CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Error with TLS Call Home connection using netopeer2-cli #1623

Open Aaru47527 opened 1 month ago

Aaru47527 commented 1 month ago

Describe the issue: I am encountering an error when attempting to listen for a TLS Call Home connection using netopeer2-cli. Below is the command and the error log I receive:

Command: listen --tls

Error Log:

```text
cmd_listen: Waiting 60s for a TLS Call Home connection on port 4335...
nc ERROR: Communication socket unexpectedly closed.
cmd_listen: Receiving TLS Call Home on port 4335 failed.
```

Here are the relevant logs from the netopeer2-server:

```text
[INF]: LN: Trying to connect via IPv4 to 172.17.167.137:4335.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Successfully connected to 172.17.167.137:4335 over IPv4.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Successfully connected to 172.17.167.137:4335 over IPv4.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 822 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 822 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 823 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 823 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 824 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 824 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: depth 1.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: depth 1.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: depth 0.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert-to-name unsuccessful, dropping the new client.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [ERR]: LN: Client certificate error (application verification failure).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [ERR]: LN: SSL accept failed (certificate verify failed).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: depth 0.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/emailAddress=ut@gmail.com.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert-to-name unsuccessful, dropping the new client.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Client certificate error (application verification failure).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: SSL accept failed (certificate verify failed).
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Call Home client "default-client" endpoint "endpoint-tls" failed connection attempt limit 3 reached.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Call Home client "default-client" endpoint "endpoint-tls" failed connection attempt limit 3 reached.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Call Home client "default-client" endpoint "endpoint-tls" connecting...
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Trying to connect via IPv4 to 172.17.167.137:4335.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: getsockopt() error (Connection refused).
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Call Home client "default-client" endpoint "endpoint-tls" connecting...
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Trying to connect via IPv4 to 172.17.167.137:4335.
```

Steps to Reproduce:

  1. Start the netopeer2-server.
  2. Run listen --tls command from netopeer2-cli.
  3. Observe the error log.

Expected Behavior: The TLS Call Home connection should be established successfully.

Actual Behavior: The connection fails with the error: SSL accept failed (certificate verify failed). Any help resolving this issue would be greatly appreciated.

Regards, Aarti

Roytak commented 1 month ago

Hi, what libnetconf2/netopeer2 versions are you using? I think that the problem is that you're missing a cert-to-name entry for the client's certificate in the server's configuration.

Aaru47527 commented 1 month ago

Hi @Roytak,

We are using libnetconf2-2.1.31 and netopeer2-2.1.59. The issue might be related to a missing cert-to-name entry for the client's certificate in the server's configuration. Here's an example of how it should look:

```xml
<ca-certs>cacerts</ca-certs>
<client-certs>clientcerts</client-certs>
<cert-maps>
  <cert-to-name>
    <id>1</id>
    <fingerprint>02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74</fingerprint>
    <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
    <name>tls-test</name>
  </cert-to-name>
</cert-maps>
```

This configuration needs to be added under the section of your in the server configuration.
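The cert-to-name check behind the log above, as an added example that is not netopeer2 or libnetconf2 code: it renders a DER certificate's digest in the x509c2n tls-fingerprint form the `<fingerprint>` leaf uses (the first octet names the hash algorithm, so the `02:...` value in the config is a SHA-1 fingerprint) and walks the chain from depth 1 down to depth 0 the way the server log does, returning None where the server logs "Cert-to-name unsuccessful". The PEM, the dict keys and the function names are constructed stand-ins, and only map-type `x509c2n:specified` is modelled.

```python
"""Offline check of a client certificate against <cert-maps> entries (added example)."""
import base64
import hashlib
import re

# RFC 7407 x509c2n:tls-fingerprint: first octet = TLS HashAlgorithm code, the rest is the
# digest of the DER-encoded certificate. The page's entry starts with "02", i.e. SHA-1.
ALGO_BY_CODE = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
CODE_BY_ALGO = {name: code for code, name in ALGO_BY_CODE.items()}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode; the digest is taken over the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tls_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Render a DER certificate digest in the colon-separated form of the <fingerprint> leaf."""
    raw = bytes([CODE_BY_ALGO[algo]]) + hashlib.new(algo, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def fingerprint_algorithm(fp: str):
    """Name the hash algorithm a configured fingerprint was made with (None if unknown code)."""
    return ALGO_BY_CODE.get(int(fp.split(":")[0], 16))


def cert_to_name(chain_leaf_first, cert_maps):
    """Walk the chain from the highest depth down to the leaf ("depth 1" then "depth 0" in
    the log) and return the name of the first entry whose fingerprint matches a cert.
    Only x509c2n:specified is handled; None is the "dropping the new client" outcome."""
    for der in reversed(chain_leaf_first):
        for entry in sorted(cert_maps, key=lambda e: e["id"]):
            algo = fingerprint_algorithm(entry["fingerprint"])
            if algo and tls_fingerprint(der, algo) == entry["fingerprint"].upper():
                if entry["map-type"] == "x509c2n:specified":
                    return entry["name"]
    return None


# Constructed stand-in for a client certificate (DER payload is just b"abc"); a real PEM
# such as the file behind <client-certs> goes through the same functions unchanged.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# The entry from the issue, as a dict mirroring the <cert-to-name> XML above.
PAGE_ENTRY = {"id": 1, "map-type": "x509c2n:specified", "name": "tls-test",
              "fingerprint": "02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74"}


def check_against_page_config(pem: str):
    """Return (fingerprint the server would compute for this cert, mapped name or None)."""
    der = pem_to_der(pem)
    return tls_fingerprint(der, "sha1"), cert_to_name([der], [PAGE_ENTRY])
```

When the second element of `check_against_page_config` is None, the fix is a new `<cert-to-name>` entry carrying the first element as its `<fingerprint>`.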