CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Failed to establish remote TLS connection using self-signed certificate #1603

Closed satomhxl closed 3 months ago

satomhxl commented 3 months ago

Hello, I'm testing the establishment of a remote TLS connection using self-signed certificates generated locally. The netopeer2 version is 2.2.28. But when I try to connect, netopeer2-cli reports an error:

> connect --tls --host 172.16.26.221 --cert client.crt --key client.key --trusted ca.pem
nc ERROR: SSL connect to "172.16.26.221" failed (Connection reset by peer).
cmd_connect: Connecting to the 172.16.26.221:6513 failed.

And the server outputs:

[INF]: LN: Accepted a connection on 0.0.0.0:6513 from 172.16.28.168:34472.

The netopeer2-cli client's IP is 172.16.28.168, and netopeer2-server's IP is 172.16.26.221.

Here are the steps I took to generate certificates:

1. certificate of CA
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem

2. certificate of server
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr (I set the Common Name to 172.16.26.221 here)
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 500 -sha256

3. certificate of client
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr (I set the Common Name to 172.16.28.168 here)
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 500 -sha256

4. prepare XMLs and load them into sysrepo, and start netopeer2-server
sysrepocfg --edit=tls_keystore.xml
sysrepocfg --edit=tls_truststore.xml
sysrepocfg --edit=tls_listen.xml
netopeer2-server -d -v2

5. at client side, start netopeer2-cli and connect
netopeer2-cli
> connect --tls --host 172.16.26.221 --cert client.crt --key client.key --trusted ca.pem
nc ERROR: SSL connect to "172.16.26.221" failed (Connection reset by peer).
cmd_connect: Connecting to the 172.16.26.221:6513 failed.

I can successfully establish a NETCONF connection over SSH between client and server, and also a local TLS connection with the certificates in example_configurations provided in the netopeer2 source code. Here are all the certificates and XMLs I use: tls_certs.zip. My host environment is Ubuntu 22.04. The openssl version is OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022).

Can you have a look? Thank you very much.

satomhxl commented 3 months ago

Sorry, I found that I had set the servercert's cert-data to the CA's cert data in tls_keystore.xml. Now I can successfully establish the connection.
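A check for the mix-up that closed this issue (the CA certificate loaded as the servercert's cert-data), as an added example that is not part of the issue or of netopeer2. It assumes the ietf-keystore XML layout (asymmetric-key/certificates/certificate/cert-data) and the entry names servercert/serverkey used above; the PEM bodies below are constructed stand-ins, not real certificates.

```python
# Added example (not netopeer2 code): report which certificate the 'servercert'
# entry of tls_keystore.xml carries. Assumes the ietf-keystore layout and names.
import base64
import re
import xml.etree.ElementTree as ET

KS_NS = "urn:ietf:params:xml:ns:yang:ietf-keystore"

def pem_body(pem: str) -> str:
    """Base64 payload of the first PEM block, whitespace removed."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return re.sub(r"\s+", "", m.group(1))

def keystore_cert_data(keystore_xml: str, cert_name: str = "servercert") -> str:
    """Base64 cert-data of the named certificate entry in the keystore XML."""
    root = ET.fromstring(keystore_xml)
    for cert in root.iter(f"{{{KS_NS}}}certificate"):
        name = cert.find(f"{{{KS_NS}}}name")
        data = cert.find(f"{{{KS_NS}}}cert-data")
        if name is not None and name.text == cert_name and data is not None:
            return re.sub(r"\s+", "", data.text or "")
    raise ValueError(f"certificate {cert_name!r} not found in keystore")

def classify_keystore_cert(keystore_xml: str, server_crt: str, ca_pem: str) -> str:
    """'server' if cert-data equals server.crt, 'ca' if it equals ca.pem (the
    mix-up in this issue), otherwise 'unknown'. Raises on damaged base64."""
    loaded = keystore_cert_data(keystore_xml)
    base64.b64decode(loaded, validate=True)
    if loaded == pem_body(server_crt):
        return "server"
    if loaded == pem_body(ca_pem):
        return "ca"
    return "unknown"

def pem(der: bytes) -> str:
    """PEM CERTIFICATE block around the given bytes (constructed sample data)."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def keystore_with(cert_b64: str) -> str:
    """Minimal constructed tls_keystore.xml carrying the given cert-data."""
    return (f'<keystore xmlns="{KS_NS}"><asymmetric-keys><asymmetric-key>'
            "<name>serverkey</name><certificates><certificate><name>servercert</name>"
            f"<cert-data>{cert_b64}</cert-data></certificate></certificates>"
            "</asymmetric-key></asymmetric-keys></keystore>")

# Constructed stand-ins for the DER bodies of server.crt and ca.pem (not real certs).
SERVER_CRT = pem(b"constructed server certificate DER")
CA_PEM = pem(b"constructed CA certificate DER")
```

On a real deployment, also confirm that the loaded certificate belongs to the configured private key by comparing `openssl x509 -noout -modulus -in server.crt` with `openssl rsa -noout -modulus -in server.key`; a mismatch there produces the same reset-on-handshake symptom.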