[Pki-users] (forwarded) Help needed on dogtag
John Dorovski
johndorovski at googlemail.com
Wed Nov 18 19:40:43 UTC 2009
I found the error code from Mozilla site also.
I am not sure that is the case.
Since I installed dogtag on two separate systems with the exact
configuration.
The systems were all installed with brand new OS (Fedora 10).
One system even unplugged from internet after dogtag was installed.
They all got the exact same error.
On Wed, Nov 18, 2009 at 12:38 PM, Adewumi, Julius-p99373 <
Julius.Adewumi at gdc4s.com> wrote:
> SSL_ERROR_BAD_MAC_ALERT -12272
> "SSL peer reports incorrect Message Authentication Code."
>
> The remote system has reported that it received a message with a bad
> Message Authentication Code from the local system. This may indicate that an
> attack on that server is underway.
>
>
> *The trace shows "cipher-change-request" as last capture before Error
> reported.*
>
> **
>
> *From: Julius Adewumi*
> *@GDC4S.com*
> *Ph:480-441-6768*
> *Contract Corp:MTSI*
>
>
> ------------------------------
> *From:* John Dorovski [mailto:johndorovski at googlemail.com]
> *Sent:* Wednesday, November 18, 2009 7:34 AM
> *To:* Chandrasekar Kannan
> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com
> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag
>
> Here are the two certs ssltap captured.
>
>
> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <
> johndorovski at googlemail.com> wrote:
>
>> Here is my ssltap output:
>>
>> [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545
>> <HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
>> <BODY><PRE>
>> Looking up "localhost.localdomain"...
>> Proxy socket ready and listening
>> <p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]
>> </H2>Connected to localhost.localdomain:9545
>> --> [
>> <font color=blue>(120 bytes of 115)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 00 73 | ....s
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 115 (0x73)
>> handshake {
>> 0: 01 00 00 6f | ...o
>> type = 1 (client_hello)
>> length = 111 (0x00006f)
>> ClientHelloV3 {
>> client_version = {3, 1}
>> random = {...}
>> 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 |
>> K..`>...l&.)...&
>> 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@
>> {X^{
>> session ID = {
>> length = 0
>> contents = {...}
>> }
>> cipher_suites[18] = {
>> (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>> (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>> (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>> (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>> (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>> (0x0035) TLS/RSA/AES256-CBC/SHA
>> (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>> (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>> (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>> (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>> (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>> (0x0004) SSL3/RSA/RC4-128/MD5
>> (0x0005) SSL3/RSA/RC4-128/SHA
>> (0x002f) TLS/RSA/AES128-CBC/SHA
>> (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>> (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>> (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>> (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>> }
>> compression[1] = { 00 }
>> extensions[34] = {
>> extension type server_name, length [26] = {
>> 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c |
>> .....localhost.l
>> 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain
>> }
>> extension type session_ticket, length [0]
>> }
>> }
>> }
>> }
>> </font>]
>> <-- [
>> <font color=red>(1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 07 6a | ....j
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 1898 (0x76a)
>> handshake {
>> 0: 02 00 00 46 | ...F
>> type = 2 (server_hello)
>> length = 70 (0x000046)
>> ServerHello {
>> server_version = {3, 1}
>> random = {...}
>> 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 |
>> K..`...i...^....
>> 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d |
>> ...'...W#...i at U.
>> session ID = {
>> length = 32
>> contents = {...}
>> 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf.
>> ....E.m.....
>> 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 |
>> .........7.n..+%
>> }
>> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>> compression method = 00
>> }
>> 0: 0b 00 07 18 | ....
>> type = 11 (certificate)
>> length = 1816 (0x000718)
>> CertificateChain {
>> chainlength = 1813 (0x0715)
>> Certificate {
>> size = 890 (0x037a)
>> data = { saved in file 'cert.001' }
>> }
>> Certificate {
>> size = 917 (0x0395)
>> data = { saved in file 'cert.002' }
>> }
>> }
>> 0: 0e 00 00 00 | ....
>> type = 14 (server_hello_done)
>> length = 0 (0x000000)
>> }
>> }
>> </font>]
>> --> [
>> <font color=blue>(310 bytes of 262, with 43 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 01 06 | .....
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 262 (0x106)
>> handshake {
>> 0: 10 00 01 02 | ....
>> type = 16 (client_key_exchange)
>> length = 258 (0x000102)
>> ClientKeyExchange {
>> message = {...}
>> }
>> }
>> }
>> (310 bytes of 1, with 37 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 14 03 01 00 01 | .....
>> type = 20 (change_cipher_spec)
>> version = { 3,1 }
>> length = 1 (0x1)
>> 0: 01 | .
>> }
>> (310 bytes of 32)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 00 20 | ....
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 32 (0x20)
>> < encrypted >
>> }
>> </font>]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 1 Complete [Wed Nov 18 09:14:56 2009]
>> <p><HR><H2>Connection #2 [Wed Nov 18 09:14:56 2009]
>> </H2>Connected to localhost.localdomain:9545
>> --> [
>> <font color=blue>recordLen = 81 bytes
>> (81 bytes of 81)
>> [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 {
>> version = {0x03, 0x00}
>> cipher-specs-length = 54 (0x36)
>> sid-length = 0 (0x00)
>> challenge-length = 16 (0x10)
>> cipher-suites = {
>> (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>> (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>> (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>> (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>> (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>> (0x000035) TLS/RSA/AES256-CBC/SHA
>> (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>> (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>> (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>> (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>> (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>> (0x000004) SSL3/RSA/RC4-128/MD5
>> (0x000005) SSL3/RSA/RC4-128/SHA
>> (0x00002f) TLS/RSA/AES128-CBC/SHA
>> (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>> (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>> (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>> (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>> }
>> session-id = { }
>> challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
>> 0xf716 }
>> }
>> </font>]
>> <-- [
>> <font color=red>(1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 00 07 6a | ....j
>> type = 22 (handshake)
>> version = { 3,0 }
>> length = 1898 (0x76a)
>> handshake {
>> 0: 02 00 00 46 | ...F
>> type = 2 (server_hello)
>> length = 70 (0x000046)
>> ServerHello {
>> server_version = {3, 0}
>> random = {...}
>> 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3...
