• # Debug handshake

    Posté par (site web personnel) . En réponse au message LDAP over TLS - unsupported extended operation. Évalué à 1.

    On m'a posé la question du handshake, mais la commande openssl en utilisant -prexit ou -msg ou même en spécifiant -tls1 ou -ssl3, rien n'y fait/ne m'aide.

    root@DB:/etc/ldap/cert_old# openssl s_client -msg -connect db.m0le.net:636 -state [7/1449]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
     TLS 1.2 Handshake [length 012f], ClientHello
     01 00 01 2b 03 03 54 11 5b 69 88 a4 ed 83 60 e6
     c3 0e ef 18 e7 24 70 b1 b6 cf 97 12 dd 80 dd 91
     8c cb 65 15 f3 52 00 00 92 c0 30 c0 2c c0 28 c0
     24 c0 14 c0 0a 00 a3 00 9f 00 6b 00 6a 00 39 00
     38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0
     05 00 9d 00 3d 00 35 00 84 c0 12 c0 08 00 16 00
     13 c0 0d c0 03 00 0a c0 2f c0 2b c0 27 c0 23 c0
     13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00 32 00
     9a 00 99 00 45 00 44 c0 31 c0 2d c0 29 c0 25 c0
     0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 11 c0
     07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00
     14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 6f
     00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e
     00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16
     00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
     00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11
     00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03
     05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02
     03 03 02 01 02 02 02 03 01 01 00 0f 00 01 01
    SSL_connect:unknown state
    140182464599720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

    de même

    root@DB:/etc/ldap/cert_old# openssl s_client -prexit -connect db.m0le.net:636 -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:unknown state
    140642600560296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    root@DB:/etc/ldap/cert_old# openssl s_client -tls1 -connect db.m0le.net:636 -state [32/1540]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:failed in SSLv3 read server hello A
    140083957143208:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
     Protocol : TLSv1
     Cipher : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1410423787
     Timeout : 7200 (sec)
     Verify return code: 0 (ok)
    ---
    root@DB:/etc/ldap/cert_old# openssl s_client -ssl3 -connect db.m0le.net:636 -state [1/1540]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:failed in SSLv3 read server hello A
    140624822658728:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
     Protocol : SSLv3
     Cipher : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1410423801
     Timeout : 7200 (sec)
     Verify return code: 0 (ok)
    ---

    Donc, pas vraiment d'idée :/