From sean.veale at gdc4s.com Thu Nov 5 21:27:42 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Thu, 5 Nov 2009 16:27:42 -0500 Subject: [Pki-users] Crl Generation question Message-ID: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> Hi, Is is possible for to configure a CA so the CRLs are generated every X time (say every 1 day) but Next Update specified for a longer time, say every 5 days? If so, how do you do that? Thanks Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Thu Nov 5 22:21:53 2009 From: awnuk at redhat.com (Andrew Wnuk) Date: Thu, 05 Nov 2009 14:21:53 -0800 Subject: [Pki-users] Crl Generation question In-Reply-To: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> References: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> Message-ID: <4AF35001.5020000@redhat.com> On 11/05/09 13:27, Veale, Sean wrote: > > Hi, > > Is is possible for to configure a CA so the CRLs are generated every X > time (say every 1 day) but Next Update specified for a longer time, > say every 5 days? > > If so, how do you do that? > > Thanks > Sean > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > Yes, you can configure CA through CA console to "Update CRL ever: 1440 minutes" with "Next update grace period: 5760 minutes" or through CS.cfg . . . ca.crl..autoUpdateInterval=1440 . . . ca.crl..nextUpdateGracePeriod=5760 . . . Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Thu Nov 5 22:37:27 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Thu, 5 Nov 2009 17:37:27 -0500 Subject: [Pki-users] Crl Generation question In-Reply-To: <4AF35001.5020000@redhat.com> References: <5E904A528F23FA469961CECAC5F41787020A0DF8@NDHMC4SXCH.gdc4s.com> <4AF35001.5020000@redhat.com> Message-ID: <5E904A528F23FA469961CECAC5F41787020A0E14@NDHMC4SXCH.gdc4s.com> Great. Thanks Sean ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk Sent: Thursday, November 05, 2009 5:22 PM To: pki-users at redhat.com Subject: Re: [Pki-users] Crl Generation question On 11/05/09 13:27, Veale, Sean wrote: Hi, Is is possible for to configure a CA so the CRLs are generated every X time (say every 1 day) but Next Update specified for a longer time, say every 5 days? If so, how do you do that? Thanks Sean _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users Yes, you can configure CA through CA console to "Update CRL ever: 1440 minutes" with "Next update grace period: 5760 minutes" or through CS.cfg . . . ca.crl..autoUpdateInterval=1440 . . . ca.crl..nextUpdateGracePeriod=5760 . . . Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Fri Nov 6 15:07:27 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Fri, 6 Nov 2009 10:07:27 -0500 Subject: [Pki-users] Question about internal OCSP responder setup by the CA. Message-ID: <5E904A528F23FA469961CECAC5F41787020E30AC@NDHMC4SXCH.gdc4s.com> Hi, Is the port the OCSP responder is listening on always 9180, or is it whatever the unsecured port is setup when configuring the CA? Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Tue Nov 10 23:21:56 2009 From: awnuk at redhat.com (Andrew Wnuk) Date: Tue, 10 Nov 2009 15:21:56 -0800 Subject: [Pki-users] Question about internal OCSP responder setup by the CA. In-Reply-To: <5E904A528F23FA469961CECAC5F41787020E30AC@NDHMC4SXCH.gdc4s.com> References: <5E904A528F23FA469961CECAC5F41787020E30AC@NDHMC4SXCH.gdc4s.com> Message-ID: <4AF9F594.3080202@redhat.com> On 11/06/09 07:07, Veale, Sean wrote: > > Hi, > > Is the port the OCSP responder is listening on always 9180, or is it > whatever the unsecured port is setup when configuring the CA? > > Sean > It is the unsecured CA port. Andrew. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Julius.Adewumi at gdc4s.com Wed Nov 11 21:41:19 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Wed, 11 Nov 2009 14:41:19 -0700 Subject: [Pki-users] Attribute Certificate Message-ID: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> Can a Redhat CA profile be created for Attributes certificate? Has anyone tried this or what problems will not allow it to be usable? From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI -------------- next part -------------- An HTML attachment was scrubbed... URL: From msauton at redhat.com Wed Nov 11 21:44:26 2009 From: msauton at redhat.com (Marc Sauton) Date: Wed, 11 Nov 2009 13:44:26 -0800 Subject: [Pki-users] Attribute Certificate In-Reply-To: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> References: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> Message-ID: <4AFB303A.6040607@redhat.com> Yes, like with the default profile for enrolling CA certificates, caCACert.cfg It is possible to create custom profiles using caCACert.cfg as an example to start with. M. Adewumi, Julius-p99373 wrote: > > Can a Redhat CA profile be created for Attributes certificate? > Has anyone tried this or what problems will not allow it to be usable? > > /From: Julius Adewumi/ > /@GDC4S.com/ > /Ph:480-441-6768/ > /Contract Corp:MTSI/ > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6650 bytes Desc: S/MIME Cryptographic Signature URL: From msauton at redhat.com Wed Nov 11 22:40:36 2009 From: msauton at redhat.com (Marc Sauton) Date: Wed, 11 Nov 2009 14:40:36 -0800 Subject: [Pki-users] Attribute Certificate In-Reply-To: <4AFB303A.6040607@redhat.com> References: <150446754087724BA4B8F287083846B205A1FA12@AZ25EXM04.gddsi.com> <4AFB303A.6040607@redhat.com> Message-ID: <4AFB3D64.8020307@redhat.com> I may have misunderstood your initial question. If this is about rfc3281 for "Attribute Certificate", then no, there is currently no such support in Dogtag of Red Hat Certificate System. That could be a RFE. M. Marc Sauton wrote: > Yes, like with the default profile for enrolling CA certificates, > caCACert.cfg > It is possible to create custom profiles using caCACert.cfg as an > example to start with. > M. > > Adewumi, Julius-p99373 wrote: >> >> Can a Redhat CA profile be created for Attributes certificate? >> Has anyone tried this or what problems will not allow it to be usable? >> >> /From: Julius Adewumi/ >> /@GDC4S.com/ >> /Ph:480-441-6768/ >> /Contract Corp:MTSI/ >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6650 bytes Desc: S/MIME Cryptographic Signature URL: From cfu at redhat.com Tue Nov 17 19:56:08 2009 From: cfu at redhat.com (Christina Fu) Date: Tue, 17 Nov 2009 11:56:08 -0800 Subject: [Pki-users] (forwarded) Help needed on dogtag Message-ID: <4B02FFD8.9040702@redhat.com> I might have messed up when managing pki-users and this did not come through. Hence the forward. Christina Subject: Help needed on dogtag From: John Dorovski Date: Tue, 17 Nov 2009 10:58:18 -0500 To: pki-users at redhat.com Hi, I just installed a dogtag (1.2.0) instance on my Fedora 10 system. I used a SafeNet ProtectServer Gold HSM as keystore. The dogtag system installation and configuration were fine. No error was reported. All keys and certificates were generated inside the HSM. But when I tried to access the secure admin interface at https://localhost:localdomain:9545 I got error message: Secure Connection Failed An error occurred during a connection to localhost.localdomain:8445 SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert) I checked the server certificate (viewed it with IE on a Windows box). It seems fine. Does any body know what is wrong and how can I fix it? Thanks, John From Julius.Adewumi at gdc4s.com Tue Nov 17 20:51:59 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Tue, 17 Nov 2009 13:51:59 -0700 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <4B02FFD8.9040702@redhat.com> References: <4B02FFD8.9040702@redhat.com> Message-ID: <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> Unless it's a typo on your part, the two port numbers are different... Could that be the problem? 8445 vs 9545 From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI -----Original Message----- From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu Sent: Tuesday, November 17, 2009 12:56 PM To: pki-users at redhat.com Cc: johndorovski at googlemail.com Subject: [Pki-users] (forwarded) Help needed on dogtag I might have messed up when managing pki-users and this did not come through. Hence the forward. Christina Subject: Help needed on dogtag From: John Dorovski Date: Tue, 17 Nov 2009 10:58:18 -0500 To: pki-users at redhat.com Hi, I just installed a dogtag (1.2.0) instance on my Fedora 10 system. I used a SafeNet ProtectServer Gold HSM as keystore. The dogtag system installation and configuration were fine. No error was reported. All keys and certificates were generated inside the HSM. But when I tried to access the secure admin interface at https://localhost:localdomain:9545 I got error message: Secure Connection Failed An error occurred during a connection to localhost.localdomain:8445 SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert) I checked the server certificate (viewed it with IE on a Windows box). It seems fine. Does any body know what is wrong and how can I fix it? Thanks, John _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users From johndorovski at googlemail.com Tue Nov 17 21:09:32 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Tue, 17 Nov 2009 16:09:32 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> Message-ID: It was not a typo. I did use the port number 9545. John On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 < Julius.Adewumi at gdc4s.com> wrote: > > Unless it's a typo on your part, the two port numbers are different... > Could that be the problem? > 8445 vs 9545 > > From: Julius Adewumi > @GDC4S.com > Ph:480-441-6768 > Contract Corp:MTSI > > > -----Original Message----- > From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] > On Behalf Of Christina Fu > Sent: Tuesday, November 17, 2009 12:56 PM > To: pki-users at redhat.com > Cc: johndorovski at googlemail.com > Subject: [Pki-users] (forwarded) Help needed on dogtag > > I might have messed up when managing pki-users and this did not come > through. Hence the forward. > Christina > > Subject: > Help needed on dogtag > From: > John Dorovski > Date: > Tue, 17 Nov 2009 10:58:18 -0500 > > To: > pki-users at redhat.com > > > Hi, > > I just installed a dogtag (1.2.0) instance on my Fedora 10 system. > I used a SafeNet ProtectServer Gold HSM as keystore. > The dogtag system installation and configuration were fine. No error was > reported. > All keys and certificates were generated inside the HSM. > > But when I tried to access the secure admin interface at > https://localhost:localdomain:9545 > I got error message: > Secure Connection Failed > An error occurred during a connection to localhost.localdomain:8445 > SSL peer reports incorrect Message Authentication Code. > (Error code: ssl_error_bad_mac_alert) > > I checked the server certificate (viewed it with IE on a Windows box). > It seems fine. > > Does any body know what is wrong and how can I fix it? > > Thanks, > > John > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckannan at redhat.com Wed Nov 18 00:21:53 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Tue, 17 Nov 2009 16:21:53 -0800 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> Message-ID: <4B033E21.9080306@redhat.com> On 11/17/2009 01:09 PM, John Dorovski wrote: > It was not a typo. I did use the port number 9545. Ok. one idea would be to run the utility "ssltap" as a proxy and using your browser to connect to the "ssltap" port and pasting the output here so folks can see what's happening during the SSL handshake. http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html On a Fedora 10 system, its packaged with nss-tools rpm. Run ssltap like this... ssltap -sfxl CA_HOSTNAME:CA_PORT in your case, it will be ssltap -sfxl localhost:9545 Then use a browser and connect to ssltap. ssltap listens on port 1924. So on the browser type.. https://localhost.localdomain:1924 ssltap will capture the results of the ssl handshake. Copy and paste it here so we can tell what's happening during that phase while you get the bad mac alert. Thanks, --Chandra > > > John > > On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 > > wrote: > > > Unless it's a typo on your part, the two port numbers are different... > Could that be the problem? > 8445 vs 9545 > > From: Julius Adewumi > @GDC4S.com > Ph:480-441-6768 > Contract Corp:MTSI > > > -----Original Message----- > From: pki-users-bounces at redhat.com > > [mailto:pki-users-bounces at redhat.com > ] > On Behalf Of Christina Fu > Sent: Tuesday, November 17, 2009 12:56 PM > To: pki-users at redhat.com > Cc: johndorovski at googlemail.com > Subject: [Pki-users] (forwarded) Help needed on dogtag > > I might have messed up when managing pki-users and this did not come > through. Hence the forward. > Christina > > Subject: > Help needed on dogtag > From: > John Dorovski > > Date: > Tue, 17 Nov 2009 10:58:18 -0500 > > To: > pki-users at redhat.com > > > Hi, > > I just installed a dogtag (1.2.0) instance on my Fedora 10 system. > I used a SafeNet ProtectServer Gold HSM as keystore. > The dogtag system installation and configuration were fine. No > error was > reported. > All keys and certificates were generated inside the HSM. > > But when I tried to access the secure admin interface at > https://localhost:localdomain:9545 > I got error message: > Secure Connection Failed > An error occurred during a connection to localhost.localdomain:8445 > SSL peer reports incorrect Message Authentication Code. > (Error code: ssl_error_bad_mac_alert) > > I checked the server certificate (viewed it with IE on a Windows box). > It seems fine. > > Does any body know what is wrong and how can I fix it? > > Thanks, > > John > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndorovski at googlemail.com Wed Nov 18 14:20:45 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Wed, 18 Nov 2009 09:20:45 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <4B033E21.9080306@redhat.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> Message-ID: Here is my ssltap output: [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 SSLTAP output
Looking up "localhost.localdomain"...
Proxy socket ready and listening


