*Guys, good afternoon!*

*1) OS information*

*Server*
------
CentOS release 5.2
OpenSSL 0.9.8k 25 Mar 2009
Apache 2.2
JBoss-4.2.2

*Client*
------
CentOS release 5.2
OpenSSL 0.9.8b 04 May 2006 (Library: OpenSSL 0.9.8h 28 May 2008)

Both have certificate files.

*2) Problem and tests*

I have a system based on communication between a client and a server; in this system it is possible to send commands from the server to the client, for example, to send log files, and the files from the client are sent to the server. But I have had some problems with OpenSSL. I think that the problem is OpenSSL, because, before some errors, I tried to communicate the server with the client only with OpenSSL (the commands below):

*openssl s_client -debug -msg -ssl3 -connect 192.168.13.57:60002*
---------------------------------------------------------------
CONNECTED(00000003)
write to 0x8738c20 [0x87518a0] (94 bytes => 94 (0x5E))
0000 - 16 03 00 00 59 01 00 00-55 03 00 4a ce 18 7c 78   ....Y...U..J..|x
0010 - 4f a4 1e f0 17 58 7a a8-8d ec a7 d0 0f 86 b8 68   O....Xz........h
0020 - 2e 86 1f d6 c5 6c ca 4f-51 15 64 00 00 28 00 39   .....l.OQ.d..(.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
0040 - 00 07 00 05 00 04 00 15-00 12 00 09 00 14 00 11   ................
0050 - 00 08 00 06 00 03 01 00-00 04 00 23               ...........#
005e - <SPACES/NULS>
>>> SSL 3.0 Handshake [length 0059], ClientHello
    01 00 00 55 03 00 4a ce 18 7c 78 4f a4 1e f0 17
    58 7a a8 8d ec a7 d0 0f 86 b8 68 2e 86 1f d6 c5
    6c ca 4f 51 15 64 00 00 28 00 39 00 38 00 35 00
    16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00
    04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00
    03 01 00 00 04 00 23 00 00
read from 0x8738c20 [0x874d090] (5 bytes => -1 (0xFFFFFFFF))
write:errno=104

*openssl s_client -debug -msg -ssl2 -connect 192.168.13.57:60002*
---------------------------------------------------------------
CONNECTED(00000003)
write to 0x8945d90 [0x895c729] (48 bytes => 48 (0x30))
0000 - 80 2e 01 00 02 00 15 00-00 00 10 07 00 c0 05 00   ................
0010 - 80 03 00 80 01 00 80 06-00 40 04 00 80 02 00 80   .........@......
0020 - 06 c8 b3 16 3f fb a8 85-75 8c aa 90 9a a1 db 8c   ....?...u.......
>>> SSL 2.0 [length 002e], CLIENT-HELLO
    01 00 02 00 15 00 00 00 10 07 00 c0 05 00 80 03
    00 80 01 00 80 06 00 40 04 00 80 02 00 80 06 c8
    b3 16 3f fb a8 85 75 8c aa 90 9a a1 db 8c
read from 0x8945d90 [0x8954720] (2 bytes => -1 (0xFFFFFFFF))
write:errno=104

*openssl s_client -debug -msg -ssl3 -connect 192.168.13.57:443*
-------------------------------------------------------------
connect: Connection refused
connect:errno=29

*openssl s_client -debug -msg -ssl2 -connect 192.168.13.57:443*
-------------------------------------------------------------
connect: Connection refused
connect:errno=29

*Error: Apache*
--------------
[Thu Oct 08 17:12:39 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Thu Oct 08 17:12:39 2009] [info] [client 192.168.13.57] SSL library error 1 reading data
[Thu Oct 08 17:12:39 2009] [info] SSL Library Error: 336130329 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Thu Oct 08 17:12:39 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Thu Oct 08 17:12:39 2009] [info] [client 192.168.13.57] Connection closed to child 0 with standard shutdown (server sslejmtransfer.hst.br:443)

There is a difference between the OpenSSL client and server, in version and ciphers:

- I tried changing the version of OpenSSL on the server, but even after changing it, the error didn't change.
- My keys are 1024, and I saw that there is a difference between the ciphers on the server and the client. Below, we can see that there are 5 ciphers disabled on the server (include/openssl/tls1.h) that don't appear on the list (openssl ciphers -v).

*Server*
------
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DES-CBC3-MD5
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
IDEA-CBC-SHA
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-SHA
RC4-MD5
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
DES-CBC-MD5
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP-RC4-MD5

*Client*
------
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA

*tls1.h*
------
tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5          0x03000060
tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5      0x03000061
tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA         0x03000062
tls1.h:#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA     0x03000063
tls1.h:#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA          0x03000064
tls1.h:#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5         "EXP1024-RC4-MD5"
tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5     "EXP1024-RC2-CBC-MD5"
tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA        "EXP1024-DES-CBC-SHA"
tls1.h:#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA    "EXP1024-DHE-DSS-DES-CBC-SHA"
tls1.h:#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA         "EXP1024-RC4-SHA"
tls1.h:#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     "EXP1024-DHE-DSS-RC4-SHA"

I want to do the test with these ciphers. So, *I NEED TO KNOW HOW I CAN ENABLE THESE CIPHERS?*

Can someone help me???

Thanks for your attention and help.

Best regards,
Mariana Hoffart Dias
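Added example, not part of the post and not OpenSSL code: a small Python parser for the SSL 3.0 ClientHello that the `-ssl3` s_client run above sent, listing the cipher suites the client actually offered and flagging the export-grade ones. The suite names come from the post's `openssl ciphers -v` output and the EXP1024 definitions quoted from tls1.h; the EXP1024 ids 0x0060-0x0065 are kept in the table so that their absence from the offered list is visible.

```python
import struct

# ClientHello copied from the "-msg" output in the post (5-byte record header stripped)
CLIENT_HELLO_HEX = (
    "01 00 00 55 03 00 4a ce 18 7c 78 4f a4 1e f0 17 58 7a a8 8d ec a7 d0 0f 86 b8 68 "
    "2e 86 1f d6 c5 6c ca 4f 51 15 64 00 00 28 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 "
    "00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01 00 "
    "00 04 00 23 00 00"
)

# Suite ids -> OpenSSL names (server list from the post, plus the tls1.h EXP1024 ids)
SUITE_NAMES = {
    0x0039: "DHE-RSA-AES256-SHA", 0x0038: "DHE-DSS-AES256-SHA", 0x0035: "AES256-SHA",
    0x0016: "EDH-RSA-DES-CBC3-SHA", 0x0013: "EDH-DSS-DES-CBC3-SHA", 0x000A: "DES-CBC3-SHA",
    0x0033: "DHE-RSA-AES128-SHA", 0x0032: "DHE-DSS-AES128-SHA", 0x002F: "AES128-SHA",
    0x0007: "IDEA-CBC-SHA", 0x0005: "RC4-SHA", 0x0004: "RC4-MD5",
    0x0015: "EDH-RSA-DES-CBC-SHA", 0x0012: "EDH-DSS-DES-CBC-SHA", 0x0009: "DES-CBC-SHA",
    0x0014: "EXP-EDH-RSA-DES-CBC-SHA", 0x0011: "EXP-EDH-DSS-DES-CBC-SHA",
    0x0008: "EXP-DES-CBC-SHA", 0x0006: "EXP-RC2-CBC-MD5", 0x0003: "EXP-RC4-MD5",
    0x0060: "EXP1024-RC4-MD5", 0x0061: "EXP1024-RC2-CBC-MD5", 0x0062: "EXP1024-DES-CBC-SHA",
    0x0063: "EXP1024-DHE-DSS-DES-CBC-SHA", 0x0064: "EXP1024-RC4-SHA",
    0x0065: "EXP1024-DHE-DSS-RC4-SHA",
}

def parse_client_hello(data: bytes) -> dict:
    """Return version, session id and offered suite ids from a ClientHello handshake message."""
    if data[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(data[1:4], "big")      # 3-byte handshake length
    body = data[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    major, minor = body[0], body[1]                   # 03 00 = SSL 3.0
    sid_len = body[34]                                # 2 version + 32 random bytes precede it
    pos = 35 + sid_len
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": (major, minor), "session_id": body[35:35 + sid_len], "suites": suites}

def offered_export_suites(data: bytes) -> list:
    """Ids of offered suites whose OpenSSL name starts with EXP (40/56-bit export grade)."""
    return [s for s in parse_client_hello(data)["suites"]
            if SUITE_NAMES.get(s, "").startswith("EXP")]

if __name__ == "__main__":
    info = parse_client_hello(bytes.fromhex(CLIENT_HELLO_HEX))
    print(f"version {info['version'][0]}.{info['version'][1]}, {len(info['suites'])} suites offered:")
    for s in info["suites"]:
        name = SUITE_NAMES.get(s, "unknown")
        print(f"  0x{s:04x} {name}" + ("  [export-grade]" if name.startswith("EXP") else ""))
```

Running it shows the 20 suites from the hex dump above: five of them are the 40-bit EXP-* suites, and none of the EXP1024 ids from tls1.h are in the offer at all, so they were never proposed by this client.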