SSL Problems
Identifying and Solving Certificate Problems
Identifying and Solving ACLFile Problems
 

- If you are experiencing problems during SSL connect/accept, the problem may be related to your
    certificates and/or your ACLFile.  All of these files should be located in the nettest/release/ folder,
    where the lblnettest executable is run.
- To turn on debugging information for SSL, edit the file nettest/src/common/securetcp.cc and
    change the debugging level in the constructor to something greater than zero (e.g. 5).

    // The second MyDebug argument is the debug level; any value greater than 0 (here 5)
    // turns on the "SecureTcp: :" trace lines shown in the example output below.
    SecureTcp::SecureTcp()
        : MyDebug("SecureTcp: ", 5), func( NULL ),
          mCertfilename( "nettest.pem" ), mKeyfilename( "key.pem" )
    {
    }

1.  Identifying and Solving Certificate Problems:
- First, check that your CA.pem and certificates are valid:

%openssl verify -CAfile CA.pem CA.pem
CA.pem: OK

%openssl verify -CAfile CA.pem nettest.pem
nettest.pem: OK

%openssl verify -CAfile CA.pem client.pem
client.pem: OK

- You can examine the text of the certificate and check the Validity field.  If you have more
    than one CA in the CA.pem file, make sure you're looking at the text of the right one.
%openssl x509 -text -in CA.pem | more

- If there is a problem, you will need to generate new certificates using OpenSSL.
 

Example output: Invalid Certificate
Master/Server Side
 

boverhof@scott(7)%lblnettest -s
Opening connect to netlog message server host scott.lbl.gov, port 14830
connect: Connection refused
NetLoggerOpen(); NetLogOpen failed
Enter Your Passphrase: 
SecureTcp: : In init and mIsServer = 1
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is nettest.pem
SecureTcp: : key file name is key.pem
SecureTcp: : At the end of init remoteHost = 

----------------------------------------------------
   Reporting Results 
        By default results are printed on the screen 
        and NetLogger recording is disabled 

----------------------------------------------------

Enter [y] to specify test output or return [] for defaults:

****************************************
  Iperf  Netlogger output:  0
         print     output:  1
  Ping   Netlogger output:  0
         print     output:  1
****************************************

SecureTcp: : Called accept with infinite timeout
SecureTcp: : SecureTcp::doAccept()--calling  select()
SecureTcp: : SecureTcp::doAccept--select() returned 1
SecureTcp: : SecureTcp::doAccept--calling accept()
SecureTcp: : mNewsock= 4
SecureTcp: : SecureTcp::doAccept--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doAccept--SSL_new(mCtx_p) returned mCon_p = 0x812dc10
SecureTcp: : SecureTcp::doAccept()--calling SSL_set_fd()
SecureTcp: : SSL connection using (NONE)
ERROR - SecureTcp: : didn't get the peer certificate
host: requestcoordcon Accept failed
boverhof@scott(8)%
 
Requestor/Client Side
 

boverhof@snidely(127)%lblnettest -h scott -c client.pem -k  client.key
Opening connect to netlog message server host snidely, port 14830
Enter Your Passphrase: 
SecureTcp: : In init and mIsServer = 0
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is client.pem
SecureTcp: : key file name is client.key
SecureTcp: : At the end of init remoteHost = scott

----------------------------------------------------
   Reporting Results 
        By default results are printed on the screen 
        and NetLogger recording is disabled 

----------------------------------------------------

Enter [y] to specify test output or return [] for defaults:

****************************************
  Iperf  Netlogger output:  0
         print     output:  1
  Ping   Netlogger output:  0
         print     output:  1
****************************************

SecureTcp: : SecureTcp::doConnect--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doConnect--SSL_new(mCtx_p) returned mCon_p = 0x812d240
SecureTcp: : SecureTcp::doConnect()--calling SSL_set_fd()
SecureTcp: : mySock.getSock = 4
SecureTcp: : SSL_set_fd
SecureTcp: : SecureTcp::doConnect()--calling SSL_connect()
SecureTcp: : SSL_connect
SecureTcp: : **after connect err=-1
SSL_ERROR_SSL
ERROR: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL_connect: Success
boverhof@snidely(128)%
 
2.  Identifying and Solving ACLFile Problems:
- Compare each certificate's Subject line with the ACLFile entries.  One entry should match; if none
    does, you'll need to create a new entry in the ACLFile.  This entry needs to match the client
    certificate's subject line as printed by the server in the example output below
    (Failure to have relevant permissions in ACLFile).

boverhof@wile(120)%openssl x509 -text -in client.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=CA
        Validity
            Not Before: Jan  4 16:49:05 2001 GMT
            Not After : Apr  4 16:49:05 2001 GMT
        Subject: C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=Client

- Entries in ACLFile:  An entry in this file must contain the client certificate's subject line in the
    format below.

boverhof@taz(7)%more ACLFile
name /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client
rights read, write, execute
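The two manual checks above, reading the Validity field from section 1 and comparing the certificate's Subject line against the ACLFile entries from section 2, can be scripted. The following Python is an added example, not part of lblnettest; it uses the certificate text and ACLFile from this page as constructed input, and assumes the legacy comma-separated subject format openssl prints above and an ACLFile made of `name` / `rights` line pairs.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, copied from the openssl x509 -text and ACLFile listings on this page.
CERT_TEXT = """Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=CA
        Validity
            Not Before: Jan  4 16:49:05 2001 GMT
            Not After : Apr  4 16:49:05 2001 GMT
        Subject: C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=Client
"""
ACL_TEXT = """name /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client
rights read, write, execute
"""

def text_field(cert_text, label):
    """Return the value of a 'Label: value' line from openssl x509 -text output."""
    m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(label), cert_text, re.M)
    if not m:
        raise ValueError("missing field: " + label)
    return m.group(1)

def to_slash_dn(comma_dn):
    """'C=US, ST=CA, ..., CN=Client' -> '/C=US/ST=CA/.../CN=Client' (the ACLFile name format)."""
    return "/" + "/".join(part.strip() for part in comma_dn.split(","))

def cert_is_valid_at(cert_text, when_iso):
    """Section 1 check: is the ISO-8601 instant (taken as UTC) inside the Validity window?"""
    def parse(s):  # openssl prints e.g. 'Apr  4 16:49:05 2001 GMT'
        return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    when = datetime.fromisoformat(when_iso).replace(tzinfo=timezone.utc)
    return parse(text_field(cert_text, "Not Before")) <= when <= parse(text_field(cert_text, "Not After"))

def parse_aclfile(acl_text):
    """Parse 'name <DN>' / 'rights a, b' pairs into {dn: set_of_rights} (assumed ACLFile layout)."""
    acl, current = {}, None
    for line in acl_text.splitlines():
        words = line.split(None, 1)
        if len(words) < 2:
            continue
        key, rest = words
        if key == "name":
            current = rest.strip()
            acl.setdefault(current, set())
        elif key == "rights" and current is not None:
            acl[current] |= {r.strip() for r in rest.split(",") if r.strip()}
    return acl

def acl_rights_for_cert(cert_text, acl_text):
    """Section 2 check: rights the ACLFile grants this certificate's subject, or None if no entry matches."""
    return parse_aclfile(acl_text).get(to_slash_dn(text_field(cert_text, "Subject")))
```

A `None` result means the server's "ACL authorization failed" error is expected for that certificate, and the subject printed by `to_slash_dn` is the line to add to the ACLFile.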
 

Example output: Failure to have relevant permissions in ACLFile
Master/Server Side
 

boverhof@taz(407)%lblnettest -s
Opening connect to netlog message server host taz, port 14830
connect: Connection refused
NetLoggerOpen(); NetLogOpen failed
Enter Your Passphrase: 
SecureTcp: : In init and mIsServer = 1
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is nettest.pem
SecureTcp: : key file name is key.pem
SecureTcp: : At the end of init remoteHost = 

----------------------------------------------------
   Reporting Results 
        By default results are printed on the screen 
        and NetLogger recording is disabled 

----------------------------------------------------

Enter [y] to specify test output or return [] for defaults:

****************************************
  Iperf  Netlogger output:  0
         print     output:  1
  Ping   Netlogger output:  0
         print     output:  1
****************************************

SecureTcp: : Called accept with infinite timeout
SecureTcp: : SecureTcp::doAccept()--calling  select()
SecureTcp: : SecureTcp::doAccept--select() returned 1
SecureTcp: : SecureTcp::doAccept--calling accept()
SecureTcp: : mNewsock= 5
SecureTcp: : SecureTcp::doAccept--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doAccept--SSL_new(mCtx_p) returned mCon_p = 184e80
SecureTcp: : SecureTcp::doAccept()--calling SSL_set_fd()
SecureTcp: : SSL connection using DES-CBC3-SHA
SecureTcp: : Client certificate:
SecureTcp: :     subject: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client
SecureTcp: :     issuer: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=CA
SecureTcp: : securetcp  sslDN: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client  str: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=CA
SecureTcp: : Authorizer returned
SecureTcp: : Return is: 0
ERROR: SecureTcp::doAccept--ACL authorization failed
host: requestcoordcon Accept failed
boverhof@taz(408)%
 
Requestor/Client Side
 

boverhof@wile(110)%lblnettest -h taz -c client.pem -k client.key
Opening connect to netlog message server host wile, port 14830
connect: Connection refused
NetLoggerOpen(); NetLogOpen failed
Enter Your Passphrase: 
SecureTcp: : In init and mIsServer = 0
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is client.pem
SecureTcp: : key file name is client.key
SecureTcp: : At the end of init remoteHost = taz

----------------------------------------------------
   Reporting Results 
        By default results are printed on the screen 
        and NetLogger recording is disabled 

----------------------------------------------------

Enter [y] to specify test output or return [] for defaults:

****************************************
  Iperf  Netlogger output:  0
         print     output:  1
  Ping   Netlogger output:  0
         print     output:  1
****************************************

SecureTcp: : SecureTcp::doConnect--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doConnect--SSL_new(mCtx_p) returned mCon_p = 1802d0
SecureTcp: : SecureTcp::doConnect()--calling SSL_set_fd()
SecureTcp: : mySock.getSock = 4
SecureTcp: : SSL_set_fd
SecureTcp: : SecureTcp::doConnect()--calling SSL_connect()
SecureTcp: : SSL_connect
SecureTcp: : **after connect err=1
SecureTcp: : SecureTcp::doConnect()-- SSL_connect() returned err 1
SecureTcp: : SSL connection using DES-CBC3-SHA
SecureTcp: : inside SecureTcp::read
SecureTcp: : inside SecureTcp::write
ERROR: Request to connect=
boverhof@wile(111)%