Columbia Kermit

home *** CD-ROM | disk | FTP | other *** search

/ Columbia Kermit / kermit.zip / newsgroups / misc.20021006-20030409 / 000285_jaltman@columbia.edu_Tue Feb 11 15:59:19 EST 2003.msg < prev next >

Wrap

Text File | 2020-01-01 | 4KB | 108 lines

Article: 14082 of comp.protocols.kermit.misc Path: newsmaster.cc.columbia.edu!phl-feed.news.verio.net!iad-feed.news.verio.net!iad-peer.news.verio.net!news.verio.net!news.maxwell.syr.edu!newsfeed-east.nntpserver.com!nntpserver.com!news-west.rr.com!news-server.columbus.rr.com!cyclone.rdc-nyc.rr.com!news-out.nyc.rr.com!twister.nyc.rr.com.POSTED!not-for-mail Message-ID: <3E493E29.5040800@columbia.edu> From: Jeffrey Altman <jaltman@columbia.edu> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130 X-Accept-Language: en-us, en MIME-Version: 1.0 Newsgroups: comp.protocols.kermit.misc Subject: Re: SSL-Telnet waiting for WILL AUTHENTICATION subnegotiation References: <f53f8c5c.0302101307.43a79f75@posting.google.com> <3E482A46.2010509@nyc.rr.com> <f53f8c5c.0302110921.bbf187d@posting.google.com> In-Reply-To: <f53f8c5c.0302110921.bbf187d@posting.google.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Lines: 85 Date: Tue, 11 Feb 2003 18:15:44 GMT NNTP-Posting-Host: 66.108.138.151 X-Complaints-To: abuse@rr.com X-Trace: twister.nyc.rr.com 1044987344 66.108.138.151 (Tue, 11 Feb 2003 13:15:44 EST) NNTP-Posting-Date: Tue, 11 Feb 2003 13:15:44 EST Organization: Road Runner - NYC Xref: newsmaster.cc.columbia.edu comp.protocols.kermit.misc:14082 Curtis Steward wrote: > Jeff, > > I didn't realize that "AUTH SSL" shouldn't be used. Thanks > for the tip, that's why I also had "start-tls refused", trying > to force SSL... > > I've changed from SSL to TLS. > Added the "start-tls required". > I've also had to resort to "--database:off" on the server, see > syslog. > However, things still hang: > > Negotiations..TELNET RCVD DO START-TLS > TELNET SENT SB START-TLS FOLLOWS IAC SE > TELNET RCVD DO AUTHENTICATION > TELNET RCVD DO NAWS > TELNET RCVD WILL SUPPRESS-GO-AHEAD > TELNET RCVD DO SUPPRESS-GO-AHEAD > TELNET RCVD WILL ECHO > TELNET RCVD DO NEW-ENVIRONMENT > TELNET RCVD SB START-TLS FOLLOWS IAC SE > [TLS - handshake starting] > Loading RSA certificate into SSL > Enter pass phrase: <passphrase> > SSL_handshake:UNKWN before/connect initialization > SSL_connect:UNKWN before/connect initialization > SSL_connect:3WCH_A SSLv3 write client hello A > HANG... > > syslog > Feb 10 16:37:58 cms iksd[825]: file[] /var/log/95dfd2cb.339: rename to > /var/log/iksd.lck failed (No such file or directory) How is iksd being started? > > script > #!/usr/local/bin/kermit + > set debug on > set debug session > set auth tls debug on > set auth tls rsa-cert-file w.pem ;personal cert pem > set auth tls rsa-key-file work_priv.pem ;personal key pem > set auth tls verbose on > set auth tls verify-dir /usr/local/ca ;CA directory > set auth tls verify-file /usr/local/ca/cacert.pem ;CA cert pem w/hash > set login userid <userid> > set telopt start-tls required The file /usr/local/ca/cacert.pem must contain the CA certificate used to sign the IKSD host certificate > iksd.conf > set auth tls rsa-cert-file /root/HomeWIP/pki/c.pem #points to host > cert? > set auth tls rsa-key-file /root/HomeWIP/pki/cms.jms.lucascargo.com.pem > #points to host key? These are the server's certificate and key in PEM format. > set auth tls verify-dir /usr/local/ca > set auth tls verify-file /usr/local/ca/cacert.pem These are only necessary if you are attempting to verify client certificates. > Is the host settings for the iksd.conf's rsa's suppose to be the host > client? And is the CA key the only key that needs hashed? > Thanks > > cs To debug IKSD include a LOG DEBUG /root/iksd.debug.\v(pid).log command in your iksd.conf file. If you are not getting a response to the "client hello A" it is most likely a problem related to firewall's blocking the negotiation OR perhaps a file system access problem on the host.