From sean.veale at gdc4s.com Thu Nov 5 21:27:42 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Thu, 5 Nov 2009 16:27:42 -0500 Subject: [Pki-users] Crl Generation question Message-ID: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> Hi, Is is possible for to configure a CA so the CRLs are generated every X time (say every 1 day) but Next Update specified for a longer time, say every 5 days? If so, how do you do that? Thanks Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Thu Nov 5 22:21:53 2009 From: awnuk at redhat.com (Andrew Wnuk) Date: Thu, 05 Nov 2009 14:21:53 -0800 Subject: [Pki-users] Crl Generation question In-Reply-To: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> References: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> Message-ID: <4AF35001.5020000@redhat.com> On 11/05/09 13:27, Veale, Sean wrote: > > Hi, > > Is is possible for to configure a CA so the CRLs are generated every X > time (say every 1 day) but Next Update specified for a longer time, > say every 5 days? > > If so, how do you do that? > > Thanks > Sean > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > Yes, you can configure CA through CA console to "Update CRL ever: 1440 minutes" with "Next update grace period: 5760 minutes" or through CS.cfg . . . ca.crl..autoUpdateInterval=1440 . . . ca.crl..nextUpdateGracePeriod=5760 . . . Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Thu Nov 5 22:37:27 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Thu, 5 Nov 2009 17:37:27 -0500 Subject: [Pki-users] Crl Generation question In-Reply-To: <4AF35001.5020000@redhat.com> References: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> <4AF35001.5020000@redhat.com> Message-ID: <5E904A528F23FA469961CECAC5F41787020A0E14@NDHMC4SXCH.gdc4s.com> Great. Thanks Sean ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk Sent: Thursday, November 05, 2009 5:22 PM To: pki-users at redhat.com Subject: Re: [Pki-users] Crl Generation question On 11/05/09 13:27, Veale, Sean wrote: Hi, Is is possible for to configure a CA so the CRLs are generated every X time (say every 1 day) but Next Update specified for a longer time, say every 5 days? If so, how do you do that? Thanks Sean _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users Yes, you can configure CA through CA console to "Update CRL ever: 1440 minutes" with "Next update grace period: 5760 minutes" or through CS.cfg . . . ca.crl..autoUpdateInterval=1440 . . . ca.crl..nextUpdateGracePeriod=5760 . . . Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Fri Nov 6 15:07:27 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Fri, 6 Nov 2009 10:07:27 -0500 Subject: [Pki-users] Question about internal OCSP responder setup by the CA. Message-ID: <5E904A528F23FA469961CECAC5F41787020E30AC@NDHMC4SXCH.gdc4s.com> Hi, Is the port the OCSP responder is listening on always 9180, or is it whatever the unsecured port is setup when configuring the CA? Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Tue Nov 10 23:21:56 2009 From: awnuk at redhat.com (Andrew Wnuk) Date: Tue, 10 Nov 2009 15:21:56 -0800 Subject: [Pki-users] Question about internal OCSP responder setup by the CA. In-Reply-To: <5E904A528F23FA469961CECAC5F41787020E30AC@NDHMC4SXCH.gdc4s.com> References: <5E904A528F23FA469961CECAC5F41787020E30AC@NDHMC4SXCH.gdc4s.com> Message-ID: <4AF9F594.3080202@redhat.com> On 11/06/09 07:07, Veale, Sean wrote: > > Hi, > > Is the port the OCSP responder is listening on always 9180, or is it > whatever the unsecured port is setup when configuring the CA? > > Sean > It is the unsecured CA port. Andrew. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Julius.Adewumi at gdc4s.com Wed Nov 11 21:41:19 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Wed, 11 Nov 2009 14:41:19 -0700 Subject: [Pki-users] Attribute Certificate Message-ID: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> Can a Redhat CA profile be created for Attributes certificate? Has anyone tried this or what problems will not allow it to be usable? From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI -------------- next part -------------- An HTML attachment was scrubbed... URL: From msauton at redhat.com Wed Nov 11 21:44:26 2009 From: msauton at redhat.com (Marc Sauton) Date: Wed, 11 Nov 2009 13:44:26 -0800 Subject: [Pki-users] Attribute Certificate In-Reply-To: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> References: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> Message-ID: <4AFB303A.6040607@redhat.com> Yes, like with the default profile for enrolling CA certificates, caCACert.cfg It is possible to create custom profiles using caCACert.cfg as an example to start with. M. Adewumi, Julius-p99373 wrote: > > Can a Redhat CA profile be created for Attributes certificate? > Has anyone tried this or what problems will not allow it to be usable? > > /From: Julius Adewumi/ > /@GDC4S.com/ > /Ph:480-441-6768/ > /Contract Corp:MTSI/ > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6650 bytes Desc: S/MIME Cryptographic Signature URL: From msauton at redhat.com Wed Nov 11 22:40:36 2009 From: msauton at redhat.com (Marc Sauton) Date: Wed, 11 Nov 2009 14:40:36 -0800 Subject: [Pki-users] Attribute Certificate In-Reply-To: <4AFB303A.6040607@redhat.com> References: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> <4AFB303A.6040607@redhat.com> Message-ID: <4AFB3D64.8020307@redhat.com> I may have misunderstood your initial question. If this is about rfc3281 for "Attribute Certificate", then no, there is currently no such support in Dogtag of Red Hat Certificate System. That could be a RFE. M. Marc Sauton wrote: > Yes, like with the default profile for enrolling CA certificates, > caCACert.cfg > It is possible to create custom profiles using caCACert.cfg as an > example to start with. > M. > > Adewumi, Julius-p99373 wrote: >> >> Can a Redhat CA profile be created for Attributes certificate? >> Has anyone tried this or what problems will not allow it to be usable? >> >> /From: Julius Adewumi/ >> /@GDC4S.com/ >> /Ph:480-441-6768/ >> /Contract Corp:MTSI/ >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6650 bytes Desc: S/MIME Cryptographic Signature URL: From cfu at redhat.com Tue Nov 17 19:56:08 2009 From: cfu at redhat.com (Christina Fu) Date: Tue, 17 Nov 2009 11:56:08 -0800 Subject: [Pki-users] (forwarded) Help needed on dogtag Message-ID: <4B02FFD8.9040702@redhat.com> I might have messed up when managing pki-users and this did not come through. Hence the forward. Christina Subject: Help needed on dogtag From: John Dorovski Date: Tue, 17 Nov 2009 10:58:18 -0500 To: pki-users at redhat.com Hi, I just installed a dogtag (1.2.0) instance on my Fedora 10 system. I used a SafeNet ProtectServer Gold HSM as keystore. The dogtag system installation and configuration were fine. No error was reported. All keys and certificates were generated inside the HSM. But when I tried to access the secure admin interface at https://localhost:localdomain:9545 I got error message: Secure Connection Failed An error occurred during a connection to localhost.localdomain:8445 SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert) I checked the server certificate (viewed it with IE on a Windows box). It seems fine. Does any body know what is wrong and how can I fix it? Thanks, John From Julius.Adewumi at gdc4s.com Tue Nov 17 20:51:59 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Tue, 17 Nov 2009 13:51:59 -0700 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <4B02FFD8.9040702@redhat.com> References: <4B02FFD8.9040702@redhat.com> Message-ID: <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> Unless it's a typo on your part, the two port numbers are different... Could that be the problem? 8445 vs 9545 From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI -----Original Message----- From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu Sent: Tuesday, November 17, 2009 12:56 PM To: pki-users at redhat.com Cc: johndorovski at googlemail.com Subject: [Pki-users] (forwarded) Help needed on dogtag I might have messed up when managing pki-users and this did not come through. Hence the forward. Christina Subject: Help needed on dogtag From: John Dorovski Date: Tue, 17 Nov 2009 10:58:18 -0500 To: pki-users at redhat.com Hi, I just installed a dogtag (1.2.0) instance on my Fedora 10 system. I used a SafeNet ProtectServer Gold HSM as keystore. The dogtag system installation and configuration were fine. No error was reported. All keys and certificates were generated inside the HSM. But when I tried to access the secure admin interface at https://localhost:localdomain:9545 I got error message: Secure Connection Failed An error occurred during a connection to localhost.localdomain:8445 SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert) I checked the server certificate (viewed it with IE on a Windows box). It seems fine. Does any body know what is wrong and how can I fix it? Thanks, John _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users From johndorovski at googlemail.com Tue Nov 17 21:09:32 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Tue, 17 Nov 2009 16:09:32 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> Message-ID: It was not a typo. I did use the port number 9545. John On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 < Julius.Adewumi at gdc4s.com> wrote: > > Unless it's a typo on your part, the two port numbers are different... > Could that be the problem? > 8445 vs 9545 > > From: Julius Adewumi > @GDC4S.com > Ph:480-441-6768 > Contract Corp:MTSI > > > -----Original Message----- > From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] > On Behalf Of Christina Fu > Sent: Tuesday, November 17, 2009 12:56 PM > To: pki-users at redhat.com > Cc: johndorovski at googlemail.com > Subject: [Pki-users] (forwarded) Help needed on dogtag > > I might have messed up when managing pki-users and this did not come > through. Hence the forward. > Christina > > Subject: > Help needed on dogtag > From: > John Dorovski > Date: > Tue, 17 Nov 2009 10:58:18 -0500 > > To: > pki-users at redhat.com > > > Hi, > > I just installed a dogtag (1.2.0) instance on my Fedora 10 system. > I used a SafeNet ProtectServer Gold HSM as keystore. > The dogtag system installation and configuration were fine. No error was > reported. > All keys and certificates were generated inside the HSM. > > But when I tried to access the secure admin interface at > https://localhost:localdomain:9545 > I got error message: > Secure Connection Failed > An error occurred during a connection to localhost.localdomain:8445 > SSL peer reports incorrect Message Authentication Code. > (Error code: ssl_error_bad_mac_alert) > > I checked the server certificate (viewed it with IE on a Windows box). > It seems fine. > > Does any body know what is wrong and how can I fix it? > > Thanks, > > John > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckannan at redhat.com Wed Nov 18 00:21:53 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Tue, 17 Nov 2009 16:21:53 -0800 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> Message-ID: <4B033E21.9080306@redhat.com> On 11/17/2009 01:09 PM, John Dorovski wrote: > It was not a typo. I did use the port number 9545. Ok. one idea would be to run the utility "ssltap" as a proxy and using your browser to connect to the "ssltap" port and pasting the output here so folks can see what's happening during the SSL handshake. http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html On a Fedora 10 system, its packaged with nss-tools rpm. Run ssltap like this... ssltap -sfxl CA_HOSTNAME:CA_PORT in your case, it will be ssltap -sfxl localhost:9545 Then use a browser and connect to ssltap. ssltap listens on port 1924. So on the browser type.. https://localhost.localdomain:1924 ssltap will capture the results of the ssl handshake. Copy and paste it here so we can tell what's happening during that phase while you get the bad mac alert. Thanks, --Chandra > > > John > > On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 > > wrote: > > > Unless it's a typo on your part, the two port numbers are different... > Could that be the problem? > 8445 vs 9545 > > From: Julius Adewumi > @GDC4S.com > Ph:480-441-6768 > Contract Corp:MTSI > > > -----Original Message----- > From: pki-users-bounces at redhat.com > > [mailto:pki-users-bounces at redhat.com > ] > On Behalf Of Christina Fu > Sent: Tuesday, November 17, 2009 12:56 PM > To: pki-users at redhat.com > Cc: johndorovski at googlemail.com > Subject: [Pki-users] (forwarded) Help needed on dogtag > > I might have messed up when managing pki-users and this did not come > through. Hence the forward. > Christina > > Subject: > Help needed on dogtag > From: > John Dorovski > > Date: > Tue, 17 Nov 2009 10:58:18 -0500 > > To: > pki-users at redhat.com > > > Hi, > > I just installed a dogtag (1.2.0) instance on my Fedora 10 system. > I used a SafeNet ProtectServer Gold HSM as keystore. > The dogtag system installation and configuration were fine. No > error was > reported. > All keys and certificates were generated inside the HSM. > > But when I tried to access the secure admin interface at > https://localhost:localdomain:9545 > I got error message: > Secure Connection Failed > An error occurred during a connection to localhost.localdomain:8445 > SSL peer reports incorrect Message Authentication Code. > (Error code: ssl_error_bad_mac_alert) > > I checked the server certificate (viewed it with IE on a Windows box). > It seems fine. > > Does any body know what is wrong and how can I fix it? > > Thanks, > > John > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndorovski at googlemail.com Wed Nov 18 14:20:45 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Wed, 18 Nov 2009 09:20:45 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <4B033E21.9080306@redhat.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> Message-ID: Here is my ssltap output: [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 SSLTAP output 
Looking up "localhost.localdomain"...
Proxy socket ready and listening

Connection #1 [Wed Nov 18 09:14:56 2009]

