Columbia Kermit

home *** CD-ROM | disk | FTP | other *** search

/ Columbia Kermit / kermit.zip / newsgroups / misc.20021006-20030409 / 000284_curtis.steward@goodrich.com_Tue Feb 11 15:58:51 EST 2003.msg < prev next >

Wrap

Text File | 2020-01-01 | 6KB | 164 lines

Article: 14079 of comp.protocols.kermit.misc Path: newsmaster.cc.columbia.edu!phl-feed.news.verio.net!iad-feed.news.verio.net!iad-peer.news.verio.net!news.verio.net!bloom-beacon.mit.edu!newsfeed.stanford.edu!postnews1.google.com!not-for-mail From: curtis.steward@goodrich.com (Curtis Steward) Newsgroups: comp.protocols.kermit.misc Subject: Re: SSL-Telnet waiting for WILL AUTHENTICATION subnegotiation Date: 11 Feb 2003 09:21:22 -0800 Organization: http://groups.google.com/ Lines: 145 Message-ID: <f53f8c5c.0302110921.bbf187d@posting.google.com> References: <f53f8c5c.0302101307.43a79f75@posting.google.com> <3E482A46.2010509@nyc.rr.com> NNTP-Posting-Host: 207.180.255.121 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-Trace: posting.google.com 1044984082 5446 127.0.0.1 (11 Feb 2003 17:21:22 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: 11 Feb 2003 17:21:22 GMT Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14079 Jeff, I didn't realize that "AUTH SSL" shouldn't be used. Thanks for the tip, that's why I also had "start-tls refused", trying to force SSL... I've changed from SSL to TLS. Added the "start-tls required". I've also had to resort to "--database:off" on the server, see syslog. However, things still hang: Negotiations..TELNET RCVD DO START-TLS TELNET SENT SB START-TLS FOLLOWS IAC SE TELNET RCVD DO AUTHENTICATION TELNET RCVD DO NAWS TELNET RCVD WILL SUPPRESS-GO-AHEAD TELNET RCVD DO SUPPRESS-GO-AHEAD TELNET RCVD WILL ECHO TELNET RCVD DO NEW-ENVIRONMENT TELNET RCVD SB START-TLS FOLLOWS IAC SE [TLS - handshake starting] Loading RSA certificate into SSL Enter pass phrase: <passphrase> SSL_handshake:UNKWN before/connect initialization SSL_connect:UNKWN before/connect initialization SSL_connect:3WCH_A SSLv3 write client hello A HANG... syslog Feb 10 16:37:58 cms iksd[825]: file[] /var/log/95dfd2cb.339: rename to /var/log/iksd.lck failed (No such file or directory) script #!/usr/local/bin/kermit + set debug on set debug session set auth tls debug on set auth tls rsa-cert-file w.pem ;personal cert pem set auth tls rsa-key-file work_priv.pem ;personal key pem set auth tls verbose on set auth tls verify-dir /usr/local/ca ;CA directory set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash set login userid <userid> set telopt start-tls required iksd.conf set auth tls rsa-cert-file /root/HomeWIP/pki/c.pem #points to host cert? set auth tls rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem #points to host key? set auth tls verify-dir /usr/local/ca set auth tls verify-file /usr/local/ca/cacert.pem Is the host settings for the iksd.conf's rsa's suppose to be the host client? And is the CA key the only key that needs hashed? Thanks cs "Jeffrey Altman [Road Runner NYC]" <jaltman2@nyc.rr.com> wrote in message news:<3E482A46.2010509@nyc.rr.com>... > You do not want to use the broken protocol AUTH SSL. You want to use > the START_TLS option. Remove > > SET TeLNET AUTH TYPE SSL > > and replace it with > > SET TeLOPT START-TLS REQUIRE > > Why are you refusing START-TLS on the SERVER? > > The AUTH SSL protocol is only meant for use with old Eric Young telnet > servers. > > > > Curtis Steward wrote: > > I'm trying to get straight SSL authentication to work as described in: > > http://www.columbia.edu/kermit/security80.html (compiled with > > "linux+openssl" no flags). I understand that ~/.tlslogin will give me > > a complete cert to userid map with the code as is. > > > > After pouring over the doc I'm receiving the following: > > > > c-kermit8.0 > > ... > > iksd <hostname> > > ... > > TELNET RCVD DO NEW-ENVIRONMENT > > TELNET RCVD SB AUTHENTICATION SEND SSL CLIENT_TO_SERVER|ONE_WAY IAC > > SE > > Loading RSA certificate into SSL > > Enter pass phrase: <pass-phrase> > > Authenticating with SSL > > TELNET SENT SB AUTHENTICATION IS SSL CLIENT_TO_SERVER|ONE_WAY START > > IAC SE > > TELNET RCVD DONT TERMINAL-TYPE > > TELNET RCVD SB NEW-ENVIRONMENT SEND IAC SE > > TELNET RCVD DONT COM-PORT-CONTROL > > Negotiations.............................. > > ************************* > > The Telnet server is not sending required responses. > > > > ?Telnet waiting for WILL AUTHENTICATION subnegotiation > > > > You can continue to wait or you can cancel with Ctrl-C. > > In case the Telnet server never responds as required, > > you can try connecting to this host with TELNET /NOWAIT. > > Use SET HINTS OFF to suppress further hints. > > ************************* > > > > ... > > > > /etc/iksd.conf > > set auth ssl rsa-cert-file /root/HomeWIP/pki/cmscert.pem # > > points to host cert? > > set auth ssl rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem > > # points to host key? > > set auth ssl verify-dir /usr/local/ca # pem > > is hashed > > set auth ssl verify-file /usr/local/ca/cacert.pem > > set telopt start-tls refused # just > > SSL > > > > script > > #!/usr/local/bin/kermit + > > set debug on > > set debug session > > set auth ssl debug on > > set auth ssl rsa-cert-file w.pem ;personal cert pem > > set auth ssl rsa-key-file work_priv.pem ;personal key pem > > set auth ssl verbose on > > set auth ssl verify-dir /usr/local/ca ;CA directory > > set auth ssl verify-file /usr/local/ca/cacert.pem ;CA cert pem > > set login userid <userid> > > set telnet auth type ssl ;just SSL > > > > I've tried sb-implies-will-do on/off on both client and server > > sides with no luck. > > > > TIA, > > > > cs