CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

netopeer server-client connection failed over TLS #358

Closed cromlegionar closed 4 years ago

cromlegionar commented 5 years ago

Hello all,

I am just getting started with the topic of network configuration and am currently trying to set up a netopeer client<->server communication over TLS. I followed the instructions on how to configure TLS in netopeer as described here, but I cannot get the connection to survive the initial "connect --tls" communication:

Server Log:

Client Log:

> connect --tls 
nc VERBOSE: nc_sock_connect(localhost, 6513, -1, -1)
nc VERBOSE: Trying to connect via IPv6.
nc VERBOSE: getsockopt error: (Connection refused).
nc VERBOSE: Trying to connect via IPv4.
nc VERBOSE: Successfully connected to localhost:6513 over IPv4.
nc VERBOSE: Server certificate successfully verified.
ly VERBOSE: Plugin "/home/siemens/development_ws/libs/lib/libyang/extensions/metadata.so" successfully loaded.
ly VERBOSE: Plugin "/home/siemens/development_ws/libs/lib/libyang/extensions/yangdata.so" successfully loaded.
ly VERBOSE: Plugin "/home/siemens/development_ws/libs/lib/libyang/extensions/nacm.so" successfully loaded.
ly VERBOSE: Plugin "/home/siemens/development_ws/libs/lib/libyang/user_types/user_date_and_time.so" successfully loaded.
ly VERBOSE: Reading module "ietf-yang-metadata".
ly VERBOSE: Module "ietf-yang-metadata@2016-08-05" successfully parsed as implemented.
ly VERBOSE: Reading module "yang".
ly VERBOSE: Resolving "yang" unresolved schema nodes and their constraints...
ly VERBOSE: All "yang" schema nodes and constraints resolved.
ly VERBOSE: Module "yang@2017-02-20" successfully parsed as implemented.
ly VERBOSE: Reading module "ietf-inet-types".
ly VERBOSE: Resolving derived type "union" failed, it will be attempted later.
ly VERBOSE: Resolving derived type "union" failed, it will be attempted later.
ly VERBOSE: Resolving derived type "union" failed, it will be attempted later.
ly VERBOSE: Resolving derived type "union" failed, it will be attempted later.
ly VERBOSE: Resolving "ietf-inet-types" unresolved schema nodes and their constraints...
ly VERBOSE: All "ietf-inet-types" schema nodes and constraints resolved.
ly VERBOSE: Module "ietf-inet-types@2013-07-15" successfully parsed as implemented.
ly VERBOSE: Reading module "ietf-yang-types".
ly VERBOSE: Module "ietf-yang-types@2013-07-15" successfully parsed as implemented.
nc DEBUG: Session 0: sending message:
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><capabilities><capability>urn:ietf:params:netconf:base:1.0</capability><capability>urn:ietf:params:netconf:base:1.1</capability></capabilities></hello>

nc DEBUG: Session 0: sending message:
]]>]]>

nc DEBUG: Session 0: received message:
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><capabilities><capability>urn:ietf:params:netconf:base:1.0</capability><capability>urn:ietf:params:netconf:base:1.1</capability><capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability><capability>urn:ietf:params:netconf:capability:candidate:1.0</capability><capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability><capability>urn:ietf:params:netconf:capability:validate:1.1</capability><capability>urn:ietf:params:netconf:capability:startup:1.0</capability><capability>urn:ietf:params:netconf:capability:xpath:1.0</capability><capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&amp;also-supported=report-all,report-all-tagged,trim,explicit</capability><capability>urn:ietf:params:netconf:capability:notification:1.0</capability><capability>urn:ietf:params:netconf:capability:interleave:1.0</capability><capability>urn:ietf:params:xml:ns:yang:ietf-yang-metadata?module=ietf-yang-metadata&amp;revision=2016-08-05</capability><capability>urn:ietf:params:xml:ns:yang:1?module=yang&amp;revision=2017-02-20</capability><capability>urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&amp;revision=2013-07-15</capability><capability>urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&amp;revision=2013-07-15</capability><capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=2018-01-17&amp;module-set-id=53</capability><capability>urn:ietf:params:xml:ns:yang:example?module=example-module</capability><capability>urn:rd?module=referenced-data</capability><capability>urn:ietf:params:xml:ns:yang:small-module?module=small-module</capability><capability>urn:ietf:params:xml:ns:yang:info?module=info-module</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-base?module=id-ref-base</capability><capability>urn:ietf:params:xml:ns:yang:id-def-base?module=id-def-base</capability><capability>urn:ietf:params:xml:ns:yang:i
d-ref-aug?module=id-ref-aug</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-hello-cont?module=id-ref-hello-cont</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-hello?module=id-ref-hello</capability><capability>urn:ietf:params:xml:ns:yang:id-def-extended?module=id-def-extended</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-imported?module=id-ref-imported</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-main?module=id-ref-main</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-extend-main?module=id-ref-extend-main</capability><capability>urn:ietf:params:xml:ns:yang:id-ref-installed?module=id-ref-installed</capability><capability>test:augmleafrefcompanion?module=augm_leafref_m2</capability><capability>test:augmleafref?module=augm_leafref_m1</capability><capability>ns:yang:module-a?module=module-a&amp;revision=2016-02-10</capability><capability>ns:yang:module-b?module=module-b&amp;revision=2016-02-05</capability><capability>urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces&amp;revision=2014-05-08</capability><capability>urn:ietf:params:xml:ns:yang:iana-if-type?module=iana-if-type&amp;revision=2014-05-08</capability><capability>urn:ietf:params:xml:ns:yang:ietf-ip?module=ietf-ip&amp;revision=2014-06-16</capability><capability>ns:yang:state-module?module=state-module&amp;revision=2016-07-01</capability><capability>test:top-level-mandatory?module=top-level-mandatory</capability><capability>urn:cm?module=cross-module</capability><capability>http://example.net/turing-machine?module=turing-machine&amp;revision=2013-12-27</capability><capability>urn:ietf:params:xml:ns:yang:ietf-netconf-acm?module=ietf-netconf-acm&amp;revision=2018-02-14</capability><capability>urn:ietf:params:xml:ns:netconf:base:1.0?module=ietf-netconf&amp;revision=2011-06-01&amp;features=writable-running,candidate,rollback-on-error,validate,startup,xpath</capability><capability>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications?module=iet
f-netconf-notifications&amp;revision=2012-02-06</capability><capa
nc VERBOSE: Session 2: retreiving data for schema "ietf-netconf-monitoring", revision "2010-10-04".
nc VERBOSE: Session 2: reading schema from localfile "/home/siemens/development_ws/libs/share/libnetconf2/ietf-netconf-monitoring.yin".
nc VERBOSE: Session 2: retreiving data for schema "ietf-netconf", revision "2011-06-01".
nc VERBOSE: Session 2: reading schema from localfile "/home/siemens/development_ws/libs/share/libnetconf2/ietf-netconf.yin".
nc VERBOSE: Session 2: retreiving data for schema "ietf-netconf-acm", revision "2018-02-14".
nc VERBOSE: Session 2: reading schema from localfile "/home/siemens/development_ws/libs/share/libnetconf2/ietf-netconf-acm.yin".
nc VERBOSE: Session 2: retreiving data for schema "ietf-yang-library", revision "2018-01-17".
nc VERBOSE: Session 2: reading schema from server via get-schema.
nc DEBUG: Session 2: sending message:

#251

nc DEBUG: Session 2: sending message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><identifier>ietf-yang-library</identifier><version>2018-01-17</version><format>yang</format></get-schema></rpc>

nc DEBUG: Session 2: sending message:

##

nc DEBUG: Session 2: received message:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"><data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-yang-library {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-yang-library";
  prefix yanglib;

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991: Common YANG Data Types.";
  }

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types.";
  }

  import ietf-datastores {
    prefix ds;
    reference
      "I-D.ietf-revised-datastores:
       Network Management Datastore Architecture.";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";
  contact
    "WG Web:   &lt;http://tools.ietf.org/wg/netconf/&gt;
     WG List:  &lt;mailto:netconf@ietf.org&gt;

     Author:   Andy Bierman
               &lt;mailto:andy@yumaworks.com&gt;

     Author:   Martin Bjorklund
               &lt;mailto:mbj@tail-f.com&gt;

     Author:   Juergen Schoenwaelder
               &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;

     Author:   Kent Watsen
               &lt;mailto:kwatsen@juniper.net&gt;

     Author:   Rob Wilton
               &lt;rwilton@cisco.com&gt;";
  description
    "This module contains information about the YANG server instance,
     including the modules and datastores the server supports, and
     which modules are present in which datastores.

     Copyright (c) 2018 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision 2018-01-17 {
    description
      "Added support for multiple datastores.";
    reference
      "RFC XXXX: YANG Library.";
  }
  revision 2016-04-09 {
    description
      "Initial revision.";
    reference
      "RFC 7895: YANG Module Library.";
  }

  typedef revision-identifier {
    type string {
      pattern "\\d{4}-\\d{2}-\\d{2}";
    }
    description
      "Represents a specific date in YYYY-MM-DD format.";
  }

  grouping module-identification-leafs {
    description
      "Parameters for identifying YANG modules and submodules.";
    leaf name {
      type yang:yang-identifier;
      mandatory true;
      description
        "The YANG module or submodule name.";
    }

    leaf revision {
      type revision-identifier;
      description
        "The YANG module or submodule revision date.  If no revision
         statement is present in the YANG module or submodule, this
         leaf is not instantiated.";
    }
  }

  grouping location-leaf-list {
    description
      "Common location leaf list parameter for modules and
       submodules.";
    leaf-list location {
      type inet:uri;
      description
        "Contains a URL that represents the YANG schema
         resource for this module or submodule.

         This leaf will only be present if there is a URL
         available for retrieval of the schema for this entry.";
    }
  }

  grouping implementation-parameters {
    description
      "Parameters for describing the implementation of a module.";
    list feature {
      key "name";
      description
        "List of YANG feature names from this module that are
         supported by the server, regardless whether they are defined
         in the module or any included submodule.";
      leaf name {
        type yang:yang-identifier;
        description
          "A feature supported by the server.";
      }
    }

    list deviation {
      key "module";
      description
        "List of YANG deviation modules used by this server to modify
         the conformance of the module associated with thi
nc WARNING: Session 2: unable to identify revision of the schema "ietf-datastores" from the available server side information.
nc VERBOSE: Session 2: retreiving data for schema "ietf-datastores", revision "(null)".
nc VERBOSE: Session 2: reading schema from server via get-schema.
nc DEBUG: Session 2: sending message:

#220

nc DEBUG: Session 2: sending message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"><get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><identifier>ietf-datastores</identifier><format>yang</format></get-schema></rpc>

nc DEBUG: Session 2: sending message:

##

nc DEBUG: Session 2: received message:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2"><data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-datastores {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-datastores";
  prefix ds;

  organization
    "IETF Network Modeling (NETMOD) Working Group";
  contact
    "WG Web:   &lt;https://datatracker.ietf.org/wg/netmod/&gt;

     WG List:  &lt;mailto:netmod@ietf.org&gt;

     Author:   Martin Bjorklund
               &lt;mailto:mbj@tail-f.com&gt;

     Author:   Juergen Schoenwaelder
               &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;

     Author:   Phil Shafer
               &lt;mailto:phil@juniper.net&gt;

     Author:   Kent Watsen
               &lt;mailto:kwatsen@juniper.net&gt;

     Author:   Rob Wilton
               &lt;rwilton@cisco.com&gt;";
  description
    "This YANG module defines two sets of identities for datastores.
     The first identifies the datastores themselves, the second
     identifies datastore properties.

     Copyright (c) 2017 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (http://www.rfc-editor.org/info/rfcxxxx); see the RFC itself
     for full legal notices.";

  revision 2017-08-17 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: Network Management Datastore Architecture";
  }

  identity datastore {
    description
      "Abstract base identity for datastore identities.";
  }

  identity conventional {
    base datastore;
    description
      "Abstract base identity for conventional configuration
       datastores.";
  }

  identity running {
    base conventional;
    description
      "The running configuration datastore.";
  }

  identity candidate {
    base conventional;
    description
      "The candidate configuration datastore.";
  }

  identity startup {
    base conventional;
    description
      "The startup configuration datastore.";
  }

  identity intended {
    base conventional;
    description
      "The intended configuration datastore.";
  }

  identity dynamic {
    base datastore;
    description
      "Abstract base identity for dynamic configuration datastores.";
  }

  identity operational {
    base datastore;
    description
      "The operational state datastore.";
  }

  typedef datastore-ref {
    type identityref {
      base datastore;
    }
    description
      "A datastore identity reference.";
  }
}
</data></rpc-reply>

ly VERBOSE: Resolving unresolved data nodes and their constraints...
ly VERBOSE: All data nodes and constraints resolved.
nc DEBUG: Session 2: sending message:

#237

nc DEBUG: Session 2: sending message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3"><get xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><filter type="xpath" xmlns:yanglib="urn:ietf:params:xml:ns:yang:ietf-yang-library" select="/yanglib:*"/></get></rpc>

nc DEBUG: Session 2: sending message:

##

nc DEBUG: Session 2: received message:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3"><data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><yang-library xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-library"><checksum>53</checksum><module-set><name>complete</name><checksum>53</checksum><module><name>yang</name><revision>2017-02-20</revision><namespace>urn:ietf:params:xml:ns:yang:1</namespace></module><module><name>ietf-yang-library</name><revision>2018-01-17</revision><namespace>urn:ietf:params:xml:ns:yang:ietf-yang-library</namespace></module><module><name>example-module</name><namespace>urn:ietf:params:xml:ns:yang:example</namespace></module><module><name>referenced-data</name><namespace>urn:rd</namespace></module><module><name>test-module</name><namespace>urn:ietf:params:xml:ns:yang:test-module</namespace></module><module><name>small-module</name><namespace>urn:ietf:params:xml:ns:yang:small-module</namespace></module><module><name>info-module</name><namespace>urn:ietf:params:xml:ns:yang:info</namespace></module><module><name>id-ref-base</name><namespace>urn:ietf:params:xml:ns:yang:id-ref-base</namespace></module><module><name>id-ref-aug</name><namespace>urn:ietf:params:xml:ns:yang:id-ref-aug</namespace></module><module><name>id-ref-hello</name><namespace>urn:ietf:params:xml:ns:yang:id-ref-hello</namespace></module><module><name>id-def-extended</name><namespace>urn:ietf:params:xml:ns:yang:id-def-extended</namespace></module><module><name>id-ref-main</name><namespace>urn:ietf:params:xml:ns:yang:id-ref-main</namespace></module><module><name>id-ref-installed</name><namespace>urn:ietf:params:xml:ns:yang:id-ref-installed</namespace></module><module><name>augm_leafref_m2</name><namespace>test:augmleafrefcompanion</namespace></module><module><name>augm_leafref_m1</name><namespace>test:augmleafref</namespace></module><module><name>module-a</name><revision>2016-02-10</revision><namespace>ns:yang:module-a</namespace><submodule><name>sub-a-one</name><revision>2016-02-10</revision></subm
odule><submodule><name>sub-a-two</name><revision>2016-02-02</revision></submodule></module><module><name>module-b</name><revision>2016-02-05</revision><namespace>ns:yang:module-b</namespace></module><module><name>ietf-interfaces</name><revision>2014-05-08</revision><namespace>urn:ietf:params:xml:ns:yang:ietf-interfaces</namespace></module><module><name>iana-if-type</name><revision>2014-05-08</revision><namespace>urn:ietf:params:xml:ns:yang:iana-if-type</namespace></module><module><name>ietf-ip</name><revision>2014-06-16</revision><namespace>urn:ietf:params:xml:ns:yang:ietf-ip</namespace></module><module><name>state-module</name><revision>2016-07-01</revision><namespace>ns:yang:state-module</namespace></module><module><name>top-level-mandatory</name><namespace>test:top-level-mandatory</namespace></module><module><name>cross-module</name><namespace>urn:cm</namespace></module><module><name>turing-machine</name><revision>2013-12-27</revision><namespace>http://example.net/turing-machine</namespace></module><module><name>ietf-netconf</name><revision>2011-06-01</revision><namespace>urn:ietf:params:xml:ns:netconf:base:1.0</namespace></module><module><name>ietf-netconf-notifications</name><revision>2012-02-06</revision><namespace>urn:ietf:params:xml:ns:yang:ietf-netconf-notifications</namespace></module><module><name>notifications</name><revision>2008-07-14</revision><namespace>urn:ietf:params:xml:ns:netconf:notification:1.0</namespace></module><module><name>nc-notifications</name><revision>2008-07-14</revision><namespace>urn:ietf:params:xml:ns:netmod:notification</namespace></module><module><name>servers</name><namespace>http://example.com/ns/servers</namespace></module><module><name>commit-nacm</name><namespace>test:commit-nacm</namespace></module><module><name>swig-test-cpp-changes</name><revision>2017-03-09</revision><namespace>urn:ietf:params:xml:ns:yang:swig-test-cpp-changes</namespace></module><module><name>swig-test-cpp-operations</name><revision>2017-03-09</revision
><namespace>urn:ietf:params:xml:ns:yang:swig-test-cpp-operations<
nc VERBOSE: Session 2: retreiving data for schema "example-module", revision "(null)".
nc VERBOSE: Session 2: reading schema from server via get-schema.
nc DEBUG: Session 2: sending message:

#219

nc DEBUG: Session 2: sending message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4"><get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><identifier>example-module</identifier><format>yang</format></get-schema></rpc>

nc DEBUG: Session 2: sending message:

##

nc DEBUG: Session 2: received message:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4"><data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module example-module {
  namespace "urn:ietf:params:xml:ns:yang:example";
  prefix ie;

  organization
    "organization";
  contact
    "contact@example.com";
  description
    "example yang module";

  container container {
    list list {
      key "key1 key2";
      leaf leaf {
        type string;
      }

      leaf key1 {
        type string;
      }

      leaf key2 {
        type string;
      }
    }
  }

  leaf-list number {
    type uint16;
  }

  leaf-list array {
    type string;
  }
}
</data></rpc-reply>

nc VERBOSE: Session 2: retreiving data for schema "referenced-data", revision "(null)".
nc VERBOSE: Session 2: reading schema from server via get-schema.
nc DEBUG: Session 2: sending message:

#220

nc DEBUG: Session 2: sending message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5"><get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><identifier>referenced-data</identifier><format>yang</format></get-schema></rpc>

nc DEBUG: Session 2: sending message:

##

nc DEBUG: Session 2: received message:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="5"><data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module referenced-data {
  namespace "urn:rd";
  prefix rd;

  list list-b {
    key "name";
    leaf name {
      type string;
    }

    leaf value {
      type uint32;
    }
  }

  leaf magic_number {
    type uint8;
  }
}
</data></rpc-reply>

nc VERBOSE: Session 2: retreiving data for schema "test-module", revision "(null)".
nc VERBOSE: Session 2: reading schema from server via get-schema.
nc DEBUG: Session 2: sending message:

#216

nc DEBUG: Session 2: sending message:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="6"><get-schema xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><identifier>test-module</identifier><format>yang</format></get-schema></rpc>

nc DEBUG: Session 2: sending message:

##

nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.

As you can see, the error messages in the client are not consistent; I cannot figure out why this is. I am able to connect via SSH and perform get / get-config and edit-config (in order to change the config, as I am currently only modifying the running datastore).

At first I did not have a dummy "test" user, but adding it to my system did not change the error.

This is the complete config I am sending via the edit-config command:

<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
  <private-keys>
    <private-key>
      <name>ssh_host_rsa_key</name>
    </private-key>
    <private-key>
      <name>test_server_key</name>
      <certificate-chains>
        <certificate-chain>
          <name>test_server_cert</name>
          <certificate>MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCQ1ox...</certificate>
        </certificate-chain>
      </certificate-chains>
    </private-key>
  </private-keys>
  <trusted-certificates>
    <name>test_trusted_ca_list</name>
    <trusted-certificate>
      <name>test_ca</name>
      <certificate>MIID7TCCAtWgAwIBAgIJAMtE1NGAR5KoMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD...</certificate>
    </trusted-certificate>
  </trusted-certificates>
</keystore>
<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <listen>
    <endpoint>
      <name>all-interfaces</name>
      <ssh>
        <address>0.0.0.0</address>
        <port>830</port>
        <host-keys>
          <host-key>
            <name>imported SSH key</name>
            <public-key>ssh_host_rsa_key</public-key>
          </host-key>
        </host-keys>
      </ssh>
    </endpoint>
    <endpoint>
      <name>test_tls_listen_endpt</name>
      <tls>
        <address>0.0.0.0</address>
        <port>6513</port>
        <certificates>
          <certificate>
            <name>test_server_cert</name>
          </certificate>
        </certificates>
        <client-auth>
          <trusted-ca-certs>test_trusted_ca_list</trusted-ca-certs>
          <cert-maps>
            <cert-to-name>
              <id>1</id>
              <fingerprint>02:E9:38:1F:F6:8B:62:DE:0A:0B:C5:03:81:A8:03:49:A0:00:7F:8B:F3</fingerprint>
              <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
              <name>test</name>
            </cert-to-name>
          </cert-maps>
        </client-auth>
      </tls>
    </endpoint>
  </listen>
</netconf-server>
</config>

I am sorry if I missed something obvious, as I said I am just getting started with this topic.
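The server log later in this thread reports "Cert verify CTN: entry with a matching fingerprint found", which is the cert-to-name lookup driven by the <fingerprint> value in the edit-config above. That value is a tls-fingerprint (ietf-x509-cert-to-name, RFC 7407): the first octet names the hash algorithm (02 = SHA-1) and the remaining octets are the hash of the DER-encoded client certificate. The Python below is an added example written for this page, not code from netopeer2 or keystored; it computes and validates such fingerprints so a configured cert-to-name entry can be checked against the certificate a client actually presents. ISSUE_FINGERPRINT is copied from the configuration above; SAMPLE_DER is a constructed placeholder, not a real certificate, and the hashlib-based helpers are this example's own, not a library API.

```python
import base64
import hashlib
import re

# Hash-algorithm identifier octet that leads a tls-fingerprint value
# (ietf-x509-cert-to-name, RFC 7407; the encoding comes from RFC 6353).
ALGO_BY_ID = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
ID_BY_ALGO = {name: ident for ident, name in ALGO_BY_ID.items()}

# The fingerprint from the cert-to-name entry in the issue's edit-config above.
ISSUE_FINGERPRINT = "02:E9:38:1F:F6:8B:62:DE:0A:0B:C5:03:81:A8:03:49:A0:00:7F:8B:F3"

# Constructed stand-in for a DER-encoded client certificate; NOT a real certificate.
SAMPLE_DER = b"constructed DER placeholder - not a real X.509 certificate"


def load_der(text):
    """Decode a PEM certificate, or the bare base64 DER that ietf-keystore uses."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()))


def x509c2n_fingerprint(der, algo="sha1"):
    """Build the colon-separated fingerprint netopeer2 expects in <fingerprint>."""
    raw = bytes([ID_BY_ALGO[algo]]) + hashlib.new(algo, der).digest()
    return ":".join(f"{b:02X}" for b in raw)


def parse_fingerprint(fp):
    """Split a fingerprint into (algorithm name, digest bytes), validating its shape."""
    parts = fp.split(":")
    if len(parts) < 2 or any(len(p) != 2 for p in parts):
        raise ValueError("fingerprint must be colon-separated two-digit hex octets")
    raw = bytes(int(p, 16) for p in parts)
    algo = ALGO_BY_ID.get(raw[0])
    if algo is None:
        raise ValueError(f"unknown hash algorithm id {raw[0]}")
    digest = raw[1:]
    expected = hashlib.new(algo).digest_size
    if len(digest) != expected:
        raise ValueError(f"{algo} digest must be {expected} octets, got {len(digest)}")
    return algo, digest


def is_valid_fingerprint(fp):
    """Shape check only: algorithm id known and digest length matches it."""
    try:
        parse_fingerprint(fp)
        return True
    except ValueError:
        return False


def fingerprint_matches(configured, der):
    """True if the configured cert-to-name fingerprint is the hash of this certificate."""
    algo, digest = parse_fingerprint(configured)
    return hashlib.new(algo, der).digest() == digest


if __name__ == "__main__":
    print("configured:", ISSUE_FINGERPRINT, "->", parse_fingerprint(ISSUE_FINGERPRINT)[0])
    print("sample sha1:  ", x509c2n_fingerprint(SAMPLE_DER))
    print("sample sha256:", x509c2n_fingerprint(SAMPLE_DER, "sha256"))
    print("sample matches issue entry:", fingerprint_matches(ISSUE_FINGERPRINT, SAMPLE_DER))
```

To check a real deployment, feed load_der() the client certificate (PEM or the base64 body stored under ietf-keystore) and compare fingerprint_matches() against each <cert-to-name> entry; a mismatch means the client will never be mapped to a username, while a match with a weak algorithm id (01 = MD5) is worth replacing with 04 = SHA-256.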

michalvasko commented 5 years ago

Hi, it seems you configured everything well because you successfully connected to the server. So, you are saying the SSH connection works fine? Then I do not know what can be wrong.

I have just tried to set up TLS from scratch and it worked fine, so my suggestion is to completely clean and reinstall sysrepo, keystored, and netopeer2-server and then try again. Also, what version of OpenSSL are you using?

Regards, Michal

cromlegionar commented 5 years ago

Hello, thank you for your quick answer. Unfortunately I cannot get the system running after a reinstall. I deleted all files using the install_manifest.txt files, deleted all GitHub clones, updated all my packages, cloned the repositories at the current version and cmake'd, make'd, and make installed everything. Now the server cannot set the hostkey "ssh_host_rsa_key" when a client is connecting:

[2018/12/03 18:04:22.968307, 1] ssh_pki_import_privkey_file:  Error opening /usr/local/etc/keystored/keys/ssh_host_rsa_key.pem: No such file or directory
[ERR]: Failed to set hostkey "ssh_host_rsa_key" (/usr/local/etc/keystored/keys/ssh_host_rsa_key.pem).

client:

> connect
nc ERROR: Starting the SSH session failed (Socket error: Connection reset by peer).
cmd_connect: Connecting to the localhost:830 as user "root" failed.

I noticed that during the keystore installation a message like this one from "ssh-key-import.sh" popped up; sadly I did not save the installation log:

Some ietf-keystore configuration set, skipping stock key configuration import.

Could you point out what I mixed up this time? The keystore dir /usr/local/etc/keystored/keys/ is indeed empty; is there an easy way to repopulate it, or do I have to reinstall the whole setup? (If I left something out while de/reinstalling everything, please tell me.)

Thank you for your help

michalvasko commented 5 years ago

Hi, I could have been more specific, probably the most important step is correctly reinstalling sysrepo and we have recently added a make target uninstall_with_repo that should perform all that is needed. After that install sysrepo, keystored, and netopeer2-server and pay special attention to the install output as any problems should be displayed. If the installations finish successfully without warnings, it should all work fine.

Regards, Michal

cromlegionar commented 5 years ago

Hello, I am sorry to bother you again (and for replying so late), but now I am running into an error I never had before. I reinstalled everything, even installed the whole project from scratch onto a brand new Debian installation (on a PC which is physically identical to the one I am working on). I scanned through the whole installation log, but I could not find any errors. (I did not install valgrind, which is throwing a warning, but there are no serious/unexplainable messages.) Now the client disconnects from the server (because the encryption does not match?):

Client Log:

> connect
nc ERROR: Starting the SSH session failed (Public key from server (rsa-sha2-512) doesn't match user preference (ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-rsa,ssh-dss)).
cmd_connect: Connecting to the localhost:830 as user "siemens" failed.

Server Log:

[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/name" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/address" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/port" created.
[INF]: Listening on 0.0.0.0:830 for SSH connections.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/host-keys" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/host-keys/host-key[name='imported SSH key']/name" created.
[INF]: Path "/ietf-netconf-server:netconf-server/listen/endpoint[name='all-interfaces']/ssh/host-keys/host-key[name='imported SSH key']/public-key" created.
[INF]: Accepted a connection on 0.0.0.0:830.
[2018/12/07 14:47:12.343262, 2] ssh_pki_import_privkey_base64:  Trying to decode privkey passphrase=false
[2018/12/07 14:47:12.344929, 1] ssh_server_connection_callback:  SSH client banner: SSH-2.0-libssh_0.8.90
[2018/12/07 14:47:12.344970, 1] ssh_analyze_banner:  Analyzing banner: SSH-2.0-libssh_0.8.90
[2018/12/07 14:47:12.346293, 2] ssh_kex_select_methods:  Negotiated curve25519-sha256,ssh-rsa,aes256-gcm@openssh.com,aes256-gcm@openssh.com,hmac-sha2-256,hmac-sha2-256,none,none,,
[2018/12/07 14:47:12.411862, 2] ssh_server_curve25519_init:  SSH_MSG_KEX_ECDH_REPLY sent
[2018/12/07 14:47:12.411919, 2] ssh_server_curve25519_init:  SSH_MSG_NEWKEYS sent
[2018/12/07 14:47:12.420715, 2] ssh_packet_newkeys:  Received SSH_MSG_NEWKEYS
[2018/12/07 14:47:12.420873, 1] ssh_socket_exception_callback:  Socket exception callback: 1 (0)
[2018/12/07 14:47:12.420881, 1] ssh_socket_exception_callback:  Socket error: disconnected
[ERR]: Communication SSH socket unexpectedly closed.

I cannot recall doing anything different from when I used to get an SSH connection and only fail at the TLS connection; do you know what went wrong this time? Again, thank you very much for your help!

Regards, Kilian

michalvasko commented 5 years ago

Hi Kilian, I would blame libssh for this as you are using the latest master version, which is my guess. Try using libssh v0.8.5.

Regards, Michal

cromlegionar commented 5 years ago

Hello Michal,

It actually was the master version of libssh which caused the problems, thank you (although it did originally work with the master version...). However, all of this did not solve the original problem. I noticed I placed the wrong log output into the server section for "connect --tls" (in the original post):

[INF]: Session 1: thread 0 event new RPC.
[INF]: Accepted a connection on 0.0.0.0:6513.
[INF]: Cert verify: depth 1.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify: issuer:  /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify CTN: entry with a matching fingerprint found.
[INF]: Cert verify CTN: new client username recognized as "test".
[INF]: Cert verify: depth 0.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/O=CESNET/OU=TMC/CN=example client/emailAddress=exampleclient@localhost.
[INF]: Cert verify: issuer:  /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Generated new event (netconf-session-start).
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Session 2: thread 1 event new RPC.
[ERR]: Session 2: reading from the TLS session failed (SSL code 1).
[INF]: Session 2: thread 3 event session terminated.
[INF]: Generated new event (netconf-session-end).

Also, I am currently using OpenSSL 1.1.0j 20 Nov 2018 (should I use another one?)
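
The two "Cert verify CTN" lines in the server log above show what happened after the chain verified: the server hashed a certificate in the presented chain, found a cert-to-name (CTN) entry with the same fingerprint, and took the username "test" from that entry. The following Python sketch is an added illustration of how such a cert-to-name list is evaluated as RFC 7407 / RFC 7589 describe it (entries tried in order of id, first fingerprint match against any certificate in the chain wins, name derived per map-type from the client's own certificate). It is not libnetconf2 or netopeer2 code; the certificate records, DER bytes, fingerprints and the client's subjectAltName are constructed stand-ins, not real X.509 data.

```python
"""Resolve a NETCONF-over-TLS client username from a verified certificate
chain via a cert-to-name list. Added illustration, not libnetconf2 code."""
import hashlib
from typing import Optional

# The leading octet of an RFC 7407 tls-fingerprint is the IANA TLS
# HashAlgorithm id; the rest is the hex digest of the DER certificate.
HASH_BY_ID = {"01": "md5", "02": "sha1", "03": "sha224",
              "04": "sha256", "05": "sha384", "06": "sha512"}


def tls_fingerprint(der: bytes, alg_id: str = "04") -> str:
    """Return the 'NN:AA:BB:...' tls-fingerprint of a DER blob."""
    digest = hashlib.new(HASH_BY_ID[alg_id], der).digest()
    return ":".join([alg_id.upper()] + [f"{b:02X}" for b in digest])


def fingerprint_matches(entry_fp: str, der: bytes) -> bool:
    """Compare a configured fingerprint with one certificate, case-insensitively."""
    alg_id = entry_fp.split(":", 1)[0].lower()
    if alg_id not in HASH_BY_ID:
        return False  # unknown hash algorithm: never a match
    return tls_fingerprint(der, alg_id).lower() == entry_fp.lower()


def resolve_username(chain, ctn_entries) -> Optional[str]:
    """chain: leaf certificate first, then its issuers (depth 0, 1, ...).
    ctn_entries: dicts with id, fingerprint, map_type and optional name.
    Returns the username, or None when the client must be rejected."""
    leaf = chain[0]
    for entry in sorted(ctn_entries, key=lambda e: e["id"]):
        if not any(fingerprint_matches(entry["fingerprint"], c["der"]) for c in chain):
            continue
        mt = entry["map_type"]
        if mt == "specified":
            return entry["name"]          # fixed name from the entry itself
        if mt == "common-name":
            return leaf["subject"].get("CN")
        if mt == "san-rfc822-name":
            return leaf["san"].get("rfc822Name")
        if mt == "san-dns-name":
            return leaf["san"].get("dNSName")
        if mt == "san-ip-address":
            return leaf["san"].get("iPAddress")
        if mt == "san-any":
            for key in ("rfc822Name", "dNSName", "iPAddress"):
                if key in leaf["san"]:
                    return leaf["san"][key]
        return None  # matched entry, but no name can be derived: reject
    return None      # no entry matched any certificate: reject


# Constructed stand-ins for DER-encoded certificates (not real X.509).
CA_DER = b"constructed DER of example CA"
CLIENT_DER = b"constructed DER of example client"
CHAIN = [
    {"der": CLIENT_DER,
     "subject": {"C": "CZ", "O": "CESNET", "OU": "TMC", "CN": "example client"},
     "san": {"rfc822Name": "exampleclient@localhost"}},   # constructed SAN
    {"der": CA_DER,
     "subject": {"C": "CZ", "O": "CESNET", "OU": "TMC", "CN": "example CA"},
     "san": {}},
]
# Entry 1 mirrors the log: the CA's fingerprint is pinned and every client
# it has issued maps to the fixed username "test".
CTN_ENTRIES = [
    {"id": 1, "fingerprint": tls_fingerprint(CA_DER, "02"),
     "map_type": "specified", "name": "test"},
    {"id": 2, "fingerprint": tls_fingerprint(CLIENT_DER, "04"),
     "map_type": "san-rfc822-name"},
]


def demo() -> Optional[str]:
    """Username the constructed chain resolves to with the entries above."""
    return resolve_username(CHAIN, CTN_ENTRIES)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when reading a log like the one above. First, the match happened at depth 1, i.e. on the CA certificate, with a "specified" map-type: every certificate that CA ever issues will authenticate as "test", which is fine for the example setup but is not a per-client identity. In a real deployment pin the leaf certificate or use a san-/common-name map-type so the name comes from the client's own certificate, and prefer SHA-256 (id 04) fingerprints over MD5 or SHA-1 entries. Second, a fingerprint match only selects a username; it does not replace chain verification, which in the log has already succeeded before the CTN lines appear.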

michalvasko commented 5 years ago

Hi, I do not know much about OpenSSL versions, but as long as you are using a specific release, I think it should be fine. So, what does the client print in this case? The server seems fine; the error occurs after you got authenticated.

Regards, Michal

cromlegionar commented 5 years ago

Hi, the client in this case prints:

> connect --tls
nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 2: invalid session to send RPCs.
nc ERROR: Session 2: failed to send the <get-schema> RPC.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
>

cromlegionar commented 5 years ago

UPDATE: It works - kind of. After a variable number of tries a connection can be established:

> connect --tls
nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 2: invalid session to send RPCs.
nc ERROR: Session 2: failed to send the <get-schema> RPC.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 3: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 3: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 3: invalid session to send RPCs.
nc ERROR: Session 3: failed to send the <get-schema> RPC.
nc ERROR: Session 3: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 4: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 4: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 4: invalid session to send RPCs.
nc ERROR: Session 4: failed to send the <get-schema> RPC.
nc ERROR: Session 4: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 5: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 5: failed to receive a reply to <get-schema>.
nc ERROR: Session 5: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 6: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 6: failed to receive a reply to <get-schema>.
nc ERROR: Session 6: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 7: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 7: failed to receive a reply to <get-schema>.
ly ERROR: Importing "id-ref-base" module into "id-ref-aug" failed.
nc ERROR: Session 7: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 8: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 8: failed to receive a reply to <get-schema>.
nc ERROR: Session 8: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 9: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 9: failed to receive a reply to <get-schema>.
nc ERROR: Session 9: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
nc ERROR: Session 10: communication channel unexpectedly closed.
nc ERROR: Session 10: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 10: invalid session to send RPCs.
nc ERROR: Session 10: failed to send the <get-schema> RPC.
nc ERROR: Session 10: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.
> connect --tls
>

I did not change anything since my last post.

michalvasko commented 5 years ago

Hi, that is all quite weird. I have somehow improved error handling for TLS in libnetconf2; could you please update and try again?

Regards, Michal

cromlegionar commented 5 years ago

Hi,

I rebuilt the project with your changes; this is the result. Server:

Accepted a connection on 0.0.0.0:6513.
[INF]: Cert verify: depth 1.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify: issuer:  /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Cert verify CTN: entry with a matching fingerprint found.
[INF]: Cert verify CTN: new client username recognized as "test".
[INF]: Cert verify: depth 0.
[INF]: Cert verify: subject: /C=CZ/ST=South Moravia/O=CESNET/OU=TMC/CN=example client/emailAddress=exampleclient@localhost.
[INF]: Cert verify: issuer:  /C=CZ/ST=South Moravia/L=Brno/O=CESNET/OU=TMC/CN=example CA/emailAddress=exampleca@localhost.
[INF]: Generated new event (netconf-session-start).
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Resolving unresolved data nodes and their constraints...
[INF]: All data nodes and constraints resolved.
[INF]: Session 2: thread 3 event new RPC.
[ERR]: Session 2: SSL error ((null)).
[INF]: Session 2: thread 0 event session terminated.
[INF]: Generated new event (netconf-session-end).

Client (connect --tls):

> connect --tls
nc ERROR: Session 2: communication socket unexpectedly closed (OpenSSL).
nc ERROR: Session 2: failed to receive a reply to <get-schema>.
ly ERROR: Importing "ietf-datastores" module into "ietf-yang-library" failed.
nc ERROR: Session 2: invalid session to send RPCs.
nc ERROR: Session 2: failed to send the <get-schema> RPC.
nc ERROR: Session 2: invalid session, discarding.
cmd_connect: Connecting to the localhost:6513 failed.

michalvasko commented 5 years ago

Hi, this has given me more information, but we still do not know anything specific. I have made other changes hoping we could finally get an actual error, so please pull it and try again. Sorry that it was not already there but we have never really had any chance to test it until now, so thanks.

Regards, Michal

cromlegionar commented 5 years ago

Hello Michal,

Sorry for letting you wait until now; I could not resume working on this any sooner. Since your previous commit and my response to it, the only thing I did was pulling the second commit, building and installing it. Now the client connects via connect --tls without any problems. I only took a quick look at your changes; am I correct that you mainly added a more detailed error message output? Is this the result you expected?

Regards, Kilian

michalvasko commented 5 years ago

Hi Kilian, yes, I have only added code that should have generated an actual error message of what went wrong. If it is working for you now I highly doubt it is because of my changes. Anyway, if you encounter any problems in future, let us know.

Regards, Michal