[Bug 1728608] [NEW] "bad record mac" error with openssl 1.0.2g
Simon Toledano
1728608 at bugs.launchpad.net
Mon Oct 30 14:21:36 UTC 2017
Public bug reported:
Using openssl 1.0.2g inside a docker container generated from
ubuntu:xenial, it seems impossible to connect to a SSL socket. The
client side always report a "bad record mac" and closes the connection.
The following information should help to reproduce the issue:
####################################################
#################### versions ####################
####################################################
root at 1f333b094ef7:/# lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
root at 1f333b094ef7:/# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==================================-======================-======================-=========================================================================
ii openssl 1.0.2g-1ubuntu4.8 amd64 Secure Sockets Layer toolkit - cryptographic utility
#####################################################
#################### server side ####################
#####################################################
root at 1f333b094ef7:/# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
...........................................+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:test.net
Email Address []:test at test.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16174644247892487387 (0xe077e13f1bf26cdb)
Validity
Not Before: Oct 30 14:00:19 2017 GMT
Not After : Oct 29 14:00:19 2020 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = test
commonName = test.net
emailAddress = test at test.net
X509v3 extensions:
X509v3 Subject Key Identifier:
DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Authority Key Identifier:
keyid:DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct 29 14:00:19 2020 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
root at 1f333b094ef7:/# cat demoCA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16174644247892487387 (0xe077e13f1bf26cdb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, OU=test, CN=test.net/emailAddress=test at test.net
Validity
Not Before: Oct 30 14:00:19 2017 GMT
Not After : Oct 29 14:00:19 2020 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, OU=test, CN=test.net/emailAddress=test at test.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:46:58:87:71:cf:dc:1e:e2:c7:4f:b3:aa:3c:
a7:6e:42:38:b6:e8:0d:e0:fa:c7:89:70:34:db:e5:
8e:df:95:a9:e7:65:5b:6f:99:80:46:2f:45:be:5b:
7c:6d:c4:df:4e:0f:cd:80:a4:ab:be:a9:af:ca:31:
02:03:ca:f9:40:a5:7c:02:40:d2:8e:62:be:74:c1:
ba:a7:a9:fc:82:b9:f9:6b:48:70:ad:fd:1a:91:08:
fc:24:85:e1:e7:46:3b:5b:e8:d7:02:c0:98:87:d8:
37:5e:b8:a4:54:7d:3f:6d:04:10:ee:de:af:48:d6:
00:2d:85:93:a5:a2:6f:22:6b:29:cd:ac:38:87:4b:
06:5a:6b:0a:f2:75:63:95:13:2b:1e:2d:f7:d6:b6:
4f:fe:c2:67:73:27:b0:50:86:c2:b8:02:8c:41:59:
50:48:8b:36:72:09:38:9c:2e:30:3b:59:7e:a4:ff:
d1:b4:0a:5c:d3:57:8a:d3:18:f4:ba:e0:0d:42:26:
