Article: 14084 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!panix!newsfeed.mathworks.com!arclight.uoregon.edu!logbridge.uoregon.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail
From: curtis.steward@goodrich.com (Curtis Steward)
Newsgroups: comp.protocols.kermit.misc
Subject: Re: SSL-Telnet waiting for WILL AUTHENTICATION subnegotiation
Date: 11 Feb 2003 15:09:34 -0800
Organization: http://groups.google.com/
Lines: 193
Message-ID: <f53f8c5c.0302111509.12c6ae2f@posting.google.com>
References: <f53f8c5c.0302101307.43a79f75@posting.google.com> <3E482A46.2010509@nyc.rr.com> <f53f8c5c.0302110921.bbf187d@posting.google.com> <3E493E29.5040800@columbia.edu>
NNTP-Posting-Host: 207.180.255.121
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1045004975 3618 127.0.0.1 (11 Feb 2003 23:09:35 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 11 Feb 2003 23:09:35 GMT
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14084
Jeffrey Altman <jaltman@columbia.edu> wrote in message news:<3E493E29.5040800@columbia.edu>...
> Curtis Steward wrote:
> > Jeff,
> >
> > I didn't realize that "AUTH SSL" shouldn't be used. Thanks
> > for the tip, that's why I also had "start-tls refused", trying
> > to force SSL...
> >
> > I've changed from SSL to TLS.
> > Added the "start-tls required".
> > I've also had to resort to "--database:off" on the server, see
> > syslog.
> > However, things still hang:
> >
> > Negotiations..TELNET RCVD DO START-TLS
> > TELNET SENT SB START-TLS FOLLOWS IAC SE
> > TELNET RCVD DO AUTHENTICATION
> > TELNET RCVD DO NAWS
> > TELNET RCVD WILL SUPPRESS-GO-AHEAD
> > TELNET RCVD DO SUPPRESS-GO-AHEAD
> > TELNET RCVD WILL ECHO
> > TELNET RCVD DO NEW-ENVIRONMENT
> > TELNET RCVD SB START-TLS FOLLOWS IAC SE
> > [TLS - handshake starting]
> > Loading RSA certificate into SSL
> > Enter pass phrase: <passphrase>
> > SSL_handshake:UNKWN before/connect initialization
> > SSL_connect:UNKWN before/connect initialization
> > SSL_connect:3WCH_A SSLv3 write client hello A
> > HANG...
> >
> > syslog
> > Feb 10 16:37:58 cms iksd[825]: file[] /var/log/95dfd2cb.339: rename to
> > /var/log/iksd.lck failed (No such file or directory)
>
> How is iksd being started?
>
I'm using xinetd:

# default: on
# server_args = -A --syslog:6 --database:off
service kermit
{
    socket_type  = stream
    wait         = no
    user         = root
    server       = /usr/sbin/iksd
    server_args  = -A
    disable      = no
}
FYI, I am doing client/server testing on the same host, from what
I figure "iks localhost" should be cool?
> >
> > script
> > #!/usr/local/bin/kermit +
> > set debug on
> > set debug session
> > set auth tls debug on
> > set auth tls rsa-cert-file w.pem ;personal cert pem
> > set auth tls rsa-key-file work_priv.pem ;personal key pem
> > set auth tls verbose on
> > set auth tls verify-dir /usr/local/ca ;CA directory
> > set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
> > set login userid <userid>
> > set telopt start-tls required
>
> The file /usr/local/ca/cacert.pem must contain the CA certificate used
> to sign the IKSD host certificate
Yep
>
>
> > iksd.conf
> > set auth tls rsa-cert-file /root/HomeWIP/pki/c.pem #points to host
> > cert?
> > set auth tls rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem
> > #points to host key?
>
> These are the server's certificate and key in PEM format.
Yep again
>
> > set auth tls verify-dir /usr/local/ca
> > set auth tls verify-file /usr/local/ca/cacert.pem
>
> These are only necessary if you are attempting to verify client
> certificates.
Would this be the personal and/or client host certificates?
From what I understand the following would give me client (personal
user) authentication:

                      kermit client    kermit server
  personal user cert  rsa-cert-file    ~/.tlslogin
  client host cert    N/A              N/A
  server host cert    N/A              rsa-cert-file
  CA cert             verify-file      N/A
I'm just after user authentication, client host could come later.
>
> > Are the host settings for the iksd.conf's rsa's supposed to be the host
> > client? And is the CA key the only key that needs to be hashed?
>
> > Thanks
> >
> > cs
>
> To debug IKSD include a
>
> LOG DEBUG /root/iksd.debug.\v(pid).log
>
> command in your iksd.conf file. If you are not getting a response to
> the "client hello A" it is most likely a problem related to firewall's
> blocking the negotiation OR perhaps a file system access problem on the
> host.
...
dbinit dbfile 1[(NULL)]
dbinit dbdir 2[/var/log/]
dbinit dbfile 2[/var/log/iksd.db]
dbinit mypid=1255
getlocalipaddr setting buf to[149.223.210.203]
dbinit myip[95dfd2cb]=-1780493621
ckgetpeer[cms.jms.lucascargo.com]=-1780493621
dbinit peerip[95dfd2cb]=-1780493621
dbinit peerip[95dfd2cb]=-1780493621
dbinit dbenabled=1
getslot idstring[95dfd2cb:0000001255
]
getslot tempfile[/var/log/95dfd2cb.4e7]
getslot lockfile[/var/log/iksd.lck]
zrename old[/var/log/95dfd2cb.4e7]
zrename new[/var/log/iksd.lck]
zrename setroot[]=0
isdir stat[/var/log/iksd.lck]=-1
isdir errno=2
zrename no dir[/var/log/iksd.lck]
zrename rename()[/var/log/95dfd2cb.4e7]=0
zfnqfp fname[/var/log/95dfd2cb.4e7]=4096
zfnqfp realpath fails[/var/log/95dfd2cb.4e7]=2
zfnqfp while *s[/var/log/95dfd2cb.4e7]
zfnqfp len=21
isdir stat[/var/log/95dfd2cb.4e7]=-1
isdir errno=2
zfnqfp path[/var/log/95dfd2cb.4e7]=21
zfnqfp name[95dfd2cb.4e7]
zfnqfp fname[/var/log/iksd.lck]=4096
isdir stat[/var/log/iksd.lck]=0
isdir islink=0
isdir statbuf.st_mode=33152
zfnqfp realpath path[/var/log/iksd.lck]
zfnqfp realpath name[iksd.lck]
getslot has lock[/var/log/iksd.lck]
getslot dbfile[/var/log/iksd.db]
zchki setroot[]=0
STAT=5
zchki stat ok:[/var/log/iksd.db]=0
zchki access ok:[/var/log/iksd.db]=4096
getslot record=0
getslot dbflags:0x00
getslot dbpid:0x04a2
getslot dbip:0x95dfd2cb
getslot free slot=0
getslot records=1
...
And from syslog...
Feb 11 14:13:51 cms iksd[1255]: file[4] /root/iksd.debug.1255.log:
create ok
Feb 11 14:13:51 cms iksd[1255]: file[] /var/log/95dfd2cb.4e7: rename
to /var/log/iksd.lck failed (No such file or directory)
FYI, I tried again after doing a "mkdir /var/log/iksd.lck":
[root@cms pki]# ls /var/log/iksd.lck
95dfd2cb.45f
syslog...
Feb 11 13:47:20 cms iksd[1119]: file[] /var/log/95dfd2cb.45f: rename
to /var/log/iksd.lck/95dfd2cb.45f failed (No such file or directory)
Couldn't find an example or case outside of stunnel, if I get this one
working, I'm writing it up :).
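The debug trace above shows getslot renaming a per-connection temp file onto the lock file, and the isdir/realpath lines report errno 2 on the temp file path itself. The script below is an added diagnostic, not code from the post or from C-Kermit/IKSD: it walks the same rename step and separates the three ways rename(2) can fail here (old path missing, parent directory of the new path missing, new path already a directory). Paths are constructed under a scratch directory; the real ones live in /var/log.

```shell
#!/bin/sh
# Diagnose a tempfile -> lockfile rename the way IKSD's getslot does it.
# Return codes: 0 ok, 2 old path missing, 3 new path's directory missing,
# 4 new path is a directory, 1 other failure.
diagnose_rename() {
    old=$1
    new=$2
    newdir=$(dirname -- "$old")
    newdir=$(dirname -- "$new")

    # rename(2) gives ENOENT when the source does not exist...
    if [ ! -e "$old" ]; then
        echo "ENOENT: old path '$old' does not exist (temp file never created or already gone)"
        return 2
    fi
    # ...or when a directory component of the destination is missing.
    if [ ! -d "$newdir" ]; then
        echo "ENOENT: directory '$newdir' for new path does not exist"
        return 3
    fi
    # A plain file cannot replace an existing directory (EISDIR); this is the
    # situation created by 'mkdir /var/log/iksd.lck'.
    if [ -d "$new" ]; then
        echo "EISDIR: new path '$new' is a directory, a lock file cannot replace it"
        return 4
    fi
    if mv -- "$old" "$new" 2>/dev/null; then
        echo "OK: renamed '$old' -> '$new'"
        return 0
    fi
    echo "rename failed for another reason (permissions or cross-filesystem move?)"
    return 1
}

# Demo with constructed names mirroring the log (95dfd2cb.4e7 -> iksd.lck).
demo() {
    d=$(mktemp -d)
    tmpf="$d/95dfd2cb.4e7"
    lock="$d/iksd.lck"
    diagnose_rename "$tmpf" "$lock" || true   # temp file absent: same ENOENT as the log
    : > "$tmpf"                                # create it, as getslot should have
    diagnose_rename "$tmpf" "$lock" || true   # now the rename succeeds
    rm -rf -- "$d"
}
demo
```

Run it as root against the real paths only after reading the verdict for the scratch copy; the second syslog line in the post (rename into /var/log/iksd.lck/95dfd2cb.45f) is the "old path missing" case, not a permissions problem.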