How to Check for SSL Renegotiation

By Scott Miller | 2011/11/03

To check whether a server accepts a client-initiated SSL/TLS renegotiation, you can use the openssl s_client command. I’ll show you how!


The commands are as follows:

$ openssl s_client -connect yourdomain.com:443

(TLS 1.3 did away with renegotiation entirely, so against a current server add -tls1_2 to make sure the test runs over a protocol version that still has it.)

Then, after the regular handshake output (certificate chain, cipher, session details) has been printed, type the following, each on its own line:

GET / HTTP/1.0

R

The GET line is sent to the server as application data; do not follow it with the blank line that would complete the request, or the server may answer and close the connection before you get to the next step. The R on a line by itself is not sent to the server at all: it is an s_client command that starts a client-initiated renegotiation on the open connection.

If the server allows renegotiation, you will see output similar to the following. A second handshake runs inside the existing connection (the connection is not torn down and re-established), so the certificate verification lines appear again:

RENEGOTIATING
depth=1 C = US, O = xxxxxx, OU = xxxxxxx
verify return:1
... (rest of the renegotiated handshake output)


If the server refuses renegotiation, the output looks like this instead (the exact error text depends on the OpenSSL version; newer builds report "no renegotiation" when the server answers the request with a no_renegotiation alert):

RENEGOTIATING
140735300143548:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:

Note that this is a different question from the "Secure Renegotiation IS supported" line in the handshake summary. That line reports whether the RFC 5746 renegotiation_info extension was negotiated; a server can support secure renegotiation and still refuse client-initiated renegotiation, which is exactly what the full example below shows. Refusing client-initiated renegotiation is the usual hardening choice, since every renegotiation costs the server a full handshake and the client can ask for as many as it likes.

Full example output:

$ openssl s_client -connect scottlinux.com:443
CONNECTED(00000003)
depth=0 CN = li166-66.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li166-66.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li166-66.members.linode.com
   i:/CN=li166-66.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBwzCCASwCCQDq0eIRQD71bTANBgkqhkiG9w0BAQUFADAmMSQwIgYDVQQDExts
aTE2Ni02Ni5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTAwNzI0MjAwOTE0WhcNMjAw
NzIxMjAwOTE0WjAmMSQwIgYDVQQDExtsaTE2Ni02Ni5tZW1iZXJzLmxpbm9kZS5j
b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOOxaSrBkgHACSBgKtZOECOH
s5VwnUfdghEJrgtmyqeUw78pNZX/wq3BGnmkUsB+cYd+YNMbdkxAHjMTi21u+/T3
Id7tjSDNzLIop4joUUdUkmIxZqp+8RmOq0+6FHTAF761qBr3Mgc64G96ToiGZopv
9Uo5adbdcfgCbA71u+zZAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEA1vgLRRsL7Mmp
oVadISEvjWrV/eePuW2ylWi9NQJua863ouwObN6GKRs+nIaPESc6hSIcGs2zOXIm
1e/eGyqYzQVUZDvKT11TKQp3SioYLwatjwpftM8sRykqSNZgiUSwxa3Q9vS/ZzbQ
wILdu9Dk8yCkDVPbbZK087oSfHIFbvw=
-----END CERTIFICATE-----
subject=/CN=li166-66.members.linode.com
issuer=/CN=li166-66.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1205 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E94F5D1CB4CD23EFEB64DD869FD9E0120043C788AFA706DF106905E54E6C7163
    Session-ID-ctx: 
    Master-Key: 212EC6D6BB98CF4766B4AD42142F5C3283EFF2564172710EE26415D50FF99B7DC197B1CAC552A18D7674490A224CBF92
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 45 af 98 09 0a 81 dd c7-60 dd e3 97 d1 5d a9 68   E.......`....].h
    0010 - 34 6f 09 06 13 95 41 e9-cf 21 8e 9b 68 8b 4a 11   4o....A..!..h.J.
    0020 - c5 f7 a8 ab 7d 50 0a d8-e6 17 84 a7 9a 9c f7 8d   ....}P..........
    0030 - d8 b3 0e c5 84 cc c9 44-39 4c 0d ce 75 73 26 fb   .......D9L..us&.
    0040 - 31 a5 fb ae b1 e5 d8 7d-7b f9 c7 66 83 1c 85 1f   1......}{..f....
    0050 - 60 de fa 77 ad 26 a4 30-9f f4 d7 3e be 91 10 72   `..w.&.0...>...r
    0060 - 3f 52 b5 38 47 0a c1 d0-0e aa a3 16 47 87 17 3f   ?R.8G.......G..?
    0070 - 8b 23 52 61 ae 6b 5f 28-08 ee 99 8e 01 19 89 3a   .#Ra.k_(.......:
    0080 - 2f 28 2d 71 20 2b 1d 2d-82 83 91 b4 50 90 d4 eb   /(-q +.-....P...
    0090 - 37 e7 eb c6 93 12 68 11-cb d3 f8 e3 d6 b6 ca 10   7.....h.........
    00a0 - cf 59 dd ff d4 b9 81 e4-35 80 99 25 1f 05 e1 04   .Y......5..%....
    00b0 - 4c 18 6a 8d 0c 0e 3d 88-63 cb 35 97 97 2b b9 a6   L.j...=.c.5..+..

    Compression: 1 (zlib compression)
    Start Time: 1320370833
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0
R
RENEGOTIATING
140735300143548:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
:~$
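The interactive recipe above is awkward to repeat across many hosts, so here is the same probe as a script. This is an added example, not code from the original post: it feeds the "GET" line and the "R" command to s_client from a pipeline and then classifies the output, separating the "Secure Renegotiation IS supported" line (RFC 5746 support) from whether the client-initiated renegotiation after RENEGOTIATING was accepted or refused. The helper names probe_renegotiation and classify_renegotiation are hypothetical, and the two sample transcripts at the bottom are constructed from the output shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): drive the s_client probe described
# above non-interactively and classify what comes back. probe_renegotiation and
# classify_renegotiation are hypothetical helper names chosen for this example.

# Run the interactive recipe as a pipeline: send the partial "GET" line, then the
# "R" command that makes s_client start a client-initiated renegotiation.
# Needs network; the offline checks further down never call it.
#   usage: probe_renegotiation host [port]
probe_renegotiation() {
    host=$1
    port=${2:-443}
    # The sleeps give the first handshake, then the renegotiation, time to finish
    # before stdin closes (s_client shuts the connection down on EOF).
    # -tls1_2: TLS 1.3 has no renegotiation, so "R" is only meaningful up to 1.2.
    { printf 'GET / HTTP/1.0\r\n'; sleep 1; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 2>&1
}

# Read s_client output on stdin and print one verdict line:
#   rfc5746=<yes|no|unknown> client_reneg=<accepted|refused|unknown>
# rfc5746 comes from the "Secure Renegotiation IS supported" line (RFC 5746
# renegotiation_info extension); client_reneg comes from what follows the
# RENEGOTIATING marker. The two are independent: a server can support secure
# renegotiation yet refuse client-initiated renegotiation outright.
classify_renegotiation() {
    out=$(cat)
    case $out in
        *"Secure Renegotiation IS NOT supported"*) rfc5746=no ;;
        *"Secure Renegotiation IS supported"*)     rfc5746=yes ;;
        *)                                         rfc5746=unknown ;;
    esac
    # Keep only the text printed after RENEGOTIATING (unchanged if it never appeared).
    after=${out#*RENEGOTIATING}
    if [ "$after" = "$out" ]; then
        reneg=unknown   # the R command never ran, e.g. the connection failed earlier
    else
        case $after in
            # "handshake failure" is what the post's OpenSSL printed; newer
            # versions say "no renegotiation" when the server sends that alert.
            *"handshake failure"*|*"no renegotiation"*|*"unexpected message"*)
                reneg=refused ;;
            # A second handshake ran: the verify callback prints depth/verify lines again.
            *"verify return"*|*"Certificate chain"*)
                reneg=accepted ;;
            *)
                reneg=unknown ;;
        esac
    fi
    echo "rfc5746=$rfc5746 client_reneg=$reneg"
}

# Constructed samples for offline use: the tail of the post's own output (refused)
# and the shape of an accepting server's output.
SAMPLE_REFUSED='Secure Renegotiation IS supported
RENEGOTIATING
140735300143548:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:'

SAMPLE_ACCEPTED='Secure Renegotiation IS supported
RENEGOTIATING
depth=1 C = US, O = xxxxxx, OU = xxxxxxx
verify return:1'

# Live use: ./check_reneg.sh yourdomain.com [port]
if [ -n "$1" ]; then
    probe_renegotiation "$1" "$2" | classify_renegotiation
else
    printf '%s\n' "$SAMPLE_REFUSED"  | classify_renegotiation   # rfc5746=yes client_reneg=refused
    printf '%s\n' "$SAMPLE_ACCEPTED" | classify_renegotiation   # rfc5746=yes client_reneg=accepted
fi
```

Run with a hostname to probe a live server; without arguments it classifies the two constructed transcripts. The post's own output classifies as rfc5746=yes client_reneg=refused, which is the combination you want to see on a hardened server.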

2 thoughts on “How to Check for SSL Renegotiation”

  1. Artur

    I’ve got Tomcat 7.x with redirection to SSL on port 8443. When I check

    openssl s_client -connect IP:8443

    I see that I’ve got RENEGOTIATION ON.

    After the sentence
    GET / HTTP/1.0
    R
    RENEGOTIATING
    there is:
    verify return:1

    OpenSSL on the server is 1.0.1e.

    How to switch it off?

    1. Scott Miller (post author)

      I would typically suggest running tomcat behind nginx. Then nginx can take care of all of the SSL stuff, and more.

