CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Unable to connect using TLS in netopeer2-2.2.28 #1597

Closed: satomhxl closed this issue 5 days ago

satomhxl commented 1 week ago

Hello, I'm testing netopeer2-2.2.28 these days, and I failed to establish TLS connection using files in example_configuration dir.

Here are my steps:

  1. Load xmls and start netopeer2-server

    # in netopeer2-2.2.28/example_configuration
    sysrepocfg --edit=tls_keystore.xml
    sysrepocfg --edit=tls_truststore.xml
    sysrepocfg --edit=tls_listen.xml
    netopeer2-server -d -v2
    [INF]: SR: Connection 20 created.
    [INF]: SR: Session 34 (user "root", CID 20) created.
    [INF]: SR: Triggering "ietf-netconf-server" "done" event on enabled data.
    [INF]: LN: Listening on 0.0.0.0:830 for SSH connections.
    [INF]: LN: Listening on 0.0.0.0:6513 for TLS connections.
    [INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
    [INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
    [INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
    [INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
    [INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
    [INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
  2. Add certificates in netopeer2-cli

    netopeer2-cli
    > cert display
    get_default_trustedCA_dir: Default trusted CA directory does not exist, creating it.
    No certificates found in the default trusted CA directory.
    > cert displayown
    FAIL: No client certificate found, use "cert replaceown" to set some.
    > cert add tls_certs/ca.pem
    > cert replaceown tls_certs/client.crt tls_certs/client.key
    > cert display
    -----ca-----
    serial: 45ce2c8a91ef25294dad0221461662941bd5e11a
    Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
    Issuer: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
    Valid until: Sep 1 10:21:01 2031 GMT
    > cert displayown
    OK: Using *.crt certificate with a separate private key.
    -----CRT-----
    serial: 47f82c15c5f3457a6d35a7ea427f46e71ca49fc0
    Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=client/emailAddress=client@example.org
    Issuer: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
    Valid until: Sep 1 10:28:18 2031 GMT

  3. Connect, and the output of netopeer2-cli and netopeer2-server

    # client
    > connect --tls
    nc ERROR: Server certificate error (unable to get certificate CRL).
    nc ERROR: TLS connection to "localhost" failed (certificate verify failed).
    cmd_connect: Connecting to the localhost:6513 failed.

    # server
    [INF]: LN: Accepted a connection on 0.0.0.0:6513 from 127.0.0.1:34544.
    [ERR]: LN: TLS accept failed (tlsv1 alert unknown ca).

Are there any steps I did wrong?

The host environment is Ubuntu 22.04.
openssl version is OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Thank you very much.

Roytak commented 1 week ago

Hello, thank you for reporting this, it is a bug. Should be fixed tomorrow.

satomhxl commented 6 days ago

So you change the code from

to

right?

Roytak commented 6 days ago

Yes, that's right. CRLs are meant to be optional, but the latest release breaks it and requires netopeer2-cli to set a CRL that is signed by the server's CA.
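
The explanation above ties directly to the client-side error in the first post: "unable to get certificate CRL" is OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL, raised when CRL checking is enabled but no CRL issued by the certificate's CA has been loaded, and a client that hits it aborts the handshake with an unknown_ca alert, which is what the server logged. The following shell script is an added example, not code from this issue or from the netopeer2 project: it builds a throwaway CA, a leaf certificate and a CRL with plain openssl, then verifies the leaf with -crl_check once without and once with the CRL, so the failure mode and the fix (supplying a CRL signed by the issuing CA, or not forcing CRL checks) can be seen outside netopeer2. All paths, subjects and the minimal ca config are constructed for the example.

```shell
#!/bin/sh
# Added example (not netopeer2 code): reproduce OpenSSL's "unable to get certificate CRL"
# with a throwaway PKI. Every path and subject below is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # 1. Self-signed test CA (constructed; not the netopeer2 example CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # 2. Leaf certificate issued by that CA (stands in for the server certificate)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.crt" >/dev/null 2>&1

  # 3. An empty CRL signed by the CA; "openssl ca -gencrl" needs a minimal config
  cat >"$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
EOF
  : >"$WORK/index.txt"
  echo 01 >"$WORK/crlnumber"
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Verify the leaf with CRL checking on, as a TLS client verifying a server certificate does.
# $1 is a CRL file, or empty for "no CRL loaded". Prints "OK" when verification passes,
# otherwise OpenSSL's reason string.
crl_check_result() {
  if [ -n "${1:-}" ]; then set -- -CRLfile "$1"; else set --; fi
  if openssl verify -crl_check -CAfile "$WORK/ca.pem" "$@" "$WORK/leaf.crt" \
       >"$WORK/verify.log" 2>&1; then
    echo OK
  else
    # e.g. "error 3 at 0 depth lookup: unable to get certificate CRL"
    sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: //p' "$WORK/verify.log" | head -n 1
  fi
}

make_test_pki
echo "no CRL loaded: $(crl_check_result)"                 # unable to get certificate CRL
echo "CRL loaded:    $(crl_check_result "$WORK/ca.crl")"  # OK
```

The leaf certificate is valid in both runs; only the presence of a CRL from its issuer changes the verdict, which is why a client that unconditionally enables CRL checking rejects every server whose CA publishes no CRL. -crl_check covers the leaf only; -crl_check_all demands a CRL for every issuer in the chain, so the same error then appears for intermediate CAs as well.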

satomhxl commented 5 days ago

OK, thank you. I can successfully connect using the devel branch now.