How to compare 2 SSL Certs


I'm having a problem which I've been trying to fix for the last few days.

We have a production server, which has a cert and supports TLS1, TLS1.1 and TLS1.2. We also have a staging server, which is used for testing some devices and runs only TLS1.1 and TLS1.2.

From what I noticed, other than the certificate change, everything looks identical.

Issue:

When we connect our device to production, it works well.

When we connect our device to stage, it does not connect.

Stage is the one which closes the connection:

openssl s_client -connect xxxx.bac.com:443 -status -state -quiet
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BM, O = ABC Limited, CN = ABCDF Root CA 2
verify return:1
depth=1 C = US, O = AAAB , CN = CCDE SSL ICA G2
verify return:1
depth=0 C = CA, ST = ME, L = CCC, O = "xxxx.", CN = xxxx.bac.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Prod, below, which works fine:

openssl s_client -connect prod.bac.com:443 -quiet  -state -status
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BM, O = ABSC, CN = ABSC Root CA 2
verify return:1
depth=1 C = US, O = DFFFF, CN = DDFF SSL ICA G2
verify return:1
depth=0 C = CA, ST = ME, L = LEEE, O = "BAC", CN = prod.bac.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

What could be the problem here? I'm suspecting it could be because of TLS_FALLBACK.

Connection to prod, which works:

New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: B5B4E0FECC197987CAB113484FC33305B257F18F
    Session-ID-ctx: 
    Master-Key: 5EA2D034F4EF9E0F583B58F1437593F1162269C181EF922B2647A796F813C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567782512
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Connection to stage-bac.com, the one not working:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 8055139B925BED1F834E141ED740A2762254213C0DD3
    Session-ID-ctx: 
    Master-Key: 4041914ACE614C18EC696960FD08057E9E348538A2D448184FE3FE18432
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

Any idea where the problem could be, and why it could not establish the connection?

Sendhil Kumar

Posted 2019-09-10T10:01:24.737

Reputation: 1
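As an added example (not part of the question or the comments), here is a small Python script that parses the two `openssl s_client` summaries quoted above and lists the handshake parameters that differ, which is the comparison the commenters point to: cipher suite, key exchange, renegotiation and session tickets rather than the certificates. The inputs are constructed from the summaries in the question, trimmed to the lines of interest.

```python
import re

# Constructed sample input: the prod summary from the question, trimmed.
PROD = """New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
"""

# Constructed sample input: the stage summary from the question, trimmed.
STAGE = """New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    TLS session ticket lifetime hint: 7200 (seconds)
"""

def parse_s_client(text):
    """Extract the handshake parameters a picky client may trip over into a flat dict."""
    fields = {}
    m = re.search(r"Secure Renegotiation (IS|IS NOT) supported", text)
    if m:
        fields["secure_renegotiation"] = m.group(1) == "IS"
    fields["alpn"] = "No ALPN negotiated" not in text
    fields["session_ticket"] = "TLS session ticket" in text
    for line in text.splitlines():
        m = re.match(r"\s+(Protocol|Cipher)\s*:\s*(.+)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    cipher = fields.get("cipher", "")
    # A suite name with no DHE/ECDHE prefix uses plain RSA key exchange, i.e. no
    # ServerKeyExchange message; that matches the extra "read server key exchange"
    # step seen only in the stage handshake trace.
    fields["key_exchange"] = ("ECDHE" if cipher.startswith("ECDHE")
                              else "DHE" if cipher.startswith("DHE") else "RSA")
    return fields

def diff_handshakes(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    pa, pb = parse_s_client(a), parse_s_client(b)
    return {k: (pa.get(k), pb.get(k)) for k in sorted(set(pa) | set(pb))
            if pa.get(k) != pb.get(k)}

if __name__ == "__main__":
    for field, (prod, stage) in diff_handshakes(PROD, STAGE).items():
        print(f"{field:22} prod={prod!r:32} stage={stage!r}")
```

The same parser works on the full output of `openssl s_client -connect host:443 < /dev/null` for any two endpoints you want to compare.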

It looks like stage is exclusively accepting some TLS or cipher version and does not show the usual behavior when the client requests something it doesn't support (like downgrading or sending an SSL alert) but instead just closes the connection. I don't know what stage is, but perhaps upgrading openssl may help. – harrymc – 2019-09-10T10:28:46.563

This isn't about the certificates. It's about everything else: ciphers, extensions, ... – Daniel B – 2019-09-10T10:33:11.073

No answers