git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] Difficulties with testing TLS 1.3


Hi Dennis,

moving to dev@, more suited I think here.

On Fri, Jun 15, 2018 at 3:06 AM, Dennis Clarke <dclarke@xxxxxxxxxxxxx> wrote:
>
> Hello Apache folks :
>
>     So the process of testing TLS 1.3 shouldn't be black magic but here
> I am wondering what is wrong. I have a beta site up running Apache trunk
> build and OpenSSL 1.1.1-pre7 ( the latest atm ) and everything seems to
> be just fine.  I have Mozilla beta browser with security.tls.* settings
> ready to handle TLS 1.3 and I can reach, render and see the test site at
> https://tls13.crypto.mozilla.org/ just fine. It claims TLS 1.3 (draft
> 28) using NSS whereas my site https://beta.tls13.net can not be "seen"
> via the same browser. The openssl s_client has no issues contacting both
> sites and in both cases I do see TLS 1.3 protocol as supported however
> cipher suite ( see https://wiki.mozilla.org/Security/Server_Side_TLS )
> may be the issue. Not sure.
>
> Here is what I see when using "s_client" to access the mozilla site :
>
> $ openssl s_client -connect tls13.crypto.mozilla.org:443 -tls1_3
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = tls13.crypto.mozilla.org
> verify return:1
> ---
> Certificate chain
>  0 s:CN = tls13.crypto.mozilla.org
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFEzCCA/ugAwIBAgISBPOVEnB/CqyqLondZWg55Uz8MA0GCSqGSIb3DQEBCwUA
> .
> .<snip>
> .
> Ad+yYggR2Q==
> -----END CERTIFICATE-----
> subject=CN = tls13.crypto.mozilla.org
>
> issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2974 bytes and written 316 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_128_GCM_SHA256
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
> 7A97B0747961C13DDF4A533C8174262F9500157007EED04A98B5BCAA314D56A5
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1529024212
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
> read R BLOCK
> GET
> HTTP/1.1 400 Bad Request
> Date: Fri, 15 Jun 2018 00:57:36 GMT
> Server: Apache
> Strict-Transport-Security: max-age=63072000; includeSubdomains;
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> </p>
> </body></html>
> closed
> tls13 $
>
>
> All looks fine. The nice 400 error message is very okay.
>
>
> The exact same thing to my test trunk Apache server claims odd
> results :
>
>
> $ openssl s_client -connect beta.tls13.net:443 -tls1_3
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = *.tls13.net
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.tls13.net
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGAjCCBOqgAwIBAgISA3lbcjYuS0tUnszwWevJIyQaMA0GCSqGSIb3DQEBCwUA
> .
> .<snip>
> .
> PrK8bh7S
> -----END CERTIFICATE-----
> subject=CN = *.tls13.net
>
> issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3281 bytes and written 322 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
> 42F400653B4C20603D96D1180E345439B941F696160A0B7BD7FF23077A111A1A899A6A43BCEE6172D00641597111FF39
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1529024399
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
> read:errno=0
> $
>
>
> Well other than cipher what is the difference here ?  Nothing obvious.
>
> The ssl error_log ( set at level debug ) isn't helping here :
>
>
> [Fri Jun 15 00:59:59.753533 2018] [ssl:info] [pid 2250:tid 27] [client
> 68.179.116.201:34466] AH01964: Connection to child 152 established (server
> beta.tls13.net:443)
>
> [Fri Jun 15 00:59:59.755714 2018] [ssl:debug] [pid 2250:tid 27]
> ssl_engine_kernel.c(2297): [client 68.179.116.201:34466] AH02043: SSL
> virtual host for servername beta.tls13.net found
>
> [Fri Jun 15 00:59:59.788701 2018] [ssl:debug] [pid 2250:tid 27]
> ssl_engine_kernel.c(2222): [client 68.179.116.201:34466] AH02041: Protocol:
> TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
>
> [Fri Jun 15 00:59:59.788742 2018] [ssl:error] [pid 2250:tid 27] [client
> 68.179.116.201:34466] AH02042: rejecting client initiated renegotiation
>
> [Fri Jun 15 00:59:59.789151 2018] [ssl:debug] [pid 2250:tid 27]
> ssl_engine_io.c(1400): (130)Software caused connection abort: [client
> 68.179.116.201:34466] AH02007: SSL handshake interrupted by system [Hint:
> Stop button pressed in browser?!]
>
> [Fri Jun 15 00:59:59.789341 2018] [ssl:info] [pid 2250:tid 27] [client
> 68.179.116.201:34466] AH01998: Connection closed to child 152 with abortive
> shutdown (server beta.tls13.net:443)
> beta #
>
>
> Weird.
>
>
> Any thoughts would be greatly appreciated.
>
>
> Dennis
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




( ! ) Warning: include(msgfooter.php): failed to open stream: No such file or directory in /var/www/git/apache2-users/msg02750.html on line 310
Call Stack
#TimeMemoryFunctionLocation
10.0008372744{main}( ).../msg02750.html:0

( ! ) Warning: include(): Failed opening 'msgfooter.php' for inclusion (include_path='.:/var/www/git') in /var/www/git/apache2-users/msg02750.html on line 310
Call Stack
#TimeMemoryFunctionLocation
10.0008372744{main}( ).../msg02750.html:0