Closed wadelockhart closed 1 week ago
I just re-read the readme and noticed...
A potential source of issues is the default libcurl on the Linux distro, which may be linked against the previously mentioned default OpenSSL. This could result in linker failures when trying to use the system default libcurl with the new OpenSSL install (due to missing symbols). Therefore, you SHOULD download the Curl source, compile it against the "new" OpenSSL header files, and link libcurl against the "new" OpenSSL. libacvp uses compile time macro logic to address differences in the APIs of different OpenSSL versions; therefore, it is important that you ensure libacvp is linking to the correct openSSL versions at run time as well.
...I am currently using the default libcurl installation. I will build from source as recommended here to see if that fixes the issue.
Compiled curl 7.81 from source and linked it to the custom OpenSSL 3.0.9 installed at /opt/openssl:
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ which curl
/usr/local/bin/curl
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ curl -V
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.9 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ldd /usr/local/bin/curl | grep libcrypto
libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f20ec238000)
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ldd /usr/local/bin/curl | grep libssl
libssl.so.3 => /opt/openssl/lib64/libssl.so.3 (0x00007f91f8d8a000)
...however, the same issue persists.
Any thoughts?
Hello,
First of all, thanks for providing so much detail and debugging! :)
Could you try different configurations with the ACV_CA_FILE variable?
If that doesn't make any progress, are you connecting from corporate/govt environment that may be interfering with the connection for security reasons?
One other thing that I don't see here - can you do ldd ./app/acvp_app to ensure it is linking to the custom-built versions of libcurl and openssl using LD_LIBRARY_PATH?
Thanks! Andrew
Hey Andrew,
First thing was running the ldd command, not sure why it is showing up as "not a dynamic executable" (message).
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ldd ./app/acvp_app
not a dynamic executable
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $LD_LIBRARY_PATH
/opt/openssl/lib64:/usr/lib/x86_64-linux-gnu:/usr/local/lib
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/openssl/lib64
total 16580
drwxr-xr-x 2 root root 4096 Sep 9 16:53 engines-3
-rw-r--r-- 1 root root 9508688 Sep 9 16:53 libcrypto.a
lrwxrwxrwx 1 root root 14 Sep 9 16:53 libcrypto.so -> libcrypto.so.3
-rwxr-xr-x 1 root root 5365536 Sep 9 16:53 libcrypto.so.3
-rw-r--r-- 1 root root 1266668 Sep 9 16:53 libssl.a
lrwxrwxrwx 1 root root 11 Sep 9 16:53 libssl.so -> libssl.so.3
-rwxr-xr-x 1 root root 818224 Sep 9 16:53 libssl.so.3
drwxr-xr-x 2 root root 4096 Sep 9 16:53 ossl-modules
drwxr-xr-x 2 root root 4096 Sep 9 16:53 pkgconfig
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /usr/local/lib
total 1792
-rw-r--r-- 1 root root 1182720 Sep 10 18:40 libcurl.a
-rwxr-xr-x 1 root root 973 Sep 10 18:40 libcurl.la
lrwxrwxrwx 1 root root 16 Sep 10 18:40 libcurl.so -> libcurl.so.4.7.0
lrwxrwxrwx 1 root root 16 Sep 10 18:40 libcurl.so.4 -> libcurl.so.4.7.0
-rwxr-xr-x 1 root root 638736 Sep 10 18:40 libcurl.so.4.7.0
drwxr-xr-x 2 root root 4096 Sep 10 18:40 pkgconfig
drwxr-xr-x 3 root root 4096 Feb 16 2024 python3.10
Tried the Mozilla CA that comes with libacvp and got the same error below:
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --aes --verbose
Using the following parameters:
ACV_SERVER: demo.acvts.nist.gov
ACV_PORT: 443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE: certs/mozzila_trust_anchors.pem
ACV_CERT_FILE: /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
ACV_KEY_FILE: /opt/nist_work/libacvp/certs/private.key
[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0
[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate): could not load PEM client certificate, OpenSSL error error:03000072:digital envelope routines::decode error, (no key found, wrong pass phrase, or wrong file format?)
[ACVP]: POST Login...
Status: 0
Url: https://demo.acvts.nist.gov:443/acvp/v1/login
Resp: Recieved
[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
Tried with no CA setting and got the same error:
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ source scripts/nist_setup.sh
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $ACV_CA_FILE
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --aes --verbose
Using the following parameters:
ACV_SERVER: demo.acvts.nist.gov
ACV_PORT: 443
ACV_URI_PREFIX: /acvp/v1/
ACV_CERT_FILE: /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
ACV_KEY_FILE: /opt/nist_work/libacvp/certs/private.key
[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0
[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate): could not load PEM client certificate, OpenSSL error error:03000072:digital envelope routines::decode error, (no key found, wrong pass phrase, or wrong file format?)
[ACVP]: POST Login...
Status: 0
Url: https://demo.acvts.nist.gov:443/acvp/v1/login
Resp: Recieved
[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
Tried the latest Mozilla cacert.pem file with the same issue:
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ source scripts/nist_setup.sh
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ echo $ACV_CA_FILE
/opt/nist_work/libacvp/certs/cacert.pem
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ls -l /opt/nist_work/libacvp/certs/cacert.pem
-rw-r----- 1 wade.lockhart domain users 228633 Sep 11 11:02 /opt/nist_work/libacvp/certs/cacert.pem
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ ./app/acvp_app --aes --verbose
Using the following parameters:
ACV_SERVER: demo.acvts.nist.gov
ACV_PORT: 443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE: /opt/nist_work/libacvp/certs/cacert.pem
ACV_CERT_FILE: /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
ACV_KEY_FILE: /opt/nist_work/libacvp/certs/private.key
[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;5.15.0-119-generic;x86_64;Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz;GCC/11.4.0
[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 58 (Problem with the local SSL certificate): could not load PEM client certificate, OpenSSL error error:03000072:digital envelope routines::decode error, (no key found, wrong pass phrase, or wrong file format?)
[ACVP]: POST Login...
Status: 0
Url: https://demo.acvts.nist.gov:443/acvp/v1/login
Resp: Recieved
[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
Based upon the OpenSSL error, I am inclined to think that the .cer file is bad. I did check the format and it is a PEM file.
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp$ file /opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer
/opt/nist_work/libacvp/certs/Eideticom_Wade_Lockhart_Demo.cer: PEM certificate
Lastly, I ran it from home and behind our corporate firewall with the same results.
Hey Andrew,
We found the cause of the error. Apparently, I had only enabled a FIPS provider for my OpenSSL installation. Once I added a base provider to my openssl.cnf, I am now able to log in to the demo server.
wade.lockhart@wade-u22-nist/opt/nist_work/libacvp/certs$ openssl list -providers
Providers:
base
name: OpenSSL Base Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
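The resolution above hinges on an OpenSSL 3 detail: PEM/DER decoders live in the base (or default) provider, so a FIPS-only provider configuration cannot parse the client certificate and key at all, which is exactly the "decode error" curl surfaced as code 58. The following helper script is an added example, not part of libacvp or of anything posted in this thread. It parses the text output of `openssl list -providers` and `ldd` so it can be exercised offline on the constructed samples embedded below (modelled on the listings in this issue); in real use you pipe the live command output into the functions. The `real_binary` helper assumes that `app/acvp_app` is a libtool wrapper script (a guess at why `ldd` printed "not a dynamic executable"; the thread does not confirm this) and looks for the real ELF binary under `.libs/`.

```shell
#!/bin/sh
# Added diagnostic helpers (hypothetical; not from libacvp or this thread).

# Return 0 if the provider listing on stdin contains an *active* "base" or
# "default" provider. In OpenSSL 3 those providers supply the PEM/DER
# decoders; with only "fips" active, loading a PEM cert/key fails with
# "digital envelope routines::decode error".
pem_decoders_available() {
    awk '
        # A bare indented word (no colon) starts a provider entry, e.g. "  base"
        /^[ \t]*[A-Za-z0-9_-]+[ \t]*$/ { cur = $1; next }
        /status:[ \t]*active/ { if (cur == "base" || cur == "default") found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Return 0 if every libssl/libcrypto line of an ldd listing on stdin resolves
# to a path under $1 (e.g. /opt/openssl), 1 if any resolves elsewhere or is
# "not found". Mixing the system OpenSSL into the process is the README's
# warning about missing symbols.
libs_resolved_under() {
    awk -v prefix="$1" '
        /libssl\.so|libcrypto\.so/ { n++; if (index($3, prefix) != 1) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }
    '
}

# ldd reports "not a dynamic executable" for a libtool wrapper script (a
# shell script starting with "#!"). Print the real binary from .libs/ when
# the argument is such a wrapper, otherwise the argument itself.
real_binary() {
    if head -c 2 "$1" 2>/dev/null | grep -q '^#!'; then
        dir=$(dirname "$1"); base=$(basename "$1")
        [ -x "$dir/.libs/$base" ] && printf '%s\n' "$dir/.libs/$base" && return 0
        return 1
    fi
    printf '%s\n' "$1"
}

# Constructed samples shaped like the listings in the issue.
FIPS_ONLY='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

BASE_AND_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

LDD_OK='	libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f20ec238000)
	libssl.so.3 => /opt/openssl/lib64/libssl.so.3 (0x00007f91f8d8a000)'

LDD_MIXED='	libcrypto.so.3 => /opt/openssl/lib64/libcrypto.so.3 (0x00007f20ec238000)
	libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f00aa000000)'

# Demo on the samples. Against a live system you would run, for example:
#   openssl list -providers | pem_decoders_available
#   ldd "$(real_binary ./app/acvp_app)" | libs_resolved_under /opt/openssl
if printf '%s\n' "$FIPS_ONLY" | pem_decoders_available; then
    echo "fips-only sample: PEM decoders available"
else
    echo "fips-only sample: no active base/default provider, PEM loading will fail"
fi
if printf '%s\n' "$LDD_MIXED" | libs_resolved_under /opt/openssl; then
    echo "mixed ldd sample: all OpenSSL libs under /opt/openssl"
else
    echo "mixed ldd sample: some OpenSSL lib resolves outside /opt/openssl"
fi
```

Run the two live checks together before touching ACV_CA_FILE: the provider check explains a code 58 "decode error" regardless of which CA bundle is set, and the ldd check (on the real binary, not the wrapper) confirms that LD_LIBRARY_PATH is actually steering both curl and acvp_app to the same OpenSSL build.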
When I try to connect to the demo acvts nist server using the libacvp client I receive the following error:
attempt to connect and run sample verbose
check the file paths are correct
version of curl installed
check LD_LIBRARY_PATH for the session
check location of the libcurl libraries
I looked through the existing issues, but nothing I tried seemed to help out. Any thoughts?