96:18:0b:4c:ba:eb:03:4f:fc:b4:20:d9:94:d5:53:
a7:ff:84:ac:df:2a:db:c7:57:1d:d9:bf:22:fc:75:
2b:e3:26:71:31:2b:0b:6c:6c:5c:22:87:49:d7:0d:
85:e9:19:9b:78:72:c8:d6:1e:0c:09:ea:89:94:89:
8e:b7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Authority Key Identifier:
keyid:DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
71:90:7c:bd:7b:39:5d:9c:7e:39:48:bf:08:b8:93:bd:68:be:
a8:6e:2d:a9:3d:e8:51:64:2b:48:7e:d0:49:9e:9d:69:6d:b0:
5f:43:3a:7b:bd:51:8a:65:5b:4a:fa:ce:5e:26:4d:bc:6f:45:
c7:8b:08:ee:55:2a:a5:c4:92:a6:f0:52:e3:1b:1a:b9:d0:ce:
3c:93:a3:49:50:28:09:73:a2:86:0f:a0:c4:0b:36:48:df:bb:
f9:3a:a6:38:4a:12:65:2f:40:0f:32:59:7e:b9:22:96:ce:f9:
e4:d0:8a:03:cd:94:fe:2b:31:f6:53:b6:a4:e9:48:41:69:b2:
10:19:e9:86:33:bd:ad:7e:99:d9:c4:ec:c7:5a:f7:9a:bd:6f:
3b:75:c0:94:4e:d3:ee:de:02:a4:4b:74:26:c4:54:8e:21:1a:
01:83:a3:fc:b7:83:d2:d4:ea:22:6d:4d:ab:5b:d2:4c:73:46:
88:b8:6a:0e:9a:fd:2f:0a:d4:51:24:a8:07:15:23:1b:90:68:
92:80:ae:99:87:91:61:03:5a:2b:4b:c8:44:d7:e0:a7:19:3b:
6c:1f:33:42:03:29:ba:a1:70:30:a5:bf:10:eb:79:c0:22:b5:
4c:cf:c6:42:c1:c5:2b:77:3f:82:6a:93:4d:cf:2c:92:cc:ce:
41:54:27:43
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAOB34T8b8mzbMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg
V2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQLDAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5l
dDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0Lm5ldDAeFw0xNzEwMzAxNDAwMTla
Fw0yMDEwMjkxNDAwMTlaMIGFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1T
dGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQL
DAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5ldDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0
ZXN0Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNGWIdxz9we
4sdPs6o8p25COLboDeD6x4lwNNvljt+VqedlW2+ZgEYvRb5bfG3E304PzYCkq76p
r8oxAgPK+UClfAJA0o5ivnTBuqep/IK5+WtIcK39GpEI/CSF4edGO1vo1wLAmIfY
N164pFR9P20EEO7er0jWAC2Fk6WibyJrKc2sOIdLBlprCvJ1Y5UTKx4t99a2T/7C
Z3MnsFCGwrgCjEFZUEiLNnIJOJwuMDtZfqT/0bQKXNNXitMY9LrgDUImlhgLTLrr
A0/8tCDZlNVTp/+ErN8q28dXHdm/Ivx1K+MmcTErC2xsXCKHSdcNhekZm3hyyNYe
DAnqiZSJjrcCAwEAAaNQME4wHQYDVR0OBBYEFNyJFLOStm4f5BXXwh1nKSWGnmle
MB8GA1UdIwQYMBaAFNyJFLOStm4f5BXXwh1nKSWGnmleMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHGQfL17OV2cfjlIvwi4k71ovqhuLak96FFkK0h+
0EmenWltsF9DOnu9UYplW0r6zl4mTbxvRceLCO5VKqXEkqbwUuMbGrnQzjyTo0lQ
KAlzooYPoMQLNkjfu/k6pjhKEmUvQA8yWX65IpbO+eTQigPNlP4rMfZTtqTpSEFp
shAZ6YYzva1+mdnE7Mda95q9bzt1wJRO0+7eAqRLdCbEVI4hGgGDo/y3g9LU6iJt
Tatb0kxzRoi4ag6a/S8K1FEkqAcVIxuQaJKArpmHkWEDWitLyETX4KcZO2wfM0ID
KbqhcDClvxDrecAitUzPxkLBxSt3P4Jqk03PLJLMzkFUJ0M=
-----END CERTIFICATE-----
root at 1f333b094ef7:/# cat demoCA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBiR6vaApZAQCAggA
MBQGCCqGSIb3DQMHBAgjdu4G9q1j0QSCBMgEXwm73hlrSHUSfcDWJEsvTqHLMZqB
/Ybc/POFmIbJhveL2LgozVcNVzfB6X/La/F50WRTZoxZVkeM54Z58e9vtYXUWD9u
W6ECwFUa1djQpKw5UEq9tOTDzX4BGbcgb/HJScYyAYHflgzKMHZ7y4taTNfhLRyn
