Python SSL Socket certificate-private keys mismatch doesn't give error?

Question:

enthusiasts!

Short version:
I can change the private keys so that they do not match the certificates and the ssl handshake and messages still go through.

Long version:
I have set up a simple client-server Python SSL socket. The client is on a laptop and the server is on a NUC (Next Unit of Computing). I wanted to make sure that the client verifies the server through certificates and the other way around, so that the server verifies the client through certificates. This means we have generated two sets of certificate-private key pairs.
The certificate-private key pairs were both generated with the OpenSSL command below; the config file is just used to specify the IP address:

sudo openssl req -x509 -days 730 -newkey rsa:2048 -keyout key_ip_client.pem -out cert_ip_client.pem -config san_client_cert.cnf -nodes

And so we have the client with the code below:


import socket
import ssl
import json


# NOTE: on Python 3.7+ this override has no effect; hostname matching is done by
# OpenSSL, so server_hostname below must match a SAN entry in cert_ip.pem.
ssl.match_hostname = lambda cert, hostname: True


HOST = "forum_hidden"
PORT = forum_hidden
client_key = 'key_ip_client.pem'
client_cert = "cert_ip_client.pem"
# PROTOCOL_TLS_CLIENT turns on check_hostname and verify_mode=CERT_REQUIRED by default.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
#context.load_verify_locations("./selfsigned.crt")
context.load_verify_locations("./cert_ip.pem") # Check the server certificate against this
context.load_cert_chain(certfile=client_cert, keyfile=client_key) # Client cert + key for mutual TLS


# Below follows a message represented as a dictionary, where "security_classification" can be
# COSMIC_TOP_SECRET, NATO_SECRET, NATO_CONFIDENTIAL, NATO_RESTRICTED, NATO_UNCLASSIFIED,
# followed by the message itself.
m = {"security_classification": "COSMIC_TOP_SECRET", "message": "Here comes something cosmically secret!"} # a real dict.


class_data = json.dumps(m)
class_data_bytes = bytes(class_data, 'utf-8')
print("Data to be sent is: "+class_data)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    # wrap_socket() runs the TLS handshake (including certificate verification) on connect()
    with context.wrap_socket(s, server_hostname="192.168.0.14") as ssock:
        ssock.connect((HOST,PORT))
        ssock.sendall(class_data_bytes)
        data = ssock.recv(1024)

print(f"Received {data!r}")
data_decoded = data.decode('utf-8')
print(f"Received decoded {data_decoded!r}")
load_dict = json.loads(data_decoded)
print(load_dict["security_classification"])

And we have the server code below:

import socket
import ssl

HOST = "hidden_in_forum"
#HOST = socket.gethostname()
print(f"The given host name to server is: {HOST}")
PORT = hidden_in_forum

# Purpose.CLIENT_AUTH gives a server-side context; CERT_REQUIRED makes the client certificate mandatory.
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile="cert_ip.pem", keyfile="key_ip.pem", password=None) # Server cert + key
context.load_verify_locations(cafile="cert_ip_client.pem") # Verify the client certificate against this
#context.load_cert_chain("public.pem",keyfile="private.pem",password=None)


with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST,PORT))
    s.listen()
    with context.wrap_socket(s, server_side=True) as ssock:
        conn, addre = ssock.accept()   # the TLS handshake happens inside accept()
        with conn:
            print(f"Connected by {addre}")
            while True:
                data = conn.recv(1024)
                if not data:
                    break
                print(f"Received message: {data}")
                conn.sendall(data)     # echo the message back

NOW! If we change the keyfile (the private key of the certificate) of either the server or client so that it is a private key of another certificate (newly generated for test purpose), the message still goes through!

I thought the private key was needed to make sure the handshake worked, but when I look at Wireshark (see included image), it seems like a handshake is still made.
What have I missed? I now assume that my "secure SSL" channel is actually not that secure!

Thanks a lot!

Cheers
E
Wireshark screenshot of the packets in the SSL handshake; I am not allowed to include images directly in the post yet.

Update:
By request from Steffen Ullrich I will supply the certificates I used. To clarify: somehow, I now get the mismatch error when I have the old certificate and a new private key, so that is good, BUT. On the server side I tried to have the old certificate and the old private key, but I modified the old private key by just one letter, a g to a G, and then it still works. I will show you below, but first the client and server certificates and keys:

Client Certificate:

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Client private key:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCc78JI7H/kjI4y
6DgF1mIbla2dgzCF4f2nEJDSbr6NRD9cD/gpNuNE4kLGgIAL2WwoxD9DJ7k5BQKT
9DtYsL/aGssGpu3bZ5hTL2atOU+BGigoLio9LddEPjiNm204QFbivXIZO2PeTqQ9
EnyKEntT8VfiJoCXxIeFvnnVgMm/+8GZTDKx8KmXL+pSvbdAsoncXaU0sgzxtgfE
OqJg9GTdYgbxxtmnwWDaU24fg9dYKLJ9thjWR+EsBg4IGwOCMBedl72GQ29ToNkG
9w5pfhYoVM3JSg5LvPtd58iT//fwxGWfH6Zw/ltlE/JATvDFRqdUdZA81AxFDVOz
nvbYtAuDAgMBAAECggEAGC4Ct7ykmeCkGijYVOHqnMhrhwzLAZ3HuKFfRuTkPBzL
TFJzkFoSGy9nTXFICUtXFFLkUmMA8U2Zz5T+PdSBwseFB4HZvQfRmuN/ROpDGyee
D07JmEKDW9LgYMUVR2j2WhoJReT2Jq7kNDqwcI+Xa+AQA9qdzoRrwwoNeH1O2GLi
az4ivbAta6GFm95+H/Vz2y8sofptVWazKdohsshHMnW4SNGErboDluvXuh9l11RN
8P0ZjHpFvh0LvpLSofRL6msjIgoWRHDVHZIY6Uml9WtPEaGMvqWFdmj6IWeRuNbW
QaZSzJtZPX6RuSDqVCjKBPBYusl/k5cNxLh6wPpSKQKBgQDP6TwluVZIL+2putcS
Wnkr8LBspoUzYZE2462tGsz16Z9KfNwvCiz5ggnzIopYMNYHXT4bBOWvn9Y8V/M6
8lbT1ZKz0tvCWKqLqDYw9BRphsvOd4eQPxv6LLHs52yXglvzgM36itLaNIh2QPdI
RZjxdOPpYhQrz6hPcWGQU6j2GQKBgQDBPDysCgKDr2oTVCSbR3Z8CUm3PU+WhZve
/1JKWPql77gRsR810lWCDkIwDw+HeesvIajE8xg72z4B8bQRZ/uyepqBC2/h2lfb
wQP2NLX+I3lkmvnDwHzZSeSTcmyIcLntYlauEYt7SVHDX42FdZKNlPjB486vsLEH
J5m18D7p+wKBgAuBofWIg1Dtbh7Fm1+FqE0ZPfpVYOvOC4ZZJWR+Jje53Tn3HQxx
aLnKS5isIbHtyfqQW36NT9TfaLDgQTLS9KE2oa7YDZd85rth7NXavEJ21lKv5M3D
4F2BGbu9txHPgh1A1KV4B2FSJPc+czEJwQQj7vUcm3ctP+hdowOkzaYJAoGAUvh2
ZLh3k+uB9IKwpSvuKBwk1tUwk0UTRJEE2H+UQCPKOW6AJDAIHyvYJ6KP3G/xF++v
88EdqrXcziDmXIL1hBE4vigXBjcmemlKNjEz48d/nD8e93pzISmlR9pd18fvTYpo
BZ3q8ijtPqKMtb1iDADnPvl+CdooaRYL3h8mJHkCgYEAklY+nvcwmKldPyM3fHH+
iQHozupMVwSdDG/aKU3qDgpAaENGsSmrNZooM0vbkU4VqBq0cSKEboAYoM9vv2cp
fyxu8nd5k3LMk4k2rXllaGJDxJkXYiNUAxxjnhqXyaSq2KU1r9Ymk6rQgj6Oiif3
zs6G8ulY5mzd/P4nO1pPU2E=
-----END PRIVATE KEY-----

And the server certificate:

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

And the server private key:

-----BEGIN PRIVATE KEY-----
…
-----END PRIVATE KEY-----

And the newly generated private key that now, as expected, throws a mismatch error:

-----BEGIN PRIVATE KEY-----
…
-----END PRIVATE KEY-----


And the modification of the server's private key (shown above), where the second-to-last line's "g" has been replaced with a "G". This does not throw a mismatch error on the server side! So it seems like the private key can be altered in a small way and still work?

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCR5/Th+AAxyt0O
7rsg44ei5dBKfnsVbZy0INpgKPes0jXECt8q1cPaobWUJzwJv2RQpgqgCXW6O5yT
Km9qkLibt5QYEHYSO+HKpJCzPCF2FU1JkCec9Hk18smqnFhmEkh9SvZxk+VjV1i6
q/PT6evZRiL9UmioZaOKnIsugLT5quJLJ8CZ/WI8t+4eL8kz40ktQ0onmYDtFGqF
I34qlssg/EEEe9WMgjMm9TNY93uEGzMW3Qbzr72FYFri5fhwmdAlgk3vQN7V0s+a
ULqD+NpWW++pkXcPa4pH+YdUfhbY3+3eKBtX1sDSH/x+FaNFWWyGRzBZWu33/tJJ
uoKNFywLAgMBAAECggEAGV2Tj6NfWUi01K9BPg8AWhwM8Z56hHepahFaFaSZpmRn
L31aXeaK5Zv+ZtLJV8J7zJ+JMlhirK1HY7hZZVPinEO2jdZyyGm7r9CbTWWzRYWf
iZ3znRBNcEkUsUH8BkbAbnPVU1qMYxBg3xcczScaNww/8f1dL4V4AJWFhuCeVdcR
tJIWFvGZ9akUiHqR7xB0HUPL8S6pLH9MUGp9KfH4XOb+QWwwkZig9R1zTzXyD/Gj
lPGkmff9qPCy0F7ooYftOmHr0EGcUgOTG60s9faezkR96Y86PsJVlFMskhKLdSI0
t0xoCp3ZzNWcpyOhj/scVEglH7cYGlmfQnYicKslwQKBgQC3Xye9kxScpQJ3iHeZ
qmqhnr4BwMVmm6OPKEuiC4jFv6v87C+EociCmxZDgfEgYVYll7Z/HFnFr7o/JM5h
tBIUYBXuQpAao81hK0XBSHCQUd8qTiFa/P2aBTeOM6YaC25k0MCVXYAchtsGwdQa
FGqDeGGjWng0E1kYgWlcIR7HSwKBgQDLsgBKAXetMlm6uHoEHNvidyTJBpG4tZ6K
XleBET6dS6r9+KEdNZwkSimXd0dlwT/9svs4gDL7JnkNasLTHKPNeEL4ZF1ZQ0p8
qYXui6Hi7rgyf7u+mfi7nMj8XpjWfStkAx9BbLJUBP/soTsPcMwfGDMDvGgG/EHW
Z/M1qP52QQKBgEytEWUH93p41Us+WSR8ShJC2pjJDsIVGpNl+hpMUGi/+R7NdCE1
tS5Hw0t/LmCn0untQnZsWG19SZfVwCbCsTyr4P+7/Z3mGJ8lBQoJTGhMk9CQ0wnE
+BZLUCu6FR6W4RZu49iRPFyxVyzAJ/yvxMossEcqMVE1NfA1TOUlREV5AoGBAMcg
XL38D0VmOmeZndZVa/NIq9JFNMFP8wurTHmlJQPaC++5Va9bUCf9xAkJFuf3choO
FR7X3H6+zon6Ozjr/4mGrllqrALuEGwrwP1AzWIuIi1jx2J93LVzgNuNknXj6T4c
+zoXC4GtXY6y0yy2BSXEn2JglYV2ptn1xsFHUnLBAoGAV0ms5DF4tuSX6S7yzHYP
1/uJ9zQiTUvv/7ZeZsoNCnC8+JJ8GkfEW4PwAv3fQyHRV5lcSyv1vaoxiveCCSUG
lqMGkGpKWFzamJu2qAgwTVtd/suXxO0M8Q36ycG/xMMR36Yzg6QclLUapDyEdsPG
tk9BEpc7Tc/GMykTW1j6fHo=
-----END PRIVATE KEY-----

And so I wonder: is it natural that we can tamper with the private key and still have it work?

Thanks!

Cheers
E

Asked By: ZebraFishy


Answers:

Short version: I can change the private keys so that they do not match the certificates and the ssl handshake and messages still go through.

This is a misleading summary. What was actually done based on the updated question were not arbitrary changes to the private keys, but a very specific change:

And the modification of the server's private key (shown above), where the second-to-last line's "g" has been replaced with a "G". This does not throw a mismatch error on the server side!

Looking at the details with openssl rsa -in key.pem -text one can see that the change was done in the coefficient of the key. But, this part might not even be used, depending on the implementation. To cite from an answer in Can an altered RSA private key still work as the original?:

… most RSA implementations won’t actually use all the values in the private key file. In particular, most RSA implementations using the CRT (Chinese remainder theorem) won’t actually use the or values in the key file for decryption, since they don’t need them. And conversely, any implementations that use straight modular exponentiation will generally only use and and ignore the rest.

In this specific case and were not changed, only CRT.

So it seems like the private key can be altered in a small way and still work?

Some changes might be possible, i.e., in places which are not used for computation in the specific implementation. But this does not mean that arbitrary changes are possible.

Answered By: Steffen Ullrich
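The following script is an added example and not code from the question or the answer. It covers both points of the thread: the pre-deployment check the question's client/server setup is missing (does the key file still hang together before `load_cert_chain()` sees it?) and the answer's observation that straight RSA uses only d and n while CRT uses only p, q, dP, dQ and qInv. It is stdlib-only: a small DER reader pulls the components out of an unencrypted two-prime PKCS#8 key (the kind `openssl req -newkey rsa:2048 -nodes` writes), `rsa_consistency_issues()` tests the PKCS#1 relations between them, and `tamper_demo()` flips one bit of one component of a constructed toy key (two small fixed primes and a fixed plaintext, far too small for real use) and shows which decryption path notices. It is run on the client private key posted in the question; the function and field names are my own.

```python
import base64
# Minimal DER reader (stdlib only): SEQUENCE/SET -> list of children, INTEGER -> int, else raw bytes.
def der_parse(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    body, end = buf[pos:pos + length], pos + length
    if tag in (0x30, 0x31):                 # SEQUENCE / SET
        children, p = [], 0
        while p < len(body):
            child, p = der_parse(body, p)
            children.append(child)
        return (tag, children), end
    if tag == 0x02:                         # INTEGER
        return (tag, int.from_bytes(body, "big", signed=True)), end
    return (tag, bytes(body)), end

def load_pkcs8_rsa(pem):
    """RSA components of an unencrypted PKCS#8 'BEGIN PRIVATE KEY' file (two-prime keys only)."""
    b64 = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    (_, outer), _ = der_parse(base64.b64decode(b64))
    (_, rsa), _ = der_parse(outer[2][1])    # outer[2]: OCTET STRING wrapping RSAPrivateKey
    values = [v for _, v in rsa][1:9]       # [0] is the version INTEGER
    return dict(zip(("n", "e", "d", "p", "q", "dp", "dq", "qinv"), values))

def rsa_consistency_issues(k):
    """Relations every RSA private key must satisfy; returns the names of those that fail."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    checks = [("n != p*q", p * q == n),
              ("e*d != 1 mod lcm(p-1, q-1)", (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1),
              ("dP != d mod (p-1)", k["dp"] == d % (p - 1)),
              ("dQ != d mod (q-1)", k["dq"] == d % (q - 1)),
              ("qInv != q^-1 mod p", (q * k["qinv"]) % p == 1)]
    return [name for name, ok in checks if not ok]

def decrypt_plain(c, k):
    """Straight modular exponentiation: uses only d and n."""
    return pow(c, k["d"], k["n"])

def decrypt_crt(c, k):
    """CRT (Garner) decryption: uses only p, q, dP, dQ and qInv, never d or n."""
    m1, m2 = pow(c, k["dp"], k["p"]), pow(c, k["dq"], k["q"])
    h = (k["qinv"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]

def make_toy_key(p=1299709, q=104729, e=65537):
    """Constructed demo key from two small fixed primes (far too small for real use)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def tamper_demo(msg=123456789):
    """Flip one bit of one component and see which decryption path still works."""
    key = make_toy_key()
    c = pow(msg, key["e"], key["n"])        # msg is a constructed plaintext below n
    results = {}
    for label, field in (("intact", None), ("qInv tampered", "qinv"), ("d tampered", "d")):
        k = dict(key)
        if field:
            k[field] ^= 1                   # the smallest edit possible, like one changed character
        results[label] = {"issues": rsa_consistency_issues(k),
                          "plain_ok": decrypt_plain(c, k) == msg,
                          "crt_ok": decrypt_crt(c, k) == msg}
    return results

# The client private key exactly as posted in the question above.
CLIENT_KEY_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCc78JI7H/kjI4y
6DgF1mIbla2dgzCF4f2nEJDSbr6NRD9cD/gpNuNE4kLGgIAL2WwoxD9DJ7k5BQKT
9DtYsL/aGssGpu3bZ5hTL2atOU+BGigoLio9LddEPjiNm204QFbivXIZO2PeTqQ9
EnyKEntT8VfiJoCXxIeFvnnVgMm/+8GZTDKx8KmXL+pSvbdAsoncXaU0sgzxtgfE
OqJg9GTdYgbxxtmnwWDaU24fg9dYKLJ9thjWR+EsBg4IGwOCMBedl72GQ29ToNkG
9w5pfhYoVM3JSg5LvPtd58iT//fwxGWfH6Zw/ltlE/JATvDFRqdUdZA81AxFDVOz
nvbYtAuDAgMBAAECggEAGC4Ct7ykmeCkGijYVOHqnMhrhwzLAZ3HuKFfRuTkPBzL
TFJzkFoSGy9nTXFICUtXFFLkUmMA8U2Zz5T+PdSBwseFB4HZvQfRmuN/ROpDGyee
D07JmEKDW9LgYMUVR2j2WhoJReT2Jq7kNDqwcI+Xa+AQA9qdzoRrwwoNeH1O2GLi
az4ivbAta6GFm95+H/Vz2y8sofptVWazKdohsshHMnW4SNGErboDluvXuh9l11RN
8P0ZjHpFvh0LvpLSofRL6msjIgoWRHDVHZIY6Uml9WtPEaGMvqWFdmj6IWeRuNbW
QaZSzJtZPX6RuSDqVCjKBPBYusl/k5cNxLh6wPpSKQKBgQDP6TwluVZIL+2putcS
Wnkr8LBspoUzYZE2462tGsz16Z9KfNwvCiz5ggnzIopYMNYHXT4bBOWvn9Y8V/M6
8lbT1ZKz0tvCWKqLqDYw9BRphsvOd4eQPxv6LLHs52yXglvzgM36itLaNIh2QPdI
RZjxdOPpYhQrz6hPcWGQU6j2GQKBgQDBPDysCgKDr2oTVCSbR3Z8CUm3PU+WhZve
/1JKWPql77gRsR810lWCDkIwDw+HeesvIajE8xg72z4B8bQRZ/uyepqBC2/h2lfb
wQP2NLX+I3lkmvnDwHzZSeSTcmyIcLntYlauEYt7SVHDX42FdZKNlPjB486vsLEH
J5m18D7p+wKBgAuBofWIg1Dtbh7Fm1+FqE0ZPfpVYOvOC4ZZJWR+Jje53Tn3HQxx
aLnKS5isIbHtyfqQW36NT9TfaLDgQTLS9KE2oa7YDZd85rth7NXavEJ21lKv5M3D
4F2BGbu9txHPgh1A1KV4B2FSJPc+czEJwQQj7vUcm3ctP+hdowOkzaYJAoGAUvh2
ZLh3k+uB9IKwpSvuKBwk1tUwk0UTRJEE2H+UQCPKOW6AJDAIHyvYJ6KP3G/xF++v
88EdqrXcziDmXIL1hBE4vigXBjcmemlKNjEz48d/nD8e93pzISmlR9pd18fvTYpo
BZ3q8ijtPqKMtb1iDADnPvl+CdooaRYL3h8mJHkCgYEAklY+nvcwmKldPyM3fHH+
iQHozupMVwSdDG/aKU3qDgpAaENGsSmrNZooM0vbkU4VqBq0cSKEboAYoM9vv2cp
fyxu8nd5k3LMk4k2rXllaGJDxJkXYiNUAxxjnhqXyaSq2KU1r9Ymk6rQgj6Oiif3
zs6G8ulY5mzd/P4nO1pPU2E=
-----END PRIVATE KEY-----"""

if __name__ == "__main__":
    print("posted client key issues:", rsa_consistency_issues(load_pkcs8_rsa(CLIENT_KEY_PEM)))
    print(tamper_demo())
```

With the toy key, the tampered-qInv variant decrypts correctly through the plain path and wrongly through the CRT path, while the tampered-d variant does the opposite, which is the answer's point in runnable form. `load_cert_chain()` (OpenSSL underneath) only compares the public part of the key, n and e, against the certificate, so it reports a fresh key as KEY_VALUES_MISMATCH but says nothing about a damaged CRT coefficient; the relation checks above, or `openssl rsa -check -noout -in key_ip.pem`, are what catch that.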