Bug 2211475
| Summary: | OpenSSL v 3.0.7 will not connect to Citi Bank using tls 1.3 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jeffrey G. <nycitykpop> |
| Component: | openssl | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | CLOSED WORKSFORME | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.2 | CC: | cllang |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-01 10:20:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I am having the same problem outside of the VPN as well: # traceroute -I www.citi.com traceroute to www.citi.com (23.73.247.240), 30 hops max, 60 byte packets 1 * * * 2 67.59.249.61 (67.59.249.61) 15.556 ms 15.623 ms 15.658 ms 3 ool-4353e29e.dyn.optonline.net (67.83.226.158) 17.140 ms 17.120 ms 17.082 ms 4 64.15.8.174 (64.15.8.174) 18.617 ms 18.594 ms 18.574 ms 5 451be0e6.cst.lightpath.net (65.19.126.230) 21.231 ms 21.416 ms 21.436 ms 6 65.19.102.207 (65.19.102.207) 27.249 ms 18.794 ms 18.789 ms 7 * * * 8 * * * 9 * * * 10 a23-73-247-240.deploy.static.akamaitechnologies.com (23.73.247.240) 14.120 ms 12.338 ms 11.634 ms # openssl s_client -connect www.citi.com:443 CONNECTED(00000003) 806BCC7DAE7F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1600:SSL alert number 70 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 267 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- I am having the same problem with bing as well:
openssl s_client -connect www.citi.com:443
CONNECTED(00000003)
806BCC7DAE7F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1600:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 267 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[root@[censored]]# openssl s_client -connect www.bing.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 267 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[root@[censored]]# nano /etc/crypto-policies/back-ends/opensslcnf.config
[root@[censored]]# nano /etc/crypto-policies/back-ends/opensslcnf.config
[root@[censored]]# openssl s_client -connect www.bing.com:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02
verify return:1
depth=0 CN = www.bing.com
verify return:1
---
Certificate chain
0 s:CN = www.bing.com
i:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 16 03:47:45 2023 GMT; NotAfter: Aug 16 03:47:45 2023 GMT
1 s:C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02
i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 21 23:00:00 2020 GMT; NotAfter: Oct 8 07:00:00 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIINWzCCC0OgAwIBAgITLQAyeHIT+oSuUyAXDAAAADJ4cjANBgkqhkiG9w0BAQsF
ADBPMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
MSAwHgYDVQQDExdNaWNyb3NvZnQgUlNBIFRMUyBDQSAwMjAeFw0yMzAyMTYwMzQ3
NDVaFw0yMzA4MTYwMzQ3NDVaMBcxFTATBgNVBAMTDHd3dy5iaW5nLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKfKPJlaAWMFAUJONROReQ16ehri
pUxl0aOx+UoHP5QKZzOiMINOTMwNxRXaHXOkPwqJL8SI0yf3HGTetL/Rs1ubxOoX
Nw2GA69FM1I2d6FH11tPb2DHfTAFnokmuQN3U1ZcA+AqREMal4HA8+un8RNJLkRZ
oBEQJ0TIsr8W1uV9PRLqM4m5F6bLR3V+K14oQvSKRvLUuhH2lRKGfu5z1RfDQB9t
uXHI+q5G67Vs81IJFd8RLYuPo+lZ4aJB5Ud/N7E4GqWxI0a1JBczu5PoY8GIT6li
64VoVXnatdW6OvoFEpLFwczDS9pajc5aazp8OpPu7b7G3IcvpDYlc5cSdEECAwEA
AaOCCWYwggliMIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgDoPtDaPvUGNTLn
Vyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYZYXxVPAAAEAwBHMEUCIAelJV7+NY0t
DK84cYbIYRIcDM8XwrnGFIGgH5fyhDQcAiEAtAhhbi2FqkHj0uqqXXdb/bVNIuRp
lFKgZEXdNUbrO3sAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAA
AYZYXxVmAAAEAwBIMEYCIQC+khwV+bT518dNlwF8MYOTr7uLEJBeqoUC2aKDjdtF
IgIhAKox3yx9rWBGUcCZW3p67c2mSovadhIrwaUaIGYGdX64AHYAs3N3B+GEUPhj
htYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAGGWF8WOAAABAMARzBFAiB1hJRKy1KD
sZhDJxm1JPrRU4r/bSNAJ3yp9fLv/7YbzAIhANIhzsSiEKWZfBIMvH7eAd3UYxUW
YxyU2YboFo+GG0x3MCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwEwCgYIKwYB
BQUHAwIwPgYJKwYBBAGCNxUHBDEwLwYnKwYBBAGCNxUIh9qGdYPu2QGCyYUbgbWe
YYX062CBXYWGjkGHwphQAgFkAgEnMIGHBggrBgEFBQcBAQR7MHkwUwYIKwYBBQUH
MAKGR2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29m
dCUyMFJTQSUyMFRMUyUyMENBJTIwMDIuY3J0MCIGCCsGAQUFBzABhhZodHRwOi8v
b2NzcC5tc29jc3AuY29tMB0GA1UdDgQWBBTrdmpsJdVus0rmxoXKf84ZhYav/jAO
BgNVHQ8BAf8EBAMCBLAwggVtBgNVHREEggVkMIIFYIIMd3d3LmJpbmcuY29tghBk
aWN0LmJpbmcuY29tLmNughMqLnBsYXRmb3JtLmJpbmcuY29tggoqLmJpbmcuY29t
gghiaW5nLmNvbYIWaWVvbmxpbmUubWljcm9zb2Z0LmNvbYITKi53aW5kb3dzc2Vh
cmNoLmNvbYIZY24uaWVvbmxpbmUubWljcm9zb2Z0LmNvbYIRKi5vcmlnaW4uYmlu
Zy5jb22CDSoubW0uYmluZy5uZXSCDiouYXBpLmJpbmcuY29tghhlY24uZGV2LnZp
cnR1YWxlYXJ0aC5uZXSCDSouY24uYmluZy5uZXSCDSouY24uYmluZy5jb22CEHNz
bC1hcGkuYmluZy5jb22CEHNzbC1hcGkuYmluZy5uZXSCDiouYXBpLmJpbmcubmV0