Connected to localhost.localdomain:9545
--> [
(120 bytes of 115)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 01 00  73                                     | ....s
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 115 (0x73)
   handshake {
   0: 01 00 00 6f                                         | ...o
      type = 1 (client_hello)
      length = 111 (0x00006f)
         ClientHelloV3 {
            client_version = {3, 1}
            random = {...}
   0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
K..`>...l&.)...&
  10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  | ....$.uy..x@{X^{
            session ID = {
                length = 0
                contents = {...}
            }
            cipher_suites[18] = {
                (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
                (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
                (0x0035) TLS/RSA/AES256-CBC/SHA
                (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
                (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
                (0x0004) SSL3/RSA/RC4-128/MD5
                (0x0005) SSL3/RSA/RC4-128/SHA
                (0x002f) TLS/RSA/AES128-CBC/SHA
                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
            }
            compression[1] = { 00 }
            extensions[34] = {
              extension type server_name, length [26] = {
   0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  | .....localhost.l
  10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
              }
              extension type session_ticket, length [0]
            }
         }
   }
}
]
<-- [
(1903 bytes of 1898)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 01 07  6a                                     | ....j
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 1898 (0x76a)
   handshake {
   0: 02 00 00 46                                         | ...F
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 1}
            random = {...}
   0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  | K..`...i...^....
  10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  | ...'...W#...i at U.
            session ID = {
                length = 32
                contents = {...}
   0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.....E.m.....
  10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  | .........7.n..+%
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
            compression method = 00
         }
   0: 0b 00 07 18                                         | ....
      type = 11 (certificate)
      length = 1816 (0x000718)
         CertificateChain {
            chainlength = 1813 (0x0715)
            Certificate {
               size = 890 (0x037a)
               data = { saved in file 'cert.001' }
            }
            Certificate {
               size = 917 (0x0395)
               data = { saved in file 'cert.002' }
            }
         }
   0: 0e 00 00 00                                         | ....
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(310 bytes of 262, with 43 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 01 01  06                                     | .....
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 262 (0x106)
   handshake {
   0: 10 00 01 02                                         | ....
      type = 16 (client_key_exchange)
      length = 258 (0x000102)
         ClientKeyExchange {
            message = {...}
         }
   }
}
(310 bytes of 1, with 37 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 14 03 01 00  01                                     | .....
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
   0: 01                                                  | .
}
(310 bytes of 32)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 01 00  20                                     | ....
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 32 (0x20)
            < encrypted >
}
]
ssltap: Error -5961: TCP connection reset by peer.: error on server-side
socket.
Connection 1 Complete [Wed Nov 18 09:14:56 2009]

Connection #2 [Wed Nov 18 09:14:56 2009]

Connected to localhost.localdomain:9545
--> [
recordLen = 81 bytes
(81 bytes of 81)
 [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
           version = {0x03, 0x00}
           cipher-specs-length = 54 (0x36)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = {
                (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
                (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
                (0x000035) TLS/RSA/AES256-CBC/SHA
                (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
                (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x000005) SSL3/RSA/RC4-128/SHA
                (0x00002f) TLS/RSA/AES128-CBC/SHA
                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                }
           session-id = { }
           challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
0xf716 }
}
]
<-- [
(1903 bytes of 1898)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 00 07  6a                                     | ....j
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 1898 (0x76a)
   handshake {
   0: 02 00 00 46                                         | ...F
      type = 2 (server_hello)
      length = 70 (0x000046)
         ServerHello {
            server_version = {3, 0}
            random = {...}
   0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  | K..`U..3....t..
  10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
...&!.....$..N.Q
            session ID = {
                length = 32
                contents = {...}
   0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  | gfP..m.8}...C.W.
  10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
.......x..U&....
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
            compression method = 00
         }
   0: 0b 00 07 18                                         | ....
      type = 11 (certificate)
      length = 1816 (0x000718)
         CertificateChain {
            chainlength = 1813 (0x0715)
            Certificate {
               size = 890 (0x037a)
               data = { saved in file 'cert.003' }
            }
            Certificate {
               size = 917 (0x0395)
               data = { saved in file 'cert.004' }
            }
         }
   0: 0e 00 00 00                                         | ....
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [
(332 bytes of 260, with 67 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 00 01  04                                     | .....
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 260 (0x104)
   handshake {
   0: 10 00 01 00                                         | ....
      type = 16 (client_key_exchange)
      length = 256 (0x000100)
         ClientKeyExchange {
            message = {...}
         }
   }
}
(332 bytes of 1, with 61 left over)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 14 03 00 00  01                                     | .....
   type    = 20 (change_cipher_spec)
   version = { 3,0 }
   length  = 1 (0x1)
   0: 01                                                  | .
}
(332 bytes of 56)
SSLRecord { [Wed Nov 18 09:14:56 2009]
   0: 16 03 00 00  38                                     | ....8
   type    = 22 (handshake)
   version = { 3,0 }
   length  = 56 (0x38)
            < encrypted >
}
]
ssltap: Error -5961: TCP connection reset by peer.: error on server-side
socket.
Connection 2 Complete [Wed Nov 18 09:14:56 2009]



On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote:

>  On 11/17/2009 01:09 PM, John Dorovski wrote:
>
> It was not a typo. I did use the port number 9545.
>
>
> Ok. one idea would be to run the utility "ssltap" as a proxy
> and using your browser to connect to the "ssltap" port and
> pasting the output here so folks can see what's happening
> during the SSL handshake.
> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>
>
> On a Fedora 10 system, its packaged with nss-tools rpm.
>
> Run ssltap like this...
>
> ssltap -sfxl CA_HOSTNAME:CA_PORT
>
> in your case, it will be
>
> ssltap -sfxl localhost:9545
>
> Then use a browser and connect to ssltap. ssltap
> listens on port 1924. So on the browser type..
>
>  https://localhost.localdomain:1924
>
>
> ssltap will capture the results of the ssl handshake.
>
> Copy and paste it here so we can tell what's happening
> during that phase while you get the bad mac alert.
>
> Thanks,
> --Chandra
>
>
>
>
>
>
> John
>
> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <
> Julius.Adewumi at gdc4s.com> wrote:
>
>>
>> Unless it's a typo on your part, the two port numbers are different...
>> Could that be the problem?
>> 8445  vs 9545
>>
>> From: Julius Adewumi
>> @GDC4S.com
>> Ph:480-441-6768
>> Contract Corp:MTSI
>>
>>
>> -----Original Message-----
>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
>> On Behalf Of Christina Fu
>> Sent: Tuesday, November 17, 2009 12:56 PM
>> To: pki-users at redhat.com
>>  Cc: johndorovski at googlemail.com
>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>
>> I might have messed up when managing pki-users and this did not come
>> through.  Hence the forward.
>> Christina
>>
>> Subject:
>> Help needed on dogtag
>> From:
>> John Dorovski 
>> Date:
>> Tue, 17 Nov 2009 10:58:18 -0500
>>
>> To:
>> pki-users at redhat.com
>>
>>
>> Hi,
>>
>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>> I used a SafeNet ProtectServer Gold HSM as keystore.
>> The dogtag system installation and configuration were fine. No error was
>> reported.
>> All keys and certificates were generated inside the HSM.
>>
>> But when I tried to access the secure admin interface at
>>     https://localhost:localdomain:9545
>> I got error message:
>>    Secure Connection Failed
>>    An error occurred during a connection to localhost.localdomain:8445
>>    SSL peer reports incorrect Message Authentication Code.
>>    (Error code: ssl_error_bad_mac_alert)
>>
>> I checked the server certificate (viewed it with IE on a Windows box).
>> It seems fine.
>>
>> Does any body know what is wrong and how can I fix it?
>>
>> Thanks,
>>
>> John
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From johndorovski at googlemail.com  Wed Nov 18 14:33:30 2009
From: johndorovski at googlemail.com (John Dorovski)
Date: Wed, 18 Nov 2009 09:33:30 -0500
Subject: [Pki-users] (forwarded) Help needed on dogtag
In-Reply-To: 
References: <4B02FFD8.9040702@redhat.com>
	<150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com>
	
	<4B033E21.9080306@redhat.com>
	
Message-ID: 

Here are the   two certs ssltap captured.


On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski
wrote:

> Here is my ssltap output:
>
> [root at rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
> SSLTAP output
> 
> Looking up "localhost.localdomain"...
> Proxy socket ready and listening
> 
Connection #1 [Wed Nov 18 09:14:56 2009]
> 
Connected to localhost.localdomain:9545
> --> [
> (120 bytes of 115)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 01 00  73                                     | ....s
>    type    = 22 (handshake)
>    version = { 3,1 }
>    length  = 115 (0x73)
>    handshake {
>    0: 01 00 00 6f                                         | ...o
>       type = 1 (client_hello)
>       length = 111 (0x00006f)
>          ClientHelloV3 {
>             client_version = {3, 1}
>             random = {...}
>    0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
> K..`>...l&.)...&
>   10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  | ....$.uy..x@
> {X^{
>             session ID = {
>                 length = 0
>                 contents = {...}
>             }
>             cipher_suites[18] = {
>                 (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>                 (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>                 (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>                 (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>                 (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>                 (0x0035) TLS/RSA/AES256-CBC/SHA
>                 (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>                 (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>                 (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>                 (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>                 (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>                 (0x0004) SSL3/RSA/RC4-128/MD5
>                 (0x0005) SSL3/RSA/RC4-128/SHA
>                 (0x002f) TLS/RSA/AES128-CBC/SHA
>                 (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>                 (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>                 (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>                 (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>             }
>             compression[1] = { 00 }
>             extensions[34] = {
>               extension type server_name, length [26] = {
>    0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
> .....localhost.l
>   10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
>               }
>               extension type session_ticket, length [0]
>             }
>          }
>    }
> }
> ]
> <-- [
> (1903 bytes of 1898)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 01 07  6a                                     | ....j
>    type    = 22 (handshake)
>    version = { 3,1 }
>    length  = 1898 (0x76a)
>    handshake {
>    0: 02 00 00 46                                         | ...F
>       type = 2 (server_hello)
>       length = 70 (0x000046)
>          ServerHello {
>             server_version = {3, 1}
>             random = {...}
>    0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
> K..`...i...^....
>   10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
> ...'...W#...i at U.
>             session ID = {
>                 length = 32
>                 contents = {...}
>    0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
> ....E.m.....
>   10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
> .........7.n..+%
>             }
>             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>             compression method = 00
>          }
>    0: 0b 00 07 18                                         | ....
>       type = 11 (certificate)
>       length = 1816 (0x000718)
>          CertificateChain {
>             chainlength = 1813 (0x0715)
>             Certificate {
>                size = 890 (0x037a)
>                data = { saved in file 'cert.001' }
>             }
>             Certificate {
>                size = 917 (0x0395)
>                data = { saved in file 'cert.002' }
>             }
>          }
>    0: 0e 00 00 00                                         | ....
>       type = 14 (server_hello_done)
>       length = 0 (0x000000)
>    }
> }
> ]
> --> [
> (310 bytes of 262, with 43 left over)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 01 01  06                                     | .....
>    type    = 22 (handshake)
>    version = { 3,1 }
>    length  = 262 (0x106)
>    handshake {
>    0: 10 00 01 02                                         | ....
>       type = 16 (client_key_exchange)
>       length = 258 (0x000102)
>          ClientKeyExchange {
>             message = {...}
>          }
>    }
> }
> (310 bytes of 1, with 37 left over)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 14 03 01 00  01                                     | .....
>    type    = 20 (change_cipher_spec)
>    version = { 3,1 }
>    length  = 1 (0x1)
>    0: 01                                                  | .
> }
> (310 bytes of 32)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 01 00  20                                     | ....
>    type    = 22 (handshake)
>    version = { 3,1 }
>    length  = 32 (0x20)
>             < encrypted >
> }
> ]
> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
> socket.
> Connection 1 Complete [Wed Nov 18 09:14:56 2009]
> 
Connection #2 [Wed Nov 18 09:14:56 2009]
> 
Connected to localhost.localdomain:9545
> --> [
> recordLen = 81 bytes
> (81 bytes of 81)
>  [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
>            version = {0x03, 0x00}
>            cipher-specs-length = 54 (0x36)
>            sid-length = 0 (0x00)
>            challenge-length = 16 (0x10)
>            cipher-suites = {
>                 (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>                 (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>                 (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>                 (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>                 (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>                 (0x000035) TLS/RSA/AES256-CBC/SHA
>                 (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>                 (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>                 (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>                 (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>                 (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>                 (0x000004) SSL3/RSA/RC4-128/MD5
>                 (0x000005) SSL3/RSA/RC4-128/SHA
>                 (0x00002f) TLS/RSA/AES128-CBC/SHA
>                 (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>                 (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>                 (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>                 (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>                 }
>            session-id = { }
>            challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
> 0xf716 }
> }
> ]
> <-- [
> (1903 bytes of 1898)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 00 07  6a                                     | ....j
>    type    = 22 (handshake)
>    version = { 3,0 }
>    length  = 1898 (0x76a)
>    handshake {
>    0: 02 00 00 46                                         | ...F
>       type = 2 (server_hello)
>       length = 70 (0x000046)
>          ServerHello {
>             server_version = {3, 0}
>             random = {...}
>    0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  | K..`U..3...
> .t..
>   10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
> ...&!.....$..N.Q
>             session ID = {
>                 length = 32
>                 contents = {...}
>    0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
> gfP..m.8}...C.W.
>   10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
> .......x..U&....
>             }
>             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>             compression method = 00
>          }
>    0: 0b 00 07 18                                         | ....
>       type = 11 (certificate)
>       length = 1816 (0x000718)
>          CertificateChain {
>             chainlength = 1813 (0x0715)
>             Certificate {
>                size = 890 (0x037a)
>                data = { saved in file 'cert.003' }
>             }
>             Certificate {
>                size = 917 (0x0395)
>                data = { saved in file 'cert.004' }
>             }
>          }
>    0: 0e 00 00 00                                         | ....
>       type = 14 (server_hello_done)
>       length = 0 (0x000000)
>    }
> }
> ]
> --> [
> (332 bytes of 260, with 67 left over)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 00 01  04                                     | .....
>    type    = 22 (handshake)
>    version = { 3,0 }
>    length  = 260 (0x104)
>    handshake {
>    0: 10 00 01 00                                         | ....
>       type = 16 (client_key_exchange)
>       length = 256 (0x000100)
>          ClientKeyExchange {
>             message = {...}
>          }
>    }
> }
> (332 bytes of 1, with 61 left over)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 14 03 00 00  01                                     | .....
>    type    = 20 (change_cipher_spec)
>    version = { 3,0 }
>    length  = 1 (0x1)
>    0: 01                                                  | .
> }
> (332 bytes of 56)
> SSLRecord { [Wed Nov 18 09:14:56 2009]
>    0: 16 03 00 00  38                                     | ....8
>    type    = 22 (handshake)
>    version = { 3,0 }
>    length  = 56 (0x38)
>             < encrypted >
> }
> ]
> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
> socket.
> Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>
>
>
>
> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote:
>
>>  On 11/17/2009 01:09 PM, John Dorovski wrote:
>>
>> It was not a typo. I did use the port number 9545.
>>
>>
>> Ok. one idea would be to run the utility "ssltap" as a proxy
>> and using your browser to connect to the "ssltap" port and
>> pasting the output here so folks can see what's happening
>> during the SSL handshake.
>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>>
>>
>> On a Fedora 10 system, its packaged with nss-tools rpm.
>>
>> Run ssltap like this...
>>
>> ssltap -sfxl CA_HOSTNAME:CA_PORT
>>
>> in your case, it will be
>>
>> ssltap -sfxl localhost:9545
>>
>> Then use a browser and connect to ssltap. ssltap
>> listens on port 1924. So on the browser type..
>>
>>  https://localhost.localdomain:1924
>>
>>
>> ssltap will capture the results of the ssl handshake.
>>
>> Copy and paste it here so we can tell what's happening
>> during that phase while you get the bad mac alert.
>>
>> Thanks,
>> --Chandra
>>
>>
>>
>>
>>
>>
>> John
>>
>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <
>> Julius.Adewumi at gdc4s.com> wrote:
>>
>>>
>>> Unless it's a typo on your part, the two port numbers are different...
>>> Could that be the problem?
>>> 8445  vs 9545
>>>
>>> From: Julius Adewumi
>>> @GDC4S.com
>>> Ph:480-441-6768
>>> Contract Corp:MTSI
>>>
>>>
>>> -----Original Message-----
>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
>>> On Behalf Of Christina Fu
>>> Sent: Tuesday, November 17, 2009 12:56 PM
>>> To: pki-users at redhat.com
>>>  Cc: johndorovski at googlemail.com
>>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>>
>>> I might have messed up when managing pki-users and this did not come
>>> through.  Hence the forward.
>>> Christina
>>>
>>> Subject:
>>> Help needed on dogtag
>>> From:
>>> John Dorovski 
>>> Date:
>>> Tue, 17 Nov 2009 10:58:18 -0500
>>>
>>> To:
>>> pki-users at redhat.com
>>>
>>>
>>> Hi,
>>>
>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>>> I used a SafeNet ProtectServer Gold HSM as keystore.
>>> The dogtag system installation and configuration were fine. No error was
>>> reported.
>>> All keys and certificates were generated inside the HSM.
>>>
>>> But when I tried to access the secure admin interface at
>>>     https://localhost:localdomain:9545
>>> I got error message:
>>>    Secure Connection Failed
>>>    An error occurred during a connection to localhost.localdomain:8445
>>>    SSL peer reports incorrect Message Authentication Code.
>>>    (Error code: ssl_error_bad_mac_alert)
>>>
>>> I checked the server certificate (viewed it with IE on a Windows box).
>>> It seems fine.
>>>
>>> Does any body know what is wrong and how can I fix it?
>>>
>>> Thanks,
>>>
>>> John
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>>
>> _______________________________________________
>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert.001
Type: application/octet-stream
Size: 890 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert.002
Type: application/octet-stream
Size: 917 bytes
Desc: not available
URL: 

