cisco / libacvp

The libacvp library is a client-side implementation of the draft ACVP protocol (github.com/usnistgov/ACVP).
Apache License 2.0

Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK) #880

Open chenchudhcs opened 3 days ago

chenchudhcs commented 3 days ago

sysint@sjfw4-ubuntu-3:~/demo-server/libacvp$ ./app/acvp_app --verbose --aes

This is falling under openssl version < 3.0

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    /home/sysint/demo-server/libacvp/certs/mozzila_trust_anchors.pem
ACV_CERT_FILE:  /home/sysint/demo-server/libacvp/certs/SKDemo.cer
ACV_KEY_FILE:   /home/sysint/demo-server/libacvp/certs/SK.key

[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;6.5.0-14-generic;x86_64;Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz;GCC/11.4.0

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK)
[ACVP]: POST Login... Status: 0 Url: https://demo.acvts.nist.gov:443/acvp/v1/login Resp: Recieved

[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

--------curl -v -----------------

sysint@sjfw4-ubuntu-3:~/demo-server/libacvp$ curl -V
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

abkarcher commented 2 days ago

Hello,

There can be several possible causes for this - if you have not already, searching through previous issues may shed some useful information.

In general, make sure the key/cert are in the right format, and have the right permissions. You could also try un-setting ACV_CA_FILE, or trying a different CA file. Additionally, if you are using the FIPS provider, ensure that OpenSSL has its default provider explicitly enabled in the config, as curl often seems to fail if only the FIPS provider is enabled.

Thanks, Andrew

chenchudhcs commented 2 days ago

Hi Andrew,

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ ./app/acvp_app -v

ACVP library version: libacvp_oss-2.1.1
ACVP protocol version: 1.0

Compiled SSL version: OpenSSL 3.0.0 7 sep 2021
Linked SSL version: OpenSSL 3.0.2 15 Mar 2022

   FIPS requested: yes

ssl_OSSL_PROVIDER_num: 1 provider name: provider version: FIPS Provider Version: 3.0.0

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ ./app/acvp_app --aes --vector_req vectors.req

status of EVP_Q_DIGEST: 1
md_len: 28
Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    certs/acvp.nist.gov.crt
ACV_CERT_FILE:  certs/SKhynixmemorysolutionsAmericaInc_Chenchukumar_Billu_Demo.cer
ACV_KEY_FILE:   certs/SKhynixmemorysolutionsAmericaInc_Chenchukumar_Billu_Demo.key

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK)
[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
hsm-pqc@hsm-pqc:~/CAVP/libacvp$

Still I'm seeing the same problem, can you please help out.

Thanks, Chenchu.

chenchudhcs commented 1 day ago

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active

In ACVP, the compiled SSL version and linked SSL version are not the same. Any thoughts?

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ ./app/acvp_app -v

ACVP library version: libacvp_oss-2.1.1
ACVP protocol version: 1.0

Compiled SSL version: OpenSSL 3.0.0 7 sep 2021
Linked SSL version: OpenSSL 3.0.2 15 Mar 2022

   FIPS requested: yes

ssl_OSSL_PROVIDER_num: 2 provider name: provider version: FIPS Provider Version: 3.0.2

abkarcher commented 11 hours ago

Hi,

Yes, you typically always want to have the same compiled and linked version. Since you have multiple OpenSSL libraries on the device, you need to set the appropriate Linux environment variables to make sure the version you want is linked.

Usually we set LD_LIBRARY_PATH to the directory containing the libcrypto.so we want to test, which bypasses the system's OpenSSL library.

Thanks, Andrew
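Both of Andrew's suggestions in this thread (enable the default provider next to fips in the OpenSSL config; make sure LD_LIBRARY_PATH points acvp_app at the intended libcrypto) can be checked offline before rerunning the client. The script below is an added example for this issue, not libacvp's own code and not something Andrew posted. It writes a constructed openssl.cnf in the layout the OpenSSL 3 FIPS README uses, with base and default activated beside fips (the `.include` path for fipsmodule.cnf is a placeholder; the real file carries the module's MAC, which is why fips_sect is not written here), reports which providers that file activates, and parses `ldd` output to confirm that the libcrypto the binary links lives under the directory you put in LD_LIBRARY_PATH. The ldd sample and all library paths are constructed.

```shell
#!/bin/sh
# Added example for libacvp issue #880; not part of libacvp.
# 1. Does the OpenSSL config activate the default (and base) provider
#    alongside fips? The provider listing in the thread shows base+fips only.
# 2. Which libcrypto.so does the binary really link, and is it the one in
#    the directory LD_LIBRARY_PATH names?

# --- 1. provider configuration --------------------------------------------
# Constructed openssl.cnf. fips_sect (with the module MAC) lives in the
# included fipsmodule.cnf; that path is a placeholder assumption.
CNF="${TMPDIR:-/tmp}/acvp-example-openssl.cnf"
cat > "$CNF" <<'EOF'
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect
default = default_sect

[base_sect]
activate = 1

[default_sect]
activate = 1

[algorithm_sect]
# default is loaded for encoders/decoders and TLS plumbing, but algorithm
# fetches still prefer the FIPS provider
default_properties = fips=yes
EOF

# Print, sorted and space-separated, the providers named in [provider_sect]
# whose section sets "activate = 1" in this same file. fips is only listed
# when its section is in the file, so it is absent for the config above.
activated_providers() {
    awk '
        /^\[/ { sect = substr($0, 2, index($0, "]") - 2); next }
        sect == "provider_sect" && /=/ {
            gsub(/[ \t]/, ""); split($0, kv, "="); prov[kv[1]] = kv[2]
        }
        /^activate[ \t]*=[ \t]*1/ { act[sect] = 1 }
        END { for (p in prov) if (act[prov[p]]) print p }
    ' "$1" | sort | paste -s -d ' ' -
}

# Succeeds only when the default provider is activated by the given config.
default_provider_enabled() {
    case " $(activated_providers "$1") " in
        *" default "*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- 2. which libcrypto is linked ------------------------------------------
# Reads `ldd <binary>` output on stdin, prints the resolved libcrypto path.
libcrypto_path() {
    awk '$1 ~ /^libcrypto\.so/ { print $3; exit }'
}

# Succeeds when the libcrypto in the ldd output (stdin) lives under the given
# directory, i.e. LD_LIBRARY_PATH really overrode the distro copy.
libcrypto_under() {
    _dir=$1
    _lib=$(libcrypto_path)
    case "$_lib" in "$_dir"/*) return 0 ;; *) return 1 ;; esac
}

# Constructed ldd output for a build that picked up a custom OpenSSL in
# /usr/local/ssl rather than the distro library (addresses are placeholders).
LDD_SAMPLE='    linux-vdso.so.1 (0x00007ffd00000000)
    libcrypto.so.3 => /usr/local/ssl/lib64/libcrypto.so.3 (0x00007f0000000000)
    libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f0000100000)'

# Stand-alone run: report on the constructed inputs, then on a real acvp_app
# if one is present in the working tree.
echo "providers activated in $CNF: $(activated_providers "$CNF")"
echo "sample ldd links: $(printf '%s\n' "$LDD_SAMPLE" | libcrypto_path)"
if [ -x ./app/acvp_app ] && command -v ldd >/dev/null 2>&1; then
    echo "acvp_app links: $(ldd ./app/acvp_app | libcrypto_path)"
    # Retry with the intended library first on the search path, for example:
    # LD_LIBRARY_PATH=/usr/local/ssl/lib64 ./app/acvp_app -v
fi
```

Run it from the libacvp tree; with a real binary present it also prints the libcrypto that acvp_app resolves, which should match the "Linked SSL version" line from `acvp_app -v`. Once the config activates default, `openssl list -providers` should show default along with the base and fips entries seen earlier in the thread.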