TLS1.2 after upgrade to 10.03
After upgrading our DPs from 10.02 to 10.03 (Windows) we have a problem communicating with some Linux clients. We have two branch offices with the same configuration, with one DP Cell Manager at each office (serverB and serverC), and at the office with serverB we have a problem. The office with serverC is fine.
Our Linux master tried, just for a test, to connect from the workstation "workstation" (which is not in any DP cell and is not backed up by DP) to the CM on server serverB.domain.local and the CM on server serverC.domain.local. Each CM has the same configuration; each works as a single one for its own locality.
root@workstation:~$ uname -
Linux workstation 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
root@workstation~$ ip
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:21:70:34:da:d4 brd ff:ff:ff:ff:ff:ff
inet 10.2.36.5/22 brd 10.2.39.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::221:70ff:fe34:dad4/64 scope link
valid_lft forever preferred_lft forever
********************
serverB:
root@workstation:~$ openssl s_client -connect serverB.domain.local:5555
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1527774197
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
root@workstation:~$
It means the connection did not connect.
root@workstation:~$ errno 104
ECONNRESET 104 Connection reset by peer
********************
serverC:
root@workstation:~$ openssl s_client -connect serverC.domain.local:5565
CONNECTED(00000003)
depth=0 C = US, ST = CA, O = HEWLETT PACKARD ENTERPRISE, CN = serverC.domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, O = HEWLETT PACKARD ENTERPRISE, CN = serverC.domain.local
verify return:1
139902144152832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
Certificate chain
0 s:/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
i:/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
issuer=/C=US/ST=CA/O=HEWLETT PACKARD ENTERPRISE/CN=serverC.domain.local
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 1461 bytes and written 762 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: B79574587A4418B0C0EB6CE03FEDD3DC5A995411577081FBADA4E0DA76E4A3CAE28D6C478E8959DC4B13FA64BCAAEBB9
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1527774274
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
root@workstation:~$
So the TLSv1.2 connection between workstation and serverC.domain.local is OK, but of course it finished with an alert.
So our CM serverB.domain.local has some problem, because it didn't get to this point like serverC.domain.local did; also, the DP manager on the problematic serverB has started crashing very often after the upgrade.
Thank you,
Kamil
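As an added diagnostic example (not code from the post or from Data Protector), the following Python script reproduces the distinction the two openssl runs above show: a TCP-level drop with no TLS reply at all (the serverB case, errno 104) versus a TLS handshake that gets as far as the certificate exchange and then ends in an alert (the serverC case, alert 40). The loopback "reset server" and the label names are constructed assumptions; point `probe()` at a real host and port to classify it.

```python
import socket, ssl, struct, threading

# Outcome labels matching the two openssl s_client runs in the post: serverB dropped the TCP
# connection before any TLS record came back (errno 104, ECONNRESET); serverC completed the
# certificate exchange and then sent alert 40 (handshake_failure).
PEER_CLOSED = "tcp_closed_by_peer"  # nothing speaks TLS there: service down, wrong port, INET not answering
REFUSED = "tcp_refused"
TLS_ALERT = "tls_handshake_alert"   # TLS stack alive, handshake rejected (cipher/client-cert/protocol mismatch)
TLS_OK = "tls_ok"

def classify_exception(exc):
    """Map an exception raised during connect+handshake to one outcome label."""
    if isinstance(exc, (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError)):
        return PEER_CLOSED
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED
    if isinstance(exc, ssl.SSLError):
        # 'reason' is filled in by the C layer (e.g. SSLV3_ALERT_HANDSHAKE_FAILURE); also scan the message
        text = ((getattr(exc, "reason", None) or "") + " " + str(exc)).upper()
        if "EOF" in text:
            return PEER_CLOSED
        if "ALERT" in text or "HANDSHAKE_FAILURE" in text:
            return TLS_ALERT
        return "tls_other"
    return "other:" + type(exc).__name__

def probe(host, port, timeout=5.0):
    """Connect and try a TLS 1.2+ handshake; return (label, protocol, cipher). Verification is off: reachability check, not a trust check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return TLS_OK, tls.version(), tls.cipher()[0]
    except Exception as exc:  # the label is the diagnostic result, so classify instead of crashing
        return classify_exception(exc), None, None

def reset_on_loopback():
    """Constructed stand-in for serverB: accept the TCP connection, then drop it with an RST."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    def serve():
        conn, _ = lsock.accept()
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))  # RST instead of FIN
        conn.close()
        lsock.close()
    threading.Thread(target=serve, daemon=True).start()
    return probe("127.0.0.1", lsock.getsockname()[1], timeout=3.0)  # -> ('tcp_closed_by_peer', None, None)
```

A `tcp_closed_by_peer` result means the TLS layer was never reached, so certificate or cipher settings cannot be the cause; a `tls_handshake_alert` result means the service is up and the mismatch is inside the TLS negotiation.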

Is it expected that Data Protector is using different ports on serverB and serverC?
Can you elaborate on what is crashing on serverB? Any of the services, like CRS? Based on the information, you're either sending queries to the wrong port or INET is not responding properly. I would check for possible services crashing in dmesg and enable INET debugging on serverB. The inet.log and debug.log might have useful traces.
Regards,
Sebastian Koehler