14h1/yg2M6MUrF9Gk354MUu5Jq0CO3CihXwvXVqxJCZ7lH+zAyNSv6E5YJ2P6ZSF
to1roArQ1Mywvdqwh+LC4lQjI0a/ak0zs0rT546Lw99BuTCThhbkrlf1BRI4KpmD
EJ1naQC7vJneXkSBsSLDoKBVNmI239xwpVqFDjbo+5pXH+S4vliBOeuQbpuPtfWo
DKVSoVdMA8ag7vfD0dpj+mteDpih7grfuAPZsJ2xKCr7/HDacUTYAUOcFyeCFltm
1uAnGVRjFHm9YWEk6rkLuRRAsCRKmIsPhJpvmh+R/RBuPaTFMOl2H7kNQ7BR8JYm
d4pd7fW+c1pXDTBS3wCm0IXfd4/Dwr0F9gcnDoQnFYUmI4oz0hUpHq/akiY5gTJF
GbdpOJ9yrIWLbm7cTxe3U/0GsZhMZayPLfKQDP2qc6FUKcFVezR2ND9J3AugQg+h
IvB5s5HHN2xZaWawtbFTsynz5IG7zSii2U9/4eTNI5YlqN5mX/COkQxVNKz2upkP
jWKqXKbLGSGdNGq6/RJBTdkTkITB6nj/hT3CzpBfIq0cScDPuRJZP0uWQxp+eod9
uQ+WAMw17ZWE1dkv86nDQG6ysHGEVxbdlxwIonCnu7zDbdlLKy1HqPLQOSqfwdCX
gOeoi977lJHgzfnCkJir1TDXfzjkJxmOzJOO4hJq7G8IjlCaOnBAIFqHS/OKDlDB
BSdJxXOIsoIvEFswDag/y0haEHwknTO5Ns0631YQ+1njeWs5M/xJ4+NMAP55tIZ5
lQJaTcukC+Li+UfMjfZJ9ib22BKZ4Rx04qxRIoCyy8dFqQN2hY1ZbsdzT8M3sf+1
EyrZOS0u858vtwwxdADb0795n6CKUy90WscyDYtClqG0PaZxWs998czyHZcMYx9Y
ape04s5ceTrybPWizd+1lxRlswqOVeNHWZBCMv9P6P6HOn8CrTAEw2BA7b9ELWIt
xJWwbJ1LpLDE09TSC8Z+afKEeHU+NarIpNZTHCTiOFXCq4dv80wU4dTWEJ+q7ATP
ZUN7ESOD6vRexxMzrJKJpQbhYIVjBbCHczcKTnS9GR/LVWD0aaQbjjSpWsa0gk9i
haITjk67UoqkcKXQPkcnccMEfHEkU26T5VLAaKvnnv07ugEguWr0QvtkiN3ZWiFh
Ea2VJdHFgi2+Wgdv03YZv4/wAXRMyiTNHugKZN/JGoI9LxU8x52ZETz55EVcyuBc
H+b13dWLMco1USExTBKopycxCdqsvt2O14Tolv8pnqXgfLdSlTr8UUPJAtAJJDi5
t8VArwcBIDYM7esGrkzPORWRbDjoz+emWLUOo43hUTCxO9d257qBx6RbyZojROZ4
IiSm4R2JUPwqa7JkASHCoRdtQCETxdloZRs5ealG9CXUssIxXwUn0jKxwA5V6VIx
meC5u+2F0wkBwD30DuPe2fUCn90SqenyowlFyNMRQNtXxRk41pPbIsbG4h03ZHeF
nOY=
-----END ENCRYPTED PRIVATE KEY-----
root at 1f333b094ef7:/# openssl s_server -accept 8443 -cert ./demoCA/cacert.pem -key ./demoCA/private/cakey.pem -CAfile ./demoCA/cacert.pem
Enter pass phrase for ./demoCA/private/cakey.pem:
Using default temp DH parameters
ACCEPT
ERROR
139708666742424:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:532:
shutting down SSL
CONNECTION CLOSED
ACCEPT
^C
root at 1f333b094ef7:/#
#####################################################
#################### client side ####################
#####################################################
root at 1f333b094ef7:/# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = test, CN = test.net, emailAddress = test at test.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = test, CN = test.net, emailAddress = test at test.net
verify return:1
140716880438936:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1487:SSL alert number 20
140716880438936:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAOB34T8b8mzbMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg
V2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQLDAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5l
dDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0Lm5ldDAeFw0xNzEwMzAxNDAwMTla
Fw0yMDEwMjkxNDAwMTlaMIGFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1T
dGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQL
DAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5ldDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0
