Article: 14166 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!panix!bloom-beacon.mit.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail
From: curtis.steward@goodrich.com (Curtis Steward)
Newsgroups: comp.protocols.kermit.misc
Subject: Re: TLS HowTo Telnet/FTP
Date: 6 Mar 2003 09:26:16 -0800
Organization: http://groups.google.com/
Lines: 274
Message-ID: <f53f8c5c.0303060740.514c6150@posting.google.com>
References: <f53f8c5c.0303041213.45f6bbe7@posting.google.com> <b4329a$300$1@watsol.cc.columbia.edu> <f53f8c5c.0303051052.327e975c@posting.google.com> <3E66D40A.1050402@nyc.rr.com>
NNTP-Posting-Host: 207.180.255.121
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1046971576 26207 127.0.0.1 (6 Mar 2003 17:26:16 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: 6 Mar 2003 17:26:16 GMT
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14166
Error & Howto:
Enter certificate passphrase:
[TLS - handshake starting]
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_write_alert
SSL_connect:error in 3RSH_A SSLv3 read server hello A
[TLS - SSL_connect error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[TLS - FAILED]
HOWTO
This HowTo is nonfunctional at the time of this writing. It attempts
to create a basic "loopback test" via an OpenSSL certificate.
Localhost is client & server: Redhat 8.0
Kermit Client: Kermit 8.0.208
Kermit Server: Kermit 8.0.208 (IKSD)
Certificates: RSA based, length 2048 (openssl genrsa)
Status:
Server configuration appears at fault with client tests to amazon for
TLS appearing ok as suggested by:
http://www.columbia.edu/kermit/case21.html
Current testing yields a wrong SSL version to the IKSD, suspect
incorrect cipher-list ("ALL:+RSA"). It's understood that TLS
authentication rather than SSL should be pursued for certificate based
communication with Kermit.
TLS STEP-BY-STEP
download <tarball>
mkdir kermit
cd kermit
tar -xvzf ../<tarball>
make redhat80
cp -p wermit /usr/local/bin/kermit
cp -p wermit /usr/sbin/iksd
mkdir ~/.tlslogin
Place certs/keys, don't have password on servers' host cert.
chown -R <user>:<user group> ~<user>/.tlslogin
cp -p $WS_NAME.crt ~<user>/.tlslogin
ls /usr/local/ca/cacert.crt
/etc/init.d/xinetd.d stop
/etc/init.d/xinetd.d start
netstat -an | grep 1649
tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN
kermit
show features
...
Major optional features included:
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
...
iks /user:anonymous /pass:user@host kermit.columbia.edu #basic test
set host www.amazon.com https /ssl #should get [TLS-OK]
set host /connect <host> 1649 /tls-telnet
/ETC/XINETD.D/KERMIT
# default: on
# server_args = -A --syslog:6 --database:off
service kermit
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/iksd
server_args = -A
disable = no
}
/ETC/IKSD.CONF
;log debug /root/iksd.debug.\v(pid).log
set auth tls rsa-cert-file /root/.tlslogin/c.crt
set auth tls rsa-key-file /root/.tlslogin/c.unp
set auth tls verify-dir /usr/local/ca
set auth tls verify-file /usr/local/ca/cacert.pem
set telopt /server start-tls required
set telopt /server auth refused
set telopt /server encrypt refused refused
set telopt /server new-environment required
set auth tls cipher-list ALL:+RSA
set auth tls verify peer-cert
KERMIT CLIENT STARTUP
#!/usr/local/bin/kermit +
set auth tls rsa-cert-file w.crt ;personal cert pem
set auth tls rsa-key-file work_priv.pem ;personal key pem
set auth tls verify-dir /usr/local/ca ;CA directory
set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
set auth tls verify peer-cert
set login userid stewarcm
set telopt start-tls required
set auth tls verbose on
set auth tls debug on
set telnet debug on
TLS TELNET RESULTS
C-Kermit>set host /connect <host> 1649 /tls-telnet
DNS Lookup... Trying 149.223.210.203... (OK)
SSL_DEBUG_FLAG on
SSL/TLS init done!
Loading RSA certificate into SSL
Enter certificate passphrase:
[TLS - handshake starting]
SSL_handshake:UNKWN before/connect initialization
SSL_connect:UNKWN before/connect initialization
SSL_connect:3WCH_A SSLv3 write client hello A
SSL_write_alert
SSL_connect:error in 3RSH_A SSLv3 read server hello A
[TLS - SSL_connect error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[TLS - FAILED]
TELNET SENT DO LOGOUT
Can't open connection to <host>:1649
"Jeffrey Altman [Road Runner NYC]" <jaltman2@nyc.rr.com> wrote in message news:<3E66D40A.1050402@nyc.rr.com>...
> Curtis Steward wrote:
> >
> > Frank,
> >
> > My main question at the time would be what instructions would be
> > necessary in the iksd.conf file to make TLS for telnet available (see
> > below) after successfully entering the passphrase?
> >
> > For what it's worth, here's my HowTo draft, though it doesn't work :)
> > The scenario here is as basic to the "loopback test" for a connection
> > that I can make it in hopes that it can be used to address varying
> > scenarios. I'd suggest a case study on your site for others, if I
> > get this working I'll contrib a copy. Key/Cert detail and generation
> > could be provided as well and I'm using .tlslogin to avoid changing
> > code and not depend on a single field. There's a lot of interest in
> > the Open Source world for x509 host to host Communication, and I
> > believe Kermit offers up one of the best possibilities.
> >
> > Regards,
> >
> > cs
> >
> > STEP-BY-STEP
> >
> > download <tarball>
> > mkdir kermit
> > cd kermit
> > tar -xvzf ../<tarball>
> > make redhat80
> > cp -p wermit /usr/local/bin/kermit
> > cp -p wermit /usr/sbin/iksd
> > mkdir ~/.tlslogin
> >
> > Place certs/keys, don't have password on servers' host cert.
> >
> > chown -R <user>:<user group> ~<user>/.tlslogin
> > cp -p $WS_NAME.crt ~<user>/.tlslogin
> > ls /usr/local/ca/cacert.crt
> >
> > /etc/init.d/xinetd.d stop
> > /etc/init.d/xinetd.d start
> >
> > netstat -an | grep 1649
> > tcp 0 0 0.0.0.0:1649 0.0.0.0:* LISTEN
> >
> >
> > kermit
> > show features
> > ...
> > Major optional features included:
> > Secure Sockets Layer (SSL)
> > Transport Layer Security (TLS)
> > ...
> > set host www.amazon.com https /ssl
> > iks /user:anonymous /pass:user@host kermit.columbia.edu
> >
> > iks <host>
> >
> > /ETC/XINETD.D/KERMIT
> >
> > # default: on
> > # server_args = -A --syslog:6 --database:off
> > service kermit
> > {
> > socket_type = stream
> > wait = no
> > user = root
> > server = /usr/sbin/iksd
> > server_args = -A
> > disable = no
> > }
> >
> > /ETC/IKSD.CONF
> >
> > log debug /root/iksd.debug.\v(pid).log
> >
> > set auth tls rsa-cert-file /root/.tlslogin/c.crt
> > set auth tls rsa-key-file /root/.tlslogin/c.unp
> > set auth tls verify-dir /usr/local/ca
> > set auth tls verify-file /usr/local/ca/cacert.pem
> SET TELOPT /SERVER START-TLS REQUIRED
> SET TELOPT /SERVER AUTH REFUSED
> SET TELOPT /SERVER ENCRYPT REFUSED REFUSED
> SET TELOPT /SERVER NEW-ENVIRONMENT REQUIRED
> SET AUTH TLS CIPHER-LIST <list based upon the type of certificates RSA
> or DSS that you are using>
> SET AUTH TLS VERIFY PEER-CERT
>
>
> > KERMIT CLIENT STARTUP
> >
> > #!/usr/local/bin/kermit +
> > set auth tls rsa-cert-file w.crt ;personal cert pem
> > set auth tls rsa-key-file work_priv.pem ;personal key pem
> > set auth tls verify-dir /usr/local/ca ;CA directory
> > set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
> > set auth tls verify peer-cert
> > set login userid <user>
> > set telopt start-tls required
> > set auth tls verbose on
> > set auth tls debug on
> > set telnet debug on
> >
> > TLS TELNET RESULTS
> >
> > SSL_handshake:SSLOK SSL negotiation finished successfully
> > TLS client finished: 27 7C CD CA 0B 7E 7E F8 FB C9 6E 66
> > TLS server finished: 3E EC EF 93 1F 2D 8D 09 07 2B 7B A2
> > [TLS - OK]
> > [TLS - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
> > Compression: run length compression
> > [TLS - subject=/C=US/ST="detail"]
> > [TLS - issuer=/C=US/O="detail"]
> > TELNET SENT WILL AUTHENTICATION
> > TELNET SENT WILL NAWS
> > TELNET SENT WILL TERMINAL-TYPE
> > TELNET SENT WILL NEW-ENVIRONMENT
> > TELNET SENT WILL COM-PORT-CONTROL
> > <wait for outstanding negotiations>
> > TELNET RCVD DO AUTHENTICATION
> > TELNET RCVD DO NAWS
> > TELNET RCVD WILL SUPPRESS-GO-AHEAD
> > TELNET SENT DO SUPPRESS-GO-AHEAD
> > TELNET RCVD DO SUPPRESS-GO-AHEAD
> > TELNET SENT WILL SUPPRESS-GO-AHEAD
> > TELNET RCVD WILL ECHO
> > TELNET SENT DO ECHO
> > TELNET RCVD DO NEW-ENVIRONMENT
> > TELNET RCVD SB AUTHENTICATION SEND IAC SE
> > TELNET SENT SB AUTHENTICATION IS NULL NULL IAC SE
> > Authentication failed: No authentication method available
> > TELNET SENT WONT AUTHENTICATION
> > TELNET RCVD DONT TERMINAL-TYPE
> > TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE
> > TELNET RCVD DONT COM-PORT-CONTROL
> > <no outstanding negotiations>
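OpenSSL's SSL3_GET_RECORD reports "wrong version number" (the error in the TLS TELNET RESULTS above) when the two bytes it reads as the record-layer version are not a 3.x SSL/TLS version, i.e. when what arrived on the socket was not a TLS record at all. As an added example, not from the thread and not Kermit's own code, the Python script below classifies the first bytes a server sends on connect, separating a TLS-on-connect service (which stays silent until it has a ClientHello) from a plain-telnet service that negotiates options first and can only carry TLS through the telnet START_TLS option; the sample byte strings, host, port and function names are constructed for the example.

```python
import socket

# Constructed samples (not captured from the thread) of a server's opening bytes:
#   TLS record header: content type 0x16 (handshake) or 0x15 (alert), version 3.x
#   telnet negotiation: IAC (0xFF) DO (0xFD) AUTHENTICATION (0x25), IAC DO NAWS (0x1F)
SAMPLE_TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x4A, 0x02, 0x00, 0x00, 0x46])
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])
SAMPLE_TELNET_IAC = bytes([0xFF, 0xFD, 0x25, 0xFF, 0xFD, 0x1F, 0xFF, 0xFD, 0x18])

TLS_CONTENT_TYPES = {0x14: "tls-ccs", 0x15: "tls-alert", 0x16: "tls-handshake", 0x17: "tls-appdata"}


def classify_first_bytes(data: bytes) -> str:
    """Label the peer's opening bytes the way OpenSSL's record layer would see them."""
    if not data:
        # A TLS-on-connect server sends nothing until it has read a ClientHello.
        return "silent"
    if len(data) < 3:
        return "short"
    ctype, vmaj, vmin = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and vmaj == 0x03 and vmin <= 0x03:
        return TLS_CONTENT_TYPES[ctype]
    if ctype == 0xFF:
        # Telnet IAC: bytes 1-2 would be parsed as record version 0xFDxx, which is
        # exactly the input that makes SSL3_GET_RECORD fail with "wrong version number".
        return "telnet-iac"
    return "not-tls"


def diagnosis(label: str) -> str:
    """Map a label to the check a practitioner would make next (constructed wording)."""
    return {
        "silent": "server waits for a ClientHello: TLS on connect (client /tls-telnet) fits",
        "telnet-iac": "server talks telnet first, so TLS can only start via START_TLS; "
                      "a client expecting TLS records on connect reads a wrong version number",
        "tls-handshake": "TLS handshake record: any version problem is in the hellos, not framing",
        "tls-alert": "TLS alert on connect: server rejected the ClientHello (check cipher-list/certs)",
    }.get(label, "neither TLS nor telnet framing; confirm the port and the service behind it")


def probe(host: str, port: int = 1649, timeout: float = 3.0) -> str:
    """Connect, send nothing, wait briefly, and classify whatever the server says first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(16)
        except socket.timeout:
            data = b""
    return classify_first_bytes(data)
```

Run `diagnosis(probe("localhost"))` against the loopback IKSD to see which framing the port offers before the TLS handshake is attempted.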