RE: DCM SSL sha1 / sha256 cert issues

Brad,

I did verify the cert via browser with both IE and Chrome.
This only verifies port 443.
I was looking for test/verification for the non-HTTP apps listed in DCM with the cert assigned to them.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Bradley Stone
Sent: Friday, December 02, 2016 4:37 PM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues

No CAs in the chain? I've seen that once before for an FTP site using
SSL. I actually just imported that as a CA and it worked. Something odd
for sure

Self-signed certs in this case?

Another things you can do is enter the URL in your browser. I know chrome can return a LOT of information about your cert.

Brad
www.bvstools.com

On Fri, Dec 2, 2016 at 3:27 PM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx>
wrote:

I found some info on the open ssl client.

https://www.feistyduck.com/library/openssl-cookbook/
online/ch-testing-with-openssl.html

In our case.

QSH
openssl s_client -connect icomstest.pencor.com:443

Returns the below info.

I'm concerned about the verify error.
Correct SSL Protocol, SSL cypher are shown.
Cert is shown, but SHA needs to be interpreted.

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify
error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=Pennsylvania/L=Palmerton/O=Pencor Services/OU=Systems
Administration/CN=*.pencor.com
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCTCCA/GgAwIBAgIQbI5A6wYNQE4/yuTapzHTQzANBgkqhkiG9w0BAQsFADBE
Removed many lines.
SDUHE5328RYVJkk+oEzGJ9iGvRHgwmk3TICX/DOkOfxdR0p4O73uqFQVFMbk
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Palmerton/O=Pencor Services/OU=Systems
Administration/CN=*.pencor.com issuer=/C=US/O=GeoTrust
Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3437 bytes and written 664 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256 Server public key is 2048
bit Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 9E5C21F90F2DA0000000000000004F7D
Session-ID-ctx:
Master-Key: 57529F242536B732DC19C476B3B6EC
C46D04AD4A9C0166AE75175A93C696A8D1E425A5DA87DFE53A1028687FC25579B6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1480713293
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate
chain)
---

Paul


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Peter Connell
Sent: Friday, December 02, 2016 3:53 PM
To: Midrange Systems Technical Discussion
Subject: RE: DCM SSL sha1 / sha256 cert issues

Brad,
Yes, I just thought I'd piggy back on the thread without de-railing
it. I remembered that Scott wrote a UNIXCMD thing. I'm just googling
stuff on connecting via OpenSSL now.
Peter

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Bradley Stone
Sent: Saturday, 3 December 2016 9:48 AM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues

Peter,

I believe Scott meant you could use OpenSSL to grab the certificate
from a server and then with that tell what kinds it is.

We have something similar in our SSL documentation here:
http://docs.bvstools.com/home/ssl-documentation/openssl

Adding an openSSL hook to HTTPAPI and/or our GETURI product is also
something that's been on my todo list for a while as I'm just not
satisfied with the APIs much any more. I mean it's ok, but using
openSSL would sure be a nice addition. I had to do the same thing
with email years ago and one of my most used products was created. :)

Brad
www.bvstools.com

On Fri, Dec 2, 2016 at 2:21 PM, Peter Connell
<Peter.Connell@xxxxxxxxxx>
wrote:

Hi Scott,
Could you point me at some material so that I might try writing a
program that connects to a 3rd part server via OpenSSL as an
alternative to HTTPAPI ?
Peter

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Scott Klement
Sent: Friday, 2 December 2016 6:23 PM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues

Paul,

For server-type applications, you could connect with the openssl
command-line client. It can tell you all sorts of info about the
certs that it receives.

The same tool can be used to analyze a certificate from a file (on
your PC or the IFS, etc). You'd probably have to export it from the
DCM, but you could use this to find out whether it uses SHA256

You could also use it to connect to various services (Central,
Database, et al) to see what they're running.

Just a thought.


On 12/1/2016 1:24 PM, Steinmetz, Paul wrote:

1) Within DCM, is there a method to see if a cert is SHA1 or SHA256?
I'm not seeing the sha details anywhere.

2) I need a tool or method to determine which cert is being used
by a

non HTTP SSL job/process.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at http://archive.midrange.com/

midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.


##############################################################
This correspondence is for the named person's use only. It may
contain confidential or legally privileged information, or both. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this correspondence in error, please immediately
delete it from your system and notify the sender. You must not
disclose, copy or rely on any part of this correspondence if you are
not the intended recipient. Any views expressed in this message are
those of the individual sender, except where the sender expressly,
and with authority, states them to be the views of Veda. If you need
assistance, please contact Veda :- Australia
http://www.veda.com.au/contact-us New Zealand
http://www.veda.co.nz/contact-veda
##############################################################

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.


##############################################################
This correspondence is for the named person's use only. It may contain
confidential or legally privileged information, or both. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this correspondence in error, please immediately delete
it from your system and notify the sender. You must not disclose, copy
or rely on any part of this correspondence if you are not the intended
recipient. Any views expressed in this message are those of the
individual sender, except where the sender expressly, and with
authority, states them to be the views of Veda. If you need
assistance, please contact Veda :- Australia http://www.veda.com.au/
contact-us New Zealand http://www.veda.co.nz/contact-veda
##############################################################

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.