From Julius.Adewumi at gdc4s.com  Wed Nov 18 17:38:05 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Wed, 18 Nov 2009 10:38:05 -0700
Subject: [Pki-users] (forwarded) Help needed on dogtag
In-Reply-To: 
References: <4B02FFD8.9040702@redhat.com>
	<150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com>
	
	<4B033E21.9080306@redhat.com>
	
	
Message-ID: <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>

SSL_ERROR_BAD_MAC_ALERT	 -12272	 "SSL peer reports incorrect Message
Authentication Code." 

The remote system has reported that it received a message with a bad
Message Authentication Code from the local system. This may indicate
that an attack on that server is underway.

 

The trace shows "cipher-change-request" as last capture before Error
reported.

 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

________________________________

From: John Dorovski [mailto:johndorovski at googlemail.com] 
Sent: Wednesday, November 18, 2009 7:34 AM
To: Chandrasekar Kannan
Cc: Adewumi, Julius-p99373; pki-users at redhat.com
Subject: Re: [Pki-users] (forwarded) Help needed on dogtag


Here are the   two certs ssltap captured.



On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski
 wrote:


	Here is my ssltap output:
	
	[root at rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
	SSLTAP output
	
	Looking up "localhost.localdomain"...
	Proxy socket ready and listening
	
Connection #1 [Wed Nov 18 09:14:56 2009]
	
Connected to localhost.localdomain:9545
	--> [
	(120 bytes of 115)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 00  73                                     |
....s
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 115 (0x73)
	   handshake {
	   0: 01 00 00 6f                                         | ...o
	      type = 1 (client_hello)
	      length = 111 (0x00006f)
	         ClientHelloV3 {
	            client_version = {3, 1}
	            random = {...}
	   0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
K..`>...l&.)...&
	  10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  |
....$.uy..x@{X^{
	            session ID = {
	                length = 0
	                contents = {...}
	            }
	            cipher_suites[18] = { 
	                (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
	                (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
	                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
	                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
	                (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
	                (0x0035) TLS/RSA/AES256-CBC/SHA
	                (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
	                (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
	                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
	                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
	                (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
	                (0x0004) SSL3/RSA/RC4-128/MD5
	                (0x0005) SSL3/RSA/RC4-128/SHA
	                (0x002f) TLS/RSA/AES128-CBC/SHA
	                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
	                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
	                (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
	                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
	            }
	            compression[1] = { 00 }
	            extensions[34] = {
	              extension type server_name, length [26] = {
	   0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
.....localhost.l
	  10: 6f 63 61 6c  64 6f 6d 61  69 6e                     |
ocaldomain
	              }
	              extension type session_ticket, length [0]
	            }
	         }
	   }
	}
	]
	<-- [
	(1903 bytes of 1898)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 07  6a                                     |
....j
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 1898 (0x76a)
	   handshake {
	   0: 02 00 00 46                                         | ...F
	      type = 2 (server_hello)
	      length = 70 (0x000046)
	         ServerHello {
	            server_version = {3, 1}
	            random = {...}
	   0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
K..`...i...^....
	  10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
...'...W#...i at U.
	            session ID = {
	                length = 32
	                contents = {...}
	   0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
....E.m.....
	  10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
.........7.n..+%
	            }
	            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
	            compression method = 00
	         }
	   0: 0b 00 07 18                                         | ....
	      type = 11 (certificate)
	      length = 1816 (0x000718)
	         CertificateChain {
	            chainlength = 1813 (0x0715)
	            Certificate {
	               size = 890 (0x037a)
	               data = { saved in file 'cert.001' }
	            }
	            Certificate {
	               size = 917 (0x0395)
	               data = { saved in file 'cert.002' }
	            }
	         }
	   0: 0e 00 00 00                                         | ....
	      type = 14 (server_hello_done)
	      length = 0 (0x000000)
	   }
	}
	]
	--> [
	(310 bytes of 262, with 43 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 01  06                                     |
.....
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 262 (0x106)
	   handshake {
	   0: 10 00 01 02                                         | ....
	      type = 16 (client_key_exchange)
	      length = 258 (0x000102)
	         ClientKeyExchange {
	            message = {...}
	         }
	   }
	}
	(310 bytes of 1, with 37 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 14 03 01 00  01                                     |
.....
	   type    = 20 (change_cipher_spec)
	   version = { 3,1 }
	   length  = 1 (0x1)
	   0: 01                                                  | .
	}
	(310 bytes of 32)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 00  20                                     | ....

	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 32 (0x20)
	            < encrypted >
	}
	]
	ssltap: Error -5961: TCP connection reset by peer.: error on
server-side socket.
	Connection 1 Complete [Wed Nov 18 09:14:56 2009]
	
Connection #2 [Wed Nov 18 09:14:56 2009]
	
Connected to localhost.localdomain:9545
	--> [
	recordLen = 81 bytes
	(81 bytes of 81)
	 [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
	           version = {0x03, 0x00}
	           cipher-specs-length = 54 (0x36)
	           sid-length = 0 (0x00)
	           challenge-length = 16 (0x10)
	           cipher-suites = { 
	                (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
	                (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
	                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
	                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
	                (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
	                (0x000035) TLS/RSA/AES256-CBC/SHA
	                (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
	                (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
	                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
	                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
	                (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
	                (0x000004) SSL3/RSA/RC4-128/MD5
	                (0x000005) SSL3/RSA/RC4-128/SHA
	                (0x00002f) TLS/RSA/AES128-CBC/SHA
	                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
	                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
	                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
	                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
	                }
	           session-id = { }
	           challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135
0x4f6a 0x5742 0xf716 }
	}
	]
	<-- [
	(1903 bytes of 1898)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 00 07  6a                                     |
....j
	   type    = 22 (handshake)
	   version = { 3,0 }
	   length  = 1898 (0x76a)
	   handshake {
	   0: 02 00 00 46                                         | ...F
	      type = 2 (server_hello)
	      length = 70 (0x000046)
	         ServerHello {
	            server_version = {3, 0}
	            random = {...}
	   0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  |
K..`U..3... .t..
	  10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
...&!.....$..N.Q
	            session ID = {
	                length = 32
	                contents = {...}
	   0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
gfP..m.8}...C.W.
	  10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
.......x..U&....
	            }
	            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
	            compression method = 00
	         }
	   0: 0b 00 07 18                                         | ....
	      type = 11 (certificate)
	      length = 1816 (0x000718)
	         CertificateChain {
	            chainlength = 1813 (0x0715)
	            Certificate {
	               size = 890 (0x037a)
	               data = { saved in file 'cert.003' }
	            }
	            Certificate {
	               size = 917 (0x0395)
	               data = { saved in file 'cert.004' }
	            }
	         }
	   0: 0e 00 00 00                                         | ....
	      type = 14 (server_hello_done)
	      length = 0 (0x000000)
	   }
	}
	]
	--> [
	(332 bytes of 260, with 67 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 00 01  04                                     |
.....
	   type    = 22 (handshake)
	   version = { 3,0 }
	   length  = 260 (0x104)
	   handshake {
	   0: 10 00 01 00                                         | ....
	      type = 16 (client_key_exchange)
	      length = 256 (0x000100)
	         ClientKeyExchange {
	            message = {...}
	         }
	   }
	}
	(332 bytes of 1, with 61 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 14 03 00 00  01                                     |
.....
	   type    = 20 (change_cipher_spec)
	   version = { 3,0 }
	   length  = 1 (0x1)
	   0: 01                                                  | .
	}
	(332 bytes of 56)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 00 00  38                                     |
....8
	   type    = 22 (handshake)
	   version = { 3,0 }
	   length  = 56 (0x38)
	            < encrypted >
	}
	]
	ssltap: Error -5961: TCP connection reset by peer.: error on
server-side socket.
	Connection 2 Complete [Wed Nov 18 09:14:56 2009] 




	On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan
 wrote:
	

		On 11/17/2009 01:09 PM, John Dorovski wrote: 

			It was not a typo. I did use the port number
9545.
			


		Ok. one idea would be to run the utility "ssltap" as a
proxy
		and using your browser to connect to the "ssltap" port
and
		pasting the output here so folks can see what's
happening
		during the SSL handshake.
	
http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
		
		
		On a Fedora 10 system, its packaged with nss-tools rpm.
		
		Run ssltap like this...
		
		ssltap -sfxl CA_HOSTNAME:CA_PORT
		
		in your case, it will be 
		
		ssltap -sfxl localhost:9545
		
		Then use a browser and connect to ssltap. ssltap
		listens on port 1924. So on the browser type..
		
		 https://localhost.localdomain:1924
		
		
		ssltap will capture the results of the ssl handshake. 
		
		Copy and paste it here so we can tell what's happening
		during that phase while you get the bad mac alert.
		
