Closed leonel-santos closed 5 years ago
Hello, sorry for the late response. This seems like an issue with the certificate. Could you provide commands that were used to generate those certificates and keys so that we can replicate the issue?
Thanks for your reply.
We are using a private certificate authority. We used Easy-RSA (https://github.com/OpenVPN/easy-rsa) scripts to generate a pki solution. After CA key and CA certificate generation, we generate PEM key pairs (private key + public certificate signed by our CA) for the YAF (ipfix exporter) and IPFIXCOL (ipfix collector).
We used openssl’s s_server and s_client to test both YAF and ipfixcol with the certificates/keys generated. YAF properly connects to openssl’s s_server and openssl validates the client certificate properly. Ipfix is successfully passed through the encrypted socket. However, openssl’s s_client cannot successfully connect to ipfixcol’s server.
We hope you could help us to overcome this question. Thank you!
Sorry, we forgot the commands.

```
./easyrsa init-pki                 # create PKI directories
./easyrsa build-ca                 # create CA key pair and self-signed certificate

./easyrsa gen-req IPFIXCOL nopass  # create a key pair for IPFIXCOL
./easyrsa sign-req server IPFIXCOL # sign public key of IPFIXCOL and create the digital certificate

./easyrsa gen-req YAF nopass       # create a key pair for YAF
./easyrsa sign-req client YAF      # sign public key of YAF and create the digital certificate
```
Hello,
first of all, thank you for the commands. They are really helpful and I was able to use them to reproduce the bug. I also managed to fix it (sort of); however, it looks like I ran into another issue. It looks like `yaf` doesn't work properly (at least in my case).

When the exporter is connected to the collector, the collector rejects a new connection with the following error: `error:1408F10B:SSL routines:ssl3_get_record:wrong version number`. I'm surprisingly getting the same error message when I replace IPFIXcol with openssl's s_server, but in the post above you mentioned that it works. Therefore, I think it is possible that there is a bug in `openssl` or `yaf`.

Can you provide the version of your openssl library and yaf exporter? I would like to test the patch against the same versions as in your case.

```
openssl version
yaf --version
```

Lukas
Hello!
We never get that kind of error message. Here are the outputs of the commands mentioned:

```
$ rpm -q centos-release
centos-release-7-5.1804.5.el7.centos.x86_64

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

$ yaf --version
yaf version 2.10.0
Build Configuration:
- Timezone support:             UTC
- Fixbuf version:               2.1.0
- DAG support:                  NO
- Napatech support:             NO
- Netronome support:            NO
- Bivio support:                NO
- PFRING support:               YES
- Compact IPv4 support:         NO
- Plugin support:               NO
- Application Labeling:         NO
- Payload Processing Support:   YES
- Entropy support:              NO
- Fingerprint Export Support:   NO
- P0F Support:                  NO
- Spread Support:               NO
- MPLS Support:                 NO
- Non-IP Support:               NO
- Separate Interface Support:   YES
- nDPI Support:                 NO
- IE Metadata Export:           YES
(c) 2000-2017 Carnegie Mellon University.
GNU General Public License (GPL) Rights pursuant to Version 2, June 1991
Some included library code covered by LGPL 2.1; see source for details.
Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013
Send bug reports, feature requests, and comments to netsa-help@cert.org.
```
We take the opportunity to show you the output of the command openssl s_client trying to connect to ipfixcol:
```
openssl s_client -connect 192.168.126.135:4740 -key pki/private/yaf.key -cert pki/issued/yaf.crt -CAfile pki/ca.crt
```

Output of the previous command:

```
CONNECTED(00000003)
depth=1 CN = 192.168.126.135
verify return:1
depth=0 CN = 192.168.126.135
verify return:1
139626967332752:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48
139626967332752:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=192.168.126.135
   i:/CN=192.168.126.135
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIRAPfJVGy3or3/DOsFKC+Ri8kwDQYJKoZIhvcNAQELBQAw
GjEYMBYGA1UEAwwPMTkyLjE2OC4xMjYuMTM1MB4XDTE4MTAyOTE2MzQ0NVoXDTI4
MTAyNjE2MzQ0NVowGjEYMBYGA1UEAwwPMTkyLjE2OC4xMjYuMTM1MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzMDBe5Fbk8YITu8L/op87lKL2zYPHpxK
sRsU+NusiaaLa9PskYOe7O+6/uN8YhqRZ7QuN379XSKmQ85UMJ+mMZeneRewJVOq
WYeyFYy2jU4U+uI3Qn+CLMxFB5e65tBFBqtc8c1pYerOkVzYXQcjDKMUVG8Y+UpF
Xq5OK0mXEPCyEQhqJotq8X6Z98MIhWHzuOe2qMu13Nzch1gXj4KFR2ARAmMjMBAu
Kh19OK5D2B3ULrbwqXrw5HlDbVkPqYkJ0B00G/4lZJWLJDwzdfRlsxDn0D4129yI
8K+8AJIYrrG9yDtamO0yvOl89wJSmzAi/mdduaEmekgInsW4ZBynGwIDAQABo4G3
MIG0MAkGA1UdEwQCMAAwHQYDVR0OBBYEFCmJ979RnDsLJ4i88BkFuPbYDwqkMEoG
A1UdIwRDMEGAFI9gO9CB7t7jOPjOM5+RWgJIKd6+oR6kHDAaMRgwFgYDVQQDDA8x
OTIuMTY4LjEyNi4xMzWCCQCiUSiMIhRNFjATBgNVHSUEDDAKBggrBgEFBQcDATAL
BgNVHQ8EBAMCBaAwGgYDVR0RBBMwEYIPMTkyLjE2OC4xMjYuMTM1MA0GCSqGSIb3
DQEBCwUAA4IBAQApBpDjy3UnToWcCKEvfTtZYWCDGBYx9lBu6IcDQdGBhCsz53eG
Z1io7OqrhBYxcwXZtF/TWnrrVkP3gU6WGMKgQW/KKLgSUvXISuL42iV1KjljXdWC
c5CtJsQmuOKi3XA9cDg8SuOvPU3liWBl6VRubjCMQBVXTukYH7qLyEvBUlLUnA7Y
U6SWk9zKDe8vjgdiqWR/vZhtVG4hAv4qBVlzKKJ/veCpYNo3l9k1lqtJGkkTcYPJ
ZtZfrrWz0OEy7aBRoiS4OdU9J0/44aUVzfDIYC0MuOUAJAW95CEd93zdxF9xEHfE
ziOmlz6h3rI9VJ49vkPUl6pPPz8gGnrnyodi
-----END CERTIFICATE-----
subject=/CN=192.168.126.135
issuer=/CN=192.168.126.135
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 995 bytes and written 2304 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 0A8D06511EB0FC9A65D028FAE13AB93B1A2DB0647A63FEFBB29DA4F8F731803CE27E9B342BFD7216DAC38670B0D5A7DD
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1542654367
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
(--process terminate!--)
```
Once again, thanks for your help!
The bug should be fixed by e8ac2c512b7ffebefc2a81dc9ebda5f25c7b5ecd. Could you rebuild the collector from the `devel` branch and try it?

By the way, I also discovered the reason why I got the error message `error:1408F10B:SSL routines:ssl3_get_record:wrong version number`. It was a really stupid mistake. I passed all TLS arguments to `yaf` (`--tls-ca`, `--tls-key`, `--tls-cert`) except `--tls`. Therefore, TLS was disabled and the collector was receiving unencrypted IPFIX messages on an SSL socket.

Lukas
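The two handshake failures in this thread look different from the collector's side, and a small diagnostic makes the distinction concrete. The following is an added example written for this discussion, not IPFIXcol or yaf code. It inspects the first bytes a TLS-enabled collector socket receives and separates (a) a plaintext IPFIX message arriving on a TLS socket, which OpenSSL reports as `ssl3_get_record:wrong version number` when the exporter runs without `--tls`, from (b) a fatal TLS alert such as number 48 (`unknown_ca`), the alert the `s_client` output above received from the collector, which means the peer could not chain the presented certificate to a CA it trusts. The record layouts come from RFC 5246 (TLS) and RFC 7011 (IPFIX); all sample byte strings are constructed for the example.

```python
"""Diagnose the first record a TLS-enabled IPFIX collector sees on a new connection.

Added example for this issue thread; not IPFIXcol or yaf code. Sample bytes are constructed.
"""
import struct

TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16
IPFIX_VERSION = 10            # RFC 7011 message header version field
IPFIX_HEADER_LEN = 16

# RFC 5246 alert descriptions relevant to certificate problems.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
}


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-handshake', 'tls-alert', 'ipfix' or 'unknown' for a stream prefix."""
    if len(data) < 5:
        return "unknown"
    # TLS record header: content type (1), version major/minor (2), length (2).
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if major == 3 and minor <= 4:
        if ctype == TLS_HANDSHAKE:
            return "tls-handshake"
        if ctype == TLS_ALERT:
            return "tls-alert"
    # IPFIX message header: version (2), length (2), export time (4),
    # sequence number (4), observation domain id (4) = 16 bytes.
    version, msg_len = struct.unpack("!HH", data[:4])
    if version == IPFIX_VERSION and msg_len >= IPFIX_HEADER_LEN:
        return "ipfix"
    return "unknown"


def decode_alert(data: bytes):
    """Return (level_name, description_name) for a TLS alert record, else None."""
    if classify_first_bytes(data) != "tls-alert" or len(data) < 7:
        return None
    level, desc = data[5], data[6]
    level_name = {1: "warning", 2: "fatal"}.get(level, "unknown")
    return level_name, ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")


def diagnose(data: bytes) -> str:
    """Explain, in one line, what the first record on the wire means for the collector."""
    kind = classify_first_bytes(data)
    if kind == "tls-handshake":
        return "TLS ClientHello received; exporter is using TLS"
    if kind == "ipfix":
        # OpenSSL reads bytes 1-2 of the record as the protocol version. For an
        # IPFIX header those are the low byte of the version (0x0a) and the high
        # byte of the length, never 0x03xx, hence "wrong version number".
        seen = f"0x{data[1]:02x}{data[2]:02x}"
        return (f"plaintext IPFIX on a TLS socket (record version {seen} is not "
                "0x03xx); exporter probably started without --tls")
    if kind == "tls-alert":
        level, name = decode_alert(data)
        hint = ""
        if name == "unknown_ca":
            hint = ("; peer cannot chain our certificate to a CA it trusts "
                    "(compare the CA file given to the collector with the one that signed the exporter cert)")
        return f"TLS {level} alert {name}{hint}"
    return "unrecognised stream"


# Constructed samples (not captured traffic); only record headers need to be exact.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c5") + b"\x01\x00\x00\xc1\x03\x03" + b"\x00" * 32
SAMPLE_PLAINTEXT_IPFIX = struct.pack("!HHIII", IPFIX_VERSION, IPFIX_HEADER_LEN,
                                     1542654367, 1, 0)
SAMPLE_UNKNOWN_CA_ALERT = bytes([TLS_ALERT, 0x03, 0x01, 0x00, 0x02, 0x02, 48])

if __name__ == "__main__":
    for label, sample in [("client hello", SAMPLE_CLIENT_HELLO),
                          ("plaintext ipfix", SAMPLE_PLAINTEXT_IPFIX),
                          ("alert 48", SAMPLE_UNKNOWN_CA_ALERT)]:
        print(f"{label:16s} -> {diagnose(sample)}")
```

Feeding the first bytes of a rejected connection (for example from a packet capture on port 4740) into `diagnose()` tells you which of the two fixes applies: add `--tls` on the exporter, or align the CA file the collector verifies against with the CA that issued the exporter's certificate.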
I apologize for the late reply.

I rebuilt the collector from the `devel` branch and tried it with success!

Thanks for your help!
Hello.

I'm trying to use the TCP collector with TLS support and have configured startup.xml like this:

But when I try to connect YAF with the --tls options to this IPFIXCOL collector, the verbose output of IPFIXCOL shows the following messages:

The YAF command used:

The verbose output of the YAF command is:

Could you help me solve this issue? Thanks in advance!