Connection #1 [Wed Nov 18 09:14:56 2009]

Connected to localhost.localdomain:9545 --> [ (120 bytes of 115) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 00 73 | ....s type = 22 (handshake) version = { 3,1 } length = 115 (0x73) handshake { 0: 01 00 00 6f | ...o type = 1 (client_hello) length = 111 (0x00006f) ClientHelloV3 { client_version = {3, 1} random = {...} 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | K..`>...l&.)...& 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@{X^{ session ID = { length = 0 contents = {...} } cipher_suites[18] = { (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA (0x0039) TLS/DHE-RSA/AES256-CBC/SHA (0x0038) TLS/DHE-DSS/AES256-CBC/SHA (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA (0x0035) TLS/RSA/AES256-CBC/SHA (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA (0x0033) TLS/DHE-RSA/AES128-CBC/SHA (0x0032) TLS/DHE-DSS/AES128-CBC/SHA (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA (0x0004) SSL3/RSA/RC4-128/MD5 (0x0005) SSL3/RSA/RC4-128/SHA (0x002f) TLS/RSA/AES128-CBC/SHA (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA } compression[1] = { 00 } extensions[34] = { extension type server_name, length [26] = { 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | .....localhost.l 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain } extension type session_ticket, length [0] } } } } ] <-- [ (1903 bytes of 1898) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 07 6a | ....j type = 22 (handshake) version = { 3,1 } length = 1898 (0x76a) handshake { 0: 02 00 00 46 | ...F type = 2 (server_hello) length = 70 (0x000046) ServerHello { server_version = {3, 1} random = {...} 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | K..`...i...^.... 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | ...'...W#...i at U. session ID = { length = 32 contents = {...} 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf.....E.m..... 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | .........7.n..+% } cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 compression method = 00 } 0: 0b 00 07 18 | .... type = 11 (certificate) length = 1816 (0x000718) CertificateChain { chainlength = 1813 (0x0715) Certificate { size = 890 (0x037a) data = { saved in file 'cert.001' } } Certificate { size = 917 (0x0395) data = { saved in file 'cert.002' } } } 0: 0e 00 00 00 | .... type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (310 bytes of 262, with 43 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 01 06 | ..... type = 22 (handshake) version = { 3,1 } length = 262 (0x106) handshake { 0: 10 00 01 02 | .... type = 16 (client_key_exchange) length = 258 (0x000102) ClientKeyExchange { message = {...} } } } (310 bytes of 1, with 37 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 14 03 01 00 01 | ..... type = 20 (change_cipher_spec) version = { 3,1 } length = 1 (0x1) 0: 01 | . } (310 bytes of 32) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 00 20 | .... type = 22 (handshake) version = { 3,1 } length = 32 (0x20) < encrypted > } ] ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket. Connection 1 Complete [Wed Nov 18 09:14:56 2009]


Connection #2 [Wed Nov 18 09:14:56 2009]

Connected to localhost.localdomain:9545 --> [ recordLen = 81 bytes (81 bytes of 81) [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { version = {0x03, 0x00} cipher-specs-length = 54 (0x36) sid-length = 0 (0x00) challenge-length = 16 (0x10) cipher-suites = { (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA (0x000039) TLS/DHE-RSA/AES256-CBC/SHA (0x000038) TLS/DHE-DSS/AES256-CBC/SHA (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA (0x000035) TLS/RSA/AES256-CBC/SHA (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA (0x000033) TLS/DHE-RSA/AES128-CBC/SHA (0x000032) TLS/DHE-DSS/AES128-CBC/SHA (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA (0x000004) SSL3/RSA/RC4-128/MD5 (0x000005) SSL3/RSA/RC4-128/SHA (0x00002f) TLS/RSA/AES128-CBC/SHA (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA } session-id = { } challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 0xf716 } } ] <-- [ (1903 bytes of 1898) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 00 07 6a | ....j type = 22 (handshake) version = { 3,0 } length = 1898 (0x76a) handshake { 0: 02 00 00 46 | ...F type = 2 (server_hello) length = 70 (0x000046) ServerHello { server_version = {3, 0} random = {...} 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3....t.. 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | ...&!.....$..N.Q session ID = { length = 32 contents = {...} 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | gfP..m.8}...C.W. 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | .......x..U&.... } cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 compression method = 00 } 0: 0b 00 07 18 | .... type = 11 (certificate) length = 1816 (0x000718) CertificateChain { chainlength = 1813 (0x0715) Certificate { size = 890 (0x037a) data = { saved in file 'cert.003' } } Certificate { size = 917 (0x0395) data = { saved in file 'cert.004' } } } 0: 0e 00 00 00 | .... type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (332 bytes of 260, with 67 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 00 01 04 | ..... type = 22 (handshake) version = { 3,0 } length = 260 (0x104) handshake { 0: 10 00 01 00 | .... type = 16 (client_key_exchange) length = 256 (0x000100) ClientKeyExchange { message = {...} } } } (332 bytes of 1, with 61 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 14 03 00 00 01 | ..... type = 20 (change_cipher_spec) version = { 3,0 } length = 1 (0x1) 0: 01 | . } (332 bytes of 56) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 00 00 38 | ....8 type = 22 (handshake) version = { 3,0 } length = 56 (0x38) < encrypted > } ] ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket. Connection 2 Complete [Wed Nov 18 09:14:56 2009] On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote: > On 11/17/2009 01:09 PM, John Dorovski wrote: > > It was not a typo. I did use the port number 9545. > > > Ok. one idea would be to run the utility "ssltap" as a proxy > and using your browser to connect to the "ssltap" port and > pasting the output here so folks can see what's happening > during the SSL handshake. > http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html > > > On a Fedora 10 system, its packaged with nss-tools rpm. > > Run ssltap like this... > > ssltap -sfxl CA_HOSTNAME:CA_PORT > > in your case, it will be > > ssltap -sfxl localhost:9545 > > Then use a browser and connect to ssltap. ssltap > listens on port 1924. So on the browser type.. > > https://localhost.localdomain:1924 > > > ssltap will capture the results of the ssl handshake. > > Copy and paste it here so we can tell what's happening > during that phase while you get the bad mac alert. > > Thanks, > --Chandra > > > > > > > John > > On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 < > Julius.Adewumi at gdc4s.com> wrote: > >> >> Unless it's a typo on your part, the two port numbers are different... >> Could that be the problem? >> 8445 vs 9545 >> >> From: Julius Adewumi >> @GDC4S.com >> Ph:480-441-6768 >> Contract Corp:MTSI >> >> >> -----Original Message----- >> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] >> On Behalf Of Christina Fu >> Sent: Tuesday, November 17, 2009 12:56 PM >> To: pki-users at redhat.com >> Cc: johndorovski at googlemail.com >> Subject: [Pki-users] (forwarded) Help needed on dogtag >> >> I might have messed up when managing pki-users and this did not come >> through. Hence the forward. >> Christina >> >> Subject: >> Help needed on dogtag >> From: >> John Dorovski >> Date: >> Tue, 17 Nov 2009 10:58:18 -0500 >> >> To: >> pki-users at redhat.com >> >> >> Hi, >> >> I just installed a dogtag (1.2.0) instance on my Fedora 10 system. >> I used a SafeNet ProtectServer Gold HSM as keystore. >> The dogtag system installation and configuration were fine. No error was >> reported. >> All keys and certificates were generated inside the HSM. >> >> But when I tried to access the secure admin interface at >> https://localhost:localdomain:9545 >> I got error message: >> Secure Connection Failed >> An error occurred during a connection to localhost.localdomain:8445 >> SSL peer reports incorrect Message Authentication Code. >> (Error code: ssl_error_bad_mac_alert) >> >> I checked the server certificate (viewed it with IE on a Windows box). >> It seems fine. >> >> Does any body know what is wrong and how can I fix it? >> >> Thanks, >> >> John >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > > _______________________________________________ > Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndorovski at googlemail.com Wed Nov 18 14:33:30 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Wed, 18 Nov 2009 09:33:30 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> Message-ID: Here are the two certs ssltap captured. On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski wrote: > Here is my ssltap output: > > [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 > SSLTAP output >
> Looking up "localhost.localdomain"...
> Proxy socket ready and listening
> 


Connection #1 [Wed Nov 18 09:14:56 2009] >

Connected to localhost.localdomain:9545 > --> [ > (120 bytes of 115) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 00 73 | ....s > type = 22 (handshake) > version = { 3,1 } > length = 115 (0x73) > handshake { > 0: 01 00 00 6f | ...o > type = 1 (client_hello) > length = 111 (0x00006f) > ClientHelloV3 { > client_version = {3, 1} > random = {...} > 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | > K..`>...l&.)...& > 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@ > {X^{ > session ID = { > length = 0 > contents = {...} > } > cipher_suites[18] = { > (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA > (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA > (0x0039) TLS/DHE-RSA/AES256-CBC/SHA > (0x0038) TLS/DHE-DSS/AES256-CBC/SHA > (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA > (0x0035) TLS/RSA/AES256-CBC/SHA > (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA > (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA > (0x0033) TLS/DHE-RSA/AES128-CBC/SHA > (0x0032) TLS/DHE-DSS/AES128-CBC/SHA > (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA > (0x0004) SSL3/RSA/RC4-128/MD5 > (0x0005) SSL3/RSA/RC4-128/SHA > (0x002f) TLS/RSA/AES128-CBC/SHA > (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA > (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA > (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA > (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA > } > compression[1] = { 00 } > extensions[34] = { > extension type server_name, length [26] = { > 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | > .....localhost.l > 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain > } > extension type session_ticket, length [0] > } > } > } > } > ] > <-- [ > (1903 bytes of 1898) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 07 6a | ....j > type = 22 (handshake) > version = { 3,1 } > length = 1898 (0x76a) > handshake { > 0: 02 00 00 46 | ...F > type = 2 (server_hello) > length = 70 (0x000046) > ServerHello { > server_version = {3, 1} > random = {...} > 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | > K..`...i...^.... > 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | > ...'...W#...i at U. > session ID = { > length = 32 > contents = {...} > 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. > ....E.m..... > 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | > .........7.n..+% > } > cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 > compression method = 00 > } > 0: 0b 00 07 18 | .... > type = 11 (certificate) > length = 1816 (0x000718) > CertificateChain { > chainlength = 1813 (0x0715) > Certificate { > size = 890 (0x037a) > data = { saved in file 'cert.001' } > } > Certificate { > size = 917 (0x0395) > data = { saved in file 'cert.002' } > } > } > 0: 0e 00 00 00 | .... > type = 14 (server_hello_done) > length = 0 (0x000000) > } > } > ] > --> [ > (310 bytes of 262, with 43 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 01 06 | ..... > type = 22 (handshake) > version = { 3,1 } > length = 262 (0x106) > handshake { > 0: 10 00 01 02 | .... > type = 16 (client_key_exchange) > length = 258 (0x000102) > ClientKeyExchange { > message = {...} > } > } > } > (310 bytes of 1, with 37 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 14 03 01 00 01 | ..... > type = 20 (change_cipher_spec) > version = { 3,1 } > length = 1 (0x1) > 0: 01 | . > } > (310 bytes of 32) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 00 20 | .... > type = 22 (handshake) > version = { 3,1 } > length = 32 (0x20) > < encrypted > > } > ] > ssltap: Error -5961: TCP connection reset by peer.: error on server-side > socket. > Connection 1 Complete [Wed Nov 18 09:14:56 2009] >