		Thanks,
		--Chandra 







			John
			
			
			On Tue, Nov 17, 2009 at 3:51 PM, Adewumi,
Julius-p99373  wrote:
			


				Unless it's a typo on your part, the two
port numbers are different...
				Could that be the problem?
				8445  vs 9545
				
				From: Julius Adewumi
				@GDC4S.com
				Ph:480-441-6768
				Contract Corp:MTSI
				


				-----Original Message-----
				From: pki-users-bounces at redhat.com
[mailto:pki-users-bounces at redhat.com]
				On Behalf Of Christina Fu
				Sent: Tuesday, November 17, 2009 12:56
PM
				To: pki-users at redhat.com
				
				Cc: johndorovski at googlemail.com
				Subject: [Pki-users] (forwarded) Help
needed on dogtag
				
				I might have messed up when managing
pki-users and this did not come
				through.  Hence the forward.
				Christina
				
				Subject:
				Help needed on dogtag
				From:
				John Dorovski

				Date:
				Tue, 17 Nov 2009 10:58:18 -0500
				
				To:
				pki-users at redhat.com
				
				
				Hi,
				
				I just installed a dogtag (1.2.0)
instance on my Fedora 10 system.
				I used a SafeNet ProtectServer Gold HSM
as keystore.
				The dogtag system installation and
configuration were fine. No error was
				reported.
				All keys and certificates were generated
inside the HSM.
				
				But when I tried to access the secure
admin interface at
				    https://localhost:localdomain:9545
				I got error message:
				   Secure Connection Failed
				   An error occurred during a connection
to localhost.localdomain:8445
				   SSL peer reports incorrect Message
Authentication Code.
				   (Error code: ssl_error_bad_mac_alert)
				
				I checked the server certificate (viewed
it with IE on a Windows box).
				It seems fine.
				
				Does any body know what is wrong and how
can I fix it?
				
				Thanks,
				
				John
				
	
_______________________________________________
				Pki-users mailing list
				Pki-users at redhat.com
	
https://www.redhat.com/mailman/listinfo/pki-users
				


			
			_______________________________________________
			Pki-users mailing list
			Pki-users at redhat.com
	
https://www.redhat.com/mailman/listinfo/pki-users
			  



		_______________________________________________
		Pki-users mailing list
		Pki-users at redhat.com
		https://www.redhat.com/mailman/listinfo/pki-users
		
		



-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ckannan at redhat.com  Wed Nov 18 17:49:19 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Wed, 18 Nov 2009 09:49:19 -0800
Subject: [Pki-users] (forwarded) Help needed on dogtag
In-Reply-To: <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>
References: <4B02FFD8.9040702@redhat.com>	<150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com>		<4B033E21.9080306@redhat.com>		
	<150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>
Message-ID: <4B04339F.6060203@redhat.com>

On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote:
> SSL_ERROR_BAD_MAC_ALERT 	-12272 	"SSL peer reports incorrect Message 
> Authentication Code."
>
> The remote system has reported that it received a message with a bad 
> Message Authentication Code from the local system. This may indicate 
> that an attack on that server is underway.
>
> /The trace shows "cipher-change-request" as last capture before Error 
> reported./
>
> //
>

Just FYI. we noticed a similar message during dogtag 1.2.0
development but with a different HSM(nethsm). That issue
was fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=495597

FWIW, we have never tried with the mentioned
Safenet Protectserver Gold HSM....


> /From: Julius Adewumi/
> /@GDC4S.com/
> /Ph:480-441-6768/
> /Contract Corp:MTSI/
>
>
> ------------------------------------------------------------------------
> *From:* John Dorovski [mailto:johndorovski at googlemail.com]
> *Sent:* Wednesday, November 18, 2009 7:34 AM
> *To:* Chandrasekar Kannan
> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com
> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag
>
> Here are the   two certs ssltap captured.
>
>
> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski 
> > wrote:
>
>     Here is my ssltap output:
>
>     [root at rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
>     SSLTAP output
>     
>     Looking up "localhost.localdomain"...
>     Proxy socket ready and listening
>     
Connection #1 [Wed Nov 18 09:14:56 2009]
>     
Connected to localhost.localdomain:9545
>     --> [
>     (120 bytes of 115)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 01 00  73                                     | ....s
>        type    = 22 (handshake)
>        version = { 3,1 }
>        length  = 115 (0x73)
>        handshake {
>        0: 01 00 00 6f                                         | ...o
>           type = 1 (client_hello)
>           length = 111 (0x00006f)
>              ClientHelloV3 {
>                 client_version = {3, 1}
>                 random = {...}
>        0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
>     K..`>...l&.)...&
>       10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  |
>     ....$.uy..x@{X^{
>                 session ID = {
>                     length = 0
>                     contents = {...}
>                 }
>                 cipher_suites[18] = {
>                     (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>                     (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>                     (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>                     (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>                     (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>                     (0x0035) TLS/RSA/AES256-CBC/SHA
>                     (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>                     (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>                     (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>                     (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>                     (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>                     (0x0004) SSL3/RSA/RC4-128/MD5
>                     (0x0005) SSL3/RSA/RC4-128/SHA
>                     (0x002f) TLS/RSA/AES128-CBC/SHA
>                     (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>                     (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>                     (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>                     (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>                 }
>                 compression[1] = { 00 }
>                 extensions[34] = {
>                   extension type server_name, length [26] = {
>        0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
>     .....localhost.l
>       10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
>                   }
>                   extension type session_ticket, length [0]
>                 }
>              }
>        }
>     }
>     ]
>     <-- [
>     (1903 bytes of 1898)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 01 07  6a                                     | ....j
>        type    = 22 (handshake)
>        version = { 3,1 }
>        length  = 1898 (0x76a)
>        handshake {
>        0: 02 00 00 46                                         | ...F
>           type = 2 (server_hello)
>           length = 70 (0x000046)
>              ServerHello {
>                 server_version = {3, 1}
>                 random = {...}
>        0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
>     K..`...i...^....
>       10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
>     ...'...W#...i at U.
>                 session ID = {
>                     length = 32
>                     contents = {...}
>        0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
>     ....E.m.....
>       10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
>     .........7.n..+%
>                 }
>                 cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>                 compression method = 00
>              }
>        0: 0b 00 07 18                                         | ....
>           type = 11 (certificate)
>           length = 1816 (0x000718)
>              CertificateChain {
>                 chainlength = 1813 (0x0715)
>                 Certificate {
>                    size = 890 (0x037a)
>                    data = { saved in file 'cert.001' }
>                 }
>                 Certificate {
>                    size = 917 (0x0395)
>                    data = { saved in file 'cert.002' }
>                 }
>              }
>        0: 0e 00 00 00                                         | ....
>           type = 14 (server_hello_done)
>           length = 0 (0x000000)
>        }
>     }
>     ]
>     --> [
>     (310 bytes of 262, with 43 left over)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 01 01  06                                     | .....
>        type    = 22 (handshake)
>        version = { 3,1 }
>        length  = 262 (0x106)
>        handshake {
>        0: 10 00 01 02                                         | ....
>           type = 16 (client_key_exchange)
>           length = 258 (0x000102)
>              ClientKeyExchange {
>                 message = {...}
>              }
>        }
>     }
>     (310 bytes of 1, with 37 left over)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 14 03 01 00  01                                     | .....
>        type    = 20 (change_cipher_spec)
>        version = { 3,1 }
>        length  = 1 (0x1)
>        0: 01                                                  | .
>     }
>     (310 bytes of 32)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 01 00  20                                     | ....
>        type    = 22 (handshake)
>        version = { 3,1 }
>        length  = 32 (0x20)
>     < encrypted >
>     }
>     ]
>     ssltap: Error -5961: TCP connection reset by peer.: error on
>     server-side socket.
>     Connection 1 Complete [Wed Nov 18 09:14:56 2009]
>     
Connection #2 [Wed Nov 18 09:14:56 2009]
>     
Connected to localhost.localdomain:9545
>     --> [
>     recordLen = 81 bytes
>     (81 bytes of 81)
>      [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
>                version = {0x03, 0x00}
>                cipher-specs-length = 54 (0x36)
>                sid-length = 0 (0x00)
>                challenge-length = 16 (0x10)
>                cipher-suites = {
>                     (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>                     (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>                     (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>                     (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>                     (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>                     (0x000035) TLS/RSA/AES256-CBC/SHA
>                     (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>                     (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>                     (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>                     (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>                     (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>                     (0x000004) SSL3/RSA/RC4-128/MD5
>                     (0x000005) SSL3/RSA/RC4-128/SHA
>                     (0x00002f) TLS/RSA/AES128-CBC/SHA
>                     (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>                     (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>                     (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>                     (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>                     }
>                session-id = { }
>                challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a
>     0x5742 0xf716 }
>     }
>     ]
>     <-- [
>     (1903 bytes of 1898)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 00 07  6a                                     | ....j
>        type    = 22 (handshake)
>        version = { 3,0 }
>        length  = 1898 (0x76a)
>        handshake {
>        0: 02 00 00 46                                         | ...F
>           type = 2 (server_hello)
>           length = 70 (0x000046)
>              ServerHello {
>                 server_version = {3, 0}
>                 random = {...}
>        0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  |
>     K..`U..3... .t..
>       10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
>     ...&!.....$..N.Q
>                 session ID = {
>                     length = 32
>                     contents = {...}
>        0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
>     gfP..m.8}...C.W.
>       10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
>     .......x..U&....
>                 }
>                 cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>                 compression method = 00
>              }
>        0: 0b 00 07 18                                         | ....
>           type = 11 (certificate)
>           length = 1816 (0x000718)
>              CertificateChain {
>                 chainlength = 1813 (0x0715)
>                 Certificate {
>                    size = 890 (0x037a)
>                    data = { saved in file 'cert.003' }
>                 }
>                 Certificate {
>                    size = 917 (0x0395)
>                    data = { saved in file 'cert.004' }
>                 }
>              }
>        0: 0e 00 00 00                                         | ....
>           type = 14 (server_hello_done)
>           length = 0 (0x000000)
>        }
>     }
>     ]
>     --> [
>     (332 bytes of 260, with 67 left over)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 00 01  04                                     | .....
>        type    = 22 (handshake)
>        version = { 3,0 }
>        length  = 260 (0x104)
>        handshake {
>        0: 10 00 01 00                                         | ....
>           type = 16 (client_key_exchange)
>           length = 256 (0x000100)
>              ClientKeyExchange {
>                 message = {...}
>              }
>        }
>     }
>     (332 bytes of 1, with 61 left over)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 14 03 00 00  01                                     | .....
>        type    = 20 (change_cipher_spec)
>        version = { 3,0 }
>        length  = 1 (0x1)
>        0: 01                                                  | .
>     }
>     (332 bytes of 56)
>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>        0: 16 03 00 00  38                                     | ....8
>        type    = 22 (handshake)
>        version = { 3,0 }
>        length  = 56 (0x38)
>     < encrypted >
>     }
>     ]
>     ssltap: Error -5961: TCP connection reset by peer.: error on
>     server-side socket.
>     Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>
>
>
>
>     On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan
>     > wrote:
>
>         On 11/17/2009 01:09 PM, John Dorovski wrote:
>>         It was not a typo. I did use the port number 9545.
>
>         Ok. one idea would be to run the utility "ssltap" as a proxy
>         and using your browser to connect to the "ssltap" port and
>         pasting the output here so folks can see what's happening
>         during the SSL handshake.
>         http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>
>
>         On a Fedora 10 system, its packaged with nss-tools rpm.
>
>         Run ssltap like this...
>
>         ssltap -sfxl CA_HOSTNAME:CA_PORT
>
>         in your case, it will be
>
>         ssltap -sfxl localhost:9545
>
>         Then use a browser and connect to ssltap. ssltap
>         listens on port 1924. So on the browser type..
>
>         https://localhost.localdomain:1924
>
>
>         ssltap will capture the results of the ssl handshake.
>
>         Copy and paste it here so we can tell what's happening
>         during that phase while you get the bad mac alert.
>
>         Thanks,
>         --Chandra
>
>
>
>
>>
>>
>>         John
>>
>>         On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373
>>         >
>>         wrote:
>>
>>
>>             Unless it's a typo on your part, the two port numbers are
>>             different...
>>             Could that be the problem?
>>             8445  vs 9545
>>
>>             From: Julius Adewumi
>>             @GDC4S.com
>>             Ph:480-441-6768
>>             Contract Corp:MTSI
>>
>>
>>             -----Original Message-----
>>             From: pki-users-bounces at redhat.com
>>             
>>             [mailto:pki-users-bounces at redhat.com
>>             ]
>>             On Behalf Of Christina Fu
>>             Sent: Tuesday, November 17, 2009 12:56 PM
>>             To: pki-users at redhat.com 
>>             Cc: johndorovski at googlemail.com
>>             
>>             Subject: [Pki-users] (forwarded) Help needed on dogtag
>>
>>             I might have messed up when managing pki-users and this
>>             did not come
>>             through.  Hence the forward.
>>             Christina
>>
>>             Subject:
>>             Help needed on dogtag
>>             From:
>>             John Dorovski >             >
>>             Date:
>>             Tue, 17 Nov 2009 10:58:18 -0500
>>
>>             To:
>>             pki-users at redhat.com 
>>
>>
>>             Hi,
>>
>>             I just installed a dogtag (1.2.0) instance on my Fedora
>>             10 system.
>>             I used a SafeNet ProtectServer Gold HSM as keystore.
>>             The dogtag system installation and configuration were
>>             fine. No error was
>>             reported.
>>             All keys and certificates were generated inside the HSM.
>>
>>             But when I tried to access the secure admin interface at
>>             https://localhost:localdomain:9545
>>             I got error message:
>>                Secure Connection Failed
>>                An error occurred during a connection to
>>             localhost.localdomain:8445
>>                SSL peer reports incorrect Message Authentication Code.
>>                (Error code: ssl_error_bad_mac_alert)
>>
>>             I checked the server certificate (viewed it with IE on a
>>             Windows box).
>>             It seems fine.
>>
>>             Does any body know what is wrong and how can I fix it?
>>
>>             Thanks,
>>
>>             John
>>
>>             _______________________________________________
>>             Pki-users mailing list
>>             Pki-users at redhat.com 
>>             https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>>         _______________________________________________
>>         Pki-users mailing list
>>         Pki-users at redhat.com  
>>         https://www.redhat.com/mailman/listinfo/pki-users
>>            
>
>
>         _______________________________________________
>         Pki-users mailing list
>         Pki-users at redhat.com 
>         https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ckannan at redhat.com  Wed Nov 18 18:23:59 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Wed, 18 Nov 2009 10:23:59 -0800
Subject: [Pki-users] (forwarded) Help needed on dogtag
In-Reply-To: <4B04339F.6060203@redhat.com>
References: <4B02FFD8.9040702@redhat.com>	<150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com>		<4B033E21.9080306@redhat.com>			<150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>
	<4B04339F.6060203@redhat.com>
Message-ID: <4B043BBF.8000001@redhat.com>

On 11/18/2009 09:49 AM, Chandrasekar Kannan wrote:
> On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote:
>> SSL_ERROR_BAD_MAC_ALERT 	-12272 	"SSL peer reports incorrect Message 
>> Authentication Code."
>>
>> The remote system has reported that it received a message with a bad 
>> Message Authentication Code from the local system. This may indicate 
>> that an attack on that server is underway.
>>
>> /The trace shows "cipher-change-request" as last capture before Error 
>> reported./
>>
>> //
>>
>
> Just FYI. we noticed a similar message during dogtag 1.2.0
> development but with a different HSM(nethsm). That issue
> was fixed.
> https://bugzilla.redhat.com/show_bug.cgi?id=495597
>
> FWIW, we have never tried with the mentioned
> Safenet Protectserver Gold HSM....


