© 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public
#CiscoLive
BRKEWN-2037
29
TLS Tunnel Setup Between Access Provider and IDP
Access Provider (Connector)  <->  Identity Provider (IDP AAA), TLS 1.2 handshake with certificates presented by both sides:
1. Connector -> IDP AAA: TCP SYN
2. IDP AAA -> Connector: TCP SYN ACK
3. Connector -> IDP AAA: TLS Client Hello
4. IDP AAA -> Connector: TLS Server Hello, Server Certificate, Certificate Request, ServerHelloDone
5. Connector -> IDP AAA: TLS Certificate, ClientKeyExchange, CertificateVerify, Change Cipher Spec, Finished
6. IDP AAA -> Connector: TLS Change Cipher Spec, Finished

On receiving step 4 the Connector verifies the server certificate: certificate chain, validity, revocation, CN vs AAA FQDN, SubjectAltName vs Realm.
On receiving step 5 the IDP AAA verifies the client certificate: certificate chain, validity, revocation, UID vs Operator-ID (optional).
openssl s_client -connect idp.openroaming.net:2083        # check the TLS connection to the IDP's RadSec port (TCP 2083)
CONNECTED(00000005)
depth=3 C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", OU = Openroaming, CN = openroaming.org, emailAddress = enb-devops@cisco.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
140704668922688:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/AppleInternal/Library/BuildRoots/97f6331a-ba75-11ed-a4bc-863efbbaf80d/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/ssl_pkt.c:1008:SSL alert number 42
---
Certificate chain
 0 s:/C=US/ST=CA/O=Cisco/CN=idp.openroaming.net
   i:/C=US/O=Cisco Systems Inc./OU=DNASpaces/ST=California/CN=cisco.openroaming.org/L=San Jose
 1 s:/C=US/O=Cisco Systems Inc./OU=DNASpaces/ST=California/CN=cisco.openroaming.org/L=San Jose
   i:/C=SG/ST=Singapore/L=Singapore/O=Wireless Broadband Alliance/OU=WBA/CN=openroaming.org/dnQualifier=WBA WRIX ECC Policy Intermediate CA-01
 2 s:/C=SG/ST=Singapore/L=Singapore/O=Wireless Broadband Alliance/OU=WBA/CN=openroaming.org/dnQualifier=WBA WRIX ECC Policy Intermediate CA-01
   i:/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-devops@cisco.com
 3 s:/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-devops@cisco.com
   i:/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-devops@cisco.com
---
Server certificate
subject=/C=US/ST=CA/O=Cisco/CN=idp.openroaming.net
issuer=/C=US/O=Cisco Systems Inc./OU=DNASpaces/ST=California/CN=cisco.openroaming.org/L=San Jose
---
Acceptable client certificate CA names
/C=US/ST=California/L=San Jose/O=Cisco Systems, Inc./OU=Openroaming/CN=openroaming.org/emailAddress=enb-devops@cisco.com
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6164 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9965F3B5DF5C740E7FEF85D01DB29FA2688237B007C46EDE537DF169031276B7
Session-ID-ctx:
Master-Key: 81A4848377685711A43018559E14CA4842A82FDC27017D1CCD6F32894DC32148219A91C5ED7F4E4865734CBF50417E6D
Start Time: 1683543981
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
openssl s_client -connect idp.openroaming.net:2083 -showcerts   # show the certificate chain(s)
openssl s_client -connect idp.openroaming.net:2083 -msg         # show all handshake messages
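The two verification lists on the diagram and the error 19 in the s_client run above, worked through as an added example that is not part of the Cisco deck and not Cisco or WBA code: a shell script that builds a throwaway three-level PKI with openssl (every name in it, example-root, idp.example.net, example.net and the Operator-ID EXAMPLE-OPERATOR-01, is invented for the demo), performs the connector-side checks (chain and validity against a trust anchor, CN against the AAA FQDN, SubjectAltName against the realm) and the IDP-side UID vs Operator-ID check, and reproduces the "self signed certificate in certificate chain" result you get when the OpenRoaming root is not in the local trust store. The realm is carried as a DNS entry in the SAN here to keep the script portable; OpenRoaming IDP certificates typically carry it as an NAIRealm otherName (RFC 7585), which needs an openssl build that prints that otherName type. Revocation is not exercised; openssl verify takes it via -crl_check and -CRLfile.

```shell
#!/bin/sh
# Added example (not from the Cisco Live deck): reproduce, with openssl and a
# throwaway PKI, the certificate checks the slide lists for both ends of the
# RadSec tunnel. Every name here (example-root, idp.example.net, example.net,
# EXAMPLE-OPERATOR-01) is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Issue one cert: $1 = subject, $2 = basename, $3 = extension file,
# $4 = issuer basename, or "self" for the self-signed root.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$1" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    if [ "$4" = self ]; then
        openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 2 -sha256 \
            -extfile "$3" -out "$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$2.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -days 2 -sha256 -extfile "$3" -out "$2.pem" 2>/dev/null
    fi
}

# Three-level chain like the one in the s_client output (root -> policy
# intermediate -> IDP server cert) plus a connector client cert.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Server cert: CN is the AAA FQDN, SAN lists the realm(s) the IDP serves.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:idp.example.net,DNS:example.net\n' > srv.ext
    # Client cert: the UID attribute carries the access provider's Operator-ID.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > cli.ext
    issue "/O=Example OpenRoaming/CN=example-root" root ca.ext self
    issue "/O=Example OpenRoaming/CN=example-intermediate" int ca.ext root
    issue "/O=Example IDP/CN=idp.example.net" srv srv.ext int
    issue "/O=Example Access Provider/UID=EXAMPLE-OPERATOR-01" cli cli.ext int
    # What the peer sends on the wire: the intermediate and, as in the slide's
    # depth=3 output, the self-signed root as well.
    cat int.pem root.pem > sent_chain.pem
}

# Chain + validity: the sent chain must end at a root in the local trust
# store ($1). Add -crl_check -CRLfile <crl> for the revocation check.
verify_chain() { openssl verify -CAfile "$1" -untrusted sent_chain.pem "$2" >/dev/null 2>&1; }

# The failure on the slide: with no trust anchor for the root, openssl walks
# up to the self-signed root and stops with error 19.
reproduces_error_19() {
    openssl verify -no-CAfile -no-CApath -untrusted sent_chain.pem srv.pem 2>&1 \
        | grep -q 'self.signed certificate in certificate chain'
}

# Subject attribute lookup (RFC 2253 form: "subject=CN=...,O=...").
dn_attr() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n "s/.*$2=\([^,]*\).*/\1/p"; }
cert_cn()  { dn_attr "$1" CN; }
cert_uid() { dn_attr "$1" UID; }
cert_san_dns() { openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'; }

cn_matches_fqdn()         { [ "$(cert_cn "$1")" = "$2" ]; }        # connector: CN vs AAA FQDN
san_matches_realm()       { cert_san_dns "$1" | grep -qx "$2"; }   # connector: SAN vs realm
uid_matches_operator_id() { [ "$(cert_uid "$1")" = "$2" ]; }       # IDP AAA: UID vs Operator-ID

# Stand-alone run: build the PKI and report each check.
make_test_pki
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report verify_chain root.pem srv.pem
report verify_chain root.pem cli.pem
report reproduces_error_19
report cn_matches_fqdn srv.pem idp.example.net
report san_matches_realm srv.pem example.net
report uid_matches_operator_id cli.pem EXAMPLE-OPERATOR-01
```

Against the real IDP the same checks are what s_client does for you once it is given the inputs the slide's run lacked: pass the OpenRoaming root with -CAfile so the chain no longer ends at an untrusted self-signed certificate (error 19), add -verify_hostname idp.openroaming.net for the CN/SAN match, and present the connector's own certificate with -cert and -key; the "alert bad certificate" (alert 42) in the output is the IDP closing the handshake after the Certificate Request was answered with no client certificate.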