gg4qLmJpbmdhcGlzLmNvbYIPYmluZ3NhbmRib3guY29tghZmZWVkYmFjay5taWNy
b3NvZnQuY29tghtpbnNlcnRtZWRpYS5iaW5nLm9mZmljZS5uZXSCDnIuYmF0LmJp
bmcuY29tghAqLnIuYmF0LmJpbmcuY29tghIqLmRpY3QuYmluZy5jb20uY26CDyou
ZGljdC5iaW5nLmNvbYIOKi5zc2wuYmluZy5jb22CECouYXBwZXguYmluZy5jb22C
FioucGxhdGZvcm0uY24uYmluZy5jb22CDXdwLm0uYmluZy5jb22CDCoubS5iaW5n
LmNvbYIPZ2xvYmFsLmJpbmcuY29tghF3aW5kb3dzc2VhcmNoLmNvbYIOc2VhcmNo
Lm1zbi5jb22CESouYmluZ3NhbmRib3guY29tghkqLmFwaS50aWxlcy5kaXR1Lmxp
dmUuY29tgg8qLmRpdHUubGl2ZS5jb22CGCoudDAudGlsZXMuZGl0dS5saXZlLmNv
bYIYKi50MS50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQyLnRpbGVzLmRpdHUubGl2
ZS5jb22CGCoudDMudGlsZXMuZGl0dS5saXZlLmNvbYIVKi50aWxlcy5kaXR1Lmxp
dmUuY29tggszZC5saXZlLmNvbYITYXBpLnNlYXJjaC5saXZlLmNvbYIUYmV0YS5z
ZWFyY2gubGl2ZS5jb22CFWNud2ViLnNlYXJjaC5saXZlLmNvbYIMZGV2LmxpdmUu
Y29tgg1kaXR1LmxpdmUuY29tghFmYXJlY2FzdC5saXZlLmNvbYIOaW1hZ2UubGl2
ZS5jb22CD2ltYWdlcy5saXZlLmNvbYIRbG9jYWwubGl2ZS5jb20uYXWCFGxvY2Fs
c2VhcmNoLmxpdmUuY29tghRsczRkLnNlYXJjaC5saXZlLmNvbYINbWFpbC5saXZl
LmNvbYIRbWFwaW5kaWEubGl2ZS5jb22CDmxvY2FsLmxpdmUuY29tgg1tYXBzLmxp
dmUuY29tghBtYXBzLmxpdmUuY29tLmF1gg9taW5kaWEubGl2ZS5jb22CDW5ld3Mu
bGl2ZS5jb22CHG9yaWdpbi5jbndlYi5zZWFyY2gubGl2ZS5jb22CFnByZXZpZXcu
bG9jYWwubGl2ZS5jb22CD3NlYXJjaC5saXZlLmNvbYISdGVzdC5tYXBzLmxpdmUu
Y29tgg52aWRlby5saXZlLmNvbYIPdmlkZW9zLmxpdmUuY29tghV2aXJ0dWFsZWFy
dGgubGl2ZS5jb22CDHdhcC5saXZlLmNvbYISd2VibWFzdGVyLmxpdmUuY29tghN3
ZWJtYXN0ZXJzLmxpdmUuY29tghV3d3cubG9jYWwubGl2ZS5jb20uYXWCFHd3dy5t
YXBzLmxpdmUuY29tLmF1MIGwBgNVHR8EgagwgaUwgaKggZ+ggZyGTWh0dHA6Ly9t
c2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMFJT
QSUyMFRMUyUyMENBJTIwMDIuY3JshktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
cGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwUlNBJTIwVExTJTIwQ0ElMjAwMi5j
cmwwVwYDVR0gBFAwTjBCBgkrBgEEAYI3KgEwNTAzBggrBgEFBQcCARYnaHR0cDov
L3d3dy5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3BzMAgGBmeBDAECATAfBgNV
HSMEGDAWgBT/L3/hBvQ48y3tJY2Ywv4O9mz8+jAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAB90Ztbxookrcxg9u8bqEIwz
nqic68yunm3A8Z0mJJpAuBculB/U/EUXw3k0/cOPcMVWDuhAsX0G5ekt9qJyHicc
o9I/d6iukbuMyM54R0p5ESRH3juqBlbwFvd/QEl6dfpKmBA+csyAa0QtjXLVZLVz
FvAVuST+Yo8PzKhNa9FA889pSUGpMSxDy+uNF/GOUcbiO2RYCvcrLLU4xqky2i5y
AVAl/p2yhduXzSs99AGaCKXi//qileBLdGS0hcvhSKD5vbSe6Qu5Wx1YSxxeFwQh
aj0iByCH1TRbhrPO+GqdFHMGhlRPZaOcjcMOX3sF8Ggn+M2sKz0lYGKp7Yw3AqFq
01bQRdR7SGOs05GVoianxMky8wOWqwcHKi8pbRh/NVnSmYpTEO8i04uzBQAxR1Kl
ih0LWqxpcKS985e3cpZ5chLkOfm9uusFYQcGXOMoVF2M+dCfQofeeWnKmcxv3aZe
EpOTwCkDA9j1wgso8ULKCQ7wB6Z9kGIByUpjzG7esHHSGyDJ396Wu037o6rwDNkh
gFhakxrm9fOiq4Cw3u1ZNtOjbMKxAv31oZewVsTbk05QpPOOdF2wUZ0O3r1axG6p
mDkYVDqTEGhCNOCbLY7v4QHq2xuMPmfiGcMbAObda/JKBQyjrcAflpggGu2LVFyv
VMjSmfFOT20R+uffeE6F
-----END CERTIFICATE-----
subject=CN = www.bing.com
issuer=C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 5615 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 040E839C57A73C72BF80E6E35F1E3B1647C933764B607FF0A195F576AA8E4590
Session-ID-ctx:
Master-Key: DB604958484D863B67004BC80A84416819E0DCFD02012605D63D9932451FE9EFD89463E0EEA670A8222FAAD957A644C8
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 36000 (seconds)
TLS session ticket:
0000 - 00 00 00 00 24 15 54 8a-cd 5b 96 46 93 81 3c 60 ....$.T..[.F..<`
0010 - ea cd 71 2d 23 fa 2d 33-94 cc 07 55 92 81 9c d8 ..q-#.-3...U....
0020 - ec af ff 8b a8 c7 33 41-ab 11 c0 9d 32 43 92 f1 ......3A....2C..
0030 - 79 8b 02 96 83 04 9e a6-b2 ff 55 c5 3f 28 c1 58 y.........U.?(.X
0040 - 9e 6f 23 f4 73 aa 0b 0c-49 07 b7 97 9e cb 2a 98 .o#.s...I.....*.
0050 - fa b3 06 d4 35 40 b4 12-d0 f2 ea 5d 3f 5f 89 4e ....5@.....]?_.N
0060 - 2c 4d 53 e5 89 ec 06 05-fd a9 c8 0c 07 7f bc 8c ,MS.............
0070 - a1 d6 d3 d8 1f 19 4a 9c-a0 5a 5e ce 30 18 41 e6 ......J..Z^.0.A.
0080 - f1 da 15 ff 62 f9 c6 26-4c 9d c7 64 06 94 39 2a ....b..&L..d..9*
0090 - c7 bb 6c 15 dc 03 4e 07-a7 ab 1a 71 ec 56 a0 49 ..l...N....q.V.I
00a0 - f9 8c b8 73 4e 8b 27 fb-b3 87 4f 98 7e 9f 4c 94 ...sN.'...O.~.L.
00b0 - b3 8f 4a 9a 89 f9 15 15-16 dc d3 06 42 75 a6 72 ..J.........Bu.r
00c0 - d7 ed d9 c1 5a 7d 09 34-c6 30 f3 73 47 27 14 37 ....Z}.4.0.sG'.7
00d0 - d9 9e b5 ec 39 2d 6c be-65 4b e2 f8 4a a6 d7 9a ....9-l.eK..J...
00e0 - 97 18 d3 da 5c c9 52 da-86 0e 3f 23 19 76 01 85 ....\.R...?#.v..
00f0 - 7c fa 9f 30 cd 76 7f 4a-4a 2d a2 c2 d0 b5 a7 38 |..0.v.JJ-.....8
0100 - 9a b7 1f ad 05 b1 ab 7d-29 bf a4 b2 34 1b e6 49 .......})...4..I
0110 - a7 9f 7b 93 ..{.
Start Time: 1685558912
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
# ping www.bing.com
PING dual-a-0001.a-msedge.net (13.107.21.200) 56(84) bytes of data.
