CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

SSL accept failed (wrong version number). #1561

Closed biswajit84 closed 5 months ago

biswajit84 commented 5 months ago

Hi, I am trying to test the netopeer2-server with TLS-based communication with netopeer2-cli. When I try to connect to the server using

connect --host localhost --login tls-test --port 6513

on the client side, I am getting this error:

nc ERROR: Starting the SSH session failed (Socket error: Connection reset by peer).
cmd_connect: Connecting to the localhost:6513 as user "tls-test" failed.

Any input will be really helpful. On the server side:

[INF]: SR: Connection 33 created.
[INF]: SR: Session 43 (user "root", CID 33) created.
[INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
[INF]: LN: Listening on 0.0.0.0:830 for SSH connections.
[INF]: LN: Listening on 0.0.0.0:6513 for TLS connections.
[INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.

[INF]: LN: Accepted a connection on 0.0.0.0:6513 from 127.0.0.1:36174.
[ERR]: LN: SSL accept failed (wrong version number).

Command used to run netopeer2-cli:

sudo netopeer2-cli --tls --cert /home/biswajit/netopeer/netopeer2/example_configuration/tls_certs/client.crt --key /home/biswajit/netopeer/netopeer2/example_configuration/tls_certs/client.key --trusted /home/biswajit/netopeer/netopeer2/example_configuration/tls_certs/ca.pem
>connect --host localhost --login tls-test --port 6513

openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

ldd /usr/local/lib/libnetconf2.so.4.1.14
        linux-vdso.so.1 (0x00007fff5e5d3000)
        libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f8f7a702000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f8f7a2be000)
        libssh.so.4 => /usr/local/lib/libssh.so.4 (0x00007f8f7a233000)
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007f8f7a129000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f8f7a0ef000)
        libyang.so.3 => /usr/local/lib/libyang.so.3 (0x00007f8f79ee5000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8f79cbc000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f8f79ca0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8f7a835000)
ldd /usr/local/sbin/netopeer2-server
        linux-vdso.so.1 (0x00007fff2d9ed000)
        libnetconf2.so.4 => /usr/local/lib/libnetconf2.so.4 (0x00007fe705907000)
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007fe7057fd000)
        libyang.so.3 => /usr/local/lib/libyang.so.3 (0x00007fe7055f5000)
        libsysrepo.so.7 => /usr/local/lib/libsysrepo.so.7 (0x00007fe705536000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe70530d000)
        libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007fe705267000)
        libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fe704e23000)
        libssh.so.4 => /usr/local/lib/libssh.so.4 (0x00007fe704d98000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fe704d5e000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fe704d42000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe7059bc000)

Regards, Biswajit

michalvasko commented 5 months ago

My guess would be that the client is attempting to use an old version of TLS, so the server disconnects. Why that is, though, I do not know. Also, the CLI command is rather weird; you should simply run the CLI (no root) and then execute:

connect --tls --host localhost --login tls-test --port 6513 --cert /home/biswajit/netopeer/netopeer2/example_configuration/tls_certs/client.crt --key /home/biswajit/netopeer/netopeer2/example_configuration/tls_certs/client.key --trusted /home/biswajit/netopeer/netopeer2/example_configuration/tls_certs/ca.pem

biswajit84 commented 5 months ago

Thanks a lot for your input. I have tried as you have suggested and it worked.

Regards, Biswajit
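
Added example, not part of the thread and not netopeer2 or libnetconf2 code: in the logs above the client reports a failed SSH session against port 6513 while the server reports a TLS accept failure, which is the signature of a protocol mismatch on a TLS listener. The sketch below classifies the first bytes a peer sent (taken, for instance, from a packet capture) as an SSH identification string or a TLS record; the function name and both sample byte strings are constructed for illustration.

```python
import struct

# TLS record-layer content types and legacy version codes (RFC 8446, section 5.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def classify_first_bytes(data: bytes) -> dict:
    """Report which protocol a peer opened with on a port that expects TLS."""
    if len(data) < 5:
        return {"protocol": "unknown", "reason": "need at least 5 bytes"}
    # A TLS record header is: 1-byte type, 2-byte version, 2-byte length.
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if data.startswith(b"SSH-"):
        banner = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
        # A TLS parser would read bytes 1-2 ("SH") as the record version.
        return {"protocol": "ssh", "banner": banner,
                "bytes_read_as_version": hex(version)}
    if ctype in CONTENT_TYPES and version in VERSIONS:
        info = {"protocol": "tls", "record_type": CONTENT_TYPES[ctype],
                "record_version": VERSIONS[version], "record_length": length}
        # ClientHello: handshake type 1, 3-byte length, then client_version.
        # TLS 1.3 clients also put 0x0303 here and negotiate via an extension.
        if ctype == 22 and len(data) >= 11 and data[5] == 1:
            hello = struct.unpack("!H", data[9:11])[0]
            info["client_hello_version"] = VERSIONS.get(hello, hex(hello))
        return info
    return {"protocol": "not-tls", "bytes_read_as_version": hex(version)}


# Constructed samples: an SSH identification string and the first bytes
# of a TLS ClientHello (record header, handshake header, version, zero padding).
SSH_SAMPLE = b"SSH-2.0-example_client\r\n"
TLS_SAMPLE = bytes.fromhex("16030100c6" "010000c2" "0303") + bytes(32)

if __name__ == "__main__":
    for name, sample in (("ssh", SSH_SAMPLE), ("tls", TLS_SAMPLE)):
        print(name, classify_first_bytes(sample))
```
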