get the ssl certificate of openvpn server on tcp port [closed]
It's easy to get the SSL certificate of an HTTPS port (443 by default).

But how about SSL on a TCP port?

Live example:

205.185.198.226:1194

This is a VPN (OpenVPN server) running on port 1194.

IP 205.185.198.226 is using SSL/TLS on port 1194 to process client authentication methods based on certificates.

As Steffen Ullrich said:

OpenVPN is not plain SSL but it packs the SSL stream inside its own protocol, see https://openvpn.net/index.php/open-source/documentation/security-overview.html Thus you have to speak the encapsulation protocol before you get to the TLS stream which then includes the certificate.

So, is it really possible to get the SSL certificate of the OpenVPN server on the TCP port? Any example code? (PHP, C or Perl)

Iron answered 11/10, 2015 at 17:9
What if you try to use ssl://198.293.28.44:2018, any difference? – Toscana
@Toscana no difference. – Iron
Is there the possibility of calling openvpn from PHP, with some debugging switches? – Extracurricular
Answered in serverfault.com/questions/708577/… – Coloquintida
$url = "tcp://198.203.28.44:2018";

I don't know what protocol is spoken on this ip:port, but either it is not SSL or the server does not accept common parameters inside the SSL handshake.

$ openssl s_client -connect 198.203.28.44:2018 -debug
CONNECTED(00000003)
write to 0x17e1490 [0x17e1a20] (295 bytes => 295 (0x127))
...
read from 0x17e1490 [0x17e6f80] (7 bytes => 0 (0x0))
...SSL routines:SSL23_WRITE:ssl handshake failure:...

The client starts the SSL handshake with the ClientHello (295 bytes). The server only closes the connection instead of replying with the handshake (0 bytes).

Since no successful SSL handshake is done, you cannot get the certificate for the connection, i.e. nothing is sent back by the server, which also means no certificate was sent.

Mccartney answered 11/10, 2015 at 17:45
To be more precise, this is a VPN (OpenVPN server) running on port 2018. – Iron
@user2203703: OpenVPN is not plain SSL but it packs the SSL stream inside its own protocol, see openvpn.net/index.php/open-source/documentation/…. Thus you have to speak the encapsulation protocol before you get to the TLS stream which then includes the certificate. – Mccartney
So, you think it's hard or almost not possible to do that, right? I spent a lot of hours on searching and trying to find a good answer. – Iron
@user2203703: how hard and how possible it is depends on your knowledge, experience with the OpenVPN protocol and the time you have. It is definitely doable, otherwise OpenVPN would have problems doing it. I don't know if it is doable with PHP since I don't know if you get access to the low-level functions of the OpenSSL library. But I'm sure it is not doable the simple high-level way you've tried. – Mccartney
I wish you were a PHP programmer! Do you think it's possible to get the certificates on UDP ports too by following the same steps? – Iron
@user2203703: there is no plain TLS on UDP (only DTLS). And with OpenVPN you will face the same issues, i.e. they have the TLS part embedded inside their own protocol. There is no general solution to get the certificates if TLS is embedded into some other protocol. – Mccartney
Thank you very much for helping me. – Iron
No one was able to help me except you, congrats, you got the bounty :) – Iron
I have successfully used the approach with openssl s_client to connect to a Fortinet VPN Server and dump the server certificate. The issue here is specific to OpenVPN's server encapsulating communication in its own wrapper protocol. – Oruntha
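As an added example (not code from the post, nor from the OpenVPN project), the Python below implements the control-channel framing the answer and its comments say you must speak before you reach the TLS stream, reassembles the server's P_CONTROL_V1 payloads, and pulls the certificates out of the plaintext TLS 1.2 Certificate message. It assumes `--proto tcp` without tls-auth or tls-crypt (both wrap every control packet in an extra HMAC or encryption layer that this code does not handle) and a server that still negotiates TLS 1.2, since TLS 1.3 encrypts the Certificate message.

```python
# OpenVPN control-channel framing and reading the server certificate from the TLS stream it
# carries. Added example, not from the post; assumes TCP mode, no tls-auth/tls-crypt, TLS 1.2.
import struct

P_CONTROL_V1, P_ACK_V1, P_HARD_RESET_CLIENT_V2 = 4, 5, 7  # OpenVPN control-channel opcodes

def build_control(opcode, local_sid, packet_id=0, payload=b"", acks=(), remote_sid=b""):
    # TCP length | opcode<<3|key_id(0) | session id | ack array [+ remote session id] | pkt id | TLS
    body = bytes([opcode << 3]) + local_sid + bytes([len(acks)])
    body += b"".join(struct.pack(">I", a) for a in acks) + (remote_sid if acks else b"")
    if opcode != P_ACK_V1:  # P_ACK_V1 carries neither packet id nor payload
        body += struct.pack(">I", packet_id) + payload
    return struct.pack(">H", len(body)) + body

def parse_control(frame):
    # Inverse of build_control: (opcode, sender's session id, packet id or None, TLS payload)
    body, n = frame[2:], frame[11]
    pos = 10 + 4 * n + (8 if n else 0)  # skip ack array and remote session id
    if body[0] >> 3 == P_ACK_V1:
        return P_ACK_V1, body[1:9], None, b""
    return body[0] >> 3, body[1:9], struct.unpack(">I", body[pos:pos + 4])[0], body[pos + 4:]

def reassemble(frames):
    # Rebuild the server's TLS byte stream: order P_CONTROL_V1 payloads by packet id and drop
    # retransmitted duplicates (the reliability layer resends anything we have not acked yet).
    by_id = {}
    for frame in frames:
        opcode, _, pid, payload = parse_control(frame)
        if opcode == P_CONTROL_V1:
            by_id.setdefault(pid, payload)
    return b"".join(by_id[pid] for pid in sorted(by_id))

def extract_certificates(tls_stream):
    # DER certs from the plaintext TLS 1.2 Certificate (type 11) message; [] while still incomplete
    hs, pos = b"", 0
    while pos + 5 <= len(tls_stream):  # TLS record: type(1) version(2) length(2) fragment
        rlen = struct.unpack(">H", tls_stream[pos + 3:pos + 5])[0]
        if pos + 5 + rlen > len(tls_stream):
            break  # partial record: wait for more data
        if tls_stream[pos] == 22:
            hs += tls_stream[pos + 5:pos + 5 + rlen]  # collect handshake fragments
        pos += 5 + rlen
    while len(hs) >= 4 and len(hs) >= 4 + (mlen := int.from_bytes(hs[1:4], "big")):
        if hs[0] == 11:  # Certificate: 3-byte certificate_list length, then 3-byte-length certs
            certs, p = [], 7
            while p < 4 + mlen:
                clen = int.from_bytes(hs[p:p + 3], "big")
                certs.append(hs[p + 3:p + 3 + clen])
                p += 3 + clen
            return certs
        hs = hs[4 + mlen:]  # skip ServerHello and any other message
    return []
```

Driven over a TCP socket the exchange is: send `build_control(P_HARD_RESET_CLIENT_V2, sid, 0)`, parse the server's P_CONTROL_HARD_RESET_SERVER_V2 to learn its session id and packet id, send a TLS 1.2 ClientHello (for instance one produced by `ssl.MemoryBIO`) as `build_control(P_CONTROL_V1, sid, 1, hello, [server_pid], server_sid)`, then answer every server control packet with a P_ACK_V1 and run the collected frames through `reassemble` until `extract_certificates` returns a non-empty list. Each packet on the wire is prefixed by its 2-byte length, which `build_control` already adds and a reader must strip before calling `parse_control`.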
