mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Issue with ipv6 address of CMP server #218

Closed meghana-svg closed 3 years ago

meghana-svg commented 3 years ago

Hi team,

Facing the below issue with certfetch for an IPv6 address and port. OpenSSL version used: "OpenSSL 3.0.0-alpha9 26 Nov 2020 (Library: OpenSSL 3.0.0-alpha9 26 Nov 2020)"

openssl cmp -cmd ir -server [3a00:8a00:4000:20c::19:66]:8082/pkix/ -ref 2763 -secret pass:HJZd-pBZg-p5kq-EGKP -newkey private-key.pem -recipient "/C=FI/O=myname/CN=CTCA" -subject "/C=FI/O=myname/CN=CTCA" -certout cl_cert.pem -cacertsout capubs1.pem
CMP:apps/cmp.c:2669:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/usr/local/ssl/openssl.cnf'
CMP:apps/cmp.c:2678:CMP info: no [cmp] section found in config file '/usr/local/ssl/openssl.cnf'; will thus use just [default] and unnamed section if present
CMP:apps/cmp.c:1984:CMP info: will contact http://2a00:8a00:4000:20c::19:62:8082/pkix/
CMP info: sending IR
CMP error: ambiguous host or service
CMP error: transfer error : request sent: IR, expected response: IP

We have observed that the square brackets around the IPv6 address are stripped in the line "CMP:apps/cmp.c:1984:CMP info: will contact http://3a00:8a00:4000:20c::19:66:8082/pkix/"

Can you please suggest a workaround for this?

OS used:

bash-4.2# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"

Thanks, Meghana

DDvO commented 3 years ago

Hi Meghana,

thank you for your bug report, and sorry that I had overlooked it so far! Yes, it looks like the OpenSSL HTTP client should have retained the [ and ] around IPv6 addresses. I've tentatively changed it this way in the cmp branch of git@github.com:mpeylo/cmpossl.git, but I have no CMP test server that supports IPv6. Can you please give me feedback on whether the problem is solved this way?

Regards, David
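The bracket handling David describes, as an added example that is not cmpossl or OpenSSL code: a host:port splitter that can only tell host from port in an IPv6 literal while the brackets are present (the stripped form from the report is rejected as ambiguous, matching the "ambiguous host or service" error), plus the rebuild step that puts the brackets back when the URL is composed. Function names and buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not cmpossl/OpenSSL code: split an HTTP authority such as
 * "host:port" or "[v6-literal]:port" into host and port. Returns 1 on success,
 * 0 if malformed or (as with the unbracketed form in the report) ambiguous. */
int split_host_port(const char *authority, char *host, size_t host_len,
                    char *port, size_t port_len)
{
    const char *hs, *he, *ps; /* host start, host end, port start */
    size_t n;
    if (authority[0] == '[') {
        /* Bracketed IPv6 literal: the host is everything inside the brackets */
        hs = authority + 1;
        if ((he = strchr(hs, ']')) == NULL)
            return 0;
        ps = he + 1;
        if (*ps == ':')
            ps++;
        else if (*ps != '\0')
            return 0;
    } else {
        /* Unbracketed: one ':' separates host and port; a second ':' means an
         * IPv6 address whose brackets were stripped, so the split is ambiguous */
        hs = authority;
        if ((he = strchr(hs, ':')) == NULL) {
            he = ps = hs + strlen(hs);          /* no port given */
        } else {
            if (strchr(he + 1, ':') != NULL)
                return 0;
            ps = he + 1;
        }
    }
    n = (size_t)(he - hs);
    if (n == 0 || n >= host_len || strlen(ps) >= port_len)
        return 0;
    memcpy(host, hs, n);
    host[n] = '\0';
    strcpy(port, ps);                           /* "" when no port was given */
    return 1;
}
/* Rebuild the authority for a URL, re-adding the brackets whenever the host is
 * an IPv6 literal (contains ':'), which is what the report says was lost. */
int format_authority(const char *host, const char *port, char *out, size_t out_len)
{
    int v6 = strchr(host, ':') != NULL;
    int n = snprintf(out, out_len, "%s%s%s%s%s", v6 ? "[" : "", host,
                     v6 ? "]" : "", *port != '\0' ? ":" : "", port);
    return n >= 0 && (size_t)n < out_len;
}
```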

DDvO commented 3 years ago

@meghana-svg, does the problem still exist? When I try

apps/openssl cmp -cmd ir -section "" -server [3a00:8a00:4000:20c::19:66]:8082/pkix/ -ref 2763 -secret pass:HJZd-pBZg-p5kq-EGKP -newkey test/certs/ee-key.pem -recipient "/C=FI/O=myname/CN=CTCA" -subject "/C=FI/O=myname/CN=CTCA" -certout cl_cert.pem -cacertsout capubs1.pem -msg_timeout 5

it looks like the connection setup is fine now but the server does not respond:

cmp_main:apps/cmp.c:2601:CMP info: using section(s) 'default' of OpenSSL configuration file 'apps/openssl.cnf'
setup_client_ctx:apps/cmp.c:1903:CMP info: will contact http://[3a00:8a00:4000:20c::19:66]:8082/pkix/
send_receive_check:crypto/cmp/cmp_client.c:167:CMP info: sending IR
BIO_do_connect_retry:crypto/bio/bio_lib.c:906:CMP error: connect timeout:
send_receive_check:crypto/cmp/cmp_client.c:173:CMP error: transfer error:request sent: IR, expected response: IP

DDvO commented 3 years ago

Closing for lack of response. I think this works meanwhile - if not, you can re-open the issue.