[Pki-users] (forwarded) Help needed on dogtag
John Dorovski
johndorovski at googlemail.com
Wed Nov 18 19:49:14 UTC 2009
I checked my server.xml file. It does not have clientAuth="agent".
They are all defaulted to clientAuth="true".
On Wed, Nov 18, 2009 at 1:23 PM, Chandrasekar Kannan <ckannan at redhat.com>wrote:
> On 11/18/2009 09:49 AM, Chandrasekar Kannan wrote:
>
> On 11/18/2009 09:38 AM, Adewumi, Julius-p99373 wrote:
>
> SSL_ERROR_BAD_MAC_ALERT -12272 "SSL peer reports incorrect Message
> Authentication Code."
>
> The remote system has reported that it received a message with a bad
> Message Authentication Code from the local system. This may indicate that an
> attack on that server is underway.
>
>
> *The trace shows "cipher-change-request" as last capture before Error
> reported.*
>
> **
>
>
> Just FYI. we noticed a similar message during dogtag 1.2.0
> development but with a different HSM(nethsm). That issue
> was fixed.
> https://bugzilla.redhat.com/show_bug.cgi?id=495597
>
> FWIW, we have never tried with the mentioned
> Safenet Protectserver Gold HSM....
>
>
>
> Can you check settings for this ..
>
> /var/lib/pki-ca/conf/server.xml
> Look for clientAuth="agent"
>
> If you see that can you replace that with
> clientAuth="true" and restart the CA
> and see if it addresses the bad mac problem..
>
>
>
>
>
> *From: Julius Adewumi*
> *@GDC4S.com*
> *Ph:480-441-6768*
> *Contract Corp:MTSI*
>
>
> ------------------------------
> *From:* John Dorovski [mailto:johndorovski at googlemail.com<johndorovski at googlemail.com>]
>
> *Sent:* Wednesday, November 18, 2009 7:34 AM
> *To:* Chandrasekar Kannan
> *Cc:* Adewumi, Julius-p99373; pki-users at redhat.com
> *Subject:* Re: [Pki-users] (forwarded) Help needed on dogtag
>
> Here are the two certs ssltap captured.
>
>
> On Wed, Nov 18, 2009 at 9:20 AM, John Dorovski <
> johndorovski at googlemail.com> wrote:
>
>> Here is my ssltap output:
>>
>> [root at rd1 linux-i386]# ssltap -sfxl localhost.localdomain:9545
>> <HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
>> <BODY><PRE>
>> Looking up "localhost.localdomain"...
>> Proxy socket ready and listening
>> <p><HR><H2>Connection #1 [Wed Nov 18 09:14:56 2009]
>> </H2>Connected to localhost.localdomain:9545
>> --> [
>> <font color=blue>(120 bytes of 115)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 00 73 | ....s
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 115 (0x73)
>> handshake {
>> 0: 01 00 00 6f | ...o
>> type = 1 (client_hello)
>> length = 111 (0x00006f)
>> ClientHelloV3 {
>> client_version = {3, 1}
>> random = {...}
>> 0: 4b 04 01 60 3e dd 86 f2 6c 26 cb 29 b3 a4 eb 26 |
>> K..`>...l&.)...&
>> 10: c0 17 f1 8e 24 0a 75 79 03 91 78 40 7b 58 5e 7b | ....$.uy..x@
>> {X^{
>> session ID = {
>> length = 0
>> contents = {...}
>> }
>> cipher_suites[18] = {
>> (0x0088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>> (0x0087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>> (0x0039) TLS/DHE-RSA/AES256-CBC/SHA
>> (0x0038) TLS/DHE-DSS/AES256-CBC/SHA
>> (0x0084) TLS/RSA/CAMELLIA256-CBC/SHA
>> (0x0035) TLS/RSA/AES256-CBC/SHA
>> (0x0045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>> (0x0044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>> (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
>> (0x0032) TLS/DHE-DSS/AES128-CBC/SHA
>> (0x0041) TLS/RSA/CAMELLIA128-CBC/SHA
>> (0x0004) SSL3/RSA/RC4-128/MD5
>> (0x0005) SSL3/RSA/RC4-128/SHA
>> (0x002f) TLS/RSA/AES128-CBC/SHA
>> (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>> (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>> (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>> (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
>> }
>> compression[1] = { 00 }
>> extensions[34] = {
>> extension type server_name, length [26] = {
>> 0: 00 18 00 00 15 6c 6f 63 61 6c 68 6f 73 74 2e 6c |
>> .....localhost.l
>> 10: 6f 63 61 6c 64 6f 6d 61 69 6e | ocaldomain
>> }
>> extension type session_ticket, length [0]
>> }
>> }
>> }
>> }
>> </font>]
>> <-- [
>> <font color=red>(1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 07 6a | ....j
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 1898 (0x76a)
>> handshake {
>> 0: 02 00 00 46 | ...F
>> type = 2 (server_hello)
>> length = 70 (0x000046)
>> ServerHello {
>> server_version = {3, 1}
>> random = {...}
>> 0: 4b 04 01 60 d1 86 09 69 01 8d c2 5e 1a 9c 99 16 |
>> K..`...i...^....