64 bytes from 13.107.21.200 (13.107.21.200): icmp_seq=1 ttl=120 time=12.4 ms
64 bytes from 13.107.21.200 (13.107.21.200): icmp_seq=2 ttl=120 time=11.1 ms
64 bytes from 13.107.21.200 (13.107.21.200): icmp_seq=3 ttl=120 time=9.51 ms
This is outside of the vpn. I am directly connected to the internet. The strange part is that I can easily connect to https://bugzilla.redhat.com using tls 1.3 - strange huh? Could you please use openssl s_client -connect host:port -trace for more information? # openssl s_client -connect www.citi.com:443 -trace
CONNECTED(00000003)
Sent Record
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 262
ClientHello, Length=258
client_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0x9F78E201
random_bytes (len=28): F0325AC87AAD499457069C1E0666C9EE2999EC9C112502065FC51699
session_id (len=32): 09C79A508A9ECC1FE1D952B4E4C69ACFBFEC2696B664C29B4E83DEC1AFE3F70B
cipher_suites (len=4)
{0x13, 0x02} TLS_AES_256_GCM_SHA384
{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression_methods (len=1)
No Compression (0x00)
extensions, length = 181
extension_type=server_name(0), length=17
0000 - 00 0f 00 00 0c 77 77 77-2e 63 69 74 69 2e 63 .....www.citi.c
000f - 6f 6d om
extension_type=ec_point_formats(11), length=4
uncompressed (0)
ansiX962_compressed_prime (1)
ansiX962_compressed_char2 (2)
extension_type=supported_groups(10), length=18
secp256r1 (P-256) (23)
secp521r1 (P-521) (25)
secp384r1 (P-384) (24)
ffdhe2048 (256)
ffdhe3072 (257)
ffdhe4096 (258)
ffdhe6144 (259)
ffdhe8192 (260)
extension_type=session_ticket(35), length=0
extension_type=encrypt_then_mac(22), length=0
extension_type=extended_master_secret(23), length=0
extension_type=signature_algorithms(13), length=26
ecdsa_secp256r1_sha256 (0x0403)
ecdsa_secp384r1_sha384 (0x0503)
ecdsa_secp521r1_sha512 (0x0603)
rsa_pss_pss_sha256 (0x0809)
rsa_pss_pss_sha384 (0x080a)
rsa_pss_pss_sha512 (0x080b)
rsa_pss_rsae_sha256 (0x0804)
rsa_pss_rsae_sha384 (0x0805)
rsa_pss_rsae_sha512 (0x0806)
rsa_pkcs1_sha256 (0x0401)
rsa_pkcs1_sha384 (0x0501)
rsa_pkcs1_sha512 (0x0601)
extension_type=supported_versions(43), length=3
TLS 1.3 (772)
extension_type=psk_key_exchange_modes(45), length=2
psk_dhe_ke (1)
extension_type=key_share(51), length=71
NamedGroup: secp256r1 (P-256) (23)
key_exchange: (len=65): 043F325D9CFE4CD5D50CEFC0980F0A0D7C07B1A8EB5E450C109C3DC28786BF874E6840E66D8E941BF2154D9C4B577A101E9B2172624134A79AF2EDF41D9EE22EB8
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 2
Level=fatal(2), description=protocol version(70)
804B8A23787F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1600:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 267 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Here is my opensslcfg.config file: CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSAPSK:-kRSA:-aDSS:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:> #Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 Ciphersuites = TLS_AES_256_GCM_SHA384 TLS.MinProtocol = TLSv1.3 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.3 DTLS.MaxProtocol = DTLSv1.3 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_r> [openssl_init] providers = provider_sect # legacy = legacy_sect # fips = fips_sect [provider_sect] legacy = legacy_sect [legacy_sect] #activate = 1 # [fips_sect] Sorry the previous post was cut off by nano. Here is a cat of the file: ***************************************************************************** ***************************************************************************** cat /etc/crypto-policies/back-ends/opensslcnf.config CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSAPSK:-kRSA:-aDSS:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 #Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 Ciphersuites = TLS_AES_256_GCM_SHA384 TLS.MinProtocol = TLSv1.3 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.3 DTLS.MaxProtocol = DTLSv1.3 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 [openssl_init] providers = provider_sect # legacy = legacy_sect # fips = fips_sect [provider_sect] legacy = legacy_sect [legacy_sect] #activate = 1 # [fips_sect] If I change opensslcfg.config file to tls 1.2 I get this:
TLS 1.2 OUTPUT:
****************************************************************************************
****************************************************************************************
****************************************************************************************
[root@research3 ~]# openssl s_client -connect www.citi.com:443 -trace
CONNECTED(00000003)
Sent Record
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 288
ClientHello, Length=284
client_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0x4D20ECB7
random_bytes (len=28): CB0771451A9A6A678176A1E06003F781D3735091B9CC3D36836933B3
session_id (len=32): 0510F9FA28781095E9394455D10AD1B56D5D554691571AD3F5287364793F1BCE
cipher_suites (len=24)
{0x13, 0x02} TLS_AES_256_GCM_SHA384
{0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
{0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
{0xC0, 0xAD} TLS_ECDHE_ECDSA_WITH_AES_256_CCM
{0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
{0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
{0xC0, 0xAC} TLS_ECDHE_ECDSA_WITH_AES_128_CCM
{0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
{0xC0, 0x9F} TLS_DHE_RSA_WITH_AES_256_CCM
{0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
{0xC0, 0x9E} TLS_DHE_RSA_WITH_AES_128_CCM
{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression_methods (len=1)
No Compression (0x00)
extensions, length = 187
extension_type=server_name(0), length=17
0000 - 00 0f 00 00 0c 77 77 77-2e 63 69 74 69 2e 63 .....www.citi.c
000f - 6f 6d om
extension_type=ec_point_formats(11), length=4
uncompressed (0)
ansiX962_compressed_prime (1)
ansiX962_compressed_char2 (2)
extension_type=supported_groups(10), length=18
secp256r1 (P-256) (23)
secp521r1 (P-521) (25)
secp384r1 (P-384) (24)
ffdhe2048 (256)
ffdhe3072 (257)
ffdhe4096 (258)
ffdhe6144 (259)
ffdhe8192 (260)
