On Thu, Aug 7, 2014 at 5:29 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Thu, Aug 07, 2014, Jeffrey Walton wrote:
>
>> I'm trying to track down a client side issue with the use of HTTPS. I
>> suspect it has something to do with a server misconfiguration and
>> client side certificates.
>>
>> When running s_client:
>>
>> $ echo -e "GET / HTTP/1.1\nHost:example.com\n" | \
>>     openssl s_client -connect example.com:443 -ssl3 -ign_eof -CAfile ca-cert.pem
>>
>> Is there a message displayed that documents the server requesting a
>> client certificate?
>
> If the server disconnects without completing the handshake you won't actually
> see the certificate request and session details. Try the -prexit option which
> tries to print out session details even if the handshake doesn't complete.
>
> OpenSSL 1.0.2 has a trace output available if you compile OpenSSL with
> enable-ssl-trace and use the -trace option to s_client.

Thanks Doctor.

In the output below, there is a second certificate chain dumped after
the session info. Would that be related to client certificates? I
don't recall seeing that dump in the past.

Is that what I am looking for if client certs are being requested by
the server?

Thanks again.

**********

riemann$ echo -e "GET / HTTP/1.1\nHost:example.com\n" | openssl s_client -connect example.com:443 -ssl3 -ign_eof -prexit -CAfile Equifax_Secure_Certificate_Authority.pem
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G2
verify return:1
depth=0 C = ES, ST = Malaga, L = Malaga, O = Example Co., CN = www.example.com, OU = Example Co.
verify return:1
---
Certificate chain
 0 s:/C=ES/ST=Malaga/L=Malaga/O=Example Co./CN=www.example.com/OU=Example Co.
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIExjCCA66gAwIBAgIQeee0uwSySeNXOkI+BUoMMzANBgkqhkiG9w0BAQUFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
...
doLsKI2R6RQA/7IcuTpKkvLF5wYKvmocPxYVg9FOoFvKV0wjWo6qlwsANPAVov+7
zFzZreROa7lBj8UH0IyYjLmBrbe1yMr/Cmg=
-----END CERTIFICATE-----
subject=/C=ES/ST=Malaga/L=Malaga/O=Example Co./CN=www.example.com/OU=Example Co.
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3417 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: 983300008E39694619E0354A9784315259838AC48A16DDF7708AA275B43A2B83
    Session-ID-ctx:
    Master-Key: BC233F93CEFEAC988058669EBD2614C377F754D661A357AD671D488388401475B9EDB6C025114DD8C43C8939EF7D46AA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407447531
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G2
verify return:1
depth=0 C = ES, ST = Malaga, L = Malaga, O = Example Co., CN = www.example.com, OU = Example Co.
verify return:1
read R BLOCK
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /Login/Login
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Aug 2014 21:38:25 GMT
Content-Length: 129

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Login/Login">here</a>.</h2>
</body></html>
^C
riemann$
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
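
An added example, not part of the original thread or of OpenSSL: a small parser that reads a saved s_client transcript and reports which client-CA line it contains and how many leaf-certificate (depth=0) verify lines appear before and after the SSL-Session block. The function name `summarize`, the result keys and the sample transcript are constructed for illustration; "Acceptable client certificate CA names" is the header s_client prints in place of "No client certificate CA names sent" when the server supplied a non-empty CA list.

```python
# Constructed transcript, trimmed to the shape of the s_client output in the thread.
SAMPLE = """\
CONNECTED(00000003)
depth=0 C = ES, O = Example Co., CN = www.example.com
verify return:1
---
Certificate chain
 0 s:/C=ES/O=Example Co./CN=www.example.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
---
No client certificate CA names sent
---
SSL-Session:
    Protocol  : SSLv3
    Verify return code: 0 (ok)
---
depth=0 C = ES, O = Example Co., CN = www.example.com
verify return:1
read R BLOCK
HTTP/1.1 301 Moved Permanently
"""

def summarize(transcript):
    """Report the client-CA section and where leaf-certificate verify lines occur."""
    result = {"client_ca": "not_shown", "ca_names": [],
              "leaf_verifies_before_session": 0, "leaf_verifies_after_session": 0}
    seen_session = collecting = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if collecting:
            # Assumption: CA names are printed one per line in "/C=.../CN=..." form,
            # the same one-line format the thread's output uses for subject/issuer.
            if line.startswith("/"):
                result["ca_names"].append(line)
                continue
            collecting = False
        if line == "Acceptable client certificate CA names":
            result["client_ca"], collecting = "ca_names_sent", True
        elif line == "No client certificate CA names sent":
            result["client_ca"] = "no_ca_names"
        elif line.startswith("SSL-Session:"):
            seen_session = True
        elif line.startswith("depth=0 "):
            key = "after" if seen_session else "before"
            result[f"leaf_verifies_{key}_session"] += 1
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result of `not_shown` corresponds to the case described in the reply above, where the handshake did not complete and s_client printed neither line.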