Can you check settings for this ..

  /var/lib/pki-ca/conf/server.xml
  Look for clientAuth="agent"

  If you see that can you replace that with
  clientAuth="true" and restart the CA
  and see if it addresses the bad mac problem..


>
>
>> /From: Julius Adewumi/
>> /@GDC4S.com/
>> /Ph:480-441-6768/
>> /Contract Corp:MTSI/
>>
>>
>> ------------------------------------------------------------------------
>> *From:* John Dorovski [mailto:johndorovski at googlemail.com]
>> *Sent:* Wednesday, November 18, 2009 7:34 AM
>> *To:* Chandrasekar Kannan
>> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com
>> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag
>>
>> Here are the   two certs ssltap captured.
>>
>>
>> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski 
>> > wrote:
>>
>>     Here is my ssltap output:
>>
>>     [root at rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
>>     SSLTAP output
>>     
>>     Looking up "localhost.localdomain"...
>>     Proxy socket ready and listening
>>     
Connection #1 [Wed Nov 18 09:14:56 2009]
>>     
Connected to localhost.localdomain:9545
>>     --> [
>>     (120 bytes of 115)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 01 00  73                                     | ....s
>>        type    = 22 (handshake)
>>        version = { 3,1 }
>>        length  = 115 (0x73)
>>        handshake {
>>        0: 01 00 00 6f                                         | ...o
>>           type = 1 (client_hello)
>>           length = 111 (0x00006f)
>>              ClientHelloV3 {
>>                 client_version = {3, 1}
>>                 random = {...}
>>        0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
>>     K..`>...l&.)...&
>>       10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  |
>>     ....$.uy..x@{X^{
>>                 session ID = {
>>                     length = 0
>>                     contents = {...}
>>                 }
>>                 cipher_suites[18] = {
>>                     (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>>                     (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>>                     (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>>                     (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>>                     (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>>                     (0x0035) TLS/RSA/AES256-CBC/SHA
>>                     (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>>                     (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>>                     (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>>                     (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>>                     (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>>                     (0x0004) SSL3/RSA/RC4-128/MD5
>>                     (0x0005) SSL3/RSA/RC4-128/SHA
>>                     (0x002f) TLS/RSA/AES128-CBC/SHA
>>                     (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>>                     (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>>                     (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>>                     (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>>                 }
>>                 compression[1] = { 00 }
>>                 extensions[34] = {
>>                   extension type server_name, length [26] = {
>>        0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
>>     .....localhost.l
>>       10: 6f 63 61 6c  64 6f 6d 61  69 6e                     |
>>     ocaldomain
>>                   }
>>                   extension type session_ticket, length [0]
>>                 }
>>              }
>>        }
>>     }
>>     ]
>>     <-- [
>>     (1903 bytes of 1898)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 01 07  6a                                     | ....j
>>        type    = 22 (handshake)
>>        version = { 3,1 }
>>        length  = 1898 (0x76a)
>>        handshake {
>>        0: 02 00 00 46                                         | ...F
>>           type = 2 (server_hello)
>>           length = 70 (0x000046)
>>              ServerHello {
>>                 server_version = {3, 1}
>>                 random = {...}
>>        0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
>>     K..`...i...^....
>>       10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
>>     ...'...W#...i at U.
>>                 session ID = {
>>                     length = 32
>>                     contents = {...}
>>        0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
>>     ....E.m.....
>>       10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
>>     .........7.n..+%
>>                 }
>>                 cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>>                 compression method = 00
>>              }
>>        0: 0b 00 07 18                                         | ....
>>           type = 11 (certificate)
>>           length = 1816 (0x000718)
>>              CertificateChain {
>>                 chainlength = 1813 (0x0715)
>>                 Certificate {
>>                    size = 890 (0x037a)
>>                    data = { saved in file 'cert.001' }
>>                 }
>>                 Certificate {
>>                    size = 917 (0x0395)
>>                    data = { saved in file 'cert.002' }
>>                 }
>>              }
>>        0: 0e 00 00 00                                         | ....
>>           type = 14 (server_hello_done)
>>           length = 0 (0x000000)
>>        }
>>     }
>>     ]
>>     --> [
>>     (310 bytes of 262, with 43 left over)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 01 01  06                                     | .....
>>        type    = 22 (handshake)
>>        version = { 3,1 }
>>        length  = 262 (0x106)
>>        handshake {
>>        0: 10 00 01 02                                         | ....
>>           type = 16 (client_key_exchange)
>>           length = 258 (0x000102)
>>              ClientKeyExchange {
>>                 message = {...}
>>              }
>>        }
>>     }
>>     (310 bytes of 1, with 37 left over)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 14 03 01 00  01                                     | .....
>>        type    = 20 (change_cipher_spec)
>>        version = { 3,1 }
>>        length  = 1 (0x1)
>>        0: 01                                                  | .
>>     }
>>     (310 bytes of 32)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 01 00  20                                     | ....
>>        type    = 22 (handshake)
>>        version = { 3,1 }
>>        length  = 32 (0x20)
>>     < encrypted >
>>     }
>>     ]
>>     ssltap: Error -5961: TCP connection reset by peer.: error on
>>     server-side socket.
>>     Connection 1 Complete [Wed Nov 18 09:14:56 2009]
>>     
Connection #2 [Wed Nov 18 09:14:56 2009]
>>     
Connected to localhost.localdomain:9545
>>     --> [
>>     recordLen = 81 bytes
>>     (81 bytes of 81)
>>      [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
>>                version = {0x03, 0x00}
>>                cipher-specs-length = 54 (0x36)
>>                sid-length = 0 (0x00)
>>                challenge-length = 16 (0x10)
>>                cipher-suites = {
>>                     (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>>                     (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>>                     (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>>                     (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>>                     (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>>                     (0x000035) TLS/RSA/AES256-CBC/SHA
>>                     (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>>                     (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>>                     (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>>                     (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>>                     (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>>                     (0x000004) SSL3/RSA/RC4-128/MD5
>>                     (0x000005) SSL3/RSA/RC4-128/SHA
>>                     (0x00002f) TLS/RSA/AES128-CBC/SHA
>>                     (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>>                     (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>>                     (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>>                     (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>>                     }
>>                session-id = { }
>>                challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135
>>     0x4f6a 0x5742 0xf716 }
>>     }
>>     ]
>>     <-- [
>>     (1903 bytes of 1898)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 00 07  6a                                     | ....j
>>        type    = 22 (handshake)
>>        version = { 3,0 }
>>        length  = 1898 (0x76a)
>>        handshake {
>>        0: 02 00 00 46                                         | ...F
>>           type = 2 (server_hello)
>>           length = 70 (0x000046)
>>              ServerHello {
>>                 server_version = {3, 0}
>>                 random = {...}
>>        0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  |
>>     K..`U..3... .t..
>>       10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
>>     ...&!.....$..N.Q
>>                 session ID = {
>>                     length = 32
>>                     contents = {...}
>>        0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
>>     gfP..m.8}...C.W.
>>       10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
>>     .......x..U&....
>>                 }
>>                 cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>>                 compression method = 00
>>              }
>>        0: 0b 00 07 18                                         | ....
>>           type = 11 (certificate)
>>           length = 1816 (0x000718)
>>              CertificateChain {
>>                 chainlength = 1813 (0x0715)
>>                 Certificate {
>>                    size = 890 (0x037a)
>>                    data = { saved in file 'cert.003' }
>>                 }
>>                 Certificate {
>>                    size = 917 (0x0395)
>>                    data = { saved in file 'cert.004' }
>>                 }
>>              }
>>        0: 0e 00 00 00                                         | ....
>>           type = 14 (server_hello_done)
>>           length = 0 (0x000000)
>>        }
>>     }
>>     ]
>>     --> [
>>     (332 bytes of 260, with 67 left over)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 00 01  04                                     | .....
>>        type    = 22 (handshake)
>>        version = { 3,0 }
>>        length  = 260 (0x104)
>>        handshake {
>>        0: 10 00 01 00                                         | ....
>>           type = 16 (client_key_exchange)
>>           length = 256 (0x000100)
>>              ClientKeyExchange {
>>                 message = {...}
>>              }
>>        }
>>     }
>>     (332 bytes of 1, with 61 left over)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 14 03 00 00  01                                     | .....
>>        type    = 20 (change_cipher_spec)
>>        version = { 3,0 }
>>        length  = 1 (0x1)
>>        0: 01                                                  | .
>>     }
>>     (332 bytes of 56)
>>     SSLRecord { [Wed Nov 18 09:14:56 2009]
>>        0: 16 03 00 00  38                                     | ....8
>>        type    = 22 (handshake)
>>        version = { 3,0 }
>>        length  = 56 (0x38)
>>     < encrypted >
>>     }
>>     ]
>>     ssltap: Error -5961: TCP connection reset by peer.: error on
>>     server-side socket.
>>     Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>>
>>
>>
>>
>>     On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan
>>     > wrote:
>>
>>         On 11/17/2009 01:09 PM, John Dorovski wrote:
>>>         It was not a typo. I did use the port number 9545.
>>
>>         Ok. one idea would be to run the utility "ssltap" as a proxy
>>         and using your browser to connect to the "ssltap" port and
>>         pasting the output here so folks can see what's happening
>>         during the SSL handshake.
>>         http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>>
>>
>>         On a Fedora 10 system, its packaged with nss-tools rpm.
>>
>>         Run ssltap like this...
>>
>>         ssltap -sfxl CA_HOSTNAME:CA_PORT
>>
>>         in your case, it will be
>>
>>         ssltap -sfxl localhost:9545
>>
>>         Then use a browser and connect to ssltap. ssltap
>>         listens on port 1924. So on the browser type..
>>
>>         https://localhost.localdomain:1924
>>
>>
>>         ssltap will capture the results of the ssl handshake.
>>
>>         Copy and paste it here so we can tell what's happening
>>         during that phase while you get the bad mac alert.
>>
>>         Thanks,
>>         --Chandra
>>
>>
>>
>>
>>>
>>>
>>>         John
>>>
>>>         On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373
>>>         >
>>>         wrote:
>>>
>>>
>>>             Unless it's a typo on your part, the two port numbers
>>>             are different...
>>>             Could that be the problem?
>>>             8445  vs 9545
>>>
>>>             From: Julius Adewumi
>>>             @GDC4S.com
>>>             Ph:480-441-6768
>>>             Contract Corp:MTSI
>>>
>>>
>>>             -----Original Message-----
>>>             From: pki-users-bounces at redhat.com
>>>             
>>>             [mailto:pki-users-bounces at redhat.com
>>>             ]
>>>             On Behalf Of Christina Fu
>>>             Sent: Tuesday, November 17, 2009 12:56 PM
>>>             To: pki-users at redhat.com 
>>>             Cc: johndorovski at googlemail.com
>>>             
>>>             Subject: [Pki-users] (forwarded) Help needed on dogtag
>>>
>>>             I might have messed up when managing pki-users and this
>>>             did not come
>>>             through.  Hence the forward.
>>>             Christina
>>>
>>>             Subject:
>>>             Help needed on dogtag
>>>             From:
>>>             John Dorovski >>             >
>>>             Date:
>>>             Tue, 17 Nov 2009 10:58:18 -0500
>>>
>>>             To:
>>>             pki-users at redhat.com 
>>>
>>>
>>>             Hi,
>>>
>>>             I just installed a dogtag (1.2.0) instance on my Fedora
>>>             10 system.
>>>             I used a SafeNet ProtectServer Gold HSM as keystore.
>>>             The dogtag system installation and configuration were
>>>             fine. No error was
>>>             reported.
>>>             All keys and certificates were generated inside the HSM.
>>>
>>>             But when I tried to access the secure admin interface at
>>>             https://localhost:localdomain:9545
>>>             I got error message:
>>>                Secure Connection Failed
>>>                An error occurred during a connection to
>>>             localhost.localdomain:8445
>>>                SSL peer reports incorrect Message Authentication Code.
>>>                (Error code: ssl_error_bad_mac_alert)
>>>
>>>             I checked the server certificate (viewed it with IE on a
>>>             Windows box).
>>>             It seems fine.
>>>
>>>             Does any body know what is wrong and how can I fix it?
>>>
>>>             Thanks,
>>>
>>>             John
>>>
>>>             _______________________________________________
>>>             Pki-users mailing list
>>>             Pki-users at redhat.com 
>>>             https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>>         _______________________________________________
>>>         Pki-users mailing list
>>>         Pki-users at redhat.com  
>>>         https://www.redhat.com/mailman/listinfo/pki-users
>>>            
>>
>>
>>         _______________________________________________
>>         Pki-users mailing list
>>         Pki-users at redhat.com 
>>         https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>    
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From johndorovski at googlemail.com  Wed Nov 18 19:40:43 2009
From: johndorovski at googlemail.com (John Dorovski)
Date: Wed, 18 Nov 2009 14:40:43 -0500
Subject: [Pki-users] (forwarded) Help needed on dogtag
In-Reply-To: <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>
References: <4B02FFD8.9040702@redhat.com>
	<150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com>
	
	<4B033E21.9080306@redhat.com>
	
	
	<150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>
Message-ID: 

I found the error code from Mozilla site also.
I am not sure that is the case.
Since I installed dogtag on two separate systems with the exact
configuration.
The systems were all installed with brand new OS (Fedora 10).
One system even unplugged from internet after dogtag was installed.
They all got the exact same error.


