SySS-Research / Seth

Perform a MitM attack and extract clear text credentials from RDP connections
MIT License
1.39k stars 324 forks

Expecting: TRUSTED CERTIFICATE #1

Closed n1841175 closed 7 years ago

n1841175 commented 7 years ago

The error occurs when the "victim" () wants to connect to the RDP-enabled server:

[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 192.168.2.106
[*] Clone the x509 certificate of the original destination...
unable to load certificate
139716702381736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140000985458344:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
[*] Cleaning up...
[*] Done.
AdrianVollmer commented 7 years ago

Can you show me the output of openssl s_client -connect 192.168.2.106:3389 < /dev/null?

n1841175 commented 7 years ago
openssl s_client -connect 192.168.2.106:3389 < /dev/null

CONNECTED(00000003)
depth=0 CN = WIN-CQ4FHA995O9
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-CQ4FHA995O9
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=WIN-CQ4FHA995O9
   i:/CN=WIN-CQ4FHA995O9
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
subject=/CN=WIN-CQ4FHA995O9
issuer=/CN=WIN-CQ4FHA995O9
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1236 bytes and written 310 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 2E060000C1E17611253E62B0C2F3EB1149AA6247A024A2DC69E543BAD3334940
    Session-ID-ctx: 
    Master-Key: E0947331176180A5ACAE139AE1F65F9D9AA62FFF442782022E3F73E23BE7BF824BC943FC69D46574C322ABA86C2B7BDE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1490083718
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
DONE
AdrianVollmer commented 7 years ago

Not sure why this happens, works fine on my end. Maybe your openssl version is older than mine and behaves differently. Either way, failing to clone a certificate shouldn't be a show stopper. It should just generate some self-signed certificate in that case.

jacm01 commented 5 years ago

verify error:num=20:unable to get local issuer certificate verify error:num=21:unable to verify the first certificate

Those errors are because you don't have the Root CA cert and/or any other subordinate CA on your machine. Once you install those you should see "verify return:1" without the 20 and 21 errors.

To complete the chain you must have the Root cert, any intermediate cert and the server cert.
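Two separate things go wrong in this thread: the `no start line ... Expecting: TRUSTED CERTIFICATE` error means `openssl x509` was handed text with no `-----BEGIN CERTIFICATE-----` line at all, and the `verify error:num=20/21` lines are chain-verification results that mean different things depending on whether the leaf is self-signed (subject equals issuer, as in the transcript above) or merely missing its issuer. The following is an added example, not code from the Seth project: a standard-library Python helper that pulls the PEM block out of an `openssl s_client` transcript, checks that it decodes to DER, and classifies the verification failure. The transcript embedded in it is constructed to mirror the one posted here, and its certificate body is a placeholder, not a real certificate; the function names and the `VERIFY_CODES` table are this example's own.

```python
"""Diagnose an `openssl s_client` transcript: extract the PEM block that
`openssl x509` needs, confirm it decodes to DER, and explain the chain
verification codes. Added example, not part of the Seth project.
Standard library only; the sample transcript below is constructed."""
import base64
import re

# Subset of X509 verify return codes as printed by s_client ("verify error:num=NN").
VERIFY_CODES = {
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def extract_pem(transcript):
    """Return the first PEM certificate block in the transcript, or None.
    `openssl x509` reports 'PEM_read_bio:no start line ... Expecting:
    TRUSTED CERTIFICATE' exactly when no BEGIN line reaches it."""
    m = PEM_BLOCK.search(transcript)
    return m.group(0) if m else None


def pem_to_der(pem):
    """Decode the base64 body; an X.509 certificate is a DER SEQUENCE (0x30)."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER-encoded certificate")
    return der


def diagnose(transcript):
    """Summarise the transcript from a certificate-validation point of view."""
    pem = extract_pem(transcript)
    codes = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", transcript)})
    subject = re.search(r"^subject=(.*)$", transcript, re.M)
    issuer = re.search(r"^issuer=(.*)$", transcript, re.M)
    # Each chain element is printed as " N s:<subject>" under "Certificate chain".
    depth = len(re.findall(r"^\s*\d+ s:", transcript, re.M))
    self_signed = bool(subject and issuer
                       and subject.group(1).strip() == issuer.group(1).strip())

    if pem is None:
        advice = "no PEM block in the transcript: nothing to hand to `openssl x509`"
    elif self_signed and depth == 1:
        advice = ("leaf certificate is self-signed: there is no CA to install; "
                  "pin this certificate or replace it with a CA-issued one")
    elif 20 in codes or 21 in codes:
        advice = ("chain incomplete: the server omitted an intermediate or the "
                  "local trust store lacks the root")
    else:
        advice = "no chain-verification error reported"

    return {
        "pem": pem,
        "der_length": len(pem_to_der(pem)) if pem else 0,
        "chain_depth": depth,
        "self_signed": self_signed,
        "verify_codes": codes,
        "verify_messages": [VERIFY_CODES.get(c, "unknown code") for c in codes],
        "advice": advice,
    }


# Constructed sample modelled on the transcript in this issue. The base64 body
# "MAMCAQE=" is a 5-byte placeholder DER SEQUENCE, not a real certificate.
SAMPLE_TRANSCRIPT = """CONNECTED(00000003)
depth=0 CN = WIN-EXAMPLE
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-EXAMPLE
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=WIN-EXAMPLE
   i:/CN=WIN-EXAMPLE
---
Server certificate
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
subject=/CN=WIN-EXAMPLE
issuer=/CN=WIN-EXAMPLE
---
DONE
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRANSCRIPT).items():
        if key != "pem":
            print(f"{key}: {value}")
```

Run it against a real capture with `openssl s_client -connect host:3389 < /dev/null 2>/dev/null > transcript.txt` and `diagnose(open("transcript.txt").read())`. For the transcript posted above it reports a single-element chain whose subject equals its issuer, so codes 20 and 21 come from the self-signed leaf itself rather than from a missing intermediate; for a transcript with no `Server certificate` section it reports that there is nothing for `openssl x509` to parse, which is the condition behind the `Expecting: TRUSTED CERTIFICATE` message.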