B969DA022
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 49 62 08 8c b2 20 f1 e6-c9 55 dd 56 ef 13 42 70   Ib... ...U.V..Bp
    0010 - 62 55 e1 43 68 a7 20 e7-63 04 c3 b0 0e 36 dd 80   bU.Ch. .c....6..
    0020 - 92 8b a3 89 35 a7 36 1f-d4 21 c1 3f 2c b2 cf d5   ....5.6..!.?,...
    0030 - ff fc 42 22 ea 45 24 bf-ab 05 0e a8 28 00 28 d3   ..B".E$.....(.(.
    0040 - 9f 69 27 dc 26 77 83 76-e6 c8 58 63 ed cd 51 af   .i'.&w.v..Xc..Q.
    0050 - 75 3d d2 96 90 02 7d 5c-33 fa e9 47 97 34 cb a4   u=....}\3..G.4..
    0060 - ce b5 8e 2d 74 b1 d9 57-b3 9d 14 8f 56 ca cf 2a   ...-t..W....V..*
    0070 - 8e a5 4d 2b 3e 3c 8b c3-77 58 59 b5 cb 2b 13 df   ..M+><..wXY..+..
    0080 - d4 b0 85 af 04 38 c7 25-8a 13 b0 c0 12 58 44 32   .....8.%.....XD2
    0090 - eb 68 f4 5a 1a 86 2c 9d-43 63 25 e1 22 d3 9e 2c   .h.Z..,.Cc%..".,
    00a0 - c5 1a 9b 42 4a 13 b9 2f-c7 07 e5 33 e3 cf be 3e   ...BJ../...3...>
    00b0 - 1c 2e 96 b1 e2 b7 fd 2b-4e 1d 25 d8 2a 60 20 c0   .......+N.%.*` .

    Start Time: 1498789404
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This one worked fine.

-- Machine 2 --

$ uname -a
FreeBSD sysl.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #14 r314329: Tue Feb 28 10:51:32 ICT 2017     root@sysl.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and Master-Key, as expected ]
    Start Time: 1498789404
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This one also worked fine.

-- Machine 3 --

$ uname -a
FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and Master-Key, as expected ]
    Start Time: 1498789329
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

That one failed.

-- Machine 4 --

$ uname -a
FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and Master-Key, as expected ]
    Start Time: 1498789709
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

This one failed too.

-- Why? --

Why do machines 3 and 4 differ from machines 1 and 2 (and all the other
machines I have tested)? What could be the difference?

Machines 3 and 4 are almost clones (I am trying to migrate FreeRadius
from 2.2 to 3.0, so I cloned the machine). I could see that ca_root_nss
is newer on 3 and 4 (3.31, compared to 3.30 on 1 and 3.29 on 2).

I am completely at a loss and help would be greatly welcome.
TIA,

Olivier
--
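A way to reproduce both "Verify return code" outcomes seen in the message offline, as an added example that is not part of the original post: it builds a throwaway CA and a leaf certificate signed by it with openssl, then verifies the leaf once without the issuer in the trusted file (error 20, unable to get local issuer certificate) and once with it (0, ok). The CA name, host name and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Show how the X.509 verify result depends only on whether the issuer is in
# the trust store handed to openssl, using a constructed CA and leaf cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a private CA and a leaf certificate signed by it (constructed test data).
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_code CERT [CAFILE]
# Prints the X.509 verify error number (0 = OK), the same number s_client
# reports as "Verify return code". The default CA file and directory are
# disabled so only CAFILE, if given, counts as trusted.
verify_code() {
    cert=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        out=$(openssl verify -no-CAfile -no-CApath -CAfile "$cafile" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo 0 ;;
        *) echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

make_test_chain
echo "issuer not in trust store: $(verify_code "$WORK/leaf.pem")"                   # 20
echo "issuer in trust store:     $(verify_code "$WORK/leaf.pem" "$WORK/ca.pem")"    # 0
```

Pointing -CAfile at the ca_root_nss bundle a given machine actually has installed is the same check s_client performs, and makes a bundle difference between hosts visible without changing anything on them.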