Guide to SSL

What is EPP?

EPP is the Extensible Provisioning Protocol. EPP (defined in RFC 5730 and others) is an application layer client-server protocol for the provisioning and management of objects stored in a shared central repository. Specified in XML, the protocol defines generic object management operations and an extensible framework that maps protocol operations to objects.
Connecting to EPP using OpenSSL:

OpenSSL command:

The OpenSSL command is as follows:

$ openssl s_client -connect epp.ote.donuts.co:700 -key /path/to/key.pem -cert /path/to/cert.pem -CAfile /path/to/intermediateCA.pem

Response on successful connection:

If your command was completed successfully, you should receive the following response:

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Bellevue, O = Donuts Inc., CN = epp.donuts.co
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Bellevue/O=Donuts Inc./CN=epp.donuts.co
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/C=US/ST=Washington/L=Bellevue/O=Donuts Inc./CN=epp.donuts.co
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Client Certificate Types: RSA sign
Requested Signature Algorithms: RSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512
---
SSL handshake has read 4535 bytes and written 5177 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 6B56A72A4392E14F18AFBB09EEB3CAE1667623C546A69A6D91644B2956EDB7B3
    Session-ID-ctx:
    Master-Key: 8975199B667C6237F67EAC02B0118C311E8E052BDA8383970599A9AD6B146E6BCCBFE82CB9E720995A630FB720069079
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1505485076
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
<?xml version="1.0" encoding="utf-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <greeting>
    <svID>EPP Registration Server</svID>
    <svDate>2017-09-15T14:17:56.803Z</svDate>
    <svcMenu>
      <version>1.0</version>
      <lang>en</lang>
      <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
      <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
      <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
      <objURI>http://www.unitedtld.com/epp/finance-1.0</objURI>
      <svcExtension>
        <extURI>http://www.unitedtld.com/epp/charge-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:allocationToken-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:idn-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:launch-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:rgp-1.0</extURI>
        <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
      </svcExtension>
    </svcMenu>
    <dcp>
      <access>
        <all />
      </access>
      <statement>
        <purpose>
          <admin />
          <other />
          <prov />
        </purpose>
        <recipient>
          <ours />
          <public />
          <unrelated />
        </recipient>
        <retention>
          <indefinite />
        </retention>
      </statement>
    </dcp>
  </greeting>
</epp>

Response on failed connection - no greeting message returned:

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Bellevue, O = Donuts Inc., CN = epp.donuts.co
verify return:1
140700250965664:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
140700250965664:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Bellevue/O=Donuts Inc./CN=epp.donuts.co
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
subject=/C=US/ST=Washington/L=Bellevue/O=Donuts Inc./CN=epp.donuts.co
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Client Certificate Types: RSA sign
Requested Signature Algorithms: RSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512
---
SSL handshake has read 4467 bytes and written 2287 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 6B56A72A43925BC718AFBB09EEB3C9E186A8BF59A6750EA391644B2956EDA8BE
    Session-ID-ctx:
    Master-Key: B1F958EB9AF510C2E56E5537683FDD0F16933BD25B9EED2091E1352FE1EC6884EFFC691A4805D7FE36DA40B6CF551824
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1505485337
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
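To tell the two transcripts apart automatically, here is an added Python example (not code from the original article) that triages captured `s_client` output: it pulls out the verify return code, any TLS alert number, and the service menu from the EPP greeting, then gives a one-line verdict. The transcripts embedded in it are constructed abbreviations of the two shown above; `triage` and `diagnose` are names chosen here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0"}

# Constructed, abbreviated transcripts in the shape of the two shown above.
SUCCESS = """    Verify return code: 0 (ok)
---
<?xml version="1.0" encoding="utf-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><greeting>
  <svID>EPP Registration Server</svID>
  <svcMenu><objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
    <svcExtension><extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI></svcExtension>
  </svcMenu></greeting></epp>
"""
FAILURE = """1:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
---
    Verify return code: 0 (ok)
"""

def triage(output):
    """Pull the verify code, any TLS alert and the EPP greeting out of a transcript."""
    t = {"verify_code": None, "verify_text": None, "alert": None, "greeting": None}
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    if m:
        t["verify_code"], t["verify_text"] = int(m.group(1)), m.group(2)
    m = re.search(r"SSL alert number (\d+)", output)
    if m:
        t["alert"] = int(m.group(1))
    # the greeting follows the TLS summary; slice from <epp ...> to </epp> and parse it
    start, end = output.find("<epp "), output.rfind("</epp>")
    if start != -1 and end != -1:
        g = ET.fromstring(output[start:end + len("</epp>")]).find("epp:greeting", NS)
        if g is not None:
            t["greeting"] = {
                "svID": g.findtext("epp:svID", namespaces=NS),
                "objURI": [e.text for e in g.findall("epp:svcMenu/epp:objURI", NS)],
                "extURI": [e.text for e in g.findall(
                    "epp:svcMenu/epp:svcExtension/epp:extURI", NS)],
            }
    return t

def diagnose(output):
    """One-line verdict: a greeting means the server accepted the client certificate."""
    t = triage(output)
    if t["greeting"] is not None:
        return "ok"
    if t["verify_code"] not in (None, 0):   # the server's chain failed local validation
        return "local trust failure: " + t["verify_text"]
    if t["alert"] == 40:                     # alert 40 = handshake_failure, sent after the client cert
        return "handshake failure: server rejected the client certificate"
    return "no greeting received"
```

Feed it the full transcript with `diagnose(open("s_client.log").read())`; the `extURI` list also tells you which extensions (for example `secDNS-1.1`) the server actually advertises before you rely on them.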

Most common issues for failed connection attempts:

1. Expired certificate:

$ openssl x509 -in PATH/cert_name -noout -dates

Output:

notBefore=Jan 30 14:06:37 2014 GMT
notAfter=Jan 30 14:06:37 2015 GMT

2. Unsupported client certificate: the EPP server is configured to accept only certain types of certificates.

The supported certificate types can be found here.

3. Missing intermediate certificates in certificate chain:

The following command should be used to verify that you have all intermediate certificates:

$ openssl s_client -connect epp.ote.donuts.co:700 -cert PATH/cert -key PATH/key -CAfile PATH/intermediate

Please note that the intermediate certificates should be passed in a separate file.

Even if you have all the necessary certificates, OpenSSL will not connect when they are all included in the certificate file instead, and the error message will be:

Verify return code: 19 (self signed certificate in certificate chain)
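The three checks above can be run locally before attempting the connection. This added Python example (not the article's own code) reads the certificate dates with `openssl x509 -noout -dates`, checks for an RSA key on the assumption, taken from the `Client Certificate Types: RSA sign` line in the transcripts, that the server wants RSA client certificates, and verifies the chain with the intermediate passed in its own file. `openssl()`, `preflight()` and `validity_status()` are helper names chosen here, and `SAMPLE_DATES` is constructed from the output shown above.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `openssl x509 -noout -dates` shown above.
SAMPLE_DATES = "notBefore=Jan 30 14:06:37 2014 GMT\nnotAfter=Jan 30 14:06:37 2015 GMT\n"
FMT = "%b %d %H:%M:%S %Y %Z"   # openssl's date layout, e.g. "Jan 30 14:06:37 2015 GMT"

def parse_dates(dates_output):
    """Turn the notBefore/notAfter lines into UTC-aware datetimes."""
    f = dict(l.split("=", 1) for l in dates_output.splitlines() if "=" in l)
    return tuple(datetime.strptime(f[k], FMT).replace(tzinfo=timezone.utc)
                 for k in ("notBefore", "notAfter"))

def validity_status(dates_output, now=None, warn_days=30):
    """'not yet valid', 'expired', 'expiring soon' or 'valid' at `now` (ISO string or datetime)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_dates(dates_output)
    if now < not_before:
        return "not yet valid"
    if now >= not_after:
        return "expired"
    if not_after - now < timedelta(days=warn_days):   # renew before the server starts refusing it
        return "expiring soon"
    return "valid"

def openssl(*args):
    """Run one openssl subcommand; returns (exit code, stdout+stderr)."""
    p = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr

def preflight(cert, intermediate):
    """Checks 1-3 from the list above, run locally before trying s_client."""
    report = {}
    # 1: expired (or not yet valid) certificate
    rc, out = openssl("x509", "-in", cert, "-noout", "-dates")
    report["validity"] = validity_status(out) if rc == 0 else "unreadable: " + out.strip()
    # 2: assumed requirement for an RSA key, per 'Client Certificate Types: RSA sign' above
    rc, out = openssl("x509", "-in", cert, "-noout", "-text")
    report["rsa_key"] = rc == 0 and "Public Key Algorithm: rsaEncryption" in out
    # 3: missing intermediate; verify reports 'unable to get local issuer certificate' if so,
    #    with the intermediate supplied in its own file rather than bundled into the cert
    rc, out = openssl("verify", "-CAfile", intermediate, cert)
    report["chain"] = "ok" if rc == 0 else out.strip()
    return report
```

`preflight("/path/to/cert.pem", "/path/to/intermediateCA.pem")` returns a small report you can read before spending time on the live handshake.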