ZXN0Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNGWIdxz9we
4sdPs6o8p25COLboDeD6x4lwNNvljt+VqedlW2+ZgEYvRb5bfG3E304PzYCkq76p
r8oxAgPK+UClfAJA0o5ivnTBuqep/IK5+WtIcK39GpEI/CSF4edGO1vo1wLAmIfY
N164pFR9P20EEO7er0jWAC2Fk6WibyJrKc2sOIdLBlprCvJ1Y5UTKx4t99a2T/7C
Z3MnsFCGwrgCjEFZUEiLNnIJOJwuMDtZfqT/0bQKXNNXitMY9LrgDUImlhgLTLrr
A0/8tCDZlNVTp/+ErN8q28dXHdm/Ivx1K+MmcTErC2xsXCKHSdcNhekZm3hyyNYe
DAnqiZSJjrcCAwEAAaNQME4wHQYDVR0OBBYEFNyJFLOStm4f5BXXwh1nKSWGnmle
MB8GA1UdIwQYMBaAFNyJFLOStm4f5BXXwh1nKSWGnmleMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHGQfL17OV2cfjlIvwi4k71ovqhuLak96FFkK0h+
0EmenWltsF9DOnu9UYplW0r6zl4mTbxvRceLCO5VKqXEkqbwUuMbGrnQzjyTo0lQ
KAlzooYPoMQLNkjfu/k6pjhKEmUvQA8yWX65IpbO+eTQigPNlP4rMfZTtqTpSEFp
shAZ6YYzva1+mdnE7Mda95q9bzt1wJRO0+7eAqRLdCbEVI4hGgGDo/y3g9LU6iJt
Tatb0kxzRoi4ag6a/S8K1FEkqAcVIxuQaJKArpmHkWEDWitLyETX4KcZO2wfM0ID
KbqhcDClvxDrecAitUzPxkLBxSt3P4Jqk03PLJLMzkFUJ0M=
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1435 bytes and written 126 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 07E08399EF69458280DBAFF1C28D4A2D42E95009DA76F84F868C86CC7570C772BF2336880D105140054A6D82EE118360
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1509372388
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
root at 1f333b094ef7:/# echo $?
1
root at 1f333b094ef7:/#
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1728608
Title:
"bad record mac" error with openssl 1.0.2g
Status in openssl package in Ubuntu:
New
Bug description:
Using openssl 1.0.2g inside a docker container generated from
ubuntu:xenial, it seems impossible to connect to a SSL socket. The
client side always report a "bad record mac" and closes the
connection.
The following information should help to reproduce the issue:
####################################################
#################### versions ####################
####################################################
root at 1f333b094ef7:/# lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
root at 1f333b094ef7:/# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==================================-======================-======================-=========================================================================
ii openssl 1.0.2g-1ubuntu4.8 amd64 Secure Sockets Layer toolkit - cryptographic utility
#####################################################
#################### server side ####################
#####################################################
root at 1f333b094ef7:/# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
...........................................+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:test.net
Email Address []:test at test.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16174644247892487387 (0xe077e13f1bf26cdb)
Validity
Not Before: Oct 30 14:00:19 2017 GMT
Not After : Oct 29 14:00:19 2020 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = test
commonName = test.net
