Ping a Specific Port

Question

Virtuose

Asked: 2016-08-20 08:37:54 +0800 CST2016-08-20 08:37:54 +0800 CST 2016-08-20 08:37:54 +0800 CST

ssl handshake hanging on certificate chain from CentOS 5.8 with openssl 0.9.8e

772

We have some servers running CentOS 5.8 with OpenSSL 0.9.8e

openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

When trying to establish the connection to an LDAPS on port 636 from these servers (our servers are ssl clients here), the ssl exchange hangs when the remote server is presenting the certificate chain:

openssl s_client -connect 192.168.127.18:636 -state -nbio
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv3 read server hello A
SSL_connect:error in SSLv3 read server hello A
read R BLOCK
SSL_connect:error in SSLv3 read server hello A
read R BLOCK


openssl s_client -connect 192.168.127.18:636 -debug

[…]
1220 - 6c 75 74 69 6f 6e 73 2c-20 49 6e 63 2e 31 23 30   lutions, Inc.1#0
1230 - 21 06 03 55 04 03 13 1a-47 54 45 20 43 79 62 65   !..U....GTE Cybe
1240 - 72 54 72 75 73 74 20 47-6c 6f 62 61 6c 20 52 6f   rTrust Global Ro
1250 - 6f 74 00 63 30 61 31 0b-30 09 06 03 55 04 06 13   ot.c0a1.0...U...
1260 - 02 55 53 31 15 30 13 06-03 55 04 0a 13 0c 44 69   .US1.0...U....Di
1270 - 67 69 43 65 72 74 20 49-6e 63 31 19 30 17 06 03   giCert Inc1.0...
1280 - 55 04 0b 13 10 77 77 77-2e                        U....www.

I took a packet capture when trying to establish the connection

packetcapture1.pcap

1   0.000000   10.12.0.70 → 192.168.127.18 TCP 74 58171→636 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=3234347727 TSecr=0 WS=128
2   0.047751 192.168.127.18 → 10.12.0.70   TCP 74 636→58171 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1200 WS=256 SACK_PERM=1 TSval=203188744 TSecr=3234347727
3   0.047766   10.12.0.70 → 192.168.127.18 TCP 66 58171→636 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=3234347775 TSecr=203188744
4   0.049056   10.12.0.70 → 192.168.127.18 SSLv2 187 Client Hello
5   0.095966 192.168.127.18 → 10.12.0.70   TCP 66 636→58171 [ACK] Seq=1 Ack=122 Win=66304 Len=0 TSval=203188744 TSecr=3234347776
6   0.097828 192.168.127.18 → 10.12.0.70   TCP 1254 [TCP segment of a reassembled PDU]
7   0.097838 192.168.127.18 → 10.12.0.70   TCP 1254 [TCP segment of a reassembled PDU]
8   0.097842 192.168.127.18 → 10.12.0.70   TCP 1254 [TCP segment of a reassembled PDU]
9   0.097845 192.168.127.18 → 10.12.0.70   TCP 1254 [TCP segment of a reassembled PDU]
10   0.097884   10.12.0.70 → 192.168.127.18 TCP 66 58171→636 [ACK] Seq=122 Ack=1189 Win=8320 Len=0 TSval=3234347825 TSecr=203188744
11   0.097893   10.12.0.70 → 192.168.127.18 TCP 66 58171→636 [ACK] Seq=122 Ack=2377 Win=10624 Len=0 TSval=3234347825 TSecr=203188744
12   0.097900   10.12.0.70 → 192.168.127.18 TCP 66 58171→636 [ACK] Seq=122 Ack=3565 Win=13056 Len=0 TSval=3234347825 TSecr=203188744
13   0.097905   10.12.0.70 → 192.168.127.18 TCP 66 58171→636 [ACK] Seq=122 Ack=4753 Win=15360 Len=0 TSval=3234347825 TSecr=203188744
14  11.904578   10.12.0.70 → 192.168.127.18 TCP 66 58171→636 [FIN, ACK] Seq=122 Ack=4753 Win=15360 Len=0 TSval=3234359632 TSecr=203188744
15  12.152238   10.12.0.70 → 192.168.127.18 TCP 66 [TCP Spurious Retransmission] 58171→636 [FIN, ACK] Seq=122 Ack=4753 Win=15360 Len=0 TSval=3234359879 TSecr=203188744
16  12.646227   10.12.0.70 → 192.168.127.18 TCP 66 [TCP Spurious Retransmission] 58171→636 [FIN, ACK] Seq=122 Ack=4753 Win=15360 Len=0 TSval=3234360373 TSecr=203188744
17  13.634171   10.12.0.70 → 192.168.127.18 TCP 66 [TCP Spurious Retransmission] 58171→636 [FIN, ACK] Seq=122 Ack=4753 Win=15360 Len=0 TSval=3234361361 TSecr=203188744

