[openssl-users] OpenSSL 1.1.1 pre-7 or pre-8 connect to 1.1.1 pre-9 oddity?
Dennis Clarke
dclarke at blastwave.org
Fri Aug 24 02:03:36 UTC 2018
I find it interesting that openssl 1.1.1-pre7 can not connect to a
server which has openssl 1.1.1-pre9 in place. Nor can Firefox nightly.
$ /usr/local/bin/openssl version
OpenSSL 1.1.1-pre7 (beta) 29 May 2018
$ /usr/local/bin/openssl s_client -connect 68.179.116.201:443 -tls1_3
CONNECTED(00000003)
4294967296:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert
protocol version:ssl/record/rec_layer_s3.c:1569:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 242 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1535074652
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
$
Looks similar to a system with OpenSSL 1.1.1-pre8 :
$ /usr/local/bin/openssl version
OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018
$ /usr/local/bin/openssl s_client -connect 68.179.116.201:443 -tls1_3
CONNECTED(00000003)
4294967296:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert
protocol version:ssl/record/rec_layer_s3.c:1556:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 242 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1535074764
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
$
However a client with OpenSSL 1.1.1-pre9 has much more to say :
min_$ /usr/local/bin/openssl version
OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018
min_$ /usr/local/bin/openssl s_client -connect 68.179.116.201:443 -tls1_3
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.tls13.net
verify return:1
---
Certificate chain
0 s:CN = *.tls13.net
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGAjCCBOqgAwIBAgISA3lbcjYuS0tUnszwWevJIyQaMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MjgwNjAzNDBaFw0x
ODA4MjYwNjAzNDBaMBYxFDASBgNVBAMMCyoudGxzMTMubmV0MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsBAe67Fo6plfaNkcKLwN9t9YqT0K56RHZ8U2
3AdLG3P56jPfZJ72JmVZB7GcxIQJL02DOmgLEv2Z2YCJyMqkSZFRpDEVR/Y5URN6
DXqxLr5GTX421aTgBY10+9psJnoBgeV5PlEipZ6cQEg9CrF+RYZcOn/FzEQL1eXC
/G4K03X0r8YOn5zPWj8NXhHptC9qRImy6REnivWs3CEEQLg5+tzQwjYt8V/IiRrl
SbMCZlpAYxVMOeAtvhQXffbXYIgnm6ypmaBzSWM+z/25yPgwhXUDyktn6r6k6mRH
D5mnjPoVg0Xk0SgqE0oHAONfCwRnP0ZYtYUp40sSc2k3BygceQIDAQABo4IDFDCC
AxAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS9g2YSl7BF5PPZD7xb8hOxBrQJXDAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEw
LgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcw
LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
MBYGA1UdEQQPMA2CCyoudGxzMTMubmV0MIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIB
MIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRz
ZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBt
YXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9u
bHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91
bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wggEFBgor
BgEEAdZ5AgQCBIH2BIHzAPEAdwApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTl
RUf0eAAAAWOlj0izAAAEAwBIMEYCIQC5o0yxNe2SY1sA6ZvPhHCEo6J4itPKKQ0s
EnCgEWq1gQIhAPsDEFYOPxHrii5/B8pDtTvQGuj9HfPFqiDES9QJ73XMAHYAb1N2
rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFjpY9JuwAABAMARzBFAiEA
g0nicYbN9QLQbprHPQUdzFVDFt1L1XAn9Z3NvFY8OH4CIC+gq3Bb1C/TMWhDrcCb
4W+BzWQup0B1GGdIGKC+N8zcMA0GCSqGSIb3DQEBCwUAA4IBAQBurQFuNye9qk4W
hsIYfRh3zDyB3oW0x9XZFxeWVS5Lyk05DE9cgTku1roZ2d+OMNOOOeUhhUWZfGQO
/C/972Am/4gT5QyiiEXZjeASQz5zvrbur0b5qI4nhAUdQ54be7D+vvqMjSN5BH0F
0+7Y7DxIIvUWmWPtyfA3mQI0anbA3WelnDoon/HiAwvdzj130fABl4M81PUN3GVf
ySsGXKitxY8HofArokYLygbwFVe3A1H4cyWwLQk+vHXDyYJWqh78UFhXS2A6kjwg
1vNRzOHTLCQfYIoWw8CePPeKTbxc7sr3zRBhNCYN/5rhzniBymc72wDcPOXpXSB3
PrK8bh7S
-----END CERTIFICATE-----
subject=CN = *.tls13.net
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3277 bytes and written 318 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
28BDFEE2BCCD4A96147F0896C2140A6F011904108294FF4E1BD777CCFFCD65AA
Session-ID-ctx:
Resumption PSK:
2942321AF1EAC0C009D578AD3F33707B0715A28A734296AEE627D3924A5FEE4BA5D57EAA3422401460D14AB2EC66784C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 29 2d 6e a5 eb f0 24 15-09 4b a7 c7 80 61 21 12 )-n...$..K...a!.
