Closed chandramohan83 closed 2 weeks ago
This exception happens when the remote web server attempts to push an event, but the Redfish service hangs up the connection during TLS handshaking because it doesn't trust the event listener's certificate. There are a couple of options here:
1) Set up the event listener with a certificate that the Redfish service trusts.
2) Install the event listener's certificate on the Redfish service as a trusted certificate.
3) Disable certificate checking in the event service for the Redfish service.
4) Switch from HTTPS to HTTP.
Hi Mike Raineri, is there a way to disable handshake/certificate verification in the event listener?
It's not possible to disable TLS handshaking; that would break HTTPS.
Disabling of verification would need to be done on the Redfish service; the event listener is providing the certificate to the Redfish service, but the Redfish service is rejecting it and closing the connection. The event listener is not performing any verification.
Looks like the certificate from the event listener has expired:
root@abcd:/etc/ssl/certs openssl s_client -connect 10.41.25.182:1234
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = RedfishEvent
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = RedfishEvent
verify error:num=10:certificate has expired
notAfter=May 24 12:39:02 2022 GMT
verify return:1
depth=0 CN = RedfishEvent
notAfter=May 24 12:39:02 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = RedfishEvent
   i:CN = RedfishEvent
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 24 12:39:02 2017 GMT; NotAfter: May 24 12:39:02 2022 GMT
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
If you make a new self-signed cert, will the service accept it then?
Hi @mraineri ,
I saw you have uploaded new cert.pem and server.key files. Thank you very much.
When I use HTTP without SSL, this works fine. But if I use HTTPS with SSL it fails; the config and error are below:
config.ini
[Information]
Updated = February 24, 2023
Description = Redfish Event Listener Tool Simple Config
[SystemInformation]
ListenerIP = 0.0.0.0
ListenerPort = 443
UseSSL = on
[CertificateDetails]
certfile = cert.pem
keyfile = server.key
[SubscriptionDetails]
Destination = https://172.20.80.22/
Context = Public
[ServerInformation]
ServerIPs = ["https://172.20.0.42"]
UserNames = ["root"]
Passwords = ["0penBmc"]
LoginType = ["Session"]
Error is below:
Redfish Event Listener v1.1.4
ServerIP:: https://172.20.0.42
UserName:: root
Attempt 1 of /redfish/v1/
Response Time for GET to /redfish/v1/: 0.03673682175576687 seconds.
Attempt 1 of /redfish/v1/SessionService/Sessions
Response Time for POST to /redfish/v1/SessionService/Sessions: 0.1079807747155428 seconds.
Login returned code 201: {
"@odata.id": "/redfish/v1/SessionService/Sessions/1Jty3ILfop",
"@odata.type": "#Session.v1_5_0.Session",
"ClientOriginIPAddress": "172.20.80.22",
"Description": "Manager User Session",
"Id": "1Jty3ILfop",
"Name": "User Session",
"UserName": "root"
}
Attempt 1 of /redfish/v1/
Response Time for GET to /redfish/v1/: 0.006796425208449364 seconds.
Attempt 1 of /redfish/v1/EventService
Response Time for GET to /redfish/v1/EventService: 0.00610785186290741 seconds.
Attempt 1 of /redfish/v1/EventService/Subscriptions
Response Time for POST to /redfish/v1/EventService/Subscriptions: 0.05007411167025566 seconds.
Subscription is successful for https://172.20.0.42, /redfish/v1/EventService/Subscriptions/474605479
Continuing with Listener.
Listening on 0.0.0.0:443 via HTTPS
Press Ctrl-C to close program
............................
Socket connected::
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
self.run()
File "/usr/lib/python3.8/threading.py", line 870, in run
self._target(*self._args, **self._kwargs)
File "RedfishEventListener_v1.py", line 87, in process_data
connstreamout = context.wrap_socket(newsocketconn, server_side=True)
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1069, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1338, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1131)
.........
Socket connected::
.........
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
self.run()
File "/usr/lib/python3.8/threading.py", line 870, in run
self._target(*self._args, **self._kwargs)
File "RedfishEventListener_v1.py", line 87, in process_data
connstreamout = context.wrap_socket(newsocketconn, server_side=True)
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1069, in _create
How can I use SSL to build a connection between them? Do I have to upload another key to the BMC?
Thank you in advance.
Not the key, but the certificate. Your BMC may have implemented the SecurityPolicy resource and will not trust a self-signed certificate unless you install it yourself.
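As an added example (not code from the Redfish-Event-Listener project or from anyone in this thread), the following POSIX shell script runs the checks a practitioner would do on the listener's cert.pem before subscribing: it prints the same subject, issuer and validity details the openssl s_client output above shows, flags a self-signed or expiring certificate, and uses openssl verify against a chosen trust bundle to model whether a Redfish service that trusts only that bundle would accept the certificate, which is the decision that otherwise surfaces on the listener as TLSV1_ALERT_UNKNOWN_CA. It assumes the openssl command-line tool is installed; the function names and the trust-bundle argument are this example's own, not anything the project provides.

```shell
#!/bin/sh
# Added example, not part of the DMTF Redfish-Event-Listener project.
# Pre-flight checks for the listener certificate, modelling what the Redfish
# service does when the listener presents cert.pem during the TLS handshake.
# Assumes the openssl command-line tool is installed.

# Print subject, issuer and validity period of a PEM certificate (the same
# fields the openssl s_client output in the thread reports).
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Return 0 if the certificate is self-signed (subject equals issuer).
# A self-signed listener certificate is only accepted by a Redfish service
# that has had this exact certificate installed as trusted (option 2).
cert_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Return 0 if the certificate stays valid for at least $2 more seconds
# (default 0, i.e. "not expired right now"). The thread's certificate
# failed this check: notAfter=May 24 12:39:02 2022 GMT.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Return 0 if a service whose trust store is the PEM bundle $1 would accept
# the listener certificate $2. Only $1 is consulted, never the system store,
# so this mirrors a BMC that trusts nothing but what was installed on it.
# A failure here is what the listener sees as "tlsv1 alert unknown ca".
service_would_trust() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check on a listener certificate; exit status is 0 only if the
# service would accept it and it is not about to expire.
check_listener_cert() {
    cert="$1"       # e.g. cert.pem from config.ini
    trust="$2"      # PEM bundle of what the Redfish service trusts (assumed file)
    rc=0
    describe_cert "$cert"
    if cert_is_self_signed "$cert"; then
        echo "self-signed: the service must have this exact certificate installed as trusted"
    fi
    if ! cert_valid_for "$cert" 2592000; then
        echo "expired or expiring within 30 days: issue a new certificate"
        rc=1
    fi
    if ! service_would_trust "$trust" "$cert"; then
        echo "not trusted by the service's trust store: expect 'tlsv1 alert unknown ca'"
        rc=1
    fi
    return $rc
}

# Usage: sh check_cert.sh cert.pem bmc-trusted.pem
if [ "$#" -eq 2 ]; then
    check_listener_cert "$1" "$2"
fi
```

Run it as sh check_cert.sh cert.pem bmc-trusted.pem, where bmc-trusted.pem is a PEM bundle of whatever the BMC trusts; to model option 2 above, pass cert.pem itself as the bundle, and the verify step should then pass while the same certificate against any other bundle reproduces the unknown-CA rejection.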
Hi DMTF,
I am getting the below error when the destination is configured with https://:port.
The subscription is successful but when I send the event from BMC it is failing.
Please provide information on where I can disable the HTTPS handshake while still being able to receive the HTTPS message.
Attempt 1 of /redfish/v1/
Response Time for GET to /redfish/v1/: 0.03368935314938426 seconds.
Attempt 1 of /redfish/v1/EventService
Response Time for GET to /redfish/v1/EventService: 0.06416380102746189 seconds.
Attempt 1 of /redfish/v1/EventService/Subscriptions
Response Time for POST to /redfish/v1/EventService/Subscriptions: 0.07108544814400375 seconds.
Subscription is successful for https://127.0.0.1:2443, /redfish/v1/EventService/Subscriptions/3072935522
Continuing with Listener.
Listening on 10.41.25.182:1234 via HTTPS
Press Ctrl-C to close program
.............
Socket connected::
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
self.run()
File "/usr/lib/python3.8/threading.py", line 870, in run
self._target(*self._args, **self._kwargs)
File "RedfishEventListener_v1.py", line 52, in process_data
connstreamout = context.wrap_socket(newsocketconn, server_side=True)
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1131)