OpenSSL config
Use openssl x509
Display PEM X509 certificate info
deepakk$ openssl x509 -in client_rsa_512.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 41 (0x29)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=KAR, O=Citrix R&D Pvt Ltd, CN=Citrix
Validity
Not Before: Sep 22 09:12:57 2008 GMT
Not After : Feb 8 09:12:57 2036 GMT
Subject: C=IN, ST=KAR, O=Citrix
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (512 bit)
Modulus:
00:b0:52:cd:25:5d:17:8f:dd:ed:f4:9a:44:0f:41:
f8:82:10:38:da:07:74:e9:79:85:65:b4:17:8e:4f:
84:ab:22:bc:d8:b3:aa:8b:0f:03:f9:3b:e1:f9:e7:
35:30:f8:a9:7f:8a:b2:2f:67:4c:43:eb:1f:d7:7c:
3b:1a:07:57:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
NetScaler Generated Certificate
X509v3 Subject Key Identifier:
37:E4:E9:CA:3C:37:1E:88:12:3B:A4:5E:B1:EF:E4:33:8C:77:42:79
X509v3 Authority Key Identifier:
keyid:6B:69:EA:D7:36:62:80:2F:09:29:45:A9:C4:72:0A:CE:ED:95:CC:7F
DirName:/C=IN/ST=KAR/O=Citrix R&D Pvt Ltd/CN=Citrix
serial:00
Signature Algorithm: sha1WithRSAEncryption
a5:c2:07:68:a4:ff:8f:19:5a:b0:14:e4:a4:36:bf:71:24:3c:
cd:02:6f:21:f8:0c:f3:7c:51:36:45:07:f7:da:05:6c:cc:f1:
6c:c6:03:50:26:19:1b:d9:a0:92:b5:de:c2:8e:7b:97:d1:ee:
58:72:a2:9c:ed:a8:3c:14:30:36:f9:39:11:56:34:87:32:02:
21:e1:e2:5a:d2:ee:04:f4:b6:c4:b5:1d:af:9c:89:ef:fe:71:
4d:91:0d:c4:73:32:17:aa:28:6f:c1:30:a1:53:e6:fa:3b:2b:
64:e5:9a:74:5d:89:c9:01:11:ea:a5:69:df:fa:fa:e7:4e:73:
db:88
deepakk$
Useful link: http://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
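The dump above shows a 512-bit RSA key and a sha1WithRSAEncryption signature, both too weak to rely on today. The following is an added example, not part of the original notes: a shell function that reads `openssl x509 -text` output and flags those two fields. The function name and the minimum key sizes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the text printed by `openssl x509 -noout -text`.
# Reads the dump on stdin; prints one finding per line, or OK if none.
audit_x509_text() {
  awk '
    # First "Signature Algorithm:" line is the one inside the signed data.
    /Signature Algorithm:/ && sig == "" {
      sig = $NF
      if (tolower(sig) ~ /^(md2|md5|sha1)/) {
        print "WEAK_SIGNATURE " sig; n++
      }
    }
    /Public Key Algorithm:/ { alg = $NF }
    # Matches "Public-Key: (512 bit)" and the older "RSA Public Key: (512 bit)".
    /Public[- ]Key: \(/ {
      bits = $0
      sub(/.*\(/, "", bits)
      sub(/ bit.*/, "", bits)
      # Assumed policy floors: 2048 bits for RSA/DSA, 224 bits for EC keys.
      min = (alg == "id-ecPublicKey") ? 224 : 2048
      if (bits + 0 < min) {
        print "WEAK_KEY " alg " " bits " bits (minimum " min ")"; n++
      }
    }
    END { if (n == 0) print "OK" }
  '
}

# Constructed sample: the relevant lines of the dump shown above.
SAMPLE_WEAK='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
    Signature Algorithm: sha1WithRSAEncryption'

# Constructed sample of a certificate that passes both checks.
SAMPLE_OK='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

printf '%s\n' "$SAMPLE_WEAK" | audit_x509_text
printf '%s\n' "$SAMPLE_OK" | audit_x509_text
# Live use: openssl x509 -in client_rsa_512.pem -noout -text | audit_x509_text
```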
Method to decode RSA private key info
Use openssl rsa
Decode RSA Private key
root@ip-10-0-0-47:/etc/kubernetes# cat /tmp/key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuqFGm++8yJU9hErtI12fzKejTdf/1H7ZId30imF1KfUf0ION
lsxRSEbxFOlZILSOJl2UCgOIdrbM9vh/J+lYw26NAC616uiF7bBuwOp2W4YopJmB
Q5oEw/hM6Qqhn64OQMQBx7Y4frU49jlaCw4tCEglV8bDFOKJZPFSaV4JJ7rRVFWl
JKqscJY9PI2G5sQaXlHTxRWkYqJbSZBHj68KuLcDKRkJg/LbXxSLCNz+OdaUnptV
YkJ+Vgn3WqIO5g/0RUkw2DXKsQ0nhXq9mU9XGHNSbzSyO7dOLCMHJMmYCorUpor5
5tlKGyatuwjeuzPlnCTRwTFZaAL7E9zDvRHIuQIDAQABAoIBAFAgN7lxRyLy+BNZ
O9CoPJhYDMO6DctEnqJssbXLu8rEw+D46gwpMmiOlKi+upZRDoqoOIvIEomtV/hc
nfMbuxFE4GKIq2/sXru6uQI4Z5JJ2h85DIdik9MzQon3F4b/6nyh6oW81SqJUahc
3SzL7EeW+flii5Tm4cgl15UHW3Tjgp7/AXgGbkJFmHbWCHcirzZ1HeZtawdXEKNv
/KTOWWHZA2UyONAjvq10KJ//OftRg/bfgEg/yz+6tHW8dkRVyxQrV6hWBx4KBKOp
wV/xQFiE/XHJR6JdVEiTkB9WNnyjYpasSR9bduGHWatt2MWY0eJE7XAlOsHdTDwD
xiDNvcUCgYEA8d/Pk8HkN6nMMEjQCvZGyYb0/YW1qL+hL9bpDg73SqcXlw7CWmxa
RJ5FoWMJ5e9cmLp2d0UHWOKiPZKQelkElr/GiWqcVL9z2ler0gs3HwhBQf6+f/Gr
wvcc6PhupaQBDQanALjip1MVJmUD5SPIDtygp76m3TLNrXhMY5hsxmMCgYEAxYeG
QTctSHO9reODaBzTCYSg4VC2pkvnwhyfauGiI9bmAUcBfwEQQH1vwJ82IWletF2X
8SjGsS2oYHWHfFLsdFl/c/Y0bboyo4QX5cfFuxcuFqx3v5lKvnolN/7JqDbKkSb7
272VoI/EDfKt1p0J5A7kU75MHfBn8+UrYfd2oTMCgYEAtu1a01f3nvWHHRlkZnX9
8VplHPwr+HT9le3GksBU3JvkpnUeHj8GQhElfjol+UV/VW7oO6n0NZApvcGEDVQX
uV9O6wy7MQkeuIpHw3KB/LFEkYH1V1RSYAB+V9/T5uhTdyOJ2Gz71ipqu3/4Yysd
mcfYpST2lCJhFYn+0/AqjBsCgYAEWKEJmk8ywukvhEwF5Gx4TyTDEGWUbyMgUETp
syFALKBO8uMDimBzKs9kq5wjTBA7Y7vOIJmOmHSV+sAKakCtprJ5OLeamng2xNdJ
xQWCwlXPReg0nQjZ/BIJk1+YhewbGYJ9KUS7ja5AqFBO4pGvJOy9Mvi1x+5hnW9A
7pL7pQKBgQCSvOpstjzVZIPibVFABX//rfdm3CRhnL3P15slVlpIJsPBNc9gcHzI
WzwExjWz9k/KVdoCuZ/rDWreR7NnHdRrkFRVyoO5069UoFxEX/45RVCjjY9C+1kg
pYlLJLIEs0gfGu20+fLqCOsSKBlA9CaO7sIHuo3bF4Bj3ChBky8TDg==
-----END RSA PRIVATE KEY-----
root@ip-10-0-0-47:/etc/kubernetes# openssl rsa -in /tmp/key -text
Private-Key: (2048 bit)
modulus:
00:ba:a1:46:9b:ef:bc:c8:95:3d:84:4a:ed:23:5d:
9f:cc:a7:a3:4d:d7:ff:d4:7e:d9:21:dd:f4:8a:61:
75:29:f5:1f:d0:83:8d:96:cc:51:48:46:f1:14:e9:
59:20:b4:8e:26:5d:94:0a:03:88:76:b6:cc:f6:f8:
7f:27:e9:58:c3:6e:8d:00:2e:b5:ea:e8:85:ed:b0:
6e:c0:ea:76:5b:86:28:a4:99:81:43:9a:04:c3:f8:
4c:e9:0a:a1:9f:ae:0e:40:c4:01:c7:b6:38:7e:b5:
38:f6:39:5a:0b:0e:2d:08:48:25:57:c6:c3:14:e2:
89:64:f1:52:69:5e:09:27:ba:d1:54:55:a5:24:aa:
ac:70:96:3d:3c:8d:86:e6:c4:1a:5e:51:d3:c5:15:
a4:62:a2:5b:49:90:47:8f:af:0a:b8:b7:03:29:19:
09:83:f2:db:5f:14:8b:08:dc:fe:39:d6:94:9e:9b:
55:62:42:7e:56:09:f7:5a:a2:0e:e6:0f:f4:45:49:
30:d8:35:ca:b1:0d:27:85:7a:bd:99:4f:57:18:73:
52:6f:34:b2:3b:b7:4e:2c:23:07:24:c9:98:0a:8a:
d4:a6:8a:f9:e6:d9:4a:1b:26:ad:bb:08:de:bb:33:
e5:9c:24:d1:c1:31:59:68:02:fb:13:dc:c3:bd:11:
c8:b9
publicExponent: 65537 (0x10001)
privateExponent:
50:20:37:b9:71:47:22:f2:f8:13:59:3b:d0:a8:3c:
98:58:0c:c3:ba:0d:cb:44:9e:a2:6c:b1:b5:cb:bb:
ca:c4:c3:e0:f8:ea:0c:29:32:68:8e:94:a8:be:ba:
96:51:0e:8a:a8:38:8b:c8:12:89:ad:57:f8:5c:9d:
....
Useful link: https://support.citrix.com/article/CTX122930/
Use openssl s_client option
openssl command for acting as client
root@ubuntu:/# openssl s_client -connect 10.102.53.236:6443 -tls1_2
CONNECTED(00000003)
depth=0 CN = kube-apiserver
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kube-apiserver
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=kube-apiserver
i:/CN=kubernetes
---
Server certificate
subject=/CN=kube-apiserver
issuer=/CN=kubernetes
---
Acceptable client certificate CA names
/CN=kubernetes
/CN=kubernetes
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA384
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1542 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 926BF39CEFDC6C592670EF9BBD757F58496951004F614E8C8315D7AD54F34769
Session-ID-ctx:
Master-Key: 7EC43B281FCB97DEFD324F19E494177157FB3BD7832C02148B85078BE09C41D6F60216E616069B61560A0C2BCA453856
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 10 47 46 e2 dc c4 01 aa-01 72 94 8a 92 ca ec 65 .GF......r.....e
0010 - 84 ed 05 09 15 52 1d c1-1b 6b f5 5c 42 f1 30 a1 .....R...k.\B.0.
0020 - 25 86 f2 ab 95 8e 39 dc-55 47 6e 6b 02 ff a4 18 %.....9.UGnk....
0030 - 32 fb 6b af e6 92 4a ed-4f 56 7e fd 80 6e 76 38 2.k...J.OV~..nv8
0040 - d6 3e be b9 47 cc 2f e2-07 74 fd e8 3e fa 07 58 .>..G./..t..>..X
0050 - 5b aa b8 ae d0 03 88 ea-66 86 f7 79 68 0c 70 94 [.......f..yh.p.
0060 - 61 51 5a b0 b0 46 65 0d-1d a9 da ba 6d 01 1d c7 aQZ..Fe.....m...
0070 - 4f 54 18 75 8a f5 82 ac- OT.u....
Start Time: 1514962741
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
GET /
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
400 Bad Request
closed
root@ubuntu:/# openssl s_client -connect 10.102.53.236:6443 -tls1_3
unknown option -tls1_3
usage: s_client args
Useful link: https://security.stackexchange.com/questions/70733/how-do-i-use-openssl-s-client-to-test-for-absence-of-sslv3-support
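s_client completed the handshake above even though verification failed with code 21, so a script that only checks whether the connection succeeded learns nothing about the peer's identity. The following is an added example, not part of the original notes: a shell function that reads an s_client transcript and returns non-zero unless the chain verified. The function name and the CA file path in the closing comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail closed on an `openssl s_client` transcript.
# Reads the transcript on stdin, prints a one-line summary, and returns
# 0 only when the chain verified (code 0), 1 when it did not, 2 when the
# transcript has no verification result at all.
check_s_client() {
  awk '
    /^ *Protocol *:/ { proto = $NF }
    /^ *Cipher *:/   { cipher = $NF }
    /Verify return code:/ {
      code = $4
      reason = $0
      sub(/^[^(]*\(/, "", reason)   # drop everything up to the first "("
      sub(/\)[^)]*$/, "", reason)   # drop the closing ")" and what follows
    }
    END {
      if (code == "") { print "NO_VERIFY_RESULT"; exit 2 }
      status = (code == 0) ? "VERIFIED" : "UNVERIFIED"
      print status " code=" code " proto=" proto " cipher=" cipher " reason=" reason
      exit (code == 0 ? 0 : 1)
    }
  '
}

# Constructed sample: the decisive lines of the transcript shown above.
SAMPLE_UNVERIFIED='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample of a session whose chain verified.
SAMPLE_VERIFIED='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

for sample in "$SAMPLE_UNVERIFIED" "$SAMPLE_VERIFIED"; do
  printf '%s\n' "$sample" | check_s_client || echo "-> treat peer as unauthenticated"
done
# Live use (CA path is a placeholder, not from the page):
#   openssl s_client -connect 10.102.53.236:6443 -CAfile /path/to/ca.crt </dev/null 2>/dev/null | check_s_client
```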
Reference