Connection #2 [Wed Nov 18 09:14:56 2009] >

Connected to localhost.localdomain:9545 > --> [ > recordLen = 81 bytes > (81 bytes of 81) > [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { > version = {0x03, 0x00} > cipher-specs-length = 54 (0x36) > sid-length = 0 (0x00) > challenge-length = 16 (0x10) > cipher-suites = { > (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA > (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA > (0x000039) TLS/DHE-RSA/AES256-CBC/SHA > (0x000038) TLS/DHE-DSS/AES256-CBC/SHA > (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA > (0x000035) TLS/RSA/AES256-CBC/SHA > (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA > (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA > (0x000033) TLS/DHE-RSA/AES128-CBC/SHA > (0x000032) TLS/DHE-DSS/AES128-CBC/SHA > (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA > (0x000004) SSL3/RSA/RC4-128/MD5 > (0x000005) SSL3/RSA/RC4-128/SHA > (0x00002f) TLS/RSA/AES128-CBC/SHA > (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA > (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA > (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA > (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA > } > session-id = { } > challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 > 0xf716 } > } > ] > <-- [ > (1903 bytes of 1898) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 00 07 6a | ....j > type = 22 (handshake) > version = { 3,0 } > length = 1898 (0x76a) > handshake { > 0: 02 00 00 46 | ...F > type = 2 (server_hello) > length = 70 (0x000046) > ServerHello { > server_version = {3, 0} > random = {...} > 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3... > .t.. > 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | > ...&!.....$..N.Q > session ID = { > length = 32 > contents = {...} > 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | > gfP..m.8}...C.W. > 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | > .......x..U&.... > } > cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 > compression method = 00 > } > 0: 0b 00 07 18 | .... > type = 11 (certificate) > length = 1816 (0x000718) > CertificateChain { > chainlength = 1813 (0x0715) > Certificate { > size = 890 (0x037a) > data = { saved in file 'cert.003' } > } > Certificate { > size = 917 (0x0395) > data = { saved in file 'cert.004' } > } > } > 0: 0e 00 00 00 | .... > type = 14 (server_hello_done) > length = 0 (0x000000) > } > } > ] > --> [ > (332 bytes of 260, with 67 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 00 01 04 | ..... > type = 22 (handshake) > version = { 3,0 } > length = 260 (0x104) > handshake { > 0: 10 00 01 00 | .... > type = 16 (client_key_exchange) > length = 256 (0x000100) > ClientKeyExchange { > message = {...} > } > } > } > (332 bytes of 1, with 61 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 14 03 00 00 01 | ..... > type = 20 (change_cipher_spec) > version = { 3,0 } > length = 1 (0x1) > 0: 01 | . > } > (332 bytes of 56) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 00 00 38 | ....8 > type = 22 (handshake) > version = { 3,0 } > length = 56 (0x38) > < encrypted > > } > ] > ssltap: Error -5961: TCP connection reset by peer.: error on server-side > socket. > Connection 2 Complete [Wed Nov 18 09:14:56 2009] > > > > > On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote: > >> On 11/17/2009 01:09 PM, John Dorovski wrote: >> >> It was not a typo. I did use the port number 9545. >> >> >> Ok. one idea would be to run the utility "ssltap" as a proxy >> and using your browser to connect to the "ssltap" port and >> pasting the output here so folks can see what's happening >> during the SSL handshake. >> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html >> >> >> On a Fedora 10 system, its packaged with nss-tools rpm. >> >> Run ssltap like this... >> >> ssltap -sfxl CA_HOSTNAME:CA_PORT >> >> in your case, it will be >> >> ssltap -sfxl localhost:9545 >> >> Then use a browser and connect to ssltap. ssltap >> listens on port 1924. So on the browser type.. >> >> https://localhost.localdomain:1924 >> >> >> ssltap will capture the results of the ssl handshake. >> >> Copy and paste it here so we can tell what's happening >> during that phase while you get the bad mac alert. >> >> Thanks, >> --Chandra >> >> >> >> >> >> >> John >> >> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 < >> Julius.Adewumi at gdc4s.com> wrote: >> >>> >>> Unless it's a typo on your part, the two port numbers are different... >>> Could that be the problem? >>> 8445 vs 9545 >>> >>> From: Julius Adewumi >>> @GDC4S.com >>> Ph:480-441-6768 >>> Contract Corp:MTSI >>> >>> >>> -----Original Message----- >>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] >>> On Behalf Of Christina Fu >>> Sent: Tuesday, November 17, 2009 12:56 PM >>> To: pki-users at redhat.com >>> Cc: johndorovski at googlemail.com >>> Subject: [Pki-users] (forwarded) Help needed on dogtag >>> >>> I might have messed up when managing pki-users and this did not come >>> through. Hence the forward. >>> Christina >>> >>> Subject: >>> Help needed on dogtag >>> From: >>> John Dorovski >>> Date: >>> Tue, 17 Nov 2009 10:58:18 -0500 >>> >>> To: >>> pki-users at redhat.com >>> >>> >>> Hi, >>> >>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system. >>> I used a SafeNet ProtectServer Gold HSM as keystore. >>> The dogtag system installation and configuration were fine. No error was >>> reported. >>> All keys and certificates were generated inside the HSM. >>> >>> But when I tried to access the secure admin interface at >>> https://localhost:localdomain:9545 >>> I got error message: >>> Secure Connection Failed >>> An error occurred during a connection to localhost.localdomain:8445 >>> SSL peer reports incorrect Message Authentication Code. >>> (Error code: ssl_error_bad_mac_alert) >>> >>> I checked the server certificate (viewed it with IE on a Windows box). >>> It seems fine. >>> >>> Does any body know what is wrong and how can I fix it? >>> >>> Thanks, >>> >>> John >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >>> >> >> >> _______________________________________________ >> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users >> >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: cert.001 Type: application/octet-stream Size: 890 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: cert.002 Type: application/octet-stream Size: 917 bytes Desc: not available URL: From Julius.Adewumi at gdc4s.com Wed Nov 18 17:38:05 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Wed, 18 Nov 2009 10:38:05 -0700 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> Message-ID: <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> SSL_ERROR_BAD_MAC_ALERT -12272 "SSL peer reports incorrect Message Authentication Code." The remote system has reported that it received a message with a bad Message Authentication Code from the local system. This may indicate that an attack on that server is underway. The trace shows "cipher-change-request" as last capture before Error reported. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: John Dorovski [mailto:johndorovski at googlemail.com] Sent: Wednesday, November 18, 2009 7:34 AM To: Chandrasekar Kannan Cc: Adewumi, Julius-p99373; pki-users at redhat.com Subject: Re: [Pki-users] (forwarded) Help needed on dogtag Here are the two certs ssltap captured. On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski wrote: Here is my ssltap output: [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 SSLTAP output
	Looking up "localhost.localdomain"...
	Proxy socket ready and listening
	


Connection #1 [Wed Nov 18 09:14:56 2009]

Connected to localhost.localdomain:9545 --> [ (120 bytes of 115) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 00 73 | ....s type = 22 (handshake) version = { 3,1 } length = 115 (0x73) handshake { 0: 01 00 00 6f | ...o type = 1 (client_hello) length = 111 (0x00006f) ClientHelloV3 { client_version = {3, 1} random = {...} 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | K..`>...l&.)...& 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@{X^{ session ID = { length = 0 contents = {...} } cipher_suites[18] = { (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA (0x0039) TLS/DHE-RSA/AES256-CBC/SHA (0x0038) TLS/DHE-DSS/AES256-CBC/SHA (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA (0x0035) TLS/RSA/AES256-CBC/SHA (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA (0x0033) TLS/DHE-RSA/AES128-CBC/SHA (0x0032) TLS/DHE-DSS/AES128-CBC/SHA (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA (0x0004) SSL3/RSA/RC4-128/MD5 (0x0005) SSL3/RSA/RC4-128/SHA (0x002f) TLS/RSA/AES128-CBC/SHA (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA } compression[1] = { 00 } extensions[34] = { extension type server_name, length [26] = { 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | .....localhost.l 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain } extension type session_ticket, length [0] } } } } ] <-- [ (1903 bytes of 1898) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 07 6a | ....j type = 22 (handshake) version = { 3,1 } length = 1898 (0x76a) handshake { 0: 02 00 00 46 | ...F type = 2 (server_hello) length = 70 (0x000046) ServerHello { server_version = {3, 1} random = {...} 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | K..`...i...^.... 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | ...'...W#...i at U. session ID = { length = 32 contents = {...} 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. ....E.m..... 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | .........7.n..+% } cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 compression method = 00 } 0: 0b 00 07 18 | .... type = 11 (certificate) length = 1816 (0x000718) CertificateChain { chainlength = 1813 (0x0715) Certificate { size = 890 (0x037a) data = { saved in file 'cert.001' } } Certificate { size = 917 (0x0395) data = { saved in file 'cert.002' } } } 0: 0e 00 00 00 | .... type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (310 bytes of 262, with 43 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 01 06 | ..... type = 22 (handshake) version = { 3,1 } length = 262 (0x106) handshake { 0: 10 00 01 02 | .... type = 16 (client_key_exchange) length = 258 (0x000102) ClientKeyExchange { message = {...} } } } (310 bytes of 1, with 37 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 14 03 01 00 01 | ..... type = 20 (change_cipher_spec) version = { 3,1 } length = 1 (0x1) 0: 01 | . } (310 bytes of 32) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 01 00 20 | .... type = 22 (handshake) version = { 3,1 } length = 32 (0x20) < encrypted > } ] ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket. Connection 1 Complete [Wed Nov 18 09:14:56 2009]


Connection #2 [Wed Nov 18 09:14:56 2009]

Connected to localhost.localdomain:9545 --> [ recordLen = 81 bytes (81 bytes of 81) [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { version = {0x03, 0x00} cipher-specs-length = 54 (0x36) sid-length = 0 (0x00) challenge-length = 16 (0x10) cipher-suites = { (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA (0x000039) TLS/DHE-RSA/AES256-CBC/SHA (0x000038) TLS/DHE-DSS/AES256-CBC/SHA (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA (0x000035) TLS/RSA/AES256-CBC/SHA (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA (0x000033) TLS/DHE-RSA/AES128-CBC/SHA (0x000032) TLS/DHE-DSS/AES128-CBC/SHA (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA (0x000004) SSL3/RSA/RC4-128/MD5 (0x000005) SSL3/RSA/RC4-128/SHA (0x00002f) TLS/RSA/AES128-CBC/SHA (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA } session-id = { } challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 0xf716 } } ] <-- [ (1903 bytes of 1898) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 00 07 6a | ....j type = 22 (handshake) version = { 3,0 } length = 1898 (0x76a) handshake { 0: 02 00 00 46 | ...F type = 2 (server_hello) length = 70 (0x000046) ServerHello { server_version = {3, 0} random = {...} 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3... .t.. 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | ...&!.....$..N.Q session ID = { length = 32 contents = {...} 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | gfP..m.8}...C.W. 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | .......x..U&.... } cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 compression method = 00 } 0: 0b 00 07 18 | .... type = 11 (certificate) length = 1816 (0x000718) CertificateChain { chainlength = 1813 (0x0715) Certificate { size = 890 (0x037a) data = { saved in file 'cert.003' } } Certificate { size = 917 (0x0395) data = { saved in file 'cert.004' } } } 0: 0e 00 00 00 | .... type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (332 bytes of 260, with 67 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 00 01 04 | ..... type = 22 (handshake) version = { 3,0 } length = 260 (0x104) handshake { 0: 10 00 01 00 | .... type = 16 (client_key_exchange) length = 256 (0x000100) ClientKeyExchange { message = {...} } } } (332 bytes of 1, with 61 left over) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 14 03 00 00 01 | ..... type = 20 (change_cipher_spec) version = { 3,0 } length = 1 (0x1) 0: 01 | . } (332 bytes of 56) SSLRecord { [Wed Nov 18 09:14:56 2009] 0: 16 03 00 00 38 | ....8 type = 22 (handshake) version = { 3,0 } length = 56 (0x38) < encrypted > } ] ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket. Connection 2 Complete [Wed Nov 18 09:14:56 2009] On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote: On 11/17/2009 01:09 PM, John Dorovski wrote: It was not a typo. I did use the port number 9545. Ok. one idea would be to run the utility "ssltap" as a proxy and using your browser to connect to the "ssltap" port and pasting the output here so folks can see what's happening during the SSL handshake. http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html On a Fedora 10 system, its packaged with nss-tools rpm. Run ssltap like this... ssltap -sfxl CA_HOSTNAME:CA_PORT in your case, it will be ssltap -sfxl localhost:9545 Then use a browser and connect to ssltap. ssltap listens on port 1924. So on the browser type.. https://localhost.localdomain:1924 ssltap will capture the results of the ssl handshake. Copy and paste it here so we can tell what's happening during that phase while you get the bad mac alert. Thanks, --Chandra John On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 wrote: Unless it's a typo on your part, the two port numbers are different... Could that be the problem? 8445 vs 9545 From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI -----Original Message----- From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu Sent: Tuesday, November 17, 2009 12:56 PM To: pki-users at redhat.com Cc: johndorovski at googlemail.com Subject: [Pki-users] (forwarded) Help needed on dogtag I might have messed up when managing pki-users and this did not come through. Hence the forward. Christina Subject: Help needed on dogtag From: John Dorovski Date: Tue, 17 Nov 2009 10:58:18 -0500 To: pki-users at redhat.com Hi, I just installed a dogtag (1.2.0) instance on my Fedora 10 system. I used a SafeNet ProtectServer Gold HSM as keystore. The dogtag system installation and configuration were fine. No error was reported. All keys and certificates were generated inside the HSM. But when I tried to access the secure admin interface at https://localhost:localdomain:9545 I got error message: Secure Connection Failed An error occurred during a connection to localhost.localdomain:8445 SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert) I checked the server certificate (viewed it with IE on a Windows box). It seems fine. Does any body know what is wrong and how can I fix it? Thanks, John _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckannan at redhat.com Wed Nov 18 17:49:19 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Wed, 18 Nov 2009 09:49:19 -0800 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> Message-ID: <4B04339F.6060203@redhat.com> On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote: > SSL_ERROR_BAD_MAC_ALERT -12272 "SSL peer reports incorrect Message > Authentication Code." > > The remote system has reported that it received a message with a bad > Message Authentication Code from the local system. This may indicate > that an attack on that server is underway. > > /The trace shows "cipher-change-request" as last capture before Error > reported./ > > // > Just FYI. we noticed a similar message during dogtag 1.2.0 development but with a different HSM(nethsm). That issue was fixed. https://bugzilla.redhat.com/show_bug.cgi?id=495597 FWIW, we have never tried with the mentioned Safenet Protectserver Gold HSM.... > /From: Julius Adewumi/ > /@GDC4S.com/ > /Ph:480-441-6768/ > /Contract Corp:MTSI/ > > > ------------------------------------------------------------------------ > *From:* John Dorovski [mailto:johndorovski at googlemail.com] > *Sent:* Wednesday, November 18, 2009 7:34 AM > *To:* Chandrasekar Kannan > *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com > *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag > > Here are the two certs ssltap captured. > > > On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski > > wrote: > > Here is my ssltap output: > > [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 > SSLTAP output >
>     Looking up "localhost.localdomain"...
>     Proxy socket ready and listening
>     


