open-hpi / openhpi


ov_rest plugin, SCMB, does not work with ssl1.1 #2738

Closed mohandev2 closed 5 years ago

mohandev2 commented 5 years ago

SCMB in the ov_rest plugin does not work with ssl1.1 in RHEL8 and debian-sid. It works well with RHEL7.6.

/usr/sbin/openhpid -c /etc/openhpi/openhpi.conf produces the following error in the syslog:

Oct 23 11:56:44 openhpi-debian-sid openhpid: ov_rest: ov_rest_discover.c:1733: OV_REST Discovery Completed
Oct 23 11:56:45 openhpi-debian-sid openhpid: ov_rest: ov_rest_event.c:1881: Active alerts are found and events are added to logs/oem event file.
Oct 23 11:56:45 openhpi-debian-sid openhpid: ov_rest: ov_rest_event.c:1882: Please login to the composer to get complete details.
Oct 23 11:56:45 openhpi-debian-sid openhpid: ov_rest: ov_rest_event.c:1901: Locked alerts are found and events are added to logs/oem event file.
Oct 23 11:56:45 openhpi-debian-sid openhpid: ov_rest: ov_rest_event.c:1902: Please login to the composer to get complete details.
Oct 23 11:56:45 openhpi-debian-sid openhpid: ov_rest: ov_rest_event.c:1470: Error in opening SSL/TLS connection
Oct 23 11:56:50 openhpi-debian-sid openhpid: ov_rest: ov_rest_event.c:1930: Composer is Accessible, SCMB is not working

The following are the packages in debian-sid:

ii librabbitmq-dev:amd64 0.9.0-0.1 amd64 AMQP client library written in C - Dev Files
ii librabbitmq4:amd64 0.9.0-0.1 amd64 AMQP client library written in C
ii openssl 1.1.1-1 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii libssl-dev:amd64 1.1.1-1 amd64 Secure Sockets Layer toolkit - development files
ii libssl1.1:amd64 1.1.1-1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libopenhpi-dev 3.8.0-2 amd64 OpenHPI libraries (development files)
ii libopenhpi3 3.8.0-2 amd64 OpenHPI libraries (runtime and support files)
ii openhpi 3.8.0-2 all SAF's HPI: Abstracted interface for managing computer hardware
ii openhpi-clients 3.8.0-2 amd64 OpenHPI example client programs
ii openhpi-plugin-dynamic-simulator 3.8.0-2 amd64 OpenHPI plugin module for a dynamic simulator
ii openhpi-plugin-ilo2-ribcl 3.8.0-2 amd64 OpenHPI plugin module for HP's ProLiant rackmount servers
ii openhpi-plugin-ipmi 3.8.0-2 amd64 OpenHPI plugin module for OpenIPMI
ii openhpi-plugin-ipmidirect 3.8.0-2 amd64 OpenHPI plugin module for direct IPMI over LAN (RMCP) or SMI
ii openhpi-plugin-oa-soap 3.8.0-2 amd64 OpenHPI plugin module for HPE's BladeSystem c-Class
ii openhpi-plugin-ov-rest 3.8.0-2 amd64 OpenHPI plugin module for HPE's Synergy enclosures
ii openhpi-plugin-simulator 3.8.0-2 amd64 OpenHPI plugin module for a simulator that works without hardware
ii openhpi-plugin-slave 3.8.0-2 amd64 OpenHPI plugin module for slave plugin
ii openhpi-plugin-snmp-bc 3.8.0-2 amd64 OpenHPI plugin module for IBM's BladeCenter or RSA over SNMP
ii openhpi-plugin-sysfs 3.8.0-2 amd64 OpenHPI plugin module for the sysfs filesystem
ii openhpi-plugin-test-agent 3.8.0-2 amd64 OpenHPI plugin module for test agent plugin
ii openhpi-plugin-watchdog 3.8.0-2 amd64 OpenHPI plugin module for the Linux watchdog interface
ii openhpid 3.8.0-2 amd64 OpenHPI daemon, supports gathering of manageability information

The following are the packages in RHEL8:

openssl-devel-1.1.0g-4.el8+5.x86_64
librabbitmq-0.8.0-4.el8+5.x86_64
openssl-1.1.0g-4.el8+5.x86_64
openssl-libs-1.1.0g-4.el8+5.x86_64
openhpi-libs-3.8.0-1.el8+5.x86_64
openhpi-3.8.0-1.el8+5.x86_64

mohandev2 commented 5 years ago

Example programs in librabbitmq-0.9.0 do not work either. So the problem may be in there.

./examples/amqp_ssl_connect "IP" 5671 100
opening SSL/TLS connection: SSL handshake failed

Trying to compile 0.9.0 in RHEL7.6 led to an error as popt >= 1.14 was needed and it was not available. Avoid building cmdline tools with the following command

cmake -DBUILD_TOOLS=OFF --build .

before using

cmake --build .

This also leads to the same error on RHEL7.6. Investigating more.

mohandev2 commented 5 years ago

Looks like the certificate does not work on SSL1.1. The certificates are verified by librabbitmq/amqp. The SSL_get_verify_result call returns 24 which is "SSL peer cert verification failed". It may be time to follow up with OneView teams.

mohandev2 commented 5 years ago

The following openssl commands could be used for verification. The commands do not work on the certificates we downloaded. So the problem may be in openssl 1.1.* or the certificates.

openssl verify -CAfile cacert.pem cert.pem

and

openssl s_client -connect IP:5671 -CAfile cacert.pem

Both the above commands succeed from RHEL 7.6 but fail from RHEL 8 (alpha).
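
A small wrapper around the `openssl verify` command from the comment above, added here as an example (it is not part of the original thread or of the openhpi project): it reduces the output to the numeric verification code, chain depth and reason, so the result on the RHEL 7.6 host and the RHEL 8 host can be compared line by line. The function names and the throwaway self-signed certificates are assumptions made for the example.

```shell
#!/bin/sh
# Added example: summarise `openssl verify -CAfile CA CERT` as
# "OK" or "code=N depth=D reason=..." so two hosts can be diffed.

# verify_report CAFILE CERT
# Returns 0 on OK, 1 when verification errors were reported, 2 otherwise.
verify_report() {
    # Older openssl builds exit 0 even on failure, so parse the text
    # instead of trusting the exit status.
    vr_out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    # Error lines look like "error 18 at 0 depth lookup: <reason>"
    # (some versions print no space after the colon, hence " *").
    vr_errs=$(printf '%s\n' "$vr_out" | sed -n \
        's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup: *\(.*\)$/code=\1 depth=\2 reason=\3/p')
    if [ -n "$vr_errs" ]; then
        printf '%s\n' "$vr_errs"
        return 1
    fi
    case $vr_out in
        *": OK"*) echo "OK"; return 0 ;;
    esac
    # Neither an error line nor OK: unreadable file, bad PEM, etc.
    printf 'unparsed: %s\n' "$vr_out"
    return 2
}

# make_selfsigned DIR NAME
# Constructed sample input: a throwaway self-signed certificate DIR/NAME.pem.
# The enclosure's real cacert.pem and cert.pem are not reproduced here.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Usage: sh verify_report.sh cacert.pem cert.pem
if [ "$#" -eq 2 ]; then
    verify_report "$1" "$2"
fi
```

Run it with the same `cacert.pem` and `cert.pem` on both hosts and compare the `code=` and `depth=` fields; the depth says which certificate in the chain was rejected.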

mohandev2 commented 5 years ago

An enclosure with a higher version of firmware works well. The openssl command and the SCMB work well. The enclosure could not be modified, but openhpid was run against the enclosure and all the tasks and events were waited upon. We could hit "openhpid_1.log:ov_rest: DBG: ov_rest_event.c:2693: TASK_COLLECT_UTILIZATION_DATA -- Not processed" with the 3.8.0 release of the openhpi package on RHEL8 Beta. Do not know why one enclosure does not work and how to fix it. Do not know how to generate new certificates also. This bug could be closed not waiting for it.

mohandev2 commented 5 years ago

This issue is closed as it works fine on many enclosures (except one enclosure) with the latest Synergy FW (4.20).