cisco / libacvp

The libacvp library is a client-side implementation of the draft ACVP protocol (github.com/usnistgov/ACVP).
Apache License 2.0

Error when connecting to the demo acvts server: curl failed with code 58 #862

Closed. wadelockhart closed this issue 1 week ago.

wadelockhart commented 1 week ago

When I try to connect to the demo acvts nist server using the libacvp client I receive the following error:

attempt to connect and run sample verbose

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --sample --aes --verbose

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CA_FILE:    /opt/nist_work/libacvp/certs/acvp.nist.gov.crt
    ACV_CERT_FILE:  /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
    ACV_KEY_FILE:   /opt/nist_work/libacvp/certs/private.key

[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate)
[ACVP]: POST Login...
        Status: 0
        Url: https://demo.acvts.nist.gov:443/acvp/v1/login
        Resp: Recieved

[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

check the file paths are correct

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/nist_work/libacvp/certs/acvp.nist.gov.crt
-rw-r--r-- 1 wade.lockhart domain users 1566 Sep  9 18:00 /opt/nist_work/libacvp/certs/acvp.nist.gov.crt
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
-rw-r----- 1 wade.lockhart domain users 2260 Sep 10 10:49 /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/nist_work/libacvp/certs/private.key
-rw------- 1 wade.lockhart domain users 1708 Sep 10 10:50 /opt/nist_work/libacvp/certs/private.key

version of curl installed

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.9 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

check LD_LIBRARY_PATH for the session

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $LD_LIBRARY_PATH
/opt/openssl/lib64:/usr/lib/x86_64-linux-gnu

check location of the libcurl libraries

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ sudo ls -l /usr/lib/x86_64-linux-gnu/libcurl*
-rw-r--r-- 1 root root 1320362 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl.a
lrwxrwxrwx 1 root root      19 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.3 -> libcurl-gnutls.so.4
lrwxrwxrwx 1 root root      23 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 -> libcurl-gnutls.so.4.7.0
-rw-r--r-- 1 root root  657176 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.7.0
lrwxrwxrwx 1 root root      16 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl.so -> libcurl.so.4.7.0
lrwxrwxrwx 1 root root      16 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl.so.4 -> libcurl.so.4.7.0
-rw-r--r-- 1 root root  677656 Aug  1 07:51 /usr/lib/x86_64-linux-gnu/libcurl.so.4.7.0

I looked through the existing issues, but nothing I tried seemed to help out. Any thoughts?

wadelockhart commented 1 week ago

I just re-read the readme and noticed...

A potential source of issues is the default libcurl on the Linux distro, which may be linked against the previously mentioned default OpenSSL. This could result in linker failures when trying to use the system default libcurl with the new OpenSSL install (due to missing symbols). Therefore, you SHOULD download the Curl source, compile it against the "new" OpenSSL header files, and link libcurl against the "new" OpenSSL. libacvp uses compile time macro logic to address differences in the APIs of different OpenSSL versions; therefore, it is important that you ensure libacvp is linking to the correct openSSL versions at run time as well.

...I am currently using the default libcurl installation. I will build from source as recommended here to see if that fixes the issue.

wadelockhart commented 1 week ago

Compiled curl 7.81 from source and linked it to the custom OpenSSL 3.0.9 installed at /opt/openssl.

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ which curl
/usr/local/bin/curl

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ curl -V
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.9 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ldd /usr/local/bin/curl | grep libcrypto
        libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f20ec238000)
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ldd /usr/local/bin/curl | grep libssl
        libssl.so.3 => /opt/openssl/lib64/libssl.so.3 (0x00007f91f8d8a000)

...however, the same issue persists.

Any thoughts?
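The README passage quoted above asks for something that `which curl` and `curl -V` do not prove: that the binary actually running resolves libcurl, libssl and libcrypto to the custom builds at run time. The shell below is an added example, not libacvp's or the reporter's code. It assumes the custom OpenSSL lives under /opt/openssl and the rebuilt libcurl under /usr/local/lib, as in the session output; the ldd output it parses is constructed, and the libtool wrapper note is an assumption about a fresh autotools build of libacvp.

```shell
#!/bin/sh
# Added example, not libacvp code: verify which libcurl, libssl and libcrypto a
# binary really loads at run time, instead of trusting `which curl` or
# $LD_LIBRARY_PATH. Paths under /opt/openssl and /usr/local/lib are assumptions
# taken from the thread's layout.

# Constructed ldd output for a correctly linked binary (not captured from a real run).
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffd1b3f0000)
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007f20ec400000)
        libssl.so.3 => /opt/openssl/lib64/libssl.so.3 (0x00007f20ec300000)
        libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f20ec238000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f20ec000000)'

# Constructed ldd output for the failure mode the README warns about: the
# distro libcurl (built against the distro OpenSSL) is picked up instead.
SAMPLE_LDD_SYSTEM_CURL='        libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f20ec400000)
        libssl.so.3 => /opt/openssl/lib64/libssl.so.3 (0x00007f20ec300000)
        libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f20ec238000)'

# Regex the resolved paths must match: the custom OpenSSL and the rebuilt libcurl.
EXPECTED_PREFIX_RE='^(/opt/openssl/|/usr/local/lib/)'

# check_linkage PREFIX_RE: reads ldd output on stdin. Every libcurl, libssl and
# libcrypto line must resolve to a path matching PREFIX_RE, and all three must
# be present. Prints one line per library; returns 0 on success, 1 otherwise.
check_linkage() {
    awk -v re="$1" '
        $1 ~ /^lib(curl|ssl|crypto)\.so/ {
            if (!($1 in seen)) { seen[$1] = 1; n++ }
            if ($3 ~ re) { print "ok:         " $1 " -> " $3 }
            else         { bad = 1; print "unexpected: " $1 " -> " $3 }
        }
        END {
            if (n < 3) { bad = 1; print "missing: expected libcurl, libssl and libcrypto, saw " n + 0 }
            exit bad ? 1 : 0
        }
    '
}

# ldd_via_libtool BINARY: in an autotools tree, ./app/acvp_app can be a libtool
# wrapper script rather than the ELF binary, which makes plain ldd print
# "not a dynamic executable" (assumption). libtool's execute mode runs ldd on
# the real binary the wrapper would launch.
ldd_via_libtool() {
    ./libtool --mode=execute ldd "$1"
}

# Offline demonstration on the constructed samples.
echo "== correctly linked =="
printf '%s\n' "$SAMPLE_LDD" | check_linkage "$EXPECTED_PREFIX_RE"
echo "== distro libcurl picked up =="
printf '%s\n' "$SAMPLE_LDD_SYSTEM_CURL" | check_linkage "$EXPECTED_PREFIX_RE" || echo "linkage check FAILED (expected here)"

# Live use from the libacvp build directory:
#   ldd_via_libtool ./app/acvp_app | check_linkage "$EXPECTED_PREFIX_RE"
```

Run the live check with the same LD_LIBRARY_PATH the acvp_app session uses; a libcurl that resolves outside the expected prefix is the mixed-OpenSSL situation the README describes, even when `curl -V` on PATH looks right.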

abkarcher commented 1 week ago

Hello,

First of all, thanks for providing so much detail and debugging! :)

Could you try different configurations with the ACV_CA_FILE variable?

If that doesn't make any progress, are you connecting from corporate/govt environment that may be interfering with the connection for security reasons?

One other thing that I don't see here - can you do ldd ./app/acvp_app to ensure it is linking to the custom-built versions of libcurl and openssl using LD_LIBRARY_PATH?

Thanks! Andrew

wadelockhart commented 1 week ago

Hey Andrew,

First thing was running the ldd command; not sure why it is showing the "not a dynamic executable" message.

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ldd ./app/acvp_app
        not a dynamic executable

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $LD_LIBRARY_PATH
/opt/openssl/lib64:/usr/lib/x86_64-linux-gnu:/usr/local/lib
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/openssl/lib64
total 16580
drwxr-xr-x 2 root root    4096 Sep  9 16:53 engines-3
-rw-r--r-- 1 root root 9508688 Sep  9 16:53 libcrypto.a
lrwxrwxrwx 1 root root      14 Sep  9 16:53 libcrypto.so -> libcrypto.so.3
-rwxr-xr-x 1 root root 5365536 Sep  9 16:53 libcrypto.so.3
-rw-r--r-- 1 root root 1266668 Sep  9 16:53 libssl.a
lrwxrwxrwx 1 root root      11 Sep  9 16:53 libssl.so -> libssl.so.3
-rwxr-xr-x 1 root root  818224 Sep  9 16:53 libssl.so.3
drwxr-xr-x 2 root root    4096 Sep  9 16:53 ossl-modules
drwxr-xr-x 2 root root    4096 Sep  9 16:53 pkgconfig
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /usr/local/lib
total 1792
-rw-r--r-- 1 root root 1182720 Sep 10 18:40 libcurl.a
-rwxr-xr-x 1 root root     973 Sep 10 18:40 libcurl.la
lrwxrwxrwx 1 root root      16 Sep 10 18:40 libcurl.so -> libcurl.so.4.7.0
lrwxrwxrwx 1 root root      16 Sep 10 18:40 libcurl.so.4 -> libcurl.so.4.7.0
-rwxr-xr-x 1 root root  638736 Sep 10 18:40 libcurl.so.4.7.0
drwxr-xr-x 2 root root    4096 Sep 10 18:40 pkgconfig
drwxr-xr-x 3 root root    4096 Feb 16  2024 python3.10

Tried the Mozilla CA bundle that comes with libacvp and got the same error, below:

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --aes --verbose

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CA_FILE:    certs/mozzila_trust_anchors.pem
    ACV_CERT_FILE:  /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
    ACV_KEY_FILE:   /opt/nist_work/libacvp/certs/private.key

[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate): could not load PEM client certificate, OpenSSL error error:03000072:digital envelope routines::decode error, (no key found, wrong pass phrase, or wrong file format?)
[ACVP]: POST Login...
        Status: 0
        Url: https://demo.acvts.nist.gov:443/acvp/v1/login
        Resp: Recieved

[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

Tried with no CA setting and got the same error:

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ source scripts/nist_setup.sh
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $ACV_CA_FILE

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --aes --verbose

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CERT_FILE:  /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
    ACV_KEY_FILE:   /opt/nist_work/libacvp/certs/private.key

[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate): could not load PEM client certificate, OpenSSL error error:03000072:digital envelope routines::decode error, (no key found, wrong pass phrase, or wrong file format?)
[ACVP]: POST Login...
        Status: 0
        Url: https://demo.acvts.nist.gov:443/acvp/v1/login
        Resp: Recieved

[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

Tried the latest Mozilla cacert.pem file, with the same issue:

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ source scripts/nist_setup.sh
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $ACV_CA_FILE
/opt/nist_work/libacvp/certs/cacert.pem
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/nist_work/libacvp/certs/cacert.pem
-rw-r----- 1 wade.lockhart domain users 228633 Sep 11 11:02 /opt/nist_work/libacvp/certs/cacert.pem
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --aes --verbose

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CA_FILE:    /opt/nist_work/libacvp/certs/cacert.pem
    ACV_CERT_FILE:  /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
    ACV_KEY_FILE:   /opt/nist_work/libacvp/certs/private.key

[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate): could not load PEM client certificate, OpenSSL error error:03000072:digital envelope routines::decode error, (no key found, wrong pass phrase, or wrong file format?)
[ACVP]: POST Login...
        Status: 0
        Url: https://demo.acvts.nist.gov:443/acvp/v1/login
        Resp: Recieved

[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

Based upon the OpenSSL error, I am inclined to think that the .cer file is bad. I did check the format and it is a PEM file.

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ file /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
/opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer: PEM certificate

Lastly, I ran it from home and behind our corporate firewall with the same results.

wadelockhart commented 1 week ago

Hey Andrew,

We found the cause of the error. Apparently, I had only enabled a FIPS provider for my OpenSSL installation. Once I added a base provider to my openssl.cnf, I am now able to login to the demo server.

wade.lockhart@wade-u22-nist/opt/nist_work/libacvp/certs$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active
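The decode error in the earlier runs and the provider list above fit one mechanism worth spelling out. In OpenSSL 3 the FIPS provider implements only the approved algorithms; the encoders and decoders that turn a PEM or DER file into a key or certificate object live in the base provider (the default provider has them too, but it also carries the non-approved algorithms, which is why base is the intended companion of fips). With only fips active, OpenSSL cannot decode the client certificate or key, libcurl fails before the TLS handshake with CURLE_SSL_CERTPROBLEM (code 58), and the NIST server is never contacted, so no choice of ACV_CA_FILE can change the outcome. The shell below is an added example, not libacvp's or the reporter's code; the `openssl list -providers` text it parses is constructed, and the fipsmodule.cnf path in the printed config is an assumption following the /opt/openssl prefix used in the thread.

```shell
#!/bin/sh
# Added example, not libacvp code: show why a FIPS-only OpenSSL 3 provider
# configuration breaks PEM loading (curl code 58, CURLE_SSL_CERTPROBLEM) and
# check a system for that state.

# Constructed `openssl list -providers` output for a FIPS-only config (assumption).
FIPS_ONLY='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# Constructed output matching the working state at the end of the thread.
FIPS_AND_BASE='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

# has_decoder_provider: reads `openssl list -providers` output on stdin, prints
# the active providers that carry PEM/DER decoders (base or default) and
# returns 0 if there is at least one, 1 otherwise. The fips provider has no
# decoders, so fips alone cannot read a certificate or key file.
has_decoder_provider() {
    awk '
        /^  [a-z]/ { name = $1 }            # two-space indent: provider name line
        /status: active/ && (name == "base" || name == "default") { found = 1; print name }
        END { exit found ? 0 : 1 }
    '
}

# check_client_cert CERT KEY: decode the client certificate and key through the
# same OpenSSL library and OPENSSL_CONF libcurl will use. A failure here is the
# "could not load PEM client certificate ... decode error" from the thread,
# before any network traffic. Needs the openssl binary built against /opt/openssl.
check_client_cert() {
    if ! openssl x509 -in "$1" -noout 2>/dev/null; then
        echo "certificate does not decode: $1" >&2
        return 1
    fi
    if ! openssl pkey -in "$2" -noout 2>/dev/null; then
        echo "private key does not decode: $2" >&2
        return 1
    fi
    echo "certificate and key decode OK"
}

# print_provider_fix: the provider section that resolves the issue, fips plus
# base. The .include path is an assumption from the /opt/openssl prefix in the
# thread; fips_sect is written into fipsmodule.cnf by `openssl fipsinstall`.
# A FIPS-only config is the same file without the base lines.
print_provider_fix() {
    cat <<'EOF'
openssl_conf = openssl_init
.include /opt/openssl/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
# The next line is what a FIPS-only configuration is missing.
base = base_sect

[base_sect]
activate = 1
EOF
}

# classify LABEL TEXT: offline demonstration on the constructed samples.
classify() {
    if printf '%s\n' "$2" | has_decoder_provider >/dev/null; then
        echo "$1: decoder-capable provider active; PEM client cert can load"
    else
        echo "$1: only fips active; expect curl error 58 on every PEM file"
    fi
}
classify FIPS_ONLY "$FIPS_ONLY"
classify FIPS_AND_BASE "$FIPS_AND_BASE"

# Live use, with the custom OpenSSL first in PATH and LD_LIBRARY_PATH:
#   openssl list -providers | has_decoder_provider || print_provider_fix
#   check_client_cert "$ACV_CERT_FILE" "$ACV_KEY_FILE"
```

Pairing fips with base rather than default keeps the non-approved algorithms out of the process while restoring file decoding; if `openssl list -providers` shows only fips, the cert check will fail regardless of how valid the .cer and key files are.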