security - Is it possible to use custom random sources directly in gnutls or in openssl clients?

06
2014-04
  • user2284570

    I've only saw the -rand option in openssl which is used to seed their custom random number generator. The help page are divided, so it is easy to miss an option.

    I couldn't get a list of options for certtool.

    • Answers
    Know someone who can answer? Share a link to this question via email, Google+, Twitter, or Facebook.

    Related Question

    OpenSSL force client to use specific protocol
  • Ex Umbris

    When subversion attempts to connect to an https URL, the underlying protocol library (openssl) attempts to start the secure protocol negotiation at the most basic level, plain SSL.

    Unfortunately, I have to connect to a server that requires SSL3 or TLS1, and refuses to respond to SSL or SSL2.

    I’ve done some troubleshooting using s_client and confirmed that if I let s_client start with the default protocol the server never responds to the CLIENT HELLO:

    $ openssl s_client -connect server.domain.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

    Watching this in Wireshark I see:

    Client                Server
    -------syn---------->
    <------ack-----------
    ---CLIENT HELLO----->
    <------ack-----------
      [60 second pause]
    <------rst-----------

    If I tell s_client to use ssl2 the server immediately closes the connection. Only ssl3 and tls1 work.

    Is there any way to configure openssl to skip SSL and SSL2, and start the negotiation with TLS or SSL3? I've found the OpenSSL config file, but that seems to control only certificate generation.


    • Related Answers
    Know someone who can answer? Share a link to this question via email, Google+, Twitter, or Facebook.