Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Debugging issues

In the section, we will learn how to debug common SSL-related issues:

Know your SSL/TLS server. It's very important how the server is configured, which TLS version is used, and which cipher suites it supports. To do this, use the nmap utility as shown:

root@bash :/home/ubuntu# nmap --script ssl-cert,ssl-enum-ciphers -p 443 10.0.0.106
Starting Nmap 6.40 ( http://nmap.org ) at 2015-08-03 16:49 UTC
Nmap scan report for ip-10-0-0-106.ap-southeast-1.compute.internal (10.0.0.106)
Host is up (0.000067s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=ip-10-0-0-106/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Issuer: commonName=ip-10-0-0-106/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-07-28T14:43:45+00:00
| Not valid after:  2016-07-27T14:43:45+00:00
| MD5:   9ba5 0ea9 14b2 0793 7fe6 9329 08ce fab3
|_SHA-1: 1604 27b6 4f1c a838 9a9d db67 3136 88de effb f881
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

The nmap output shows the server supports TLSv1.2 and one cipher suite. If the client connects with other SSL protocols or cipher suites the server doesn't support, the server will return with handshake failure. For example, connecting the same server with TLSv1.1 will return an error:
```
rootbash # curl -k --tlsv1.1 https://10.0.0.106
curl: (35) Unknown SSL protocol error in connection to 10.0.0.106:443
```

Connecting with ciphers the server doesn't support will return a handshake error as shown:

root@bash # curl -k --ciphers  EXP-RC2-CBC-MD5  https://10.0.0.106
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Receiving the unknown_ca error check the following find the hash value from the certificate, private key and CSR file use the following commands:

bash $ openssl x509 -noout -modulus -in server.crt  | openssl md5
f637e8d51413ff7fa8d609e21cb27244
bash $ openssl rsa -noout -modulus -in  server.key | openssl md5
f637e8d51413ff7fa8d609e21cb27244
bash $ openssl req -noout -modulus -in  server.csr | openssl  f637e8d51413ff7fa8d609e21cb27244

The md5 hash value of csr, cer, and the private key will be the same, if csr is generated with the client private key, though the certificate is generated by using the CA (Intermediate CA) private key.

If the md5 file is the same, then verify that the certificate issued by the CA matches its path:

bash $ openssl verify -verbose -CAfile cacert.pem  server.crt
bash $ openssl verify -verbose -CAfile cacert.pem  client.crt

Note

Useful reference for SSL testing:

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Debugging issues

Create new playlist

Sign In

Sign Up

Debugging issues

Note

Table of Contents for
Debugging issues