Connection #1 [Wed Nov 18 09:14:56 2009] >

Connected to localhost.localdomain:9545 > --> [ > (120 bytes of 115) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 00 73 | ....s > type = 22 (handshake) > version = { 3,1 } > length = 115 (0x73) > handshake { > 0: 01 00 00 6f | ...o > type = 1 (client_hello) > length = 111 (0x00006f) > ClientHelloV3 { > client_version = {3, 1} > random = {...} > 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | > K..`>...l&.)...& > 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | > ....$.uy..x@{X^{ > session ID = { > length = 0 > contents = {...} > } > cipher_suites[18] = { > (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA > (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA > (0x0039) TLS/DHE-RSA/AES256-CBC/SHA > (0x0038) TLS/DHE-DSS/AES256-CBC/SHA > (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA > (0x0035) TLS/RSA/AES256-CBC/SHA > (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA > (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA > (0x0033) TLS/DHE-RSA/AES128-CBC/SHA > (0x0032) TLS/DHE-DSS/AES128-CBC/SHA > (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA > (0x0004) SSL3/RSA/RC4-128/MD5 > (0x0005) SSL3/RSA/RC4-128/SHA > (0x002f) TLS/RSA/AES128-CBC/SHA > (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA > (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA > (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA > (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA > } > compression[1] = { 00 } > extensions[34] = { > extension type server_name, length [26] = { > 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | > .....localhost.l > 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain > } > extension type session_ticket, length [0] > } > } > } > } > ] > <-- [ > (1903 bytes of 1898) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 07 6a | ....j > type = 22 (handshake) > version = { 3,1 } > length = 1898 (0x76a) > handshake { > 0: 02 00 00 46 | ...F > type = 2 (server_hello) > length = 70 (0x000046) > ServerHello { > server_version = {3, 1} > random = {...} > 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | > K..`...i...^.... > 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | > ...'...W#...i at U. > session ID = { > length = 32 > contents = {...} > 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. > ....E.m..... > 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | > .........7.n..+% > } > cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 > compression method = 00 > } > 0: 0b 00 07 18 | .... > type = 11 (certificate) > length = 1816 (0x000718) > CertificateChain { > chainlength = 1813 (0x0715) > Certificate { > size = 890 (0x037a) > data = { saved in file 'cert.001' } > } > Certificate { > size = 917 (0x0395) > data = { saved in file 'cert.002' } > } > } > 0: 0e 00 00 00 | .... > type = 14 (server_hello_done) > length = 0 (0x000000) > } > } > ] > --> [ > (310 bytes of 262, with 43 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 01 06 | ..... > type = 22 (handshake) > version = { 3,1 } > length = 262 (0x106) > handshake { > 0: 10 00 01 02 | .... > type = 16 (client_key_exchange) > length = 258 (0x000102) > ClientKeyExchange { > message = {...} > } > } > } > (310 bytes of 1, with 37 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 14 03 01 00 01 | ..... > type = 20 (change_cipher_spec) > version = { 3,1 } > length = 1 (0x1) > 0: 01 | . > } > (310 bytes of 32) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 01 00 20 | .... > type = 22 (handshake) > version = { 3,1 } > length = 32 (0x20) > < encrypted > > } > ] > ssltap: Error -5961: TCP connection reset by peer.: error on > server-side socket. > Connection 1 Complete [Wed Nov 18 09:14:56 2009] >


Connection #2 [Wed Nov 18 09:14:56 2009] >

Connected to localhost.localdomain:9545 > --> [ > recordLen = 81 bytes > (81 bytes of 81) > [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { > version = {0x03, 0x00} > cipher-specs-length = 54 (0x36) > sid-length = 0 (0x00) > challenge-length = 16 (0x10) > cipher-suites = { > (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA > (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA > (0x000039) TLS/DHE-RSA/AES256-CBC/SHA > (0x000038) TLS/DHE-DSS/AES256-CBC/SHA > (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA > (0x000035) TLS/RSA/AES256-CBC/SHA > (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA > (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA > (0x000033) TLS/DHE-RSA/AES128-CBC/SHA > (0x000032) TLS/DHE-DSS/AES128-CBC/SHA > (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA > (0x000004) SSL3/RSA/RC4-128/MD5 > (0x000005) SSL3/RSA/RC4-128/SHA > (0x00002f) TLS/RSA/AES128-CBC/SHA > (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA > (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA > (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA > (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA > } > session-id = { } > challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a > 0x5742 0xf716 } > } > ] > <-- [ > (1903 bytes of 1898) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 00 07 6a | ....j > type = 22 (handshake) > version = { 3,0 } > length = 1898 (0x76a) > handshake { > 0: 02 00 00 46 | ...F > type = 2 (server_hello) > length = 70 (0x000046) > ServerHello { > server_version = {3, 0} > random = {...} > 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | > K..`U..3... .t.. > 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | > ...&!.....$..N.Q > session ID = { > length = 32 > contents = {...} > 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | > gfP..m.8}...C.W. > 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | > .......x..U&.... > } > cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 > compression method = 00 > } > 0: 0b 00 07 18 | .... > type = 11 (certificate) > length = 1816 (0x000718) > CertificateChain { > chainlength = 1813 (0x0715) > Certificate { > size = 890 (0x037a) > data = { saved in file 'cert.003' } > } > Certificate { > size = 917 (0x0395) > data = { saved in file 'cert.004' } > } > } > 0: 0e 00 00 00 | .... > type = 14 (server_hello_done) > length = 0 (0x000000) > } > } > ] > --> [ > (332 bytes of 260, with 67 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 00 01 04 | ..... > type = 22 (handshake) > version = { 3,0 } > length = 260 (0x104) > handshake { > 0: 10 00 01 00 | .... > type = 16 (client_key_exchange) > length = 256 (0x000100) > ClientKeyExchange { > message = {...} > } > } > } > (332 bytes of 1, with 61 left over) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 14 03 00 00 01 | ..... > type = 20 (change_cipher_spec) > version = { 3,0 } > length = 1 (0x1) > 0: 01 | . > } > (332 bytes of 56) > SSLRecord { [Wed Nov 18 09:14:56 2009] > 0: 16 03 00 00 38 | ....8 > type = 22 (handshake) > version = { 3,0 } > length = 56 (0x38) > < encrypted > > } > ] > ssltap: Error -5961: TCP connection reset by peer.: error on > server-side socket. > Connection 2 Complete [Wed Nov 18 09:14:56 2009] > > > > > On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan > > wrote: > > On 11/17/2009 01:09 PM, John Dorovski wrote: >> It was not a typo. I did use the port number 9545. > > Ok. one idea would be to run the utility "ssltap" as a proxy > and using your browser to connect to the "ssltap" port and > pasting the output here so folks can see what's happening > during the SSL handshake. > http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html > > > On a Fedora 10 system, its packaged with nss-tools rpm. > > Run ssltap like this... > > ssltap -sfxl CA_HOSTNAME:CA_PORT > > in your case, it will be > > ssltap -sfxl localhost:9545 > > Then use a browser and connect to ssltap. ssltap > listens on port 1924. So on the browser type.. > > https://localhost.localdomain:1924 > > > ssltap will capture the results of the ssl handshake. > > Copy and paste it here so we can tell what's happening > during that phase while you get the bad mac alert. > > Thanks, > --Chandra > > > > >> >> >> John >> >> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 >> > >> wrote: >> >> >> Unless it's a typo on your part, the two port numbers are >> different... >> Could that be the problem? >> 8445 vs 9545 >> >> From: Julius Adewumi >> @GDC4S.com >> Ph:480-441-6768 >> Contract Corp:MTSI >> >> >> -----Original Message----- >> From: pki-users-bounces at redhat.com >> >> [mailto:pki-users-bounces at redhat.com >> ] >> On Behalf Of Christina Fu >> Sent: Tuesday, November 17, 2009 12:56 PM >> To: pki-users at redhat.com >> Cc: johndorovski at googlemail.com >> >> Subject: [Pki-users] (forwarded) Help needed on dogtag >> >> I might have messed up when managing pki-users and this >> did not come >> through. Hence the forward. >> Christina >> >> Subject: >> Help needed on dogtag >> From: >> John Dorovski > > >> Date: >> Tue, 17 Nov 2009 10:58:18 -0500 >> >> To: >> pki-users at redhat.com >> >> >> Hi, >> >> I just installed a dogtag (1.2.0) instance on my Fedora >> 10 system. >> I used a SafeNet ProtectServer Gold HSM as keystore. >> The dogtag system installation and configuration were >> fine. No error was >> reported. >> All keys and certificates were generated inside the HSM. >> >> But when I tried to access the secure admin interface at >> https://localhost:localdomain:9545 >> I got error message: >> Secure Connection Failed >> An error occurred during a connection to >> localhost.localdomain:8445 >> SSL peer reports incorrect Message Authentication Code. >> (Error code: ssl_error_bad_mac_alert) >> >> I checked the server certificate (viewed it with IE on a >> Windows box). >> It seems fine. >> >> Does any body know what is wrong and how can I fix it? >> >> Thanks, >> >> John >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckannan at redhat.com Wed Nov 18 18:23:59 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Wed, 18 Nov 2009 10:23:59 -0800 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <4B04339F.6060203@redhat.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> <4B04339F.6060203@redhat.com> Message-ID: <4B043BBF.8000001@redhat.com> On 11/18/2009 09:49 AM, Chandrasekar Kannan wrote: > On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote: >> SSL_ERROR_BAD_MAC_ALERT -12272 "SSL peer reports incorrect Message >> Authentication Code." >> >> The remote system has reported that it received a message with a bad >> Message Authentication Code from the local system. This may indicate >> that an attack on that server is underway. >> >> /The trace shows "cipher-change-request" as last capture before Error >> reported./ >> >> // >> > > Just FYI. we noticed a similar message during dogtag 1.2.0 > development but with a different HSM(nethsm). That issue > was fixed. > https://bugzilla.redhat.com/show_bug.cgi?id=495597 > > FWIW, we have never tried with the mentioned > Safenet Protectserver Gold HSM.... Can you check settings for this .. /var/lib/pki-ca/conf/server.xml Look for clientAuth="agent" If you see that can you replace that with clientAuth="true" and restart the CA and see if it addresses the bad mac problem.. > > >> /From: Julius Adewumi/ >> /@GDC4S.com/ >> /Ph:480-441-6768/ >> /Contract Corp:MTSI/ >> >> >> ------------------------------------------------------------------------ >> *From:* John Dorovski [mailto:johndorovski at googlemail.com] >> *Sent:* Wednesday, November 18, 2009 7:34 AM >> *To:* Chandrasekar Kannan >> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com >> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag >> >> Here are the two certs ssltap captured. >> >> >> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski >> > wrote: >> >> Here is my ssltap output: >> >> [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 >> SSLTAP output >>
>>     Looking up "localhost.localdomain"...
>>     Proxy socket ready and listening
>>     


