TLS Client Hello


sdu...@gmail.com

Jul 9, 2015, 6:18:20 AM
I've been trying to implement HAProxy as an HA LDAPS load balancer for MS Active Directory LDAP - terminating the initial SSL session at the proxy with a trusted cert and re-encrypting between the proxy and AD/DC with the MSCA cert. If I set the haproxy server 'verify none' (--insecure) option the solution works, suggesting that I have an SSL issue. The same solution with an OpenLDAP backend works fine with 'verify required'.

The ldapsearch utility successfully connects directly to either AD/LDAP or OpenLDAP. It appears that ldapsearch is using GNUTLS rather than OpenSSL.
I wasn't able to find an open-source reverse proxy solution capable of handling TCP/SSL (LDAPS) that didn't use OpenSSL, so I couldn't do an end-to-end comparison.

Looking at packet traces comparing haproxied AD/LDAP, OpenLDAP and direct ldapsearch - it appears that the haproxied AD/LDAP connection exchanges Client Hello / Server Hello and resets with a TLS Rec Layer-1 Encryption Alert.

To simplify, I tested with openssl s_client (1.0.1f and 1.0.2c) and gnutls-cli and restricted the connection to a single cipher.


GNUTLS:

gnutls-cli --insecure -p 636 --no-dane --no-local-dns --no-tofu --no-ocsp --disable-extensions --starttls-proto=ldap -VVVV --priority "NONE:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+AES-256-CBC:+SHA1:+RSA:+COMP-NULL" ldap.example.com

Processed 0 CA certificate(s).
Resolving 'ldap.example.com'...
Connecting to '10.0.0.1:636'...
unknown protocol ldap
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- X.509 Certificate Information:
Version: 3
Validity:
Not Before: Wed Apr 29 00:00:00 UTC 2015
Not After: Thu Apr 28 23:59:59 UTC 2016
Subject Public Key Algorithm: RSA
Extensions:
Subject Alternative Name (not critical):
DNSname: ldap1.example.com
DNSname: ldap2.example.com
Signature Algorithm: RSA-SHA1
Other Information:
SHA1 fingerprint:
SHA256 fingerprint:
- Certificate[1] info:
- X.509 Certificate Information:
Version: 3
Validity:
Not Before: Tue Aug 23 00:00:00 UTC 2011
Not After: Sun Aug 22 23:59:59 UTC 2021
Subject Public Key Algorithm: RSA
Extensions:
Subject Alternative Name (not critical):
directoryName: CN=VeriSign
Signature Algorithm: RSA-SHA1
Other Information:
SHA1 fingerprint:
SHA256 fingerprint:

- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
- Successfully sent 0 certificate(s) to server.
- Description: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
- Options: safe renegotiation,
- Channel binding 'tls-unique': 534de9e3d989b8f91230f1a1
- Handshake was completed

- Simple Client Mode:

GNUTLS Client Hello Packet (decoded by MS NetMon3.4):

TLS: TLS Rec Layer-1 HandShake: Client Hello.
TlsRecordLayer: TLS Rec Layer-1 HandShake:
ContentType: HandShake:
Version: TLS 1.0 { 0x3, 0x1 }
Length: 56 (0x38)
SSLHandShake: SSL HandShake ClientHello (0x01)
HandShakeType: ClientHello (0x01)
Length: 52 (0x34)
Client Hello: TLS 1.2
Version: TLS 1.2 { 0x3, 0x3 }
RandomBytes:
TimeStamp: 07/09/2015, 07:34:10 .0000 UTC
RandomBytes: Binary Large Object (28 Bytes)
SessionIDLength: 0 (0x0)
CipherSuitesLength: 2
TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }
CompressionMethodsLength: 1 (0x1)
CompressionMethods: 0 (0x0)
ExtensionsLength: 9 (0x9)
ClientHelloExtension: Unknown Extension Type
ExtensionType: Unknown Extension Type
ExtensionLength: 0 (0x0)
ClientHelloExtension: Renegotiation Info (0xFF01)
ExtensionType: Renegotiation Info (0xFF01)
ExtensionLength: 1 (0x1)
Data: Binary Large Object (1 Bytes)

Or:
16 03 01 00 38 01 00 00 34 03 03 55 9E 23 F2 16 C4 5E 94 B4 24 EC 03 86 DE 3B BE 30 D4 3F FE 8B 22 14 03 FF C4 9C 04 94 24 E3 E9 00 00 02 00 35 01 00 00 09 00 16 00 00 FF 01 00 01 00


OpenSSL:

openssl s_client -msg -debug -state -no_ticket -connect ldap.example.com:636 -tls1_2 -cipher AES256-SHA
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0x7f0e90 [0x7fa9c3] (95 bytes => 95 (0x5F))
0000 - 16 03 01 00 5a 01 00 00-56 03 03 41 30 a4 ee 9a ....Z...V..A0...
0010 - 4d c1 8e 29 e5 0f 3e e3-00 05 e2 08 16 84 b3 e7 M..)..>.........
0020 - fb 11 ee 1c 22 32 cb 06-e5 91 bb 00 00 04 00 35 ...."2.........5
0030 - 00 ff 01 00 00 29 00 0d-00 20 00 1e 06 01 06 02 .....)... ......
0040 - 06 03 05 01 05 02 05 03-04 01 04 02 04 03 03 01 ................
0050 - 03 02 03 03 02 01 02 02-02 03 00 0f 00 01 01 ...............
>>> TLS 1.2 Handshake [length 005a], ClientHello
01 00 00 56 03 03 41 30 a4 ee 9a 4d c1 8e 29 e5
0f 3e e3 00 05 e2 08 16 84 b3 e7 fb 11 ee 1c 22
32 cb 06 e5 91 bb 00 00 04 00 35 00 ff 01 00 00
29 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05
02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02
01 02 02 02 03 00 0f 00 01 01
SSL_connect:SSLv3 write client hello A
read from 0x7f0e90 [0x7f6473] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 51 ....Q
write to 0x7f0e90 [0x7fff10] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 46 ......F
>>> TLS 1.0 Alert [length 0002], fatal protocol_version
02 46
SSL3 alert write:fatal:protocol version
SSL_connect:error in SSLv3 read server hello A
140677224212128:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1436430215
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

OpenSSL Client Hello Packet (decoded by MS NetMon3.4):

TLS: TLS Rec Layer-1 HandShake: Client Hello.
TlsRecordLayer: TLS Rec Layer-1 HandShake:
ContentType: HandShake:
Version: TLS 1.0 { 0x3, 0x1 }
Length: 90 (0x5A)
SSLHandShake: SSL HandShake ClientHello (0x01)
HandShakeType: ClientHello (0x01)
Length: 86 (0x56)
Client Hello: TLS 1.2
Version: TLS 1.2 { 0x3, 0x3 }
RandomBytes:
TimeStamp: 08/28/2004, 15:29:50 .0000 UTC
RandomBytes: Binary Large Object (28 Bytes)
SessionIDLength: 0 (0x0)
CipherSuitesLength: 4
TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }
TLSCipherSuites: Unknown Cipher { 0xFF }
CompressionMethodsLength: 1 (0x1)
CompressionMethods: 0 (0x0)
ExtensionsLength: 41 (0x29)
ClientHelloExtension: Signature Algorithms (0x000D)
ExtensionType: Signature Algorithms (0x000D)
ExtensionLength: 32 (0x20)
Data: Binary Large Object (32 Bytes)
ClientHelloExtension: Unknown Extension Type
ExtensionType: Unknown Extension Type
ExtensionLength: 1 (0x0)
Data: Binary Large Object (1 Bytes)
Or:
16 03 01 00 5A 01 00 00 56 03 03 41 30 A4 EE 9A 4D C1 8E 29 E5 0F 3E E3 00 05 E2 08 16 84 B3 E7 FB 11 EE 1C 22 32 CB 06 E5 91 BB 00 00 04 00 35 00 FF 01 00 00 29 00 0D 00 20 00 1E 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0F 00 01 01

The SSL HandShake ServerHello response in both scenarios was identical, but OpenSSL immediately issues a Layer-1 Encrypted Alert (0x2 0x46), whereas GNUTLS continued negotiation.


Now, I don't really know what any of this means, but can make a few observations:

- Both clients should be offering a single cipher (based on the cli parameters), but the CipherSuitesLength with OpenSSL is 2 bytes longer.
- The second TLSCipherSuite with OpenSSL = 0x00, 0xFF (reserved for private use), followed by CompressionMethodsLength 0x01.
- The OpenSSL client hello doesn't have the renegotiation extension 0xFF01.
- The OpenSSL client hello has an extra 'Unknown Extension Type' 0x000F. (heartbeat)
- The OpenSSL client hello includes the 'Signature Algorithms' extension 0x000D.
- The GNUTLS client hello has an extra 'Unknown Extension Type' 0x0016. (encrypt_then_mac)
- The RandomBytes timestamp for OpenSSL is random/invalid.

Does the OpenSSL Client Hello appear to be malformed? Why are there two cipher suites? Why isn't the renegotiation extension set? Why is the timestamp on the random data incorrect?

Any ideas appreciated.

-Steve
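An added example, not part of the post: a small Python decoder run over the byte strings quoted above (the two Client Hello dumps, the 5-byte server header and the alert from the s_client trace, copied in as constructed inputs; suite and extension names are the registered IANA values). It reads the observations straight off the bytes: the second OpenSSL "suite" 0x00FF is the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling value from RFC 5746, 0x000F is heartbeat, 0x0016 is encrypt_then_mac, and the server's first record carries version 0x0301 while the client pinned with -tls1_2 offered 0x0303, which is what the "wrong version number" line and the fatal protocol_version alert in the trace report.

```python
import struct

# Constructed inputs: the hex dumps quoted in the post, as bytes.
GNUTLS_HELLO = bytes.fromhex(
    "16 03 01 00 38 01 00 00 34 03 03 55 9E 23 F2 16 C4 5E 94 B4 24 EC 03 86 DE 3B BE"
    " 30 D4 3F FE 8B 22 14 03 FF C4 9C 04 94 24 E3 E9 00 00 02 00 35 01 00 00 09 00 16"
    " 00 00 FF 01 00 01 00")
OPENSSL_HELLO = bytes.fromhex(
    "16 03 01 00 5A 01 00 00 56 03 03 41 30 A4 EE 9A 4D C1 8E 29 E5 0F 3E E3 00 05 E2"
    " 08 16 84 B3 E7 FB 11 EE 1C 22 32 CB 06 E5 91 BB 00 00 04 00 35 00 FF 01 00 00 29"
    " 00 0D 00 20 00 1E 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03"
    " 02 03 03 02 01 02 02 02 03 00 0F 00 01 01")
SERVER_HEADER = bytes.fromhex("16 03 01 00 51")         # the 5 bytes the server answered with
OPENSSL_ALERT = bytes.fromhex("15 03 01 00 02 02 46")   # what s_client sent back

CIPHERS = {0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
           0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}  # RFC 5746 signalling value
EXTENSIONS = {0x000D: "signature_algorithms", 0x000F: "heartbeat",
              0x0016: "encrypt_then_mac", 0xFF01: "renegotiation_info"}
ALERTS = {70: "protocol_version"}

def record_header(raw):
    """(content_type, record_version, length) from the 5-byte TLS record header."""
    return struct.unpack("!BHH", raw[:5])

def decode_client_hello(raw):
    """Decode a ClientHello record: versions, cipher suites, extensions as (name, data)."""
    ctype, rec_ver, length = record_header(raw)
    assert ctype == 0x16 and raw[5] == 0x01, "not a ClientHello record"
    body = raw[9:5 + length]                       # after the 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip Random (gmt_unix_time + 28 bytes)
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    exts = []
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            exts.append((EXTENSIONS.get(etype, "unknown_0x%04X" % etype), body[pos:pos + elen]))
            pos += elen
    return {"record_version": rec_ver, "version": version,
            "ciphers": [CIPHERS.get(s, "unknown_0x%04X" % s) for s in suites],
            "extensions": exts}

def decode_alert(raw):
    """(record_version, level, description) of an alert record; level 2 is fatal."""
    _, rec_ver, _ = record_header(raw)
    return rec_ver, raw[5], ALERTS.get(raw[6], raw[6])
```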