DMTF / Redfish-Event-Listener

The Redfish Event Listener is a lightweight HTTPS server that can be deployed to read and record events from Redfish services.

Https receiving throwing error #32

Closed chandramohan83 closed 2 weeks ago

chandramohan83 commented 9 months ago

Hi DMTF,

I am getting the below error while the destination is configured with https://:port

The subscription is successful, but when I send the event from the BMC it fails.

Please provide info on where I can disable the HTTPS handshake while still being able to receive the HTTPS message.

Attempt 1 of /redfish/v1/
Response Time for GET to /redfish/v1/: 0.03368935314938426 seconds.
Attempt 1 of /redfish/v1/EventService
Response Time for GET to /redfish/v1/EventService: 0.06416380102746189 seconds.
Attempt 1 of /redfish/v1/EventService/Subscriptions
Response Time for POST to /redfish/v1/EventService/Subscriptions: 0.07108544814400375 seconds.
Subscription is successful for https://127.0.0.1:2443, /redfish/v1/EventService/Subscriptions/3072935522
Continuing with Listener.
Listening on 10.41.25.182:1234 via HTTPS
Press Ctrl-C to close program
.............
Socket connected::
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "RedfishEventListener_v1.py", line 52, in process_data
    connstreamout = context.wrap_socket(newsocketconn, server_side=True)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1131)

mraineri commented 9 months ago

This exception happens when the remote web server attempts to push an event, but the Redfish service hangs up the connection during TLS handshaking because it doesn't trust the event listener's certificate. There are a couple of options here:

1) Set up the event listener with a certificate that the Redfish service trusts.
2) Install the event listener's certificate on the Redfish service as a trusted certificate.
3) Disable certificate checking in the event service for the Redfish service.
4) Switch from HTTPS to HTTP.

chandramohan83 commented 9 months ago

Hi Mike Raineri, is there a way to disable handshake/certificate verification in the Event Listener?

mraineri commented 9 months ago

It's not possible to disable TLS handshaking; that would break HTTPS.

Disabling of verification would need to be done on the Redfish service; the event listener is providing the certificate to the Redfish service, but the Redfish service is rejecting it and closing the connection. The event listener is not performing any verification.

chandramohan83 commented 9 months ago

Looks like the certificate from the event listener has expired:

root@abcd:/etc/ssl/certs openssl s_client -connect 10.41.25.182:1234
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = RedfishEvent
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = RedfishEvent
verify error:num=10:certificate has expired
notAfter=May 24 12:39:02 2022 GMT
verify return:1
depth=0 CN = RedfishEvent
notAfter=May 24 12:39:02 2022 GMT
verify return:1

Certificate chain
 0 s:CN = RedfishEvent
   i:CN = RedfishEvent
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 24 12:39:02 2017 GMT; NotAfter: May 24 12:39:02 2022 GMT

Server certificate
-----BEGIN CERTIFICATE-----
MIIFBDCCAuygAwIBAgIJAJR2Z5lKdQbaMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
BAMMDFJlZGZpc2hFdmVudDAeFw0xNzA1MjQxMjM5MDJaFw0yMjA1MjQxMjM5MDJa
MBcxFTATBgNVBAMMDFJlZGZpc2hFdmVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAMNMB3v/ZUCNxgLUyw6jYKZLkyqpUYXAw4vw6s9+23PqgKnuc9oZ
FG5GYheBp/lsXcPUXq/jDe4GE3gaZEWrVUjNiHH6EPbEd0WbMEqguxWFuXaECCSh
k2PHI1EYhDWgm2IUgrrMzt5m0M32CMo3IjteuGHbAhfcvYKrSV0enMXWC0M3Mja9
0GuMqp4JsyWpou/f+J7oXm8bV0uLUBNikAJlVqFAsg2diHh3e45y15CqGB5rJcGV
MiVQSQ7LYKBryWs6+L0WoCO5N9pTm5fTJu5D+JWrdveDj50ZfJSXxR5bO9zP97uC
HZfZshRjWnk+TcAxj1jhOgxe2AYWjWpxpjxu23hFmeu29DghmoFvWPjliJkPa3a2
Y51hE3g1Skd9zMh5UNTWdbIn87XElpNBgpnVyim3EvNXcMeZ3vLXEW1lpw8enIiX
eCDnJBCBViV24bTOk+gMybEs4Zp4kuT38epz5rp3jMqaIp383opNLBtQiZ5ex3MT
bU6oBGjN6sSaW1zZf0amoQYw0c1lVbZ6U7Na4Eyrr+LSeyZw1GpNZHwV9xGEnVkP
Psgdt3nXICnjasJ5CHX04iCsJwuvpDXrR3FwJiZYYm3LANkkspDoryrb/kQRlKTs
kk4nTBk/i7yqWom2rzCXejg/Gbb6DyKUEPLUlFqI7O3Nvq92IxzXGJ0LAgMBAAGj
UzBRMB0GA1UdDgQWBBTBB0Tyst7jJx5dvYF2wIOLB0nYiTAfBgNVHSMEGDAWgBTB
B0Tyst7jJx5dvYF2wIOLB0nYiTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
CwUAA4ICAQCgVYFHsCMmhHEur+38V/ciUokgL0TGxhkxZLmT+WdmyRC/I+6mM5mC
yquh3qx8bVmDx24bD7VjkUdf+kXDrQkq1EfkSmXnCn8+eiShEPfzBAiU2gd0F6S+
iuz3SJMhTseKMhyBwDRzRUraSqMCmYwaeG/nbRvYjRxMmz0zzxOAnwQhE5WFh0Yv
vhbtKHxnoIjL/EZ84nS7tiDv41zd1se5l0effc2B0sE4PAU1dxWSTgMTFNybYHxb
08YvSwXm2a4YHtIUw0hGf2CLB0TQWilXpksWs5N0p287n/4rOs03lvIjJZv1b0ZL
B2GQ8C0PbIu7ZxPqePXPyDpsd2qv7LgYFCz1RdfjYzRRPbMu/5+NbOl1p4OVNY4i
Xqy1j/zGa0tDw7DgtadNRa07UACBHhRORLFdbLJAezaKraXrota6TGl88SoaIxPv
ujxOoSpD09g5zV82YxsV27m7cnsqIwuvt2yG66qd8E0v1MR6ln7r8qEbifZ6qVhv
p93LmxGDTmrLjVWXG7QFwffsIabCPQwHgRXSq796wm/HxTpJ+1VtxT8ABdo6N6Ur
utG1ltmpeislDagY0McMy0gAXqHfBb318ZprR0UemuGy6G4C74PZBKQtGjCf82iV
B6jpbdZdvti3oGFrYTqgZ3DcGfvgALm5dci7TQOPmeACbmIWoGvuuA==
-----END CERTIFICATE-----
subject=CN = RedfishEvent
issuer=CN = RedfishEvent

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2100 bytes and written 377 bytes
Verification error: certificate has expired

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
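As an added example that is not part of the Redfish-Event-Listener project or of any comment in this thread, the script below reproduces the diagnosis shown in the openssl s_client output above without a network connection. It parses the certificate pasted in this post with a minimal DER walker (standard library only, no `cryptography` dependency) and reports the subject and issuer CN, whether the certificate is self-signed (issuer DN byte-identical to subject DN), whether it is expired at a given time, and its SHA-256 fingerprint, which is the value an operator would compare when installing the listener's certificate as trusted on the Redfish service. All function and variable names (`inspect_certificate`, `LISTENER_CERT_PEM`, and the helpers) are my own.

```python
"""Inspect the Redfish Event Listener's cert.pem offline.

Added example, not part of the Redfish-Event-Listener project: a minimal
DER walker that pulls subject/issuer CN and the validity window out of an
X.509 certificate, then reports whether the certificate is self-signed or
expired. LISTENER_CERT_PEM is the certificate pasted in this issue.
"""
import base64
import datetime
import hashlib
import re

# The certificate the listener presented in the s_client output above.
LISTENER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFBDCCAuygAwIBAgIJAJR2Z5lKdQbaMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
BAMMDFJlZGZpc2hFdmVudDAeFw0xNzA1MjQxMjM5MDJaFw0yMjA1MjQxMjM5MDJa
MBcxFTATBgNVBAMMDFJlZGZpc2hFdmVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAMNMB3v/ZUCNxgLUyw6jYKZLkyqpUYXAw4vw6s9+23PqgKnuc9oZ
FG5GYheBp/lsXcPUXq/jDe4GE3gaZEWrVUjNiHH6EPbEd0WbMEqguxWFuXaECCSh
k2PHI1EYhDWgm2IUgrrMzt5m0M32CMo3IjteuGHbAhfcvYKrSV0enMXWC0M3Mja9
0GuMqp4JsyWpou/f+J7oXm8bV0uLUBNikAJlVqFAsg2diHh3e45y15CqGB5rJcGV
MiVQSQ7LYKBryWs6+L0WoCO5N9pTm5fTJu5D+JWrdveDj50ZfJSXxR5bO9zP97uC
HZfZshRjWnk+TcAxj1jhOgxe2AYWjWpxpjxu23hFmeu29DghmoFvWPjliJkPa3a2
Y51hE3g1Skd9zMh5UNTWdbIn87XElpNBgpnVyim3EvNXcMeZ3vLXEW1lpw8enIiX
eCDnJBCBViV24bTOk+gMybEs4Zp4kuT38epz5rp3jMqaIp383opNLBtQiZ5ex3MT
bU6oBGjN6sSaW1zZf0amoQYw0c1lVbZ6U7Na4Eyrr+LSeyZw1GpNZHwV9xGEnVkP
Psgdt3nXICnjasJ5CHX04iCsJwuvpDXrR3FwJiZYYm3LANkkspDoryrb/kQRlKTs
kk4nTBk/i7yqWom2rzCXejg/Gbb6DyKUEPLUlFqI7O3Nvq92IxzXGJ0LAgMBAAGj
UzBRMB0GA1UdDgQWBBTBB0Tyst7jJx5dvYF2wIOLB0nYiTAfBgNVHSMEGDAWgBTB
B0Tyst7jJx5dvYF2wIOLB0nYiTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
CwUAA4ICAQCgVYFHsCMmhHEur+38V/ciUokgL0TGxhkxZLmT+WdmyRC/I+6mM5mC
yquh3qx8bVmDx24bD7VjkUdf+kXDrQkq1EfkSmXnCn8+eiShEPfzBAiU2gd0F6S+
iuz3SJMhTseKMhyBwDRzRUraSqMCmYwaeG/nbRvYjRxMmz0zzxOAnwQhE5WFh0Yv
vhbtKHxnoIjL/EZ84nS7tiDv41zd1se5l0effc2B0sE4PAU1dxWSTgMTFNybYHxb
08YvSwXm2a4YHtIUw0hGf2CLB0TQWilXpksWs5N0p287n/4rOs03lvIjJZv1b0ZL
B2GQ8C0PbIu7ZxPqePXPyDpsd2qv7LgYFCz1RdfjYzRRPbMu/5+NbOl1p4OVNY4i
Xqy1j/zGa0tDw7DgtadNRa07UACBHhRORLFdbLJAezaKraXrota6TGl88SoaIxPv
ujxOoSpD09g5zV82YxsV27m7cnsqIwuvt2yG66qd8E0v1MR6ln7r8qEbifZ6qVhv
p93LmxGDTmrLjVWXG7QFwffsIabCPQwHgRXSq796wm/HxTpJ+1VtxT8ABdo6N6Ur
utG1ltmpeislDagY0McMy0gAXqHfBb318ZprR0UemuGy6G4C74PZBKQtGjCf82iV
B6jpbdZdvti3oGFrYTqgZ3DcGfvgALm5dci7TQOPmeACbmIWoGvuuA==
-----END CERTIFICATE-----"""

CN_OID = b"\x55\x04\x03"  # DER encoding of id-at-commonName (2.5.4.3)


def pem_to_der(pem):
    """Strip the PEM armor and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def common_name(name_der):
    """Return the CN attribute of a DER-encoded X.501 Name, or None."""
    for _, rdn in children(name_der):        # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, atv in children(rdn):         # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, value) = children(atv)
            if oid == CN_OID:
                return value.decode("utf-8")
    return None


def parse_time(tag, value):
    """Decode a Validity field: UTCTime (tag 0x17) or GeneralizedTime (0x18)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    parsed = datetime.datetime.strptime(value.decode("ascii"), fmt)
    return parsed.replace(tzinfo=datetime.timezone.utc)


def inspect_certificate(pem, now=None):
    """Summarise the fields needed to diagnose an 'unknown CA' alert."""
    der = pem_to_der(pem)
    (_, cert), = children(der)               # Certificate ::= SEQUENCE {...}
    tbs = children(cert)[0][1]               # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (nb_tag, nb), (na_tag, na) = children(validity)
    not_before, not_after = parse_time(nb_tag, nb), parse_time(na_tag, na)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return {
        "subject_cn": common_name(subject),
        "issuer_cn": common_name(issuer),
        "self_signed": issuer == subject,    # issuer DN byte-identical to subject DN
        "not_before": not_before,
        "not_after": not_after,
        "expired": not (not_before <= now <= not_after),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in inspect_certificate(LISTENER_CERT_PEM).items():
        print(f"{key}: {value}")
```

Running it against the certificate above reports a self-signed `RedfishEvent` certificate valid from 2017-05-24 to 2022-05-24, i.e. expired at the time of this thread, which matches `Verify return code: 10 (certificate has expired)`. Pointing `LISTENER_CERT_PEM` at the contents of the `certfile` named in config.ini is a quick pre-deployment check before the Redfish service is asked to trust it.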

mraineri commented 9 months ago

If you make a new self-signed cert, will the service accept it then?

awan119 commented 3 days ago

Hi @mraineri ,

I saw you have uploaded new cert.pem and server.key files. Thank you very much.

When I use HTTP without SSL, this works fine. But if I use HTTPS with SSL it fails; the config and error are below:

config.ini

[Information]
Updated = February 24, 2023
Description = Redfish Event Listener Tool Simple Config

[SystemInformation]
ListenerIP = 0.0.0.0
ListenerPort = 443
UseSSL = on

[CertificateDetails]
certfile = cert.pem
keyfile = server.key

[SubscriptionDetails]
Destination = https://172.20.80.22/
Context = Public

[ServerInformation]
ServerIPs = ["https://172.20.0.42"]
UserNames = ["root"]
Passwords = ["0penBmc"]
LoginType = ["Session"]

Error is below:

Redfish Event Listener v1.1.4
ServerIP:: https://172.20.0.42
UserName:: root
Attempt 1 of /redfish/v1/
Response Time for GET to /redfish/v1/: 0.03673682175576687 seconds.
Attempt 1 of /redfish/v1/SessionService/Sessions
Response Time for POST to /redfish/v1/SessionService/Sessions: 0.1079807747155428 seconds.
Login returned code 201: {
  "@odata.id": "/redfish/v1/SessionService/Sessions/1Jty3ILfop",
  "@odata.type": "#Session.v1_5_0.Session",
  "ClientOriginIPAddress": "172.20.80.22",
  "Description": "Manager User Session",
  "Id": "1Jty3ILfop",
  "Name": "User Session",
  "UserName": "root"
}
Attempt 1 of /redfish/v1/
Response Time for GET to /redfish/v1/: 0.006796425208449364 seconds.
Attempt 1 of /redfish/v1/EventService
Response Time for GET to /redfish/v1/EventService: 0.00610785186290741 seconds.
Attempt 1 of /redfish/v1/EventService/Subscriptions
Response Time for POST to /redfish/v1/EventService/Subscriptions: 0.05007411167025566 seconds.
Subscription is successful for https://172.20.0.42, /redfish/v1/EventService/Subscriptions/474605479
Continuing with Listener.
Listening on 0.0.0.0:443 via HTTPS
Press Ctrl-C to close program
............................
Socket connected::
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "RedfishEventListener_v1.py", line 87, in process_data
    connstreamout = context.wrap_socket(newsocketconn, server_side=True)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1069, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1338, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1131)
.........
Socket connected::
.........Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "RedfishEventListener_v1.py", line 87, in process_data
    connstreamout = context.wrap_socket(newsocketconn, server_side=True)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1069, in _create

How can I use SSL to build a connection between them? Do I have to upload another key to the BMC?

Thank you in advance.

mraineri commented 2 days ago

Not the key, but the certificate. Your BMC may have implemented the SecurityPolicy resource and will not trust a self-signed certificate unless you install it yourself.