Connection #1 [Wed Nov 18 09:14:56 2009] >>

Connected to localhost.localdomain:9545 >> --> [ >> (120 bytes of 115) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 00 73 | ....s >> type = 22 (handshake) >> version = { 3,1 } >> length = 115 (0x73) >> handshake { >> 0: 01 00 00 6f | ...o >> type = 1 (client_hello) >> length = 111 (0x00006f) >> ClientHelloV3 { >> client_version = {3, 1} >> random = {...} >> 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | >> K..`>...l&.)...& >> 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | >> ....$.uy..x@{X^{ >> session ID = { >> length = 0 >> contents = {...} >> } >> cipher_suites[18] = { >> (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA >> (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA >> (0x0039) TLS/DHE-RSA/AES256-CBC/SHA >> (0x0038) TLS/DHE-DSS/AES256-CBC/SHA >> (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA >> (0x0035) TLS/RSA/AES256-CBC/SHA >> (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA >> (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA >> (0x0033) TLS/DHE-RSA/AES128-CBC/SHA >> (0x0032) TLS/DHE-DSS/AES128-CBC/SHA >> (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA >> (0x0004) SSL3/RSA/RC4-128/MD5 >> (0x0005) SSL3/RSA/RC4-128/SHA >> (0x002f) TLS/RSA/AES128-CBC/SHA >> (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA >> (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA >> (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA >> (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA >> } >> compression[1] = { 00 } >> extensions[34] = { >> extension type server_name, length [26] = { >> 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | >> .....localhost.l >> 10: 6f 63 61 6c 64 6f 6d 61 69 6e | >> ocaldomain >> } >> extension type session_ticket, length [0] >> } >> } >> } >> } >> ] >> <-- [ >> (1903 bytes of 1898) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 07 6a | ....j >> type = 22 (handshake) >> version = { 3,1 } >> length = 1898 (0x76a) >> handshake { >> 0: 02 00 00 46 | ...F >> type = 2 (server_hello) >> length = 70 (0x000046) >> ServerHello { >> server_version = {3, 1} >> random = {...} >> 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | >> K..`...i...^.... >> 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | >> ...'...W#...i at U. >> session ID = { >> length = 32 >> contents = {...} >> 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. >> ....E.m..... >> 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | >> .........7.n..+% >> } >> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 >> compression method = 00 >> } >> 0: 0b 00 07 18 | .... >> type = 11 (certificate) >> length = 1816 (0x000718) >> CertificateChain { >> chainlength = 1813 (0x0715) >> Certificate { >> size = 890 (0x037a) >> data = { saved in file 'cert.001' } >> } >> Certificate { >> size = 917 (0x0395) >> data = { saved in file 'cert.002' } >> } >> } >> 0: 0e 00 00 00 | .... >> type = 14 (server_hello_done) >> length = 0 (0x000000) >> } >> } >> ] >> --> [ >> (310 bytes of 262, with 43 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 01 06 | ..... >> type = 22 (handshake) >> version = { 3,1 } >> length = 262 (0x106) >> handshake { >> 0: 10 00 01 02 | .... >> type = 16 (client_key_exchange) >> length = 258 (0x000102) >> ClientKeyExchange { >> message = {...} >> } >> } >> } >> (310 bytes of 1, with 37 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 14 03 01 00 01 | ..... >> type = 20 (change_cipher_spec) >> version = { 3,1 } >> length = 1 (0x1) >> 0: 01 | . >> } >> (310 bytes of 32) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 00 20 | .... >> type = 22 (handshake) >> version = { 3,1 } >> length = 32 (0x20) >> < encrypted > >> } >> ] >> ssltap: Error -5961: TCP connection reset by peer.: error on >> server-side socket. >> Connection 1 Complete [Wed Nov 18 09:14:56 2009] >>


Connection #2 [Wed Nov 18 09:14:56 2009] >>

Connected to localhost.localdomain:9545 >> --> [ >> recordLen = 81 bytes >> (81 bytes of 81) >> [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { >> version = {0x03, 0x00} >> cipher-specs-length = 54 (0x36) >> sid-length = 0 (0x00) >> challenge-length = 16 (0x10) >> cipher-suites = { >> (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA >> (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA >> (0x000039) TLS/DHE-RSA/AES256-CBC/SHA >> (0x000038) TLS/DHE-DSS/AES256-CBC/SHA >> (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA >> (0x000035) TLS/RSA/AES256-CBC/SHA >> (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA >> (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA >> (0x000033) TLS/DHE-RSA/AES128-CBC/SHA >> (0x000032) TLS/DHE-DSS/AES128-CBC/SHA >> (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA >> (0x000004) SSL3/RSA/RC4-128/MD5 >> (0x000005) SSL3/RSA/RC4-128/SHA >> (0x00002f) TLS/RSA/AES128-CBC/SHA >> (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA >> (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA >> (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA >> (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA >> } >> session-id = { } >> challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 >> 0x4f6a 0x5742 0xf716 } >> } >> ] >> <-- [ >> (1903 bytes of 1898) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 07 6a | ....j >> type = 22 (handshake) >> version = { 3,0 } >> length = 1898 (0x76a) >> handshake { >> 0: 02 00 00 46 | ...F >> type = 2 (server_hello) >> length = 70 (0x000046) >> ServerHello { >> server_version = {3, 0} >> random = {...} >> 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | >> K..`U..3... .t.. >> 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | >> ...&!.....$..N.Q >> session ID = { >> length = 32 >> contents = {...} >> 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | >> gfP..m.8}...C.W. >> 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | >> .......x..U&.... >> } >> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 >> compression method = 00 >> } >> 0: 0b 00 07 18 | .... >> type = 11 (certificate) >> length = 1816 (0x000718) >> CertificateChain { >> chainlength = 1813 (0x0715) >> Certificate { >> size = 890 (0x037a) >> data = { saved in file 'cert.003' } >> } >> Certificate { >> size = 917 (0x0395) >> data = { saved in file 'cert.004' } >> } >> } >> 0: 0e 00 00 00 | .... >> type = 14 (server_hello_done) >> length = 0 (0x000000) >> } >> } >> ] >> --> [ >> (332 bytes of 260, with 67 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 01 04 | ..... >> type = 22 (handshake) >> version = { 3,0 } >> length = 260 (0x104) >> handshake { >> 0: 10 00 01 00 | .... >> type = 16 (client_key_exchange) >> length = 256 (0x000100) >> ClientKeyExchange { >> message = {...} >> } >> } >> } >> (332 bytes of 1, with 61 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 14 03 00 00 01 | ..... >> type = 20 (change_cipher_spec) >> version = { 3,0 } >> length = 1 (0x1) >> 0: 01 | . >> } >> (332 bytes of 56) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 00 38 | ....8 >> type = 22 (handshake) >> version = { 3,0 } >> length = 56 (0x38) >> < encrypted > >> } >> ] >> ssltap: Error -5961: TCP connection reset by peer.: error on >> server-side socket. >> Connection 2 Complete [Wed Nov 18 09:14:56 2009] >> >> >> >> >> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan >> > wrote: >> >> On 11/17/2009 01:09 PM, John Dorovski wrote: >>> It was not a typo. I did use the port number 9545. >> >> Ok. one idea would be to run the utility "ssltap" as a proxy >> and using your browser to connect to the "ssltap" port and >> pasting the output here so folks can see what's happening >> during the SSL handshake. >> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html >> >> >> On a Fedora 10 system, its packaged with nss-tools rpm. >> >> Run ssltap like this... >> >> ssltap -sfxl CA_HOSTNAME:CA_PORT >> >> in your case, it will be >> >> ssltap -sfxl localhost:9545 >> >> Then use a browser and connect to ssltap. ssltap >> listens on port 1924. So on the browser type.. >> >> https://localhost.localdomain:1924 >> >> >> ssltap will capture the results of the ssl handshake. >> >> Copy and paste it here so we can tell what's happening >> during that phase while you get the bad mac alert. >> >> Thanks, >> --Chandra >> >> >> >> >>> >>> >>> John >>> >>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 >>> > >>> wrote: >>> >>> >>> Unless it's a typo on your part, the two port numbers >>> are different... >>> Could that be the problem? >>> 8445 vs 9545 >>> >>> From: Julius Adewumi >>> @GDC4S.com >>> Ph:480-441-6768 >>> Contract Corp:MTSI >>> >>> >>> -----Original Message----- >>> From: pki-users-bounces at redhat.com >>> >>> [mailto:pki-users-bounces at redhat.com >>> ] >>> On Behalf Of Christina Fu >>> Sent: Tuesday, November 17, 2009 12:56 PM >>> To: pki-users at redhat.com >>> Cc: johndorovski at googlemail.com >>> >>> Subject: [Pki-users] (forwarded) Help needed on dogtag >>> >>> I might have messed up when managing pki-users and this >>> did not come >>> through. Hence the forward. >>> Christina >>> >>> Subject: >>> Help needed on dogtag >>> From: >>> John Dorovski >> > >>> Date: >>> Tue, 17 Nov 2009 10:58:18 -0500 >>> >>> To: >>> pki-users at redhat.com >>> >>> >>> Hi, >>> >>> I just installed a dogtag (1.2.0) instance on my Fedora >>> 10 system. >>> I used a SafeNet ProtectServer Gold HSM as keystore. >>> The dogtag system installation and configuration were >>> fine. No error was >>> reported. >>> All keys and certificates were generated inside the HSM. >>> >>> But when I tried to access the secure admin interface at >>> https://localhost:localdomain:9545 >>> I got error message: >>> Secure Connection Failed >>> An error occurred during a connection to >>> localhost.localdomain:8445 >>> SSL peer reports incorrect Message Authentication Code. >>> (Error code: ssl_error_bad_mac_alert) >>> >>> I checked the server certificate (viewed it with IE on a >>> Windows box). >>> It seems fine. >>> >>> Does any body know what is wrong and how can I fix it? >>> >>> Thanks, >>> >>> John >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >>> >>> >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >>> >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> >> >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndorovski at googlemail.com Wed Nov 18 19:40:43 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Wed, 18 Nov 2009 14:40:43 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> Message-ID: I found the error code from Mozilla site also. I am not sure that is the case. Since I installed dogtag on two separate systems with the exact configuration. The systems were all installed with brand new OS (Fedora 10). One system even unplugged from internet after dogtag was installed. They all got the exact same error. On Wed, Nov 18, 2009 at 12:38 PM, Adewumi, Julius-p99373 < Julius.Adewumi at gdc4s.com> wrote: > SSL_ERROR_BAD_MAC_ALERT -12272 > "SSL peer reports incorrect Message Authentication Code." > > The remote system has reported that it received a message with a bad > Message Authentication Code from the local system. This may indicate that an > attack on that server is underway. > > > *The trace shows "cipher-change-request" as last capture before Error > reported.* > > ** > > *From: Julius Adewumi* > *@GDC4S.com* > *Ph:480-441-6768* > *Contract Corp:MTSI* > > > ------------------------------ > *From:* John Dorovski [mailto:johndorovski at googlemail.com] > *Sent:* Wednesday, November 18, 2009 7:34 AM > *To:* Chandrasekar Kannan > *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com > *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag > > Here are the two certs ssltap captured. > > > On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski < > johndorovski at googlemail.com> wrote: > >> Here is my ssltap output: >> >> [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 >> SSLTAP output >>
>> Looking up "localhost.localdomain"...
>> Proxy socket ready and listening
>> 