extension_type=session_ticket(35), length=0
extension_type=encrypt_then_mac(22), length=0
extension_type=extended_master_secret(23), length=0
extension_type=signature_algorithms(13), length=30
ecdsa_secp256r1_sha256 (0x0403)
ecdsa_secp384r1_sha384 (0x0503)
ecdsa_secp521r1_sha512 (0x0603)
rsa_pss_pss_sha256 (0x0809)
rsa_pss_pss_sha384 (0x080a)
rsa_pss_pss_sha512 (0x080b)
rsa_pss_rsae_sha256 (0x0804)
rsa_pss_rsae_sha384 (0x0805)
rsa_pss_rsae_sha512 (0x0806)
rsa_pkcs1_sha256 (0x0401)
rsa_pkcs1_sha384 (0x0501)
rsa_pkcs1_sha512 (0x0601)
ecdsa_sha224 (0x0303)
rsa_pkcs1_sha224 (0x0301)
extension_type=supported_versions(43), length=5
TLS 1.3 (772)
TLS 1.2 (771)
extension_type=psk_key_exchange_modes(45), length=2
psk_dhe_ke (1)
extension_type=key_share(51), length=71
NamedGroup: secp256r1 (P-256) (23)
key_exchange: (len=65): 041B796095988C5E33D1942A80876C74D547D9AF3371E8600E0D526D9979F972EE6371E8F88463B4977267257158A65CE29A320C8654B95055980D6D7278423DD7
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 65
ServerHello, Length=61
server_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0x1B279202
random_bytes (len=28): 1A5C542590B420B39516499E2F39333A801C8A8C513BD3A2435FD053
session_id (len=0):
cipher_suite {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
compression_method: No Compression (0x00)
extensions, length = 21
extension_type=renegotiate(65281), length=1
<EMPTY>
extension_type=server_name(0), length=0
extension_type=ec_point_formats(11), length=4
uncompressed (0)
ansiX962_compressed_prime (1)
ansiX962_compressed_char2 (2)
extension_type=session_ticket(35), length=0
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 3332
Certificate, Length=3328
certificate_list, length=3325
ASN.1Cert, length=2109
------details-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:4c:4e:6a:cb:b9:9d:ad:35:cf:bc:59:49:40:79:b0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
Validity
Not Before: Nov 10 00:00:00 2022 GMT
Not After : Dec 4 23:59:59 2023 GMT
Subject: jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:1c:25:01:51:50:3f:6c:d6:81:06:6a:99:4e:
1e:ce:5c:2d:d2:9f:42:3d:a9:c0:6f:5e:13:f1:6e:
a5:44:e4:6f:53:11:e3:3e:c1:c4:a7:d4:d9:a9:36:
f9:a9:f5:fd:cf:b9:69:54:5e:53:a6:e6:ba:13:37:
46:81:28:cf:b1:57:15:0e:a4:7e:24:1f:5c:7e:71:
cf:75:c4:d9:1c:09:f0:f4:02:c5:a4:14:0c:44:f2:
54:ff:4f:49:ce:8b:46:81:31:66:11:9a:93:da:4e:
1e:3b:0b:d2:fb:ef:c3:5f:4c:af:86:71:c9:5a:9e:
07:8e:8b:4c:8c:50:57:2e:95:ca:54:71:a0:45:06:
38:31:97:a3:97:41:7b:a8:77:05:e9:5c:a7:39:e0:
63:b0:8e:14:9b:73:6a:fe:e3:d5:4b:bd:bc:d6:7b:
88:26:78:86:da:f0:52:31:27:a4:79:2d:e7:80:1f:
88:e8:e6:df:c5:65:3b:4e:b8:7b:e3:03:7a:b4:a3:
24:32:1e:57:2b:c9:2f:6b:db:7f:0d:0c:5d:f0:f6:
37:99:f1:fe:c4:3a:1b:20:97:98:a5:91:02:60:3b:
32:c8:59:de:8d:c1:96:bb:f6:9f:02:18:5e:61:25:
5e:72:15:33:56:8b:d9:96:db:2d:ba:21:73:fe:32:
48:ed
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F
X509v3 Subject Key Identifier:
36:97:19:71:8E:2F:4C:5D:A7:E7:95:6F:A0:38:36:49:0F:ED:BC:2C
X509v3 Subject Alternative Name:
DNS:www.citi.com, DNS:prod.report.nacustomerexperience.citi.com, DNS:www2.citibank.com, DNS:www1.citibank.com, DNS:www.creditcards.citi.com, DNS:www.citiretailservices.com, DNS:www.citigroup.com, DNS:www.citibank.com, DNS:www.citibank.co.uk, DNS:oncampus.citi.com, DNS:icg.citi.com, DNS:creditcards.citi.com, DNS:ccsi.citi.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ev-server-g3.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ev-server-g3.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.2.1
Policy: 2.23.140.1.1
CPS: http://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt
X509v3 Basic Constraints:
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
Timestamp : Nov 10 03:34:30.367 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:B6:87:18:FF:C8:35:4B:81:F3:25:12:
BD:75:30:D6:26:A3:80:B2:25:99:33:48:A4:62:78:3B:
5B:1A:2B:95:F2:02:21:00:E0:EB:2A:D7:49:16:04:FE:
A7:4E:8F:9A:08:A3:49:33:30:19:FB:E1:BE:4F:17:67:
51:05:73:D3:12:E8:C7:A3
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B3:73:77:07:E1:84:50:F8:63:86:D6:05:A9:DC:11:09:
4A:79:2D:B1:67:0C:0B:87:DC:F0:03:0E:79:36:A5:9A
Timestamp : Nov 10 03:34:30.355 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:6C:B9:4E:58:CD:3A:69:C3:73:7B:CF:82:
88:E4:BD:CD:40:6F:A3:11:B1:D7:5F:3E:FF:5E:88:1A:
74:40:D0:A7:02:20:27:D3:EE:EF:10:33:AC:60:FB:3E:
AC:3C:BE:8D:72:33:AE:54:7D:E0:C0:B0:96:CE:FD:42:
99:7D:A5:37:E5:BF
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
Timestamp : Nov 10 03:34:30.294 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:C8:77:95:75:DB:AD:A6:6A:1C:DD:B2:
6B:0F:59:27:92:39:CF:AA:39:18:47:4C:BB:B9:02:8D:
4A:AE:6D:78:14:02:20:47:14:05:C6:F9:65:BA:D7:A4:
57:A9:A5:95:D0:7C:08:3A:A6:34:60:15:13:D1:DD:32:
B8:75:B8:26:65:CD:38
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
84:92:d7:98:ca:05:b1:dc:62:2e:34:b4:82:b0:fc:0e:76:80:
af:51:4d:69:b8:dc:90:b0:12:7f:39:1f:a7:f6:20:8c:01:0f:
91:34:94:b8:1f:83:f3:54:32:3f:50:af:32:68:2e:d8:da:6e:
81:04:5e:52:c4:ab:5b:66:be:dc:d0:ee:45:5e:d3:a6:e7:17:
cc:5d:b8:9d:ad:da:bf:80:96:e3:87:56:51:3b:be:46:55:2d:
7c:78:29:b6:84:60:16:cf:08:38:39:10:f8:37:fb:94:fa:6f:
39:4f:81:98:51:ab:31:6c:f5:05:0b:88:85:03:a2:f4:14:b3:
8b:d2:bf:01:24:b8:c8:1c:f9:56:ae:d9:60:d7:19:e5:6a:a3:
cf:ca:d7:b2:6a:d3:22:e1:ed:db:a8:d1:1b:58:13:b6:47:df:
32:d4:d3:cc:97:de:b1:c2:8a:10:58:ec:22:5d:29:99:67:25:
ed:f1:76:5e:b2:58:82:ae:3d:d2:d0:42:4d:d6:48:53:5e:e5:
2d:59:63:a8:60:4f:c1:08:93:d0:35:7f:ff:21:a1:9a:5a:c6:
55:a4:f3:13:15:f2:b3:12:46:95:0a:f1:f4:5c:d6:5d:b8:7f:
1c:e3:ed:12:ec:d9:54:cb:cb:f3:12:d5:9a:22:32:e9:40:d7:
33:af:4e:45
-----BEGIN CERTIFICATE-----
MIIIOTCCByGgAwIBAgIQCUxOasu5na01z7xZSUB5sDANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTIyMTExMDAwMDAwMFoXDTIzMTIwNDIz
NTk1OVowgcQxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMI
RGVsYXdhcmUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQF
EwcyMTU0MjU0MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNV
BAcTCE5ldyBZb3JrMRcwFQYDVQQKEw5DaXRpZ3JvdXAgSW5jLjEVMBMGA1UEAxMM
