TLS1.2 after upgrade to 10.03

After upgrading our DPs from 10.02 to 10.03 (Windows) we have a problem communicating with some Linux clients. We have two branch offices with the same configuration, with one DP Cell Manager at each office (serverB and serverC), and at the office with serverB we have a problem. The office with serverC is fine.

Our Linux master tried, just as a test, to connect from the workstation "workstation" (which is not in any DP cell and is not backed up by DP) to the CM on server serverB.domain.local and to the CM on server serverC.domain.local. Each CM has the same configuration; they each work standalone for their own locality.

 

    root@workstation:~$ uname -a
    Linux workstation 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

    root@workstation:~$ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:21:70:34:da:d4 brd ff:ff:ff:ff:ff:ff
        inet 10.2.36.5/22 brd 10.2.39.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::221:70ff:fe34:dad4/64 scope link
           valid_lft forever preferred_lft forever


********************

serverB:

 

    root@workstation:~$ openssl s_client -connect serverB.domain.local:5555
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1527774197
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    root@workstation:~$

 

It means the connection did not connect:

    root@workstation:~$ errno 104
    ECONNRESET 104 Connection reset by peer


********************

serverC:

 

    root@workstation:~$ openssl s_client -connect serverC.domain.local:5565
    CONNECTED(00000003)
    depth=0 C = US, ST = CA, O = HEWLETT PACKARD ENTERPRISE, CN = serverC.domain.local
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = CA, O = HEWLETT PACKARD ENTERPRISE, CN = serverC.domain.local
    verify return:1
    139902144152832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
    ---
    Certificate chain
     0 s:/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
       i:/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
    ---
    Server certificate


    subject=/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
    issuer=/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
    ---
    No client certificate CA names sent
    Client Certificate Types: RSA sign, DSA sign, ECDSA sign
    Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
    Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
    ---
    SSL handshake has read 1461 bytes and written 762 bytes
    Verification error: self signed certificate
    ---
    New, TLSv1.2, Cipher is AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID:
        Session-ID-ctx:
        Master-Key: B79574587A4418B0C0EB6CE03FEDD3DC5A995411577081FBADA4E0DA76E4A3CAE28D6C478E8959DC4B13FA64BCAAEBB9
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1527774274
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: no
    ---
    root@workstation:~$


So the TLSv1.2 connection between the workstation and serverC.domain.local is OK, but of course it finished with an alert.

So our CM serverB.domain.local has some problem, because it did not get to this point as serverC.domain.local did, and the DP manager on the problematic serverB has also started crashing very often after the upgrade.


Thank you,

Kamil

  • Hello Kamil,

    Is it expected that Data Protector is using different ports on serverB and serverC?

    Can you elaborate on what is crashing on serverB? Any of the services, like CRS? Based on the information, you're either sending queries to the wrong port or INET is not responding properly. I would check for possible services crashing in dmesg and enable INET debugging on serverB. The inet.log and debug.log might have useful traces.

    Regards,
    Sebastian Koehler