I was tinkering with a script that I'd written to test HTTPS endpoints: -
…
test.sh
(echo -ne "GET /DecisionService/ws/HelloWorldProject/1.0/HelloWorld?WSDL HTTP/1.0\r\nHost: example.com\r\n\r\n" ; cat) | openssl s_client -connect localhost:443
Specifically it gets a WSDL from an HTTPS endpoint, but that's not important right now.
When I ran it on a macOS Sierra box: -
(echo -ne "GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n" ; cat) | openssl s_client -connect spapc.uk.ibm.com:8443
I saw this: -
CONNECTED(00000003)
33208:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_clnt.c:618:
The target box is running IBM HTTP Server, and is configured only support TLS 1.2, as per this: -
33208:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_clnt.c:618:
The target box is running IBM HTTP Server, and is configured only support TLS 1.2, as per this: -
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 8443
<VirtualHost *:8443>
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLEnable
</VirtualHost>
KeyFile /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb
SSLDisable
Listen 8443
<VirtualHost *:8443>
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLEnable
</VirtualHost>
KeyFile /opt/ibm/HTTPServer/BPM/ssl/keystore.kdb
SSLDisable
and I was seeing this: -
[Thu Dec 29 15:52:11 2016] [warn] [client 10.0.0.1] [7fd354031c20] [4204] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols). [10.0.0.1:50171 -> 10.41.0.148:8443] [15:52:11.000508812] 0ms
in the IHS error_log.
Alas, it seems that the openssl client on macOS doesn't support TLS 1.2, only 1.0, as per this: -
openssl s_client -connect
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify depth - turn on peer certificate verification
-cert arg - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private key file to use, in cert file if
not specified but cert file is.
-keyform arg - key format (PEM or DER) PEM default
-pass arg - private key file pass phrase source
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-reconnect - Drop and re-make the connection with the same Session-ID
-pause - sleep(1) after each read(2) and write(2) system call
-showcerts - show all certificates in the chain
-debug - extra output
-msg - Show protocol messages
-nbio_test - more ssl protocol testing
-state - print the 'ssl' states
-nbio - Run with non-blocking IO
-crlf - convert LF from terminal into CRLF
-quiet - no s_client output
-ign_eof - ignore input eof (default when -quiet)
-no_ign_eof - don't ignore input eof
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
...
-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify depth - turn on peer certificate verification
-cert arg - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private key file to use, in cert file if
not specified but cert file is.
-keyform arg - key format (PEM or DER) PEM default
-pass arg - private key file pass phrase source
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-reconnect - Drop and re-make the connection with the same Session-ID
-pause - sleep(1) after each read(2) and write(2) system call
-showcerts - show all certificates in the chain
-debug - extra output
-msg - Show protocol messages
-nbio_test - more ssl protocol testing
-state - print the 'ssl' states
-nbio - Run with non-blocking IO
-crlf - convert LF from terminal into CRLF
-quiet - no s_client output
-ign_eof - ignore input eof (default when -quiet)
-no_ign_eof - don't ignore input eof
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
...
If I compare this to a RHEL 6.6 box, I can see that TLS 1.2 *is* supported by later versions of the openssl client: -
openssl s_client -connect
…
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
…
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
…
On the Mac, I have this version of openssl : -
openssl version
OpenSSL 0.9.8zh 14 Jan 2016
whereas on RHEL, I have this version: -
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
In other words, a more recent version but an older date :-(
For the record, when I run my test on the RHEL box, it does what I'd expect :-)
So, c'mon, Apple, please update openssl :-)