0010 - 55 21 07 47 d2 ad f8 73-fa 60 95 c4 d9 7e bf 69 U!.G...s.`...~.i
0020 - 8e a8 b5 3b 8d 58 10 8e-5e 21 67 7e 73 8d f7 49 ...;.X..^!g~s..I
0030 - 28 66 84 b9 96 b2 de 4a-f4 92 47 35 bf b9 19 b0 (f.....J..G5....
0040 - b9 5b 78 13 7a 9e e1 51-a6 ed e0 b0 09 14 91 5b .[x.z..Q.......[
0050 - c8 94 1c b9 ac d2 ce 1d-bf b4 47 63 77 49 75 71 ..........GcwIuq
0060 - 40 cc 01 d5 6f 77 0d b1-ea 96 81 48 5e 9d 89 da @...ow.....H^...
0070 - 30 d0 2e e8 a7 a7 1c 07-e2 1c f3 f5 aa 96 58 4c 0.............XL
0080 - f9 ba 8e 01 c7 ad 38 6e-da ee 15 ed 24 53 81 26 ......8n....$S.&
0090 - 9d 34 cd c2 c7 70 39 36-43 44 0d 40 05 3e 45 5f .4...p96CD. at .>E_
00a0 - d8 65 5f 6b 77 ab f2 fa-a5 ea 47 7e 5f 82 d8 db .e_kw.....G~_...
00b0 - 32 7d b5 8b 25 e9 83 23-fe 1a f0 79 d3 c8 52 23 2}..%..#...y..R#
00c0 - ec c8 76 a6 b6 c3 00 99-e8 21 91 cf 69 50 3c d0 ..v......!..iP<.
00d0 - b7 5f d7 ed 70 0b b3 02-34 d3 90 fb 4d 21 b8 1d ._..p...4...M!..
Start Time: 1535075008
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
D8D05B640BF1B476B096BA4DD5CD188DD25F2DCC7799A6C8ED39800BBC6C1D71
Session-ID-ctx:
Resumption PSK:
427A9747E8A65332AB7C61E556D3320995AE950ED35B162D4268BD8A909B268DA75F87B36A551344C534F3D2C63AD21E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 29 2d 6e a5 eb f0 24 15-09 4b a7 c7 80 61 21 12 )-n...$..K...a!.
0010 - 6d 59 da 8b 91 bb 5e c9-c9 4b c3 ec 45 9c ca 0c mY....^..K..E...
0020 - 45 65 32 38 da e4 e4 e7-8e f8 eb 43 08 8e 25 64 Ee28.......C..%d
0030 - 22 65 a3 f5 2f b3 e1 90-d2 8a 0c e4 94 a1 5d 9a "e../.........].
0040 - 22 f3 14 5d 08 6b 53 fa-0f 82 47 0d b5 ea be a0 "..].kS...G.....
0050 - e0 9c 58 7d 57 00 81 89-e7 1e df 25 cd 42 38 96 ..X}W......%.B8.
0060 - 93 56 1f 12 14 22 db 84-19 c0 23 de 16 4d 60 72 .V..."....#..M`r
0070 - 4c b8 33 96 68 a1 aa 10-45 69 ab 38 e0 c1 10 be L.3.h...Ei.8....
0080 - 7d cf 5e 86 8a 37 9a 41-f4 e5 f5 ab 82 04 59 42 }.^..7.A......YB
0090 - 50 a1 ad bb 45 c6 26 89-22 59 a3 72 6f e2 15 31 P...E.&."Y.ro..1
00a0 - fa 93 ed d4 f4 fc 17 bb-d8 4d ed 31 b2 85 a5 e0 .........M.1....
00b0 - b4 7e 6c 7f 94 4e ce d8-72 ac 97 28 61 bf bb 21 .~l..N..r..(a..!
00c0 - 79 74 8a 4b 28 5e ee 98-ef d1 0a 7b 4d bc e3 b3 yt.K(^.....{M...
00d0 - 7b 0c c5 3e a6 3c be 4b-03 16 5d d4 ce 83 dd d4 {..>.<.K..].....
Start Time: 1535075008
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
GET
HTTP/1.1 400 Bad Request
Date: Fri, 24 Aug 2018 01:43:34 GMT
Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.1-pre9
Strict-Transport-Security: max-age=31536000; includeSubdomains;
Last-Modified: Mon, 28 May 2018 19:03:30 GMT
ETag: "2b0-56d48c600191c"
Accept-Ranges: bytes
Content-Length: 688
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd" >
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Dennis Clarke at Blastwave and
GenUNIX with vi and coffee">
<meta name="CopyRight" content="Copyright 2002-2018 blastwave.org
Inc.">
<meta http-equiv="Pragma" content="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="Tue, 18 Mar 1997 00:00:00 GMT">
<meta http-equiv="Cache-Control" content="max-age=0, must-revalidate">
<title>error code 400 bad request</title>
</head>
<body>
error code 400 bad request ... that is all for now
</body>
</html>
closed
min_$
Seems to have been some interesting changes between pre7 and pre8
upwards to pre9. All systems have a full pile of CA cert data in
/usr/local/ssl/certs and similar openssl.cnf files. So this is odd or
fully expected?
Dennis
ps: https://www.tls13.net/ is running with OpenSSL 1.1.1-pre9
More information about the openssl-users
mailing list