Openssl

From Hackepedia

Have you ever wondered what happens behind the scenes when your browser looks at a secure webpage?

$ openssl s_client -connect www.example.com:443

Here we will try Hotmail as an example:

$ openssl s_client -connect www.hotmail.com:443
CONNECTED(00000003)
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 1562 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
   Protocol  : TLSv1
   Cipher    : RC4-MD5
   Session-ID: C11400002AAB613AD6C75370910E17EF8343200B966B5E96D1DA80F62109C5BC
   Session-ID-ctx: 
   Master-Key: 4847F9E69D0C2314BC7206318E3A6E2F0932BB9847BD352F8594148CA1970560971338DCE0C756D02D317AC881A801DC
   Key-Arg   : None
   Start Time: 1173414130
   Timeout   : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
---


There are some very interesting findings in this example, specifically the "verify error" lines. In summary, they mean that you were not able to verify the first certificate: Microsoft has implemented SSL incorrectly. This is not to fault them; many companies do not implement it properly. SSL requires that the certificate CN be exactly the same as the website address. In this case, even though we're trying to go to www.hotmail.com, which is what the CN should say, it says cb1.msn.com, as you can see above. It does make one wonder about the security of a company that can't get something like SSL implemented properly.
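
The output above contains two separate findings: the "verify error" lines come from checking the certificate chain, and the CN is compared with the host name that was requested. The following is an added example, not part of the original page, that summarises a saved s_client transcript on both counts. The function names are hypothetical, SAMPLE is abridged from the output above, and the handling of wildcard CNs and of the newer "CN = name" subject format goes beyond what the page shows; subjectAltName is not considered.

```shell
#!/bin/sh
# Added example: summarise a saved `openssl s_client` transcript.
# SAMPLE is abridged from the Hotmail output on this page.
SAMPLE='depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com
    Verify return code: 21 (unable to verify the first certificate)'

# CN of the server certificate, from the subject= line. Accepts the old
# "/CN=name" form shown on this page and the newer "CN = name" form.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|^subject=.*CN *= *\([^/,]*\).*$|\1|p' | head -n 1
}

# Verify error numbers in order of appearance, space separated.
verify_errors() {
    printf '%s\n' "$1" | sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | paste -s -d ' ' -
}

# Numeric "Verify return code" (0 means the chain verified).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Succeeds when host ($1) matches cn ($2): case-insensitive exact match, or a
# leading "*." in the CN standing for exactly one label. subjectAltName is
# not considered (simplification: the page only discusses the CN).
cn_matches() {
    m_host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    m_cn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$m_cn" in
        '*.'*) m_rest=${m_host#*.}; m_base=${m_cn#\*.}
               [ "$m_rest" != "$m_host" ] && [ "$m_rest" = "$m_base" ] ;;
        *)     [ "$m_host" = "$m_cn" ] ;;
    esac
}

# One-line verdict: chain verification and name check reported separately.
audit() {
    a_cn=$(subject_cn "$2"); a_errs=$(verify_errors "$2"); a_code=$(verify_code "$2")
    if [ "${a_code:-1}" = 0 ] && [ -z "$a_errs" ]; then chain=ok; else chain="FAIL($a_errs)"; fi
    if cn_matches "$1" "$a_cn"; then name=ok; else name="MISMATCH($a_cn)"; fi
    echo "chain=$chain name=$name"
}

audit www.hotmail.com "$SAMPLE"
```

To use it on a live capture, save the s_client output to a file and pass its contents as the second argument to audit.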

What happens when you try Hotmail's secure web login in your browser now? Did you see these errors? Were you prompted to accept the certificate manually? Were you outright denied, or did you end up on a Hotmail webpage without any errors, meaning your browser permitted them?