SungHoon_Kim

How to check what protocol the server supports and if you can successfully connect using specific protocol

Blog Post created by SungHoon_Kim Employee on Dec 9, 2015

If you have an LDAP server, you want to connect to it using TLS1, and the connection is failing, what do you do next?

 

It doesn't matter whether the server speaks LDAP or HTTP.

You can use openssl to connect to it with a specific protocol and see which protocol succeeds and which does not.

 

openssl s_client -connect <server:port> [-ssl2|-ssl3|-tls1] [-CAfile <CA Certificate>]

 

Following is a sample output when trying to connect to www.google.com:443 using three different protocols:

SSLv2 was rejected.

SSLv3 was accepted.

TLSv1 was accepted.

You can see from the server's reply which protocol it accepts.

 

Connections -ssl2 -ssl3 -tls1

C:\> openssl s_client -connect www.google.com:443 -ssl2
Loading 'screen' into random state - done
CONNECTED(000001A4)
6020:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:428:

C:\>openssl s_client -connect www.google.com:443 -ssl3
Loading 'screen' into random state - done
CONNECTED(000001A4)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3245 bytes and written 424 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: 51FB4F7B6C9356C3B9660C6F21FCA95129A29EA97B241EEFAB4AB6B3445F9CF7
    Session-ID-ctx:
    Master-Key: EA56764B14C836380F3A3AAB74F69B7BDC6B872BCE619E79DA511D71167804A43BEF4FFD7207BDC10B6362EDC25F40D8
    Key-Arg   : None
    Start Time: 1449628122
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

C:\>openssl s_client -connect www.google.com:443 -tls1
Loading 'screen' into random state - done
CONNECTED(000001A4)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3233 bytes and written 414 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 3D9FC8E43F4215A8E4D014E98A531C92DF71CBED07BAF26645D668B4AC416F0B
    Session-ID-ctx:
    Master-Key: 150ED15765714B4AE1F6E21265BE6D452220580E5ABD82CD00BC9D4FE011336569DE730E3128B081B31A2BF09326E3EA
    Key-Arg   : None
    Start Time: 1449628146
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

 

You can also capture the network traffic and follow the TCP stream: the "Client Hello" shows which protocol the client was attempting.

The client sends the list of protocols it supports, because it cannot know which protocol the server supports until it actually makes the connection.

The server then chooses the protocol it prefers from that list. This is where you will see the "Server Hello" message in the network trace.

If you are getting a "Server Hello", then the connection is established.

 

Next, the client has to perform "Server Authentication", also known as one-way SSL.

The client performs the following checks, and if all of them pass, the server is authenticated.

 

1. Is the "Issuer" found in the local certificate store and trusted?

2. Does the server's FQHN (fully qualified host name) match the "CN" (or SUBJECT) of the server certificate?

3. Is the server certificate still valid (not expired)?

 

If any of the above fails, you will see the client dropping (RESET) the connection.

If all pass, you will see the client encrypting the data and sending it over to the server.
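As an added example (not code from the original post), the POSIX shell wrapper below runs the s_client probe for one protocol flag, adds the CA file and hostname check that correspond to the three server-authentication steps above, and reduces the s_client output to the three fields worth reading; the host, port and CA file path are placeholders you supply, and an OpenSSL binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes "openssl" is on PATH.

# Reduce s_client output to "<Protocol>|<Cipher>|<verify code>".
# Prints "handshake-failed|-|-" and returns 1 when no session was negotiated,
# which is what you get both for a rejected protocol (the -ssl2 case in the
# post) and for a flag that a modern OpenSSL build no longer understands.
parse_sclient() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -z "$proto" ]; then
        printf 'handshake-failed|-|-\n'
        return 1
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s|%s|%s\n' "$proto" "$cipher" "${code:--}"
}

# probe HOST PORT FLAG [CAFILE]
# FLAG is one of -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; SSLv2/SSLv3 are
# compiled out of current OpenSSL releases, so those two flags fail before
# any connection is made. When CAFILE is given, -CAfile plus -verify_hostname
# make OpenSSL perform checks 1-3 from the post (trusted issuer, name match,
# validity); all three passing shows up as verify code 0 in the result.
probe() {
    host=$1; port=$2; flag=$3; cafile=$4
    set -- -connect "$host:$port" "$flag"
    if [ -n "$cafile" ]; then
        set -- "$@" -CAfile "$cafile" -verify_hostname "$host"
    fi
    # </dev/null closes the session as soon as the handshake is done.
    openssl s_client "$@" </dev/null 2>&1 | parse_sclient
}
```

Call it as `probe ldap.example.com 636 -tls1_2 /path/to/ca.pem` (placeholder values); a non-zero exit means the handshake was refused, and a verify code other than 0 in the output tells you which of the three server-authentication checks to look at next.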
