[Haskell-cafe] Taking the TLS package for a spin ... and failing

Mads Lindstrøm mads.lindstroem at gmail.com
Tue Dec 14 11:41:29 CET 2010


Hi Vincent,

I got it to work :) But there seems to be some bugs in the Haskell
server certificate handling. It seems that TLS do not transfer the ST
(state, as in California) parameter in the X509 subject field. It also
seems that the Haskell server do not send the email-address.

The reason for my suspicion is that when I connect my Java client to the
Haskell server, the client sees this certificate:

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: OU=Head office, O=Mads Inc., C=DK, CN=192.168.1.6
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 2222747914719126678758768988   (the modulus is longer, but I cut it down).
  public exponent: 65537
  Validity: [From: Tue Dec 14 11:07:05 CET 2010,
               To: Fri Dec 13 11:07:05 CET 2013]
  Issuer: OU=Head office, O=Mads Inc., C=DK, CN=192.168.1.6
  SerialNumber: [    e11f077d a534af39]

]

Whereas, if I connect the Java client to the Java server I get this
certificate:

chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=mads.lindstroem at gmail.com, CN=192.168.1.6, OU=Head office, O=Mads Inc., L=Copenhagen, ST=Denmark, C=DK
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 2222747914719126678758768988   (the modulus is longer, but I cut it down)
  public exponent: 65537
  Validity: [From: Tue Dec 14 11:07:05 CET 2010,
               To: Fri Dec 13 11:07:05 CET 2013]
  Issuer: EMAILADDRESS=mads.lindstroem at gmail.com, CN=192.168.1.6, OU=Head office, O=Mads Inc., L=Copenhagen, ST=Denmark, C=DK
  SerialNumber: [    e11f077d a534af39]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 F9 87 37 7D 80 53 2C   F4 B1 B2 05 43 24 21 51  ...7..S,....C$!Q
0010: FD 37 4C C8                                        .7L.
]
]


And without ST and/or email-address the Java client will not recognize
the certificate.

To avoid these problems I created a new certificate, using:

> openssl req -new -x509 -key privkey.pem -subj "/OU=Head office, O=Mads Inc., C=DK, CN=192.168.1.6" -out cacert.pem -days 1095

That is, without email and without ST parameter. I then recreated the
Java keystore. And now it works. Woohooo!

I have attached the modified Java client, if anybody is interested in
how to force SSL3 from Java.


/Mads





On Mon, 2010-12-13 at 08:51 +0000, Vincent Hanquez wrote:
> On Sun, Dec 12, 2010 at 08:13:59PM +0100, Mads Lindstrøm wrote:
> > Hi Haskellers,
> > 
> > 
> > I am trying to connect a Java client to a Haskell server using the
> > Haskell tls package, and things are not working out for me. There is a
> > lot of steps involved and I do not know what I am doing wrong, so this
> > is a long message. But first I create a private/public key-pair:
> 
> On Mon, Dec 13, 2010 at 01:22:17AM +0100, Mads Lindstrøm wrote:
> > Hi again,
> > 
> > I found a simpler way to test the server connection, but it is still not
> > working. Namely,
> > 
> > > openssl s_client -connect 192.168.1.6:8000
> 
> Hi Mads,
> 
> This one has to do with the fact that openssl try to send a SSLv2 hello
> message, which is not yet supported by TLS (and not in the supported Version
> list in the params if it was).
> 
> unfortunately lots of clients still do that for compatibility; even though
> that doesn't buy much since nobody should connect to a pure SSLv2 server.
> 
> For the openssl cmdline, you can add a simple -ssl3 flag or -tls1 flag to start
> negociating at the right version straight away.
> 
> > [snip]
> > main, WRITE: SSLv2 client hello message, length = 101
> > [snip]
> 
> This lines appears suspicious; I think that's exactly the same problem.  I
> suppose there's a way to instanciate your java SSL connection to SSL3 or TLS1
> 
> It would be nice to add support to the SSLv2 hello message directly though,
> but I don't have any timeline for that to happens.
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Client.java
Type: text/x-java
Size: 1298 bytes
Desc: not available
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20101214/330ec898/attachment.java>


More information about the Haskell-Cafe mailing list