SSL Problems

Identifying and Solving Certificate Problems
Identifying and Solving ACLFile Problems
- If you are experiencing problems during SSL connect/accept, the problem
may be related to your certificates and/or your ACLFile. All of these
files should be located in the nettest/release/ folder,
where the lblnettest executable is run.
- To turn on debugging information for SSL, edit the file nettest/src/common/securetcp.cc
and change the debugging level passed to MyDebug in the constructor to
something greater than zero (e.g. 5), then rebuild:

    SecureTcp::SecureTcp()
        : MyDebug( "SecureTcp: ", 5 ),      // second argument is the debug level
          func( NULL ),
          mCertfilename( "nettest.pem" ), mKeyfilename( "key.pem" )
    {
    }
1. Identifying and Solving Certificate Problems:
- First, check that CA.pem and the certificates are valid. An OK means the
certificate chains to a CA in CA.pem and is inside its validity dates;
verifying CA.pem against itself only confirms that the CA certificate is
well formed, self-consistent and unexpired:
%openssl verify -CAfile CA.pem CA.pem
CA.pem: OK
%openssl verify -CAfile CA.pem nettest.pem
nettest.pem: OK
%openssl verify -CAfile CA.pem client.pem
client.pem: OK
- You can also examine the text of the certificate and check the Validity
field. If CA.pem holds more than one CA, note that openssl x509 prints only
the first certificate in the file, so make sure you are looking at the
text of the right one (split the bundle, or feed it the single certificate
you need).
%openssl x509 -text -in CA.pem | more
- If any check fails you will need to generate new certificates (see
Using OpenSSL). Fix the certificate or the CA file rather than disabling
certificate verification in the code: the ACLFile check depends on the
client certificate that verification authenticates.
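The checks above, as an added shell example that is not part of lblnettest or its documentation. It assumes the file names used on this page (CA.pem, nettest.pem, client.pem) and a working openssl binary, and goes one step beyond the commands above by splitting a multi-certificate CA.pem so that every CA in it, not just the first, can be inspected. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not lblnettest code): enumerate every certificate in a PEM
# bundle and verify the leaf certificates against the CA bundle.
# Assumed file names: CA.pem (CA bundle), nettest.pem (server), client.pem (client).

# Print the n-th PEM certificate block of a file (1-based). `openssl x509`
# alone only ever shows the first block of a bundle.
pem_nth() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Count the certificate blocks in a PEM file.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject, issuer and validity window of every certificate in a file,
# so a wrong or expired CA inside a bundle is visible at a glance.
pem_describe() {
    file=$1
    total=$(pem_count "$file")
    i=1
    while [ "$i" -le "$total" ]; do
        echo "== $file [$i/$total]"
        pem_nth "$file" "$i" | openssl x509 -noout -subject -issuer -dates
        i=$((i + 1))
    done
}

# Verify one leaf certificate against the CA bundle: 0 when it chains to a
# CA in the bundle and is inside its validity dates, non-zero otherwise.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: check_all CA.pem nettest.pem client.pem
# Describes every CA in the bundle, then verifies each leaf; exits non-zero
# if any leaf fails so it can gate a test session.
check_all() {
    ca=$1; shift
    pem_describe "$ca"
    rc=0
    for leaf in "$@"; do
        if verify_leaf "$ca" "$leaf"; then
            echo "$leaf: OK"
        else
            echo "$leaf: FAILED (regenerate it, or add its issuer CA to $ca)"
            rc=1
        fi
    done
    return $rc
}
```

Both sides must verify against the same CA.pem: the client checks the server's nettest.pem, and the server checks the client's certificate, so a leaf that fails here will fail the handshake in one direction or the other.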
Example output of an invalid certificate. Where they appear, the lines
"connect: Connection refused" and "NetLoggerOpen(); NetLogOpen failed"
refer to the NetLogger message server, which is not running, and are
unrelated to SSL. The SSL failure shows on the client side: SSL_connect()
fails with error 14090086 (SSL3_GET_SERVER_CERTIFICATE: certificate verify
failed), meaning the server's nettest.pem did not verify against the
client's CA.pem. The server sees the aborted handshake as "SSL connection
using (NONE)" followed by "didn't get the peer certificate". The final
"SSL_connect: Success" line on the client is the C library's errno text
and carries no information here.
Master/Server Side
boverhof@scott(7)%lblnettest -s
Opening connect to netlog message server host scott.lbl.gov, port 14830
connect: Connection refused
NetLoggerOpen(); NetLogOpen failed
Enter Your Passphrase:
SecureTcp: : In init and mIsServer = 1
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is nettest.pem
SecureTcp: : key file name is key.pem
SecureTcp: : At the end of init remoteHost =
----------------------------------------------------
Reporting Results
By default
results are printed on the screen
and NetLogger
recording is disabled
----------------------------------------------------
Enter [y] to specify test output or return [] for defaults:
****************************************
Iperf Netlogger output: 0
print
output: 1
Ping Netlogger output: 0
print
output: 1
****************************************
SecureTcp: : Called accept with infinite timeout
SecureTcp: : SecureTcp::doAccept()--calling select()
SecureTcp: : SecureTcp::doAccept--select() returned 1
SecureTcp: : SecureTcp::doAccept--calling accept()
SecureTcp: : mNewsock= 4
SecureTcp: : SecureTcp::doAccept--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doAccept--SSL_new(mCtx_p) returned mCon_p = 0x812dc10
SecureTcp: : SecureTcp::doAccept()--calling SSL_set_fd()
SecureTcp: : SSL connection using (NONE)
ERROR - SecureTcp: : didn't get the peer certificate
host: requestcoordcon Accept failed
boverhof@scott(8)%
Requestor/Client Side
boverhof@snidely(127)%lblnettest -h scott -c client.pem -k client.key
Opening connect to netlog message server host snidely, port 14830
Enter Your Passphrase:
SecureTcp: : In init and mIsServer = 0
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is client.pem
SecureTcp: : key file name is client.key
SecureTcp: : At the end of init remoteHost = scott
----------------------------------------------------
Reporting Results
By default
results are printed on the screen
and NetLogger
recording is disabled
----------------------------------------------------
Enter [y] to specify test output or return [] for defaults:
****************************************
Iperf Netlogger output: 0
print
output: 1
Ping Netlogger output: 0
print
output: 1
****************************************
SecureTcp: : SecureTcp::doConnect--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doConnect--SSL_new(mCtx_p) returned mCon_p = 0x812d240
SecureTcp: : SecureTcp::doConnect()--calling SSL_set_fd()
SecureTcp: : mySock.getSock = 4
SecureTcp: : SSL_set_fd
SecureTcp: : SecureTcp::doConnect()--calling SSL_connect()
SecureTcp: : SSL_connect
SecureTcp: : **after connect err=-1
SSL_ERROR_SSL
ERROR: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL_connect: Success
boverhof@snidely(128)%
2. Identifying and Solving ACLFile Problems:
- Compare each client certificate's Subject line with the ACLFile entries.
One entry must match exactly; if none does, create a new entry in the
ACLFile. The entry must match the DN the server prints on its
"securetcp sslDN:" line in the example output below (failure to have the
relevant permission in ACLFile): that is the subject of the client
certificate, in slash-separated form.
boverhof@wile(120)%openssl x509 -text -in client.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=CA
        Validity
            Not Before: Jan  4 16:49:05 2001 GMT
            Not After : Apr  4 16:49:05 2001 GMT
        Subject: C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=Client
Note that this certificate is version 1 and signed with MD5. Current TLS
implementations reject MD5-signed certificates, so when you regenerate
certificates sign them with SHA-256 (the -sha256 option of openssl req
and openssl x509).
- Entries in ACLFile: an entry must contain the client certificate's
subject in the slash-separated form below (the same DN that the -text
output prints as "Subject: C=US, ST=CA, ..."), followed by a rights line.
Older OpenSSL prints exactly this form with
"openssl x509 -noout -subject -in client.pem"; newer releases print
"C = US, ST = CA, ..." by default and need "-nameopt compat" to get the
slash form.
boverhof@taz(7)%more ACLFile
name /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client
rights read, write, execute
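An added example, not part of lblnettest, that reproduces by hand the lookup the server performs on the client's subject DN, starting from the output of openssl x509 -text. The ACLFile layout (a "name" line followed by a "rights" line) is the one shown above; the DN conversion from the comma-separated -text form to the slash-separated ACLFile form is this example's own, and its matching is exact, byte for byte, which makes no claim about how lenient the real authorizer is. The function names (subject_to_acl_dn, acl_rights, acl_check) are assumptions.

```shell
#!/bin/sh
# Added example (not lblnettest code): check whether a client certificate's
# subject DN has an ACLFile entry, and print the entry to add if it does not.

# Turn "C=US, ST=CA, L=Berkeley, O=LBNL, OU=DSD, CN=Client" (openssl x509
# -text form) into "/C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client" (ACLFile form).
subject_to_acl_dn() {
    printf '/%s' "$1" | sed -e 's/, */\//g' -e 's/^\/*/\//'
}

# Print the rights granted to a DN by the ACLFile ("name" line followed by a
# "rights" line); exit 1 when no name line matches exactly.
acl_rights() {
    aclfile=$1
    awk -v dn="$2" '
        $1 == "name"   { sub(/^name[ \t]+/, ""); cur = $0 }
        $1 == "rights" && cur == dn {
            sub(/^rights[ \t]+/, ""); print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$aclfile"
}

# acl_check ACLFile client.txt
# client.txt holds the output of `openssl x509 -text -in client.pem`.
# Prints the rights when the subject is listed; otherwise prints the entry
# to append (full rights, as on this page) and returns 1.
acl_check() {
    subject=$(sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' "$2")
    dn=$(subject_to_acl_dn "$subject")
    if rights=$(acl_rights "$1" "$dn"); then
        echo "$dn: allowed ($rights)"
    else
        echo "$dn: no ACLFile entry; add:"
        echo "name $dn"
        echo "rights read, write, execute"
        return 1
    fi
}
```

Save the certificate dump first (openssl x509 -text -in client.pem > client.txt), then run acl_check ACLFile client.txt; a non-zero exit means the server's authorizer would reject this client for the same reason as in the example below, and the printed lines are the entry to append.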
Example output: failure to have relevant permissions in ACLFile. Here the
TLS handshake completes on both sides (cipher DES-CBC3-SHA, SSL_connect()
returned 1), so the certificates themselves are fine. The server then
looks up the client's subject DN, printed on its "securetcp sslDN:" line;
the authorizer returns 0 and the accept fails with "ACL authorization
failed". The client sees only a failed request ("ERROR: Request to
connect="), so the server-side log is the one to read.
Master/Server Side
boverhof@taz(407)%lblnettest -s
Opening connect to netlog message server host taz, port 14830
connect: Connection refused
NetLoggerOpen(); NetLogOpen failed
Enter Your Passphrase:
SecureTcp: : In init and mIsServer = 1
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is nettest.pem
SecureTcp: : key file name is key.pem
SecureTcp: : At the end of init remoteHost =
----------------------------------------------------
Reporting Results
By default
results are printed on the screen
and NetLogger
recording is disabled
----------------------------------------------------
Enter [y] to specify test output or return [] for defaults:
****************************************
Iperf Netlogger output: 0
print
output: 1
Ping Netlogger output: 0
print
output: 1
****************************************
SecureTcp: : Called accept with infinite timeout
SecureTcp: : SecureTcp::doAccept()--calling select()
SecureTcp: : SecureTcp::doAccept--select() returned 1
SecureTcp: : SecureTcp::doAccept--calling accept()
SecureTcp: : mNewsock= 5
SecureTcp: : SecureTcp::doAccept--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doAccept--SSL_new(mCtx_p) returned mCon_p = 184e80
SecureTcp: : SecureTcp::doAccept()--calling SSL_set_fd()
SecureTcp: : SSL connection using DES-CBC3-SHA
SecureTcp: : Client certificate:
SecureTcp: : subject: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client
SecureTcp: : issuer: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=CA
SecureTcp: : securetcp sslDN: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=Client
str: /C=US/ST=CA/L=Berkeley/O=LBNL/OU=DSD/CN=CA
SecureTcp: : Authorizer returned
SecureTcp: : Return is: 0
ERROR: SecureTcp::doAccept--ACL authorization failed
host: requestcoordcon Accept failed
boverhof@taz(408)%
Requestor/Client Side
boverhof@wile(110)%lblnettest -h taz -c client.pem -k client.key
Opening connect to netlog message server host wile, port 14830
connect: Connection refused
NetLoggerOpen(); NetLogOpen failed
Enter Your Passphrase:
SecureTcp: : In init and mIsServer = 0
SecureTcp: : Set the verify variable
SecureTcp: : Finished setting ssl algorithms
SecureTcp: : Certificate file name is client.pem
SecureTcp: : key file name is client.key
SecureTcp: : At the end of init remoteHost = taz
----------------------------------------------------
Reporting Results
By default
results are printed on the screen
and NetLogger
recording is disabled
----------------------------------------------------
Enter [y] to specify test output or return [] for defaults:
****************************************
Iperf Netlogger output: 0
print
output: 1
Ping Netlogger output: 0
print
output: 1
****************************************
SecureTcp: : SecureTcp::doConnect--calling SSL_new(mCtx_p)
SecureTcp: : SecureTcp::doConnect--SSL_new(mCtx_p) returned mCon_p = 1802d0
SecureTcp: : SecureTcp::doConnect()--calling SSL_set_fd()
SecureTcp: : mySock.getSock = 4
SecureTcp: : SSL_set_fd
SecureTcp: : SecureTcp::doConnect()--calling SSL_connect()
SecureTcp: : SSL_connect
SecureTcp: : **after connect err=1
SecureTcp: : SecureTcp::doConnect()-- SSL_connect() returned err 1
SecureTcp: : SSL connection using DES-CBC3-SHA
SecureTcp: : inside SecureTcp::read
SecureTcp: : inside SecureTcp::write
ERROR: Request to connect=
boverhof@wile(111)%