From: Olivier
To: questions@freebsd.org
Subject: Inconsistencies in openssl s_client
Date: Fri, 30 Jun 2017 09:35:30 +0700

Hi,

I am running openssl s_client from various FreeBSD systems, to the same target, and get varying answers:

-- Machine 1 --

$ uname -a
FreeBSD banyan.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #8 r314131: Tue Feb 28 15:14:01 ICT 2017     root@banyan.cs.ait.ac.th:/usr/obj/usr/src/sys/CSIM  amd64

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted ]
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A201BE4B96B0BCFE648C7392AC579AD974DC098188962583929DFEA49245C4C7
    Session-ID-ctx:
    Master-Key: 00DB3B00AC0CA6A0F6A9AC4B6EE32819A7C0F4400C12CFCA898CE5D1715EBE56108720E7812CF6936ACB5C1B969DA022
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 49 62 08 8c b2 20 f1 e6-c9 55 dd 56 ef 13 42 70   Ib... ...U.V..Bp
    0010 - 62 55 e1 43 68 a7 20 e7-63 04 c3 b0 0e 36 dd 80   bU.Ch. .c....6..
    0020 - 92 8b a3 89 35 a7 36 1f-d4 21 c1 3f 2c b2 cf d5   ....5.6..!.?,...
    0030 - ff fc 42 22 ea 45 24 bf-ab 05 0e a8 28 00 28 d3   ..B".E$.....(.(.
    0040 - 9f 69 27 dc 26 77 83 76-e6 c8 58 63 ed cd 51 af   .i'.&w.v..Xc..Q.
    0050 - 75 3d d2 96 90 02 7d 5c-33 fa e9 47 97 34 cb a4   u=....}\3..G.4..
    0060 - ce b5 8e 2d 74 b1 d9 57-b3 9d 14 8f 56 ca cf 2a   ...-t..W....V..*
    0070 - 8e a5 4d 2b 3e 3c 8b c3-77 58 59 b5 cb 2b 13 df   ..M+><..wXY..+..
    0080 - d4 b0 85 af 04 38 c7 25-8a 13 b0 c0 12 58 44 32   .....8.%.....XD2
    0090 - eb 68 f4 5a 1a 86 2c 9d-43 63 25 e1 22 d3 9e 2c   .h.Z..,.Cc%..".,
    00a0 - c5 1a 9b 42 4a 13 b9 2f-c7 07 e5 33 e3 cf be 3e   ...BJ../...3...>
    00b0 - 1c 2e 96 b1 e2 b7 fd 2b-4e 1d 25 d8 2a 60 20 c0   .......+N.%.*` .

    Start Time: 1498789404
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This one worked fine.

-- Machine 2 --

$ uname -a
FreeBSD sysl.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #14 r314329: Tue Feb 28 10:51:32 ICT 2017     root@sysl.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and Master-Key, as expected ]
    Start Time: 1498789404
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This one also worked fine.

-- Machine 3 --

$ uname -a
FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and Master-Key, as expected ]
    Start Time: 1498789329
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

That one failed.

-- Machine 4 --

$ uname -a
FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386

$ openssl s_client -showcerts -connect www.cs.ait.ac.th:443
[ lot of stuff deleted, same exact contents as above ]
[ everything is the same except the Session-ID, Session-Ticket and Master-Key, as expected ]
    Start Time: 1498789709
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

This one failed too.

-- Why? --

Why do machines 3 and 4 differ from machines 1 and 2 (and all the other machines I have tested)? What could be the difference?

Machines 3 and 4 are almost clones (I am trying to migrate FreeRadius from 2.2 to 3.0, so I cloned the machine).

I could see that ca_root_nss is newer on 3 and 4 (3.31, compared to 3.30 on 1 and 3.29 on 2).

I am completely at a loss and help would be greatly welcome.

TIA,

Olivier
--