
SSL syslog server with strict client auth


Hello,

I was wondering whether I am doing something wrong, or whether the strict and loose client
auth options in syslog connector 6.1r10 are not working as they should.

So, here goes the story:


- I generated two self signed certificates cert1.pem and cert2.pem

Code:
--------------------

# openssl req -nodes -new -x509 -days 365 -keyout cert1.pem -out cert1.pem
# openssl req -nodes -new -x509 -days 365 -keyout cert2.pem -out cert2.pem

--------------------

- I created trust store with only one of the certs inside

Code:
--------------------

# TruststoreCreator.bat
Enter the file name for the truststore: ts
Enter the password to create truststore:*****
Enter the list of certificates to import (comma seperated): cert1.pem
Created ts successfully

--------------------

- I imported the truststore into syslog event source server.


And now the testing part, which is not working as I expected

- connection with cert1, the one which is in the truststore

Code:
--------------------

# openssl s_client -connect 161.89.25.232:11514 -ssl3 -cert cert1.pem
CONNECTED(00000003)
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify return:1
---
Certificate chain
0 s:/C=US/CN=Novell NSure Audit
i:/C=US/CN=Novell NSure Audit
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/CN=Novell NSure Audit
issuer=/C=US/CN=Novell NSure Audit
---
Acceptable client certificate CA names
/C=PL/ST=""/L=Bydgoszcz/O=Atos/CN=srv-hps-tdpc-linux
---
SSL handshake has read 1066 bytes and written 1195 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 50659BC381FD38D5D085E5ED19C07248B3E69529A98487A8AB36E73D91A9F9D1
Session-ID-ctx:
Master-Key: 71413B718A9A315C0BB938D1E521544BD9A68E648F299E9D396BAB90B625F258B4081DE7B5E77943B9B09DA9833A3464
Key-Arg : None
Start Time: 1348834683
Timeout : 7200 (sec)
Verify return code: 26 (unsupported certificate purpose)
---
^D
DONE

--------------------

above does work, as I expected.
- connection with cert2, the one which is NOT in the truststore

Code:
--------------------

# openssl s_client -connect 161.89.25.232:11514 -ssl3 -cert cert2.pem
CONNECTED(00000003)
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify return:1
3402:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1094:SSL alert number 46
3402:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

--------------------

above does not work, as I expected.
- connection without any client cert

Code:
--------------------

# openssl s_client -connect 161.89.25.232:11514 -ssl3
CONNECTED(00000003)
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify return:1
---
Certificate chain
0 s:/C=US/CN=Novell NSure Audit
i:/C=US/CN=Novell NSure Audit
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/CN=Novell NSure Audit
issuer=/C=US/CN=Novell NSure Audit
---
Acceptable client certificate CA names
/C=PL/ST=""/L=Bydgoszcz/O=Atos/CN=srv-hps-tdpc-linux
---
SSL handshake has read 1066 bytes and written 290 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 50659C7569650612B021BC0F835FDD19A0D6C79FE84BE572375AE86AF54984FD
Session-ID-ctx:
Master-Key: 94523619B9D4F8180EAC0A576A4432E1E8F24813F59F9F368E86000A2973DAD70D72DE7717C08C25CDB4A77348446911
Key-Arg : None
Start Time: 1348834862
Timeout : 7200 (sec)
Verify return code: 26 (unsupported certificate purpose)
---
^D
DONE

--------------------

connection DOES work, how?

The same happens if I select loose client auth and I don't specify any
client cert. The connection also works.
Any hints?

PS.
I dumped ssl handshake; the interesting part highlighted

[image: http://s9.postimage.org/ef2pkchr3/2012_09_28_15h07_23.png]

Bug or not a bug?


--
piotr_chmylkowski
------------------------------------------------------------------------
piotr_chmylkowski's Profile: https://forums.netiq.com/member.php?userid=1605
View this thread: https://forums.netiq.com/showthread.php?t=42653

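Added example, not code from the thread or from the NetIQ syslog connector: the three probes above (cert in the trust store, cert not in the trust store, no cert at all) replayed against a small in-process TLS server that enforces client authentication the way "strict" and "loose" are normally understood: strict is `CERT_REQUIRED` (no cert, or an unknown cert, is refused), loose is `CERT_OPTIONAL` (no cert is accepted, an unknown cert is still refused). The certificates are generated on the fly with the `openssl` CLI, so it assumes an `openssl` binary (1.1.1 or later, for `-addext`) on PATH and Python 3.7 or later; the hostnames, file names and the sample syslog line are constructed for the example.

```python
"""Strict vs loose TLS client authentication, as Python's ssl module enforces it."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed syslog line; the server echoes b"ok" only once its handshake succeeded.
SAMPLE = b"<14>Sep 28 15:07:23 srv-hps-tdpc-linux test: client-auth probe\n"


def make_self_signed(base, cn):
    """Self-signed cert + key (like the poster's `openssl req -x509`); needs `openssl` on PATH.
    Returns (certfile, keyfile). The SAN lets the client verify CN=localhost by name."""
    cert, key = base + ".crt", base + ".key"
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-newkey", "rsa:2048", "-days", "1",
         "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def server_context(server_cert, truststore, strict):
    """strict: the client MUST send a cert that chains to `truststore` (CERT_REQUIRED).
    loose:  a cert is requested; if one is sent it must verify, none at all is fine
            (CERT_OPTIONAL). Either way an unknown cert is refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(*server_cert)
    ctx.load_verify_locations(truststore)
    ctx.verify_mode = ssl.CERT_REQUIRED if strict else ssl.CERT_OPTIONAL
    return ctx


def client_context(server_certfile, client_cert=None):
    """Pins the self-signed server cert as the only trust anchor; optional client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # hostname check + CERT_REQUIRED by default
    ctx.load_verify_locations(server_certfile)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    return ctx


def probe(server_ctx, client_ctx):
    """One connection against an in-process server. "accepted" if application data
    round-trips, "rejected" if the server tore the session down (TLS alert or EOF).
    Checking the data round-trip, not just do_handshake(), matters: under TLS 1.3 the
    client's handshake finishes before the server has even seen its certificate."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        try:
            conn, _ = lsock.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:   # handshake here
                if tls.recv(1024):
                    tls.sendall(b"ok")
        except OSError:   # ssl.SSLError is an OSError: client auth failed, alert was sent
            pass

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(SAMPLE)
            return "accepted" if tls.recv(16) == b"ok" else "rejected"
    except OSError:
        return "rejected"
    finally:
        t.join(5)
        lsock.close()


def run_matrix():
    """The poster's three clients (cert in trust store, cert not in it, no cert)
    against a strict and a loose server. Returns {(mode, client): verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        server = make_self_signed(os.path.join(d, "server"), "localhost")
        cert1 = make_self_signed(os.path.join(d, "cert1"), "cert1")   # goes into the trust store
        cert2 = make_self_signed(os.path.join(d, "cert2"), "cert2")   # does not
        for mode in ("strict", "loose"):
            for client, cc in (("cert1", cert1), ("cert2", cert2), ("none", None)):
                sctx = server_context(server, cert1[0], strict=(mode == "strict"))
                results[(mode, client)] = probe(sctx, client_context(server[0], cc))
    return results


if __name__ == "__main__":
    for (mode, client), verdict in run_matrix().items():
        print(f"{mode:6} client={client:5} -> {verdict}")
```

The row the poster was looking for is strict/none, which comes back "rejected" here; a collector that reports "accepted" there (as the thread describes) is not enforcing client auth at all. Two caveats when reading the `s_client` transcripts above: the `Verify return code: 26 (unsupported certificate purpose)` line is the client's verdict on the server's certificate and says nothing about whether the server accepted the client's; and a current OpenSSL will no longer reproduce those transcripts as typed, since `-ssl3`, a 512-bit server key and a 3DES cipher are all refused at default security levels, so test with `-tls1_2` and a server key of at least 2048 bits.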

Re: SSL syslog server with strict client auth

piotr,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://forums.novell.com/


Re: SSL syslog server with strict client auth


Hi there,

Did you get a solution to your issue? I'm finding this a challenge
too.

Kirk


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=42653


Re: SSL syslog server with strict client auth


kmaule;202197 Wrote:
> Hi there,
>
> Did you get a solution to your issue? I'm finding this a challenge
> too.
>
> Kirk


Hi Kirk,

No, I did not investigate further and, as you can see, no one replied
here.


--
piotr_chmylkowski
------------------------------------------------------------------------
piotr_chmylkowski's Profile: https://forums.netiq.com/member.php?userid=1605
View this thread: https://forums.netiq.com/showthread.php?t=42653


Re: SSL syslog server with strict client auth


What you are observing is bug
https://bugzilla.novell.com/show_bug.cgi?id=719363, which is fixed for the
next release (2011.1r1).


--
satul
------------------------------------------------------------------------
satul's Profile: https://forums.netiq.com/member.php?userid=2543
View this thread: https://forums.netiq.com/showthread.php?t=42653


Re: SSL syslog server with strict client auth

For testing you may want to give
ftp://ftp.novell.com/outgoing/Syslog_2011.1r1-Beta10.cnz.zip a shot,
with the obvious caveat that, by its name, it is still a beta. If that
does not work for you then open an SR and mention the bug from satul.

Good luck.

Re: SSL syslog server with strict client auth


Thanks for replies. I will test the beta connector.

Piotr


--
piotr_chmylkowski
------------------------------------------------------------------------
piotr_chmylkowski's Profile: https://forums.netiq.com/member.php?userid=1605
View this thread: https://forums.netiq.com/showthread.php?t=42653