emailAddress = test at test.net
X509v3 extensions:
X509v3 Subject Key Identifier:
DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Authority Key Identifier:
keyid:DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct 29 14:00:19 2020 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
root at 1f333b094ef7:/# cat demoCA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16174644247892487387 (0xe077e13f1bf26cdb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, OU=test, CN=test.net/emailAddress=test at test.net
Validity
Not Before: Oct 30 14:00:19 2017 GMT
Not After : Oct 29 14:00:19 2020 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, OU=test, CN=test.net/emailAddress=test at test.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:46:58:87:71:cf:dc:1e:e2:c7:4f:b3:aa:3c:
a7:6e:42:38:b6:e8:0d:e0:fa:c7:89:70:34:db:e5:
8e:df:95:a9:e7:65:5b:6f:99:80:46:2f:45:be:5b:
7c:6d:c4:df:4e:0f:cd:80:a4:ab:be:a9:af:ca:31:
02:03:ca:f9:40:a5:7c:02:40:d2:8e:62:be:74:c1:
ba:a7:a9:fc:82:b9:f9:6b:48:70:ad:fd:1a:91:08:
fc:24:85:e1:e7:46:3b:5b:e8:d7:02:c0:98:87:d8:
37:5e:b8:a4:54:7d:3f:6d:04:10:ee:de:af:48:d6:
00:2d:85:93:a5:a2:6f:22:6b:29:cd:ac:38:87:4b:
06:5a:6b:0a:f2:75:63:95:13:2b:1e:2d:f7:d6:b6:
4f:fe:c2:67:73:27:b0:50:86:c2:b8:02:8c:41:59:
50:48:8b:36:72:09:38:9c:2e:30:3b:59:7e:a4:ff:
d1:b4:0a:5c:d3:57:8a:d3:18:f4:ba:e0:0d:42:26:
96:18:0b:4c:ba:eb:03:4f:fc:b4:20:d9:94:d5:53:
a7:ff:84:ac:df:2a:db:c7:57:1d:d9:bf:22:fc:75:
2b:e3:26:71:31:2b:0b:6c:6c:5c:22:87:49:d7:0d:
85:e9:19:9b:78:72:c8:d6:1e:0c:09:ea:89:94:89:
8e:b7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Authority Key Identifier:
keyid:DC:89:14:B3:92:B6:6E:1F:E4:15:D7:C2:1D:67:29:25:86:9E:69:5E
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
71:90:7c:bd:7b:39:5d:9c:7e:39:48:bf:08:b8:93:bd:68:be:
a8:6e:2d:a9:3d:e8:51:64:2b:48:7e:d0:49:9e:9d:69:6d:b0:
5f:43:3a:7b:bd:51:8a:65:5b:4a:fa:ce:5e:26:4d:bc:6f:45:
c7:8b:08:ee:55:2a:a5:c4:92:a6:f0:52:e3:1b:1a:b9:d0:ce:
3c:93:a3:49:50:28:09:73:a2:86:0f:a0:c4:0b:36:48:df:bb:
f9:3a:a6:38:4a:12:65:2f:40:0f:32:59:7e:b9:22:96:ce:f9:
e4:d0:8a:03:cd:94:fe:2b:31:f6:53:b6:a4:e9:48:41:69:b2:
10:19:e9:86:33:bd:ad:7e:99:d9:c4:ec:c7:5a:f7:9a:bd:6f:
3b:75:c0:94:4e:d3:ee:de:02:a4:4b:74:26:c4:54:8e:21:1a:
01:83:a3:fc:b7:83:d2:d4:ea:22:6d:4d:ab:5b:d2:4c:73:46:
88:b8:6a:0e:9a:fd:2f:0a:d4:51:24:a8:07:15:23:1b:90:68:
92:80:ae:99:87:91:61:03:5a:2b:4b:c8:44:d7:e0:a7:19:3b:
6c:1f:33:42:03:29:ba:a1:70:30:a5:bf:10:eb:79:c0:22:b5:
4c:cf:c6:42:c1:c5:2b:77:3f:82:6a:93:4d:cf:2c:92:cc:ce:
41:54:27:43
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAOB34T8b8mzbMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg
V2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQLDAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5l
dDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0Lm5ldDAeFw0xNzEwMzAxNDAwMTla
Fw0yMDEwMjkxNDAwMTlaMIGFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1T
dGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQL
DAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5ldDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0
ZXN0Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNGWIdxz9we
4sdPs6o8p25COLboDeD6x4lwNNvljt+VqedlW2+ZgEYvRb5bfG3E304PzYCkq76p
r8oxAgPK+UClfAJA0o5ivnTBuqep/IK5+WtIcK39GpEI/CSF4edGO1vo1wLAmIfY
N164pFR9P20EEO7er0jWAC2Fk6WibyJrKc2sOIdLBlprCvJ1Y5UTKx4t99a2T/7C
Z3MnsFCGwrgCjEFZUEiLNnIJOJwuMDtZfqT/0bQKXNNXitMY9LrgDUImlhgLTLrr
A0/8tCDZlNVTp/+ErN8q28dXHdm/Ivx1K+MmcTErC2xsXCKHSdcNhekZm3hyyNYe
DAnqiZSJjrcCAwEAAaNQME4wHQYDVR0OBBYEFNyJFLOStm4f5BXXwh1nKSWGnmle
MB8GA1UdIwQYMBaAFNyJFLOStm4f5BXXwh1nKSWGnmleMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHGQfL17OV2cfjlIvwi4k71ovqhuLak96FFkK0h+
0EmenWltsF9DOnu9UYplW0r6zl4mTbxvRceLCO5VKqXEkqbwUuMbGrnQzjyTo0lQ
KAlzooYPoMQLNkjfu/k6pjhKEmUvQA8yWX65IpbO+eTQigPNlP4rMfZTtqTpSEFp
shAZ6YYzva1+mdnE7Mda95q9bzt1wJRO0+7eAqRLdCbEVI4hGgGDo/y3g9LU6iJt
Tatb0kxzRoi4ag6a/S8K1FEkqAcVIxuQaJKArpmHkWEDWitLyETX4KcZO2wfM0ID
KbqhcDClvxDrecAitUzPxkLBxSt3P4Jqk03PLJLMzkFUJ0M=
-----END CERTIFICATE-----
root at 1f333b094ef7:/# cat demoCA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBiR6vaApZAQCAggA
MBQGCCqGSIb3DQMHBAgjdu4G9q1j0QSCBMgEXwm73hlrSHUSfcDWJEsvTqHLMZqB
/Ybc/POFmIbJhveL2LgozVcNVzfB6X/La/F50WRTZoxZVkeM54Z58e9vtYXUWD9u
W6ECwFUa1djQpKw5UEq9tOTDzX4BGbcgb/HJScYyAYHflgzKMHZ7y4taTNfhLRyn
14h1/yg2M6MUrF9Gk354MUu5Jq0CO3CihXwvXVqxJCZ7lH+zAyNSv6E5YJ2P6ZSF
to1roArQ1Mywvdqwh+LC4lQjI0a/ak0zs0rT546Lw99BuTCThhbkrlf1BRI4KpmD
EJ1naQC7vJneXkSBsSLDoKBVNmI239xwpVqFDjbo+5pXH+S4vliBOeuQbpuPtfWo
DKVSoVdMA8ag7vfD0dpj+mteDpih7grfuAPZsJ2xKCr7/HDacUTYAUOcFyeCFltm
1uAnGVRjFHm9YWEk6rkLuRRAsCRKmIsPhJpvmh+R/RBuPaTFMOl2H7kNQ7BR8JYm
d4pd7fW+c1pXDTBS3wCm0IXfd4/Dwr0F9gcnDoQnFYUmI4oz0hUpHq/akiY5gTJF
GbdpOJ9yrIWLbm7cTxe3U/0GsZhMZayPLfKQDP2qc6FUKcFVezR2ND9J3AugQg+h
IvB5s5HHN2xZaWawtbFTsynz5IG7zSii2U9/4eTNI5YlqN5mX/COkQxVNKz2upkP
jWKqXKbLGSGdNGq6/RJBTdkTkITB6nj/hT3CzpBfIq0cScDPuRJZP0uWQxp+eod9
uQ+WAMw17ZWE1dkv86nDQG6ysHGEVxbdlxwIonCnu7zDbdlLKy1HqPLQOSqfwdCX
gOeoi977lJHgzfnCkJir1TDXfzjkJxmOzJOO4hJq7G8IjlCaOnBAIFqHS/OKDlDB
BSdJxXOIsoIvEFswDag/y0haEHwknTO5Ns0631YQ+1njeWs5M/xJ4+NMAP55tIZ5
lQJaTcukC+Li+UfMjfZJ9ib22BKZ4Rx04qxRIoCyy8dFqQN2hY1ZbsdzT8M3sf+1
EyrZOS0u858vtwwxdADb0795n6CKUy90WscyDYtClqG0PaZxWs998czyHZcMYx9Y
ape04s5ceTrybPWizd+1lxRlswqOVeNHWZBCMv9P6P6HOn8CrTAEw2BA7b9ELWIt
xJWwbJ1LpLDE09TSC8Z+afKEeHU+NarIpNZTHCTiOFXCq4dv80wU4dTWEJ+q7ATP
ZUN7ESOD6vRexxMzrJKJpQbhYIVjBbCHczcKTnS9GR/LVWD0aaQbjjSpWsa0gk9i
haITjk67UoqkcKXQPkcnccMEfHEkU26T5VLAaKvnnv07ugEguWr0QvtkiN3ZWiFh
Ea2VJdHFgi2+Wgdv03YZv4/wAXRMyiTNHugKZN/JGoI9LxU8x52ZETz55EVcyuBc
H+b13dWLMco1USExTBKopycxCdqsvt2O14Tolv8pnqXgfLdSlTr8UUPJAtAJJDi5
t8VArwcBIDYM7esGrkzPORWRbDjoz+emWLUOo43hUTCxO9d257qBx6RbyZojROZ4
IiSm4R2JUPwqa7JkASHCoRdtQCETxdloZRs5ealG9CXUssIxXwUn0jKxwA5V6VIx
meC5u+2F0wkBwD30DuPe2fUCn90SqenyowlFyNMRQNtXxRk41pPbIsbG4h03ZHeF
nOY=
-----END ENCRYPTED PRIVATE KEY-----
