Re: lynx-dev Problems with URL--please help


From: clemens fischer
Subject: Re: lynx-dev Problems with URL--please help
Date: 5 Mar 2003 13:45:39 +0100
User-agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.3.50 (i386-unknown-freebsd4.6.2)

Doug Kaufman <address@hidden>:

> 3. What do you get in the file s_client.trace if you type:
> "echo quit | openssl s_client -ssl3 -connect hod.dol.state.ga.us:443 >s_client.trace"

  p1$ openssl s_client -tls1 -crlf -state -connect hod.dol.state.ga.us:443
  CONNECTED(00000005)
  SSL_connect:before/connect initialization
  SSL_connect:SSLv3 write client hello A
  GET / HTTP/1.0

tls1 is the only protocol leading to a connect, i.e. not leading to a
verification error, but from then on the connection hangs.
question:  it should be possible to disallow use of ssl2/3 or make
tls1 the preferred way:  shouldn't this allow me to connect?

there are ssl states missing from the handshake above:

SSL_connect:SSLv2 read server hello A
SSL_connect:SSLv2 write client master key A
SSL_connect:SSLv2 client start encryption
SSL_connect:SSLv2 write client finished A
SSL_connect:SSLv2 read server verify A
SSL_connect:SSLv2 read server finished A

is what seems to be expected, but this doesn't happen with `-tls1' on
the above connect.  funny thing is:  s_client proceeds much further
with `-ssl2', and the log shows:

  p1$ openssl s_client -ssl2 -crlf -verify 5 -state -connect hod.dol.state.ga.us:443
  verify depth is 5
  CONNECTED(00000005)
  SSL_connect:before/connect initialization
  SSL_connect:SSLv2 write client hello A
  depth=0 /C=US/ST=Georgia/L=Atlanta/O=Georgia Department of Labor/OU=Information Systems Support/CN=hod.dol.state.ga.us
  verify error:num=20:unable to get local issuer certificate
  verify return:1
  depth=0 /C=US/ST=Georgia/L=Atlanta/O=Georgia Department of Labor/OU=Information Systems Support/CN=hod.dol.state.ga.us
  verify error:num=27:certificate not trusted
  verify return:1
  depth=0 /C=US/ST=Georgia/L=Atlanta/O=Georgia Department of Labor/OU=Information Systems Support/CN=hod.dol.state.ga.us
  verify error:num=21:unable to verify the first certificate
  verify return:1
  SSL_connect:SSLv2 read server hello A
  SSL_connect:SSLv2 write client master key A
  SSL_connect:SSLv2 client start encryption
  SSL_connect:SSLv2 write client finished A
  SSL_connect:SSLv2 read server verify A
  SSL_connect:SSLv2 read server finished A
  ---
  Server certificate
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  subject=/C=US/ST=Georgia/L=Atlanta/O=Georgia Department of Labor/OU=Information Systems Support/CN=hod.dol.state.ga.us
  issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  ---
  No client certificate CA names sent
  ---
  Ciphers common between both SSL endpoints:
  EXP-RC2-CBC-MD5
  ---
  SSL handshake has read 964 bytes and written 189 bytes
  ---
  New, SSLv2, Cipher is EXP-RC2-CBC-MD5
  Server public key is 512 bit
  SSL-Session:
      Protocol  : SSLv2
      Cipher    : EXP-RC2-CBC-MD5
      Session-ID: 31501664429803D561C85C22064985F9
      Session-ID-ctx:
      Master-Key: A770C76F0332FD93FD88810D431F509E
      Key-Arg   : EB786D5E6587328D
      Start Time: 1046868110
      Timeout   : 300 (sec)
      Verify return code: 21 (unable to verify the first certificate)
  ---

this shows also that the far end makes use of MD5, patent issues or
not.

(shrug)  i'm really no SSL guru.  could somebody
comment?

  clemens

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden
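The two transcripts in the message above (the `-tls1` attempt that stalls right after the client hello, and the `-ssl2` session that completes on an export cipher with a 512-bit key and an unverified chain) can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from the lynx or OpenSSL projects. It parses `openssl s_client -state` output, embedded here as constructed samples trimmed from the message, and reports the conditions a defender would want flagged. The thresholds it applies (SSLv2/SSLv3 as legacy, the `EXP-` cipher prefix as export-grade, RSA keys under 2048 bits as short, any non-zero verify return code as an unverified chain) are this example's own assumptions, not anything the message states.

```python
import re

# Constructed sample: the -tls1 attempt quoted in the message, which stalls
# right after the client hello (no server hello ever arrives).
SAMPLE_TLS1 = """\
CONNECTED(00000005)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
"""

# Constructed sample: the -ssl2 session from the message, trimmed to the
# lines the parser looks at (certificate body, subject/issuer and session
# keys omitted).
SAMPLE_SSL2 = """\
CONNECTED(00000005)
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
SSL_connect:SSLv2 read server hello A
SSL_connect:SSLv2 write client master key A
SSL_connect:SSLv2 client start encryption
SSL_connect:SSLv2 write client finished A
SSL_connect:SSLv2 read server verify A
SSL_connect:SSLv2 read server finished A
New, SSLv2, Cipher is EXP-RC2-CBC-MD5
Server public key is 512 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : EXP-RC2-CBC-MD5
    Verify return code: 21 (unable to verify the first certificate)
"""

# Assumptions of this example: what counts as legacy and as a short key.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_KEY_BITS = 2048

# Session facts pulled from the summary block; numeric captures become ints.
FIELDS = {
    "protocol": r"Protocol\s*:\s*(\S+)",
    "cipher": r"Cipher\s*:\s*(\S+)",
    "key_bits": r"Server public key is (\d+) bit",
    "verify_code": r"Verify return code:\s*(\d+)",
}


def parse_s_client(text):
    """Extract handshake states, verify errors and session facts from s_client output."""
    info = {"states": [], "verify_errors": [], "protocol": None,
            "cipher": None, "key_bits": None, "verify_code": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SSL_connect:"):
            info["states"].append(line[len("SSL_connect:"):])
            continue
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m:
            info["verify_errors"].append((int(m.group(1)), m.group(2)))
            continue
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m:
                value = m.group(1)
                info[key] = int(value) if value.isdigit() else value
    return info


def handshake_completed(info):
    """True once s_client has read the server's finished message."""
    return any(s.endswith("read server finished A") for s in info["states"])


def weaknesses(info):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if not handshake_completed(info):
        last = info["states"][-1] if info["states"] else "no state recorded"
        findings.append(f"handshake did not complete (last state: {last})")
        return findings
    if info["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {info['protocol']}")
    if info["cipher"] and info["cipher"].startswith("EXP-"):
        findings.append(f"export-grade cipher negotiated: {info['cipher']}")
    if info["key_bits"] is not None and info["key_bits"] < MIN_KEY_BITS:
        findings.append(f"server key is only {info['key_bits']} bits")
    if info["verify_code"] not in (None, 0):
        findings.append(f"certificate chain not verified (code {info['verify_code']})")
    return findings


if __name__ == "__main__":
    for name, sample in (("-tls1", SAMPLE_TLS1), ("-ssl2", SAMPLE_SSL2)):
        print(name)
        for finding in weaknesses(parse_s_client(sample)):
            print("  -", finding)
```

Feeding the script a real `s_client.trace` file is a matter of reading it into `parse_s_client`. A transcript whose last state is a `write client hello` with nothing following is the signature of the hang described above: the client sent its hello and the server never answered, so there is no protocol, cipher or certificate to report at all.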