On Wed, Nov 18, 2009 at 12:38 PM, Adewumi, Julius-p99373 <
Julius.Adewumi at gdc4s.com> wrote:

>    SSL_ERROR_BAD_MAC_ALERT -12272
> "SSL peer reports incorrect Message Authentication Code."
>
> The remote system has reported that it received a message with a bad
> Message Authentication Code from the local system. This may indicate that an
> attack on that server is underway.
>
>
> *The trace shows "cipher-change-request" as last capture before Error
> reported.*
>
> **
>
> *From: Julius Adewumi*
> *@GDC4S.com*
> *Ph:480-441-6768*
> *Contract Corp:MTSI*
>
>
>  ------------------------------
> *From:* John Dorovski [mailto:johndorovski at googlemail.com]
> *Sent:* Wednesday, November 18, 2009 7:34 AM
> *To:* Chandrasekar Kannan
> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com
> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag
>
> Here are the   two certs ssltap captured.
>
>
> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <
> johndorovski at googlemail.com> wrote:
>
>> Here is my ssltap output:
>>
>> [root at rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
>> SSLTAP output
>> 
>> Looking up "localhost.localdomain"...
>> Proxy socket ready and listening
>> 
Connection #1 [Wed Nov 18 09:14:56 2009]
>> 
Connected to localhost.localdomain:9545
>> --> [
>> (120 bytes of 115)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 00  73                                     | ....s
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 115 (0x73)
>>    handshake {
>>    0: 01 00 00 6f                                         | ...o
>>       type = 1 (client_hello)
>>       length = 111 (0x00006f)
>>          ClientHelloV3 {
>>             client_version = {3, 1}
>>             random = {...}
>>    0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
>> K..`>...l&.)...&
>>   10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  | ....$.uy..x@
>> {X^{
>>             session ID = {
>>                 length = 0
>>                 contents = {...}
>>             }
>>             cipher_suites[18] = {
>>                 (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>>                 (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>>                 (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>>                 (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>>                 (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>>                 (0x0035) TLS/RSA/AES256-CBC/SHA
>>                 (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>>                 (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>>                 (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>>                 (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>>                 (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>>                 (0x0004) SSL3/RSA/RC4-128/MD5
>>                 (0x0005) SSL3/RSA/RC4-128/SHA
>>                 (0x002f) TLS/RSA/AES128-CBC/SHA
>>                 (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>>                 (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>>                 (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>>                 (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>>             }
>>             compression[1] = { 00 }
>>             extensions[34] = {
>>               extension type server_name, length [26] = {
>>    0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
>> .....localhost.l
>>   10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
>>               }
>>               extension type session_ticket, length [0]
>>             }
>>          }
>>    }
>> }
>> ]
>> <-- [
>> (1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 07  6a                                     | ....j
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 1898 (0x76a)
>>    handshake {
>>    0: 02 00 00 46                                         | ...F
>>       type = 2 (server_hello)
>>       length = 70 (0x000046)
>>          ServerHello {
>>             server_version = {3, 1}
>>             random = {...}
>>    0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
>> K..`...i...^....
>>   10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
>> ...'...W#...i at U.
>>             session ID = {
>>                 length = 32
>>                 contents = {...}
>>    0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
>> ....E.m.....
>>   10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
>> .........7.n..+%
>>             }
>>             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>>             compression method = 00
>>          }
>>    0: 0b 00 07 18                                         | ....
>>       type = 11 (certificate)
>>       length = 1816 (0x000718)
>>          CertificateChain {
>>             chainlength = 1813 (0x0715)
>>             Certificate {
>>                size = 890 (0x037a)
>>                data = { saved in file 'cert.001' }
>>             }
>>             Certificate {
>>                size = 917 (0x0395)
>>                data = { saved in file 'cert.002' }
>>             }
>>          }
>>    0: 0e 00 00 00                                         | ....
>>       type = 14 (server_hello_done)
>>       length = 0 (0x000000)
>>    }
>> }
>> ]
>> --> [
>> (310 bytes of 262, with 43 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 01  06                                     | .....
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 262 (0x106)
>>    handshake {
>>    0: 10 00 01 02                                         | ....
>>       type = 16 (client_key_exchange)
>>       length = 258 (0x000102)
>>          ClientKeyExchange {
>>             message = {...}
>>          }
>>    }
>> }
>> (310 bytes of 1, with 37 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 14 03 01 00  01                                     | .....
>>    type    = 20 (change_cipher_spec)
>>    version = { 3,1 }
>>    length  = 1 (0x1)
>>    0: 01                                                  | .
>> }
>> (310 bytes of 32)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 00  20                                     | ....
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 32 (0x20)
>>             < encrypted >
>> }
>> ]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 1 Complete [Wed Nov 18 09:14:56 2009]
>> 
Connection #2 [Wed Nov 18 09:14:56 2009]
>> 
Connected to localhost.localdomain:9545
>> --> [
>> recordLen = 81 bytes
>> (81 bytes of 81)
>>  [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
>>            version = {0x03, 0x00}
>>            cipher-specs-length = 54 (0x36)
>>            sid-length = 0 (0x00)
>>            challenge-length = 16 (0x10)
>>            cipher-suites = {
>>                 (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>>                 (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>>                 (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>>                 (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>>                 (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>>                 (0x000035) TLS/RSA/AES256-CBC/SHA
>>                 (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>>                 (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>>                 (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>>                 (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>>                 (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>>                 (0x000004) SSL3/RSA/RC4-128/MD5
>>                 (0x000005) SSL3/RSA/RC4-128/SHA
>>                 (0x00002f) TLS/RSA/AES128-CBC/SHA
>>                 (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>>                 (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>>                 (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>>                 (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>>                 }
>>            session-id = { }
>>            challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
>> 0xf716 }
>> }
>> ]
>> <-- [
>> (1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 00 07  6a                                     | ....j
>>    type    = 22 (handshake)
>>    version = { 3,0 }
>>    length  = 1898 (0x76a)
>>    handshake {
>>    0: 02 00 00 46                                         | ...F
>>       type = 2 (server_hello)
>>       length = 70 (0x000046)
>>          ServerHello {
>>             server_version = {3, 0}
>>             random = {...}
>>    0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  | K..`U..3...
>> .t..
>>   10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
>> ...&!.....$..N.Q
>>             session ID = {
>>                 length = 32
>>                 contents = {...}
>>    0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
>> gfP..m.8}...C.W.
>>   10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
>> .......x..U&....
>>             }
>>             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>>             compression method = 00
>>          }
>>    0: 0b 00 07 18                                         | ....
>>       type = 11 (certificate)
>>       length = 1816 (0x000718)
>>          CertificateChain {
>>             chainlength = 1813 (0x0715)
>>             Certificate {
>>                size = 890 (0x037a)
>>                data = { saved in file 'cert.003' }
>>             }
>>             Certificate {
>>                size = 917 (0x0395)
>>                data = { saved in file 'cert.004' }
>>             }
>>          }
>>    0: 0e 00 00 00                                         | ....
>>       type = 14 (server_hello_done)
>>       length = 0 (0x000000)
>>    }
>> }
>> ]
>> --> [
>> (332 bytes of 260, with 67 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 00 01  04                                     | .....
>>    type    = 22 (handshake)
>>    version = { 3,0 }
>>    length  = 260 (0x104)
>>    handshake {
>>    0: 10 00 01 00                                         | ....
>>       type = 16 (client_key_exchange)
>>       length = 256 (0x000100)
>>          ClientKeyExchange {
>>             message = {...}
>>          }
>>    }
>> }
>> (332 bytes of 1, with 61 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 14 03 00 00  01                                     | .....
>>    type    = 20 (change_cipher_spec)
>>    version = { 3,0 }
>>    length  = 1 (0x1)
>>    0: 01                                                  | .
>> }
>> (332 bytes of 56)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 00 00  38                                     | ....8
>>    type    = 22 (handshake)
>>    version = { 3,0 }
>>    length  = 56 (0x38)
>>             < encrypted >
>> }
>> ]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>>
>>
>>
>>
>> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote:
>>
>>>  On 11/17/2009 01:09 PM, John Dorovski wrote:
>>>
>>> It was not a typo. I did use the port number 9545.
>>>
>>>
>>> Ok. one idea would be to run the utility "ssltap" as a proxy
>>> and using your browser to connect to the "ssltap" port and
>>> pasting the output here so folks can see what's happening
>>> during the SSL handshake.
>>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>>>
>>>
>>> On a Fedora 10 system, its packaged with nss-tools rpm.
>>>
>>> Run ssltap like this...
>>>
>>> ssltap -sfxl CA_HOSTNAME:CA_PORT
>>>
>>> in your case, it will be
>>>
>>> ssltap -sfxl localhost:9545
>>>
>>> Then use a browser and connect to ssltap. ssltap
>>> listens on port 1924. So on the browser type..
>>>
>>>  https://localhost.localdomain:1924
>>>
>>>
>>> ssltap will capture the results of the ssl handshake.
>>>
>>> Copy and paste it here so we can tell what's happening
>>> during that phase while you get the bad mac alert.
>>>
>>> Thanks,
>>> --Chandra
>>>
>>>
>>>
>>>
>>>
>>>
>>> John
>>>
>>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <
>>> Julius.Adewumi at gdc4s.com> wrote:
>>>
>>>>
>>>> Unless it's a typo on your part, the two port numbers are different...
>>>> Could that be the problem?
>>>> 8445  vs 9545
>>>>
>>>> From: Julius Adewumi
>>>> @GDC4S.com
>>>> Ph:480-441-6768
>>>> Contract Corp:MTSI
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com
>>>> ]
>>>> On Behalf Of Christina Fu
>>>> Sent: Tuesday, November 17, 2009 12:56 PM
>>>> To: pki-users at redhat.com
>>>>  Cc: johndorovski at googlemail.com
>>>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>>>
>>>> I might have messed up when managing pki-users and this did not come
>>>> through.  Hence the forward.
>>>> Christina
>>>>
>>>> Subject:
>>>> Help needed on dogtag
>>>> From:
>>>> John Dorovski 
>>>> Date:
>>>> Tue, 17 Nov 2009 10:58:18 -0500
>>>>
>>>> To:
>>>> pki-users at redhat.com
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>>>> I used a SafeNet ProtectServer Gold HSM as keystore.
>>>> The dogtag system installation and configuration were fine. No error was
>>>> reported.
>>>> All keys and certificates were generated inside the HSM.
>>>>
>>>> But when I tried to access the secure admin interface at
>>>>     https://localhost:localdomain:9545
>>>> I got error message:
>>>>    Secure Connection Failed
>>>>    An error occurred during a connection to localhost.localdomain:8445
>>>>    SSL peer reports incorrect Message Authentication Code.
>>>>    (Error code: ssl_error_bad_mac_alert)
>>>>
>>>> I checked the server certificate (viewed it with IE on a Windows box).
>>>> It seems fine.
>>>>
>>>> Does any body know what is wrong and how can I fix it?
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From johndorovski at googlemail.com  Wed Nov 18 19:49:14 2009
From: johndorovski at googlemail.com (John Dorovski)
Date: Wed, 18 Nov 2009 14:49:14 -0500
Subject: [Pki-users] (forwarded) Help needed on dogtag
In-Reply-To: <4B043BBF.8000001@redhat.com>
References: <4B02FFD8.9040702@redhat.com>
	<150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com>
	
	<4B033E21.9080306@redhat.com>
	
	
	<150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com>
	<4B04339F.6060203@redhat.com> <4B043BBF.8000001@redhat.com>
Message-ID: 

I checked my server.xml file. It does not have clientAuth="agent".
They are all defaulted to  clientAuth="true".


