SSL Cert, where none required. #77

@dinosn

Hello!

Reporting one case that I have noticed recently. The enum process works normally, but guess fails with the following error. Minor issue; maybe it can simply be expected and caught when the endpoint requires a client cert.

server# rmg guess xx.xx.xx.xx 1099 
[+] Reading method candidates from internal wordlist rmg.txt
[+] 	752 methods were successfully parsed.
[+] Reading method candidates from internal wordlist rmiscout.txt
[+] 	2550 methods were successfully parsed.
[+]
[+] Starting Method Guessing on 3281 method signature(s).
[+]
[+] 	MethodGuesser is running:
[+] 		--------------------------------
[-] 		Caught unexpected java.rmi.ConnectIOException during method call.
[-] 		Please report this to improve rmg :)
[-] 		StackTrace:
java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
	javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:307)
	at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
	at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:343)
	at eu.tneitzel.rmg.networking.RMIEndpoint.guessingCall(RMIEndpoint.java:191)
	at eu.tneitzel.rmg.operations.RemoteObjectClient.guessingCall(RemoteObjectClient.java:364)
	at eu.tneitzel.rmg.operations.MethodGuesser$GuessingWorker.run(MethodGuesser.java:423)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
	at sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at sun.security.ssl.Alert.createSSLException(Alert.java:117)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
	at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392)
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
	at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:813)
	at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
	at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1175)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at java.io.DataOutputStream.flush(DataOutputStream.java:123)
	at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
	... 8 more
[-] 		Cannot continue from here.

server# openssl s_client -connect xx.xx.xx.xx:1099
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
server# 

The endpoint is:

Endpoint: xx.xx.xx.xx:40002  CSF: SslRMIClientSocketFactory  ObjID: [-355d302d:196cccd5ddd:-7fff, 282863618043287405]

Which indeed requires a certificate:

server# openssl s_client -connect xx.xx.xx.xx:40002
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN
verify return:1
140508912178496:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1552:SSL alert number 42
---
Certificate chain
 0 s:CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN
   i:CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN
---
Server certificate
subject=CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN

issuer=CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN

---
Acceptable client certificate CA names
CN = HP Device Manager, OU = RMI Client, O = HP Device Manager, L = SH, ST = SH, C = CN
CN = HP Device Manager, OU = RMI Service, O = HP Device Manager, L = SH, ST = SH, C = CN
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA1:RSA+SHA1:DSA+SHA1:0x01+0x01
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1589 bytes and written 388 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D9FCF169B4FE20DA32480ABE228727821EBBB947F15B6F2B3E3B
    Session-ID-ctx: 
    Master-Key: BBA9775AB2D834A04A3A992BD05B3FC6BDE3985D94BF61478F6FFCA3442B406CFE39924A11CC2438854
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1747491314
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---

Regards,
Nicolas
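
The handling suggested in the report, sketched as an added example that is not part of the original issue and not rmg's own code: it walks the exception's cause chain and recognises the TLS alert a server sends when it wanted a client certificate. The class and method names are hypothetical, and the `certificate_required` wording for TLS 1.3 is an assumption.

```java
import java.io.IOException;
import java.rmi.ConnectIOException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;

public class ClientCertCheck {

    // Alert names that point at a missing or rejected client certificate.
    // bad_certificate is the alert from the report; certificate_required is the
    // TLS 1.3 counterpart (assumption: JSSE reports it with the same wording).
    private static final List<String> CLIENT_CERT_ALERTS =
            Arrays.asList("bad_certificate", "certificate_required");

    /** Walks the cause chain and returns the matching alert name, or null. */
    static String clientCertAlert(Throwable t) {
        int depth = 0; // bound the walk in case of a cyclic cause chain
        for (Throwable cur = t; cur != null && depth < 16; cur = cur.getCause(), depth++) {
            if (cur instanceof SSLHandshakeException && cur.getMessage() != null) {
                for (String alert : CLIENT_CERT_ALERTS) {
                    if (cur.getMessage().contains(alert)) {
                        return alert;
                    }
                }
            }
        }
        return null;
    }

    /** Turns the exception into a one-line diagnosis instead of a stack trace. */
    static String describe(Throwable t) {
        String alert = clientCertAlert(t);
        if (alert != null) {
            return "TLS alert '" + alert + "': endpoint probably requires a client certificate";
        }
        return "unexpected " + t.getClass().getName() + ": " + t.getMessage();
    }

    public static void main(String[] args) {
        // Constructed exception chain with the same shape as the stack trace in the report.
        Exception reported = new ConnectIOException(
                "error during JRMP connection establishment",
                new SSLHandshakeException("Received fatal alert: bad_certificate"));
        // Constructed counter-example: a connection error with no TLS alert behind it.
        Exception other = new ConnectIOException(
                "connection reset", new IOException("Connection reset"));

        System.out.println(describe(reported));
        System.out.println(describe(other));
    }
}
```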
