<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 11/18/2009 09:49 AM, Chandrasekar Kannan wrote:
<blockquote cite="mid:4B04339F.6060203@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote:
<blockquote
cite="mid:150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com"
type="cite">
<meta http-equiv="Content-Type"
content="text/html; charset=ISO-8859-1">
<meta content="MSHTML 6.00.6000.16915" name="GENERATOR">
<div dir="ltr" align="left">
<table sizset="30" sizcache="0" border="2" cellpadding="5">
<tbody sizset="30" sizcache="0">
<tr sizset="85" sizcache="0">
<td sizset="85" sizcache="0" valign="baseline" align="left"><a
moz-do-not-send="true" name="1040353"></a><tt>SSL_ERROR_BAD_MAC_ALERT</tt></td>
<td valign="baseline" align="left">-12272</td>
<td sizset="86" sizcache="0" valign="baseline" align="left"><a
moz-do-not-send="true" name="1040355"></a>"SSL peer reports incorrect
Message Authentication Code."
<p sizset="87" sizcache="0"><a moz-do-not-send="true"
name="1040356"></a>The remote system has reported that it received a
message with a bad Message Authentication Code from the local system.
This may indicate that an attack on that server is underway.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div> </div>
<!-- Converted from text/rtf format -->
<p><i><span lang="en-us"><font face="Arial Narrow" size="2"><span
class="076243517-18112009">The trace shows "cipher-change-request" as
last capture before Error reported.</span></font></span></i></p>
<p><i><span lang="en-us"></span></i> <br>
</p>
</blockquote>
<br>
Just FYI. we noticed a similar message during dogtag 1.2.0 <br>
development but with a different HSM(nethsm). That issue<br>
was fixed. <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://bugzilla.redhat.com/show_bug.cgi?id=495597">https://bugzilla.redhat.com/show_bug.cgi?id=495597</a><br>
<br>
FWIW, we have never tried with the mentioned <br>
Safenet Protectserver Gold HSM....<br>
</blockquote>
<br>
<br>
Can you check settings for this ..<br>
<br>
/var/lib/pki-ca/conf/server.xml<br>
Look for clientAuth="agent"<br>
<br>
If you see that can you replace that with<br>
clientAuth="true" and restart the CA<br>
and see if it addresses the bad mac problem..<br>
<br>
<br>
<blockquote cite="mid:4B04339F.6060203@redhat.com" type="cite"><br>
<br>
<blockquote
cite="mid:150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com"
type="cite">
<p><i><span lang="en-us"><font face="Arial Narrow" size="2">From:
Julius Adewumi</font></span></i> <br>
<i><span lang="en-us"><font face="Arial Narrow" size="2">@GDC4S.com</font></span></i>
<br>
<i><span lang="en-us"><font face="Arial Narrow" size="2">Ph:480-441-6768</font></span></i>
<br>
<i><span lang="en-us"><font face="Arial Narrow" size="2">Contract
Corp:MTSI</font></span></i><span lang="en-us"></span> </p>
<div> </div>
<br>
<div class="OutlookMessageHeader" dir="ltr" lang="en-us"
align="left">
<hr tabindex="-1"><font face="Tahoma" size="2"><b>From:</b> John
Dorovski [<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="mailto:johndorovski@googlemail.com">mailto:johndorovski@googlemail.com</a>]
<br>
<b>Sent:</b> Wednesday, November 18, 2009 7:34 AM<br>
<b>To:</b> Chandrasekar Kannan<br>
<b>Cc:</b> Adewumi, Julius-p99373; <a moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:pki-users@redhat.com">pki-users@redhat.com</a><br>
<b>Subject:</b> Re: [Pki-users] (forwarded) Help needed on dogtag<br>
</font><br>
</div>
Here are the two certs ssltap captured.<br>
<br>
<br>
<div class="gmail_quote">On Wed, Nov 18, 2009 at 9:20 AM, John
Dorovski <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:johndorovski@googlemail.com">johndorovski@googlemail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Here
is
my ssltap output:<br>
<br>
[root@rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545<br>
<HTML><HEAD><TITLE>SSLTAP
output</TITLE></HEAD><br>
<BODY><PRE><br>
Looking up "localhost.localdomain"...<br>
Proxy socket ready and listening<br>
<p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]<br>
</H2>Connected to localhost.localdomain:9545<br>
--> [<br>
<font color=blue>(120 bytes of 115)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 01 00 73 | ....s<br>
