Openssl

Have you ever wondered what happens behind the scenes when your browser looks at a secure webpage?

$ openssl s_client -connect http://www.example.com:443

Here we will try hotmail as an example:

$ openssl s_client -connect www.hotmail.com:443 CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority --- Server certificate -BEGIN CERTIFICATE- MIIFjjCCBHagAwIBAgIKSOvxGgACAAAtLDANBgkqhkiG9w0BAQUFADCBizETMBEG CgmSJomT8ixkARkWA2NvbTEZMBcGCgmSJomT8ixkARkWCW1pY3Jvc29mdDEUMBIG CgmSJomT8ixkARkWBGNvcnAxFzAVBgoJkiaJk/IsZAEZFgdyZWRtb25kMSowKAYD VQQDEyFNaWNyb3NvZnQgU2VjdXJlIFNlcnZlciBBdXRob3JpdHkwHhcNMDUwNDMw MDMwMTE3WhcNMDYwNDMwMDMwMTE3WjBsMQswCQYDVQQGEwJVUzETMBEGA1UECBMK V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDESMBAGA1UEChMJTWljcm9zb2Z0 MQwwCgYDVQQLEwNNU04xFDASBgNVBAMTC2NiMS5tc24uY29tMIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQDNTaMus+hYIJypJj3UcArNFPCNsDUnZwgkNm5P7y5x 0ld6NLHiuOsXIYWxdbKoxWyiB/yHtriceBOtvtqxNgTwBq7u89e+dvf9B8Vh6/q7 ahb4CoRiTLwg4oZiXyPVzjctemSg1muGyLsfbwHEL8vc2tQb6i0QoYU3aDYYtC6p rQIDAQABo4IClDCCApAwCwYDVR0PBAQDAgWgMEQGCSqGSIb3DQEJDwQ3MDUwDgYI KoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUrDgMCBzAKBggqhkiG9w0D BzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFJ1mnREr 4FHM4l6YYm/hK+La5PSlMB8GA1UdIwQYMBaAFN8sIdPjGXO8S2ETHGDqS73mriBE MIGvBgNVHR8EgacwgaQwgaGggZ6ggZuGVmh0dHA6Ly9jcmwubWljcm9zb2Z0LmNv bS9wa2kvbXNjb3JwL2NybC9NaWNyb3NvZnQlMjBTZWN1cmUlMjBTZXJ2ZXIlMjBB dXRob3JpdHkoMikuY3JshkFodHRwOi8vY29ycHBraS9jcmwvTWljcm9zb2Z0JTIw U2VjdXJlJTIwU2VydmVyJTIwQXV0aG9yaXR5KDIpLmNybDCBvwYIKwYBBQUHAQEE gbIwga8wXgYIKwYBBQUHMAKGUmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv bXNjb3JwL01pY3Jvc29mdCUyMFNlY3VyZSUyMFNlcnZlciUyMEF1dGhvcml0eSgy KS5jcnQwTQYIKwYBBQUHMAKGQWh0dHA6Ly9jb3JwcGtpL2FpYS9NaWNyb3NvZnQl MjBTZWN1cmUlMjBTZXJ2ZXIlMjBBdXRob3JpdHkoMikuY3J0MD8GCSsGAQQBgjcV BwQyMDAGKCsGAQQBgjcVCIPPiU2t8gKFoZ8MgvrKfYHh+3SBT4PC7YUIjqnShWMC AWQCAQUwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAN BgkqhkiG9w0BAQUFAAOCAQEAstqN970Zjy6CqACmankJP8PTRzeGX2AvCqff6h70 rZ/ueBJqsF9IooGLkEkIdR+EHFU8oy9hYLjfW0fIOIIsZXthodaEO01zy9LulYrQ B5GUJjyTMlS6B7GL9ujcLn0mnEpIzb9gCiWiwiWvbEvTWpstukklo3rM402SohaE lIo7UlA/HXOla9LO5TnUz1vnq+xDpaCob6Mfaccf1olh1MiM1C2d2AJgNTAgh/G5 fkMYwdhZrfC7gqN4ToyIAyc4rzUOBerWUy78wg/JE1xYBSKspigbGg2xR3xVWFk6 HaXj37Upal4RzKNBjQT7YR0rM+Ua6/rnYqDUFcwmAO7VCg== -END CERTIFICATE- subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=MSN/CN=cb1.msn.com issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority --- No client certificate CA names sent --- SSL handshake has read 1562 bytes and written 324 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher   : RC4-MD5 Session-ID: C11400002AAB613AD6C75370910E17EF8343200B966B5E96D1DA80F62109C5BC Session-ID-ctx: Master-Key: 4847F9E69D0C2314BC7206318E3A6E2F0932BB9847BD352F8594148CA1970560971338DCE0C756D02D317AC881A801DC Key-Arg  : None Start Time: 1173414130 Timeout  : 300 (sec) Verify return code: 21 (unable to verify the first certificate) ---

There are some very interesting findings in this example, specifically the errors which are highlighted in bold. What this means in summary is that you were not able to verify the first certificate, Microsoft has implemented SSL incorrectly. This is not to fault them, many companies do not implement it properly. SSL requires that the certificate CN must be the exact same as the website address. In this case even though we're trying to go to www.hotmail.com, which is what the CN should say, it says cb1.msn.com as you can see above. It does make one wonder about the security of a company that can't get something like SSL implemented properly.

What happens when you try Hotmail's Secure weblogin in your browser now? Did you see these errors, were you prompted to accept the certificate manually? Were you outright denied, or did you end up on a hotmail webpage without an errors meaning your browser permitted them?