Here are the two certs ssltap captured.

Two things stand out in the capture below. In both connections the server selects (0x0004) SSL3/RSA/RC4-128/MD5 even though the client lists the DHE/AES and Camellia suites ahead of it, and each connection is reset by the server immediately after the client's first encrypted record (the encrypted handshake record that follows change_cipher_spec, i.e. the client Finished) — which is consistent with the server being unable to verify the MAC on that record, matching the ssl_error_bad_mac_alert the browser reports. Connection #2 is the browser's automatic retry with an SSLv2-compatible ClientHello at version {3,0} (SSL 3.0), which the server accepts and which fails at the same point, so the problem does not appear to be specific to TLS 1.0.
On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <johndorovski(a)googlemail.com> wrote:
 Here is my ssltap output:
 [root@rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545
 <HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
 <BODY><PRE>
 Looking up "localhost.localdomain"...
 Proxy socket ready and listening
 <p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]
 </H2>Connected to localhost.localdomain:9545
 --> [
 <font color=blue>(120 bytes of 115)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 01 00  73                                     | ....s
    type    = 22 (handshake)
    version = { 3,1 }
    length  = 115 (0x73)
    handshake {
    0: 01 00 00 6f                                         | ...o
       type = 1 (client_hello)
       length = 111 (0x00006f)
          ClientHelloV3 {
             client_version = {3, 1}
             random = {...}
    0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
 K..`>...l&.)...&
   10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  | ....$.uy..x@
 {X^{
             session ID = {
                 length = 0
                 contents = {...}
             }
             cipher_suites[18] = {
                 (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
                 (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
                 (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                 (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                 (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
                 (0x0035) TLS/RSA/AES256-CBC/SHA
                 (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
                 (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
                 (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                 (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                 (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
                 (0x0004) SSL3/RSA/RC4-128/MD5
                 (0x0005) SSL3/RSA/RC4-128/SHA
                 (0x002f) TLS/RSA/AES128-CBC/SHA
                 (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                 (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                 (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                 (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
             }
             compression[1] = { 00 }
             extensions[34] = {
               extension type server_name, length [26] = {
    0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
 .....localhost.l
   10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
               }
               extension type session_ticket, length [0]
             }
          }
    }
 }
 </font>]
 <-- [
 <font color=red>(1903 bytes of 1898)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 01 07  6a                                     | ....j
    type    = 22 (handshake)
    version = { 3,1 }
    length  = 1898 (0x76a)
    handshake {
    0: 02 00 00 46                                         | ...F
       type = 2 (server_hello)
       length = 70 (0x000046)
          ServerHello {
             server_version = {3, 1}
             random = {...}
    0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
 K..`...i...^....
   10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
 ...'...W#...i@U.
             session ID = {
                 length = 32
                 contents = {...}
    0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
 ....E.m.....
   10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
 .........7.n..+%
             }
             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
             compression method = 00
          }
    0: 0b 00 07 18                                         | ....
       type = 11 (certificate)
       length = 1816 (0x000718)
          CertificateChain {
             chainlength = 1813 (0x0715)
             Certificate {
                size = 890 (0x037a)
                data = { saved in file 'cert.001' }
             }
             Certificate {
                size = 917 (0x0395)
                data = { saved in file 'cert.002' }
             }
          }
    0: 0e 00 00 00                                         | ....
       type = 14 (server_hello_done)
       length = 0 (0x000000)
    }
 }
 </font>]
 --> [
 <font color=blue>(310 bytes of 262, with 43 left over)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 01 01  06                                     | .....
    type    = 22 (handshake)
    version = { 3,1 }
    length  = 262 (0x106)
    handshake {
    0: 10 00 01 02                                         | ....
       type = 16 (client_key_exchange)
       length = 258 (0x000102)
          ClientKeyExchange {
             message = {...}
          }
    }
 }
 (310 bytes of 1, with 37 left over)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 14 03 01 00  01                                     | .....
    type    = 20 (change_cipher_spec)
    version = { 3,1 }
    length  = 1 (0x1)
    0: 01                                                  | .
 }
 (310 bytes of 32)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 01 00  20                                     | ....
    type    = 22 (handshake)
    version = { 3,1 }
    length  = 32 (0x20)
             < encrypted >
 }
 </font>]
 ssltap: Error -5961: TCP connection reset by peer.: error on server-side
 socket.
 Connection 1 Complete [Wed Nov 18 09:14:56 2009]
 <p><HR><H2>Connection #2 [Wed Nov 18 09:14:56 2009]
 </H2>Connected to localhost.localdomain:9545
 --> [
 <font color=blue>recordLen = 81 bytes
 (81 bytes of 81)
  [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
            version = {0x03, 0x00}
            cipher-specs-length = 54 (0x36)
            sid-length = 0 (0x00)
            challenge-length = 16 (0x10)
            cipher-suites = {
                 (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
                 (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
                 (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
                 (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
                 (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
                 (0x000035) TLS/RSA/AES256-CBC/SHA
                 (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
                 (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
                 (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
                 (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
                 (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
                 (0x000004) SSL3/RSA/RC4-128/MD5
                 (0x000005) SSL3/RSA/RC4-128/SHA
                 (0x00002f) TLS/RSA/AES128-CBC/SHA
                 (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                 (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                 (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                 (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                 }
            session-id = { }
            challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
 0xf716 }
 }
 </font>]
 <-- [
 <font color=red>(1903 bytes of 1898)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 00 07  6a                                     | ....j
    type    = 22 (handshake)
    version = { 3,0 }
    length  = 1898 (0x76a)
    handshake {
    0: 02 00 00 46                                         | ...F
       type = 2 (server_hello)
       length = 70 (0x000046)
          ServerHello {
             server_version = {3, 0}
             random = {...}
    0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  | K..`U..3...
