LibreSSL can't connect while standard OpenSSL can
Below are two outputs: from standard OpenSSL 1.0.2m running on Mac OS 10.11 vs. LibreSSL 2.5.5 running on Alpine 3.6.2. Testing keys/certs are attached as well
= OpenSSL 1.0.2m ==
$ openssl s_server -accept 4444 -key server-key.pem -cert
server-cert.pem -CAfile ca-cert.pem &
[1] 58394
$ Using default temp DH parameters
ACCEPT
$
$ openssl s_client -connect localhost:4444
CONNECTED (00000003)
depth=1 CN = Home CA
verify error:num=19:self signed certificate in certificate chain
——BEGIN SSL SESSION PARAMETERS——
MFoCAQECAgMDBALALAQABDAfxJpI2IIROvO1Y1gJAXnTA5o3QijMKa+RqdOcTUM9
K/G2aK8ZfvBnjvEU106ViFOhBgIEWhotaqIEAgIBLKQGBAQBAAAAqwMEAQE=
——END SSL SESSION PARAMETERS——
Shared
ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256
Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats:
uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves:
P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
Shared Elliptic curves:
P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
CIPHER is ECDHE-ECDSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
—-
Certificate chain
0 s:/CN=nuc7i3
i:/CN=Home CA
1 s:/CN=Home CA
i:/CN=Home CA
—-
Server certificate
——BEGIN CERTIFICATE——
MIIBBjCBrgIBATAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdIb21lIENBMB4XDTE3
MTEyNjAyMTY0MFoXDTM3MTEyMTAyMTY0MFowETEPMA0GA1UEAwwGbnVjN2kzMFYw
EAYHKoZIzj0CAQYFK4EEAAoDQgAEho95Gx0WSLOLuU/8cE5JFJ5bHkWKuv7CpdkW
z7l1nQR6UoArO4Fcw5H5dG6huGYOKaumnprwmw9S0QAa8vV6GDAKBggqhkjOPQQD
AgNHADBEAiASFQR4zs1GT1/BE4hiMaJ+gz+w6tOo9UCrMoudyDoq5gIgSjEj4spm
un7XtbtM65BprDHmy5K7DuDfhh4VX/mzB74=
——END CERTIFICATE——
subject=/CN=nuc7i3
issuer=/CN=Home CA
—-
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
—-
SSL handshake has read 1117 bytes and written 443 bytes
—-
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID:
06EDB17A7F6F97CC6582853EC1DADAE20EC0474DF6027201AD768E558CF11F2A
Session-ID-ctx:
Master-Key:
1FC49A48D882113AF3B56358090179D3039A374228CC29AF91A9D39C4D433D2BF1B668AF197EF0678EF114D74E958853
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e5 70 a8 bc 7e ce 84 9c-2d 9c 0a 31 cf da a5 b1 .p..…-..1….Ha.}
0010 - 4c ad 0f 16 78 f9 66 95-f8 d3 db 78 db fa c6 93 L…x.f….x….
0020 - a1 aa 60 d0 10 e3 d9 37-6a 70 45 7e 48 61 c0 7d ..`….7jpE
0030 - 9c 81 ec 39 40 09 95 17-4d dc 93 4c af c4 08 1f …9@…M..L….
0040 - bb 32 98 13 4c 92 e9 70-7d a4 90 49 e4 a5 46 bf
.2..L..p}..I..F.
0050 - e4 54 89 5b 57 51 d2 66-23 fc 27 20 00 50 12 df .T.[WQ.f#.’
.P..
0060 - 9f 02 dc ef 12 c0 c7 aa-59 f7 d7 c1 65 25 a0 15 ……..Y…e%..
0070 - 3a d7 7d 60 69 9a 1f f1-a6 23 5e a5 4b 3a 7f 4a
:.}`i….#^.K:.J
0080 - 7c 85 42 1f 69 71 41 c1-1b 14 e2 46 88 c6 b4 2f |.B.iqA….F…/
0090 - 53 ac 72 0f d7 9f 2c b4-03 d2 93 57 54 19 e7 85 S.r…,….WT…
Compression: 1 (zlib compression)
Start Time: 1511665001
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
—-
^CERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
= LibreSSL 2.5.5 ==
nuc7i3:/certs# openssl s_server -accept 4444 -key server-key.pem
-cert server-cert.pem -CAfile ca-cert.pem &/certs# Using auto DH parameters
nuc7i3:
Using default temp ECDH parameters
ACCEPT
nuc7i3:~/certs# openssl s_client -connect localhost:4444
CONNECTED (00000003)
ERROR
119007018199948:error:140270C1:SSL
routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher:ssl_srvr.c:1024:
shutting down SSL
CONNECTION CLOSED
ACCEPT
132446194670476:error:14004410:SSL
routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake
failure:ssl_pkt.c:1205:SSL alert number 40
132446194670476:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl
handshake failure:ssl_pkt.c:585:
—-
no peer certificate available
—-
No client certificate CA names sent
—-
SSL handshake has read 7 bytes and written 0 bytes
—-
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1511664973
Timeout : 7200 (sec)
Verify return code: 0 (ok)
—-
(from redmine: issue id 8199, created on 2017-11-26)
- Uploads:
- certs.tgz All certs/keys for testing