<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16915" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left>
<TABLE cellPadding=5 border=2 sizset="30" sizcache="0">
<TBODY sizset="30" sizcache="0">
<TR sizset="85" sizcache="0">
<TD vAlign=baseline align=left sizset="85" sizcache="0"><A
name=1040353></A><TT>SSL_ERROR_BAD_MAC_ALERT</TT></TD>
<TD vAlign=baseline align=left>-12272</TD>
<TD vAlign=baseline align=left sizset="86" sizcache="0"><A
name=1040355></A>"SSL peer reports incorrect Message Authentication Code."
<P sizset="87" sizcache="0"><A name=1040356></A>The remote system has
reported that it received a message with a bad Message Authentication Code
from the local system. This may indicate that an attack on that server is
underway.</P></TD></TR></TBODY></TABLE></DIV>
<DIV> </DIV><!-- Converted from text/rtf format -->
<P><I><SPAN lang=en-us><FONT face="Arial Narrow" size=2><SPAN
class=076243517-18112009>The trace shows "cipher-change-request" as the last capture
before the error was reported.</SPAN></FONT></SPAN></I></P>
<P><I><SPAN lang=en-us><FONT face="Arial Narrow"
size=2></FONT></SPAN></I> </P>
<P><I><SPAN lang=en-us><FONT face="Arial Narrow" size=2>From: Julius
Adewumi</FONT></SPAN></I> <BR><I><SPAN lang=en-us><FONT face="Arial Narrow"
size=2>@GDC4S.com</FONT></SPAN></I> <BR><I><SPAN lang=en-us><FONT
face="Arial Narrow" size=2>Ph:480-441-6768</FONT></SPAN></I> <BR><I><SPAN
lang=en-us><FONT face="Arial Narrow" size=2>Contract
Corp:MTSI</FONT></SPAN></I><SPAN lang=en-us></SPAN> </P>
<DIV> </DIV><BR>
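<P>An added example, not part of the original thread: it decodes the client-side record headers copied from the ssltap output quoted below and checks that the record following change_cipher_spec has exactly the length of a Finished message under the negotiated RC4-128/MD5 suite. The function names are this example's own.</P>
<PRE>
```python
# Client-to-server record headers copied from the ssltap output on this page.
CONN1 = ["16 03 01 00 73", "16 03 01 01 06", "14 03 01 00 01", "16 03 01 00 20"]
CONN2_TAIL = ["16 03 00 01 04", "14 03 00 00 01", "16 03 00 00 38"]

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
MD5_MAC_LEN = 16        # MAC size for the negotiated RC4-128/MD5 suite
HANDSHAKE_HDR_LEN = 4   # msg_type (1 byte) + length (3 bytes)


def parse_header(hex_header):
    """Decode a 5-byte SSL/TLS record header into (type, version, length)."""
    raw = bytes.fromhex(hex_header.replace(" ", ""))
    if len(raw) != 5:
        raise ValueError("record header must be 5 bytes")
    ctype = CONTENT_TYPES.get(raw[0])
    if ctype is None:
        raise ValueError("unknown content type %d" % raw[0])
    return ctype, (raw[1], raw[2]), int.from_bytes(raw[3:5], "big")


def finished_record_len(version):
    """Length of an RC4/MD5-protected Finished record (stream cipher, no padding)."""
    # SSL 3.0 Finished carries md5_hash[16] + sha_hash[20];
    # TLS 1.0 carries a 12-byte verify_data.
    body = 36 if version == (3, 0) else 12
    return HANDSHAKE_HDR_LEN + body + MD5_MAC_LEN


def last_client_message(hex_headers):
    """Name the final client record, tracking the switch to the new keys."""
    keys_active = False
    label = None
    for hdr in hex_headers:
        ctype, version, length = parse_header(hdr)
        if ctype == "change_cipher_spec":
            keys_active = True   # everything after this is encrypted and MACed
            label = ctype
        elif keys_active and ctype == "handshake":
            ok = length == finished_record_len(version)
            label = "finished (encrypted)" if ok else "encrypted handshake"
        else:
            label = ctype
    return label
```
</PRE>
<P>In both connections the client's Finished is the first record sent under the new keys, and ssltap logs the reset on the server-side socket right after it, before any server change_cipher_spec appears.</P>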
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> John Dorovski
[mailto:johndorovski@googlemail.com] <BR><B>Sent:</B> Wednesday, November 18,
2009 7:34 AM<BR><B>To:</B> Chandrasekar Kannan<BR><B>Cc:</B> Adewumi,
Julius-p99373; pki-users@redhat.com<BR><B>Subject:</B> Re: [Pki-users]
(forwarded) Help needed on dogtag<BR></FONT><BR></DIV>
<DIV></DIV>Here are the two certs ssltap captured.<BR><BR><BR>
<DIV class=gmail_quote>On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <SPAN
dir=ltr><<A
href="mailto:johndorovski@googlemail.com">johndorovski@googlemail.com</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">Here
is my ssltap output:<BR><BR>[root@rd1 linux-i386]# ssltap -sfxl
localhost.localdomain:9545<BR><HTML><HEAD><TITLE>SSLTAP
output</TITLE></HEAD><BR><BODY><PRE><BR>Looking up
"localhost.localdomain"...<BR>Proxy socket ready and
listening<BR><p><HR><H2>Connection #1 [Wed Nov 18 09:14:56
2009]<BR></H2>Connected to localhost.localdomain:9545<BR>-->
[<BR><font color=blue>(120 bytes of 115)<BR>SSLRecord { [Wed Nov 18
09:14:56 2009]<BR> 0: 16 03 01 00
73
| ....s<BR> type = 22
(handshake)<BR> version = { 3,1 }<BR> length =
115 (0x73)<BR> handshake {<BR> 0: 01 00 00
6f
| ...o<BR> type = 1
(client_hello)<BR> length = 111
(0x00006f)<BR> ClientHelloV3
{<BR>
client_version = {3,
1}<BR>
random = {...}<BR> 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb
29 b3 a4 eb 26 | K..`>...l&.)...&<BR>
10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b |
....$.uy..x@{X^{<BR>
session ID =
{<BR>
length =
0<BR>
contents =
{...}<BR>
}<BR>
cipher_suites[18] = {
<BR>
(0x0088)
TLS/DHE-RSA/CAMELLIA256-CBC/SHA<BR>
(0x0087)
TLS/DHE-DSS/CAMELLIA256-CBC/SHA<BR>
(0x0039)
TLS/DHE-RSA/AES256-CBC/SHA<BR>
(0x0038)
TLS/DHE-DSS/AES256-CBC/SHA<BR>
(0x0084)
TLS/RSA/CAMELLIA256-CBC/SHA<BR>
(0x0035)
TLS/RSA/AES256-CBC/SHA<BR>
(0x0045)
TLS/DHE-RSA/CAMELLIA128-CBC/SHA<BR>
(0x0044)
TLS/DHE-DSS/CAMELLIA128-CBC/SHA<BR>
(0x0033)
TLS/DHE-RSA/AES128-CBC/SHA<BR>
(0x0032)
TLS/DHE-DSS/AES128-CBC/SHA<BR>
(0x0041)
TLS/RSA/CAMELLIA128-CBC/SHA<BR>
(0x0004)
SSL3/RSA/RC4-128/MD5<BR>
(0x0005)
SSL3/RSA/RC4-128/SHA<BR>
(0x002f)
TLS/RSA/AES128-CBC/SHA<BR>
(0x0016)
SSL3/DHE-RSA/3DES192EDE-CBC/SHA<BR>
(0x0013)
SSL3/DHE-DSS/DES192EDE3CBC/SHA<BR>
(0xfeff)
SSL3/RSA-FIPS/3DESEDE-CBC/SHA<BR>
(0x000a)
SSL3/RSA/3DES192EDE-CBC/SHA<BR>
}<BR>
compression[1] = { 00
}<BR>
extensions[34] =
{<BR>
extension type server_name, length [26] = {<BR> 0: 00 18 00
00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c |
.....localhost.l<BR> 10: 6f 63 61 6c 64 6f 6d 61 69
6e
|
ocaldomain<BR>
}<BR>
extension type session_ticket, length
[0]<BR>
}<BR> }<BR>
}<BR>}<BR></font>]<BR><-- [<BR><font color=red>(1903 bytes of
1898)<BR>SSLRecord { [Wed Nov 18 09:14:56 2009]<BR> 0: 16 03 01
07
6a
| ....j<BR> type = 22
(handshake)<BR> version = { 3,1 }<BR> length =
1898 (0x76a)<BR> handshake {<BR> 0: 02 00 00
46
| ...F<BR> type = 2
(server_hello)<BR> length = 70
(0x000046)<BR> ServerHello
{<BR>
server_version = {3,
1}<BR>
random = {...}<BR> 0: 4b 04 01 60 d1 86 09 69 01 8d c2
5e 1a 9c 99 16 | K..`...i...^....<BR> 10: de 0e bd 27
b6 c5 be 57 23 f1 1e 03 69 40 55 9d |
...'...W#...i@U.<BR>
session ID =
{<BR>
length =
32<BR>
contents = {...}<BR> 0: 67 66 c6 7f f7 ac d6 98 45 f2
6d 9f c6 84 e1 df | gf. ....E.m.....<BR> 10: ff ff c0
87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 |
.........7.n..+%<BR>
}<BR>
cipher_suite = (0x0004)
SSL3/RSA/RC4-128/MD5<BR>
compression method = 00<BR>
}<BR> 0: 0b 00 07
18
| ....<BR> type = 11
(certificate)<BR> length = 1816
(0x000718)<BR>
CertificateChain
{<BR>
chainlength = 1813
(0x0715)<BR>
Certificate
{<BR>
size = 890
(0x037a)<BR>
data = { saved in file 'cert.001'
}<BR>
}<BR>
Certificate
{<BR>
size = 917
(0x0395)<BR>
data = { saved in file 'cert.002'
}<BR>
}<BR> }<BR> 0: 0e
00 00
00
| ....<BR> type = 14
(server_hello_done)<BR> length = 0
(0x000000)<BR> }<BR>}<BR></font>]<BR>--> [<BR><font
color=blue>(310 bytes of 262, with 43 left over)<BR>SSLRecord { [Wed Nov 18
09:14:56 2009]<BR> 0: 16 03 01 01
06
| .....<BR> type = 22
(handshake)<BR> version = { 3,1 }<BR> length =
262 (0x106)<BR> handshake {<BR> 0: 10 00 01
02
| ....<BR> type = 16
(client_key_exchange)<BR> length = 258
(0x000102)<BR>
ClientKeyExchange
{<BR>
message = {...}<BR>
}<BR> }<BR>}<BR>(310 bytes of 1, with 37 left over)<BR>SSLRecord {
[Wed Nov 18 09:14:56 2009]<BR> 0: 14 03 01 00
01
| .....<BR> type = 20
(change_cipher_spec)<BR> version = { 3,1 }<BR>
length = 1 (0x1)<BR> 0:
01
| .<BR>}<BR>(310 bytes of 32)<BR>SSLRecord { [Wed Nov 18 09:14:56
2009]<BR> 0: 16 03 01 00
20
| .... <BR> type = 22
(handshake)<BR> version = { 3,1 }<BR> length =
32
(0x20)<BR>
< encrypted ><BR>}<BR></font>]<BR>ssltap: Error -5961: TCP
connection reset by peer.: error on server-side socket.<BR>Connection 1
Complete [Wed Nov 18 09:14:56 2009]<BR><p><HR><H2>Connection
#2 [Wed Nov 18 09:14:56 2009]<BR></H2>Connected to
localhost.localdomain:9545<BR>--> [<BR><font color=blue>recordLen =
81 bytes<BR>(81 bytes of 81)<BR> [Wed Nov 18 09:14:56 2009] [ssl2]
ClientHelloV2
{<BR> version =
{0x03, 0x00}<BR>
cipher-specs-length = 54
(0x36)<BR>
sid-length = 0
(0x00)<BR>
challenge-length = 16
(0x10)<BR>
cipher-suites = {
<BR>
(0x000088)
TLS/DHE-RSA/CAMELLIA256-CBC/SHA<BR>
(0x000087)
TLS/DHE-DSS/CAMELLIA256-CBC/SHA<BR>
(0x000039)
TLS/DHE-RSA/AES256-CBC/SHA<BR>
(0x000038)
TLS/DHE-DSS/AES256-CBC/SHA<BR>
(0x000084)
TLS/RSA/CAMELLIA256-CBC/SHA<BR>
(0x000035)
TLS/RSA/AES256-CBC/SHA<BR>
(0x000045)
TLS/DHE-RSA/CAMELLIA128-CBC/SHA<BR>
(0x000044)
TLS/DHE-DSS/CAMELLIA128-CBC/SHA<BR>
(0x000033)
TLS/DHE-RSA/AES128-CBC/SHA<BR>
(0x000032)
TLS/DHE-DSS/AES128-CBC/SHA<BR>
(0x000041)
TLS/RSA/CAMELLIA128-CBC/SHA<BR>
(0x000004)
SSL3/RSA/RC4-128/MD5<BR>
(0x000005)
SSL3/RSA/RC4-128/SHA<BR>
(0x00002f)
TLS/RSA/AES128-CBC/SHA<BR>
(0x000016)
SSL3/DHE-RSA/3DES192EDE-CBC/SHA<BR>
(0x000013)
SSL3/DHE-DSS/DES192EDE3CBC/SHA<BR>
(0x00feff)
SSL3/RSA-FIPS/3DESEDE-CBC/SHA<BR>
(0x00000a)
SSL3/RSA/3DES192EDE-CBC/SHA<BR>
}<BR> session-id =
{ }<BR> challenge
= { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 0xf716
}<BR>}<BR></font>]<BR><-- [<BR><font color=red>(1903 bytes of
1898)<BR>SSLRecord { [Wed Nov 18 09:14:56 2009]<BR> 0: 16 03 00
07
6a
| ....j<BR> type = 22
(handshake)<BR> version = { 3,0 }<BR> length =
1898 (0x76a)<BR> handshake {<BR> 0: 02 00 00
46
| ...F<BR> type = 2
(server_hello)<BR> length = 70
(0x000046)<BR> ServerHello
{<BR>
server_version = {3,
0}<BR>
random = {...}<BR> 0: 4b 04 01 60 55 ce 82 33 ab d7 da
7f bc 74 ed ca | K..`U..3... .t..<BR> 10: 1e f3 95 26
21 fa db ce 83 94 24 0a bc 4e 89 51 |
...&!.....$..N.Q<BR>
session ID =
{<BR>
length =
32<BR>
contents = {...}<BR> 0: 67 66 50 ba 19 6d d9 38 7d 86
a9 e0 43 cb 57 0b | gfP..m.8}...C.W.<BR> 10: 19 d5 a7
e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 |
.......x..U&....<BR>
}<BR>
cipher_suite = (0x0004)
SSL3/RSA/RC4-128/MD5<BR>
compression method = 00<BR>
}<BR> 0: 0b 00 07
18
| ....<BR> type = 11
(certificate)<BR> length = 1816
(0x000718)<BR>
CertificateChain
{<BR>
chainlength = 1813
(0x0715)<BR>
Certificate
{<BR>
size = 890
(0x037a)<BR>
data = { saved in file 'cert.003'
}<BR>
}<BR>
Certificate
{<BR>
size = 917
(0x0395)<BR>
data = { saved in file 'cert.004'
}<BR>
}<BR> }<BR> 0: 0e
00 00
00
| ....<BR> type = 14
(server_hello_done)<BR> length = 0
(0x000000)<BR> }<BR>}<BR></font>]<BR>--> [<BR><font
color=blue>(332 bytes of 260, with 67 left over)<BR>SSLRecord { [Wed Nov 18
09:14:56 2009]<BR> 0: 16 03 00 01
04
| .....<BR> type = 22
(handshake)<BR> version = { 3,0 }<BR> length =
260 (0x104)<BR> handshake {<BR> 0: 10 00 01
00
| ....<BR> type = 16
(client_key_exchange)<BR> length = 256
(0x000100)<BR>
ClientKeyExchange
{<BR>
message = {...}<BR>
}<BR> }<BR>}<BR>(332 bytes of 1, with 61 left over)<BR>SSLRecord {
[Wed Nov 18 09:14:56 2009]<BR> 0: 14 03 00 00
01
| .....<BR> type = 20
(change_cipher_spec)<BR> version = { 3,0 }<BR>
length = 1 (0x1)<BR> 0:
01
| .<BR>}<BR>(332 bytes of 56)<BR>SSLRecord { [Wed Nov 18 09:14:56
2009]<BR> 0: 16 03 00 00
38
| ....8<BR> type = 22
(handshake)<BR> version = { 3,0 }<BR> length =
56
(0x38)<BR>
< encrypted ><BR>}<BR></font>]<BR>ssltap: Error -5961: TCP
connection reset by peer.: error on server-side socket.<BR>Connection 2
Complete [Wed Nov 18 09:14:56 2009]
<DIV>
<DIV></DIV>
<DIV class=h5><BR><BR><BR><BR>
<DIV class=gmail_quote>On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan
<SPAN dir=ltr><<A href="mailto:ckannan@redhat.com"
target=_blank>ckannan@redhat.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV text="#000000" bgcolor="#ffffff">
<DIV>On 11/17/2009 01:09 PM, John Dorovski wrote:
<BLOCKQUOTE type="cite">It was not a typo. I did use the port number
9545.<BR></BLOCKQUOTE><BR></DIV>OK. One idea would be to run the utility
"ssltap" as a proxy<BR>and using your browser to connect to the "ssltap"
port and<BR>pasting the output here so folks can see what's
happening<BR>during the SSL handshake.<BR><A
href="http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html"
target=_blank>http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html</A><BR><BR><BR>On
a Fedora 10 system, it's packaged with nss-tools rpm.<BR><BR>Run ssltap like
this...<BR><BR>ssltap -sfxl CA_HOSTNAME:CA_PORT<BR><BR>in your case, it will
be <BR><BR>ssltap -sfxl localhost:9545<BR><BR>Then use a browser and connect
to ssltap. ssltap<BR>listens on port 1924. So on the browser
type..<BR><BR> <A href="https://localhost.localdomain:1924"
target=_blank>https://localhost.localdomain:1924</A><BR><BR><BR>ssltap will
capture the results of the ssl handshake. <BR><BR>Copy and paste it here so
we can tell what's happening<BR>during that phase while you get the bad mac
alert.<BR><BR>Thanks,<BR>--Chandra
<DIV>
<DIV></DIV>
<DIV><BR><BR><BR><BR>
<BLOCKQUOTE type="cite"><BR><BR>John<BR><BR>
<DIV class=gmail_quote>On Tue, Nov 17, 2009 at 3:51 PM, Adewumi,
Julius-p99373 <SPAN dir=ltr><<A href="mailto:Julius.Adewumi@gdc4s.com"
target=_blank>Julius.Adewumi@gdc4s.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"><BR>Unless
it's a typo on your part, the two port numbers are different...<BR>Could
that be the problem?<BR>8445 vs 9545<BR><BR>From: Julius
Adewumi<BR>@GDC4S.com<BR>Ph:480-441-6768<BR>Contract Corp:MTSI<BR>
<DIV><BR><BR>-----Original Message-----<BR>From: <A
href="mailto:pki-users-bounces@redhat.com"
target=_blank>pki-users-bounces@redhat.com</A> [mailto:<A
href="mailto:pki-users-bounces@redhat.com"
target=_blank>pki-users-bounces@redhat.com</A>]<BR>On Behalf Of
Christina Fu<BR>Sent: Tuesday, November 17, 2009 12:56 PM<BR>To: <A
href="mailto:pki-users@redhat.com"
target=_blank>pki-users@redhat.com</A><BR></DIV>
<DIV>
<DIV>Cc: <A href="mailto:johndorovski@googlemail.com"
target=_blank>johndorovski@googlemail.com</A><BR>Subject: [Pki-users]
(forwarded) Help needed on dogtag<BR><BR>I might have messed up when
managing pki-users and this did not come<BR>through. Hence the
forward.<BR>Christina<BR><BR>Subject:<BR>Help needed on
dogtag<BR>From:<BR>John Dorovski <<A
href="mailto:johndorovski@googlemail.com"
target=_blank>johndorovski@googlemail.com</A>><BR>Date:<BR>Tue, 17
Nov 2009 10:58:18 -0500<BR><BR>To:<BR><A
href="mailto:pki-users@redhat.com"
target=_blank>pki-users@redhat.com</A><BR><BR><BR>Hi,<BR><BR>I just
installed a dogtag (1.2.0) instance on my Fedora 10 system.<BR>I used a
SafeNet ProtectServer Gold HSM as keystore.<BR>The dogtag system
installation and configuration were fine. No error
was<BR>reported.<BR>All keys and certificates were generated inside the
HSM.<BR><BR>But when I tried to access the secure admin interface
at<BR> <A href="https://localhost:localdomain:9545"
target=_blank>https://localhost:localdomain:9545</A><BR>I got error
message:<BR> Secure Connection Failed<BR> An
error occurred during a connection to
localhost.localdomain:8445<BR> SSL peer reports incorrect
Message Authentication Code.<BR> (Error code:
ssl_error_bad_mac_alert)<BR><BR>I checked the server certificate (viewed
it with IE on a Windows box).<BR>It seems fine.<BR><BR>Does any body
know what is wrong and how can I fix
it?<BR><BR>Thanks,<BR><BR>John<BR><BR>_______________________________________________<BR>Pki-users
mailing list<BR><A href="mailto:Pki-users@redhat.com"
target=_blank>Pki-users@redhat.com</A><BR><A
href="https://www.redhat.com/mailman/listinfo/pki-users"
target=_blank>https://www.redhat.com/mailman/listinfo/pki-users</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR><PRE><FIELDSET></FIELDSET>
</PRE></BLOCKQUOTE><BR></DIV></DIV></DIV><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></BODY></HTML>