Article: 14082 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!phl-feed.news.verio.net!iad-feed.news.verio.net!iad-peer.news.verio.net!news.verio.net!news.maxwell.syr.edu!newsfeed-east.nntpserver.com!nntpserver.com!news-west.rr.com!news-server.columbus.rr.com!cyclone.rdc-nyc.rr.com!news-out.nyc.rr.com!twister.nyc.rr.com.POSTED!not-for-mail
Message-ID: <3E493E29.5040800@columbia.edu>
From: Jeffrey Altman <jaltman@columbia.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: comp.protocols.kermit.misc
Subject: Re: SSL-Telnet waiting for WILL AUTHENTICATION subnegotiation
References: <f53f8c5c.0302101307.43a79f75@posting.google.com> <3E482A46.2010509@nyc.rr.com> <f53f8c5c.0302110921.bbf187d@posting.google.com>
In-Reply-To: <f53f8c5c.0302110921.bbf187d@posting.google.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 85
Date: Tue, 11 Feb 2003 18:15:44 GMT
NNTP-Posting-Host: 66.108.138.151
X-Complaints-To: abuse@rr.com
X-Trace: twister.nyc.rr.com 1044987344 66.108.138.151 (Tue, 11 Feb 2003 13:15:44 EST)
NNTP-Posting-Date: Tue, 11 Feb 2003 13:15:44 EST
Organization: Road Runner - NYC
Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14082
Curtis Steward wrote:
> Jeff,
>
> I didn't realize that "AUTH SSL" shouldn't be used. Thanks
> for the tip, that's why I also had "start-tls refused", trying
> to force SSL...
>
> I've changed from SSL to TLS.
> Added the "start-tls required".
> I've also had to resort to "--database:off" on the server, see
> syslog.
> However, things still hang:
>
> Negotiations..TELNET RCVD DO START-TLS
> TELNET SENT SB START-TLS FOLLOWS IAC SE
> TELNET RCVD DO AUTHENTICATION
> TELNET RCVD DO NAWS
> TELNET RCVD WILL SUPPRESS-GO-AHEAD
> TELNET RCVD DO SUPPRESS-GO-AHEAD
> TELNET RCVD WILL ECHO
> TELNET RCVD DO NEW-ENVIRONMENT
> TELNET RCVD SB START-TLS FOLLOWS IAC SE
> [TLS - handshake starting]
> Loading RSA certificate into SSL
> Enter pass phrase: <passphrase>
> SSL_handshake:UNKWN before/connect initialization
> SSL_connect:UNKWN before/connect initialization
> SSL_connect:3WCH_A SSLv3 write client hello A
> HANG...
>
> syslog
> Feb 10 16:37:58 cms iksd[825]: file[] /var/log/95dfd2cb.339: rename to
> /var/log/iksd.lck failed (No such file or directory)
How is iksd being started?
>
> script
> #!/usr/local/bin/kermit +
> set debug on
> set debug session
> set auth tls debug on
> set auth tls rsa-cert-file w.pem ;personal cert pem
> set auth tls rsa-key-file work_priv.pem ;personal key pem
> set auth tls verbose on
> set auth tls verify-dir /usr/local/ca ;CA directory
> set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash
> set login userid <userid>
> set telopt start-tls required
The file /usr/local/ca/cacert.pem must contain the CA certificate used
to sign the IKSD host certificate.
> iksd.conf
> set auth tls rsa-cert-file /root/HomeWIP/pki/c.pem #points to host
> cert?
> set auth tls rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem
> #points to host key?
These are the server's certificate and key in PEM format.
> set auth tls verify-dir /usr/local/ca
> set auth tls verify-file /usr/local/ca/cacert.pem
These are only necessary if you are attempting to verify client
certificates.
> Are the host settings for the iksd.conf's rsa's supposed to be the host
> client? And is the CA key the only key that needs hashing?
> Thanks
>
> cs
To debug IKSD include a
LOG DEBUG /root/iksd.debug.\v(pid).log
command in your iksd.conf file. If you are not getting a response to
the "client hello A", it is most likely a problem related to firewalls
blocking the negotiation OR perhaps a file system access problem on the
host.
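The trace quoted above ends at "write client hello A", which is only reached once the Telnet START-TLS negotiation has completed in both directions. As an added example (not code from this thread or from C-Kermit/IKSD), the following parses Telnet option negotiation from raw bytes, renders it in the style of the quoted trace, and applies the readiness rule for starting TLS; the client's WILL START-TLS, not shown in the quoted trace, is assumed to have been sent, and the sample byte streams are constructed to reproduce the trace.

```python
# Added example: Telnet option-negotiation parser and the START-TLS readiness rule.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 31: "NAWS", 37: "AUTHENTICATION",
       39: "NEW-ENVIRONMENT", 46: "START-TLS"}          # IANA Telnet option numbers
START_TLS, FOLLOWS = 46, 1                               # START-TLS option, FOLLOWS code

def parse_telnet(data: bytes) -> list:
    """Negotiation commands in order: ("DO"/"DONT"/"WILL"/"WONT", opt) or ("SB", opt,
    payload). Data bytes are skipped; IAC IAC is one escaped 0xFF; truncation raises."""
    events, i = [], 0
    while i < len(data):
        if data[i] != IAC:
            i += 1
        elif data[i + 1] in CMD:                         # IAC <cmd> <option>
            events.append((CMD[data[i + 1]], data[i + 2]))
            i += 3
        elif data[i + 1] == SB:                          # IAC SB <opt> ... IAC SE
            opt, payload, i = data[i + 2], bytearray(), i + 3
            while data[i:i + 2] != bytes([IAC, SE]):
                payload.append(data[i])
                i += 2 if data[i] == IAC else 1          # swallow the IAC IAC escape
            events.append(("SB", opt, bytes(payload)))
            i += 2
        else:                                            # IAC IAC, NOP, GA, ...
            i += 2
    return events

def render(direction: str, data: bytes) -> list:
    """Trace lines in the style of the 'TELNET RCVD/SENT ...' output quoted above."""
    lines = []
    for ev in parse_telnet(data):
        name = OPT.get(ev[1], str(ev[1]))
        if ev[0] != "SB":
            lines.append(f"TELNET {direction} {ev[0]} {name}")
        else:
            tag = " FOLLOWS" if ev[1:] == (START_TLS, bytes([FOLLOWS])) else ""
            lines.append(f"TELNET {direction} SB {name}{tag} IAC SE")
    return lines

def start_tls_ready(sent: bytes, received: bytes) -> bool:
    """ClientHello may be written only after the option is agreed (DO received, WILL
    sent) and BOTH sides sent SB START-TLS FOLLOWS; a hang before that is a Telnet
    problem, a hang after it lies in TLS or the transport."""
    follows = ("SB", START_TLS, bytes([FOLLOWS]))
    s, r = parse_telnet(sent), parse_telnet(received)
    return ("DO", START_TLS) in r and ("WILL", START_TLS) in s and follows in s and follows in r

# Constructed sample reproducing the client-side trace from the thread.
RECEIVED = bytes([IAC, DO, 46, IAC, DO, 37, IAC, DO, 31, IAC, WILL, 3, IAC, DO, 3,
                  IAC, WILL, 1, IAC, DO, 39, IAC, SB, 46, FOLLOWS, IAC, SE])
SENT = bytes([IAC, WILL, 46, IAC, SB, 46, FOLLOWS, IAC, SE])
```

Run `render("RCVD", RECEIVED)` to reproduce the quoted lines, and `start_tls_ready(SENT, RECEIVED)` to confirm the hang occurred after negotiation completed, where the thread's reply points at firewalls or server-side file access rather than Telnet.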