in reply to Re^8: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
in thread Can Log4Perl integrated with LWP log SSL/TLS handshaking?

It's hard to get just from the number of bytes and the frame number what the difference is. IO::Socket::SSL announces fewer ciphers than s_client to work around bugs in older F5 appliances, which might explain the difference in the packets from client to server. And the server sends more data on a successful connection because it sends the certificate. Another difference might be that IO::Socket::SSL tries SNI whereas s_client does not. You might switch off SNI by setting SSL_hostname to ''. If this does not help it might be better to contact me directly at sullr AT cpan.org and send me the full packet dump for the successful and unsuccessful connection.

Re^10: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
by ted.byers (Monk) on Aug 07, 2014 at 15:26 UTC

    Thanks!

    How can I tell IO::Socket::SSL to use more ciphers; those used by openssl s_client? AND, is it a good idea to do so? That is, does doing so introduce vulnerabilities when connecting to Tomcat? (I don't even know what an F5 appliance is.) Or does it only use the best ciphers available to it? Or does it even matter when the client and server are going to negotiate the cipher to use anyway?

    I did turn off SNI, but it made no difference except to get rid of the reference to SNI in the output.

    I'll send my Wireshark logs directly. I assume that's what you're talking about in your reference to a full packet dump. I just started using Wireshark last Friday, and am still having difficulty making sense of it, or even how to have it actually show me the data (I have all the keys and certificates that would be used in the SSL handshaking, but I don't know if I need to tell Wireshark about them, or how to do so if so).

    Thanks

    Ted
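
The two posts above turn on three IO::Socket::SSL knobs: the reduced default cipher list, the SSL_hostname option that controls SNI, and the ssl_opts hash through which LWP passes such options down to IO::Socket::SSL. The script below is an added example written for this page; it is not code from either poster or from the IO::Socket::SSL distribution. It performs the same handshake four times (library defaults, OpenSSL's own DEFAULT cipher list as s_client announces it, SNI off, and both together), prints what was negotiated, and then issues one LWP request with the same options. The hostname, port and CA file path are placeholders to be replaced with the Tomcat server under test.

```perl
#!/usr/bin/perl
# Added example, not from the thread: compare IO::Socket::SSL handshakes with
# different cipher lists and with SNI on/off, then reuse the options via LWP.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use LWP::UserAgent;

# Assumptions: replace with the real Tomcat host, port and the CA that signed its cert.
my $host = 'tomcat.example.internal';
my $port = 8443;
my $ca   = '/path/to/ca.pem';

# Handshake-level tracing from IO::Socket::SSL goes to STDERR (levels 0..3).
$IO::Socket::SSL::DEBUG = 3;

sub try_handshake {
    my ($label, %opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_file     => $ca,
        %opts,
    );
    if (!$sock) {
        # $SSL_ERROR carries the last SSL-level error, $! the socket-level one.
        warn sprintf("FAILED %-28s ssl=%s sys=%s\n",
            $label, $IO::Socket::SSL::SSL_ERROR // '-', $! || '-');
        return;
    }
    printf "OK     %-28s %s %s, server cert subject: %s\n",
        $label, $sock->get_sslversion, $sock->get_cipher,
        $sock->peer_certificate('subject');
    $sock->close(SSL_ctx_free => 1);
}

# 1. library defaults: reduced cipher list, SNI sent
try_handshake('defaults');
# 2. OpenSSL's full DEFAULT list, the set openssl s_client offers
try_handshake('cipher_list=DEFAULT', SSL_cipher_list => 'DEFAULT');
# 3. SNI switched off, as suggested in the thread
try_handshake('no SNI', SSL_hostname => '');
# 4. both changes together
try_handshake('DEFAULT, no SNI',
    SSL_cipher_list => 'DEFAULT', SSL_hostname => '');

# The same options reach LWP through ssl_opts (LWP::UserAgent 6.x).
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        SSL_cipher_list => 'DEFAULT',
        SSL_hostname    => '',
        SSL_ca_file     => $ca,
        verify_hostname => 1,
    },
);
my $res = $ua->get("https://$host:$port/");
print $res->status_line, "\n";
```

Two practical notes. The suite actually used is the server's pick from the intersection of the two lists, so widening the client list only matters if the server refuses everything the client offers; when widening it, an explicit list such as 'HIGH:!aNULL:!eNULL:!MD5' keeps the null and export suites out rather than relying on whatever 'DEFAULT' means for the installed OpenSSL. And for the Wireshark question: supplying the server's private key lets Wireshark decrypt the application data only when the negotiated suite uses RSA key exchange; with DHE/ECDHE suites the session key never crosses the wire, so the handshake messages (ClientHello cipher list, ServerHello choice, alerts) remain readable but the payload does not, which is usually enough to see why a handshake fails.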