On Wed, Nov 18, 2009 at 1:23 PM, Chandrasekar Kannan wrote:

>  On 11/18/2009 09:49 AM, Chandrasekar Kannan wrote:
>
> On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote:
>
>   SSL_ERROR_BAD_MAC_ALERT -12272 "SSL peer reports incorrect Message
> Authentication Code."
>
> The remote system has reported that it received a message with a bad
> Message Authentication Code from the local system. This may indicate that an
> attack on that server is underway.
>
>
> *The trace shows "cipher-change-request" as last capture before Error
> reported.*
>
> **
>
>
> Just FYI. we noticed a similar message during dogtag 1.2.0
> development but with a different HSM(nethsm). That issue
> was fixed.
> https://bugzilla.redhat.com/show_bug.cgi?id=495597
>
> FWIW, we have never tried with the mentioned
> Safenet Protectserver Gold HSM....
>
>
>
> Can you check settings for this ..
>
>  /var/lib/pki-ca/conf/server.xml
>  Look for clientAuth="agent"
>
>  If you see that can you replace that with
>  clientAuth="true" and restart the CA
>  and see if it addresses the bad mac problem..
>
>
>
>
>
>  *From: Julius Adewumi*
> *@GDC4S.com*
> *Ph:480-441-6768*
> *Contract Corp:MTSI*
>
>
>  ------------------------------
> *From:* John Dorovski [mailto:johndorovski at googlemail.com]
>
> *Sent:* Wednesday, November 18, 2009 7:34 AM
> *To:* Chandrasekar Kannan
> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com
> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag
>
>  Here are the   two certs ssltap captured.
>
>
> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <
> johndorovski at googlemail.com> wrote:
>
>> Here is my ssltap output:
>>
>> [root at rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
>> SSLTAP output
>> 
>> Looking up "localhost.localdomain"...
>> Proxy socket ready and listening
>> 
Connection #1 [Wed Nov 18 09:14:56 2009]
>> 
Connected to localhost.localdomain:9545
>> --> [
>> (120 bytes of 115)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 00  73                                     | ....s
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 115 (0x73)
>>    handshake {
>>    0: 01 00 00 6f                                         | ...o
>>       type = 1 (client_hello)
>>       length = 111 (0x00006f)
>>          ClientHelloV3 {
>>             client_version = {3, 1}
>>             random = {...}
>>    0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  |
>> K..`>...l&.)...&
>>   10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  | ....$.uy..x@
>> {X^{
>>             session ID = {
>>                 length = 0
>>                 contents = {...}
>>             }
>>             cipher_suites[18] = {
>>                 (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>>                 (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>>                 (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>>                 (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>>                 (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>>                 (0x0035) TLS/RSA/AES256-CBC/SHA
>>                 (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>>                 (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>>                 (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>>                 (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>>                 (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>>                 (0x0004) SSL3/RSA/RC4-128/MD5
>>                 (0x0005) SSL3/RSA/RC4-128/SHA
>>                 (0x002f) TLS/RSA/AES128-CBC/SHA
>>                 (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>>                 (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>>                 (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>>                 (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>>             }
>>             compression[1] = { 00 }
>>             extensions[34] = {
>>               extension type server_name, length [26] = {
>>    0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  |
>> .....localhost.l
>>   10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
>>               }
>>               extension type session_ticket, length [0]
>>             }
>>          }
>>    }
>> }
>> ]
>> <-- [
>> (1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 07  6a                                     | ....j
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 1898 (0x76a)
>>    handshake {
>>    0: 02 00 00 46                                         | ...F
>>       type = 2 (server_hello)
>>       length = 70 (0x000046)
>>          ServerHello {
>>             server_version = {3, 1}
>>             random = {...}
>>    0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  |
>> K..`...i...^....
>>   10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  |
>> ...'...W#...i at U.
>>             session ID = {
>>                 length = 32
>>                 contents = {...}
>>    0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf.
>> ....E.m.....
>>   10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  |
>> .........7.n..+%
>>             }
>>             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>>             compression method = 00
>>          }
>>    0: 0b 00 07 18                                         | ....
>>       type = 11 (certificate)
>>       length = 1816 (0x000718)
>>          CertificateChain {
>>             chainlength = 1813 (0x0715)
>>             Certificate {
>>                size = 890 (0x037a)
>>                data = { saved in file 'cert.001' }
>>             }
>>             Certificate {
>>                size = 917 (0x0395)
>>                data = { saved in file 'cert.002' }
>>             }
>>          }
>>    0: 0e 00 00 00                                         | ....
>>       type = 14 (server_hello_done)
>>       length = 0 (0x000000)
>>    }
>> }
>> ]
>> --> [
>> (310 bytes of 262, with 43 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 01  06                                     | .....
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 262 (0x106)
>>    handshake {
>>    0: 10 00 01 02                                         | ....
>>       type = 16 (client_key_exchange)
>>       length = 258 (0x000102)
>>          ClientKeyExchange {
>>             message = {...}
>>          }
>>    }
>> }
>> (310 bytes of 1, with 37 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 14 03 01 00  01                                     | .....
>>    type    = 20 (change_cipher_spec)
>>    version = { 3,1 }
>>    length  = 1 (0x1)
>>    0: 01                                                  | .
>> }
>> (310 bytes of 32)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 01 00  20                                     | ....
>>    type    = 22 (handshake)
>>    version = { 3,1 }
>>    length  = 32 (0x20)
>>             < encrypted >
>> }
>> ]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 1 Complete [Wed Nov 18 09:14:56 2009]
>> 
Connection #2 [Wed Nov 18 09:14:56 2009]
>> 
Connected to localhost.localdomain:9545
>> --> [
>> recordLen = 81 bytes
>> (81 bytes of 81)
>>  [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
>>            version = {0x03, 0x00}
>>            cipher-specs-length = 54 (0x36)
>>            sid-length = 0 (0x00)
>>            challenge-length = 16 (0x10)
>>            cipher-suites = {
>>                 (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>>                 (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>>                 (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>>                 (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>>                 (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>>                 (0x000035) TLS/RSA/AES256-CBC/SHA
>>                 (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>>                 (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>>                 (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>>                 (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>>                 (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>>                 (0x000004) SSL3/RSA/RC4-128/MD5
>>                 (0x000005) SSL3/RSA/RC4-128/SHA
>>                 (0x00002f) TLS/RSA/AES128-CBC/SHA
>>                 (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>>                 (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>>                 (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>>                 (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>>                 }
>>            session-id = { }
>>            challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
>> 0xf716 }
>> }
>> ]
>> <-- [
>> (1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 00 07  6a                                     | ....j
>>    type    = 22 (handshake)
>>    version = { 3,0 }
>>    length  = 1898 (0x76a)
>>    handshake {
>>    0: 02 00 00 46                                         | ...F
>>       type = 2 (server_hello)
>>       length = 70 (0x000046)
>>          ServerHello {
>>             server_version = {3, 0}
>>             random = {...}
>>    0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  | K..`U..3...
>> .t..
>>   10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  |
>> ...&!.....$..N.Q
>>             session ID = {
>>                 length = 32
>>                 contents = {...}
>>    0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  |
>> gfP..m.8}...C.W.
>>   10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  |
>> .......x..U&....
>>             }
>>             cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>>             compression method = 00
>>          }
>>    0: 0b 00 07 18                                         | ....
>>       type = 11 (certificate)
>>       length = 1816 (0x000718)
>>          CertificateChain {
>>             chainlength = 1813 (0x0715)
>>             Certificate {
>>                size = 890 (0x037a)
>>                data = { saved in file 'cert.003' }
>>             }
>>             Certificate {
>>                size = 917 (0x0395)
>>                data = { saved in file 'cert.004' }
>>             }
>>          }
>>    0: 0e 00 00 00                                         | ....
>>       type = 14 (server_hello_done)
>>       length = 0 (0x000000)
>>    }
>> }
>> ]
>> --> [
>> (332 bytes of 260, with 67 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 00 01  04                                     | .....
>>    type    = 22 (handshake)
>>    version = { 3,0 }
>>    length  = 260 (0x104)
>>    handshake {
>>    0: 10 00 01 00                                         | ....
>>       type = 16 (client_key_exchange)
>>       length = 256 (0x000100)
>>          ClientKeyExchange {
>>             message = {...}
>>          }
>>    }
>> }
>> (332 bytes of 1, with 61 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 14 03 00 00  01                                     | .....
>>    type    = 20 (change_cipher_spec)
>>    version = { 3,0 }
>>    length  = 1 (0x1)
>>    0: 01                                                  | .
>> }
>> (332 bytes of 56)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>>    0: 16 03 00 00  38                                     | ....8
>>    type    = 22 (handshake)
>>    version = { 3,0 }
>>    length  = 56 (0x38)
>>             < encrypted >
>> }
>> ]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>>
>>
>>
>>
>> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote:
>>
>>>  On 11/17/2009 01:09 PM, John Dorovski wrote:
>>>
>>> It was not a typo. I did use the port number 9545.
>>>
>>>
>>>  Ok. one idea would be to run the utility "ssltap" as a proxy
>>> and using your browser to connect to the "ssltap" port and
>>> pasting the output here so folks can see what's happening
>>> during the SSL handshake.
>>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>>>
>>>
>>> On a Fedora 10 system, its packaged with nss-tools rpm.
>>>
>>> Run ssltap like this...
>>>
>>> ssltap -sfxl CA_HOSTNAME:CA_PORT
>>>
>>> in your case, it will be
>>>
>>> ssltap -sfxl localhost:9545
>>>
>>> Then use a browser and connect to ssltap. ssltap
>>> listens on port 1924. So on the browser type..
>>>
>>>  https://localhost.localdomain:1924
>>>
>>>
>>> ssltap will capture the results of the ssl handshake.
>>>
>>> Copy and paste it here so we can tell what's happening
>>> during that phase while you get the bad mac alert.
>>>
>>> Thanks,
>>> --Chandra
>>>
>>>
>>>
>>>
>>>
>>>
>>> John
>>>
>>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <
>>> Julius.Adewumi at gdc4s.com> wrote:
>>>
>>>>
>>>> Unless it's a typo on your part, the two port numbers are different...
>>>> Could that be the problem?
>>>> 8445  vs 9545
>>>>
>>>> From: Julius Adewumi
>>>> @GDC4S.com
>>>> Ph:480-441-6768
>>>> Contract Corp:MTSI
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com
>>>> ]
>>>> On Behalf Of Christina Fu
>>>> Sent: Tuesday, November 17, 2009 12:56 PM
>>>> To: pki-users at redhat.com
>>>>  Cc: johndorovski at googlemail.com
>>>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>>>
>>>> I might have messed up when managing pki-users and this did not come
>>>> through.  Hence the forward.
>>>> Christina
>>>>
>>>> Subject:
>>>> Help needed on dogtag
>>>> From:
>>>> John Dorovski 
>>>> Date:
>>>> Tue, 17 Nov 2009 10:58:18 -0500
>>>>
>>>> To:
>>>> pki-users at redhat.com
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>>>> I used a SafeNet ProtectServer Gold HSM as keystore.
>>>> The dogtag system installation and configuration were fine. No error was
>>>> reported.
>>>> All keys and certificates were generated inside the HSM.
>>>>
>>>> But when I tried to access the secure admin interface at
>>>>     https://localhost:localdomain:9545
>>>> I got error message:
>>>>    Secure Connection Failed
>>>>    An error occurred during a connection to localhost.localdomain:8445
>>>>    SSL peer reports incorrect Message Authentication Code.
>>>>    (Error code: ssl_error_bad_mac_alert)
>>>>
>>>> I checked the server certificate (viewed it with IE on a Windows box).
>>>> It seems fine.
>>>>
>>>> Does any body know what is wrong and how can I fix it?
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From johndorovski at googlemail.com  Thu Nov 19 13:55:24 2009
From: johndorovski at googlemail.com (John Dorovski)
Date: Thu, 19 Nov 2009 08:55:24 -0500
Subject: [Pki-users] Recommendation needed
Message-ID: 

 Hi,

I am in a process to set up a CA which requires to use a FIPS certified HSM.
I plan to use dogtag  certificate  system. Can anyone recommend a  HSM
which
will work  with dogtag system?

Thanks in advance,

John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ckannan at redhat.com  Thu Nov 19 13:58:59 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Thu, 19 Nov 2009 05:58:59 -0800
Subject: [Pki-users] Recommendation needed
In-Reply-To: 
References: 
Message-ID: <4B054F23.1000504@redhat.com>

On 11/19/2009 05:55 AM, John Dorovski wrote:
> Hi,
>
> I am in a process to set up a CA which requires to use a FIPS 
> certified HSM.
> I plan to use dogtag  certificate  system. Can anyone recommend a  
> HSM  which
> will work  with dogtag system?

Sure. I'll definitely recommend these ones..

nethsm 2000
LunaSA


>
> Thanks in advance,
>
> John
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>    

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From sean.veale at gdc4s.com  Fri Nov 20 15:52:54 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Fri, 20 Nov 2009 10:52:54 -0500
Subject: [Pki-users] LDAPs +TPS questions  (CS 8.0)
Message-ID: <5E904A528F23FA469961CECAC5F417870212CC61@NDHMC4SXCH.gdc4s.com>


Hello,

I'm trying to enable ssl client authentication with the internal
database for the TPS. 