 .t..
   10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
 ...&!.....$..N.Q
             session ID = {
                 length = 32
                 contents = {...}
    0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
 gfP..m.8}...C.W.
   10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
 .......x..U&....
             }
             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
             compression method = 00
          }
    0: 0b 00 07 18                                         | ....
       type = 11 (certificate)
       length = 1816 (0x000718)
          CertificateChain {
             chainlength = 1813 (0x0715)
             Certificate {
                size = 890 (0x037a)
                data = { saved in file 'cert.003' }
             }
             Certificate {
                size = 917 (0x0395)
                data = { saved in file 'cert.004' }
             }
          }
    0: 0e 00 00 00                                         | ....
       type = 14 (server_hello_done)
       length = 0 (0x000000)
    }
 }
 </font>]
 --> [
 <font color=blue>(332 bytes of 260, with 67 left over)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 00 01  04                                     | .....
    type    = 22 (handshake)
    version = { 3,0 }
    length  = 260 (0x104)
    handshake {
    0: 10 00 01 00                                         | ....
       type = 16 (client_key_exchange)
       length = 256 (0x000100)
          ClientKeyExchange {
             message = {...}
          }
    }
 }
 (332 bytes of 1, with 61 left over)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 14 03 00 00  01                                     | .....
    type    = 20 (change_cipher_spec)
    version = { 3,0 }
    length  = 1 (0x1)
    0: 01                                                  | .
 }
 (332 bytes of 56)
 SSLRecord { [Wed Nov 18 09:14:56 2009]
    0: 16 03 00 00  38                                     | ....8
    type    = 22 (handshake)
    version = { 3,0 }
    length  = 56 (0x38)
             < encrypted >
 }
 </font>]
 ssltap: Error -5961: TCP connection reset by peer.: error on server-side
 socket.
 Connection 2 Complete [Wed Nov 18 09:14:56 2009]
 On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan <ckannan(a)redhat.com> wrote:
>  On 11/17/2009 01:09 PM, John Dorovski wrote:
>
> It was not a typo. I did use the port number 9545.
>
>
> OK. One idea would be to run the utility "ssltap" as a proxy,
> use your browser to connect to the "ssltap" port, and
> paste the output here so folks can see what's happening
> during the SSL handshake.
>
> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>
>
> On a Fedora 10 system, its packaged with nss-tools rpm.
>
> Run ssltap like this...
>
> ssltap -sfxl CA_HOSTNAME:CA_PORT
>
> in your case, it will be
>
> ssltap -sfxl localhost:9545
>
> Then use a browser and connect to ssltap. ssltap
> listens on port 1924 by default. So in the browser type:
>
> https://localhost.localdomain:1924
>
>
> ssltap will capture the results of the ssl handshake.
>
> Copy and paste it here so we can tell what's happening
> during that phase while you get the bad mac alert.
>
> Thanks,
> --Chandra
>
>
>
>
>
>
> John
>
> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <Julius.Adewumi(a)gdc4s.com> wrote:
>
>>
>> Unless it's a typo on your part, the two port numbers are different...
>> Could that be the problem?
>> 8445  vs 9545
>>
>> From: Julius Adewumi
>> @GDC4S.com
>> Ph:480-441-6768
>> Contract Corp:MTSI
>>
>>
>> -----Original Message-----
>> From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com]
>> On Behalf Of Christina Fu
>> Sent: Tuesday, November 17, 2009 12:56 PM
>> To: pki-users(a)redhat.com
>>  Cc: johndorovski(a)googlemail.com
>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>
>> I might have messed up when managing pki-users and this did not come
>> through.  Hence the forward.
>> Christina
>>
>> Subject:
>> Help needed on dogtag
>> From:
>> John Dorovski <johndorovski(a)googlemail.com>
>> Date:
>> Tue, 17 Nov 2009 10:58:18 -0500
>>
>> To:
>> pki-users(a)redhat.com
>>
>>
>> Hi,
>>
>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>> I used a SafeNet ProtectServer Gold HSM as keystore.
>> The dogtag system installation and configuration were fine. No error was
>> reported.
>> All keys and certificates were generated inside the HSM.
>>
>> But when I tried to access the secure admin interface at
>>     
https://localhost:localdomain:9545
>> I got error message:
>>    Secure Connection Failed
>>    An error occurred during a connection to localhost.localdomain:8445
>>    SSL peer reports incorrect Message Authentication Code.
>>    (Error code: ssl_error_bad_mac_alert)
>>
>> I checked the server certificate (viewed it with IE on a Windows box).
>> It seems fine.
>>
>> Does any body know what is wrong and how can I fix it?
>>
>> Thanks,
>>
>> John
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> 
https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> 
https://www.redhat.com/mailman/listinfo/pki-users
>
>