type = 22 (handshake)<br>
version = { 3,1 }<br>
length = 115 (0x73)<br>
handshake {<br>
0: 01 00 00 6f | ...o<br>
type = 1 (client_hello)<br>
length = 111 (0x00006f)<br>
ClientHelloV3 {<br>
client_version = {3, 1}<br>
random = {...}<br>
0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 |
K..`>...l&.)...&<br>
10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b |
....$.uy..x@{X^{<br>
session ID = {<br>
length = 0<br>
contents = {...}<br>
}<br>
cipher_suites[18] = { <br>
(0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA<br>
(0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA<br>
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA<br>
(0x0038) TLS/DHE-DSS/AES256-CBC/SHA<br>
(0x0084) TLS/RSA/CAMELLIA256-CBC/SHA<br>
(0x0035) TLS/RSA/AES256-CBC/SHA<br>
(0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA<br>
(0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA<br>
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA<br>
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA<br>
(0x0041) TLS/RSA/CAMELLIA128-CBC/SHA<br>
(0x0004) SSL3/RSA/RC4-128/MD5<br>
(0x0005) SSL3/RSA/RC4-128/SHA<br>
(0x002f) TLS/RSA/AES128-CBC/SHA<br>
(0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA<br>
(0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA<br>
(0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA<br>
(0x000a) SSL3/RSA/3DES192EDE-CBC/SHA<br>
}<br>
compression[1] = { 00 }<br>
extensions[34] = {<br>
extension type server_name, length [26] = {<br>
0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c |
.....localhost.l<br>
10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain<br>
}<br>
extension type session_ticket, length [0]<br>
}<br>
}<br>
}<br>
}<br>
</font>]<br>
<-- [<br>
<font color=red>(1903 bytes of 1898)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 01 07 6a | ....j<br>
type = 22 (handshake)<br>
version = { 3,1 }<br>
length = 1898 (0x76a)<br>
handshake {<br>
0: 02 00 00 46 | ...F<br>
type = 2 (server_hello)<br>
length = 70 (0x000046)<br>
ServerHello {<br>
server_version = {3, 1}<br>
random = {...}<br>
0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 |
K..`...i...^....<br>
10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d |
...'...W#...i@U.<br>
session ID = {<br>
length = 32<br>
contents = {...}<br>
0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf.
....E.m.....<br>
10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 |
.........7.n..+%<br>
}<br>
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5<br>
compression method = 00<br>
}<br>
0: 0b 00 07 18 | ....<br>
type = 11 (certificate)<br>
length = 1816 (0x000718)<br>
CertificateChain {<br>
chainlength = 1813 (0x0715)<br>
Certificate {<br>
size = 890 (0x037a)<br>
data = { saved in file 'cert.001' }<br>
}<br>
Certificate {<br>
size = 917 (0x0395)<br>
data = { saved in file 'cert.002' }<br>
}<br>
}<br>
0: 0e 00 00 00 | ....<br>
type = 14 (server_hello_done)<br>
length = 0 (0x000000)<br>
}<br>
}<br>
</font>]<br>
--> [<br>
<font color=blue>(310 bytes of 262, with 43 left over)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 01 01 06 | .....<br>
type = 22 (handshake)<br>
version = { 3,1 }<br>
length = 262 (0x106)<br>
handshake {<br>
0: 10 00 01 02 | ....<br>
type = 16 (client_key_exchange)<br>
length = 258 (0x000102)<br>
ClientKeyExchange {<br>
message = {...}<br>
}<br>
}<br>
}<br>
(310 bytes of 1, with 37 left over)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 14 03 01 00 01 | .....<br>
type = 20 (change_cipher_spec)<br>
version = { 3,1 }<br>
length = 1 (0x1)<br>
0: 01 | .<br>
}<br>
(310 bytes of 32)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 01 00 20 | .... <br>
type = 22 (handshake)<br>
version = { 3,1 }<br>
length = 32 (0x20)<br>
< encrypted ><br>
}<br>
</font>]<br>
ssltap: Error -5961: TCP connection reset by peer.: error on
server-side socket.<br>
Connection 1 Complete [Wed Nov 18 09:14:56 2009]<br>
<p><HR><H2>Connection #2 [Wed Nov 18 09:14:56 2009]<br>
</H2>Connected to localhost.localdomain:9545<br>
--> [<br>
<font color=blue>recordLen = 81 bytes<br>
(81 bytes of 81)<br>
[Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 {<br>
version = {0x03, 0x00}<br>
