  1. #1

    Is the SSL handshake successful?


    I use curl to test access to a service through a proxy server. The curl output is pasted below with only the URL replaced with **** for my company's security. I am getting a 403 error.

    myserver11:~> curl -I -v -x 10.57.76.73:80 https://**********.net/api/import/user
    * About to connect() to proxy 10.57.76.73 port 80 (#0)
    * Trying 10.57.76.73... connected
    * Connected to 10.57.76.73 (10.57.76.73) port 80 (#0)
    * Establish HTTP proxy tunnel to **********.net:443
    > CONNECT **********.net:443 HTTP/1.1
    > Host: **********.net:443
    > User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection Established
    HTTP/1.1 200 Connection Established
    <

    * Proxy replied OK to CONNECT request
    * successfully set certificate verify locations:
    * CAfile: none
    CApath: /etc/ssl/certs/
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using ECDHE-RSA-AES256-SHA
    * Server certificate:
    * subject: CN=*.**********.net
    * start date: 2016-09-28 21:45:23 GMT
    * expire date: 2018-05-07 17:03:30 GMT
    * subjectAltName: **********.net matched
    * issuer: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; OU=Microsoft IT; CN=Microsoft IT SSL SHA2
    * SSL certificate verify ok.
    > HEAD /api/import/user HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10
    > Host: **********.net
    > Accept: */*
    >
    * SSLv3, TLS handshake, Hello request (0):
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Request CERT (13):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    < HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    < Content-Length: 2399
    Content-Length: 2399
    < Content-Type: text/html
    Content-Type: text/html
    < Server: Microsoft-IIS/8.0
    Server: Microsoft-IIS/8.0
    < Date: Mon, 12 Jun 2017 18:34:15 GMT
    Date: Mon, 12 Jun 2017 18:34:15 GMT
    < Connection: close
    Connection: close

    <
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):

    I have the following questions:
    1. Just before the 403 error, I can see "SSLv3, TLS handshake, Finished (20)". Does this mean that the SSL handshake is already completed and successful?
    2. I am also seeing this at the end:
    "* Closing connection #0
    * SSLv3, TLS alert, Client hello (1):"
    What does it mean?
    3. I know that the server required mutual authentication. This means that curl has to present a certificate. But I did not specify any in the command. Which certificate does curl use and where does it pick it up?
    4. A 403 error normally means the service is stopped or I am not authorized to call the service (correct me if I am wrong). In this case, if the SSL handshake is completed successfully, then it's probably me not being authorized to use the service. If the SSL handshake is missing the cert from curl, could this result in the 403?

  2. #2
    Linux Guru Rubberman
    You will find the certs in ~/.ssh or /root/.ssh
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
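
Added example (not part of the thread and not curl's own code): a small Python parser that groups the handshake lines of the trace from the first post into rounds, so the renegotiation, the certificate request and the HTTP status that followed can be read off. It keys only on the numeric codes in parentheses, read as TLS handshake message types (RFC 5246), and skips the change-cipher and alert lines; the function and field names are made up for this example, and the trace is abridged from the post.

```python
import re

# Abridged from the curl -v trace in the first post (host was already masked there).
TRACE = """\
< HTTP/1.1 200 Connection Established
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 403 Forbidden
"""

HS = re.compile(r"TLS handshake, .*\((\d+)\):")
STATUS = re.compile(r"< HTTP/\S+ (\d{3})")

def handshake_rounds(trace):
    """Group handshake message types into rounds, one per ClientHello."""
    rounds, hello_request = [], False
    for line in trace.splitlines():
        status, hs = STATUS.match(line), HS.search(line)
        if status and rounds:          # the proxy's CONNECT reply precedes any round
            rounds[-1]["http_status"] = int(status.group(1))
        if not hs:                     # change-cipher and alert lines are skipped
            continue
        t = int(hs.group(1))
        if t == 1:                     # ClientHello (1) opens a new round
            rounds.append({"server_initiated": hello_request, "cert_requested": False,
                           "client_cert_msg": False, "finished": 0, "types": []})
        hello_request = t == 0         # HelloRequest (0): server asks to renegotiate
        if t == 0 or not rounds:
            continue
        r = rounds[-1]
        # Certificate (11) seen after ServerHelloDone (14) is the client's message
        r["client_cert_msg"] |= t == 11 and 14 in r["types"]
        r["cert_requested"] |= t == 13  # CertificateRequest (13)
        r["finished"] += t == 20        # one Finished (20) per side
        r["types"].append(t)
    return rounds
```

On this trace both rounds end with two Finished messages, and the second round, which the server started, carries a certificate request that the client answered with a Certificate message before the 403. The trace does not show what that Certificate message contained.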
