CESNET / libnetconf

C NETCONF library

How to specify Netconf TLS certificates on the server side #182

Closed mukundanaresh closed 8 years ago

mukundanaresh commented 8 years ago

Hi All,

I have generated and installed certificates under the /etc/ssl/certs/ directory in Linux:

  [root@virtualbox certs]# pwd
  /etc/ssl/certs
  [root@virtualbox certs]# ls
  ca.crt ca.key ca.pem client.crt client.csr client.key server.crt server.csr server.key

I understand that this XML file, netopeer/build/server/config/datastore.xml, is used for the TLS certificate information.

  1. Is this XML file auto-generated, or is it updated manually with the cert info and maps?
  2. I get a failure at the cert_to_name mapping when trying to connect to the NC server with netopeer-cli, with the error below.

  CL08150:Apr 6 16:30:56 virtualbox netopeer-cli: NETCONF[] [mdc@644 class="tls.c:nc_tls_init:192" level="DEB " number="0" thread="32076" time="99755.495" addinfo="misc-d"] - TLS subsystem reinitiation. Resetting certificates settings
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify: depth 1
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify: subject: /C=XX/L=Default City/O=Default Company Ltd/CN=rootca
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify: issuer: /C=XX/L=Default City/O=Default Company Ltd/CN=rootca
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: tls_cert_to_name: unknown fingerprint algorithm used (9a:cc:f6:94:90:04:e9:23:a0:32:39:ce:2c:f4:e2:5f:93:b7:db:da), skipping
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: tls_cert_to_name: unknown fingerprint algorithm used (43:61:c9:fa:ee:68:ca:1a:11:7f:73:2c:ea:83:60:42:ae:1b:c2:8a), skipping
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify CTN: cert fail: cert-to-name will continue on the next cert in chain
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify: depth 0
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify: subject: /C=XX/L=Default City/O=Default Company Ltd/CN=client
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert verify: issuer: /C=XX/L=Default City/O=Default Company Ltd/CN=rootca
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: tls_cert_to_name: unknown fingerprint algorithm used (9a:cc:f6:94:90:04:e9:23:a0:32:39:ce:2c:f4:e2:5f:93:b7:db:da), skipping
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: tls_cert_to_name: unknown fingerprint algorithm used (43:61:c9:fa:ee:68:ca:1a:11:7f:73:2c:ea:83:60:42:ae:1b:c2:8a), skipping
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: Cert-to-name unsuccessful, dropping the new client.
  CL08150:Apr 6 16:30:56 virtualbox netopeer-server[302]: TLS accept failed (no certificate returned).
  CL08150:Apr 6 16:30:56 virtualbox netopeer-cli: NETCONF[] [mdc@644 class="tls.c:nc_session_connect_tls_socket:342" level="ERR " number="0" thread="32076" time="99755.526"] - Connecting over TLS failed (sslv3 alert handshake failure).

Please find the attachments: datastore.zip, certs.zip

Regards, mukund
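The "unknown fingerprint algorithm used (9a:cc:...)" lines above come from the cert-to-name step that maps a client certificate to a NETCONF username. The following is an added example, not code from libnetconf or netopeer, that shows how such a fingerprint is encoded and matched. It assumes the RFC 7407 x509c2n:tls-fingerprint format: the first octet is a hash-algorithm id (01 MD5, 02 SHA-1, 03 SHA-224, 04 SHA-256, 05 SHA-384, 06 SHA-512) and the remaining octets are that digest of the DER-encoded certificate, all written as colon-separated hex. It also reads the logged value as the fingerprint configured in datastore.xml (an assumption; the thread does not confirm it): it is exactly 20 octets, the length of a bare SHA-1 digest, so its first octet 0x9a is taken as an algorithm id and matches nothing. The certificate bytes in the block are constructed filler, not a real X.509 certificate; the hashing is the same for real DER input.

```python
"""Added example (not libnetconf/netopeer code): RFC 7407 cert-to-name fingerprints."""
import base64
import hashlib
import re

# Hash-algorithm ids from the RFC 7407 tls-fingerprint typedef (assumed format).
ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}

# Constructed stand-in for the DER bytes of client.crt; NOT a real certificate.
CONSTRUCTED_DER = b"constructed stand-in for the DER encoding of client.crt"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Value the server logged in the issue, read here as the configured fingerprint
# (assumption): 20 octets, i.e. a bare SHA-1 digest with no algorithm id in front.
LOGGED_FINGERPRINT = "9a:cc:f6:94:90:04:e9:23:a0:32:39:ce:2c:f4:e2:5f:93:b7:db:da"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tls_fingerprint(der: bytes, alg_id: int = 2) -> str:
    """Encode a fingerprint as "<alg id>:<digest>" in colon-separated hex (default SHA-1)."""
    digest = hashlib.new(ALGORITHMS[alg_id], der).digest()
    return ":".join(f"{b:02x}" for b in bytes([alg_id]) + digest)


def parse_fingerprint(value: str):
    """Return (algorithm name, digest bytes), or (None, reason) if the value is malformed."""
    octets = bytes.fromhex(value.replace(":", ""))
    alg = ALGORITHMS.get(octets[0])
    if alg is None:
        return None, f"unknown fingerprint algorithm id 0x{octets[0]:02x}"
    want = hashlib.new(alg).digest_size
    if len(octets) - 1 != want:
        return None, f"{alg} digest must be {want} octets, got {len(octets) - 1}"
    return alg, octets[1:]


def cert_to_name(der: bytes, mappings):
    """Resolve a presented certificate to a username from (fingerprint, name) pairs.

    Entries whose fingerprint has an unknown algorithm id or a wrong digest
    length are skipped (the condition the "skipping" log lines report); the
    first entry whose digest matches the presented certificate wins.
    """
    for fingerprint, name in mappings:
        alg, digest = parse_fingerprint(fingerprint)
        if alg is None:
            continue
        if hashlib.new(alg, der).digest() == digest:
            return name
    return None


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    print("logged value:", parse_fingerprint(LOGGED_FINGERPRINT))
    good = tls_fingerprint(der)  # "02:" followed by the SHA-1 of the DER
    print("well-formed SHA-1 fingerprint:", good)
    print("mapped user:", cert_to_name(der, [(LOGGED_FINGERPRINT, "mukund"), (good, "mukund")]))
```

To produce a value in this format for a real client.crt, `openssl x509 -in client.crt -noout -fingerprint -sha1` prints the 20-octet SHA-1 digest as colon-separated hex; the algorithm id (`02:` for SHA-1, `04:` for the `-sha256` output) has to be prepended by hand, since OpenSSL prints the bare digest only.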

michalvasko commented 8 years ago

Hi Mukund, you are using netopeer, so we will solve the issue you posted there; please do not post duplicate issues next time.

Regards, Michal