Open Aaru47527 opened 3 months ago
Hi, what libnetconf2/netopeer2 versions are you using? I think that the problem is that you're missing a cert-to-name
entry for the client's certificate in the server's configuration.
Hi @Roytak,

We are using libnetconf2-2.1.31 and netopeer2-2.1.59. The issue might be related to a missing cert-to-name entry for the client's certificate in the server's configuration. Here's an example of how it should look:
```xml
<ca-certs>cacerts</ca-certs>
<client-certs>clientcerts</client-certs>
<cert-maps>
  <cert-to-name>
    <id>1</id>
    <fingerprint>02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74</fingerprint>
    <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
    <name>tls-test</name>
  </cert-to-name>
</cert-maps>
```
This configuration needs to be added under the
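The `<fingerprint>` in the entry above is an `x509c2n:tls-fingerprint`: its first octet names the hash (`02` is SHA-1, `04` would be SHA-256) and the rest is the digest of the client certificate's DER encoding. The following helper is an added example, not code from this thread or from the netopeer2 project; it computes that value for a PEM certificate, validates a configured fingerprint, renders the `<cert-to-name>` entry, and models the chain walk the server log shows (depth 1, then depth 0). The sample certificate bytes are constructed, the hash-id table follows RFC 7407, and the lookup model is an assumption about behaviour inferred from the log, not libnetconf2's own code.

```python
"""Fingerprint helper for libnetconf2/netopeer2 cert-to-name entries.

Added example, not code from the issue thread or the netopeer2 project.
Assumptions: the fingerprint is an x509c2n:tls-fingerprint as in RFC 7407
(leading octet 1=md5, 2=sha1, 3=sha224, 4=sha256, 5=sha384, 6=sha512, then the
digest of the DER certificate, all colon-separated hex). cert_to_name() models
the lookup the server log shows (depth 1, then depth 0); it is not libnetconf2 code.
"""
from __future__ import annotations

import base64
import hashlib
import re
import sys
from xml.sax.saxutils import escape

HASH_IDS = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
ID_TO_HASH = {v: k for k, v in HASH_IDS.items()}
PEM_ARMOR = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the first certificate in the file."""
    first = pem.split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(PEM_ARMOR.sub("", first).split()))


def fingerprint_for_der(der: bytes, algo: str = "sha1") -> str:
    """x509c2n:tls-fingerprint of a DER certificate, e.g. '02:A9:99:...' for sha1."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02X}" for b in bytes([HASH_IDS[algo]]) + digest)


def parse_fingerprint(fp: str) -> tuple[str, bytes]:
    """Split a configured fingerprint into (hash name, digest), rejecting bad lengths."""
    raw = bytes.fromhex(fp.replace(":", ""))
    if not raw or raw[0] not in ID_TO_HASH:
        raise ValueError(f"{fp}: unknown hash algorithm id")
    algo = ID_TO_HASH[raw[0]]
    size = hashlib.new(algo).digest_size
    if len(raw) - 1 != size:
        raise ValueError(f"{fp}: {algo} digest must be {size} bytes, got {len(raw) - 1}")
    return algo, raw[1:]


def cert_to_name(chain_der: list[bytes], cert_maps: list[dict]) -> str | None:
    """Model of the server's lookup (assumption): walk the presented chain issuer-first
    (depth 1, then depth 0 in the log) and return the name of the first matching entry.
    None corresponds to 'Cert-to-name unsuccessful, dropping the new client'."""
    for der in chain_der:
        for entry in cert_maps:
            algo, want = parse_fingerprint(entry["fingerprint"])
            if hashlib.new(algo, der).digest() == want:
                return entry["name"]
    return None


def cert_to_name_xml(entry_id: int, fingerprint: str, name: str) -> str:
    """Render a <cert-to-name> entry of map-type 'specified', the shape used in the thread."""
    return (
        "<cert-to-name>\n"
        f"  <id>{entry_id}</id>\n"
        f"  <fingerprint>{fingerprint}</fingerprint>\n"
        '  <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">'
        "x509c2n:specified</map-type>\n"
        f"  <name>{escape(name)}</name>\n"
        "</cert-to-name>"
    )


# Constructed sample input (not a real certificate). A self-signed client cert
# presents the same DER at depth 1 and depth 0, as the subject/issuer lines in the log show.
LEAF_DER = b"constructed-client-cert-der"
CHAIN = [LEAF_DER, LEAF_DER]
# The entry from the thread; its digest will not match the constructed cert.
THREAD_ENTRY = {
    "id": 1,
    "fingerprint": "02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74",
    "name": "tls-test",
}


def demo() -> tuple[str | None, str | None]:
    """(lookup result with the thread's entry only, result after adding the client's own fingerprint)."""
    before = cert_to_name(CHAIN, [THREAD_ENTRY])
    fixed = {"id": 2, "fingerprint": fingerprint_for_der(LEAF_DER), "name": "tls-test"}
    after = cert_to_name(CHAIN, [THREAD_ENTRY, fixed])
    return before, after


if __name__ == "__main__":
    # Usage: python ctn_fingerprint.py client.crt [sha1|sha256]
    if len(sys.argv) > 1:
        algo = sys.argv[2] if len(sys.argv) > 2 else "sha1"
        with open(sys.argv[1]) as fh:
            fp = fingerprint_for_der(pem_to_der(fh.read()), algo)
        print(cert_to_name_xml(1, fp, "tls-test"))
    else:
        print(demo())
```

For a real client certificate, `openssl x509 -in client.crt -noout -fingerprint -sha1` prints the same digest; prepend `02:` to get the configured form. Because the log shows the lookup continuing to the next certificate in the chain, an entry whose fingerprint is the CA's would map every certificate issued by that CA to the same name; configuring the leaf certificate's fingerprint keeps the binding per client.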
Describe the issue: I am encountering an error when attempting to listen for a TLS Call Home connection using netopeer2-cli. Below is the command and the error log I receive:

Command: `listen --tls`

Error Log:
```
cmd_listen: Waiting 60s for a TLS Call Home connection on port 4335...
nc ERROR: Communication socket unexpectedly closed.
cmd_listen: Receiving TLS Call Home on port 4335 failed.
```
Here are the relevant logs from the netopeer2-server:
```
[INF]: LN: Trying to connect via IPv4 to 172.17.167.137:4335.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Successfully connected to 172.17.167.137:4335 over IPv4.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Successfully connected to 172.17.167.137:4335 over IPv4.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 822 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 822 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 823 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 823 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 824 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 824 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: depth 1.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: depth 1.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: depth 0.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert-to-name unsuccessful, dropping the new client.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [ERR]: LN: Client certificate error (application verification failure).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [ERR]: LN: SSL accept failed (certificate verify failed).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: depth 0.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert-to-name unsuccessful, dropping the new client.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Client certificate error (application verification failure).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: SSL accept failed (certificate verify failed).
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Call Home client "default-client" endpoint "endpoint-tls" failed connection attempt limit 3 reached.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Call Home client "default-client" endpoint "endpoint-tls" failed connection attempt limit 3 reached.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Call Home client "default-client" endpoint "endpoint-tls" connecting...
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Trying to connect via IPv4 to 172.17.167.137:4335.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: getsockopt() error (Connection refused).
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Call Home client "default-client" endpoint "endpoint-tls" connecting...
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Trying to connect via IPv4 to 172.17.167.137:4335.
```
Steps to Reproduce:
1. `listen --tls` command from netopeer2-cli.

Expected Behavior: The TLS Call Home connection should be established successfully.

Actual Behavior: The connection fails with the error `SSL accept failed (certificate verify failed)`.

Any help resolving this issue would be greatly appreciated.

Regards,
Aarti