root at 1f333b094ef7:/# openssl s_server -accept 8443 -cert ./demoCA/cacert.pem -key ./demoCA/private/cakey.pem -CAfile ./demoCA/cacert.pem
Enter pass phrase for ./demoCA/private/cakey.pem:
Using default temp DH parameters
ACCEPT
ERROR
139708666742424:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:532:
shutting down SSL
CONNECTION CLOSED
ACCEPT
^C
root at 1f333b094ef7:/#
#####################################################
#################### client side ####################
#####################################################
root at 1f333b094ef7:/# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = test, CN = test.net, emailAddress = test at test.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, OU = test, CN = test.net, emailAddress = test at test.net
verify return:1
140716880438936:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1487:SSL alert number 20
140716880438936:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAOB34T8b8mzbMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQg
V2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQLDAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5l
dDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0ZXN0Lm5ldDAeFw0xNzEwMzAxNDAwMTla
Fw0yMDEwMjkxNDAwMTlaMIGFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1T
dGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYDVQQL
DAR0ZXN0MREwDwYDVQQDDAh0ZXN0Lm5ldDEcMBoGCSqGSIb3DQEJARYNdGVzdEB0
ZXN0Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMNGWIdxz9we
4sdPs6o8p25COLboDeD6x4lwNNvljt+VqedlW2+ZgEYvRb5bfG3E304PzYCkq76p
r8oxAgPK+UClfAJA0o5ivnTBuqep/IK5+WtIcK39GpEI/CSF4edGO1vo1wLAmIfY
N164pFR9P20EEO7er0jWAC2Fk6WibyJrKc2sOIdLBlprCvJ1Y5UTKx4t99a2T/7C
Z3MnsFCGwrgCjEFZUEiLNnIJOJwuMDtZfqT/0bQKXNNXitMY9LrgDUImlhgLTLrr
A0/8tCDZlNVTp/+ErN8q28dXHdm/Ivx1K+MmcTErC2xsXCKHSdcNhekZm3hyyNYe
DAnqiZSJjrcCAwEAAaNQME4wHQYDVR0OBBYEFNyJFLOStm4f5BXXwh1nKSWGnmle
MB8GA1UdIwQYMBaAFNyJFLOStm4f5BXXwh1nKSWGnmleMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHGQfL17OV2cfjlIvwi4k71ovqhuLak96FFkK0h+
0EmenWltsF9DOnu9UYplW0r6zl4mTbxvRceLCO5VKqXEkqbwUuMbGrnQzjyTo0lQ
KAlzooYPoMQLNkjfu/k6pjhKEmUvQA8yWX65IpbO+eTQigPNlP4rMfZTtqTpSEFp
shAZ6YYzva1+mdnE7Mda95q9bzt1wJRO0+7eAqRLdCbEVI4hGgGDo/y3g9LU6iJt
Tatb0kxzRoi4ag6a/S8K1FEkqAcVIxuQaJKArpmHkWEDWitLyETX4KcZO2wfM0ID
KbqhcDClvxDrecAitUzPxkLBxSt3P4Jqk03PLJLMzkFUJ0M=
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=test/CN=test.net/emailAddress=test at test.net
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1435 bytes and written 126 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 07E08399EF69458280DBAFF1C28D4A2D42E95009DA76F84F868C86CC7570C772BF2336880D105140054A6D82EE118360
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1509372388
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
root at 1f333b094ef7:/# echo $?
1
root at 1f333b094ef7:/#
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1728608/+subscriptions
More information about the foundations-bugs
mailing list