cipher-specs-length = 54 (0x36)<br>
sid-length = 0 (0x00)<br>
challenge-length = 16 (0x10)<br>
cipher-suites = { <br>
(0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA<br>
(0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA<br>
(0x000039) TLS/DHE-RSA/AES256-CBC/SHA<br>
(0x000038) TLS/DHE-DSS/AES256-CBC/SHA<br>
(0x000084) TLS/RSA/CAMELLIA256-CBC/SHA<br>
(0x000035) TLS/RSA/AES256-CBC/SHA<br>
(0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA<br>
(0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA<br>
(0x000033) TLS/DHE-RSA/AES128-CBC/SHA<br>
(0x000032) TLS/DHE-DSS/AES128-CBC/SHA<br>
(0x000041) TLS/RSA/CAMELLIA128-CBC/SHA<br>
(0x000004) SSL3/RSA/RC4-128/MD5<br>
(0x000005) SSL3/RSA/RC4-128/SHA<br>
(0x00002f) TLS/RSA/AES128-CBC/SHA<br>
(0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA<br>
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA<br>
(0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA<br>
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA<br>
}<br>
session-id = { }<br>
challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a
0x5742 0xf716 }<br>
}<br>
</font>]<br>
<-- [<br>
<font color=red>(1903 bytes of 1898)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 00 07 6a | ....j<br>
type = 22 (handshake)<br>
version = { 3,0 }<br>
length = 1898 (0x76a)<br>
handshake {<br>
0: 02 00 00 46 | ...F<br>
type = 2 (server_hello)<br>
length = 70 (0x000046)<br>
ServerHello {<br>
server_version = {3, 0}<br>
random = {...}<br>
0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3...
.t..<br>
10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 |
...&!.....$..N.Q<br>
session ID = {<br>
length = 32<br>
contents = {...}<br>
0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b |
gfP..m.8}...C.W.<br>
10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 |
.......x..U&....<br>
}<br>
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5<br>
compression method = 00<br>
}<br>
0: 0b 00 07 18 | ....<br>
type = 11 (certificate)<br>
length = 1816 (0x000718)<br>
CertificateChain {<br>
chainlength = 1813 (0x0715)<br>
Certificate {<br>
size = 890 (0x037a)<br>
data = { saved in file 'cert.003' }<br>
}<br>
Certificate {<br>
size = 917 (0x0395)<br>
data = { saved in file 'cert.004' }<br>
}<br>
}<br>
0: 0e 00 00 00 | ....<br>
type = 14 (server_hello_done)<br>
length = 0 (0x000000)<br>
}<br>
}<br>
</font>]<br>
--> [<br>
<font color=blue>(332 bytes of 260, with 67 left over)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 00 01 04 | .....<br>
type = 22 (handshake)<br>
version = { 3,0 }<br>
length = 260 (0x104)<br>
handshake {<br>
0: 10 00 01 00 | ....<br>
type = 16 (client_key_exchange)<br>
length = 256 (0x000100)<br>
ClientKeyExchange {<br>
message = {...}<br>
}<br>
}<br>
}<br>
(332 bytes of 1, with 61 left over)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 14 03 00 00 01 | .....<br>
type = 20 (change_cipher_spec)<br>
version = { 3,0 }<br>
length = 1 (0x1)<br>
0: 01 | .<br>
}<br>
(332 bytes of 56)<br>
SSLRecord { [Wed Nov 18 09:14:56 2009]<br>
0: 16 03 00 00 38 | ....8<br>
type = 22 (handshake)<br>
version = { 3,0 }<br>
length = 56 (0x38)<br>
< encrypted ><br>
}<br>
</font>]<br>
ssltap: Error -5961: TCP connection reset by peer.: error on
server-side socket.<br>
Connection 2 Complete [Wed Nov 18 09:14:56 2009]
<div>
<div class="h5"><br>
<br>
<br>
<br>
<div class="gmail_quote">On Tue, Nov 17, 2009 at 7:21 PM,
Chandrasekar Kannan <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ckannan@redhat.com" target="_blank">ckannan@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff">
<div>On 11/17/2009 01:09 PM, John Dorovski wrote:
<blockquote type="cite">It was not a typo. I did use the port
number 9545.<br>
</blockquote>
<br>
</div>
Ok. one idea would be to run the utility "ssltap" as a proxy<br>
and using your browser to connect to the "ssltap" port and<br>
pasting the output here so folks can see what's happening<br>
during the SSL handshake.<br>
<a moz-do-not-send="true"
href="http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html"
target="_blank">http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html</a><br>
<br>
<br>
On a Fedora 10 system, its packaged with nss-tools rpm.<br>