d3d3LmNpdGkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxhwl
AVFQP2zWgQZqmU4ezlwt0p9CPanAb14T8W6lRORvUxHjPsHEp9TZqTb5qfX9z7lp
VF5Tpua6EzdGgSjPsVcVDqR+JB9cfnHPdcTZHAnw9ALFpBQMRPJU/09JzotGgTFm
EZqT2k4eOwvS++/DX0yvhnHJWp4HjotMjFBXLpXKVHGgRQY4MZejl0F7qHcF6Vyn
OeBjsI4Um3Nq/uPVS7281nuIJniG2vBSMSekeS3ngB+I6ObfxWU7Trh74wN6tKMk
Mh5XK8kva9t/DQxd8PY3mfH+xDobIJeYpZECYDsyyFnejcGWu/afAhheYSVechUz
VovZltstuiFz/jJI7QIDAQABo4IEczCCBG8wHwYDVR0jBBgwFoAUPdNQpdagre7z
SmAKZdMh1Pj41g8wHQYDVR0OBBYEFDaXGXGOL0xdp+eVb6A4NkkP7bwsMIIBIQYD
VR0RBIIBGDCCARSCDHd3dy5jaXRpLmNvbYIpcHJvZC5yZXBvcnQubmFjdXN0b21l
cmV4cGVyaWVuY2UuY2l0aS5jb22CEXd3dzIuY2l0aWJhbmsuY29tghF3d3cxLmNp
dGliYW5rLmNvbYIYd3d3LmNyZWRpdGNhcmRzLmNpdGkuY29tghp3d3cuY2l0aXJl
dGFpbHNlcnZpY2VzLmNvbYIRd3d3LmNpdGlncm91cC5jb22CEHd3dy5jaXRpYmFu
ay5jb22CEnd3dy5jaXRpYmFuay5jby51a4IRb25jYW1wdXMuY2l0aS5jb22CDGlj
Zy5jaXRpLmNvbYIUY3JlZGl0Y2FyZHMuY2l0aS5jb22CDWNjc2kuY2l0aS5jb20w
DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1
BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1l
di1zZXJ2ZXItZzMuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
c2hhMi1ldi1zZXJ2ZXItZzMuY3JsMEoGA1UdIARDMEEwCwYJYIZIAYb9bAIBMDIG
BWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzCBiAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
Y2VydC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv
bS9EaWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwCQYD
VR0TBAIwADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHcA6D7Q2j71BjUy51co
vIlryQPTy9ERa+zraeF3fW0GvW4AAAGEX5p63wAABAMASDBGAiEAtocY/8g1S4Hz
JRK9dTDWJqOAsiWZM0ikYng7WxorlfICIQDg6yrXSRYE/qdOj5oIo0kzMBn74b5P
F2dRBXPTEujHowB1ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwLh9zwAw55NqWaAAAB
hF+aetMAAAQDAEYwRAIgbLlOWM06acNze8+CiOS9zUBvoxGx118+/16IGnRA0KcC
ICfT7u8QM6xg+z6sPL6NcjOuVH3gwLCWzv1CmX2lN+W/AHYAtz77JN+cTbp18jnF
ulj0bF38Qs96nzXEnh0JgSXttJkAAAGEX5p6lgAABAMARzBFAiEAyHeVddutpmoc
3bJrD1knkjnPqjkYR0y7uQKNSq5teBQCIEcUBcb5ZbrXpFeppZXQfAg6pjRgFRPR
3TK4dbgmZc04MA0GCSqGSIb3DQEBCwUAA4IBAQCEkteYygWx3GIuNLSCsPwOdoCv
UU1puNyQsBJ/OR+n9iCMAQ+RNJS4H4PzVDI/UK8yaC7Y2m6BBF5SxKtbZr7c0O5F
XtOm5xfMXbidrdq/gJbjh1ZRO75GVS18eCm2hGAWzwg4ORD4N/uU+m85T4GYUasx
bPUFC4iFA6L0FLOL0r8BJLjIHPlWrtlg1xnlaqPPyteyatMi4e3bqNEbWBO2R98y
1NPMl96xwooQWOwiXSmZZyXt8XZesliCrj3S0EJN1khTXuUtWWOoYE/BCJPQNX//
IaGaWsZVpPMTFfKzEkaVCvH0XNZduH8c4+0S7NlUy8vzEtWaIjLpQNczr05F
-----END CERTIFICATE-----
------------------
ASN.1Cert, length=1210
------details-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:79:a9:44:b0:8c:11:95:20:92:61:5f:e2:6b:1d:83
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
Validity
Not Before: Oct 22 12:00:00 2013 GMT
Not After : Oct 22 12:00:00 2028 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d7:53:a4:04:51:f8:99:a6:16:48:4b:67:27:aa:
93:49:d0:39:ed:0c:b0:b0:00:87:f1:67:28:86:85:
8c:8e:63:da:bc:b1:40:38:e2:d3:f5:ec:a5:05:18:
b8:3d:3e:c5:99:17:32:ec:18:8c:fa:f1:0c:a6:64:
21:85:cb:07:10:34:b0:52:88:2b:1f:68:9b:d2:b1:
8f:12:b0:b3:d2:e7:88:1f:1f:ef:38:77:54:53:5f:
80:79:3f:2e:1a:aa:a8:1e:4b:2b:0d:ab:b7:63:b9:
35:b7:7d:14:bc:59:4b:df:51:4a:d2:a1:e2:0c:e2:
90:82:87:6a:ae:ea:d7:64:d6:98:55:e8:fd:af:1a:
50:6c:54:bc:11:f2:fd:4a:f2:9d:bb:7f:0e:f4:d5:
be:8e:16:89:12:55:d8:c0:71:34:ee:f6:dc:2d:ec:
c4:87:25:86:8d:d8:21:e4:b0:4d:0c:89:dc:39:26:
17:dd:f6:d7:94:85:d8:04:21:70:9d:6f:6f:ff:5c:
ba:19:e1:45:cb:56:57:28:7e:1c:0d:41:57:aa:b7:
b8:27:bb:b1:e4:fa:2a:ef:21:23:75:1a:ad:2d:9b:
86:35:8c:9c:77:b5:73:ad:d8:94:2d:e4:f3:0c:9d:
ee:c1:4e:62:7e:17:c0:71:9e:2c:de:f1:f9:10:28:
19:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://www.digicert.com/CPS
X509v3 Subject Key Identifier:
3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F
X509v3 Authority Key Identifier:
B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
9d:b6:d0:90:86:e1:86:02:ed:c5:a0:f0:34:1c:74:c1:8d:76:
cc:86:0a:a8:f0:4a:8a:42:d6:3f:c8:a9:4d:ad:7c:08:ad:e6:
b6:50:b8:a2:1a:4d:88:07:b1:29:21:dc:e7:da:c6:3c:21:e0:
e3:11:49:70:ac:7a:1d:01:a4:ca:11:3a:57:ab:7d:57:2a:40:
74:fd:d3:1d:85:18:50:df:57:47:75:a1:7d:55:20:2e:47:37:
50:72:8c:7f:82:1b:d2:62:8f:2d:03:5a:da:c3:c8:a1:ce:2c:
52:a2:00:63:eb:73:ba:71:c8:49:27:23:97:64:85:9e:38:0e:
ad:63:68:3c:ba:52:81:58:79:a3:2c:0c:df:de:6d:eb:31:f2:
ba:a0:7c:6c:f1:2c:d4:e1:bd:77:84:37:03:ce:32:b5:c8:9a:
81:1a:4a:92:4e:3b:46:9a:85:fe:83:a2:f9:9e:8c:a3:cc:0d:
5e:b3:3d:cf:04:78:8f:14:14:7b:32:9c:c7:00:a6:5c:c4:b5:
a1:55:8d:5a:56:68:a4:22:70:aa:3c:81:71:d9:9d:a8:45:3b:
f4:e5:f6:a2:51:dd:c7:7b:62:e8:6f:0c:74:eb:b8:da:f8:bf:
87:0d:79:50:91:90:9b:18:3b:91:59:27:f1:35:28:13:ab:26:
7e:d5:f7:7a
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowdTEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTE0MDIGA1UEAxMrRGlnaUNlcnQgU0hBMiBFeHRlbmRlZCBW
YWxpZGF0aW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANdTpARR+JmmFkhLZyeqk0nQOe0MsLAAh/FnKIaFjI5j2ryxQDji0/XspQUY
uD0+xZkXMuwYjPrxDKZkIYXLBxA0sFKIKx9om9KxjxKws9LniB8f7zh3VFNfgHk/
LhqqqB5LKw2rt2O5Nbd9FLxZS99RStKh4gzikIKHaq7q12TWmFXo/a8aUGxUvBHy
/Urynbt/DvTVvo4WiRJV2MBxNO723C3sxIclho3YIeSwTQyJ3DkmF93215SF2AQh
cJ1vb/9cuhnhRctWVyh+HA1BV6q3uCe7seT6Ku8hI3UarS2bhjWMnHe1c63YlC3k
8wyd7sFOYn4XwHGeLN7x+RAoGTMCAwEAAaOCAUkwggFFMBIGA1UdEwEB/wQIMAYB
Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
Z2ljZXJ0LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
dC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2
MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
b20vQ1BTMB0GA1UdDgQWBBQ901Cl1qCt7vNKYApl0yHU+PjWDzAfBgNVHSMEGDAW
gBSxPsNpA/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAnbbQkIbh
hgLtxaDwNBx0wY12zIYKqPBKikLWP8ipTa18CK3mtlC4ohpNiAexKSHc59rGPCHg
4xFJcKx6HQGkyhE6V6t9VypAdP3THYUYUN9XR3WhfVUgLkc3UHKMf4Ib0mKPLQNa
2sPIoc4sUqIAY+tzunHISScjl2SFnjgOrWNoPLpSgVh5oywM395t6zHyuqB8bPEs
1OG9d4Q3A84ytciagRpKkk47RpqF/oOi+Z6Mo8wNXrM9zwR4jxQUezKcxwCmXMS1
oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
8TUoE6smftX3eg==
-----END CERTIFICATE-----
------------------
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com
verify return:1
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 333
ServerKeyExchange, Length=329
KeyExchangeAlgorithm=ECDHE
