nttdots / go-dots

Go implementation of DOTS (DDoS Open Threat Signaling) https://datatracker.ietf.org/wg/dots/about/
Apache License 2.0

Update expired certs. Generate with 3 years expiry #34

Closed mrdeep1 closed 4 years ago

mrdeep1 commented 4 years ago

Needed for interoperability tests as old certs expired back in April 2019.

Gone for 3 years expiry, so this does not have to be done too often.

lieunguyen-tma commented 4 years ago

Mr. @mrdeep1

NCC dots client --> go-dots server (AWS env)

2019/08/21 07:49:03 http: TLS handshake error from 217.40.240.156:45849: tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca.example.com")
2019/08/21 07:50:03 http: TLS handshake error from 217.40.240.156:45850: tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca.example.com")
2019/08/21 07:51:04 http: TLS handshake error from 217.40.240.156:45851: tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca.example.com")

Failed to verify the certificate on the connection from the NCC client to the dots-server (AWS env). Could you check the NCC client certificate?

Please confirm it.

mrdeep1 commented 4 years ago

It appears that you have rebuilt the certificates and are not using the ones in this PR.

Your Server cert :-

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5d:5b:a4:83:36:8a:09:12:75:ce:8d:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ca.example.com, O=Example CA, ST=Tokyo, C=JP
        Validity
            Not Before: Aug 20 07:42:59 2019 GMT
            Not After : Aug 19 07:42:59 2022 GMT

PR's Certificate :-

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5d:5a:7b:81:2f:8f:3b:60:ce:10:35:13
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ca.example.com, O=Example CA, ST=Tokyo, C=JP
        Validity
            Not Before: Aug 19 10:35:45 2019 GMT
            Not After : Aug 18 10:35:45 2022 GMT

We need to have the same at both ends.
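An added example (not go-dots code) that reproduces with Go's crypto/x509 what the handshake log above shows: a client cert signed by a regenerated CA that shares the name ca.example.com but not the key fails with the same "unknown authority" hint, while a leaf past its Not After date fails as expired. All keys and certificates are generated at run time; the names are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates an RSA key and a certificate for cn: with parent == nil a self-signed CA, otherwise
// a client-auth leaf signed by parent. Everything is generated here; none of it is the project's real files.
func issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
	}
	if parent == nil { // self-signed root, like ca.example.com in the PR
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf used for TLS client authentication
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyClient checks a presented client cert against the one CA the server trusts, as crypto/tls does.
func verifyClient(leaf, trustedCA *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue("ca.example.com", nil, nil, time.Now().AddDate(3, 0, 0))
	rebuilt, rebuiltKey := issue("ca.example.com", nil, nil, time.Now().AddDate(3, 0, 0)) // same name, new key
	good, _ := issue("client.example.com", ca, caKey, time.Now().Add(time.Hour))
	wrong, _ := issue("client.example.com", rebuilt, rebuiltKey, time.Now().Add(time.Hour))
	expired, _ := issue("client.example.com", ca, caKey, time.Now().Add(-time.Minute))
	fmt.Println("same CA:    ", verifyClient(good, ca))    // <nil>
	fmt.Println("rebuilt CA: ", verifyClient(wrong, ca))   // certificate signed by unknown authority (...)
	fmt.Println("expired:    ", verifyClient(expired, ca)) // certificate has expired or is not yet valid
}
```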

mrdeep1 commented 4 years ago

If this PR is merged (and certs rebuilt if you want to do that), then it is easy for both of us to use the same CA, Server and Client certificates, and I can then generate the additional certificates needed for my end (which will be later today) using the CA cert/key files.

lieunguyen-tma commented 4 years ago

Mr. @mrdeep1

Mr. naga-lep merged the code into the master branch. Thanks for your answer.

mrdeep1 commented 4 years ago

All is now looking good from my end