>> 10: de 0e bd 27 b6 c5 be 57 23 f1 1e 03 69 40 55 9d |
>> ...'...W#...i at U.
>> session ID = {
>> length = 32
>> contents = {...}
>> 0: 67 66 c6 7f f7 ac d6 98 45 f2 6d 9f c6 84 e1 df | gf.
>> ....E.m.....
>> 10: ff ff c0 87 d8 e9 97 f9 f6 37 8b 6e 09 d9 2b 25 |
>> .........7.n..+%
>> }
>> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>> compression method = 00
>> }
>> 0: 0b 00 07 18 | ....
>> type = 11 (certificate)
>> length = 1816 (0x000718)
>> CertificateChain {
>> chainlength = 1813 (0x0715)
>> Certificate {
>> size = 890 (0x037a)
>> data = { saved in file 'cert.001' }
>> }
>> Certificate {
>> size = 917 (0x0395)
>> data = { saved in file 'cert.002' }
>> }
>> }
>> 0: 0e 00 00 00 | ....
>> type = 14 (server_hello_done)
>> length = 0 (0x000000)
>> }
>> }
>> </font>]
>> --> [
>> <font color=blue>(310 bytes of 262, with 43 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 01 06 | .....
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 262 (0x106)
>> handshake {
>> 0: 10 00 01 02 | ....
>> type = 16 (client_key_exchange)
>> length = 258 (0x000102)
>> ClientKeyExchange {
>> message = {...}
>> }
>> }
>> }
>> (310 bytes of 1, with 37 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 14 03 01 00 01 | .....
>> type = 20 (change_cipher_spec)
>> version = { 3,1 }
>> length = 1 (0x1)
>> 0: 01 | .
>> }
>> (310 bytes of 32)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 01 00 20 | ....
>> type = 22 (handshake)
>> version = { 3,1 }
>> length = 32 (0x20)
>> < encrypted >
>> }
>> </font>]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 1 Complete [Wed Nov 18 09:14:56 2009]
>> <p><HR><H2>Connection #2 [Wed Nov 18 09:14:56 2009]
>> </H2>Connected to localhost.localdomain:9545
>> --> [
>> <font color=blue>recordLen = 81 bytes
>> (81 bytes of 81)
>> [Wed Nov 18 09:14:56 2009] [ssl2] ClientHelloV2 {
>> version = {0x03, 0x00}
>> cipher-specs-length = 54 (0x36)
>> sid-length = 0 (0x00)
>> challenge-length = 16 (0x10)
>> cipher-suites = {
>> (0x000088) TLS/DHE-RSA/CAMELLIA256-CBC/SHA
>> (0x000087) TLS/DHE-DSS/CAMELLIA256-CBC/SHA
>> (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
>> (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
>> (0x000084) TLS/RSA/CAMELLIA256-CBC/SHA
>> (0x000035) TLS/RSA/AES256-CBC/SHA
>> (0x000045) TLS/DHE-RSA/CAMELLIA128-CBC/SHA
>> (0x000044) TLS/DHE-DSS/CAMELLIA128-CBC/SHA
>> (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
>> (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
>> (0x000041) TLS/RSA/CAMELLIA128-CBC/SHA
>> (0x000004) SSL3/RSA/RC4-128/MD5
>> (0x000005) SSL3/RSA/RC4-128/SHA
>> (0x00002f) TLS/RSA/AES128-CBC/SHA
>> (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
>> (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
>> (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
>> (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
>> }
>> session-id = { }
>> challenge = { 0xde1b 0xaea2 0x262a 0xaae3 0x5135 0x4f6a 0x5742
>> 0xf716 }
>> }
>> </font>]
>> <-- [
>> <font color=red>(1903 bytes of 1898)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 00 07 6a | ....j
>> type = 22 (handshake)
>> version = { 3,0 }
>> length = 1898 (0x76a)
>> handshake {
>> 0: 02 00 00 46 | ...F
>> type = 2 (server_hello)
>> length = 70 (0x000046)
>> ServerHello {
>> server_version = {3, 0}
>> random = {...}
>> 0: 4b 04 01 60 55 ce 82 33 ab d7 da 7f bc 74 ed ca | K..`U..3...
>> .t..
>> 10: 1e f3 95 26 21 fa db ce 83 94 24 0a bc 4e 89 51 |
>> ...&!.....$..N.Q
>> session ID = {
>> length = 32
>> contents = {...}
>> 0: 67 66 50 ba 19 6d d9 38 7d 86 a9 e0 43 cb 57 0b |
>> gfP..m.8}...C.W.
>> 10: 19 d5 a7 e0 90 99 e5 78 03 f6 55 26 c4 f1 bc 03 |
>> .......x..U&....
>> }
>> cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
>> compression method = 00
>> }
>> 0: 0b 00 07 18 | ....