named_curve: secp256r1 (P-256) (23)
point (len=65): 04C30E5693386C6185A93567F4C11A9DD5E5EE55ECCF6D92CB6268E6B55B3522B4D60AA0775B843457C6C97BABB8A697264DA7257FB7500D7547B648552D6F87EB
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature (len=256): AF19DAB33BAE06912AC6F61275A705A470C7CFBBDA7CADB637ACF946ED2B31F441B5E7AEF74573031031CB73D1C3AA34D855E07B1D99DAFD44004764B670890FD7220129116BAAC25BBBE0E4C9EF9178F1E75A56BAFC179BA214AD9E56F160173F448469A39D251769EE8DE9D5585150A5757CB87C6CC7431EDBDFCFF39AC9F39CD379C14EE58A02E6F13F592A998BB6505FB74DE77CC39FC2E1B7DB25EBF67AAD6ECA66448984B512C1C58BE9837297BDA5B8CE45C9B26154C8330CEE4D6C193D60AE41EE26C83BB75D080DBFF35DC79F5578CD464EB1F3A6941E8583B70C9C20E47FF9384997624C7368056A5B418F125D83A685D03AA7626D45B17F5F1A0E
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 4
ServerHelloDone, Length=0
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 70
ClientKeyExchange, Length=66
KeyExchangeAlgorithm=ECDHE
ecdh_Yc (len=65): 04BD0A19E8B015785675E5D4389881A23BD894A71088C0377FACA16B4966817424CC51C79AC4D16DE6356944162E924F99EAE66761255B754F449BA985CD86CFC0
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ChangeCipherSpec (20)
Length = 1
change_cipher_spec (1)
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 40
Finished, Length=12
verify_data (len=12): FEF871750C539EE59E0961B2
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 186
NewSessionTicket, Length=182
ticket_lifetime_hint=83100
ticket (len=176): 00004250D994A5657DCA783FC58194C06541F0C7DE7F53030A461CA238FDF9A1ACAF953419EB4CF689C656A5C1D6DAEB87E1E7FAA4ABF4202D08E960B6F008FF49BDD27242FAEFFE8486DA3C8527069C40C3EF33D53E2CF7E2ECBDDD077E09D155D542FADA75E7A404FC49276D5CF0815F7CDCC73C9AD01F843BCE59A04376706851375F1C5AA379A1B35EF89EF8B39936C4622BB742F36979DA1B43D9720A7A7F0F04A290289837AA55B45700F1ED41
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ChangeCipherSpec (20)
Length = 1
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Handshake (22)
Length = 40
Finished, Length=12
verify_data (len=12): 4F2518EFF8D9A384B66DA5A1
---
Certificate chain
0 s:jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 10 00:00:00 2022 GMT; NotAfter: Dec 4 23:59:59 2023 GMT
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 22 12:00:00 2013 GMT; NotAfter: Oct 22 12:00:00 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIOTCCByGgAwIBAgIQCUxOasu5na01z7xZSUB5sDANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTIyMTExMDAwMDAwMFoXDTIzMTIwNDIz
NTk1OVowgcQxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMI
RGVsYXdhcmUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQF
EwcyMTU0MjU0MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNV
BAcTCE5ldyBZb3JrMRcwFQYDVQQKEw5DaXRpZ3JvdXAgSW5jLjEVMBMGA1UEAxMM
d3d3LmNpdGkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxhwl
AVFQP2zWgQZqmU4ezlwt0p9CPanAb14T8W6lRORvUxHjPsHEp9TZqTb5qfX9z7lp
VF5Tpua6EzdGgSjPsVcVDqR+JB9cfnHPdcTZHAnw9ALFpBQMRPJU/09JzotGgTFm
EZqT2k4eOwvS++/DX0yvhnHJWp4HjotMjFBXLpXKVHGgRQY4MZejl0F7qHcF6Vyn
OeBjsI4Um3Nq/uPVS7281nuIJniG2vBSMSekeS3ngB+I6ObfxWU7Trh74wN6tKMk
Mh5XK8kva9t/DQxd8PY3mfH+xDobIJeYpZECYDsyyFnejcGWu/afAhheYSVechUz
VovZltstuiFz/jJI7QIDAQABo4IEczCCBG8wHwYDVR0jBBgwFoAUPdNQpdagre7z
SmAKZdMh1Pj41g8wHQYDVR0OBBYEFDaXGXGOL0xdp+eVb6A4NkkP7bwsMIIBIQYD
VR0RBIIBGDCCARSCDHd3dy5jaXRpLmNvbYIpcHJvZC5yZXBvcnQubmFjdXN0b21l
cmV4cGVyaWVuY2UuY2l0aS5jb22CEXd3dzIuY2l0aWJhbmsuY29tghF3d3cxLmNp
dGliYW5rLmNvbYIYd3d3LmNyZWRpdGNhcmRzLmNpdGkuY29tghp3d3cuY2l0aXJl
dGFpbHNlcnZpY2VzLmNvbYIRd3d3LmNpdGlncm91cC5jb22CEHd3dy5jaXRpYmFu
ay5jb22CEnd3dy5jaXRpYmFuay5jby51a4IRb25jYW1wdXMuY2l0aS5jb22CDGlj
Zy5jaXRpLmNvbYIUY3JlZGl0Y2FyZHMuY2l0aS5jb22CDWNjc2kuY2l0aS5jb20w
DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1
BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1l
di1zZXJ2ZXItZzMuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
c2hhMi1ldi1zZXJ2ZXItZzMuY3JsMEoGA1UdIARDMEEwCwYJYIZIAYb9bAIBMDIG
BWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzCBiAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
Y2VydC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv
bS9EaWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwCQYD
VR0TBAIwADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHcA6D7Q2j71BjUy51co
vIlryQPTy9ERa+zraeF3fW0GvW4AAAGEX5p63wAABAMASDBGAiEAtocY/8g1S4Hz
JRK9dTDWJqOAsiWZM0ikYng7WxorlfICIQDg6yrXSRYE/qdOj5oIo0kzMBn74b5P
F2dRBXPTEujHowB1ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwLh9zwAw55NqWaAAAB
hF+aetMAAAQDAEYwRAIgbLlOWM06acNze8+CiOS9zUBvoxGx118+/16IGnRA0KcC
ICfT7u8QM6xg+z6sPL6NcjOuVH3gwLCWzv1CmX2lN+W/AHYAtz77JN+cTbp18jnF
ulj0bF38Qs96nzXEnh0JgSXttJkAAAGEX5p6lgAABAMARzBFAiEAyHeVddutpmoc
3bJrD1knkjnPqjkYR0y7uQKNSq5teBQCIEcUBcb5ZbrXpFeppZXQfAg6pjRgFRPR
3TK4dbgmZc04MA0GCSqGSIb3DQEBCwUAA4IBAQCEkteYygWx3GIuNLSCsPwOdoCv
UU1puNyQsBJ/OR+n9iCMAQ+RNJS4H4PzVDI/UK8yaC7Y2m6BBF5SxKtbZr7c0O5F
XtOm5xfMXbidrdq/gJbjh1ZRO75GVS18eCm2hGAWzwg4ORD4N/uU+m85T4GYUasx
bPUFC4iFA6L0FLOL0r8BJLjIHPlWrtlg1xnlaqPPyteyatMi4e3bqNEbWBO2R98y
1NPMl96xwooQWOwiXSmZZyXt8XZesliCrj3S0EJN1khTXuUtWWOoYE/BCJPQNX//
IaGaWsZVpPMTFfKzEkaVCvH0XNZduH8c4+0S7NlUy8vzEtWaIjLpQNczr05F
-----END CERTIFICATE-----
subject=jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3996 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7F0CAB8DE4017EB3DF747BB440D1709AA3532807B7C2752416AD90438099E90C
Session-ID-ctx:
Master-Key: C1E24AE588EE2925B04992C0FBD27997D39647C70CA5E8C4770588DD8392D1A2882F84D85D276D6193B2D17D9A4A4FEC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 83100 (seconds)
TLS session ticket:
0000 - 00 00 42 50 d9 94 a5 65-7d ca 78 3f c5 81 94 c0 ..BP...e}.x?....
0010 - 65 41 f0 c7 de 7f 53 03-0a 46 1c a2 38 fd f9 a1 eA....S..F..8...
0020 - ac af 95 34 19 eb 4c f6-89 c6 56 a5 c1 d6 da eb ...4..L...V.....
0030 - 87 e1 e7 fa a4 ab f4 20-2d 08 e9 60 b6 f0 08 ff ....... -..`....
0040 - 49 bd d2 72 42 fa ef fe-84 86 da 3c 85 27 06 9c I..rB......<.'..
0050 - 40 c3 ef 33 d5 3e 2c f7-e2 ec bd dd 07 7e 09 d1 @..3.>,......~..
0060 - 55 d5 42 fa da 75 e7 a4-04 fc 49 27 6d 5c f0 81 U.B..u....I'm\..
