failed handshake
Hi Peter,
a problem which bites my testssl.sh (first example is openssl from a Linux distro, second yours):
prompt% openssl s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
[..]
Server certificate
-----BEGIN CERTIFICATE-----
[..]
-----END CERTIFICATE-----
[..]
SSL handshake has read 4355 bytes and written 648 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
[..]
prompt% echo $?
0
prompt%
now the one from you:
openssl64 s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de
CONNECTED(00000003)
139757631698832:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 433 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
prompt% echo $?
1
prompt%
For some reason it fails here. Providing -tls1 would work.
That seems a showstopper for the next release of testssl.sh ;-/
Cheers, Dirk
Update: here's another IIS6 which has the same problem with the difference that openssl provided doesn't work either: mercernet.fr
But still I am wondering about the difference above
Hi @drwetter,
Question: which build (commit) of 1.0.2-chacha do you use?
This was an issue quite some commits (and time) ago. If I check I get the correct result:
echo Q| openssl s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de && echo $?
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
[snip]
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: EF1D000085FBD2A41F1361307D2A5E616BD59C1338AE7F9D00D9BDD5B49894F8
Session-ID-ctx:
Master-Key: 0114FDC02A3A779947866E549ADB0E944B534806AB90F19E89A1B4716E1CDFA67941FEBD33BCBE46DBBDEE5AEC2EB545
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1430975831
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
DONE
0
Cheers,
Peter
Hi Peter,
On 7 May 2015 07:18:13 CEST, Peter Mosmans notifications@github.com wrote:
> Hi @drwetter ,
> Question: which build (commit) of 1.0.2-chacha do you use ?
> This was an issue quite some commits (and time) ago. If I check I get
> the correct result:
> echo Q| openssl s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de && echo $?
> CONNECTED(00000003)
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> [snip]
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : RC4-MD5
> Session-ID: EF1D000085FBD2A41F1361307D2A5E616BD59C1338AE7F9D00D9BDD5B49894F8
> Session-ID-ctx:
> Master-Key: 0114FDC02A3A779947866E549ADB0E944B534806AB90F19E89A1B4716E1CDFA67941FEBD33BCBE46DBBDEE5AEC2EB545
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1430975831
> Timeout : 300 (sec)
> Verify return code: 20 (unable to get local issuer certificate)
> DONE
> 0
Oh, ok! Sorry I missed that. Need to make new binaries then. Thx!
How is the other IIS6 server doing with your release?
The stupid thing is that testssl.sh needs a lot of workarounds -- only for broken IIS6/SChannel.
Cheers, Dirk
Dirk,
This seems like an issue with the server. My guess is a Cisco ASA SSL offloader of some kind.
openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Mar 19 18:31:36 UTC 2015
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
echo Q| openssl s_client -connect mercernet.fr:443 -servername mercernet.fr ; echo $?
CONNECTED(00000003)
140413874202280:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
1
And with openssl-1.0.2-chacha:
OpenSSL 1.0.2-chacha (1.0.2b-dev)
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -static-libgcc -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"
echo Q| ./openssl s_client -connect mercernet.fr:443 -servername mercernet.fr ; echo $?
CONNECTED(00000003)
140399680612008:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 421 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
1
Ha! Same line number! :)
:)
The guess with the ASA I'd like to research later (shodan). It would save me the workarounds -- did already some last night.
It's more of a non-friendly way of the openssl binary to tell you that the handshake failed, as in: I think that an application should be able to handle this. You can always 2>/dev/null and check the result value ($?)
"Handy" (cough) oneliner to test multiple openssl binaries and sites:
osbins="/usr/bin/openssl /var/git/openssl/apps/openssl"; fqdns="rechnung.dsl.o2online.de mercernet.fr"
for os in $osbins; do for fqdn in $fqdns; do $os version; echo Q| $os s_client -connect $fqdn:443 -servername $fqdn ;echo $? ; done; done
Hi Peter,
On 05/07/2015 at 11:44 AM, Peter Mosmans wrote:
> It's more of a non-friendly way of the openssl binary to tell you that the handshake failed, as
> in: I think that an application should be able to handle this. You can always 2>/dev/null and
> check the result value ($?)
>
> "Handy" (cough) oneliner to test multiple openssl binaries and sites:
> osbins="/usr/bin/openssl /var/git/openssl/apps/openssl"; fqdns="rechnung.dsl.o2online.de mercernet.fr"
> for os in $osbins; do for fqdn in $fqdns; do $os version; echo Q| $os s_client -connect $fqdn:443 -servername $fqdn ;echo $? ; done; done
nah, it's not that easy.
- s_client -connect mercernet.fr seems to not work at all without specifying a protocol, independent of the binary. Not sure yet whether it should be treated like "exception, don't care"
- two binaries is a mess to recode and also I am afraid of side effects. I have currently over 100 instances in testssl.sh where $OPENSSL is being used. Not KISS.
- I am relying in numerous places that s_client -connect always succeeds. I put last night some logic in there (patch is not public yet) for freaking old farts (like IIS6 which normally belong on the junk yard). The logic tests whether it needs a protocol for a successful connect. If so, it does call some other instances of OPENSSL with an additional parameter. If not, it is supposed not to supply a protocol. This already is a bit shaky, as for the dying species of IIS6 it is a big workaround which needs to be tested thoroughly so that under EVERY CIRCUMSTANCE it doesn't break the majority of other servers. Not KISS either...
Plan is to update the binaries to the recent ones and then see (previous was
0611a84 from Sat Mar 28)
Cheers, Dirk
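The probe described in the comment above (try a default handshake first, fall back to an explicit protocol option only when the server needs one), combined with the earlier suggestion to discard output and check `$?`, as an added example. It is not testssl.sh code or anything posted in this thread; `handshake_ok`, `needed_protocol`, `fake_openssl` and the `*.example` hosts are hypothetical names, and the stub stands in for a real openssl binary so the block runs offline.

```sh
# handshake_ok BIN HOST [FLAG]: one s_client handshake, output discarded,
# result reported through the exit status only.
handshake_ok() {
    bin=$1 host=$2 flag=${3:-}
    # $flag is deliberately unquoted: empty means "no protocol option".
    echo Q | "$bin" s_client -connect "$host:443" -servername "$host" $flag \
        >/dev/null 2>&1
}

# needed_protocol BIN HOST: print "none" if the default hello works, else the
# first protocol option that works, else "failed" (and return 1).
needed_protocol() {
    if handshake_ok "$1" "$2"; then
        echo none
        return 0
    fi
    for proto in -tls1_2 -tls1_1 -tls1; do
        if handshake_ok "$1" "$2" "$proto"; then
            echo "$proto"
            return 0
        fi
    done
    echo failed
    return 1
}

# Constructed stand-in for an openssl binary (assumption, for offline runs):
# legacy.example only completes a handshake with -tls1, dead.example never
# does, any other host accepts the default hello.
fake_openssl() {
    case "$*" in
        *legacy.example*-tls1_*) return 1 ;;
        *legacy.example*-tls1)   return 0 ;;
        *legacy.example*)        return 1 ;;
        *dead.example*)          return 1 ;;
        *)                       return 0 ;;
    esac
}

for h in modern.example legacy.example dead.example; do
    printf '%s: %s\n' "$h" "$(needed_protocol fake_openssl "$h")"
done
```

Pass a real binary path instead of `fake_openssl` to probe a live host; callers then add the printed option to later `s_client` calls only when it is not `none`.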
Hi Peter,
compiled new binaries but it's still the same:
First the one from the system:
prompt% echo Q| /usr/bin/openssl s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de &>/dev/null ; echo $?
0
prompt% openssl64-1.0.2pm-static.chacha+poly version -a
OpenSSL 1.0.2-chacha (1.0.2b-dev)
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -static -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/ssl"
System:
prompt% echo Q| openssl64-1.0.2pm-static.chacha+poly s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de &>/dev/null ; echo $?
1
prompt% /usr/bin/openssl version -a
OpenSSL 1.0.1k 8 Jan 2015
built on: Thu Mar 19 15:25:09 2015
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -g -std=gnu99 -Wa,--noexecstack -fomit-frame-pointer -DTERMIO -DPURIFY -DSSL_FORBID_ENULL -D_GNU_SOURCE -Wall -fstack-protector -Wa,--noexecstack -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/ssl"
Any clues?
Cheers, Dirk
Hi Dirk,
Have you checked the output of a vanilla 1.0.2 build versus 1.0.1, to make sure it's not version (1.0.1 versus 1.0.2) related?
If not, please let me know, then I'll do this myself.
Cheers,
Peter
Hi Peter,
thx, I have a script which configures and provides in the end a tested binary.
Here's the result:
me@myhost:~/openssl echo Q| openssl-1.0.1m/apps/openssl s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de &>/dev/null ; echo $?
0
me@myhost:~/openssl echo Q| openssl-1.0.2/apps/openssl s_client -connect rechnung.dsl.o2online.de:443 -servername rechnung.dsl.o2online.de &>/dev/null ; echo $?
1
me@myhost:~/openssl
F.. :-/ I guess you were right. ;-) How come that this changed?
Cheers, Dirk
I'm glad that the 1.0.2-chacha code shows the same result as the vanilla build :)
It could be a number of reasons, e.g. the increase in ciphers. In the next week or so I will be doing some tests with my test_ssl_handshake script, to see if I can find the culprit.
However, I'm going to close this issue if you don't mind, as it is not 1.0.2-chacha related.
Sure. Still I am scratching my head because of this change, any clues?