I want to use OpenSSL or any native Linux command to grab the certificate of a SQL Server. I tried the same way as I do with an HTTP server but it doesn't work.
openssl s_client -showcerts -connect MY.MSSQL.SERVER:1433
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This gist by github user lnattrass gives a python script that is "A terrible way to connect to MS SQL Server and dump the certificate as a PEM" (his wording) in python. Yes, that's not what you asked about, you asked about OpenSSL. But one of the comments says in part
I was able to get the same results using openssl like this: openssl s_client -showcerts -connect <hostname>:<port> </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem as suggested somewhere.
(no clue where "somewhere" would have been.)
I've tried the openssl method but it failed for me:
rpresser#11MTLDEV-L11626:~$ openssl s_client -showcerts -connect mysqlserver.mydomain.com:1433 </dev/null 2>/dev/null|openssl x509 -outform PEM >dbcertfile.pem
unable to load certificate
140246796931520:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Perhaps this was because the self-signed cert (see below) was not trusted? I'm really not sure.
After fixing one indentation bug, the python method worked for me:
rpresser#11MTLDEV-L11626:/mnt/c/temp$ python3 get_tds_cert.py redacted.domain.COM 1433
# get_tdspacket: 0, tdspacket len: 43
# Header: {'type': 4, 'status': 1, 'length': 43, 'channel': 0, 'packet': 1, 'window': 0}
# Remaining tdspbuf length: 0
# Starting TLS handshake loop..
# Shaking (0/5)
# get_tdspacket: 0, tdspacket len: 894
# Header: {'type': 18, 'status': 1, 'length': 894, 'channel': 0, 'packet': 0, 'window': 0}
# Remaining tdspbuf length: 0
# Shaking (1/5)
# get_tdspacket: 0, tdspacket len: 67
# Header: {'type': 18, 'status': 1, 'length': 67, 'channel': 0, 'packet': 0, 'window': 0}
# Remaining tdspbuf length: 0
# Handshake completed, dumping certificates
-----BEGIN CERTIFICATE-----
MIIB+zCCAWSgAwIBAgIQYc0YElx/YYFF/Q0PIYETxDANBgkqhkiG9w0BAQUFADA7
MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
bABsAGIAYQBjAGswIBcNMjAwMjAyMDQ0NzA5WhgPMjA1MDAyMDIwNDQ3MDlaMDsx
OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
AGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAohSQbug4qZug
ji16iKuNpX4OzGc9DPAORaho8LB2AGinol+rEmcTGRofeIg9zeXMbiOwWbrCnT3/
RUDLOW6V4papZ7H/qIcmVIKdzNCezWMlfPd0h4S00kVovHDIbC1t2uhcDdfEIsh+
fbgzS34bkXNACurtV5t8kpPWYDsRwqsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBr
qfAph+/NF6Cgxisp7UHq9kjQ6sYNCIXfq9mJnRqX+I8H6nxSQfpDlljdvKN3GYeg
SL4jowNL11z5xjpJS9/KhLFwodicWKt0Go/CqusPWJKVJo0HgIn9a1hHPipRbR8w
3+QRy50kaPXm5VOoSg83+CjEg9ri7jfgtWLetq+xoQ==
-----END CERTIFICATE-----
I haven't bothered to redact the certificate because it is the SQL Server self-signed fallback, as displayed by SSLShopper Certificate Decoder
Certificate Information:
Common Name: SSL_Self_Signed_Fallback
Valid From: February 1, 2020
Valid To: February 1, 2050
Serial Number: 61cd18125c7f618145fd0d0f218113c4
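Added example (not the gist's code and not part of the original answer): plain openssl s_client fails here because SQL Server expects a TDS PRELOGIN packet first and then carries the TLS handshake records inside TDS type 18 packets, which is what the log above shows. The sketch below follows the MS-TDS layout linked on this page; the function names and the all-zero VERSION value are assumptions chosen for illustration.

```python
import socket, ssl, struct

PRELOGIN, EOM = 0x12, 0x01  # TDS packet type 18; "end of message" status bit

def tds_packet(payload, ptype=PRELOGIN):
    # 8-byte header: type, status, total length (big-endian), SPID, packet id, window
    return struct.pack(">BBHHBB", ptype, EOM, len(payload) + 8, 0, 1, 0) + payload

def prelogin_payload():
    # Option table of (token, offset, length) entries, 0xFF terminator, then the data.
    opts = [(0x00, bytes(6)),   # VERSION (all zeros: constructed value for a probe)
            (0x01, b"\x01"),    # ENCRYPTION = ENCRYPT_ON
            (0x02, b"\x00"),    # INSTOPT: empty instance name
            (0x03, bytes(4)),   # THREADID
            (0x04, b"\x00")]    # MARS off
    offset, table, data = 5 * len(opts) + 1, b"", b""
    for token, value in opts:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    return table + b"\xff" + data

def read_tds(stream):
    # Reassemble one TDS message: keep reading packets until the EOM bit is set.
    payload = b""
    while True:
        header = stream.read(8)
        if len(header) < 8:
            raise ConnectionError("connection closed mid-message")
        ptype, status, length = struct.unpack(">BBH", header[:4])
        payload += stream.read(length - 8)
        if status & EOM:
            return ptype, payload

def fetch_cert_pem(host, port=1433, timeout=10):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # read the cert, do not trust it
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        sock.sendall(tds_packet(prelogin_payload()))
        read_tds(stream)                          # PRELOGIN response arrives as type 4
        while True:
            try:
                tls.do_handshake()
                break
            except ssl.SSLWantReadError:          # TLS needs more bytes from the server
                if outgoing.pending:
                    sock.sendall(tds_packet(outgoing.read()))
                incoming.write(read_tds(stream)[1])
    return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Call fetch_cert_pem("host", 1433) and write the result to a .pem file. A server that only offers TLS versions below the Python default minimum needs ctx.minimum_version lowered before the handshake.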
Inspired by the https://gist.github.com/lnattrass/a4a91dbf439fc1719d69f7865c1b1791 with help from https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/1ef08b76-1594-40cf-8ce0-d2407133dd3d
Similar implementation in groovy (java 11) which returns certificate chain from sql server:
groovy sqlserver-cert.groovy <host> <port>
After looking for openssl solutions without success and fighting with the python script without success too (both the initial and the fixed versions threw an error), I resorted to using nmap; in this case it was quite easy:
nmap -v --script=ssl-cert -p 1433 server.example.com
In the output there should be a certificate such as this (self-signed cert); you should be able to clean the formatting and use it where you need.
| SHA-1: dba1 14a3 d2c7 9410 0a7a bb8d d08e e1a0 d6a1 9e87
| -----BEGIN CERTIFICATE-----
| MIIB+zCCAWSgAwIBAgIQJW6eoEmJJJJDqpOSmq2W6TANBgkqhkiG9w0BAQUFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjMwMTE4MTEyOTQ5WhgPMjA1MzAxMTgxMTI5NDlaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKxXDgSq1++4
| yDSOmXDO5F2gDa1cW2x4USQOxXq5ux4RObhteo9pVOIDi2TfmKMUl9OTNUqfxiTl
| YJtHmBKP7aghWK5Z9p5VBDfbzmAG04tdII49piocKvdimy96veGWnPUGFdovx35k
| dEOT7+NpQTVIDscsIIDa8csQJmuwgdsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBV
| 0KzioJl5tcvpjG2VK/TTpfAdZnz4MZwhg/ThviRtcV3WLVkKbCOh0A1ljCoURgsX
| HIvYXBHn1XdJn4F8HHeh8B53tjwRYkvxg2jGWfKofr0nAu23rbMv3543UroSH6r2
| 3CeLkgsAwFUcXPUfYwae5L48FKlkD5V2TsOhmy8rvg==
|_-----END CERTIFICATE-----
I am trying to run subscribe_publish_sample on a device (ARM architecture). For this I have cross-compiled the code and copied it to the device. The required certificates are also copied to the device. I am getting the following error.
Please let me know for any mistake.
ERROR: iot_tls_connect L#164 failed
! mbedtls_net_connect returned -0x52
ERROR: main L#190 Error(-23) connecting to 215740087218.iot.ap-south-1.amazonaws.com:8883
Configurations :
#define AWS_IOT_MQTT_HOST "215740087218.iot.ap-south-1.amazonaws.com" ///< Customer specific MQTT HOST. The same will be used for Thing Shadow
#define AWS_IOT_MQTT_PORT 8883 ///< default port for MQTT/S
#define AWS_IOT_MQTT_CLIENT_ID "RaspberryPi" ///< MQTT client ID should be unique for every device
#define AWS_IOT_MY_THING_NAME "RaspberryPi" ///< Thing Name of the Shadow this device is associated with
#define AWS_IOT_ROOT_CA_FILENAME "rootCA.crt" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME "7256bcd191-certificate.pem.crt" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME "7256bcd191-private.pem.key" ///< Device private key filename
// =================================================
======================================================================================
Certificates copied to device :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# ls
7256bcd191-certificate.pem.crt 7256bcd191-private.pem.key 7256bcd191-public.pem.key README.txt rootCA.crt
ARN : arn:aws:iot:ap-south-1:215740087218:thing/RaspberryPi
Policy attached : arn:aws:iot:ap-south-1:215740087218:policy/RaspberrypiPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*"
}
]
}
==============================================================================
Debug Logs for sample :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample# ./subscribe_publish_sample
AWS IoT SDK Version 3.0.1-
DEBUG: main L#159 rootCA /home/root/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample/../../../certs/rootCA.crt
DEBUG: main L#160 clientCRT /home/root/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample/../../../certs/7256bcd191-certificate.pem.crt
DEBUG: main L#161 clientKey /home/root/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/samples/linux/subscribe_publish_sample/../../../certs/7256bcd191-private.pem.key
Connecting...
DEBUG: iot_tls_connect L#130
. Seeding the random number generator...
DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ...
DEBUG: iot_tls_connect L#144 ok (0 skipped)
DEBUG: iot_tls_connect L#146 . Loading the client cert. and key...
DEBUG: iot_tls_connect L#159 ok
DEBUG: iot_tls_connect L#161 . Connecting to 215740087218.iot.ap-south-1.amazonaws.com/8883...
ERROR: iot_tls_connect L#164 failed
! mbedtls_net_connect returned -0x52
ERROR: main L#190 Error(-23) connecting to 215740087218.iot.ap-south-1.amazonaws.com:8883
telnet logs :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# telnet 215740087218.iot.ap-south-1.amazonaws.com 8883
telnet: bad address '215740087218.iot.ap-south-1.amazonaws.com'
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs#
ping response:
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# ping 215740087218.iot.ap-south-1.amazonaws.com
ping: bad address '215740087218.iot.ap-south-1.amazonaws.com'
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs#
Mosquitto_sub response :
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs# mosquitto_sub --cafile rootCA.crt --cert 7256bcd191-certificate.pem.crt --key 7256bcd191-private.pem.key -h 215740087218.iot.ap-south-1.amazonaws.com -p 8883 -q 0 -d -t sdkTest/sub -i RaspberryPi
Unable to connect (Lookup error.).
root#RelySys:~/aws_iot/my_app/aws-iot-device-sdk-embedded-C-master/certs#
The host name you provided seems to be incorrect:
nslookup 215740087218.iot.ap-south-1.amazonaws.com
Server: 127.0.1.1
Address: 127.0.1.1#53
** server can't find 215740087218.iot.ap-south-1.amazonaws.com: NXDOMAIN
This is confirmed by the error as well (in net_socket.h from the SDK):
#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /**< Failed to get an IP address for the given hostname. */
Read AWS IoT Connecting Devices. You need to provide the endpoint specific to your account.
Ref. Build log
What do I do wrong?
That error is a red herring. The real issue is:
openssl pkcs12 -in [password redacted] -out cert.crt.pem -password pass:passwordHidden -passout pass:password
64991:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/crypto/asn1/tasn_dec.c:1344:
64991:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/crypto/asn1/tasn_dec.c:848:
64991:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/crypto/asn1/tasn_dec.c:768:Field=version, Type=PKCS12
Most likely there is an issue with your certificate. Probably a wrong password. Or a problem with the certificate itself.
At the moment my openssl version is
OpenSSL 1.0.2h 3 May 2016
I use an example code offered by openssl Simple_TLS_Server to start a server and use s_client to send tls handshake. The server returned error like this:
139629255337616:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1349
And the s_client returned:
CONNECTED(00000003)
140266915485328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1471879558
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
After reading this Manual:SSL_CTX_set1_curves(3), I modified some lines of the original:
if(!SSL_CTX_set_ecdh_auto(ctx, 1))
{
fprintf(stderr, "Error: SSL_CTX_set_ecdh_auto(ctx, 1)\n");
}
When I restarted the Simple_TLS_Server, it prints
Error: SSL_CTX_set_ecdh_auto(ctx, 1)
Also tried like this:
if(!SSL_CTX_set_ecdh_auto(ctx, 1))
{
ERR_print_errors_fp(stderr);
}
But there was no available error message.
Does anyone know how could this happen? If you require more information, please just let me know.
PS: I tried certificates and keys with s_server and s_client, that worked fine.
Does anyone know how could this happen?
According to the source code, the only cases where SSL_CTX_set_ecdh_auto returns 0 are when the openssl library was compiled without support for ECDH (OPENSSL_NO_ECDH) or without support for elliptic curves at all (OPENSSL_NO_EC).
While converting some certificates from keystore to openssl/pem I noticed for the first time that there are "Bag Attributes" prepended to the certs.
They look like this:
Bag Attributes
friendlyName: CN=PositiveSSL CA,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
subject=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
Do they serve any function?
I noticed that I like them because they make my chain-files (a concatenation of certificates) more clear. Sadly the ca certs I download don't have them.
So how do I generate them?
To be exact, you apparently mean converting (or just reading) with the openssl pkcs12 (import) utility a PKCS#12 file, which can be supported by Java as a keystore but was not the default (update) until Java9 in 2017. PKCS#12 was designed and normally is used for a privatekey and the cert(s) (usually multiple) for that key, although the format is flexible enough to allow lone cert(s). OpenSSL commandline pkcs12 -export requires a privatekey, although it will add "extra" certs, and a program calling the API can apparently do no privatekey. In my experience, Java didn't support lone cert(s) in PKCS#12 before version 8, and in my 8 and 9 has two attributes: pkcs9.friendlyName and 2.16.840.1.113894.746875.1.1 which is apparently an Oracle-defined trustedKeyUsage. Most lone certs are not stored, or downloaded, as PKCS#12.
PKCS#12 is defined in terms of several (slightly different) "bag" structures that contain various things, primarily privatekeys and certs with optional attributes attached that are unsurprisingly called "bag attributes"; your case (apparently) has only cert(s). These attributes follow the now-conventional structure of an arbitrary number of pairs of OID plus value depending on the OID. Note in your display only friendlyName is a bag attribute, indicated because it is indented under the heading.
The subject= and issuer= lines are fields from the cert itself which the openssl pkcs12 (import) utility extracts and prints for convenience. If that is sufficient, you can display them for any cert with the x509 utility; in particular if you want to have them before the PEM-encoded cert "blob" in the way pkcs12 output does, use openssl x509 -in infile -subject -issuer -out outfile. This does one cert, so if you have a chain in a PEM file you need to split it apart and do each cert separately, and possibly combine again afterwards; for example something like
# split into files cert_1, cert_2, etc.
$ awk <chain.pem -va="openssl x509 -subject -issuer >cert_" \
'/^-----BEGIN/{b=a (++n);x=1}x{print|b}/^-----END/{close(b);x=0}'
# output entire "bag" to stdout (with blank lines between certs)
$ awk <chain.pem -va="openssl x509 -subject -issuer" \
'/^-----BEGIN/{b=a;x=1}x{print|b}/^-----END/{close(b);x=0;print""}'
As a comparison, openssl s_client -showcerts does something very similar: it outputs subject and issuer with each cert blob from the received chain, labelling them with a level number, "s:" and "i:".
I'm trying to write a secure client/server program in C with OpenSSL.
I've found a code sample at http://www.rtfm.com/openssl-examples/ but I get this error:
server: SSL read problem
client: Certificate doesn't verify
I think the problem is with the certificate generation, but I cannot find it.
Any idea?
Thanks
I downloaded the example and verified the error:
"10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
With this command:
openssl x509 -in client.pem -noout -text
I got this output:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 258 (0x102)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=RTFM, Inc., OU=Widgets Division, CN=Test CA20010517
Validity
Not Before: May 17 16:11:36 2001 GMT
Not After : Mar 6 16:11:36 2004 GMT
Subject: C=US, O=RTFM, Inc., OU=Widgets Division, CN=client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:87:35:64:a8:36:1e:a6:b1:4c:18:18:67:7b:4d:
84:03:b1:d4:86:d1:aa:3a:41:76:98:8e:4f:bb:f1:
9c:8c:41:e6:54:06:ed:9d:64:58:c6:e3:09:f3:90:
ac:2b:0f:8a:e9:fc:9e:4f:2d:1f:40:77:14:7b:da:
56:fd:01:ab:c4:38:a2:f6:50:31:c9:1a:cb:1c:66:
41:95:c3:f6:f3:65:bc:6b:28:5d:ab:bd:da:59:4a:
f2:8f:d4:e8:55:d4:c3:9d:b3:f5:93:a5:19:b5:81:
c9:95:4a:85:79:bc:b3:8c:a9:58:f3:8c:7a:31:43:
ff:b5:ce:98:f3:33:15:8b:d3
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
24:c9:85:14:79:b6:ff:00:ed:d7:39:fb:39:8a:47:54:3f:8b:
ca:84:dc:ca:e7:9a:9f:cc:39:71:df:5f:e8:9f:27:fc:3e:b7:
0a:1c:ff:27:78:12:7f:bb:a6:bf:a1:1a:c8:93:a1:f7:2d:d4:
93:99:0d:6f:40:92:af:d9:1a:ed:7e:36:95:51:4f:b0:b0:e7:
71:1d:33:0a:62:ec:0a:f0:64:0b:0b:21:40:6c:28:0e:d0:98:
b4:db:77:08:d4:e5:2e:d6:95:9d:b8:7b:28:19:1f:2a:99:ac:
ae:05:7b:0f:89:bb:39:45:92:4a:08:14:80:c2:7e:29:f2:cf:
6e:26
Not After : Mar 6 16:11:36 2004 GMT
shows that it was valid until 2004
You have to create a new certificate to use this example.
You can check those sites:
http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s02.html#cert2-fig
http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html
http://blog.taragana.com/index.php/archive/openssl-how-to-create-self-signed-certificate/
http://sandbox.rulemaker.net/ngps/m2/howto.ca.html
http://novosial.org/openssl/ca
Get the value returned by SSL_get_verify_result(ssl) and compare it to the list of results in the Diagnostics section of OpenSSL's verify page. This will tell you the exact error.