Date:      Fri, 30 Jun 2017 09:35:30 +0700
From:      Olivier <Olivier.Nicole@cs.ait.ac.th>
To:        questions@freebsd.org
Subject:   Inconsistencies in openssl s_client
Message-ID:  <wu7efu2cidp.fsf@banyan.cs.ait.ac.th>

Hi,

I am running openssl s_client from various FreeBSD systems, to the same
target, and get varying answers:

-- Machine 1 --

$ uname -a
FreeBSD banyan.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #8 r314131: Tue Feb 28 15:14:01 ICT 2017     root@banyan.cs.ait.ac.th:/usr/obj/usr/src/sys/CSIM  amd64
$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted ]
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A201BE4B96B0BCFE648C7392AC579AD974DC098188962583929DFEA49245C4C7
    Session-ID-ctx: 
    Master-Key: 00DB3B00AC0CA6A0F6A9AC4B6EE32819A7C0F4400C12CFCA898CE5D1715EBE56108720E7812CF6936ACB5C1B969DA022
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 49 62 08 8c b2 20 f1 e6-c9 55 dd 56 ef 13 42 70   Ib... ...U.V..Bp
    0010 - 62 55 e1 43 68 a7 20 e7-63 04 c3 b0 0e 36 dd 80   bU.Ch. .c....6..
    0020 - 92 8b a3 89 35 a7 36 1f-d4 21 c1 3f 2c b2 cf d5   ....5.6..!.?,...
    0030 - ff fc 42 22 ea 45 24 bf-ab 05 0e a8 28 00 28 d3   ..B".E$.....(.(.
    0040 - 9f 69 27 dc 26 77 83 76-e6 c8 58 63 ed cd 51 af   .i'.&w.v..Xc..Q.
    0050 - 75 3d d2 96 90 02 7d 5c-33 fa e9 47 97 34 cb a4   u=....}\3..G.4..
    0060 - ce b5 8e 2d 74 b1 d9 57-b3 9d 14 8f 56 ca cf 2a   ...-t..W....V..*
    0070 - 8e a5 4d 2b 3e 3c 8b c3-77 58 59 b5 cb 2b 13 df   ..M+><..wXY..+..
    0080 - d4 b0 85 af 04 38 c7 25-8a 13 b0 c0 12 58 44 32   .....8.%.....XD2
    0090 - eb 68 f4 5a 1a 86 2c 9d-43 63 25 e1 22 d3 9e 2c   .h.Z..,.Cc%."..,
    00a0 - c5 1a 9b 42 4a 13 b9 2f-c7 07 e5 33 e3 cf be 3e   ...BJ../...3...>
    00b0 - 1c 2e 96 b1 e2 b7 fd 2b-4e 1d 25 d8 2a 60 20 c0   .......+N.%.*` .

    Start Time: 1498789404
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This one worked fine.


-- Machine 2 --

$ uname -a
FreeBSD sysl.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #14 r314329: Tue Feb 28 10:51:32 ICT 2017     root@sysl.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386
$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and
Master-Key, as expected ]
    Start Time: 1498789404
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This one also worked fine.


-- Machine 3 --

$ uname -a
FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386
$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and
Master-Key, as expected ]
    Start Time: 1498789329
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

That one failed.


-- Machine 4 --

$ uname -a
FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386
$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and
Master-Key, as expected ]
    Start Time: 1498789709
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

This one failed too.


-- Why? --

Why do machines 3 and 4 differ from machines 1 and 2 (and all the other
machines I have tested)? What could be the difference?

Machines 3 and 4 are almost clones (I am trying to migrate FreeRadius
from 2.2 to 3.0, so I cloned the machine).

I could see that ca_root_nss is newer on 3 and 4 (3.31, compared to 3.30
on 1 and 3.29 on 2).

I am completely at a loss and help would be greatly welcome.

TIA,

Olivier
-- 
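The post compares four hosts by eye and reads the `Verify return code` line out of a long `s_client` dump. The script below is an added example, not code from the original message or from FreeBSD/OpenSSL: it parses the two pieces of `openssl s_client -showcerts` output that matter for a code 20 (the verification result, and the issuer of the last certificate the server sent, which is the name the local trust store must contain), and checks whether a trust-store path on disk actually resolves to a bundle. The sample output inside the script is constructed for illustration, not captured from the hosts in the post. The path `/etc/ssl/cert.pem` is assumed to be where the base OpenSSL on FreeBSD looks for its default CA bundle, and `/usr/local/share/certs/ca-root-nss.crt` is assumed to be the file the `ca_root_nss` port installs; both are assumptions to confirm on the machines in question rather than facts stated in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pull the verification result and
# the chain's top issuer out of `openssl s_client -showcerts` output, and check
# whether a CA bundle path resolves to a real file.

# Constructed sample of the relevant s_client lines (not real output of the
# servers in the post). Chain summary lines use the "s:" / "i:" prefixes that
# s_client prints, followed by the SSL-Session block.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C = XX, O = Example CA, CN = Example Intermediate
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=XX/O=Example/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example Intermediate
 1 s:/C=XX/O=Example CA/CN=Example Intermediate
   i:/C=XX/O=Example CA/CN=Example Root
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 20 (unable to get local issuer certificate)
---'

# verify_code: read s_client output on stdin and print the numeric
# "Verify return code" (0 = chain verified against the local trust store).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# top_issuer: read s_client output on stdin and print the issuer of the last
# certificate the server sent. With verify code 20 this is the CA subject the
# client could not find locally, so it is the name to look for in the bundle.
top_issuer() {
    sed -n '/^Certificate chain/,/^---/p' | sed -n 's/^ *i:\(.*\)/\1/p' | tail -n 1
}

# trust_store_status: classify a CA bundle path as "file", "symlink -> target",
# "dangling -> target" (symlink whose target is gone) or "missing". A missing or
# dangling default bundle makes every chain fail with code 20 even though the
# server is fine, which matches a failure that differs from host to host.
trust_store_status() {
    path=$1
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        if [ -e "$path" ]; then
            echo "symlink -> $target"
        else
            echo "dangling -> $target"
        fi
    elif [ -f "$path" ]; then
        echo "file"
    else
        echo "missing"
    fi
}

# Stand-alone run: diagnose the constructed sample, then inspect the two paths
# assumed above for the base OpenSSL default bundle and the ca_root_nss bundle.
code=$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_code)
echo "verify return code: $code"
if [ "$code" = "20" ]; then
    echo "issuer missing from local trust store: $(printf '%s\n' "$SAMPLE_OUTPUT" | top_issuer)"
fi
echo "/etc/ssl/cert.pem: $(trust_store_status /etc/ssl/cert.pem)"
echo "/usr/local/share/certs/ca-root-nss.crt: $(trust_store_status /usr/local/share/certs/ca-root-nss.crt)"
```

To use it against a live connection, pipe the real output in: `openssl s_client -showcerts -connect host:443 </dev/null 2>&1 | verify_code`. A useful follow-up check on a host that reports 20 is to rerun `s_client` with `-CAfile /usr/local/share/certs/ca-root-nss.crt` (assumed ca_root_nss path): if the code drops to 0, the server chain is fine and the difference between hosts lies in which default bundle, if any, the base OpenSSL finds.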


