CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

TLS connection succeeds, but TLS call-home fails #1381

Closed Yeager1998 closed 1 year ago

Yeager1998 commented 1 year ago

Hi @michalvasko, I tried the TLS connection according to README.md, and it succeeded. But when I use the same certificates and authorization for TLS call-home, netopeer2-cli prints a certificate verification error. Here's what I do with netopeer2-cli:

> cert replaceown tls_certs/client.crt tls_certs/client.key 
> cert add tls_certs/ca.pem
> Doing /home/user/.netopeer2-cli/certs

> connect --tls
> status
Current NETCONF session:
  ID          : 1
  Host        : 127.0.0.1
  Port        : 6513
  Transport   : TLS
  Capabilities:
    urn:ietf:params:netconf:base:1.0
    urn:ietf:params:netconf:base:1.1
        ...
> disconnect 
> listen -h
listen [--help] [--timeout <sec>] [--host <hostname>] [--port <num>]
   SSH [--ssh] [--login <username>]
   TLS  --tls  [--cert <cert_path> [--key <key_path>]] [--trusted <trusted_CA_store.pem>]
> listen --tls
cmd_listen: Waiting 60s for a TLS Call Home connection on port 4335...
nc ERROR: SSL_connect failed (certificate verify failed).
cmd_listen: Receiving TLS Call Home on port 4335 failed.
listen: unrecognized option '--tls'
cmd_listen: Unknown option -?.
listen [--help] [--timeout <sec>] [--host <hostname>] [--port <num>]
   SSH [--ssh] [--login <username>]
   TLS  --tls  [--cert <cert_path> [--key <key_path>]] [--trusted <trusted_CA_store.pem>]
> listen --tls --cert tls_certs/client.crt --key tls_certs/client.key --trusted tls_certs/ca.pem
cmd_listen: Waiting 60s for a TLS Call Home connection on port 4335...
nc ERROR: SSL_connect failed (certificate verify failed).
cmd_listen: Receiving TLS Call Home on port 4335 failed.
listen: unrecognized option '--tls'
cmd_listen: Unknown option -?.
listen [--help] [--timeout <sec>] [--host <hostname>] [--port <num>]
   SSH [--ssh] [--login <username>]
   TLS  --tls  [--cert <cert_path> [--key <key_path>]] [--trusted <trusted_CA_store.pem>]
> 

Looking forward to your reply.

Yeager1998 commented 1 year ago

Hi @michalvasko, the output of netopeer2-server is as follows:

[INF]: LN: Trying to connect via IPv6 to ::1:4335.
[INF]: LN: getsockopt() error (Connection refused).
[INF]: LN: Trying to connect via IPv4 to 127.0.0.1:4335.
[INF]: LN: getsockopt() error (Connection refused).
[INF]: LN: Trying to connect via IPv6 to ::1:4335.
[INF]: LN: Successfully connected to localhost:4335 over IPv6.
[INF]: SR: Session 388 (user "root", CID 29) created.
[INF]: SR: Session 389 (user "root", CID 29) created.
[INF]: SR: Session 390 (user "root", CID 29) created.
**[ERR]: LN: SSL_accept failed (sslv3 alert bad certificate).**
[INF]: LN: Trying to connect via IPv6 to ::1:4335.
[INF]: LN: getsockopt() error (Connection refused).
[INF]: LN: Trying to connect via IPv4 to 127.0.0.1:4335.
[INF]: LN: getsockopt() error (Connection refused).
[INF]: LN: Trying to connect via IPv6 to ::1:4335.
[INF]: LN: getsockopt() error (Connection refused).

All software versions are as follows:

1. libyang-2.0.231
2. libssh-0.9.6 
3. libnetconf2-2.1.18
4. sysrepo-2.1.84
5. netopeer2-2.1.36

Thanks.

michalvasko commented 1 year ago

The command you are using seems fine, so the only problem I can find is the outdated versions of our libraries that you are using. Try updating them and let us know if you still encounter the same behavior.

Yeager1998 commented 1 year ago

Hi @michalvasko, after I updated all software versions, TLS call-home was successful. All software versions are as follows:

1. libyang-2.1.55
2. libssh-0.9.6 
3. libnetconf2-2.1.31
4. sysrepo-2.2.60
5. netopeer2-2.1.59

One more question: I tried to use server.key and server.crt for call-home authentication, and it works. Is that normal behavior?

Thanks.

michalvasko commented 1 year ago

Why should the server certificate and key not work for Call Home? I do not understand the question.
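Added illustration for the two questions in this thread (it is not part of the issue, nor netopeer2 code). In TLS Call Home the roles are reversed only at the TCP layer (RFC 8071): the cli listens and accepts the incoming connection, but it is still the TLS client, so it must verify the server's certificate against its trusted store (`cert add` / `listen --trusted`), which is what the cli's `SSL_connect failed (certificate verify failed)` line reports; the `sslv3 alert bad certificate` the server logged is the alert the cli sent back after that verification failed. The script below builds a throw-away PKI using the file names of the README's `tls_certs/` directory (an assumption; `server_only.crt` and `other_ca.pem` are constructed for the demo) and runs, with `openssl verify`, the same chain-and-purpose check each peer performs on the other's certificate. It also shows why a certificate named server.crt can serve as the cli's identity: what the verifying side checks is the issuing CA and the extended key usage, not the file name.

```shell
#!/bin/sh
# Added example (not netopeer2 code): a throw-away PKI mirroring the README's
# tls_certs/ layout (ca.pem, server.crt/.key, client.crt/.key are assumed
# names), plus the offline checks behind "certificate verify failed".
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
CNF="$PKI_DIR/ext.cnf"

# Minimal OpenSSL config: one CA profile and two end-entity profiles.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee_dual_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[ee_server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_ca NAME CN: self-signed root NAME.pem with private key NAME.key
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.pem" \
        -subj "/CN=$2" -config "$CNF" -extensions ca_ext >/dev/null 2>&1
}

# make_ee NAME CN CA EXT_SECTION: end-entity NAME.crt/NAME.key issued by CA
make_ee() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" \
        -subj "/CN=$2" -config "$CNF" >/dev/null 2>&1
    openssl x509 -req -in "$PKI_DIR/$1.csr" -days 1 \
        -CA "$PKI_DIR/$3.pem" -CAkey "$PKI_DIR/$3.key" -CAcreateserial \
        -out "$PKI_DIR/$1.crt" -extfile "$CNF" -extensions "$4" >/dev/null 2>&1
}

# check_cert CA_BUNDLE CERT PURPOSE: the check a TLS peer performs on the
# other side's certificate. CA_BUNDLE plays the role of the cli's trusted
# store; PURPOSE is sslserver when the cli verifies the server's certificate
# and sslclient when the server verifies the cli's.
# Prints "ok" or "fail: <openssl reason line>".
check_cert() {
    out=$(openssl verify -purpose "$3" -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    reason=$(printf '%s\n' "$out" | grep 'depth lookup' | head -n 1)
    echo "fail: ${reason:-$out}"
}

make_ca ca "Example Root CA"          # the CA both peers trust
make_ca other_ca "Unrelated CA"       # a CA that is NOT in the trusted store
make_ee server "netopeer2-server" ca ee_dual_ext
make_ee client "netopeer2-cli" ca ee_dual_ext
make_ee server_only "server-auth-only" ca ee_server_ext

echo "cli verifies server.crt:             $(check_cert "$PKI_DIR/ca.pem" "$PKI_DIR/server.crt" sslserver)"
echo "server verifies client.crt:          $(check_cert "$PKI_DIR/ca.pem" "$PKI_DIR/client.crt" sslclient)"
echo "server.crt used as client identity:  $(check_cert "$PKI_DIR/ca.pem" "$PKI_DIR/server.crt" sslclient)"
echo "issuer missing from trusted store:   $(check_cert "$PKI_DIR/other_ca.pem" "$PKI_DIR/server.crt" sslserver)"
echo "serverAuth-only cert as client:      $(check_cert "$PKI_DIR/ca.pem" "$PKI_DIR/server_only.crt" sslclient)"
```

The first three checks pass: both end-entity certificates chain to `ca.pem`, and because `server.crt` carries both `serverAuth` and `clientAuth`, it is accepted as a client identity too, which is the situation asked about above. The last two fail with openssl's reason line (`unable to get local issuer certificate` when the issuer is absent from the trusted store, `unsupported certificate purpose` when a serverAuth-only certificate is offered as a client identity); running the same `openssl verify` against the real `ca.pem` before starting `listen --tls` separates a certificate problem from a software one.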

Yeager1998 commented 1 year ago

Hi @michalvasko, I use SSH a lot and don't know much about TLS, and I will learn more about TLS.

Thanks for your help.