>> .t..
>> 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 |
>> ...&!.....$..N.Q
>> session ID = {
>> length = 32
>> contents = {...}
>> 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b |
>> gfP..m.8}...C.W.
>> 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 |
>> .......x..U&....
>> }
>> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>> compression method = 00
>> }
>> 0: 0b 00 07 18 | ....
>> type = 11 (certificate)
>> length = 1816 (0x000718)
>> CertificateChain {
>> chainlength = 1813 (0x0715)
>> Certificate {
>> size = 890 (0x037a)
>> data = { saved in file 'cert.003' }
>> }
>> Certificate {
>> size = 917 (0x0395)
>> data = { saved in file 'cert.004' }
>> }
>> }
>> 0: 0e 00 00 00 | ....
>> type = 14 (server_hello_done)
>> length = 0 (0x000000)
>> }
>> }
>> </font>]
>> --> [
>> <font color=blue>(332 bytes of 260, with 67 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 00 01 04 | .....
>> type = 22 (handshake)
>> version = { 3,0 }
>> length = 260 (0x104)
>> handshake {
>> 0: 10 00 01 00 | ....
>> type = 16 (client_key_exchange)
>> length = 256 (0x000100)
>> ClientKeyExchange {
>> message = {...}
>> }
>> }
>> }
>> (332 bytes of 1, with 61 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 14 03 00 00 01 | .....
>> type = 20 (change_cipher_spec)
>> version = { 3,0 }
>> length = 1 (0x1)
>> 0: 01 | .
>> }
>> (332 bytes of 56)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 00 00 38 | ....8
>> type = 22 (handshake)
>> version = { 3,0 }
>> length = 56 (0x38)
>> < encrypted >
>> }
>> </font>]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>>
>>
>>
>>
>> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan <ckannan at redhat.com>wrote:
>>
>>> On 11/17/2009 01:09 PM, John Dorovski wrote:
>>>
>>> It was not a typo. I did use the port number 9545.
>>>
>>>
>>> Ok. one idea would be to run the utility "ssltap" as a proxy
>>> and using your browser to connect to the "ssltap" port and
>>> pasting the output here so folks can see what's happening
>>> during the SSL handshake.
>>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>>>
>>>
>>> On a Fedora 10 system, its packaged with nss-tools rpm.
>>>
>>> Run ssltap like this...
>>>
>>> ssltap -sfxl CA_HOSTNAME:CA_PORT
>>>
>>> in your case, it will be
>>>
>>> ssltap -sfxl localhost:9545
>>>
>>> Then use a browser and connect to ssltap. ssltap
>>> listens on port 1924. So on the browser type..
>>>
>>> https://localhost.localdomain:1924
>>>
>>>
>>> ssltap will capture the results of the ssl handshake.
>>>
>>> Copy and paste it here so we can tell what's happening
>>> during that phase while you get the bad mac alert.
>>>
>>> Thanks,
>>> --Chandra
>>>
>>>
>>>
>>>
>>>
>>>
>>> John
>>>
>>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <
>>> Julius.Adewumi at gdc4s.com> wrote:
>>>
>>>>
>>>> Unless it's a typo on your part, the two port numbers are different...
>>>> Could that be the problem?
>>>> 8445 vs 9545
>>>>
>>>> From: Julius Adewumi
>>>> @GDC4S.com
>>>> Ph:480-441-6768
>>>> Contract Corp:MTSI
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com
>>>> ]
>>>> On Behalf Of Christina Fu
>>>> Sent: Tuesday, November 17, 2009 12:56 PM
>>>> To: pki-users at redhat.com
>>>> Cc: johndorovski at googlemail.com
>>>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>>>
>>>> I might have messed up when managing pki-users and this did not come
>>>> through. Hence the forward.
>>>> Christina
>>>>
>>>> Subject:
>>>> Help needed on dogtag
>>>> From:
>>>> John Dorovski <johndorovski at googlemail.com>
>>>> Date:
>>>> Tue, 17 Nov 2009 10:58:18 -0500
>>>>
>>>> To:
>>>> pki-users at redhat.com
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>>>> I used a SafeNet ProtectServer Gold HSM as keystore.
>>>> The dogtag system installation and configuration were fine. No error was
>>>> reported.
>>>> All keys and certificates were generated inside the HSM.
>>>>
>>>> But when I tried to access the secure admin interface at
>>>> https://localhost:localdomain:9545
>>>> I got error message:
>>>> Secure Connection Failed
>>>> An error occurred during a connection to localhost.localdomain:8445
>>>> SSL peer reports incorrect Message Authentication Code.
>>>> (Error code: ssl_error_bad_mac_alert)
>>>>
>>>> I checked the server certificate (viewed it with IE on a Windows box).
>>>> It seems fine.
>>>>
>>>> Does any body know what is wrong and how can I fix it?
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20091118/7aefa9b8/attachment.htm>
More information about the Pki-users
mailing list