OpenSSL s_client -connect incompatibility issue

Time:12-09

I am currently facing a problem that puzzles me. When I use this command from a machine with RHEL 7 with OpenSSL 1.0.2k:

openssl s_client -connect name.name.somename:9093

I get the result I wanted. I can see the cert, the cert chain, etc.

CONNECTED(00000003)
depth=1 CN = XXXXXXX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=*XXXXXXX
   i:/CN=XXXXXXX
 1 s:/CN=XXXXXXX
   i:/CN=XXXXXXX
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/xxxxxxxxxxxxxxxxxx
issuer=/xxxxxxxxxxxxxxxxxx
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3294 bytes and written 479 bytes
---
New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxxxxxxx
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : xxxxxxxxxxxxxxxxxx
    Session-ID: xxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1638952814
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

But whenever I try the same command from a machine running a newer version of OpenSSL, I get this error:

CONNECTED(00000003)
139685857744704:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Are there any compatibility issues, or some new command or conf file for the newer version?

Adding all ciphers:

Obtaining cipher list from OpenSSL 1.1.1k 25 Mar 2021.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list)
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-RSA-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-CCM8...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-CCM...NO (wrong version number)
Testing DHE-RSA-AES256-CCM8...NO (wrong version number)
Testing DHE-RSA-AES256-CCM...NO (wrong version number)
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-RSA-ARIA256-GCM-SHA384...NO (wrong version number)
Testing ADH-AES256-GCM-SHA384...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-RSA-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-DSS-AES128-GCM-SHA256...YES
Testing DHE-RSA-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-CCM8...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-CCM...NO (wrong version number)
Testing DHE-RSA-AES128-CCM8...NO (wrong version number)
Testing DHE-RSA-AES128-CCM...NO (wrong version number)
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-DSS-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-RSA-ARIA128-GCM-SHA256...NO (wrong version number)
Testing ADH-AES128-GCM-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-SHA384...NO (wrong version number)
Testing ECDHE-RSA-AES256-SHA384...NO (wrong version number)
Testing DHE-RSA-AES256-SHA256...NO (wrong version number)
Testing DHE-DSS-AES256-SHA256...YES
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...NO (wrong version number)
Testing ECDHE-RSA-CAMELLIA256-SHA384...NO (wrong version number)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (wrong version number)
Testing DHE-DSS-CAMELLIA256-SHA256...NO (wrong version number)
Testing ADH-AES256-SHA256...NO (wrong version number)
Testing ADH-CAMELLIA256-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-SHA256...NO (wrong version number)
Testing ECDHE-RSA-AES128-SHA256...NO (wrong version number)
Testing DHE-RSA-AES128-SHA256...NO (wrong version number)
Testing DHE-DSS-AES128-SHA256...YES
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-RSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-DSS-CAMELLIA128-SHA256...NO (wrong version number)
Testing ADH-AES128-SHA256...NO (wrong version number)
Testing ADH-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-AES256-SHA...NO (wrong version number)
Testing ECDHE-RSA-AES256-SHA...NO (wrong version number)
Testing DHE-RSA-AES256-SHA...NO (wrong version number)
Testing DHE-DSS-AES256-SHA...YES
Testing DHE-RSA-CAMELLIA256-SHA...NO (wrong version number)
Testing DHE-DSS-CAMELLIA256-SHA...NO (wrong version number)
Testing AECDH-AES256-SHA...NO (wrong version number)
Testing ADH-AES256-SHA...NO (wrong version number)
Testing ADH-CAMELLIA256-SHA...NO (wrong version number)
Testing ECDHE-ECDSA-AES128-SHA...NO (wrong version number)
Testing ECDHE-RSA-AES128-SHA...NO (wrong version number)
Testing DHE-RSA-AES128-SHA...NO (wrong version number)
Testing DHE-DSS-AES128-SHA...YES
Testing DHE-RSA-SEED-SHA...NO (wrong version number)
Testing DHE-DSS-SEED-SHA...NO (wrong version number)
Testing DHE-RSA-CAMELLIA128-SHA...NO (wrong version number)
Testing DHE-DSS-CAMELLIA128-SHA...NO (wrong version number)
Testing AECDH-AES128-SHA...NO (wrong version number)
Testing ADH-AES128-SHA...NO (wrong version number)
Testing ADH-SEED-SHA...NO (wrong version number)
Testing ADH-CAMELLIA128-SHA...NO (wrong version number)
Testing RSA-PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing RSA-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing ECDHE-PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing DHE-PSK-AES256-CCM8...NO (wrong version number)
Testing DHE-PSK-AES256-CCM...NO (wrong version number)
Testing RSA-PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing DHE-PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing AES256-GCM-SHA384...NO (wrong version number)
Testing AES256-CCM8...NO (wrong version number)
Testing AES256-CCM...NO (wrong version number)
Testing ARIA256-GCM-SHA384...NO (wrong version number)
Testing PSK-AES256-GCM-SHA384...NO (wrong version number)
Testing PSK-CHACHA20-POLY1305...NO (wrong version number)
Testing PSK-AES256-CCM8...NO (wrong version number)
Testing PSK-AES256-CCM...NO (wrong version number)
Testing PSK-ARIA256-GCM-SHA384...NO (wrong version number)
Testing RSA-PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-CCM8...NO (wrong version number)
Testing DHE-PSK-AES128-CCM...NO (wrong version number)
Testing RSA-PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing DHE-PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing AES128-GCM-SHA256...NO (wrong version number)
Testing AES128-CCM8...NO (wrong version number)
Testing AES128-CCM...NO (wrong version number)
Testing ARIA128-GCM-SHA256...NO (wrong version number)
Testing PSK-AES128-GCM-SHA256...NO (wrong version number)
Testing PSK-AES128-CCM8...NO (wrong version number)
Testing PSK-AES128-CCM...NO (wrong version number)
Testing PSK-ARIA128-GCM-SHA256...NO (wrong version number)
Testing AES256-SHA256...NO (wrong version number)
Testing CAMELLIA256-SHA256...NO (wrong version number)
Testing AES128-SHA256...NO (wrong version number)
Testing CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing ECDHE-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing SRP-DSS-AES-256-CBC-SHA...NO (wrong version number)
Testing SRP-RSA-AES-256-CBC-SHA...NO (wrong version number)
Testing SRP-AES-256-CBC-SHA...NO (wrong version number)
Testing RSA-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing DHE-PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing RSA-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing DHE-PSK-AES256-CBC-SHA...NO (wrong version number)
Testing ECDHE-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing RSA-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing DHE-PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing AES256-SHA...NO (wrong version number)
Testing CAMELLIA256-SHA...NO (wrong version number)
Testing PSK-AES256-CBC-SHA384...NO (wrong version number)
Testing PSK-AES256-CBC-SHA...NO (wrong version number)
Testing PSK-CAMELLIA256-SHA384...NO (wrong version number)
Testing ECDHE-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing ECDHE-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing SRP-DSS-AES-128-CBC-SHA...NO (wrong version number)
Testing SRP-RSA-AES-128-CBC-SHA...NO (wrong version number)
Testing SRP-AES-128-CBC-SHA...NO (wrong version number)
Testing RSA-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing DHE-PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing RSA-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing DHE-PSK-AES128-CBC-SHA...NO (wrong version number)
Testing ECDHE-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing RSA-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing DHE-PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing AES128-SHA...NO (wrong version number)
Testing SEED-SHA...NO (wrong version number)
Testing CAMELLIA128-SHA...NO (wrong version number)
Testing IDEA-CBC-SHA...NO (wrong version number)
Testing PSK-AES128-CBC-SHA256...NO (wrong version number)
Testing PSK-AES128-CBC-SHA...NO (wrong version number)
Testing PSK-CAMELLIA128-SHA256...NO (wrong version number)
Testing ECDHE-ECDSA-NULL-SHA...NO (wrong version number)
Testing ECDHE-RSA-NULL-SHA...NO (wrong version number)
Testing AECDH-NULL-SHA...NO (wrong version number)
Testing NULL-SHA256...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA384...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA256...NO (wrong version number)
Testing ECDHE-PSK-NULL-SHA...NO (wrong version number)
Testing RSA-PSK-NULL-SHA384...NO (wrong version number)
Testing RSA-PSK-NULL-SHA256...NO (wrong version number)
Testing DHE-PSK-NULL-SHA384...NO (wrong version number)
Testing DHE-PSK-NULL-SHA256...NO (wrong version number)
Testing RSA-PSK-NULL-SHA...NO (wrong version number)
Testing DHE-PSK-NULL-SHA...NO (wrong version number)
Testing NULL-SHA...NO (wrong version number)
Testing NULL-MD5...NO (wrong version number)
Testing PSK-NULL-SHA384...NO (wrong version number)
Testing PSK-NULL-SHA256...NO (wrong version number)
Testing PSK-NULL-SHA...NO (wrong version number)

CodePudding user response:

Testing DHE-DSS-AES256-GCM-SHA384...YES

It looks like the server supports only DSS ciphers, which is very unusual. As can be seen from the changelog, such ciphers were removed from the default cipher list with OpenSSL 1.1.0. This means one explicitly needs to enable the cipher, i.e.

$ openssl s_client -cipher 'DHE-DSS-AES256-GCM-SHA384' ...
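
An added example, not part of the original answer: shell helpers that read a cipher-scan log in the format posted in the question, collect the accepted ciphers into the string that `-cipher` expects, and tally the failure reasons. The function names, the shortened sample log and the `HOST:PORT` placeholder are constructed for illustration; the prefix check is a heuristic that relies on OpenSSL's TLS 1.2 cipher naming.

```shell
#!/bin/sh
# Added example: summarise a "Testing NAME...RESULT" cipher-scan log.

# Constructed sample input, shortened from the format of the scan above.
sample_scan() {
cat <<'EOF'
Obtaining cipher list from OpenSSL 1.1.1k 25 Mar 2021.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES256-GCM-SHA384...YES
Testing DHE-RSA-AES256-GCM-SHA384...NO (wrong version number)
Testing DHE-DSS-AES128-GCM-SHA256...YES
Testing DHE-DSS-AES256-SHA...YES
Testing AES256-SHA...NO (wrong version number)
EOF
}

# Print only the names of ciphers the server accepted, one per line.
accepted_names() {
    sed -n 's/^Testing \(.*\)\.\.\.YES$/\1/p'
}

# Join the accepted ciphers with ':' so the result can be passed to -cipher.
accepted_ciphers() {
    accepted_names | paste -sd: -
}

# Tally failures by the reason in parentheses: "<count><TAB><reason>".
failure_reasons() {
    awk -F'[()]' '/\.\.\.NO \(/ { n[$2]++ }
                  END { for (r in n) print n[r] "\t" r }'
}

# Heuristic: if every accepted cipher shares the same first two name
# components (key exchange and authentication, e.g. DHE-DSS), print them.
# Prints nothing when the accepted set is empty or mixed.
common_kx_auth() {
    accepted_names | awk -F- '{ print $1 "-" $2 }' | sort -u |
        awk 'NR == 1 { v = $0 } END { if (NR == 1) print v }'
}

# Show the resulting command line without running it (HOST:PORT is a placeholder).
echo "shared prefix: $(sample_scan | common_kx_auth)"
echo "openssl s_client -connect HOST:PORT -cipher '$(sample_scan | accepted_ciphers)'"
```

Feed a real scan log to the functions on standard input in place of `sample_scan`.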