
How to debug OpenSSL based Orbix 6.3 client and server applications?

  • May 17, 2013

Summary: This article provides an overview of debugging OpenSSL based Orbix 6.3 applications.
Article Number: 28248
Environment: Orbix 6.3, All Supported Operating Systems
Question/Problem Description: How to debug OpenSSL based Orbix 6.3 client and server applications?
What tools are available for debugging security issues?
Does OpenSSL provide debugging tools?
Resolution: Orbix ships a version of OpenSSL, a publicly available implementation of the SSL protocol, including the openssl utilities.

The openssl utility included with Orbix 6.3 provides two powerful tools for debugging SSL/TLS client and server applications, as follows:
  • openssl s_client - an SSL/TLS test client, which can be used to test secure Orbix servers. The test client can connect to a secure port, while providing a detailed log of the steps performed during the SSL/TLS handshake.
  • openssl s_server - an SSL/TLS test server, which can be used to test secure Orbix clients. The test server can simulate a bare bones SSL/TLS server (handshake only). Additionally, by supplying the -WWW switch, the test server can also simulate a simple secure Web server.
To debug a secure server, run the openssl test client to connect to it, for example:

openssl s_client -connect localhost:2955 -ssl3 -cert admin.pem

where

-connect host:port
Open a secure connection to the specified host and port.

-ssl3
This option configures the client to initiate the handshake using SSL v3 (the default is SSL v2). To see which SSL version (or versions) the target server is configured to use, check the value of the policies:mechanism_policy:protocol_version variable in the Orbix configuration file. Orbix servers can also be configured to use TLS v1, for which the corresponding openssl command switch is -tls1.

-cert admin.pem
Specifies admin.pem as the test client’s own certificate. The PEM file should contain only the application certificate and the application certificate’s private key. The PEM file should not contain a complete certificate chain. If your server is not configured to require a client certificate, you can omit the -cert switch.

The openssl s_client command also supports the switches "-state" and "-debug", both of which log extra details to the command console during the handshake.
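
The following is an added example, not part of the original article or of Orbix: a POSIX shell wrapper that runs the test client with -state and condenses its log to the negotiated protocol, the cipher, whether the server requested a client certificate (and so whether -cert is needed), and the verify result. The function names, the script file name and the sample log are constructed for illustration, and the log layout assumed is that of OpenSSL 1.0.x-era s_client output.

```shell
#!/bin/sh
# Added example: condense the log of `openssl s_client -state` into four fields.

# Read s_client output on stdin; exit 0 only if a cipher was negotiated and
# certificate verification returned 0 (ok).
summarize_handshake() {
    awk '
        BEGIN { proto = "none"; cipher = "none"; verify = "none"; req = "no" }
        # -state trace line logged when the server asks for a client certificate
        /^SSL_connect:.*certificate request/ { req = "yes" }
        /^ *Protocol *:/      { v = $0; sub(/^[^:]*: */, "", v); proto = v }
        /^ *Cipher *:/        { v = $0; sub(/^[^:]*: */, "", v); cipher = v }
        /Verify return code:/ { v = $0; sub(/^.*code: */, "", v); verify = v }
        END {
            print "protocol=" proto
            print "cipher=" cipher
            print "client_cert_requested=" req
            print "verify=" verify
            # s_client reports cipher 0000 when the handshake did not complete
            exit !(cipher != "none" && cipher != "0000" && verify ~ /^0 /)
        }'
}

# probe HOST:PORT [s_client switches]; stdin from /dev/null ends the session
# after the handshake, and 2>&1 captures the -state trace written to stderr.
probe() {
    target=$1; shift
    openssl s_client -connect "$target" -state "$@" </dev/null 2>&1 |
        summarize_handshake
}

# Constructed sample log (not captured from a real Orbix server).
sample_log() {
    cat <<'EOF'
CONNECTED(00000003)
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---
EOF
}

# Example (script file name assumed): sh handshake.sh localhost:2955 -tls1 -cert admin.pem
if [ $# -gt 0 ]; then probe "$@"; fi
```

A non-zero verify code such as 19 means the test client could not build a chain to a CA it trusts; it does not by itself mean the handshake was refused.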


For complete details of the openssl s_client and the openssl s_server commands, see the following OpenSSL documentation pages:
- http://www.openssl.org/docs/apps/s_client.html
- http://www.openssl.org/docs/apps/s_server.html

For further details on Orbix security please see:
Orbix Security Guide

The above guide is available from the Orbix Product documentation page:
http://supportline.microfocus.com/Documentation/books/Orbix/635/security guide.pdf
Created date: 01 February 2012
Last Modified: 12 February 2013
Last Published: 28 January 2013
First Published date: 01 February 2012