When we specify ssl2 with openssl, the ssl exchange is correctly negotiated.

packetcapture2.pcap

openssl s_client  -connect 192.168.127.18:636 -ssl2

SSL-Session:
Protocol  : SSLv2
Cipher    : DES-CBC3-MD5
Session-ID: 67230000B3D8F8E135F4491CACBE5546
Session-ID-ctx:
Master-Key:
Key-Arg   : 6CA6AB4BCAA3A8B3
Krb5 Principal: None
Start Time: 1471624893
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

16   7.060533   10.12.0.70 → 192.168.127.18 TCP 74 36082→636 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=3235617155 TSecr=0 WS=128
17   7.108438 192.168.127.18 → 10.12.0.70   TCP 74 636→36082 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1200 WS=256 SACK_PERM=1 TSval=203315683 TSecr=3235617155
18   7.108456   10.12.0.70 → 192.168.127.18 TCP 66 36082→636 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=3235617203 TSecr=203315683
19   7.109678   10.12.0.70 → 192.168.127.18 SSLv2 111 Client Hello
20   7.156685 192.168.127.18 → 10.12.0.70   TCP 66 636→36082 [ACK] Seq=1 Ack=46 Win=66304 Len=0 TSval=203315683 TSecr=3235617204
21   7.157436 192.168.127.18 → 10.12.0.70   TCP 1254 [TCP segment of a reassembled PDU]
22   7.157492   10.12.0.70 → 192.168.127.18 TCP 66 36082→636 [ACK] Seq=46 Ack=1189 Win=8320 Len=0 TSval=3235617252 TSecr=203315683
23   7.157541 192.168.127.18 → 10.12.0.70   SSLv2 300 Server Hello
24   7.157592   10.12.0.70 → 192.168.127.18 TCP 66 36082→636 [ACK] Seq=46 Ack=1423 Win=10624 Len=0 TSval=3235617252 TSecr=203315688
25   7.158199   10.12.0.70 → 192.168.127.18 SSLv2 342 Client Master Key
26   7.211382 192.168.127.18 → 10.12.0.70   SSLv2 109 Encrypted Data
27   7.211440   10.12.0.70 → 192.168.127.18 SSLv2 109 Encrypted Data
28   7.259050 192.168.127.18 → 10.12.0.70   SSLv2 109 Encrypted Data
29   7.299348   10.12.0.70 → 192.168.127.18 TCP 66 36082→636 [ACK] Seq=365 Ack=1509 Win=10624 Len=0 TSval=3235617393 TSecr=203315698
30   9.400611   10.12.0.70 → 192.168.127.18 SSLv2 93 Encrypted Data
31   9.448256 192.168.127.18 → 10.12.0.70   TCP 60 636→36082 [RST, ACK] Seq=1509 Ack=392 Win=0 Len=0

1) I don't understand why I don't see the Server Hello in the pcap (same behavior when enabling subdissector to reassemble TCP Stream) It looks like also that the server is presenting the certificate chain before the ServerHello (packet #21 in packetcapture2.pcap and #6, #7, #8, #9), I don’t understand this behaviour as well.

2) We don't see this behavior when using CentOS 6

Thank you in advance for your help,

1 Answers

Voted

submitvinahost · Answer 1 · 2016-08-25T20:23:01+08:00

submitvinahost

2016-08-25T20:23:01+08:002016-08-25T20:23:01+08:00

The problem was in the SSLCipherSuite, to resolve the poodle bug, as suggested, I had to disable the SSL protocol and modify the SSLCipherSuite. The used SSLCipherSuite miss the Windows mobile and explorer 11 code, so i resolved using an updated SSLCipherSuite.

In the linked article mozilla suggest 3 different SSLCipherSuite based on browsers legacy compatibility.

Server Vietnam | Server Vietnam

0

ssl handshake hanging on certificate chain from CentOS 5.8 with openssl 0.9.8e

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?