>> type = 11 (certificate)
>> length = 1816 (0x000718)
>> CertificateChain {
>> chainlength = 1813 (0x0715)
>> Certificate {
>> size = 890 (0x037a)
>> data = { saved in file 'cert.003' }
>> }
>> Certificate {
>> size = 917 (0x0395)
>> data = { saved in file 'cert.004' }
>> }
>> }
>> 0: 0e 00 00 00 | ....
>> type = 14 (server_hello_done)
>> length = 0 (0x000000)
>> }
>> }
>> </font>]
>> --> [
>> <font color=blue>(332 bytes of 260, with 67 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 00 01 04 | .....
>> type = 22 (handshake)
>> version = { 3,0 }
>> length = 260 (0x104)
>> handshake {
>> 0: 10 00 01 00 | ....
>> type = 16 (client_key_exchange)
>> length = 256 (0x000100)
>> ClientKeyExchange {
>> message = {...}
>> }
>> }
>> }
>> (332 bytes of 1, with 61 left over)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 14 03 00 00 01 | .....
>> type = 20 (change_cipher_spec)
>> version = { 3,0 }
>> length = 1 (0x1)
>> 0: 01 | .
>> }
>> (332 bytes of 56)
>> SSLRecord { [Wed Nov 18 09:14:56 2009]
>> 0: 16 03 00 00 38 | ....8
>> type = 22 (handshake)
>> version = { 3,0 }
>> length = 56 (0x38)
>> < encrypted >
>> }
>> </font>]
>> ssltap: Error -5961: TCP connection reset by peer.: error on server-side
>> socket.
>> Connection 2 Complete [Wed Nov 18 09:14:56 2009]
>>
>>
>>
>>
>> On Tue, Nov 17, 2009 at 7:21 PM, Chandrasekar Kannan <ckannan at redhat.com>wrote:
>>
>>> On 11/17/2009 01:09 PM, John Dorovski wrote:
>>>
>>> It was not a typo. I did use the port number 9545.
>>>
>>>
>>> Ok. one idea would be to run the utility "ssltap" as a proxy
>>> and using your browser to connect to the "ssltap" port and
>>> pasting the output here so folks can see what's happening
>>> during the SSL handshake.
>>> http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
>>>
>>>
>>> On a Fedora 10 system, its packaged with nss-tools rpm.
>>>
>>> Run ssltap like this...
>>>
>>> ssltap -sfxl CA_HOSTNAME:CA_PORT
>>>
>>> in your case, it will be
>>>
>>> ssltap -sfxl localhost:9545
>>>
>>> Then use a browser and connect to ssltap. ssltap
>>> listens on port 1924. So on the browser type..
>>>
>>> https://localhost.localdomain:1924
>>>
>>>
>>> ssltap will capture the results of the ssl handshake.
>>>
>>> Copy and paste it here so we can tell what's happening
>>> during that phase while you get the bad mac alert.
>>>
>>> Thanks,
>>> --Chandra
>>>
>>>
>>>
>>>
>>>
>>>
>>> John
>>>
>>> On Tue, Nov 17, 2009 at 3:51 PM, Adewumi, Julius-p99373 <
>>> Julius.Adewumi at gdc4s.com> wrote:
>>>
>>>>
>>>> Unless it's a typo on your part, the two port numbers are different...
>>>> Could that be the problem?
>>>> 8445 vs 9545
>>>>
>>>> From: Julius Adewumi
>>>> @GDC4S.com
>>>> Ph:480-441-6768
>>>> Contract Corp:MTSI
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com
>>>> ]
>>>> On Behalf Of Christina Fu
>>>> Sent: Tuesday, November 17, 2009 12:56 PM
>>>> To: pki-users at redhat.com
>>>> Cc: johndorovski at googlemail.com
>>>> Subject: [Pki-users] (forwarded) Help needed on dogtag
>>>>
>>>> I might have messed up when managing pki-users and this did not come
>>>> through. Hence the forward.
>>>> Christina
>>>>
>>>> Subject:
>>>> Help needed on dogtag
>>>> From:
>>>> John Dorovski <johndorovski at googlemail.com>
>>>> Date:
>>>> Tue, 17 Nov 2009 10:58:18 -0500
>>>>
>>>> To:
>>>> pki-users at redhat.com
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I just installed a dogtag (1.2.0) instance on my Fedora 10 system.
>>>> I used a SafeNet ProtectServer Gold HSM as keystore.
>>>> The dogtag system installation and configuration were fine. No error was
>>>> reported.
>>>> All keys and certificates were generated inside the HSM.
>>>>
>>>> But when I tried to access the secure admin interface at
>>>> https://localhost:localdomain:9545
>>>> I got error message:
>>>> Secure Connection Failed
>>>> An error occurred during a connection to localhost.localdomain:8445
>>>> SSL peer reports incorrect Message Authentication Code.
>>>> (Error code: ssl_error_bad_mac_alert)
>>>>
>>>> I checked the server certificate (viewed it with IE on a Windows box).
>>>> It seems fine.
>>>>
>>>> Does any body know what is wrong and how can I fix it?
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>>
>>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing listPki-users at redhat.comhttps://www.redhat.com/mailman/listinfo/pki-users
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20091118/54978db1/attachment.htm>
More information about the Pki-users
mailing list