Connection #1 [Wed Nov 18 09:14:56 2009] >>

Connected to localhost.localdomain:9545 >> --> [ >> (120 bytes of 115) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 00 73 | ....s >> type = 22 (handshake) >> version = { 3,1 } >> length = 115 (0x73) >> handshake { >> 0: 01 00 00 6f | ...o >> type = 1 (client_hello) >> length = 111 (0x00006f) >> ClientHelloV3 { >> client_version = {3, 1} >> random = {...} >> 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | >> K..`>...l&.)...& >> 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@ >> {X^{ >> session ID = { >> length = 0 >> contents = {...} >> } >> cipher_suites[18] = { >> (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA >> (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA >> (0x0039) TLS/DHE-RSA/AES256-CBC/SHA >> (0x0038) TLS/DHE-DSS/AES256-CBC/SHA >> (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA >> (0x0035) TLS/RSA/AES256-CBC/SHA >> (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA >> (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA >> (0x0033) TLS/DHE-RSA/AES128-CBC/SHA >> (0x0032) TLS/DHE-DSS/AES128-CBC/SHA >> (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA >> (0x0004) SSL3/RSA/RC4-128/MD5 >> (0x0005) SSL3/RSA/RC4-128/SHA >> (0x002f) TLS/RSA/AES128-CBC/SHA >> (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA >> (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA >> (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA >> (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA >> } >> compression[1] = { 00 } >> extensions[34] = { >> extension type server_name, length [26] = { >> 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | >> .....localhost.l >> 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain >> } >> extension type session_ticket, length [0] >> } >> } >> } >> } >> ] >> <-- [ >> (1903 bytes of 1898) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 07 6a | ....j >> type = 22 (handshake) >> version = { 3,1 } >> length = 1898 (0x76a) >> handshake { >> 0: 02 00 00 46 | ...F >> type = 2 (server_hello) >> length = 70 (0x000046) >> ServerHello { >> server_version = {3, 1} >> random = {...} >> 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | >> K..`...i...^.... >> 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | >> ...'...W#...i at U. >> session ID = { >> length = 32 >> contents = {...} >> 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. >> ....E.m..... >> 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | >> .........7.n..+% >> } >> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 >> compression method = 00 >> } >> 0: 0b 00 07 18 | .... >> type = 11 (certificate) >> length = 1816 (0x000718) >> CertificateChain { >> chainlength = 1813 (0x0715) >> Certificate { >> size = 890 (0x037a) >> data = { saved in file 'cert.001' } >> } >> Certificate { >> size = 917 (0x0395) >> data = { saved in file 'cert.002' } >> } >> } >> 0: 0e 00 00 00 | .... >> type = 14 (server_hello_done) >> length = 0 (0x000000) >> } >> } >> ] >> --> [ >> (310 bytes of 262, with 43 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 01 06 | ..... >> type = 22 (handshake) >> version = { 3,1 } >> length = 262 (0x106) >> handshake { >> 0: 10 00 01 02 | .... >> type = 16 (client_key_exchange) >> length = 258 (0x000102) >> ClientKeyExchange { >> message = {...} >> } >> } >> } >> (310 bytes of 1, with 37 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 14 03 01 00 01 | ..... >> type = 20 (change_cipher_spec) >> version = { 3,1 } >> length = 1 (0x1) >> 0: 01 | . >> } >> (310 bytes of 32) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 00 20 | .... >> type = 22 (handshake) >> version = { 3,1 } >> length = 32 (0x20) >> < encrypted > >> } >> ] >> ssltap: Error -5961: TCP connection reset by peer.: error on server-side >> socket. >> Connection 1 Complete [Wed Nov 18 09:14:56 2009] >>


Connection #2 [Wed Nov 18 09:14:56 2009] >>

Connected to localhost.localdomain:9545 >> --> [ >> recordLen = 81 bytes >> (81 bytes of 81) >> [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { >> version = {0x03, 0x00} >> cipher-specs-length = 54 (0x36) >> sid-length = 0 (0x00) >> challenge-length = 16 (0x10) >> cipher-suites = { >> (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA >> (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA >> (0x000039) TLS/DHE-RSA/AES256-CBC/SHA >> (0x000038) TLS/DHE-DSS/AES256-CBC/SHA >> (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA >> (0x000035) TLS/RSA/AES256-CBC/SHA >> (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA >> (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA >> (0x000033) TLS/DHE-RSA/AES128-CBC/SHA >> (0x000032) TLS/DHE-DSS/AES128-CBC/SHA >> (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA >> (0x000004) SSL3/RSA/RC4-128/MD5 >> (0x000005) SSL3/RSA/RC4-128/SHA >> (0x00002f) TLS/RSA/AES128-CBC/SHA >> (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA >> (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA >> (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA >> (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA >> } >> session-id = { } >> challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 >> 0xf716 } >> } >> ] >> <-- [ >> (1903 bytes of 1898) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 07 6a | ....j >> type = 22 (handshake) >> version = { 3,0 } >> length = 1898 (0x76a) >> handshake { >> 0: 02 00 00 46 | ...F >> type = 2 (server_hello) >> length = 70 (0x000046) >> ServerHello { >> server_version = {3, 0} >> random = {...} >> 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3... >> .t.. >> 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | >> ...&!.....$..N.Q >> session ID = { >> length = 32 >> contents = {...} >> 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | >> gfP..m.8}...C.W. >> 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | >> .......x..U&.... >> } >> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 >> compression method = 00 >> } >> 0: 0b 00 07 18 | .... >> type = 11 (certificate) >> length = 1816 (0x000718) >> CertificateChain { >> chainlength = 1813 (0x0715) >> Certificate { >> size = 890 (0x037a) >> data = { saved in file 'cert.003' } >> } >> Certificate { >> size = 917 (0x0395) >> data = { saved in file 'cert.004' } >> } >> } >> 0: 0e 00 00 00 | .... >> type = 14 (server_hello_done) >> length = 0 (0x000000) >> } >> } >> ] >> --> [ >> (332 bytes of 260, with 67 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 01 04 | ..... >> type = 22 (handshake) >> version = { 3,0 } >> length = 260 (0x104) >> handshake { >> 0: 10 00 01 00 | .... >> type = 16 (client_key_exchange) >> length = 256 (0x000100) >> ClientKeyExchange { >> message = {...} >> } >> } >> } >> (332 bytes of 1, with 61 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 14 03 00 00 01 | ..... >> type = 20 (change_cipher_spec) >> version = { 3,0 } >> length = 1 (0x1) >> 0: 01 | . >> } >> (332 bytes of 56) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 00 38 | ....8 >> type = 22 (handshake) >> version = { 3,0 } >> length = 56 (0x38) >> < encrypted > >> } >> ] >> ssltap: Error -5961: TCP connection reset by peer.: error on server-side >> socket. >> Connection 2 Complete [Wed Nov 18 09:14:56 2009] >> >> >> >> >> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote: >> >>> On 11/17/2009 01:09 PM, John Dorovski wrote: >>> >>> It was not a typo. I did use the port number 9545. >>> >>> >>> Ok. one idea would be to run the utility "ssltap" as a proxy >>> and using your browser to connect to the "ssltap" port and >>> pasting the output here so folks can see what's happening >>> during the SSL handshake. >>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html >>> >>> >>> On a Fedora 10 system, its packaged with nss-tools rpm. >>> >>> Run ssltap like this... >>> >>> ssltap -sfxl CA_HOSTNAME:CA_PORT >>> >>> in your case, it will be >>> >>> ssltap -sfxl localhost:9545 >>> >>> Then use a browser and connect to ssltap. ssltap >>> listens on port 1924. So on the browser type.. >>> >>> https://localhost.localdomain:1924 >>> >>> >>> ssltap will capture the results of the ssl handshake. >>> >>> Copy and paste it here so we can tell what's happening >>> during that phase while you get the bad mac alert. >>> >>> Thanks, >>> --Chandra >>> >>> >>> >>> >>> >>> >>> John >>> >>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 < >>> Julius.Adewumi at gdc4s.com> wrote: >>> >>>> >>>> Unless it's a typo on your part, the two port numbers are different... >>>> Could that be the problem? >>>> 8445 vs 9545 >>>> >>>> From: Julius Adewumi >>>> @GDC4S.com >>>> Ph:480-441-6768 >>>> Contract Corp:MTSI >>>> >>>> >>>> -----Original Message----- >>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com >>>> ] >>>> On Behalf Of Christina Fu >>>> Sent: Tuesday, November 17, 2009 12:56 PM >>>> To: pki-users at redhat.com >>>> Cc: johndorovski at googlemail.com >>>> Subject: [Pki-users] (forwarded) Help needed on dogtag >>>> >>>> I might have messed up when managing pki-users and this did not come >>>> through. Hence the forward. >>>> Christina >>>> >>>> Subject: >>>> Help needed on dogtag >>>> From: >>>> John Dorovski >>>> Date: >>>> Tue, 17 Nov 2009 10:58:18 -0500 >>>> >>>> To: >>>> pki-users at redhat.com >>>> >>>> >>>> Hi, >>>> >>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system. >>>> I used a SafeNet ProtectServer Gold HSM as keystore. >>>> The dogtag system installation and configuration were fine. No error was >>>> reported. >>>> All keys and certificates were generated inside the HSM. >>>> >>>> But when I tried to access the secure admin interface at >>>> https://localhost:localdomain:9545 >>>> I got error message: >>>> Secure Connection Failed >>>> An error occurred during a connection to localhost.localdomain:8445 >>>> SSL peer reports incorrect Message Authentication Code. >>>> (Error code: ssl_error_bad_mac_alert) >>>> >>>> I checked the server certificate (viewed it with IE on a Windows box). >>>> It seems fine. >>>> >>>> Does any body know what is wrong and how can I fix it? >>>> >>>> Thanks, >>>> >>>> John >>>> >>>> _______________________________________________ >>>> Pki-users mailing list >>>> Pki-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-users >>>> >>> >>> >>> _______________________________________________ >>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users >>> >>> >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >>> >>> >> > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndorovski at googlemail.com Wed Nov 18 19:49:14 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Wed, 18 Nov 2009 14:49:14 -0500 Subject: [Pki-users] (forwarded) Help needed on dogtag In-Reply-To: <4B043BBF.8000001@redhat.com> References: <4B02FFD8.9040702@redhat.com> <150446754087724BA4B8F287083846B205AA5BB5@AZ25EXM04.gddsi.com> <4B033E21.9080306@redhat.com> <150446754087724BA4B8F287083846B205ACEDF1@AZ25EXM04.gddsi.com> <4B04339F.6060203@redhat.com> <4B043BBF.8000001@redhat.com> Message-ID: I checked my server.xml file. It does not have clientAuth="agent". They are all defaulted to clientAuth="true". On Wed, Nov 18, 2009 at 1:23 PM, Chandrasekar Kannan wrote: > On 11/18/2009 09:49 AM, Chandrasekar Kannan wrote: > > On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote: > > SSL_ERROR_BAD_MAC_ALERT -12272 "SSL peer reports incorrect Message > Authentication Code." > > The remote system has reported that it received a message with a bad > Message Authentication Code from the local system. This may indicate that an > attack on that server is underway. > > > *The trace shows "cipher-change-request" as last capture before Error > reported.* > > ** > > > Just FYI. we noticed a similar message during dogtag 1.2.0 > development but with a different HSM(nethsm). That issue > was fixed. > https://bugzilla.redhat.com/show_bug.cgi?id=495597 > > FWIW, we have never tried with the mentioned > Safenet Protectserver Gold HSM.... > > > > Can you check settings for this .. > > /var/lib/pki-ca/conf/server.xml > Look for clientAuth="agent" > > If you see that can you replace that with > clientAuth="true" and restart the CA > and see if it addresses the bad mac problem.. > > > > > > *From: Julius Adewumi* > *@GDC4S.com* > *Ph:480-441-6768* > *Contract Corp:MTSI* > > > ------------------------------ > *From:* John Dorovski [mailto:johndorovski at googlemail.com] > > *Sent:* Wednesday, November 18, 2009 7:34 AM > *To:* Chandrasekar Kannan > *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com > *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag > > Here are the two certs ssltap captured. > > > On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski < > johndorovski at googlemail.com> wrote: > >> Here is my ssltap output: >> >> [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545 >> SSLTAP output >>
>> Looking up "localhost.localdomain"...
>> Proxy socket ready and listening
>> 


Connection #1 [Wed Nov 18 09:14:56 2009] >>

Connected to localhost.localdomain:9545 >> --> [ >> (120 bytes of 115) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 00 73 | ....s >> type = 22 (handshake) >> version = { 3,1 } >> length = 115 (0x73) >> handshake { >> 0: 01 00 00 6f | ...o >> type = 1 (client_hello) >> length = 111 (0x00006f) >> ClientHelloV3 { >> client_version = {3, 1} >> random = {...} >> 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 | >> K..`>...l&.)...& >> 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@ >> {X^{ >> session ID = { >> length = 0 >> contents = {...} >> } >> cipher_suites[18] = { >> (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA >> (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA >> (0x0039) TLS/DHE-RSA/AES256-CBC/SHA >> (0x0038) TLS/DHE-DSS/AES256-CBC/SHA >> (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA >> (0x0035) TLS/RSA/AES256-CBC/SHA >> (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA >> (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA >> (0x0033) TLS/DHE-RSA/AES128-CBC/SHA >> (0x0032) TLS/DHE-DSS/AES128-CBC/SHA >> (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA >> (0x0004) SSL3/RSA/RC4-128/MD5 >> (0x0005) SSL3/RSA/RC4-128/SHA >> (0x002f) TLS/RSA/AES128-CBC/SHA >> (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA >> (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA >> (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA >> (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA >> } >> compression[1] = { 00 } >> extensions[34] = { >> extension type server_name, length [26] = { >> 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c | >> .....localhost.l >> 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain >> } >> extension type session_ticket, length [0] >> } >> } >> } >> } >> ] >> <-- [ >> (1903 bytes of 1898) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 07 6a | ....j >> type = 22 (handshake) >> version = { 3,1 } >> length = 1898 (0x76a) >> handshake { >> 0: 02 00 00 46 | ...F >> type = 2 (server_hello) >> length = 70 (0x000046) >> ServerHello { >> server_version = {3, 1} >> random = {...} >> 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 | >> K..`...i...^.... >> 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d | >> ...'...W#...i at U. >> session ID = { >> length = 32 >> contents = {...} >> 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf. >> ....E.m..... >> 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 | >> .........7.n..+% >> } >> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 >> compression method = 00 >> } >> 0: 0b 00 07 18 | .... >> type = 11 (certificate) >> length = 1816 (0x000718) >> CertificateChain { >> chainlength = 1813 (0x0715) >> Certificate { >> size = 890 (0x037a) >> data = { saved in file 'cert.001' } >> } >> Certificate { >> size = 917 (0x0395) >> data = { saved in file 'cert.002' } >> } >> } >> 0: 0e 00 00 00 | .... >> type = 14 (server_hello_done) >> length = 0 (0x000000) >> } >> } >> ] >> --> [ >> (310 bytes of 262, with 43 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 01 06 | ..... >> type = 22 (handshake) >> version = { 3,1 } >> length = 262 (0x106) >> handshake { >> 0: 10 00 01 02 | .... >> type = 16 (client_key_exchange) >> length = 258 (0x000102) >> ClientKeyExchange { >> message = {...} >> } >> } >> } >> (310 bytes of 1, with 37 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 14 03 01 00 01 | ..... >> type = 20 (change_cipher_spec) >> version = { 3,1 } >> length = 1 (0x1) >> 0: 01 | . >> } >> (310 bytes of 32) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 01 00 20 | .... >> type = 22 (handshake) >> version = { 3,1 } >> length = 32 (0x20) >> < encrypted > >> } >> ] >> ssltap: Error -5961: TCP connection reset by peer.: error on server-side >> socket. >> Connection 1 Complete [Wed Nov 18 09:14:56 2009] >>


Connection #2 [Wed Nov 18 09:14:56 2009] >>

Connected to localhost.localdomain:9545 >> --> [ >> recordLen = 81 bytes >> (81 bytes of 81) >> [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 { >> version = {0x03, 0x00} >> cipher-specs-length = 54 (0x36) >> sid-length = 0 (0x00) >> challenge-length = 16 (0x10) >> cipher-suites = { >> (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA >> (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA >> (0x000039) TLS/DHE-RSA/AES256-CBC/SHA >> (0x000038) TLS/DHE-DSS/AES256-CBC/SHA >> (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA >> (0x000035) TLS/RSA/AES256-CBC/SHA >> (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA >> (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA >> (0x000033) TLS/DHE-RSA/AES128-CBC/SHA >> (0x000032) TLS/DHE-DSS/AES128-CBC/SHA >> (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA >> (0x000004) SSL3/RSA/RC4-128/MD5 >> (0x000005) SSL3/RSA/RC4-128/SHA >> (0x00002f) TLS/RSA/AES128-CBC/SHA >> (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA >> (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA >> (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA >> (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA >> } >> session-id = { } >> challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 >> 0xf716 } >> } >> ] >> <-- [ >> (1903 bytes of 1898) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 07 6a | ....j >> type = 22 (handshake) >> version = { 3,0 } >> length = 1898 (0x76a) >> handshake { >> 0: 02 00 00 46 | ...F >> type = 2 (server_hello) >> length = 70 (0x000046) >> ServerHello { >> server_version = {3, 0} >> random = {...} >> 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3... >> .t.. >> 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 | >> ...&!.....$..N.Q >> session ID = { >> length = 32 >> contents = {...} >> 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b | >> gfP..m.8}...C.W. >> 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 | >> .......x..U&.... >> } >> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5 >> compression method = 00 >> } >> 0: 0b 00 07 18 | .... >> type = 11 (certificate) >> length = 1816 (0x000718) >> CertificateChain { >> chainlength = 1813 (0x0715) >> Certificate { >> size = 890 (0x037a) >> data = { saved in file 'cert.003' } >> } >> Certificate { >> size = 917 (0x0395) >> data = { saved in file 'cert.004' } >> } >> } >> 0: 0e 00 00 00 | .... >> type = 14 (server_hello_done) >> length = 0 (0x000000) >> } >> } >> ] >> --> [ >> (332 bytes of 260, with 67 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 01 04 | ..... >> type = 22 (handshake) >> version = { 3,0 } >> length = 260 (0x104) >> handshake { >> 0: 10 00 01 00 | .... >> type = 16 (client_key_exchange) >> length = 256 (0x000100) >> ClientKeyExchange { >> message = {...} >> } >> } >> } >> (332 bytes of 1, with 61 left over) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 14 03 00 00 01 | ..... >> type = 20 (change_cipher_spec) >> version = { 3,0 } >> length = 1 (0x1) >> 0: 01 | . >> } >> (332 bytes of 56) >> SSLRecord { [Wed Nov 18 09:14:56 2009] >> 0: 16 03 00 00 38 | ....8 >> type = 22 (handshake) >> version = { 3,0 } >> length = 56 (0x38) >> < encrypted > >> } >> ] >> ssltap: Error -5961: TCP connection reset by peer.: error on server-side >> socket. >> Connection 2 Complete [Wed Nov 18 09:14:56 2009] >> >> >> >> >> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan wrote: >> >>> On 11/17/2009 01:09 PM, John Dorovski wrote: >>> >>> It was not a typo. I did use the port number 9545. >>> >>> >>> Ok. one idea would be to run the utility "ssltap" as a proxy >>> and using your browser to connect to the "ssltap" port and >>> pasting the output here so folks can see what's happening >>> during the SSL handshake. >>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html >>> >>> >>> On a Fedora 10 system, its packaged with nss-tools rpm. >>> >>> Run ssltap like this... >>> >>> ssltap -sfxl CA_HOSTNAME:CA_PORT >>> >>> in your case, it will be >>> >>> ssltap -sfxl localhost:9545 >>> >>> Then use a browser and connect to ssltap. ssltap >>> listens on port 1924. So on the browser type.. >>> >>> https://localhost.localdomain:1924 >>> >>> >>> ssltap will capture the results of the ssl handshake. >>> >>> Copy and paste it here so we can tell what's happening >>> during that phase while you get the bad mac alert. >>> >>> Thanks, >>> --Chandra >>> >>> >>> >>> >>> >>> >>> John >>> >>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 < >>> Julius.Adewumi at gdc4s.com> wrote: >>> >>>> >>>> Unless it's a typo on your part, the two port numbers are different... >>>> Could that be the problem? >>>> 8445 vs 9545 >>>> >>>> From: Julius Adewumi >>>> @GDC4S.com >>>> Ph:480-441-6768 >>>> Contract Corp:MTSI >>>> >>>> >>>> -----Original Message----- >>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com >>>> ] >>>> On Behalf Of Christina Fu >>>> Sent: Tuesday, November 17, 2009 12:56 PM >>>> To: pki-users at redhat.com >>>> Cc: johndorovski at googlemail.com >>>> Subject: [Pki-users] (forwarded) Help needed on dogtag >>>> >>>> I might have messed up when managing pki-users and this did not come >>>> through. Hence the forward. >>>> Christina >>>> >>>> Subject: >>>> Help needed on dogtag >>>> From: >>>> John Dorovski >>>> Date: >>>> Tue, 17 Nov 2009 10:58:18 -0500 >>>> >>>> To: >>>> pki-users at redhat.com >>>> >>>> >>>> Hi, >>>> >>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system. >>>> I used a SafeNet ProtectServer Gold HSM as keystore. >>>> The dogtag system installation and configuration were fine. No error was >>>> reported. >>>> All keys and certificates were generated inside the HSM. >>>> >>>> But when I tried to access the secure admin interface at >>>> https://localhost:localdomain:9545 >>>> I got error message: >>>> Secure Connection Failed >>>> An error occurred during a connection to localhost.localdomain:8445 >>>> SSL peer reports incorrect Message Authentication Code. >>>> (Error code: ssl_error_bad_mac_alert) >>>> >>>> I checked the server certificate (viewed it with IE on a Windows box). >>>> It seems fine. >>>> >>>> Does any body know what is wrong and how can I fix it? >>>> >>>> Thanks, >>>> >>>> John >>>> >>>> _______________________________________________ >>>> Pki-users mailing list >>>> Pki-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-users >>>> >>> >>> >>> _______________________________________________ >>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users >>> >>> >>> >>> _______________________________________________ >>> Pki-users mailing list >>> Pki-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-users >>> >>> >> > > _______________________________________________ > Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users > > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndorovski at googlemail.com Thu Nov 19 13:55:24 2009 From: johndorovski at googlemail.com (John Dorovski) Date: Thu, 19 Nov 2009 08:55:24 -0500 Subject: [Pki-users] Recommendation needed Message-ID: Hi, I am in a process to set up a CA which requires to use a FIPS certified HSM. I plan to use dogtag certificate system. Can anyone recommend a HSM which will work with dogtag system? Thanks in advance, John -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckannan at redhat.com Thu Nov 19 13:58:59 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Thu, 19 Nov 2009 05:58:59 -0800 Subject: [Pki-users] Recommendation needed In-Reply-To: References: Message-ID: <4B054F23.1000504@redhat.com> On 11/19/2009 05:55 AM, John Dorovski wrote: > Hi, > > I am in a process to set up a CA which requires to use a FIPS > certified HSM. > I plan to use dogtag certificate system. Can anyone recommend a > HSM which > will work with dogtag system? Sure. I'll definitely recommend these ones.. nethsm 2000 LunaSA > > Thanks in advance, > > John > > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Fri Nov 20 15:52:54 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Fri, 20 Nov 2009 10:52:54 -0500 Subject: [Pki-users] LDAPs +TPS questions (CS 8.0) Message-ID: <5E904A528F23FA469961CECAC5F417870212CC61@NDHMC4SXCH.gdc4s.com> Hello, I'm trying to enable ssl client authentication with the internal database for the TPS. Using the Administrator Guide chapter 13.5.2, I've successully enabled ssl client authenticatoin to the internal database for the CA, DRM, and TKS. However, the final step 11 of 13.5.2 requires the modification of CS.cfg paremeters: internaldb.ldapauth.authtype internaldb.ldapauth.clientCertNickname internaldb.ldapconn.port Internaldb.ldapconn.secureConn All of which are missing from TPS CS.cfg, and I can't seem to find any corresponding parameters. First off, has this feature been implemented with the TPS? If so, what are the corresponding CS.cfg parameters? Or what parameters should I change elsewhere? Thanks Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From Julius.Adewumi at gdc4s.com Fri Nov 20 16:48:45 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Fri, 20 Nov 2009 09:48:45 -0700 Subject: [Pki-users] LDAPs +TPS questions (CS 8.0) In-Reply-To: <5E904A528F23FA469961CECAC5F417870212CC61@NDHMC4SXCH.gdc4s.com> References: <5E904A528F23FA469961CECAC5F417870212CC61@NDHMC4SXCH.gdc4s.com> Message-ID: <150446754087724BA4B8F287083846B205AF7B6E@AZ25EXM04.gddsi.com> Sean, I would try the similar param in CA,TKS such as : internaldb.ldapauth.authtype= BasicAuth internaldb.ldapauth.clientCertNickname= internaldb.ldapconn.port=389 Internaldb.ldapconn.secureConn=false Hope it works. There are several things in RedHat manual which I have found to be not functioning, or rather we couldn't make them to function. Lukily, for my project, we moved to Microsoft CA. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Veale, Sean Sent: Friday, November 20, 2009 8:53 AM To: pki-users at redhat.com Subject: [Pki-users] LDAPs +TPS questions (CS 8.0) Hello, I'm trying to enable ssl client authentication with the internal database for the TPS. Using the Administrator Guide chapter 13.5.2, I've successully enabled ssl client authenticatoin to the internal database for the CA, DRM, and TKS. However, the final step 11 of 13.5.2 requires the modification of CS.cfg paremeters: internaldb.ldapauth.authtype internaldb.ldapauth.clientCertNickname internaldb.ldapconn.port Internaldb.ldapconn.secureConn All of which are missing from TPS CS.cfg, and I can't seem to find any corresponding parameters. First off, has this feature been implemented with the TPS? If so, what are the corresponding CS.cfg parameters? Or what parameters should I change elsewhere? Thanks Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Mon Nov 23 20:18:46 2009 From: sean.veale at gdc4s.com (Veale, Sean) Date: Mon, 23 Nov 2009 15:18:46 -0500 Subject: [Pki-users] Subject Directory Ext Message-ID: <5E904A528F23FA469961CECAC5F417870212CE85@NDHMC4SXCH.gdc4s.com> Is this the correct format for the subject directory extenstion format with no constraint? policyset.xxx.11.constraint.class_id=noConstraintImpl policyset.xxx.11.constraint.name=No Constraint policyset.xxx.11.default.class_id=subjectDirAttributesExtDefaultImpl policyset.xxx.11.default.name=Subject Directory Attributes Extension Default policyset.xxx.11.default.params.subjDirAttrEnable_0=true policyset.xxx.11.default.params.subjDirAttrName_0=cn policyset.xxx.11.default.params.subjDirAttrPattern_0=$request.cn$ policyset.xxx.11.default.params.subjDirAttrsCritical=true I correctly see the subject directory populated but the logs doesn't like the name supplied. [23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate start [23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: invalid OID syntax: cn [23/Nov/2009:14:29:50][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate end The admin guide implies it can be any LDAP attribute. http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Certificat e_and_CRL_Extensions.html#Subject_Directory_Attributes_Extension_Default Also, I've extended inetorg person with to add my own custom attributes. The data can be correctly found by the certificate, but subjectDirAttributes is giving a another error as this snippit of logs show. Can you use custom attributes or are you limted to what is in inetorgperson object class? In this case the certificate is not generated. [23/Nov/2009:15:01:29][http-9444-Processor25]: nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: edipi=1605353424 ... [23/Nov/2009:15:01:29][http-9444-Processor25]: SubjectDirAttributesExtDefault: populate start [23/Nov/2009:15:01:29][http-9444-Processor25]: SubjectDirAttributesExtDefault: invalid OID syntax: edipi [23/Nov/2009:15:01:29][http-9444-Processor25]: ProfileSubmitServlet: populate Invalid attribute edipi Thanks Sean -------------- next part -------------- An HTML attachment was scrubbed... URL: From phr at adehis.be Fri Nov 27 17:56:47 2009 From: phr at adehis.be (Philippe Rodrigues) Date: Fri, 27 Nov 2009 18:56:47 +0100 Subject: [Pki-users] End user certificate request Message-ID: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be> Hi all, Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request. A "netstat -anp" show service is listening on port 9180 but maybe only on locahost. An "nmap" show only ssh port open. How to give access to the end user for a certificate request ? My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F". Thank for any help Philippe -------------- next part -------------- An HTML attachment was scrubbed... URL: From Julius.Adewumi at gdc4s.com Fri Nov 27 19:06:18 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Fri, 27 Nov 2009 12:06:18 -0700 Subject: [Pki-users] End user certificate request In-Reply-To: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be> References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be> Message-ID: <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com> I believe you should access https: port. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues Sent: Friday, November 27, 2009 10:57 AM To: pki-users at redhat.com Subject: [Pki-users] End user certificate request Hi all, Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request. A "netstat -anp" show service is listening on port 9180 but maybe only on locahost. An "nmap" show only ssh port open. How to give access to the end user for a certificate request ? My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F". Thank for any help Philippe -------------- next part -------------- An HTML attachment was scrubbed... URL: From phr at adehis.be Fri Nov 27 20:00:09 2009 From: phr at adehis.be (Philippe Rodrigues) Date: Fri, 27 Nov 2009 21:00:09 +0100 Subject: [Pki-users] End user certificate request In-Reply-To: <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com> References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be> <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com> Message-ID: <19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be> Julius, Thank for your answer Following result of pki-ca start, port 9180 is only accessible on http (see below) pki-ca (pid 2762) is running ... Unsecure Port = http://my_pki:9180/ca/ee/ca Secure Agent Port = https://my_pki:9443/ca/agent/ca Secure EE Port = https://my_pki:9444/ca/ee/ca Secure Admin Port = https://my_pki:9445/ca/services PKI Console Port = pkiconsole https://my_pki:9445/ca Tomcat Port = 9701 (for shutdown) You cannot access to the others ports from any other IP address. Is there a configuration to do for allowing access from outside ? Philippe ________________________________ De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] Envoy? : vendredi 27 novembre 2009 20:06 ? : Philippe Rodrigues; pki-users at redhat.com Objet : RE: [Pki-users] End user certificate request I believe you should access https: port. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues Sent: Friday, November 27, 2009 10:57 AM To: pki-users at redhat.com Subject: [Pki-users] End user certificate request Hi all, Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request. A "netstat -anp" show service is listening on port 9180 but maybe only on locahost. An "nmap" show only ssh port open. How to give access to the end user for a certificate request ? My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F". Thank for any help Philippe -------------- next part -------------- An HTML attachment was scrubbed... URL: From Julius.Adewumi at gdc4s.com Fri Nov 27 20:49:49 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Fri, 27 Nov 2009 13:49:49 -0700 Subject: [Pki-users] End user certificate request In-Reply-To: <19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be> References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be> <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com> <19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be> Message-ID: <150446754087724BA4B8F287083846B205B74345@AZ25EXM04.gddsi.com> I would try https://my_pki:9443/ca/services make sure you restart ca after you have configured it. Infact the last screen during configuration ask you to restart CA. I have run into that sometimes--wondering why it's not working, but I only failed to restart CA after configuration. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: Philippe Rodrigues [mailto:phr at adehis.be] Sent: Friday, November 27, 2009 1:00 PM To: Adewumi, Julius-p99373; pki-users at redhat.com Subject: RE: [Pki-users] End user certificate request Julius, Thank for your answer Following result of pki-ca start, port 9180 is only accessible on http (see below) pki-ca (pid 2762) is running ... Unsecure Port = http://my_pki:9180/ca/ee/ca Secure Agent Port = https://my_pki:9443/ca/agent/ca Secure EE Port = https://my_pki:9444/ca/ee/ca Secure Admin Port = https://my_pki:9445/ca/services PKI Console Port = pkiconsole https://my_pki:9445/ca Tomcat Port = 9701 (for shutdown) You cannot access to the others ports from any other IP address. Is there a configuration to do for allowing access from outside ? Philippe ________________________________ De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] Envoy? : vendredi 27 novembre 2009 20:06 ? : Philippe Rodrigues; pki-users at redhat.com Objet : RE: [Pki-users] End user certificate request I believe you should access https: port. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues Sent: Friday, November 27, 2009 10:57 AM To: pki-users at redhat.com Subject: [Pki-users] End user certificate request Hi all, Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request. A "netstat -anp" show service is listening on port 9180 but maybe only on locahost. An "nmap" show only ssh port open. How to give access to the end user for a certificate request ? My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F". Thank for any help Philippe -------------- next part -------------- An HTML attachment was scrubbed... URL: From phr at adehis.be Fri Nov 27 23:44:16 2009 From: phr at adehis.be (Philippe Rodrigues) Date: Sat, 28 Nov 2009 00:44:16 +0100 Subject: [Pki-users] End user certificate request In-Reply-To: <150446754087724BA4B8F287083846B205B74345@AZ25EXM04.gddsi.com> References: <19CBC5648B8EBC40AF6D579613D99899EF53BF@thot.adehisnet.be> <150446754087724BA4B8F287083846B205B7433A@AZ25EXM04.gddsi.com> <19CBC5648B8EBC40AF6D579613D99899EF53C0@thot.adehisnet.be> <150446754087724BA4B8F287083846B205B74345@AZ25EXM04.gddsi.com> Message-ID: <19CBC5648B8EBC40AF6D579613D99899EF53C1@thot.adehisnet.be> Thanks Julius, I done a restart and I can access :-) All I've to say of this experience is that you need to adapt your firewall filters rules before starting all pki services regards of your topologie (see: http://www.redhat.com/docs/manuals/cert-system/8.0/deploy/html/index.html) Philippe ________________________________ De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] Envoy? : vendredi 27 novembre 2009 21:50 ? : Philippe Rodrigues; pki-users at redhat.com Objet : RE: [Pki-users] End user certificate request I would try https://my_pki:9443/ca/services make sure you restart ca after you have configured it. Infact the last screen during configuration ask you to restart CA. I have run into that sometimes--wondering why it's not working, but I only failed to restart CA after configuration. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: Philippe Rodrigues [mailto:phr at adehis.be] Sent: Friday, November 27, 2009 1:00 PM To: Adewumi, Julius-p99373; pki-users at redhat.com Subject: RE: [Pki-users] End user certificate request Julius, Thank for your answer Following result of pki-ca start, port 9180 is only accessible on http (see below) pki-ca (pid 2762) is running ... Unsecure Port = http://my_pki:9180/ca/ee/ca Secure Agent Port = https://my_pki:9443/ca/agent/ca Secure EE Port = https://my_pki:9444/ca/ee/ca Secure Admin Port = https://my_pki:9445/ca/services PKI Console Port = pkiconsole https://my_pki:9445/ca Tomcat Port = 9701 (for shutdown) You cannot access to the others ports from any other IP address. Is there a configuration to do for allowing access from outside ? Philippe ________________________________ De : Adewumi, Julius-p99373 [mailto:Julius.Adewumi at gdc4s.com] Envoy? : vendredi 27 novembre 2009 20:06 ? : Philippe Rodrigues; pki-users at redhat.com Objet : RE: [Pki-users] End user certificate request I believe you should access https: port. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Philippe Rodrigues Sent: Friday, November 27, 2009 10:57 AM To: pki-users at redhat.com Subject: [Pki-users] End user certificate request Hi all, Newbie, I'm testing pki features but end user cannot access http://server_ip:9180/ca/ee/ca for a certicate request. A "netstat -anp" show service is listening on port 9180 but maybe only on locahost. An "nmap" show only ssh port open. How to give access to the end user for a certificate request ? My configuration is F11 and all features are installed (ca,ra,..). I've flushed all filters "iptables -F". Thank for any help Philippe -------------- next part -------------- An HTML attachment was scrubbed... URL: