SSL Certificate cache


Sharanagoud B D

Oct 9, 2012, 6:24:39 AM
How to check on a Linux client device whether the certificate used is cached or it's from the server? I am using openssl s_client to establish an HTTP connection.

Thanks,
Sharan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dave Thompson

Oct 10, 2012, 3:48:10 PM
> From: owner-ope...@openssl.org On Behalf Of Sharanagoud B D
> Sent: Tuesday, 09 October, 2012 06:25

> How to check in Linux client device whether the certificate
> used is cached or it's from the server? I am using openssl
> s_client to establish http connection.
>
By "the certificate used" do you mean the server's cert?
That must always be sent by the server; even if the client
has a copy already, the client does not know which one it is.
(It is *not* required that the same server name, or address,
always use the same key+cert, and some don't.)

If you mean chain certs above entity and below root:
- you can see what the server sends with -showcerts on s_client
- s_client uses openssl's standard truststore, a file and/or
directory in specified or default locations. You can look at
that file and/or directory to see what certs are in it.
- verification is the same either way; so it shouldn't matter,
unless there are multiple certs for the same CA subject. Public
CAs generally change subject for new generation etc., but sometimes
reuse subject to lengthen validity of an existing subtree or provide
an alternate (or just changed) trust path to a subtree.

If the server sends the root cert for its cert, openssl client
including s_client doesn't use it. openssl only trusts roots
in its local truststore.

OTOH if you mean a *client* cert -- used for client auth, which
is rare -- s_client uses only a cert explicitly specified on
the command line, and you know what you specified.

Sharanagoud B D

Oct 11, 2012, 7:38:05 AM
Thank you Dave.

My setup is:

Attacker Linux PC (Client)------ SSLFP-Firewall -------Victim Linux PC (Server)

Here, the firewall supports SSL certificate caching, so I just wanted to know whether a certificate cached by the firewall can be viewed on the client PC. This firewall is an SSL forward proxy.
I think "-showcerts" in openssl shows the certificate which is cached right?

Thanks,
Sharan

Dave Thompson

Oct 11, 2012, 7:55:27 PM
> From: owner-ope...@openssl.org On Behalf Of Sharanagoud B D
> Sent: Thursday, 11 October, 2012 07:38

> My setup is:
>
> Attacker Linux PC (Client)------ SSLFP-Firewall -------Victim
> Linux PC (Server)
>
> Here, Firewall supports SSL certificate caching, So just
> wanted to know whether certificate cached from firewall can
> be viewed in Client PC. This firewall is SSL Forward proxy.

What exactly is the firewall doing, and what do you mean by
"certificate caching"?

If it's just passthrough it can see initial handshake for each
session, and could save certs from them, but can't use those
certs for anything. In particular it can't modify any later
session's initial handshake, or even see a renegotiation
(unless negotiate eNULL then renegotiate, which is yucky).

If it's terminating SSL from the client and sending clear
to the server, it has whatever key+certs it's configured with,
or if it wants to fool the client by having the real server's
name(s?) in the cert -- I believe only for client using SNI,
which few if any do -- it must be generating those certs
(for a configured key or generated keys) on the fly
or have access to an online CA that does so.
Generated certs like that might be cached and re-used;
if so you can recognize when the client gets a server
(entity) cert it has seen before, or one it hasn't
(which doesn't prove it wasn't used elsewhere).

If it's terminating SSL from the client and initiating SSL
to the server, i.e. a real SSL-level (or higher) proxy,
it may be saving the server certs and related CA certs
somewhere, but your client can't see them, because the
cert and chain used to the client can't be the same.
If it's doing client-auth on the server side, similarly
it may have fixed or generated key+cert, but your client
can't see it. If it's accepting client-auth from your client,
which is rare, it may be saving that, but it can't use it
on the server side.

> I think "-showcerts" in openssl shows the certificate which
> is cached right?
>
-showcerts shows "additional" (chain) certs sent in the
handshake by the server. The protocol does not indicate
whether they were/are cached. Usually CA certs are static
and it doesn't matter where they came from. s_client always
shows the server=entity cert, if that's what you want.

In another message you ask about multiple connections.
To reduce traffic I am replying here.

I assume you mean from s_client because that was your question
earlier, although other clients are possible. If you mean serially,
i.e. connection 1 then connection 2 then connection 3, that's
trivial, so I assume that's not your question. If you mean
concurrently, yes, just run several instances of s_client
concurrently. It doesn't matter whether they are to the same
server or not, each process and SSL connection is separate.

You probably need to make their input interactive (thus each
on a separate pty, shell window, or similar) or piped from a
program that takes some time (like sleep 60) so you have time
to type multiple commands and look at the results.

If you want s_client connections to be in one SSL "session"
i.e. negotiated authentication and session keyset, which
nominally should be same client to same server, you can
do that with -sess_out and -sess_in . But that skips the only
usage of certs in the protocol, namely for authentication,
so it seems unlikely to be what you want.
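
Both replies above come down to the same practical point: the protocol never tells the client whether a certificate came from a cache, so the only thing the client can do is record what `-showcerts` hands it and compare across connections. The following is an added example, not code from the thread posters or from OpenSSL. It parses the "Certificate chain" section of `openssl s_client -showcerts` output (the subject/issuer lines and the PEM blocks), computes a SHA-256 fingerprint of each certificate, flags a server-sent self-signed root and whether that root is in the client's own truststore (openssl ignores it otherwise), and remembers the depth-0 entity cert per host so a changed cert, such as one minted by a terminating forward proxy, is visible on the next connection. The sample output, the placeholder PEM bodies (which decode to short strings, not real X.509 certificates), the function names, and the truststore modelled as a set of fingerprints are all constructed assumptions of this example.

```python
"""Added example (not code from the thread or from OpenSSL): parse the
'Certificate chain' section of `openssl s_client -showcerts` output,
fingerprint each certificate, and track per host whether the entity
certificate is one the client has already seen."""
import base64
import hashlib
import re

# Constructed sample of s_client -showcerts output in the OpenSSL 1.0-era
# format. The base64 bodies are placeholders that decode to short strings;
# they are NOT real X.509 certificates.
SAMPLE_SHOWCERTS = """CONNECTED(00000003)
depth=2 C = XX, O = Example CA, CN = Example Root
verify return:1
---
Certificate chain
 0 s:/C=XX/O=Example/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
ZW50aXR5LWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example CA/CN=Example Intermediate
   i:/C=XX/O=Example CA/CN=Example Root
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
 2 s:/C=XX/O=Example CA/CN=Example Root
   i:/C=XX/O=Example CA/CN=Example Root
-----BEGIN CERTIFICATE-----
cm9vdC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/O=Example/CN=www.example.test
issuer=/C=XX/O=Example CA/CN=Example Intermediate
---
"""

# Same chain with the depth-0 entity cert swapped for a different placeholder:
# what a terminating forward proxy that mints its own server certs would
# present to the client. Also constructed.
SAMPLE_PROXY_SHOWCERTS = SAMPLE_SHOWCERTS.replace(
    "ZW50aXR5LWNlcnQtcGxhY2Vob2xkZXI=", "cHJveHktbWludGVkLXBsYWNlaG9sZGVy")

# Newer OpenSSL prints "s:C = XX, O = ..." instead of "s:/C=XX/O=..."; both
# forms are captured verbatim after the "s:" / "i:" prefix.
SUBJECT_LINE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_showcerts(text):
    """Return the chain entries as dicts: index, subject, issuer, der (bytes).
    'der' is simply the base64-decoded PEM body of that entry."""
    certs, current, pem_lines = [], None, None
    for line in text.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            current = {"index": int(m.group(1)), "subject": m.group(2).strip(),
                       "issuer": None, "der": b""}
            certs.append(current)
            continue
        m = ISSUER_LINE.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
        elif line.strip() == "-----BEGIN CERTIFICATE-----":
            pem_lines = []
        elif line.strip() == "-----END CERTIFICATE-----":
            if current is not None and pem_lines is not None:
                current["der"] = base64.b64decode("".join(pem_lines))
            pem_lines = None
        elif pem_lines is not None:
            pem_lines.append(line.strip())
    return certs


def fingerprint(der):
    """SHA-256 of the DER bytes (same digest `openssl x509 -fingerprint
    -sha256` computes, minus the colon formatting)."""
    return hashlib.sha256(der).hexdigest()


def analyse_chain(certs, local_truststore):
    """local_truststore: set of fingerprints of the roots in the client's own
    store (a modelling assumption here; the real store is a PEM file/dir).
    A self-signed entry in the chain is a server-sent root; openssl trusts
    only roots from the local store, so report whether it is actually there."""
    entity = next((c for c in certs if c["index"] == 0), None)
    roots = [c for c in certs if c["subject"] == c["issuer"]]
    sent_root = roots[0] if roots else None
    in_store = sent_root is not None and fingerprint(sent_root["der"]) in local_truststore
    return entity, sent_root, in_store


class SeenCerts:
    """Per-host memory of the entity cert fingerprint. The handshake never
    says whether a cert was cached, but a different fingerprint for the same
    host on a later connection is something the client can see."""

    def __init__(self):
        self._seen = {}

    def observe(self, host, certs):
        entity = next(c for c in certs if c["index"] == 0)
        fp = fingerprint(entity["der"])
        previous = self._seen.get(host)
        self._seen[host] = fp
        if previous is None:
            return "new"
        return "same" if previous == fp else "changed"


if __name__ == "__main__":
    # Stand-alone demo; a real run would feed the captured output of
    #   openssl s_client -connect host:443 -showcerts </dev/null
    store = {fingerprint(b"root-placeholder")}  # pretend this root is installed locally
    chain = parse_showcerts(SAMPLE_SHOWCERTS)
    entity, root, trusted = analyse_chain(chain, store)
    print("entity:", entity["subject"], fingerprint(entity["der"])[:16])
    print("server-sent root:", root["subject"] if root else None, "in local store:", trusted)
    cache = SeenCerts()
    for label, text in (("first", SAMPLE_SHOWCERTS), ("second", SAMPLE_SHOWCERTS),
                        ("via proxy", SAMPLE_PROXY_SHOWCERTS)):
        print(f"{label:10s} entity cert:", cache.observe("www.example.test", parse_showcerts(text)))
```

In practice you would pipe `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null` into `parse_showcerts` once per connection; a "changed" result for the same host is the signal that something in the path (the server rotating keys, or a proxy generating certs on the fly) presented a different entity certificate, and a server-sent root that is not in the local store is one openssl will not use no matter what the server sends.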
