On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote:
The trace shows "cipher-change-request" as last capture before Error reported.
Just FYI, we noticed a similar message during dogtag 1.2.0
development but with a different HSM (nethsm). That issue
was fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=495597
FWIW, we have never tried with the mentioned
Safenet Protectserver Gold HSM....
From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI
Here are the two certs ssltap captured.
From: John Dorovski [mailto:johndorovski@googlemail.com]
Sent: Wednesday, November 18, 2009 7:34 AM
To: Chandrasekar Kannan
Cc: Adewumi, Julius-p99373; pki-users@redhat.com
Subject: Re: [Pki-users] (forwarded) Help needed on dogtag
On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <johndorovski@googlemail.com> wrote:
Here is my ssltap output:
[root@rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545
<HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
<BODY><PRE>
Looking up "localhost.localdomain"...
Proxy socket ready and listening
<p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]
</H2>Connected to localhost.localdomain:9545
--> [
<font color=blue>(120 bytes of 115)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 01 00 73 | ....s
type = 22 (handshake)
version = { 3,1 }
length = 115 (0x73)
handshake {
0: 01 00 00 6f | ...o
type = 1 (client_hello)
length = 111 (0x00006f)
ClientHelloV3 {
client_version = {3, 1}
random = {...}
0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | K..`>...l&.)...&
10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@{X^{
session ID = {
length = 0
contents = {...}
}
cipher_suites[18] = {
(0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
(0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
(0x0038) TLS/DHE-DSS/AES256-CBC/SHA
(0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
(0x0035) TLS/RSA/AES256-CBC/SHA
(0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
(0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA
(0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
(0x0004) SSL3/RSA/RC4-128/MD5
(0x0005) SSL3/RSA/RC4-128/SHA
(0x002f) TLS/RSA/AES128-CBC/SHA
(0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
compression[1] = { 00 }
extensions[34] = {
extension type server_name, length [26] = {
0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | .....localhost.l
10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain
}
extension type session_ticket, length [0]
}
}
}
}
</font>]
<-- [
<font color=red>(1903 bytes of 1898)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 01 07 6a | ....j
type = 22 (handshake)
version = { 3,1 }
length = 1898 (0x76a)
handshake {
0: 02 00 00 46 | ...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | K..`...i...^....
10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | ...'...W#...i@U.
session ID = {
length = 32
contents = {...}
0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. ....E.m.....
10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | .........7.n..+%
}
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
compression method = 00
}
0: 0b 00 07 18 | ....
type = 11 (certificate)
length = 1816 (0x000718)
CertificateChain {
chainlength = 1813 (0x0715)
Certificate {
size = 890 (0x037a)
data = { saved in file 'cert.001' }
}
Certificate {
size = 917 (0x0395)
data = { saved in file 'cert.002' }
}
}
0: 0e 00 00 00 | ....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
</font>]
--> [
<font color=blue>(310 bytes of 262, with 43 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 01 01 06 | .....
type = 22 (handshake)
version = { 3,1 }
length = 262 (0x106)
handshake {
0: 10 00 01 02 | ....
type = 16 (client_key_exchange)
length = 258 (0x000102)
ClientKeyExchange {
message = {...}
}
}
}
(310 bytes of 1, with 37 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 14 03 01 00 01 | .....
type = 20 (change_cipher_spec)
version = { 3,1 }
length = 1 (0x1)
0: 01 | .
}
(310 bytes of 32)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 01 00 20 | ....
type = 22 (handshake)
version = { 3,1 }
length = 32 (0x20)
< encrypted >
}
</font>]
ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket.
Connection 1 Complete [Wed Nov 18 09:14:56 2009]
<p><HR><H2>Connection #2 [Wed Nov 18 09:14:56 2009]
</H2>Connected to localhost.localdomain:9545
--> [
<font color=blue>recordLen = 81 bytes
(81 bytes of 81)
[Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 54 (0x36)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
(0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
(0x000039) TLS/DHE-RSA/AES256-CBC/SHA
(0x000038) TLS/DHE-DSS/AES256-CBC/SHA
(0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
(0x000035) TLS/RSA/AES256-CBC/SHA
(0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
(0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
(0x000033) TLS/DHE-RSA/AES128-CBC/SHA
(0x000032) TLS/DHE-DSS/AES128-CBC/SHA
(0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000005) SSL3/RSA/RC4-128/SHA
(0x00002f) TLS/RSA/AES128-CBC/SHA
(0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
session-id = { }
challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 0xf716 }
}
</font>]
<-- [
<font color=red>(1903 bytes of 1898)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 00 07 6a | ....j
type = 22 (handshake)
version = { 3,0 }
length = 1898 (0x76a)
handshake {
0: 02 00 00 46 | ...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 0}
random = {...}
0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3... .t..
10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | ...&!.....$..N.Q
session ID = {
length = 32
contents = {...}
0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | gfP..m.8}...C.W.
10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | .......x..U&....
}
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
compression method = 00
}
0: 0b 00 07 18 | ....
type = 11 (certificate)
length = 1816 (0x000718)
CertificateChain {
chainlength = 1813 (0x0715)
Certificate {
size = 890 (0x037a)
data = { saved in file 'cert.003' }
}
Certificate {
size = 917 (0x0395)
data = { saved in file 'cert.004' }
}
}
0: 0e 00 00 00 | ....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
</font>]
--> [
<font color=blue>(332 bytes of 260, with 67 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 00 01 04 | .....
type = 22 (handshake)
version = { 3,0 }
length = 260 (0x104)
handshake {
0: 10 00 01 00 | ....
type = 16 (client_key_exchange)
length = 256 (0x000100)
ClientKeyExchange {
message = {...}
}
}
}
(332 bytes of 1, with 61 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 14 03 00 00 01 | .....
type = 20 (change_cipher_spec)
version = { 3,0 }
length = 1 (0x1)
0: 01 | .
}
(332 bytes of 56)
SSLRecord { [Wed Nov 18 09:14:56 2009]
0: 16 03 00 00 38 | ....8
type = 22 (handshake)
version = { 3,0 }
length = 56 (0x38)
< encrypted >
}
</font>]
ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket.
Connection 2 Complete [Wed Nov 18 09:14:56 2009]
On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan <ckannan@redhat.com> wrote:
On 11/17/2009 01:09 PM, John Dorovski wrote:
It was not a typo. I did use the port number 9545.
Ok. One idea would be to run the utility "ssltap" as a proxy
and using your browser to connect to the "ssltap" port and
pasting the output here so folks can see what's happening
during the SSL handshake.
http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
On a Fedora 10 system, it's packaged with nss-tools rpm.
Run ssltap like this...
ssltap -sfxl CA_HOSTNAME:CA_PORT
in your case, it will be
ssltap -sfxl localhost:9545
Then use a browser and connect to ssltap. ssltap
listens on port 1924. So on the browser type..
https://localhost.localdomain:1924
ssltap will capture the results of the ssl handshake.
Copy and paste it here so we can tell what's happening
during that phase while you get the bad mac alert.
Thanks,
--Chandra
John
On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <Julius.Adewumi@gdc4s.com> wrote:
Unless it's a typo on your part, the two port numbers are different...
Could that be the problem?
8445 vs 9545
From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI
-----Original Message-----
From: pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com]
On Behalf Of Christina Fu
Sent: Tuesday, November 17, 2009 12:56 PM
To: pki-users@redhat.com
Cc: johndorovski@googlemail.com
Subject: [Pki-users] (forwarded) Help needed on dogtag
I might have messed up when managing pki-users and this did not come
through. Hence the forward.
Christina
Subject: Help needed on dogtag
From: John Dorovski <johndorovski@googlemail.com>
Date: Tue, 17 Nov 2009 10:58:18 -0500
To: pki-users@redhat.com
Hi,
I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
I used a SafeNet ProtectServer Gold HSM as keystore.
The dogtag system installation and configuration were fine. No error was
reported.
All keys and certificates were generated inside the HSM.
But when I tried to access the secure admin interface at
https://localhost:localdomain:9545
I got error message:
Secure Connection Failed
An error occurred during a connection to localhost.localdomain:8445
SSL peer reports incorrect Message Authentication Code.
(Error code: ssl_error_bad_mac_alert)
I checked the server certificate (viewed it with IE on a Windows box).
It seems fine.
Does anybody know what is wrong and how I can fix it?
Thanks,
John
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
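An added example, not part of the original thread or of ssltap itself: a small Python parser that reduces ssltap output like the trace above to the message order, the suite the server chose, and the message after which the reset occurred. The function names and the abridged sample trace are constructed for illustration.

```python
import re

# Constructed, abridged trace modelled on the ssltap output in this thread.
SAMPLE = """\
<p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]
--> [
type = 1 (client_hello)
<-- [
type = 2 (server_hello)
server_version = {3, 1}
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
type = 11 (certificate)
type = 14 (server_hello_done)
--> [
type = 16 (client_key_exchange)
type = 20 (change_cipher_spec)
type = 22 (handshake)
< encrypted >
ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket.
"""

def summarize(trace):
    """Return one dict per connection: version, chosen suite, message order, error."""
    conns, sender = [], None
    for line in trace.splitlines():
        line = line.strip()
        if m := re.search(r"Connection #(\d+)", line):
            conns.append({"id": int(m[1]), "version": None, "suite": None,
                          "messages": [], "error": None})
        elif not conns:
            continue  # banner lines before the first connection
        elif line.startswith(("-->", "<--")):
            sender = "client" if line.startswith("-->") else "server"
        elif m := re.match(r"type\s*=\s*\d+ \((\w+)\)", line):
            if m[1] != "handshake":  # record-layer wrapper, not a message
                conns[-1]["messages"].append((sender, m[1]))
        elif line == "< encrypted >":  # body hidden: sent under the new keys
            conns[-1]["messages"].append((sender, "encrypted_handshake"))
        elif m := re.match(r"server_version\s*=\s*\{(\d+), ?(\d+)\}", line):
            conns[-1]["version"] = (int(m[1]), int(m[2]))
        elif m := re.match(r"cipher_suite\s*=\s*\((0x[0-9a-f]+)\) (\S+)", line):
            conns[-1]["suite"] = (m[1], m[2])
        elif m := re.match(r"ssltap: Error (-?\d+): (.*)", line):
            conns[-1]["error"] = (int(m[1]), m[2])
    return conns

def last_before_error(conn):
    """The message after which the connection died, or None if it completed."""
    return conn["messages"][-1] if conn["error"] and conn["messages"] else None
```

In both captured connections the last message before the reset is the client's first encrypted handshake record, which is the first record protected by the newly negotiated keys.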