Re: [openssl-gost] Re: Bug#898823: does not work for cryptopro test servers
On Tue, 22 May 2018 13:01:46 +0300
Wartan Hachaturow <wartan.hachaturow@gmail.com> wrote:
>
> On 2018-05-16T12:29:34+0300, Dmitry Eremin-Solenikov wrote:
>
> > Package: libengine-gost-openssl1.1
> > Version: 1.1.0.1-1
> > Severity: normal
>
> > Connecting to CryptoPro test servers does not seem to work. No
> > additional configuration was done to openssl.cnf.
>
> > $ openssl s_client -engine gost -connect tlsgost-2001.cryptopro.ru:443
> > engine "gost" set.
> > CONNECTED(00000003)
> > 140418489987264:error:141710F8:SSL routines:tls_process_server_hello:unknown cipher
Strange. It should be:
engine "gost" set.
CONNECTED(00000003)
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
i:/emailAddress=support@cryptopro.ru/C=RU/L=Moscow/O=CRYPTO-PRO LLC/CN=CRYPTO-PRO Test Center 2
---
Server certificate
subject=/CN=id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
issuer=/emailAddress=support@cryptopro.ru/C=RU/L=Moscow/O=CRYPTO-PRO LLC/CN=CRYPTO-PRO Test Center 2
---
No client certificate CA names sent
---
SSL handshake has read 1040 bytes and written 396 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : GOST2012-GOST8912-GOST8912
Session-ID: BA10F4E127B7C5F5B50BF35B8ABD10A003A3EB5A4908FF8F7767ECF3D1DD67A9
Session-ID-ctx:
Master-Key: 4DEF74E5BA30D4198019DA8B767FAA00A0ABDA098C852B641AFC9D9201A4FDF957D561144C4A98BB22C4DDB46C647252
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1526985064
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
This is on stable for me,
openssl version -a
OpenSSL 1.1.0f 25 May 2017
built on: reproducible build, date unspecified
platform: debian-amd64
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-1.1\""
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"