<br>
Run ssltap like this...<br>
<br>
ssltap -sfxl CA_HOSTNAME:CA_PORT<br>
<br>
in your case, it will be <br>
<br>
ssltap -sfxl localhost:9545<br>
<br>
Then use a browser and connect to ssltap. ssltap<br>
listens on port 1924. So on the browser type..<br>
<br>
<a moz-do-not-send="true" href="https://localhost.localdomain:1924"
target="_blank">https://localhost.localdomain:1924</a><br>
<br>
<br>
ssltap will capture the results of the ssl handshake. <br>
<br>
Copy and paste it here so we can tell what's happening<br>
during that phase while you get the bad mac alert.<br>
<br>
Thanks,<br>
--Chandra
<div>
<div><br>
<br>
<br>
<br>
<blockquote type="cite"><br>
<br>
John<br>
<br>
<div class="gmail_quote">On Tue, Nov 17, 2009 at 3:51 PM,
Adewumi, Julius-p99373 <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Julius.Adewumi@gdc4s.com" target="_blank">Julius.Adewumi@gdc4s.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Unless it's a typo on your part, the two port numbers are different...<br>
Could that be the problem?<br>
8445 vs 9545<br>
<br>
From: Julius Adewumi<br>
@GDC4S.com<br>
Ph:480-441-6768<br>
Contract Corp:MTSI<br>
<div><br>
<br>
-----Original Message-----<br>
From: <a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com" target="_blank">pki-users-bounces@redhat.com</a>
[mailto:<a moz-do-not-send="true"
href="mailto:pki-users-bounces@redhat.com" target="_blank">pki-users-bounces@redhat.com</a>]<br>
On Behalf Of Christina Fu<br>
Sent: Tuesday, November 17, 2009 12:56 PM<br>
To: <a moz-do-not-send="true" href="mailto:pki-users@redhat.com"
target="_blank">pki-users@redhat.com</a><br>
</div>
<div>
<div>Cc: <a moz-do-not-send="true"
href="mailto:johndorovski@googlemail.com" target="_blank">johndorovski@googlemail.com</a><br>
Subject: [Pki-users] (forwarded) Help needed on dogtag<br>
<br>
I might have messed up when managing pki-users and this did not come<br>
through. Hence the forward.<br>
Christina<br>
<br>
Subject:<br>
Help needed on dogtag<br>
From:<br>
John Dorovski <<a moz-do-not-send="true"
href="mailto:johndorovski@googlemail.com" target="_blank">johndorovski@googlemail.com</a>><br>
Date:<br>
Tue, 17 Nov 2009 10:58:18 -0500<br>
<br>
To:<br>
<a moz-do-not-send="true" href="mailto:pki-users@redhat.com"
target="_blank">pki-users@redhat.com</a><br>
<br>
<br>
Hi,<br>
<br>
I just installed a dogtag (1.2.0) instance on my Fedora 10 system.<br>
I used a SafeNet ProtectServer Gold HSM as keystore.<br>
The dogtag system installation and configuration were fine. No error was<br>
reported.<br>
All keys and certificates were generated inside the HSM.<br>
<br>
But when I tried to access the secure admin interface at<br>
<a moz-do-not-send="true" href="https://localhost:localdomain:9545"
target="_blank">https://localhost:localdomain:9545</a><br>
I got error message:<br>
Secure Connection Failed<br>
An error occurred during a connection to localhost.localdomain:8445<br>
SSL peer reports incorrect Message Authentication Code.<br>
(Error code: ssl_error_bad_mac_alert)<br>
<br>
I checked the server certificate (viewed it with IE on a Windows box).<br>
It seems fine.<br>
<br>
Does any body know what is wrong and how can I fix it?<br>
<br>
Thanks,<br>
<br>
John<br>
<br>
_______________________________________________<br>
Pki-users mailing list<br>
<a moz-do-not-send="true" href="mailto:Pki-users@redhat.com"
target="_blank">Pki-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/pki-users"
target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<pre><fieldset></fieldset>
_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" href="mailto:Pki-users@redhat.com"
target="_blank">Pki-users@redhat.com</a>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/pki-users"
target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Pki-users mailing list<br>
<a moz-do-not-send="true" href="mailto:Pki-users@redhat.com"
target="_blank">Pki-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/pki-users"
target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Pki-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a>
</pre>
</blockquote>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a>
</pre>
</blockquote>
<br>
</body>
</html>