0070 - 5f 7c dc c7 3c 9a d0 1f-84 3b ce 59 a0 43 76 70 _|..<....;.Y.Cvp
0080 - 68 51 37 5f 1c 5a a3 79-a1 b3 5e f8 9e f8 b3 99 hQ7_.Z.y..^.....
0090 - 36 c4 62 2b b7 42 f3 69-79 da 1b 43 d9 72 0a 7a 6.b+.B.iy..C.r.z
00a0 - 7f 0f 04 a2 90 28 98 37-aa 55 b4 57 00 f1 ed 41 .....(.7.U.W...A
Start Time: 1685564033
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 26
Level=warning(1), description=close notify(0)
closed
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 26
Level=warning(1), description=close notify(0)
[root@research3 ~]#
for some reason using tls 1.3, www.bing.com is working now. I haven't changed anything. Strange. www.citi.com is still refusing to connect via tls 1.3 Is the whole world working on their certificates all at the same time? Is there something going on that I don't know about? My openvpn is not working. www.outlook.com is giving me this: # openssl s_client -connect www.outlook.com:443 CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 270 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) Here is the trace version:
*******************************************
*******************************************
# openssl s_client -connect www.outlook.com:443 -trace
CONNECTED(00000003)
Sent Record
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 265
ClientHello, Length=261
client_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0x78BE7F96
random_bytes (len=28): C4E809F66312D9711B259FC4AA1F35A2BC7F65DE4BE8D0027F6737FD
session_id (len=32): 64529348A6091C8BBA2587DE8603C3F0381A7EA63660F73451A4F973831C94A4
cipher_suites (len=4)
{0x13, 0x02} TLS_AES_256_GCM_SHA384
{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression_methods (len=1)
No Compression (0x00)
extensions, length = 184
extension_type=server_name(0), length=20
0000 - 00 12 00 00 0f 77 77 77-2e 6f 75 74 6c 6f 6f .....www.outloo
000f - 6b 2e 63 6f 6d k.com
extension_type=ec_point_formats(11), length=4
uncompressed (0)
ansiX962_compressed_prime (1)
ansiX962_compressed_char2 (2)
extension_type=supported_groups(10), length=18
secp256r1 (P-256) (23)
secp521r1 (P-521) (25)
secp384r1 (P-384) (24)
ffdhe2048 (256)
ffdhe3072 (257)
ffdhe4096 (258)
ffdhe6144 (259)
ffdhe8192 (260)
extension_type=session_ticket(35), length=0
extension_type=encrypt_then_mac(22), length=0
extension_type=extended_master_secret(23), length=0
extension_type=signature_algorithms(13), length=26
ecdsa_secp256r1_sha256 (0x0403)
ecdsa_secp384r1_sha384 (0x0503)
ecdsa_secp521r1_sha512 (0x0603)
rsa_pss_pss_sha256 (0x0809)
rsa_pss_pss_sha384 (0x080a)
rsa_pss_pss_sha512 (0x080b)
rsa_pss_rsae_sha256 (0x0804)
rsa_pss_rsae_sha384 (0x0805)
rsa_pss_rsae_sha512 (0x0806)
rsa_pkcs1_sha256 (0x0401)
rsa_pkcs1_sha384 (0x0501)
rsa_pkcs1_sha512 (0x0601)
extension_type=supported_versions(43), length=3
TLS 1.3 (772)
extension_type=psk_key_exchange_modes(45), length=2
psk_dhe_ke (1)
extension_type=key_share(51), length=71
NamedGroup: secp256r1 (P-256) (23)
key_exchange: (len=65): 04007B83E1447DE0347DB6571E8F19BF45A65A5E11F24264A8301B69219AC5D318BB04A84CAA999E5D7F34113C608ADB07FAF624AF7EC7E62DAB0A0841BE9C8E90
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 270 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
# ping www.outlook.com PING outlook.ha.office365.com (40.99.204.242) 56(84) bytes of data. 64 bytes from 40.99.204.242 (40.99.204.242): icmp_seq=1 ttl=245 time=346 ms 64 bytes from 40.99.204.242 (40.99.204.242): icmp_seq=2 ttl=245 time=123 ms 64 bytes from 40.99.204.242 (40.99.204.242): icmp_seq=3 ttl=245 time=333 ms 64 bytes from 40.99.204.242 (40.99.204.242): icmp_seq=4 ttl=245 time=117 ms ^C --- outlook.ha.office365.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3001ms rtt min/avg/max/mdev = 117.440/229.738/345.882/109.740 ms [root@research3 ~]# openssl s_client -connect outlook.ha.office365:443 -trace 80CB4709FA7F0000:error:10080002:BIO routines:BIO_lookup_ex:system lib:crypto/bio/bio_addr.c:738:Name or service not known connect:errno=0 I don't think it has anything to do with OpenSSL configuration in Red Hat, speaking frankly. I reproduced this using a separate copy of openssl 3.1.1 without patches compiled from upstream sources, and that also doesn't support TLS 1.3 with citi.com. Note that you do not have to edit the configuration file, you can choose to force TLS 1.3 using s_client on the command line by passing -tls1_3:
$ openssl s_client -connect www.citi.com:443 -servername www.citi.com -tls1_3 -trace
bing.com with TLS 1.3 works just fine for me, both on RHEL 9.2 and with my separate openssl 3.1.1.
In the traces, we can also clearly see that our openssl indicates support for TLS 1.3 in the ClientHello when connecting to citi.com:
extension_type=supported_versions(43), length=5
TLS 1.3 (772)
TLS 1.2 (771)
But the server at citi.com doesn't care and selects a TLS 1.2 cipher suite and does not send a supported_versions extension in its ServerHello:
ServerHello, Length=61
server_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0x1B279202
random_bytes (len=28): 1A5C542590B420B39516499E2F39333A801C8A8C513BD3A2435FD053
session_id (len=0):
cipher_suite {0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
compression_method: No Compression (0x00)
extensions, length = 21
extension_type=renegotiate(65281), length=1
<EMPTY>
extension_type=server_name(0), length=0
extension_type=ec_point_formats(11), length=4
uncompressed (0)
ansiX962_compressed_prime (1)
ansiX962_compressed_char2 (2)
extension_type=session_ticket(35), length=0
A server supporting TLS 1.3 would include:
extensions, length = …
extension_type=supported_versions(43), length=2
TLS 1.3 (772)
GnuTLS will also not establish a TLS 1.3 connection to citi.com:
[root@rhel-9-2-0-20230503-14 ~]# gnutls-cli --sni-hostname=citi.com citi.com
Processed 349 CA certificate(s).
Resolving 'citi.com:443'...
Connecting to '192.193.218.80:443'...
[…]
- Description: (TLS1.2-X.509)-(RSA)-(AES-128-GCM)
Then this is a new change by citi.com. I have been using them for my tls-1.3 tests for the past year. Thank you for your support. |
Description of problem: Cannot connect to www.citi.com using tls 1.3 I am able to connect to www.citi.com using tls 1.2 Have been using www.citi.com to test my tls 1.3 for the past year (so I know they support tls 1.3 (most banks do) I am using mullvad VPN to connect to the internet I have files a support ticket with them as well. Version-Release number of selected component (if applicable): # openssl version OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022) How reproducible: use openssl s_client from the commandline to connect to www.citi.com: # openssl s_client -connect www.citi.com:443 www.citi.com resolves to: # ping www.citi.com PING e16976.x.akamaiedge.net (23.197.159.164) 56(84) bytes of data. 64 bytes from a23-197-159-164.deploy.static.akamaitechnologies.com (23.197.159.164): icmp_seq=1 ttl=58 time=92.5 ms Steps to Reproduce: 1.edit /etc/crypto-policies/backends/opensslcfg.conf to change tls to 1.3 2.use openssl s_client to test 3.change opensslcfg.conf to tls 1.2 4. re-run openssl s_client test again Actual results: # openssl s_client -connect www.citi.com:443 CONNECTED(00000003) 808B1C10FB7F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1600:SSL alert number 70 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 267 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- [root@[censored]]# nano /etc/crypto-policies/back-ends/opensslcnf.config [root@[censored]]# openssl s_client -connect www.citi.com:443 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA verify return:1 depth=0 jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com verify return:1 --- Certificate chain 0 s:jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Nov 10 00:00:00 2022 GMT; NotAfter: Dec 4 23:59:59 2023 GMT 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Oct 22 12:00:00 2013 GMT; NotAfter: Oct 22 12:00:00 2028 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIIOTCCByGgAwIBAgIQCUxOasu5na01z7xZSUB5sDANBgkqhkiG9w0BAQsFADB1 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTIyMTExMDAwMDAwMFoXDTIzMTIwNDIz NTk1OVowgcQxEzARBgsrBgEEAYI3PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMI RGVsYXdhcmUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQF EwcyMTU0MjU0MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNV BAcTCE5ldyBZb3JrMRcwFQYDVQQKEw5DaXRpZ3JvdXAgSW5jLjEVMBMGA1UEAxMM d3d3LmNpdGkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxhwl AVFQP2zWgQZqmU4ezlwt0p9CPanAb14T8W6lRORvUxHjPsHEp9TZqTb5qfX9z7lp VF5Tpua6EzdGgSjPsVcVDqR+JB9cfnHPdcTZHAnw9ALFpBQMRPJU/09JzotGgTFm EZqT2k4eOwvS++/DX0yvhnHJWp4HjotMjFBXLpXKVHGgRQY4MZejl0F7qHcF6Vyn OeBjsI4Um3Nq/uPVS7281nuIJniG2vBSMSekeS3ngB+I6ObfxWU7Trh74wN6tKMk Mh5XK8kva9t/DQxd8PY3mfH+xDobIJeYpZECYDsyyFnejcGWu/afAhheYSVechUz VovZltstuiFz/jJI7QIDAQABo4IEczCCBG8wHwYDVR0jBBgwFoAUPdNQpdagre7z SmAKZdMh1Pj41g8wHQYDVR0OBBYEFDaXGXGOL0xdp+eVb6A4NkkP7bwsMIIBIQYD VR0RBIIBGDCCARSCDHd3dy5jaXRpLmNvbYIpcHJvZC5yZXBvcnQubmFjdXN0b21l cmV4cGVyaWVuY2UuY2l0aS5jb22CEXd3dzIuY2l0aWJhbmsuY29tghF3d3cxLmNp dGliYW5rLmNvbYIYd3d3LmNyZWRpdGNhcmRzLmNpdGkuY29tghp3d3cuY2l0aXJl dGFpbHNlcnZpY2VzLmNvbYIRd3d3LmNpdGlncm91cC5jb22CEHd3dy5jaXRpYmFu ay5jb22CEnd3dy5jaXRpYmFuay5jby51a4IRb25jYW1wdXMuY2l0aS5jb22CDGlj Zy5jaXRpLmNvbYIUY3JlZGl0Y2FyZHMuY2l0aS5jb22CDWNjc2kuY2l0aS5jb20w DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1 BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1l di1zZXJ2ZXItZzMuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v c2hhMi1ldi1zZXJ2ZXItZzMuY3JsMEoGA1UdIARDMEEwCwYJYIZIAYb9bAIBMDIG BWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQ UzCBiAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp Y2VydC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv bS9EaWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwCQYD VR0TBAIwADCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHcA6D7Q2j71BjUy51co vIlryQPTy9ERa+zraeF3fW0GvW4AAAGEX5p63wAABAMASDBGAiEAtocY/8g1S4Hz JRK9dTDWJqOAsiWZM0ikYng7WxorlfICIQDg6yrXSRYE/qdOj5oIo0kzMBn74b5P F2dRBXPTEujHowB1ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwLh9zwAw55NqWaAAAB hF+aetMAAAQDAEYwRAIgbLlOWM06acNze8+CiOS9zUBvoxGx118+/16IGnRA0KcC ICfT7u8QM6xg+z6sPL6NcjOuVH3gwLCWzv1CmX2lN+W/AHYAtz77JN+cTbp18jnF ulj0bF38Qs96nzXEnh0JgSXttJkAAAGEX5p6lgAABAMARzBFAiEAyHeVddutpmoc 3bJrD1knkjnPqjkYR0y7uQKNSq5teBQCIEcUBcb5ZbrXpFeppZXQfAg6pjRgFRPR 3TK4dbgmZc04MA0GCSqGSIb3DQEBCwUAA4IBAQCEkteYygWx3GIuNLSCsPwOdoCv UU1puNyQsBJ/OR+n9iCMAQ+RNJS4H4PzVDI/UK8yaC7Y2m6BBF5SxKtbZr7c0O5F XtOm5xfMXbidrdq/gJbjh1ZRO75GVS18eCm2hGAWzwg4ORD4N/uU+m85T4GYUasx bPUFC4iFA6L0FLOL0r8BJLjIHPlWrtlg1xnlaqPPyteyatMi4e3bqNEbWBO2R98y 1NPMl96xwooQWOwiXSmZZyXt8XZesliCrj3S0EJN1khTXuUtWWOoYE/BCJPQNX// IaGaWsZVpPMTFfKzEkaVCvH0XNZduH8c4+0S7NlUy8vzEtWaIjLpQNczr05F -----END CERTIFICATE----- subject=jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, serialNumber = 2154254, C = US, ST = New York, L = New York, O = Citigroup Inc., CN = www.citi.com issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: ECDH, prime256v1, 256 bits --- SSL handshake has read 3996 bytes and written 419 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: A47108E8C2082933E332591F46C622834DE5BB03944E95163EC192120695333B Session-ID-ctx: Master-Key: 5C5EF7038CB6C62264C24B090C9D40D1AFAEEAF58B4D74DF108274B4F64278C5122642753A85BBE9EDA738CDAC59DC58 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 83100 (seconds) TLS session ticket: 0000 - 00 00 42 50 d9 94 a5 65-7d ca 78 3f c5 81 94 c0 ..BP...e}.x?.... 0010 - 97 7c 9f b5 b4 46 c0 33-e2 6e 68 1b b9 13 22 31 .|...F.3.nh..."1 0020 - fb 16 46 3c cb 63 97 39-2a d2 83 bc 67 83 bd fa ..F<.c.9*...g... 0030 - 1e 08 07 37 89 4e a2 60-62 a1 7c b5 2b 77 16 45 ...7.N.`b.|.+w.E 0040 - 03 38 68 09 21 a9 be 64-2a bb 8c ea 78 a7 c4 48 .8h.!..d*...x..H 0050 - 5b 3d 9d 07 c3 43 fa 53-cc 7f 3b a4 26 fd e6 e7 [=...C.S..;.&... 0060 - d3 21 cb c6 d5 4f d0 e3-f8 47 57 40 d4 ac 1c cf .!...O...GW@.... 0070 - 94 54 3b 2f c0 94 33 39-cc 35 29 0e 99 3c 10 54 .T;/..39.5)..<.T 0080 - 90 4e 03 e8 7b af 4e bf-9a 1e 6d b6 ca aa ae ed .N..{.N...m..... 0090 - 37 63 ae 85 09 be 98 81-d7 82 f6 a0 6c 16 d9 3b 7c..........l..; 00a0 - c7 15 a9 35 0e 68 5e 09-45 c1 c0 e7 77 cd fc 3c ...5.h^.E...w..< Start Time: 1685554475 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- closed [root@[censored]]# openssl --version Invalid command '--version'; type "help" for a list. [root@research3 aide_reports]# openssl version OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022) [root@[censored]]# dnf update openssl Updating Subscription Management repositories. Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 5.1 kB/s | 4.1 kB 00:00 Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs) 6.3 kB/s | 4.5 kB 00:00 Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 6.0 kB/s | 4.5 kB 00:00 Dependencies resolved. Nothing to do. Complete! [root@[censored]]# ping www.citi.com PING e16976.x.akamaiedge.net (23.197.159.164) 56(84) bytes of data. 64 bytes from a23-197-159-164.deploy.static.akamaitechnologies.com (23.197.159.164): icmp_seq=1 ttl=58 time=92.5 ms ^C --- e16976.x.akamaiedge.net ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 92.486/92.486/92.486/0.000 ms Expected results: expect to see tls 1.3 connected with certificate displayed Additional info: Having many other problems with openvpn as well.