§2023-008-02
- Generating the X.509 Certificates
- Generate an X.509 certificate for hc4MnMin.yushei.net, 192.168.48.239
¶ Go to orgpi5Arch.yushei.net
[alexlai@orpi5Arch ~]$ mkdir x.509 && cd $_
[alexlai@orpi5Arch x.509]$ pwd
/opt/xfs/home/alexlai/x.509
$ ./genCertificate.sh hc4MnMin.yushei.net
....
Certificate request self-signature ok
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
Enter pass phrase for mongoCA.key:
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh hc4Jammy.yushei.net.pem mongoCA.crt mongoCA.srl orgpi5Jammy.yushei.net.pem
h2Jammy.yushei.net.pem hc4MnMin.yushei.net.pem mongoCA.key orgpi5Arch.yushei.net.pem
¶Step 2. Move the keys into the /opt/xfs/mongodb/x.509 directory
As a convention:
- /opt/xfs/mongodb/data/ stores the databases, i.e.
- /opt/xfs/mongodb/data/data-27999/ is the directory holding the mongod instance on port 27999
- data-27999 has to be created first and owned by mongodb:mongodb
- /opt/xfs/mongodb/log/ is the directory holding all log files
- /opt/xfs/mongodb/log/mongod-27999.log is for the mongod running on port 27999; create it with
  sudo touch /opt/xfs/mongodb/log/mongod-27999.log
  and chown it to mongodb:mongodb
- /opt/xfs/mongodb/x.509/ holds the CA certificate and the server PEM
[alexlai@hc4MnMin ~]$ sudo mkdir /opt/xfs/mongodb/data/data-27999
[alexlai@hc4MnMin ~]$ sudo chown mongodb:mongodb /opt/xfs/mongodb/data/data-27999/
[alexlai@hc4MnMin ~]$ sudo ls -l /opt/xfs/mongodb/data/
total 0
drwxr-xr-x 2 mongodb mongodb 6 Aug 2 04:47 data-27999
[alexlai@hc4MnMin ~]$ sudo touch /opt/xfs/mongodb/log/mongod-27999.log
[alexlai@hc4MnMin ~]$ sudo chown mongodb:mongodb /opt/xfs/mongodb/log/mongod-27999.log
[alexlai@hc4MnMin ~]$ sudo ls -l /opt/xfs/mongodb/log/
total 0
-rw-r--r-- 1 mongodb mongodb 0 Aug 2 04:50 mongod-27999.log
$ sudo mkdir /opt/xfs/mongodb/x.509
$ sudo chown mongodb:mongodb /opt/xfs/mongodb/x.509/
$ ls -l /opt/xfs/mongodb/
total 0
drwxr-xr-x 2 mongodb mongodb 6 Aug 1 10:11 data
drwxr-xr-x 2 mongodb mongodb 6 Aug 1 10:11 log
drwxr-xr-x 2 mongodb mongodb 6 Aug 2 04:33 x.509
¶Step 3. get X.509 from orgPi5Arch.yushei.net
[alexlai@hc4MnMin ~]$ pwd
/home/alexlai
$ scp orgpi5Arch.yushei.net:/opt/xfs/home/alexlai/x.509/mongoCA.crt ./
$ scp orgpi5Arch.yushei.net:/opt/xfs/home/alexlai/x.509/hc4MnMin.yushei.net.pem ./
$ sudo mv mongoCA.crt /opt/xfs/mongodb/x.509/
$ sudo mv hc4MnMin.yushei.net.pem /opt/xfs/mongodb/x.509/
$ sudo chown mongodb:mongodb /opt/xfs/mongodb/x.509/*
$ ls -l /opt/xfs/mongodb/x.509/*
-rw-r--r-- 1 mongodb mongodb 6004 Aug 2 04:39 /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
-rw-r--r-- 1 mongodb mongodb 3601 Aug 2 04:38 /opt/xfs/mongodb/x.509/mongoCA.crt
¶Step 4. /etc/mongodb-27999.conf
# mongodb-27999.conf
# MuneTakaHome replicationSet
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /opt/xfs/mongodb/log/mongod-27999.log
# Where and how to store data.
storage:
dbPath: /opt/xfs/mongodb/data/data-27999/
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
# network interfaces
net:
port: 27999
bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
ssl:
mode: preferSSL
PEMKeyFile: /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
allowInvalidCertificates: false
allowInvalidHostnames: false
# clusterFile: /var/lib/mongodb/x.509/orgpi5Arch.yushei.net.pem
# PEMKeyPassword: TxxxxYxxLxx#1nnn
# clusterPassword: TxxxxYxxLxx#1nnn
# For new installation, security is turn off first
# security:
# authorization: enabled
# clusterAuthMode: x509
#operationProfiling:
replication:
replSetName: "MuneTakaHome"
#sharding:
## Enterprise-Only Options
#auditLog:
#snmp:
¶Step 4. /etc/systemd/system/Mongodb-27999.service
[Unit]
Description=MongoDB Database Server, port 27999, MuneTakaHome
Documentation=https://docs.mongodb.org/manual
After=network-online.target
Wants=network-online.target
[Service]
TimeoutStartSec=infinity
User=mongodb
Group=mongodb
Environment="OPTIONS=-f /etc/mongodb-27999.conf"
Environment="MONGODB_CONFIG_OVERRIDE_NOFORK=1"
ExecStart=/usr/local/bin/mongod $OPTIONS
RuntimeDirectory=mongodb
# file size
LimitFSIZE=infinity
# cpu time
LimitCPU=infinity
# virtual memory size
LimitAS=infinity
# open files
LimitNOFILE=64000
# processes/threads
LimitNPROC=64000
# locked memory
LimitMEMLOCK=infinity
# total threads (user+kernel)
TasksMax=infinity
TasksAccounting=false
# Recommended limits for mongod as specified in
# https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings
[Install]
WantedBy=multi-user.target
¶Step 5. Test run
$ sudo systemctl daemon-reload
$ sudo systemctl start Mongodb-27999.service
$ sudo systemctl status Mongodb-27999.service
If it is not running, check:
- journalctl -xfu Mongodb-27999.service
- sudo less /opt/xfs/mongodb/log/mongod-27999.log
$ sudo cat /opt/xfs/mongodb/log/mongod-27999.log
{"t":{"$date":"2023-08-02T05:00:28.233+08:00"},"s":"I", "c":"CONTROL", "id":20698, "ctx":"main","msg":"***** SERVER RESTARTED *****"}
{"t":{"$date":"2023-08-02T05:00:28.236+08:00"},"s":"I", "c":"NETWORK", "id":4915701, "ctx":"main","msg":"Initialized wire specification","attr":{"spec":{"incomingExternalClient":{"minWireVersion":0,"maxWireVersion":21},"incomingInternalClient":{"minWireVersion":0,"maxWireVersion":21},"outgoing":{"minWireVersion":6,"maxWireVersion":21},"isInternalClient":true}}}
{"t":{"$date":"2023-08-02T05:00:28.241+08:00"},"s":"E", "c":"NETWORK", "id":23248, "ctx":"main","msg":"Cannot read certificate file","attr":{"keyFile":"/opt/xfs/mogodb/x.509/hc4MnMin.yushei.net.pem","error":"error:FFFFFFFF80000002:system library::No such file or directory"}}
{"t":{"$date":"2023-08-02T05:00:28.242+08:00"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}
¶Step 5. Using mongosh to fine-tune mongod
[alexlai@hc4MnMin ~]$ mongosh mongodb://localhost:27999
Current Mongosh Log ID: 64c99184be140a8aa7dd9a71
Connecting to: mongodb://localhost:27999/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T07:12:18.078+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T07:12:20.571+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
2023-08-02T07:12:20.571+08:00: vm.max_map_count is too low
------
Ask ChatGPT
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh mongoCA.crt mongoCA.srl mongoCA.key openssl.cnf
And openssl.cnf has
[alexlai@orpi5Arch x.509]$ diff openssl.cnf /etc/ssl/openssl.cnf
164c164
< req_extensions = v3_req # The extensions to add to a certificate request
---
> # req_extensions = v3_req # The extensions to add to a certificate request
232,242d231
<
< # subjectAltName = @alt_names
<
< [ alt_names ]
< DNS.1 = orgPi5Arch.yushei.net
< DNS.2 = orgPi5Jammy.yushei.net
< DNS.3 = hc4MnMin.yushei.net
< DNS.4 = n2Mnjaro.yushei.net
And genCertificate.sh
#!/bin/bash
if [ "$1" = "" ]; then
echo 'hostname is fully qualified name, i.e. orgPi5Arch.yushei.net'
echo 'Please enter your hostname (CN):'
exit 1
fi
HOST_NAME="$1"
SUBJECT="/C=Tw/ST=Taiwan/L=Taichung/O=yushei.net/OU=ComputerDepartment/CN=$HOST_NAME"
# Generate the CSR with the SAN extension
openssl req -new -nodes -newkey rsa:4096 -subj "$SUBJECT" -keyout "$HOST_NAME.key" -out "$HOST_NAME.csr" -config openssl.cnf
# Sign the certificate with the SAN extension
openssl x509 -CA mongoCA.crt -CAkey mongoCA.key -CAcreateserial -req -days 395 -in "$HOST_NAME.csr" -out "$HOST_NAME.crt" -extensions v3_req -extfile openssl.cnf
# Concatenate the key and certificate into a PEM file
cat "$HOST_NAME.key" "$HOST_NAME.crt" > "$HOST_NAME.pem"
# Clean up temporary files
rm "$HOST_NAME.key" "$HOST_NAME.crt" "$HOST_NAME.csr"
And after running it:
[alexlai@orpi5Arch x.509]$ ./genCertificate.sh hc4MnMin.yushei.net
[alexlai@orpi5Arch x.509]$ ls
genCertificate.sh h2Jammy.yushei.net.pem hc4MnMajaro.yushei.net.pem mongoCA.crt mongoCA.srl orgpi5Arch.yushei.net.pem
genCertificate.sh.ori hc4Jammy.yushei.net.pem hc4MnMin.yushei.net.pem mongoCA.key openssl.cnf orgpi5Jammy.yushei.net.pem
$ mongosh mongodb://localhost:27999
Current Mongosh Log ID: 64c9b2ef9f247a0e8c044a5c
Connecting to: mongodb://localhost:27999/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T09:27:00.875+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T09:27:03.390+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
2023-08-02T09:27:03.391+08:00: vm.max_map_count is too low
------
test>
The mongoCA.key was generated by:
$ openssl genrsa -out mongoCA.key -aes256 8192
And mongoCA.crt was generated by:
$ openssl req -x509 -new -extensions v3_ca -key mongoCA.key -days 395 -out mongoCA.crt
How do I solve "Server certificate has no compatible Subject Alternative Name"?
mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem \
--tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt \
mongodb://hc4MnMin.yushei.net:27999 \
--authenticationDatabase '$external' \
--authenticationMechanism MONGODB-X509
My mongodb-27999.conf has
net:
port: 27999
bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
tls:
mode: requireTLS
certificateKeyFile: /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem
CAFile: /opt/xfs/mongodb/x.509/mongoCA.crt
mongod started OK, but
[alexlai@hc4MnMin x.509]$ mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem \
--tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt \
--authenticationDatabase '$external' \
--authenticationMechanism MONGODB-X509 \
mongodb://hc4MnMin.yushei.net:27999
Current Mongosh Log ID: 64c9bf6bd0f77fcecb9eee4e
Connecting to: mongodb://hc4MnMin.yushei.net:27999/?directConnection=true&tls=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Fhc4MnMin.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1
Using MongoDB: 7.0.0-rc8
Using Mongosh: 1.10.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------
The server generated these startup warnings when booting
2023-08-02T10:19:15.676+08:00: Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2023-08-02T10:19:18.144+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
2023-08-02T10:19:18.144+08:00: vm.max_map_count is too low
------
test>
$ mongosh --tls --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/hc4MnMin.yushei.net.pem \
--tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt \
--authenticationDatabase '$external' \
--authenticationMechanism MONGODB-X509 \
mongodb://hc4MnMin.yushei.net:27999
Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
[alexlai@orpi5Arch x.509]$ openssl x509 -text -noout -in hc4MnMin.yushei.net.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
50:af:6d:e4:d7:38:46:72:0e:fe:c3:0c:b8:06:38:03:98:aa:00:9c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
Validity
Not Before: Aug 2 02:49:53 2023 GMT
Not After : Aug 31 02:49:53 2024 GMT
Subject: C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
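The certificate above is version 1 and carries no Subject Alternative Name, which is exactly what the mongod startup warning reports; the page's openssl.cnf still has its subjectAltName line commented out. The script below is an added example, not the page's genCertificate.sh or openssl.cnf: it issues a CA-signed PEM whose SAN names the host, then gives two pre-flight checks for the two failures seen on this page, a PEM without the SAN and a mongod conf pointing at an unreadable (mistyped) path. The mongoCA.crt/mongoCA.key file names and the subject come from the page; the script name mk_san_cert.sh, the function names and the extension values are assumptions, and openssl 1.1.1 or newer is required for -ext.

```shell
#!/bin/bash
# Added example (not the page's genCertificate.sh/openssl.cnf). Issues a CA-signed
# server cert whose SAN names the host, then pre-flight checks a PEM for the SAN
# and a mongod conf for readable certificate paths. Assumes openssl >= 1.1.1.
set -eu
# write_ext_file FQDN OUT: v3_req section plus the subjectAltName line that the
# page's openssl.cnf leaves commented out.
write_ext_file() {
  cat > "$2" <<EOF
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$1
EOF
}

# gen_san_cert FQDN CA.crt CA.key OUT.pem: key + cert concatenated into OUT.pem,
# the layout mongod's certificateKeyFile expects; scratch files are removed.
gen_san_cert() {
  host=$1; cacrt=$2; cakey=$3; out=$4; ext=$(mktemp)
  write_ext_file "$host" "$ext"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$host.key" -out "$host.csr" \
    -subj "/C=Tw/ST=Taiwan/L=Taichung/O=yushei.net/OU=ComputerDepartment/CN=$host"
  openssl x509 -req -days 395 -in "$host.csr" -CA "$cacrt" -CAkey "$cakey" \
    -CAcreateserial -extensions v3_req -extfile "$ext" -out "$host.crt"
  cat "$host.key" "$host.crt" > "$out"
  rm -f "$host.key" "$host.crt" "$host.csr" "$ext"
}

# cert_has_san FILE FQDN: succeeds only if the cert lists DNS:FQDN in its SAN.
cert_has_san() {
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null | grep -qw "DNS:$2"
}

# check_conf_paths CONF: succeeds only if every certificateKeyFile/CAFile/
# PEMKeyFile value in the mongod conf is a readable file (catches /opt/xfs/mogodb).
check_conf_paths() {
  rc=0
  for f in $(awk '/^[[:space:]]*(certificateKeyFile|CAFile|PEMKeyFile):/ {print $2}' "$1"); do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; rc=1; }
  done
  return $rc
}
# Stand-alone: ./mk_san_cert.sh hc4MnMin.yushei.net   (mongoCA.crt/.key in cwd)
if [ $# -gt 0 ]; then
  gen_san_cert "$1" mongoCA.crt mongoCA.key "$1.pem"
  cert_has_san "$1.pem" "$1" && echo "$1.pem: SAN ok"
fi
```

Run check_conf_paths against /etc/mongodb-27999.conf and cert_has_san against the PEM as the mongodb user before systemctl start; a failure here is the "Cannot read certificate file" or SAN warning you would otherwise only see in mongod-27999.log.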
$ openssl s_client -connect hc4MnMin.yushei.net:27999 -CAfile /opt/xfs/mongodb/x.509/mongoCA.crt -tls1_2 -cipher AES256-SHA256
CONNECTED(00000003)
depth=1 C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
verify return:1
depth=0 C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
verify return:1
---
Certificate chain
0 s:C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
i:C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 2 02:44:21 2023 GMT; NotAfter: Aug 31 02:44:21 2024 GMT
1 s:C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
i:C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
a:PKEY: rsaEncryption, 8192 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 29 02:04:32 2023 GMT; NotAfter: Aug 27 02:04:32 2024 GMT
---
Server certificate
subject=C = Tw, ST = Taiwan, L = Taichung, O = yushei.net, OU = ComputerDepartment, CN = hc4MnMin.yushei.net
issuer=C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
---
Acceptable client certificate CA names
C = TW, ST = Taiwan, L = Taichnug, O = "YuShei Ltd.,", OU = Computer Department, CN = orgpi5Arch.yushei.net, emailAddress = alexlai@munetaka.me
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
---
SSL handshake has read 5222 bytes and written 766 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 04AE09A99E3DB8F0C45CC9200FBD13CF6A46F25A8C21913623F565BC0D119F6C
Session-ID-ctx:
Master-Key: E8FCF820944DE137FE299AB269E7C816C9873EE828D96D4CE1F0649F7DE91A6BE7FBB7376E912D5157222B843C44E16C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1690952123
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
2090FD97FFFF0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:303: