[Pki-users] (forwarded) Help needed on dogtag

Adewumi, Julius-p99373 Julius.Adewumi at gdc4s.com
Wed Nov 18 17:38:05 UTC 2009


SSL_ERROR_BAD_MAC_ALERT	 -12272	 "SSL peer reports incorrect Message
Authentication Code." 

The remote system has reported that it received a message with a bad
Message Authentication Code from the local system. This may indicate
that an attack on that server is underway.

 

The trace shows "cipher-change-request" as last capture before Error
reported.

 

From: Julius Adewumi 
@GDC4S.com 
Ph:480-441-6768 
Contract Corp:MTSI 

 

________________________________

From: John Dorovski [mailto:johndorovski at googlemail.com] 
Sent: Wednesday, November 18, 2009 7:34 AM
To: Chandrasekar Kannan
Cc: Adewumi, Julius-p99373; pki-users at redhat.com
Subject: Re: [Pki-users] (forwarded) Help needed on dogtag


Here are the two certs ssltap captured.



On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski
<johndorovski at googlemail.com> wrote:


	Here is my ssltap output:
	
	[root@rd1 linux-i386]# ssltap -sfxl  localhost.localdomain:9545
	<HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
	<BODY><PRE>
	Looking up "localhost.localdomain"...
	Proxy socket ready and listening
	<p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]
	</H2>Connected to localhost.localdomain:9545
	--> [
	<font color=blue>(120 bytes of 115)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 00  73                                     | ....s
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 115 (0x73)
	   handshake {
	   0: 01 00 00 6f                                         | ...o
	      type = 1 (client_hello)
	      length = 111 (0x00006f)
	         ClientHelloV3 {
	            client_version = {3, 1}
	            random = {...}
	   0: 4b 04 01 60  3e dd 86 f2  6c 26 cb 29  b3 a4 eb 26  | K..`>...l&.)...&
	  10: c0 17 f1 8e  24 0a 75 79  03 91 78 40  7b 58 5e 7b  | ....$.uy..x@{X^{
	            session ID = {
	                length = 0
	                contents = {...}
	            }
	            cipher_suites[18] = { 
	                (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
	                (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
	                (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
	                (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
	                (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
	                (0x0035) TLS/RSA/AES256-CBC/SHA
	                (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
	                (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
	                (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
	                (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
	                (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
	                (0x0004) SSL3/RSA/RC4-128/MD5
	                (0x0005) SSL3/RSA/RC4-128/SHA
	                (0x002f) TLS/RSA/AES128-CBC/SHA
	                (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
	                (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
	                (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
	                (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
	            }
	            compression[1] = { 00 }
	            extensions[34] = {
	              extension type server_name, length [26] = {
	   0: 00 18 00 00  15 6c 6f 63  61 6c 68 6f  73 74 2e 6c  | .....localhost.l
	  10: 6f 63 61 6c  64 6f 6d 61  69 6e                     | ocaldomain
	              }
	              extension type session_ticket, length [0]
	            }
	         }
	   }
	}
	</font>]
	<-- [
	<font color=red>(1903 bytes of 1898)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 07  6a                                     | ....j
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 1898 (0x76a)
	   handshake {
	   0: 02 00 00 46                                         | ...F
	      type = 2 (server_hello)
	      length = 70 (0x000046)
	         ServerHello {
	            server_version = {3, 1}
	            random = {...}
	   0: 4b 04 01 60  d1 86 09 69  01 8d c2 5e  1a 9c 99 16  | K..`...i...^....
	  10: de 0e bd 27  b6 c5 be 57  23 f1 1e 03  69 40 55 9d  | ...'...W#...i@U.
	            session ID = {
	                length = 32
	                contents = {...}
	   0: 67 66 c6 7f  f7 ac d6 98  45 f2 6d 9f  c6 84 e1 df  | gf. ....E.m.....
	  10: ff ff c0 87  d8 e9 97 f9  f6 37 8b 6e  09 d9 2b 25  | .........7.n..+%
	            }
	            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
	            compression method = 00
	         }
	   0: 0b 00 07 18                                         | ....
	      type = 11 (certificate)
	      length = 1816 (0x000718)
	         CertificateChain {
	            chainlength = 1813 (0x0715)
	            Certificate {
	               size = 890 (0x037a)
	               data = { saved in file 'cert.001' }
	            }
	            Certificate {
	               size = 917 (0x0395)
	               data = { saved in file 'cert.002' }
	            }
	         }
	   0: 0e 00 00 00                                         | ....
	      type = 14 (server_hello_done)
	      length = 0 (0x000000)
	   }
	}
	</font>]
	--> [
	<font color=blue>(310 bytes of 262, with 43 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 01  06                                     | .....
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 262 (0x106)
	   handshake {
	   0: 10 00 01 02                                         | ....
	      type = 16 (client_key_exchange)
	      length = 258 (0x000102)
	         ClientKeyExchange {
	            message = {...}
	         }
	   }
	}
	(310 bytes of 1, with 37 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 14 03 01 00  01                                     | .....
	   type    = 20 (change_cipher_spec)
	   version = { 3,1 }
	   length  = 1 (0x1)
	   0: 01                                                  | .
	}
	(310 bytes of 32)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 01 00  20                                     | .... 
	   type    = 22 (handshake)
	   version = { 3,1 }
	   length  = 32 (0x20)
	            < encrypted >
	}
	</font>]
	ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket.
	Connection 1 Complete [Wed Nov 18 09:14:56 2009]
	<p><HR><H2>Connection #2 [Wed Nov 18 09:14:56 2009]
	</H2>Connected to localhost.localdomain:9545
	--> [
	<font color=blue>recordLen = 81 bytes
	(81 bytes of 81)
	 [Wed Nov 18 09:14:56 2009] [ssl2]  ClientHelloV2 {
	           version = {0x03, 0x00}
	           cipher-specs-length = 54 (0x36)
	           sid-length = 0 (0x00)
	           challenge-length = 16 (0x10)
	           cipher-suites = { 
	                (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
	                (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
	                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
	                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
	                (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
	                (0x000035) TLS/RSA/AES256-CBC/SHA
	                (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
	                (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
	                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
	                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
	                (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
	                (0x000004) SSL3/RSA/RC4-128/MD5
	                (0x000005) SSL3/RSA/RC4-128/SHA
	                (0x00002f) TLS/RSA/AES128-CBC/SHA
	                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
	                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
	                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
	                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
	                }
	           session-id = { }
	           challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742 0xf716 }
	}
	</font>]
	<-- [
	<font color=red>(1903 bytes of 1898)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 00 07  6a                                     | ....j
	   type    = 22 (handshake)
	   version = { 3,0 }
	   length  = 1898 (0x76a)
	   handshake {
	   0: 02 00 00 46                                         | ...F
	      type = 2 (server_hello)
	      length = 70 (0x000046)
	         ServerHello {
	            server_version = {3, 0}
	            random = {...}
	   0: 4b 04 01 60  55 ce 82 33  ab d7 da 7f  bc 74 ed ca  | K..`U..3... .t..
	  10: 1e f3 95 26  21 fa db ce  83 94 24 0a  bc 4e 89 51  | ...&!.....$..N.Q
	            session ID = {
	                length = 32
	                contents = {...}
	   0: 67 66 50 ba  19 6d d9 38  7d 86 a9 e0  43 cb 57 0b  | gfP..m.8}...C.W.
	  10: 19 d5 a7 e0  90 99 e5 78  03 f6 55 26  c4 f1 bc 03  | .......x..U&....
	            }
	            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
	            compression method = 00
	         }
	   0: 0b 00 07 18                                         | ....
	      type = 11 (certificate)
	      length = 1816 (0x000718)
	         CertificateChain {
	            chainlength = 1813 (0x0715)
	            Certificate {
	               size = 890 (0x037a)
	               data = { saved in file 'cert.003' }
	            }
	            Certificate {
	               size = 917 (0x0395)
	               data = { saved in file 'cert.004' }
	            }
	         }
	   0: 0e 00 00 00                                         | ....
	      type = 14 (server_hello_done)
	      length = 0 (0x000000)
	   }
	}
	</font>]
	--> [
	<font color=blue>(332 bytes of 260, with 67 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 00 01  04                                     | .....
	   type    = 22 (handshake)
	   version = { 3,0 }
	   length  = 260 (0x104)
	   handshake {
	   0: 10 00 01 00                                         | ....
	      type = 16 (client_key_exchange)
	      length = 256 (0x000100)
	         ClientKeyExchange {
	            message = {...}
	         }
	   }
	}
	(332 bytes of 1, with 61 left over)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 14 03 00 00  01                                     | .....
	   type    = 20 (change_cipher_spec)
	   version = { 3,0 }
	   length  = 1 (0x1)
	   0: 01                                                  | .
	}
	(332 bytes of 56)
	SSLRecord { [Wed Nov 18 09:14:56 2009]
	   0: 16 03 00 00  38                                     | ....8
	   type    = 22 (handshake)
	   version = { 3,0 }
	   length  = 56 (0x38)
	            < encrypted >
	}
	</font>]
	ssltap: Error -5961: TCP connection reset by peer.: error on server-side socket.
	Connection 2 Complete [Wed Nov 18 09:14:56 2009] 




	On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan <ckannan at redhat.com> wrote:
	

		On 11/17/2009 01:09 PM, John Dorovski wrote: 

			It was not a typo. I did use the port number 9545.
			


		Ok. one idea would be to run the utility "ssltap" as a proxy
		and using your browser to connect to the "ssltap" port and
		pasting the output here so folks can see what's happening
		during the SSL handshake.
		
		http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
		
		
		On a Fedora 10 system, it's packaged with nss-tools rpm.
		
		Run ssltap like this...
		
		ssltap -sfxl CA_HOSTNAME:CA_PORT
		
		in your case, it will be 
		
		ssltap -sfxl localhost:9545
		
		Then use a browser and connect to ssltap. ssltap
		listens on port 1924. So on the browser type..
		
		 https://localhost.localdomain:1924
		
		
		ssltap will capture the results of the ssl handshake. 
		
		Copy and paste it here so we can tell what's happening
		during that phase while you get the bad mac alert.
		
		Thanks,
		--Chandra 







			John
			
			
			On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <Julius.Adewumi at gdc4s.com> wrote:
			
				Unless it's a typo on your part, the two port numbers are different...
				Could that be the problem?
				8445  vs 9545
				
				From: Julius Adewumi
				@GDC4S.com
				Ph:480-441-6768
				Contract Corp:MTSI
				


				-----Original Message-----
				From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com]
				On Behalf Of Christina Fu
				Sent: Tuesday, November 17, 2009 12:56 PM
				To: pki-users at redhat.com
				Cc: johndorovski at googlemail.com
				Subject: [Pki-users] (forwarded) Help needed on dogtag
				
				I might have messed up when managing pki-users and this did not come
				through.  Hence the forward.
				Christina
				
				Subject: Help needed on dogtag
				From: John Dorovski <johndorovski at googlemail.com>
				Date: Tue, 17 Nov 2009 10:58:18 -0500
				To: pki-users at redhat.com
				
				
				Hi,
				
				I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
				I used a SafeNet ProtectServer Gold HSM as keystore.
				The dogtag system installation and configuration were fine. No error was
				reported.
				All keys and certificates were generated inside the HSM.
				
				But when I tried to access the secure admin interface at
				    https://localhost:localdomain:9545
				I got error message:
				   Secure Connection Failed
				   An error occurred during a connection to localhost.localdomain:8445
				   SSL peer reports incorrect Message Authentication Code.
				   (Error code: ssl_error_bad_mac_alert)
				
				I checked the server certificate (viewed it with IE on a Windows box).
				It seems fine.
				
				Does anybody know what is wrong and how can I fix it?
				
				Thanks,
				
				John
				
	
_______________________________________________
				Pki-users mailing list
				Pki-users at redhat.com
	
https://www.redhat.com/mailman/listinfo/pki-users
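
Added example (not part of the original thread, and not NSS or Dogtag code): the record headers from the ssltap trace above, decoded to show that each connection was reset right after the client's first record sent under the negotiated keys, and that this record's length matches a Finished message plus a 16-byte MD5 MAC for the RC4-128/MD5 suite the server chose. The function and constant names are this example's own.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Finished plaintext: 4-byte handshake header + 12 bytes (TLS 1.0) or 36 bytes (SSL 3.0).
FINISHED_PLAINTEXT = {(3, 1): 4 + 12, (3, 0): 4 + 36}
MD5_MAC_LEN = 16  # RC4-128/MD5 is a stream suite: ciphertext = plaintext + MAC, no padding

# Record headers copied from the ssltap trace in this thread ("C" = client to server,
# "S" = server to client). The SSLv2-format hello of connection #2 has no such header.
CONNECTION_1 = [("C", "16 03 01 00 73"), ("S", "16 03 01 07 6a"),
                ("C", "16 03 01 01 06"), ("C", "14 03 01 00 01"),
                ("C", "16 03 01 00 20")]
CONNECTION_2 = [("S", "16 03 00 07 6a"), ("C", "16 03 00 01 04"),
                ("C", "14 03 00 00 01"), ("C", "16 03 00 00 38")]


def parse_header(hex_bytes):
    """Decode a 5-byte SSL/TLS record header: content type, version, length."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 5:
        raise ValueError("record header must be exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", raw)
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}


def last_record_before_reset(records, mac_len=MD5_MAC_LEN):
    """Describe the final record of a trace that ended in a connection reset."""
    ccs_sent = set()  # senders that have already sent change_cipher_spec
    last = None
    for sender, hex_bytes in records:
        rec = parse_header(hex_bytes)
        rec["sender"] = sender
        rec["protected"] = sender in ccs_sent  # sent under the negotiated keys
        if rec["type"] == "change_cipher_spec":
            ccs_sent.add(sender)
        last = rec
    if last is None:
        raise ValueError("empty trace")
    expected = FINISHED_PLAINTEXT.get(last["version"], 0) + mac_len
    last["looks_like_finished"] = (last["protected"] and last["type"] == "handshake"
                                   and last["length"] == expected)
    return last


if __name__ == "__main__":
    for name, trace in (("#1", CONNECTION_1), ("#2", CONNECTION_2)):
        print(name, last_record_before_reset(trace))
```

In both connections the server never answers with its own change_cipher_spec, so the failure is on the server's check of the first client record protected by the new keys.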
				


			