mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

sending ir #181

Closed Shriyanshmit closed 5 years ago

Shriyanshmit commented 5 years ago

OpenSSL:send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir

Showing same message.

mpeylo commented 5 years ago

I am somewhat unsure what the issue at hand might be...

DDvO commented 5 years ago

@Shriyanshmit, I also don't understand what you mean by your comment. Please expand.

Shriyanshmit commented 5 years ago

Hi All,

I am using an EJBCA CA to generate the certificates, so I used this code with OpenSSL for generating the certificates.

I created one API server which is creating the URL as mentioned below:

server=https://132.186.189.217:8443
path=/api/cmp

I set all the below parameters in the openssl.cnf file:

tls_trusted=/home/TestUser/Certs/ACIssuingCA.cacert.pem
tls_cert=/home/TestUser/Certs/TLS_User_EE.p12
tls_key=/home/TestUser/Certs/TLS_User_EE.p12
tls_keypass=pass:**
trusted=/home/TestUser/Certs/ACIssuingCA-chain.pem

cert=/home/TestUser/Certs/ppki_cmp_signer.p12
key=/home/TestUser/Certs/ppki_cmp_signer.p12
keypass=pass:**

subject="/CN=test20181204/O=TestOrg/C=DE/serialNumber=1122333f"
digest=sha256
popo=1
disableconfirm=1
unprotectederrors=1

certout=/home/TestUser/Certs/ACIssuingCA.cacert.pem
extracertsout=/home/TestUser/Certs/ACIssuingCA.cacert.pem
cacertsout=/home/TestUser/Certs/ACIssuingCA.cacert.pem

Now I am using the command (./openssl cmp -cmd ir) to generate the certificate, but it gives the same message: send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir

I am not able to get any request to any api server.

Please help.
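The settings above point three output files (certout, extracertsout, cacertsout) at the very file that tls_trusted reads, and later in this thread the error "unable to load new private key ... from '.../ACIssuingCA.cacert.pem'" and the command line "-newkey Key-2019.pem -certout Key-2019.pem" show the same kind of mix-up. The following is an added example, not code from cmpossl or from anyone in this issue: it parses such a settings list (several per line, spaces around "=", quoted subject) and flags every output path that coincides with an input path, because on a successful enrollment the client writes its outputs and would overwrite the trust anchor or key file it was started with. The split into "read at start" and "written on success" option names is assumed from the documented meaning of the openssl cmp options; the settings and the command line are constructed from what is quoted in this issue.

```python
"""Flag input/output file collisions in openssl cmp settings.

Added example, not part of cmpossl.  Option roles are assumed from the
documented meaning of the openssl cmp options: names in INPUT_OPTS are read
when the client starts, names in OUTPUT_OPTS are written when a response is
processed.  A path in both roles is overwritten on success, so a trust
anchor or private key silently disappears from disk.
"""
import re
import shlex

# Read at start-up (assumed from the openssl cmp option documentation).
INPUT_OPTS = {"tls_trusted", "tls_cert", "tls_key", "trusted", "untrusted",
              "srvcert", "cert", "key", "newkey", "oldcert"}
# Written once a response has been processed.
OUTPUT_OPTS = {"certout", "extracertsout", "cacertsout"}

# Constructed sample: the settings posted in the issue, several per line and
# with spaces around '=' (passwords redacted by the poster).
SAMPLE_CONFIG = """
server = https://132.186.189.217:8443 path=/api/cmp
tls_trusted = /home/TestUser/Certs/ACIssuingCA.cacert.pem tls_cert=/home/TestUser/Certs/TLS_User_EE.p12 tls_key=/home/TestUser/Certs/TLS_User_EE.p12 tls_keypass=pass:** trusted=/home/TestUser/Certs/ACIssuingCA-chain.pem
cert=/home/TestUser/Certs/ppki_cmp_signer.p12 key=/home/TestUser/Certs/ppki_cmp_signer.p12 keypass=pass:**
subject="/CN=test20181204/O=TestOrg/C=DE/serialNumber=1122333f" digest=sha256 popo=1 disableconfirm=1 unprotectederrors=1
certout=/home/TestUser/Certs/ACIssuingCA.cacert.pem extracertsout=/home/TestUser/Certs/ACIssuingCA.cacert.pem cacertsout=/home/TestUser/Certs/ACIssuingCA.cacert.pem
"""

# Constructed sample: the command line from the last comment in the issue.
SAMPLE_CMDLINE = ('./openssl cmp -cmd ir -server 132.186.189.206:444 -path api/cmp -config "" '
                  '-secret pass:test -ref test -newkey Key-2019.pem -certout Key-2019.pem')


def parse_cmp_settings(text):
    """Parse name=value settings: several per line allowed, spaces around '='
    tolerated, double-quoted values kept whole (e.g. subject="/CN=.../O=...")."""
    settings = {}
    for raw in text.splitlines():
        # Collapse 'name = value' to 'name=value' so shlex yields one token per setting.
        line = re.sub(r"\s*=\s*", "=", raw.strip())
        if not line or line.startswith("#"):
            continue
        for token in shlex.split(line):
            name, sep, value = token.partition("=")
            if sep:
                settings[name] = value
    return settings


def parse_cmp_cmdline(cmdline):
    """Map the '-name value' pairs of an openssl cmp command line onto the same names."""
    argv = shlex.split(cmdline)
    settings = {}
    for i, arg in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if arg.startswith("-") and not nxt.startswith("-"):
            settings[arg[1:]] = nxt
    return settings


def find_path_collisions(settings):
    """Return (output_option, input_option, path) for every output file that is
    also an input file, sorted by option name."""
    collisions = []
    for out in sorted(OUTPUT_OPTS):
        path = settings.get(out)
        if not path:
            continue
        for inp in sorted(INPUT_OPTS):
            if settings.get(inp) == path:
                collisions.append((out, inp, path))
    return collisions


if __name__ == "__main__":
    for label, settings in (("openssl.cnf", parse_cmp_settings(SAMPLE_CONFIG)),
                            ("command line", parse_cmp_cmdline(SAMPLE_CMDLINE))):
        for out, inp, path in find_path_collisions(settings):
            print(f"{label}: {out} would overwrite {inp} ({path})")
```

Run as a script it reports the three certout/extracertsout/cacertsout collisions with tls_trusted from the config and the certout/newkey collision from the command line; the same key/cert pair pointing at one .p12 is not reported, since a PKCS#12 file legitimately holds both.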

DDvO commented 5 years ago

The message "INFO: sending ir" by the CMP client obviously tells that it started sending the first request message. If nothing else is output thereafter, this means that the client got stuck, likely because it could not reach the server, or the server did not answer, or its answer did not reach the client.

Check your network setup, including any (local or remote) firewalls.

Shriyanshmit commented 5 years ago

As I checked, I am able to access the same URL from the browser and from the command prompt as well.

DDvO commented 5 years ago

Good that you checked this. Are you sure that you are using the same URL, including port 8443? Does the client actually use the openssl.cnf file you provided? It should output, e.g., INFO: using OpenSSL configuration file '/home/TestUser/openssl.cnf'

Shriyanshmit commented 5 years ago

Thanks for your quick response.

Yes it is using the same file. INFO: using OpenSSL configuration file '/opt/openssl/openssl.cnf'

DDvO commented 5 years ago

All right, so it is pretty much confirmed that your CMP client instance actually tries to reach https://132.186.189.217:8443/api/cmp. Then it is very strange that you could reach this URL from the same machine using a browser while apparently the CMP client cannot. You may also try not using TLS (e.g., by commenting out all respective lines in your config file) and using server=132.186.189.217.

For instance, I've just tried

apps/openssl cmp -cmd ir -server 132.186.189.217:80 -path api/cmp -config "" -secret pass:test -ref test -newkey test.ECC.priv.pem -certout test.pem

and did get a response:

OpenSSL:(PEDANTIC disallows function name)():apps/cmp.c:3216: WARNING: missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to "NULL-DN"
OpenSSL:(PEDANTIC disallows function name)():crypto/cmp/cmp_ses.c:183: INFO: sending ir
140179742328576:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=404,Reason=Not Found
140179742328576:error:390AF090:CMP routines:OSSL_CMP_MSG_http_perform:failed to receive pkimessage:crypto/cmp/cmp_http.c:520:
140179742328576:error:3909F097:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:200:

BTW, please do not write duplicate comments/responses. I've hidden/deleted them above.

mpeylo commented 5 years ago

Having a look into network traces taken with Wireshark (or tcpdump) for the communication of the browser and of the client with the server might quickly give hints about what goes wrong.

mpeylo commented 5 years ago

I assume that the problem was more networking-related and is probably resolved by now.

Shriyanshmit commented 5 years ago

No, it's not resolved till now.

On Mon, Jul 15, 2019 at 3:43 PM Martin Peylo notifications@github.com wrote:

I assume that the problem was more networking-related and is probably resolved by now.


-- Regards.. Shreyansh Jain

mpeylo commented 5 years ago

Did you check with Wireshark what is actually going on "on the wire"?

Shriyanshmit commented 5 years ago

I was busy with some other work, please give me some time; I will check and let you know.

On Mon, Jul 15, 2019, 15:54 Martin Peylo notifications@github.com wrote:

Did you check with Wireshark what is actually going on "on the wire"?


mpeylo commented 5 years ago

No hurry on our side, while in the meantime we just assume that the code works as it should ;-)

mpeylo commented 5 years ago

error: unable to load new private key for certificate to be enrolled from '/home/siemensuser/Certs/ACIssuingCA.cacert.pem'

Shriyanshmit commented 5 years ago

Now I am getting the below message.

root@ubuntu:/opt/openssl/bin# ./openssl cmp -cmd ir -server 132.186.189.206:444 -path api/cmp -config "" -secret pass:test -ref test -newkey Key-2019.pem -certout Key-2019.pem
OpenSSL:setup_ctx():apps/cmp.c:3216: WARNING: missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to "NULL-DN"
OpenSSL:send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir
140641880569600:error:390B10A8:CMP routines:OSSL_CMP_MSG_http_perform:read timeout:crypto/cmp/cmp_http.c:516:
140641880569600:error:390A1098:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:199:
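The three client runs quoted in this thread end differently: the first stops right after "INFO: sending ir", the run in DDvO's comment above gets an HTTP 404 back, and this last one hits "read timeout". As an added example, not code from cmpossl or from any participant, the following parses the two line shapes the client prints (the "OpenSSL:func():file:line: LEVEL: message" log line and the "thread:error:code:lib:func:reason:file:line:extra" error-queue line) and maps each combination to the next thing to check, which is the reasoning DDvO and mpeylo applied above. The verdict names and advice strings are this example's own; the three sample outputs are constructed from the ones quoted in the issue.

```python
"""Triage the output of one openssl cmp client run.

Added example, not code from cmpossl.  It recognises the two line shapes
seen in the issue:
  OpenSSL:<func>():<file>:<line>: <LEVEL>: <message>                  (app log line)
  <thread>:error:<code>:<lib>:<func>:<reason>:<file>:<line>:<extra>    (error queue line)
and maps "sending ..." plus the error reasons to what to look at next.
Verdict names are this example's own.
"""
import re

LOG_RE = re.compile(
    r"^OpenSSL:(?P<func>[^:]*)\(\):(?P<file>[^:]+):(?P<line>\d+): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$")
ERR_RE = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]+):(?P<line>\d+):(?P<extra>.*)$")

# Constructed samples: the three outputs quoted in the issue.
SAMPLE_STUCK = "OpenSSL:send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir\n"

SAMPLE_404 = """\
OpenSSL:(PEDANTIC disallows function name)():apps/cmp.c:3216: WARNING: missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to "NULL-DN"
OpenSSL:(PEDANTIC disallows function name)():crypto/cmp/cmp_ses.c:183: INFO: sending ir
140179742328576:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=404,Reason=Not Found
140179742328576:error:390AF090:CMP routines:OSSL_CMP_MSG_http_perform:failed to receive pkimessage:crypto/cmp/cmp_http.c:520:
140179742328576:error:3909F097:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:200:
"""

SAMPLE_TIMEOUT = """\
root@ubuntu:/opt/openssl/bin# ./openssl cmp -cmd ir -server 132.186.189.206:444 -path api/cmp -config "" -secret pass:test -ref test -newkey Key-2019.pem -certout Key-2019.pem
OpenSSL:setup_ctx():apps/cmp.c:3216: WARNING: missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to "NULL-DN"
OpenSSL:send_receive_check():crypto/cmp/cmp_ses.c:183: INFO: sending ir
140641880569600:error:390B10A8:CMP routines:OSSL_CMP_MSG_http_perform:read timeout:crypto/cmp/cmp_http.c:516:
140641880569600:error:390A1098:CMP routines:OSSL_CMP_exec_IR_ses:ip not received:crypto/cmp/cmp_ses.c:199:
"""


def parse_client_output(text):
    """Turn recognised lines into dicts; shell prompts and other noise are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in (("log", LOG_RE), ("error", ERR_RE)):
            m = pattern.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def triage(text):
    """Return (verdict, advice) for one run's output."""
    events = parse_client_output(text)
    sent = [e for e in events if e["kind"] == "log" and e["level"] == "INFO"
            and e["msg"].startswith("sending ")]
    errors = [e for e in events if e["kind"] == "error"]
    if not sent:
        return ("not-sent", "no request went out: the client stopped while loading its "
                "config or credentials; read the lines before the first INFO")
    req = sent[-1]["msg"].split()[1]          # request type, e.g. "ir"
    if not errors:
        return ("no-response", f"{req} was sent and nothing came back, not even an error: "
                "the client is blocked on the connection; verify host, port, TLS vs. plain "
                "HTTP and firewalls on both sides, then look at a packet capture")
    details = " ".join(f"{e['reason']} {e['extra']}" for e in errors)
    if "read timeout" in details:
        return ("read-timeout", f"{req} was sent on an established connection but no HTTP "
                "reply arrived in time: wrong port, a non-CMP service on that port, or a "
                "server that is not answering")
    status = re.search(r"Code=(\d+)", details)
    if status:
        return (f"http-{status.group(1)}", f"the server answered {req} with HTTP "
                f"{status.group(1)}: the endpoint was reached, so check -path and the "
                "server's CMP handler rather than the network")
    return ("response-error", f"{req} was sent, reply failed: "
            + "; ".join(e["reason"] for e in errors))


if __name__ == "__main__":
    for name, sample in (("stuck", SAMPLE_STUCK), ("404", SAMPLE_404), ("timeout", SAMPLE_TIMEOUT)):
        verdict, advice = triage(sample)
        print(f"{name}: {verdict}: {advice}")
```

The ordering of the checks matters: an error queue is printed innermost-first, so the HTTP-level reason (404, read timeout) comes before the generic "ip not received" from OSSL_CMP_exec_IR_ses, and the triage deliberately keys on the former.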