Ich habe eine Verbindung zu einem Dienst mit Client-Authentifizierung schwer. Der Dienst ("SecureService") ist auf AWS. Die Clients befinden sich auf einer Linux-VM auf meinem Mac. Nginx auf SecureService erzwingt die Client-Authentifizierung für die Ressource, auf die ich über Port 443 zugreife. Ich kann eine erfolgreiche Antwort von derselben VM auf denselben SecureService erhalten, indem ich eine eigenständige Java-Standalone-Anwendung (openjdk 1.8.0_60) oder andere Clients verwendet (wget, openssl), aber nicht von demselben Java-Code, der auf Websphere AS gehostet wird (wobei er sich auf ältere Bibliotheken und IBM J9 VM, Build 2.6, JRE 1.6.0 verlässt). Bei der Neuzuordnung des SecureService-Hostnamens zu 127.0.0.1 in/etc/hosts wird derselbe Java-Code für Websphere AS erfolgreich mit einem lokalen openSSL-Server verbunden, der eine Clientauthentifizierung von derselben Zertifizierungsstelle erfordert. Die Antwort von SecureServer in der fehlgeschlagenen Verbindung meldet "400 Kein erforderliches SSL-Zertifikat wurde gesendet" ... "400 Ungültige Anforderung", aber tcpdump Paket-Captures zeigen, dass es KEINE Zertifikatsanforderung sendet, während es in allen anderen Fällen ist. Das ist rätselhaft und führt mich zu der Annahme, dass die ClientHallo-Nachricht etwas enthält, was der Server nicht mag, obwohl ClientHello-Nachrichten bei erfolgreichen und fehlerhaften Verbindungen sehr ähnlich sind.SSL-Verbindung fehlgeschlagen mit keine Zertifikatsanforderung vom Server, Verbindung zu Nginx auf AWS von einer lokalen Websphere AS unter Java 6
Ein ziemlich seltsames Detail ist auch, dass tcpdump nie das erste TCP-SYN-Paket von meinem Client auf den Server in der fehlerhaften Kommunikation erfasst, während es den Rest erfasst (SYN + ACK vom Server, dann ACK vom Client) und alle Pakete (SYN, SYN + ACK, ACK) auf allen anderen Kommunikationen.
Alle Kommunikation verwenden TLSv1.2 in allen ihren Teilen.
Failing Verbindung:
(client <--> server) <-- SYN, ACK --> ACK --> Client Hello <-- ACK <-- Server Hello, Certificate, Server Hello Done --> ACK --> Client Key Exchange <-- ACK --> Change Cypher Spec <-- ACK --> Encrypted Handshake Message <-- ACK <-- Change Cypher Spec, Encrypted Handshake Message --> Application Data ...
Erfolgreiche Verbindung von Proof of Concept Java App: (Client < -> Server)
--> SYN <-- SYN, ACK --> ACK --> Client Hello <-- ACK <-- Server Hello <-- Certificate <-- Certificate Request, Server Hello Done --> ACK --> ACK --> [TCP segment of a reassembled PDU] --> Certificate, Client Key Exchange <-- ACK --> Certificate Verify --> Change Cypher Spec --> Hello Request, Hello Request <-- ACK <-- Change Cypher Spec, Encrypted Handshake Message --> Application Data ...
Erfolgreiche Verbindung von Websphere AS zu lokalem openSSL: (Client < -> Server)
--> SYN <-- SYN, ACK --> ACK --> Client Hello <-- ACK <-- Server Hello, Certificate, Certificate Request, Server Hello Done --> ACK --> Certificate, Client Key Exchange <-- ACK --> Certificate Verify --> Change Cypher Spec --> Encrypted Handshake Message <-- ACK <-- Change Cypher Spec, Encrypted Handshake Message --> Application Data ...
Failing Kunde Hallo:
Frame 3: 332 bytes on wire (2656 bits), 332 bytes captured (2656 bits) Encapsulation type: Linux cooked-mode capture (25) Arrival Time: Feb 25, 2016 13:29:15.353437000 GMT [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1456406955.353437000 seconds [Time delta from previous captured frame: 0.004839000 seconds] [Time delta from previous displayed frame: 0.004839000 seconds] [Time since reference or first frame: 0.004868000 seconds] Frame Number: 3 Frame Length: 332 bytes (2656 bits) Capture Length: 332 bytes (2656 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: sll:ethertype:ip:tcp:ssl] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Linux cooked capture Packet type: Sent by us (4) Link-layer address type: 1 Link-layer address length: 6 Source: CadmusCo_67:0a:c1 (08:00:27:67:0a:c1) Protocol: IPv4 (0x0800) Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS) 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 316 Identification: 0xf29d (62109) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0xc7f8 [validation disabled] [Good: False] [Bad: False] Source: (OMITTED FOR SECURITY REASONS) Destination: (OMITTED FOR SECURITY REASONS) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 51512 (51512), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 276 Source Port: 51512 Destination Port: 443 [Stream index: 0] [TCP Segment Len: 276] Sequence number: 1 (relative sequence number) [Next sequence number: 277 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header Length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: *******AP***] Window size value: 14600 [Calculated window size: 14600] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x8054 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 [SEQ/ACK analysis] [Bytes in flight: 276] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 271 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 267 Version: TLS 1.2 (0x0303) Random GMT Unix Time: Feb 25, 2016 13:29:15.000000000 GMT Random Bytes: 2ca99e72b66289fcd3f11bf2dc3ef464709b197e6dd6cdd5... Session ID Length: 32 Session ID: 28eef056a41440e760eaa9e3358a9cd56d8823fa130e9100... Cipher Suites Length: 128 Cipher Suites (64 suites) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012) Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066) Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008) Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009) Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001) Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002) Cipher Suite: TLS_RSA_WITH_NULL_SHA256 (0x003b) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 66 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 24 Elliptic Curves Length: 22 Elliptic curves (11 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp192r1 (0x0013) Elliptic curve: secp224r1 (0x0015) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Elliptic curve: secp192k1 (0x0012) Elliptic curve: secp224k1 (0x0014) Elliptic curve: secp256k1 (0x0016) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 28 Signature Hash Algorithms Length: 26 Signature Hash Algorithms (13 algorithms) Signature Hash Algorithm: 0x0603 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0601 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0503 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0501 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0403 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0401 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0303 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0301 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0203 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0201 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0402 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: DSA (2) Signature Hash Algorithm: 0x0202 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: DSA (2) Signature Hash Algorithm: 0x0101 Signature Hash Algorithm Hash: MD5 (1) Signature Hash Algorithm Signature: RSA (1)
Erfolgreiche Kunde Hallo von Proof of Concept Secure:
Frame 62: 306 bytes on wire (2448 bits), 306 bytes captured (2448 bits) on interface 0 Interface id: 0 (en0) Encapsulation type: Ethernet (1) Arrival Time: Feb 24, 2016 17:20:21.803009000 GMT [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1456334421.803009000 seconds [Time delta from previous captured frame: 0.119948000 seconds] [Time delta from previous displayed frame: 0.119948000 seconds] [Time since reference or first frame: 17.897514000 seconds] Frame Number: 62 Frame Length: 306 bytes (2448 bits) Capture Length: 306 bytes (2448 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:ssl] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Apple_bc:c7:11 (a4:5e:60:bc:c7:11), Dst: CiscoInc_76:28:80 (a4:4c:11:76:28:80) Destination: CiscoInc_76:28:80 (a4:4c:11:76:28:80) Address: CiscoInc_76:28:80 (a4:4c:11:76:28:80) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Apple_bc:c7:11 (a4:5e:60:bc:c7:11) Address: Apple_bc:c7:11 (a4:5e:60:bc:c7:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS) 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 292 Identification: 0xa8b7 (43191) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x279c [validation disabled] [Good: False] [Bad: False] Source: (OMITTED FOR SECURITY REASONS) Destination: (OMITTED FOR SECURITY REASONS) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 62197 (62197), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 240 Source Port: 62197 Destination Port: 443 [Stream index: 9] [TCP Segment Len: 240] Sequence number: 1 (relative sequence number) [Next sequence number: 241 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header Length: 32 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: *******AP***] Window size value: 4122 [Calculated window size: 131904] [Window size scaling factor: 32] Checksum: 0xc3c5 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 928661973, TSecr 546145009 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 928661973 Timestamp echo reply: 546145009 [SEQ/ACK analysis] [iRTT: 0.016102000 seconds] [Bytes in flight: 240] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 235 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 231 Version: TLS 1.2 (0x0303) Random GMT Unix Time: Feb 24, 2016 17:20:21.000000000 GMT Random Bytes: fbb67137e8cde6609cb570685f6c9b5a62eefbc12973b545... Session ID Length: 0 Cipher Suites Length: 58 Cipher Suites (29 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 132 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 52 Elliptic Curves Length: 50 Elliptic curves (25 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: sect163k1 (0x0001) Elliptic curve: sect163r2 (0x0003) Elliptic curve: secp192r1 (0x0013) Elliptic curve: secp224r1 (0x0015) Elliptic curve: sect233k1 (0x0006) Elliptic curve: sect233r1 (0x0007) Elliptic curve: sect283k1 (0x0009) Elliptic curve: sect283r1 (0x000a) Elliptic curve: secp384r1 (0x0018) Elliptic curve: sect409k1 (0x000b) Elliptic curve: sect409r1 (0x000c) Elliptic curve: secp521r1 (0x0019) Elliptic curve: sect571k1 (0x000d) Elliptic curve: sect571r1 (0x000e) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Elliptic curve: sect163r1 (0x0002) Elliptic curve: secp192k1 (0x0012) Elliptic curve: sect193r1 (0x0004) Elliptic curve: sect193r2 (0x0005) Elliptic curve: secp224k1 (0x0014) Elliptic curve: sect239k1 (0x0008) Elliptic curve: secp256k1 (0x0016) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 26 Signature Hash Algorithms Length: 24 Signature Hash Algorithms (12 algorithms) Signature Hash Algorithm: 0x0603 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0601 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0503 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0501 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0403 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0401 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0303 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0301 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0203 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0201 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0202 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: DSA (2) Signature Hash Algorithm: 0x0101 Signature Hash Algorithm Hash: MD5 (1) Signature Hash Algorithm Signature: RSA (1) Extension: server_name Type: server_name (0x0000) Length: 36 Server Name Indication extension Server Name list length: 34 Server Name Type: host_name (0) Server Name length: 31 Server Name: (OMITTED FOR SECURITY REASONS - IT CORRESPONDS TO THE DESTINATION HOSTNAME)
Tcpdump Befehlszeile:
sudo tcpdump -s 0 -n "port 443" -w /Repo/security/capture.cap -i any
Hat jemand eine Ahnung, was los sein könnte falsch? Ich habe momentan keine Administrationsrechte oder sogar einen Account, um mich auf dem Server anzumelden.