Article: 14079 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!phl-feed.news.verio.net!iad-feed.news.verio.net!iad-peer.news.verio.net!news.verio.net!bloom-beacon.mit.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail
From: curtis.steward@goodrich.com (Curtis Steward)
Newsgroups: comp.protocols.kermit.misc
Subject: Re: SSL-Telnet waiting for WILL AUTHENTICATION subnegotiation
Date: 11 Feb 2003 09:21:22 -0800
Organization: http://groups.google.com/
Lines: 145
Message-ID: <f53f8c5c.0302110921.bbf187d@posting.google.com>
References: <f53f8c5c.0302101307.43a79f75@posting.google.com> <3E482A46.2010509@nyc.rr.com>
NNTP-Posting-Host: 207.180.255.121
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1044984082 5446 127.0.0.1 (11 Feb 2003 17:21:22 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 11 Feb 2003 17:21:22 GMT
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14079
Jeff,
I didn't realize that "AUTH SSL" shouldn't be used. Thanks
for the tip, that's why I also had "start-tls refused", trying
to force SSL...
I've changed from SSL to TLS.
Added the "start-tls required".
I've also had to resort to "--database:off" on the server, see
syslog.
However, things still hang:
Negotiations..TELNET RCVD DO START-TLS
TELNET SENT SB START-TLS FOLLOWS IAC SE
TELNET RCVD DO AUTHENTICATION
TELNET RCVD DO NAWS
TELNET RCVD WILL SUPPRESS-GO-AHEAD
TELNET RCVD DO SUPPRESS-GO-AHEAD
TELNET RCVD WILL ECHO
TELNET RCVD DO NEW-ENVIRONMENT
TELNET RCVD SB START-TLS FOLLOWS IAC SE
[TLS - handshake starting]
Loading RSA certificate into SSL
Enter pass phrase: <passphrase>
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
HANG...
syslog
Feb 10 16:37:58 cms iksd[825]: file[] /var/log/95dfd2cb.339: rename to
/var/log/iksd.lck failed (No such file or directory)
script
#!/usr/local/bin/kermit +
set debug on
set debug session
set auth tls debug on
set auth tls rsa-cert-file w.pem ;personal cert pem
set auth tls rsa-key-file work_priv.pem ;personal key pem
set auth tls verbose on
set auth tls verify-dir /usr/local/ca ;CA directory
set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
set login userid <userid>
set telopt start-tls required
iksd.conf
set auth tls rsa-cert-file /root/HomeWIP/pki/c.pem #points to host cert?
set auth tls rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem #points to host key?
set auth tls verify-dir /usr/local/ca
set auth tls verify-file /usr/local/ca/cacert.pem
Are the host settings for the iksd.conf's rsa's supposed to be the host
client? And is the CA key the only key that needs to be hashed?
Thanks
cs
"Jeffrey Altman [Road Runner NYC]" <jaltman2@nyc.rr.com> wrote in message news:<3E482A46.2010509@nyc.rr.com>...
> You do not want to use the broken protocol AUTH SSL. You want to use
> the START_TLS option. Remove
>
> SET TeLNET AUTH TYPE SSL
>
> and replace it with
>
> SET TeLOPT START-TLS REQUIRE
>
> Why are you refusing START-TLS on the SERVER?
>
> The AUTH SSL protocol is only meant for use with old Eric Young telnet
> servers.
>
>
>
> Curtis Steward wrote:
> > I'm trying to get straight SSL authentication to work as described in:
> > http://www.columbia.edu/kermit/security80.html (compiled with
> > "linux+openssl" no flags). I understand that ~/.tlslogin will give me
> > a complete cert to userid map with the code as is.
> >
> > After poring over the doc I'm receiving the following:
> >
> > c-kermit8.0
> > ...
> > iksd <hostname>
> > ...
> > TELNET RCVD DO NEW-ENVIRONMENT
> > TELNET RCVD SB AUTHENTICATION SEND SSL CLIENT_TO_SERVER|ONE_WAY IAC SE
> > Loading RSA certificate into SSL
> > Enter pass phrase: <pass-phrase>
> > Authenticating with SSL
> > TELNET SENT SB AUTHENTICATION IS SSL CLIENT_TO_SERVER|ONE_WAY START IAC SE
> > TELNET RCVD DONT TERMINAL-TYPE
> > TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE
> > TELNET RCVD DONT COM-PORT-CONTROL
> > Negotiations..............................
> > *************************
> > The Telnet server is not sending required responses.
> >
> > ?Telnet waiting for WILL AUTHENTICATION subnegotiation
> >
> > You can continue to wait or you can cancel with Ctrl-C.
> > In case the Telnet server never responds as required,
> > you can try connecting to this host with TELNET /NOWAIT.
> > Use SET HINTS OFF to suppress further hints.
> > *************************
> >
> > ...
> >
> > /etc/iksd.conf
> > set auth ssl rsa-cert-file /root/HomeWIP/pki/cmscert.pem # points to host cert?
> > set auth ssl rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem # points to host key?
> > set auth ssl verify-dir /usr/local/ca # pem is hashed
> > set auth ssl verify-file /usr/local/ca/cacert.pem
> > set telopt start-tls refused # just SSL
> >
> > script
> > #!/usr/local/bin/kermit +
> > set debug on
> > set debug session
> > set auth ssl debug on
> > set auth ssl rsa-cert-file w.pem ;personal cert pem
> > set auth ssl rsa-key-file work_priv.pem ;personal key pem
> > set auth ssl verbose on
> > set auth ssl verify-dir /usr/local/ca ;CA directory
> > set auth ssl verify-file /usr/local/ca/cacert.pem ;CA cert pem
> > set login userid <userid>
> > set telnet auth type ssl ;just SSL
> >
> > I've tried sb-implies-will-do on/off on both client and server
> > sides with no luck.
> >
> > TIA,
> >
> > cs
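The START-TLS option exchange that the two traces in this thread walk through, as an added example that is not part of the thread or of C-Kermit/IKSD: a small decoder that renders a raw Telnet negotiation stream into the same TELNET RCVD/SENT lines and reports whether both peers have exchanged SB START-TLS FOLLOWS, the point at which "[TLS - handshake starting]" appears. Option numbers follow the Telnet specifications (START-TLS is option 46, FOLLOWS its sub-command 1); the sample byte streams are constructed to match the trace in the post (the client's own WILL and FOLLOWS are assumed, since Kermit does not log them), and IAC escaping inside subnegotiation payloads is not handled.

```python
# Telnet command bytes and the option numbers seen in the traces above.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS",
       37: "AUTHENTICATION", 39: "NEW-ENVIRONMENT", 46: "START-TLS"}
START_TLS, FOLLOWS = 46, 1          # option 46; FOLLOWS (1) is its only sub-command

# Constructed sample matching the post's trace: bytes the server sent, and the
# client's WILL plus its own FOLLOWS (assumed; Kermit's log does not show them).
SAMPLE_RCVD = bytes([IAC, DO, 46, IAC, DO, 37, IAC, DO, 31, IAC, WILL, 3, IAC, DO, 3,
                     IAC, WILL, 1, IAC, DO, 39, IAC, SB, 46, FOLLOWS, IAC, SE])
SAMPLE_SENT = bytes([IAC, WILL, 46, IAC, SB, 46, FOLLOWS, IAC, SE])

def decode(direction, data):
    """Render one direction of a negotiation stream as C-Kermit-style trace lines."""
    lines, i = [], 0
    while i < len(data):
        if data[i] != IAC:              # ordinary data byte, not negotiation
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in CMD:                  # IAC <WILL|WONT|DO|DONT> <option>
            lines.append(f"TELNET {direction} {CMD[cmd]} {OPT.get(data[i + 2], data[i + 2])}")
            i += 3
        elif cmd == SB:                 # IAC SB <option> <payload...> IAC SE
            end = data.index(bytes([IAC, SE]), i + 2)
            opt, payload = data[i + 2], data[i + 3:end]
            body = "FOLLOWS" if (opt, payload) == (START_TLS, bytes([FOLLOWS])) else payload.hex()
            lines.append(f"TELNET {direction} SB {OPT.get(opt, opt)} {body} IAC SE")
            i = end + 2
        else:                           # IAC IAC (escaped 0xFF) or a bare command
            i += 2
    return lines

def starttls_status(sent, rcvd):
    """How far the START-TLS option exchange got, as seen from our side."""
    out, inn = set(decode("SENT", sent)), set(decode("RCVD", rcvd))
    if {"TELNET RCVD DONT START-TLS", "TELNET RCVD WONT START-TLS"} & inn:
        return "refused by peer"        # what a peer with 'start-tls refused' answers
    agreed = ("TELNET RCVD DO START-TLS" in inn and "TELNET SENT WILL START-TLS" in out) or \
             ("TELNET SENT DO START-TLS" in out and "TELNET RCVD WILL START-TLS" in inn)
    if not agreed:
        return "not negotiated"
    ours = "TELNET SENT SB START-TLS FOLLOWS IAC SE" in out
    theirs = "TELNET RCVD SB START-TLS FOLLOWS IAC SE" in inn
    if ours and theirs:
        return "tls handshake may begin"   # the '[TLS - handshake starting]' point
    return "waiting for peer FOLLOWS" if ours else "peer waiting for our FOLLOWS"
```

Running `starttls_status(SAMPLE_SENT, SAMPLE_RCVD)` on the constructed sample reports that the handshake may begin, which matches the post's second trace: the remaining hang there is inside the TLS layer, not in Telnet option negotiation.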