In the section, we will learn how to debug common SSL-related issues:
nmap
utility as shown:root@bash :/home/ubuntu# nmap --script ssl-cert,ssl-enum-ciphers -p 443 10.0.0.106 Starting Nmap 6.40 ( http://nmap.org ) at 2015-08-03 16:49 UTC Nmap scan report for ip-10-0-0-106.ap-southeast-1.compute.internal (10.0.0.106) Host is up (0.000067s latency). PORT STATE SERVICE 443/tcp open https | ssl-cert: Subject: commonName=ip-10-0-0-106/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU | Issuer: commonName=ip-10-0-0-106/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU | Public Key type: rsa | Public Key bits: 2048 | Not valid before: 2015-07-28T14:43:45+00:00 | Not valid after: 2016-07-27T14:43:45+00:00 | MD5: 9ba5 0ea9 14b2 0793 7fe6 9329 08ce fab3 |_SHA-1: 1604 27b6 4f1c a838 9a9d db67 3136 88de effb f881 | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | compressors: | NULL |_ least strength: strong
nmap
output shows the server supports TLSv1.2 and one cipher suite. If the client connects with other SSL protocols or cipher suites the server doesn't support, the server will return with handshake failure. For example, connecting the same server with TLSv1.1 will return an error:rootbash # curl -k --tlsv1.1 https://10.0.0.106 curl: (35) Unknown SSL protocol error in connection to 10.0.0.106:443
root@bash # curl -k --ciphers EXP-RC2-CBC-MD5 https://10.0.0.106 curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
unknown_ca
error check the following find the hash value from the certificate, private key and CSR file use the following commands:bash $ openssl x509 -noout -modulus -in server.crt | openssl md5 f637e8d51413ff7fa8d609e21cb27244 bash $ openssl rsa -noout -modulus -in server.key | openssl md5 f637e8d51413ff7fa8d609e21cb27244 bash $ openssl req -noout -modulus -in server.csr | openssl f637e8d51413ff7fa8d609e21cb27244
The md5 hash value of csr
, cer
, and the private key will be the same, if csr
is generated with the client private key, though the certificate is generated by using the CA (Intermediate CA) private key.
If the md5 file is the same, then verify that the certificate issued by the CA matches its path:
bash $ openssl verify -verbose -CAfile cacert.pem server.crt bash $ openssl verify -verbose -CAfile cacert.pem client.crt
3.143.235.23