Using the Administrator Guide chapter 13.5.2, I've successully enabled
ssl client authenticatoin to the internal database for the CA, DRM, and
TKS.
However, the final step 11 of 13.5.2 requires the modification of CS.cfg
paremeters:
internaldb.ldapauth.authtype
internaldb.ldapauth.clientCertNickname
internaldb.ldapconn.port
Internaldb.ldapconn.secureConn

All of which are missing from TPS CS.cfg, and I can't seem to find any
corresponding parameters.

First off, has this feature been implemented with the TPS?

If so, what are the corresponding CS.cfg parameters? Or what parameters
should I change elsewhere?

Thanks

Sean
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From Julius.Adewumi at gdc4s.com  Fri Nov 20 16:48:45 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Fri, 20 Nov 2009 09:48:45 -0700
Subject: [Pki-users] LDAPs +TPS questions  (CS 8.0)
In-Reply-To: <5E904A528F23FA469961CECAC5F417870212CC61@NDHMC4SXCH.gdc4s.com>
References: <5E904A528F23FA469961CECAC5F417870212CC61@NDHMC4SXCH.gdc4s.com>
Message-ID: <150446754087724BA4B8F287083846B205AF7B6E@AZ25EXM04.gddsi.com>

Sean,
    I would try the similar param in CA,TKS such as :
 
internaldb.ldapauth.authtype= BasicAuth
internaldb.ldapauth.clientCertNickname=
internaldb.ldapconn.port=389
Internaldb.ldapconn.secureConn=false
 
Hope it works.  There are several things in RedHat manual which I have
found to be
not functioning, or rather we couldn't make them to function. Lukily,
for my project, 
we moved to Microsoft CA.

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

________________________________

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
On Behalf Of Veale, Sean
Sent: Friday, November 20, 2009 8:53 AM
To: pki-users at redhat.com
Subject: [Pki-users] LDAPs +TPS questions (CS 8.0)




Hello, 

I'm trying to enable ssl client authentication with the internal
database for the TPS. 

Using the Administrator Guide chapter 13.5.2, I've successully enabled
ssl client authenticatoin to the internal database for the CA, DRM, and
TKS.

However, the final step 11 of 13.5.2 requires the modification of CS.cfg
paremeters: 
internaldb.ldapauth.authtype 
internaldb.ldapauth.clientCertNickname 
internaldb.ldapconn.port 
Internaldb.ldapconn.secureConn 

All of which are missing from TPS CS.cfg, and I can't seem to find any
corresponding parameters. 

First off, has this feature been implemented with the TPS? 

If so, what are the corresponding CS.cfg parameters? Or what parameters
should I change elsewhere? 

Thanks 

Sean 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From sean.veale at gdc4s.com  Mon Nov 23 20:18:46 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Mon, 23 Nov 2009 15:18:46 -0500
Subject: [Pki-users] Subject Directory Ext
Message-ID: <5E904A528F23FA469961CECAC5F417870212CE85@NDHMC4SXCH.gdc4s.com>


Is this the correct format for the subject directory extenstion format
with no constraint?

policyset.xxx.11.constraint.class_id=noConstraintImpl
policyset.xxx.11.constraint.name=No Constraint
policyset.xxx.11.default.class_id=subjectDirAttributesExtDefaultImpl
policyset.xxx.11.default.name=Subject Directory Attributes Extension
Default
policyset.xxx.11.default.params.subjDirAttrEnable_0=true
policyset.xxx.11.default.params.subjDirAttrName_0=cn
policyset.xxx.11.default.params.subjDirAttrPattern_0=$request.cn$
policyset.xxx.11.default.params.subjDirAttrsCritical=true

I correctly see the subject directory populated but the logs  doesn't
like the name supplied.

[23/Nov/2009:14:29:50][http-9444-Processor25]:
SubjectDirAttributesExtDefault: populate start
[23/Nov/2009:14:29:50][http-9444-Processor25]:
SubjectDirAttributesExtDefault: invalid OID syntax: cn
[23/Nov/2009:14:29:50][http-9444-Processor25]:
SubjectDirAttributesExtDefault: populate end

The admin guide implies it can be any LDAP attribute. 
http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Certificat
e_and_CRL_Extensions.html#Subject_Directory_Attributes_Extension_Default

Also, I've extended inetorg person with to add my own custom attributes.
The data can be correctly found by the certificate, but
subjectDirAttributes is giving a another error as this snippit of logs
show.  Can you use custom attributes or are you limted to what is in
inetorgperson object class?  In this case the certificate is not
generated. 

[23/Nov/2009:15:01:29][http-9444-Processor25]:
nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute:
edipi=1605353424
...
[23/Nov/2009:15:01:29][http-9444-Processor25]:
SubjectDirAttributesExtDefault: populate start
[23/Nov/2009:15:01:29][http-9444-Processor25]:
SubjectDirAttributesExtDefault: invalid OID syntax: edipi
[23/Nov/2009:15:01:29][http-9444-Processor25]: ProfileSubmitServlet:
populate Invalid attribute edipi


Thanks
Sean






-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From phr at adehis.be  Fri Nov 27 17:56:47 2009
From: phr at adehis.be (Philippe Rodrigues)
Date: Fri, 27 Nov 2009 18:56:47 +0100
Subject: [Pki-users] End user certificate request
Message-ID: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be>

Hi all,

 

Newbie, I'm testing pki features but end user cannot access
http://server_ip:9180/ca/ee/ca for a certicate request.

A "netstat -anp" show service is listening on port 9180 but maybe only
on locahost.

An "nmap" show only ssh port open.

How to give access to the end user for a certificate request ?

 

My configuration is F11 and all features are installed (ca,ra,..). I've
flushed all filters "iptables -F".

 

Thank for any help

 

Philippe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From Julius.Adewumi at gdc4s.com  Fri Nov 27 19:06:18 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Fri, 27 Nov 2009 12:06:18 -0700
Subject: [Pki-users] End user certificate request
In-Reply-To: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be>
References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be>
Message-ID: <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com>

I believe you should access https:  port.
 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

________________________________

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
On Behalf Of Philippe Rodrigues
Sent: Friday, November 27, 2009 10:57 AM
To: pki-users at redhat.com
Subject: [Pki-users] End user certificate request



Hi all,

 

Newbie, I'm testing pki features but end user cannot access
http://server_ip:9180/ca/ee/ca for a certicate request.

A "netstat -anp" show service is listening on port 9180 but maybe only
on locahost.

An "nmap" show only ssh port open.

How to give access to the end user for a certificate request ?

 

My configuration is F11 and all features are installed (ca,ra,..). I've
flushed all filters "iptables -F".

 

Thank for any help

 

Philippe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From phr at adehis.be  Fri Nov 27 20:00:09 2009
From: phr at adehis.be (Philippe Rodrigues)
Date: Fri, 27 Nov 2009 21:00:09 +0100
Subject: [Pki-users] End user certificate request
In-Reply-To: <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com>
References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be>
	<150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com>
Message-ID: <19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be>

Julius,

 

Thank for your answer

Following result of pki-ca start, port 9180 is only accessible on http (see below)

 

pki-ca (pid 2762) is running ...

 

    Unsecure Port     = http://my_pki:9180/ca/ee/ca  

    Secure Agent Port = https://my_pki:9443/ca/agent/ca  

    Secure EE Port    = https://my_pki:9444/ca/ee/ca  

    Secure Admin Port = https://my_pki:9445/ca/services  

    PKI Console Port  = pkiconsole https://my_pki:9445/ca  

    Tomcat Port       = 9701 (for shutdown)

 

You cannot access to the others ports from any other IP address.

Is there a configuration to do for allowing access from outside ?

 

Philippe

 

________________________________

De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] 
Envoy? : vendredi 27 novembre 2009 20:06
? : Philippe Rodrigues; pki-users at redhat.com
Objet : RE: [Pki-users] End user certificate request

 

I believe you should access https:  port.

 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

 

________________________________

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues
Sent: Friday, November 27, 2009 10:57 AM
To: pki-users at redhat.com
Subject: [Pki-users] End user certificate request

Hi all,

 

Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request.

A "netstat -anp" show service is listening on port 9180 but maybe only on locahost.

An "nmap" show only ssh port open.

How to give access to the end user for a certificate request ?

 

My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F".

 

Thank for any help

 

Philippe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From Julius.Adewumi at gdc4s.com  Fri Nov 27 20:49:49 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Fri, 27 Nov 2009 13:49:49 -0700
Subject: [Pki-users] End user certificate request
In-Reply-To: <19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be>
References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be>
	<150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com>
	<19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be>
Message-ID: <150446754087724BA4B8F287083846B205B74345@AZ25EXM04.gddsi.com>

I would try https://my_pki:9443/ca/services
make sure you restart ca after you have configured it.   Infact the last screen during configuration
ask you to restart CA.  I have run into that sometimes--wondering why it's not working, but I only failed to restart CA after configuration.
 
 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

________________________________

From: Philippe Rodrigues [mailto:phr at adehis.be] 
Sent: Friday, November 27, 2009 1:00 PM
To: Adewumi, Julius-p99373; pki-users at redhat.com
Subject: RE: [Pki-users] End user certificate request



Julius,

 

Thank for your answer

Following result of pki-ca start, port 9180 is only accessible on http (see below)

 

pki-ca (pid 2762) is running ...

 

    Unsecure Port     = http://my_pki:9180/ca/ee/ca  

    Secure Agent Port = https://my_pki:9443/ca/agent/ca  

    Secure EE Port    = https://my_pki:9444/ca/ee/ca  

    Secure Admin Port = https://my_pki:9445/ca/services  

    PKI Console Port  = pkiconsole https://my_pki:9445/ca  

    Tomcat Port       = 9701 (for shutdown)

 

You cannot access to the others ports from any other IP address.

Is there a configuration to do for allowing access from outside ?

 

Philippe

 

________________________________

De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] 
Envoy? : vendredi 27 novembre 2009 20:06
? : Philippe Rodrigues; pki-users at redhat.com
Objet : RE: [Pki-users] End user certificate request

 

I believe you should access https:  port.

 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

 

________________________________

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues
Sent: Friday, November 27, 2009 10:57 AM
To: pki-users at redhat.com
Subject: [Pki-users] End user certificate request

Hi all,

 

Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request.

A "netstat -anp" show service is listening on port 9180 but maybe only on locahost.

An "nmap" show only ssh port open.

How to give access to the end user for a certificate request ?

 

My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F".

 

Thank for any help

 

Philippe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From phr at adehis.be  Fri Nov 27 23:44:16 2009
From: phr at adehis.be (Philippe Rodrigues)
Date: Sat, 28 Nov 2009 00:44:16 +0100
Subject: [Pki-users] End user certificate request
In-Reply-To: <150446754087724BA4B8F287083846B205B74345@AZ25EXM04.gddsi.com>
References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be>
	<150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com>
	<19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be>
	<150446754087724BA4B8F287083846B205B74345@AZ25EXM04.gddsi.com>
Message-ID: <19CBC5648B8EBC40AF6D579613D99899EF53C1@thot.adehisnet.be>

Thanks Julius, I done a restart and I can access :-)

All I've to say of this experience is that you need to adapt your firewall filters rules before starting all pki services regards of your topologie (see: http://www.redhat.com/docs/manuals/cert-system/8.0/deploy/html/index.html)

 

Philippe

 

________________________________

De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] 
Envoy? : vendredi 27 novembre 2009 21:50
? : Philippe Rodrigues; pki-users at redhat.com
Objet : RE: [Pki-users] End user certificate request

 

I would try https://my_pki:9443/ca/services

make sure you restart ca after you have configured it.   Infact the last screen during configuration

ask you to restart CA.  I have run into that sometimes--wondering why it's not working, but I only failed to restart CA after configuration.

 

 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

 

________________________________

From: Philippe Rodrigues [mailto:phr at adehis.be] 
Sent: Friday, November 27, 2009 1:00 PM
To: Adewumi, Julius-p99373; pki-users at redhat.com
Subject: RE: [Pki-users] End user certificate request

Julius,

 

Thank for your answer

Following result of pki-ca start, port 9180 is only accessible on http (see below)

 

pki-ca (pid 2762) is running ...

 

    Unsecure Port     = http://my_pki:9180/ca/ee/ca  

    Secure Agent Port = https://my_pki:9443/ca/agent/ca  

    Secure EE Port    = https://my_pki:9444/ca/ee/ca  

    Secure Admin Port = https://my_pki:9445/ca/services  

    PKI Console Port  = pkiconsole https://my_pki:9445/ca  

    Tomcat Port       = 9701 (for shutdown)

 

You cannot access to the others ports from any other IP address.

Is there a configuration to do for allowing access from outside ?

 

Philippe

 

________________________________

De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] 
Envoy? : vendredi 27 novembre 2009 20:06
? : Philippe Rodrigues; pki-users at redhat.com
Objet : RE: [Pki-users] End user certificate request

 

I believe you should access https:  port.

 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

 

________________________________

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues
Sent: Friday, November 27, 2009 10:57 AM
To: pki-users at redhat.com
Subject: [Pki-users] End user certificate request

Hi all,

 

Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request.

A "netstat -anp" show service is listening on port 9180 but maybe only on locahost.

An "nmap" show only ssh port open.

How to give access to the end user for a certificate request ?

 

My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F".

 

Thank for any help

 

Philippe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: