RE: DCM SSL sha1 / sha256 cert issues -- MIDRANGE-L

I found some info on the open ssl client.

https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

In our case.

QSH
openssl s_client -connect icomstest.pencor.com:443

Returns the below info.

I'm concerned about the verify error.
Correct SSL Protocol, SSL cypher are shown.
Cert is shown, but SHA needs to be interpreted.

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=Pennsylvania/L=Palmerton/O=Pencor Services/OU=Systems Administration/CN=*.pencor.com
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCTCCA/GgAwIBAgIQbI5A6wYNQE4/yuTapzHTQzANBgkqhkiG9w0BAQsFADBE
Removed many lines.
SDUHE5328RYVJkk+oEzGJ9iGvRHgwmk3TICX/DOkOfxdR0p4O73uqFQVFMbk
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Palmerton/O=Pencor Services/OU=Systems Administration/CN=*.pencor.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3437 bytes and written 664 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 9E5C21F90F2DA0000000000000004F7D
Session-ID-ctx:
Master-Key: 57529F242536B732DC19C476B3B6ECC46D04AD4A9C0166AE75175A93C696A8D1E425A5DA87DFE53A1028687FC25579B6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480713293
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Peter Connell
Sent: Friday, December 02, 2016 3:53 PM
To: Midrange Systems Technical Discussion
Subject: RE: DCM SSL sha1 / sha256 cert issues

Brad,
Yes, I just thought I'd piggy back on the thread without de-railing it. I remembered that Scott wrote a UNIXCMD thing. I'm just googling stuff on connecting via OpenSSL now.
Peter

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Saturday, 3 December 2016 9:48 AM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues

Peter,

I believe Scott meant you could use OpenSSL to grab the certificate from a server and then with that tell what kinds it is.

We have something similar in our SSL documentation here:
http://docs.bvstools.com/home/ssl-documentation/openssl

Adding an openSSL hook to HTTPAPI and/or our GETURI product is also something that's been on my todo list for a while as I'm just not satisfied with the APIs much any more. I mean it's ok, but using openSSL would sure be a nice addition. I had to do the same thing with email years ago and one of my most used products was created. :)

Brad
www.bvstools.com

On Fri, Dec 2, 2016 at 2:21 PM, Peter Connell <Peter.Connell@xxxxxxxxxx>
wrote:

Hi Scott,
Could you point me at some material so that I might try writing a
program that connects to a 3rd part server via OpenSSL as an
alternative to HTTPAPI ?
Peter

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Scott Klement
Sent: Friday, 2 December 2016 6:23 PM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues

Paul,

For server-type applications, you could connect with the openssl
command-line client. It can tell you all sorts of info about the
certs that it receives.

The same tool can be used to analyze a certificate from a file (on
your PC or the IFS, etc). You'd probably have to export it from the
DCM, but you could use this to find out whether it uses SHA256

You could also use it to connect to various services (Central,
Database, et al) to see what they're running.

Just a thought.

On 12/1/2016 1:24 PM, Steinmetz, Paul wrote:

1) Within DCM, is there a method to see if a cert is SHA1 or SHA256?
I'm not seeing the sha details anywhere.

2) I need a tool or method to determine which cert is being used by
a

non HTTP SSL job/process.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

##############################################################
This correspondence is for the named person's use only. It may contain
confidential or legally privileged information, or both. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this correspondence in error, please immediately delete
it from your system and notify the sender. You must not disclose, copy
or rely on any part of this correspondence if you are not the intended
recipient. Any views expressed in this message are those of the
individual sender, except where the sender expressly, and with
authority, states them to be the views of Veda. If you need
assistance, please contact Veda :- Australia
http://www.veda.com.au/contact-us New Zealand
http://www.veda.co.nz/contact-veda
##############################################################

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

##############################################################
This correspondence is for the named person's use only. It may contain confidential or legally privileged information, or both. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this correspondence in error, please immediately delete it from your system and notify the sender. You must not disclose, copy or rely on any part of this correspondence if you are not the intended recipient. Any views expressed in this message are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of Veda. If you need assistance, please contact Veda :- Australia http://www.veda.com.au/contact-us New Zealand http://www.veda.co.nz/contact-veda
##############################################################

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.