It's easy to get the SSL certificate of an HTTPS port (443 by default).
But how about SSL on an arbitrary TCP port?
Live example:
205.185.198.226:1194
This is a VPN (OpenVPN server) running on port 1194.
IP 205.185.198.226 is using SSL/TLS on port 1194 to process client authentication methods based on certificates.
As Steffen Ullrich Said:
OpenVPN is not plain SSL but packs the SSL stream inside its own protocol, see https://openvpn.net/index.php/open-source/documentation/security-overview.html. Thus you have to speak the encapsulation protocol before you get to the TLS stream, which then includes the certificate.
So, is it really possible to get the SSL certificate of the OpenVPN server on the TCP port? Any example code? (PHP, C or Perl)
After generating certificates and keys on the Command Window, you can find the certificates and keys in the %ProgramFiles%\OpenVPN\easy-rsa (e.g. D:\OpenVPN\easy-rsa).
By default the OpenVPN Access Server comes configured with OpenVPN daemons that listen on port 1194 UDP, and OpenVPN daemons that listen on port 443 TCP. While the best connection for an OpenVPN tunnel is via the UDP port, we implement TCP 443 as a fallback method.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate, and the server must authenticate the client certificate before mutual trust is established.
$url = "tcp://198.203.28.44:2018";
I don't know what protocol is spoken on this ip:port, but either it is not SSL or the server does not accept common parameters inside the SSL handshake.
$ openssl s_client -connect 198.203.28.44:2018 -debug
CONNECTED(00000003)
write to 0x17e1490 [0x17e1a20] (295 bytes => 295 (0x127))
...
read from 0x17e1490 [0x17e6f80] (7 bytes => 0 (0x0))
...SSL routines:SSL23_WRITE:ssl handshake failure:...
The client starts the SSL handshake with the ClientHello (295 bytes). The server only closes the connection instead of replying with the handshake (0 bytes).
Since no successful SSL handshake is done you cannot get the certificate for the connection, i.e. nothing is sent back by the server, which also means no certificate was sent.
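The encapsulation the answer refers to can be shown with an added example (not code from the question, the answer, or the OpenVPN project). It builds and parses the OpenVPN control-channel frame as sent over TCP without tls-auth/tls-crypt, following the layout in the linked security-overview document, and wraps a real TLS ClientHello produced by Python's ssl MemoryBIO, so you can see why a bare ClientHello, as `openssl s_client` sends it, is not understood by the server. The session ids and packet ids used in the comments are constructed values.

```python
import ssl
import struct

# OpenVPN control-channel opcodes (upper 5 bits of the first byte; low 3 bits = key_id).
P_CONTROL_V1 = 4                   # carries a slice of the TLS byte stream
P_ACK_V1 = 5                       # acknowledgement only, no message packet-id
P_CONTROL_HARD_RESET_CLIENT_V2 = 7  # first packet a client sends
P_CONTROL_HARD_RESET_SERVER_V2 = 8  # the server's reply to the client reset


def build_tcp_control_frame(opcode, session_id, packet_id, payload=b"",
                            acks=(), remote_session_id=b"", key_id=0):
    """TCP framing: u16 length | opcode<<3|key_id | session_id[8] | ack_count |
    acks[4*n] | remote_session_id[8] (only if ack_count > 0) | packet_id[4]
    (absent for P_ACK_V1) | payload (a piece of the TLS stream)."""
    body = bytes([(opcode << 3) | key_id]) + session_id + bytes([len(acks)])
    body += b"".join(struct.pack(">I", a) for a in acks)
    if acks:
        body += remote_session_id
    if opcode != P_ACK_V1:
        body += struct.pack(">I", packet_id)
    body += payload
    return struct.pack(">H", len(body)) + body


def parse_tcp_control_frame(frame):
    """Inverse of build_tcp_control_frame: returns the header fields and the TLS payload."""
    (length,) = struct.unpack(">H", frame[:2])
    body = frame[2:2 + length]
    opcode, key_id = body[0] >> 3, body[0] & 7
    session_id, n_acks, pos = body[1:9], body[9], 10
    acks = [struct.unpack(">I", body[pos + 4 * i:pos + 4 * i + 4])[0] for i in range(n_acks)]
    pos += 4 * n_acks
    remote_sid = b""
    if n_acks:
        remote_sid, pos = body[pos:pos + 8], pos + 8
    packet_id = None
    if opcode != P_ACK_V1:
        packet_id, pos = struct.unpack(">I", body[pos:pos + 4])[0], pos + 4
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id, "acks": acks,
            "remote_session_id": remote_sid, "packet_id": packet_id, "payload": body[pos:]}


def tls_client_hello():
    """A genuine TLS ClientHello from the ssl module, written into a MemoryBIO instead of a
    socket; this is the 0x16 0x03 .. record that s_client sends first and OpenVPN rejects bare."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # no server bytes yet; the ClientHello now sits in `outgoing`
    return outgoing.read()
```

In a real exchange the client's first frame is the HARD_RESET_CLIENT_V2 with no payload, and the ClientHello travels in a P_CONTROL_V1 frame (packet-id 1) that also acknowledges the server's reset, so the TLS records only become visible to a client that implements this reliability layer, which is why s_client sees the connection closed after 0 bytes.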