<div dir="ltr"><div><div>Hi,<br><br></div>I came across a bug where TLS negotiation is
failing on power pc 64 architecture with the latest release 5.2.2. I
also tested 5.2.0 and the issue is present. But the issue does not show
up with earlier 5.1.1 release. Also this does not happen on x86
architecture.<br><br></div><div>This was tested with OS IMC/IMV by using pt-tls. The client logs (ppc64) are as follows:<br></div> <br>loading IMCs from '/etc/tnc_config'<br>libimcv initialized<br>IMC 1 "OS" initialized<br>processing "/etc/redhat-release" file<br>operating system name is 'Red Hat'<br>operating system version is '7.1 Beta (Maipo) ppc64'<br>IMC 1 "OS" loaded from '/usr/lib64/strongswan/imcvs/<div>imc-os.so'<br>loaded plugins: pt-tls-client curl revocation constraints pem nonce tnc-tnccs tnc-imc tnccs-20 openssl<br>unable to load 9 plugin features (9 due to unmet dependencies)<br>created thread 01 [30359]<br>entering PT-TLS setup phase<br>36 supported TLS cipher suites:<br> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA<br> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256<br> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<br> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<br> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<br> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384<br> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256<br> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br> TLS_DHE_RSA_WITH_AES_128_CBC_SHA<br> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256<br> TLS_DHE_RSA_WITH_AES_256_CBC_SHA<br> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<br> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256<br> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384<br> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA<br> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256<br> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA<br> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256<br> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<br> TLS_RSA_WITH_AES_128_CBC_SHA<br> TLS_RSA_WITH_AES_128_CBC_SHA256<br> TLS_RSA_WITH_AES_256_CBC_SHA<br> TLS_RSA_WITH_AES_256_CBC_SHA256<br> TLS_RSA_WITH_AES_128_GCM_SHA256<br> TLS_RSA_WITH_AES_256_GCM_SHA384<br> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<br> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256<br> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<br> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256<br> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA<br> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA<br> TLS_RSA_WITH_3DES_EDE_CBC_SHA<br>entering PT-TLS negotiation phase<br>sending offer for PT-TLS version 1<br>sending PT-TLS message #0 of type 'Version Request' (20 bytes)<br>sending Server Name Indication for '<a href="http://aaa.strongswan.org" target="_blank">aaa.strongswan.org</a>'<br>sending TLS ClientHello handshake (188 bytes)<br>sending TLS Handshake record (192 bytes)<br>processing TLS Handshake record (1571 bytes)<br>received TLS ServerHello handshake (54 bytes)<br>negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>received TLS Certificate handshake (1066 bytes)<br>received TLS server certificate 'C=CH, O=Linux strongSwan, CN=<a href="http://aaa.strongswan.org" target="_blank">aaa.strongswan.org</a>'<br>received TLS ServerKeyExchange handshake (329 bytes)<br> using certificate "C=CH, O=Linux strongSwan, CN=<a href="http://aaa.strongswan.org" target="_blank">aaa.strongswan.org</a>"<br> certificate "C=CH, O=Linux strongSwan, CN=<a href="http://aaa.strongswan.org" target="_blank">aaa.strongswan.org</a>" key: 2048 bit RSA<br> using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"<br>checking certificate status of "C=CH, O=Linux strongSwan, CN=<a href="http://aaa.strongswan.org" target="_blank">aaa.strongswan.org</a>"<br>ocsp check skipped, no ocsp found<br> fetching crl from '<a href="http://crl.strongswan.org/strongswan.crl" target="_blank">http://crl.strongswan.org/strongswan.crl</a>' ...<br> sending http request to '<a href="http://crl.strongswan.org/strongswan.crl%27." target="_blank">http://crl.strongswan.org/strongswan.crl'.</a>..<br>libcurl http request failed [6]: Could not resolve host: <a href="http://crl.strongswan.org" target="_blank">crl.strongswan.org</a>; Name or service not known<br>crl fetching failed<br>certificate status is not available<br> certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" key: 2048 bit RSA<br> reached self-signed root ca with a path length of 0<br>verified signature with SHA256/RSA<br>received TLS CertificateRequest handshake (102 bytes)<br>received TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA<br>received TLS ServerHelloDone handshake (0 bytes)<br>sending TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting, CN=<a href="mailto:dave@strongswan.org" target="_blank">dave@strongswan.org</a>'<br>sending TLS Certificate handshake (1068 bytes)<br>sending TLS ClientKeyExchange handshake (66 bytes)<br>created signature with SHA256/RSA<br>sending TLS CertificateVerify handshake (260 bytes)<br>sending TLS Handshake record (1406 bytes)<br>sending TLS ChangeCipherSpec record (1 bytes)<br>sending TLS Finished handshake (12 bytes)<br>sending TLS Handshake record (64 bytes)<br>processing TLS ChangeCipherSpec record (1 bytes)<br>processing TLS Handshake record (64 bytes)<br>received TLS Finished handshake (12 bytes)<br>sending TLS ApplicationData record (64 bytes)<br>processing TLS ApplicationData record (64 bytes)<br>=> 20 bytes @ 0x3fffd13fa22d<br> 0: 00 00 00 00 00 00 00 02 00 00 00 14 00 00 00 00 ................<br> 16: 00 00 00 01 ....<br>=> 4 bytes @ 0x3fffd13fa23d<br> 0: 00 00 00 01 ....<br>received PT-TLS message #0 of type 'Version Response' (20 bytes)<br>doing SASL client authentication<br>processing TLS ApplicationData record (64 bytes)<br>=> 16 bytes @ 0x3fffd13fa22d<br> 0: 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00 01 ................<br>received PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)<br>PT-TLS authentication complete<br>entering PT-TLS data transport phase<br>assigned TNCCS Connection ID 1<br>IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh<br> over IF-T for TLS 2.0 with maximum PA-TNC message size of 2097104 bytes<br>IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'<br>operating system numeric version is 7.1<br>last boot: Jan 05 18:39:35 UTC 2015, 74582 s ago<br>IPv4 forwarding is disabled<br>factory default password is disabled<br>failed to open '/var/lib/dbus/machine-id'<br>no device ID available<br>creating PA-TNC message with ID 0x7cd4e2e8<br>creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002<br>=> 12 bytes @ 0x1001c84f110<br> 0: 00 09 08 00 00 52 65 64 20 48 61 74 .....Red Hat<br>creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004<br>=> 25 bytes @ 0x1001c849830<br> 0: 16 37 2E 31 20 42 65 74 61 20 28 4D 61 69 70 6F .7.1 Beta (Maipo<br> 16: 29 20 70 70 63 36 34 00 00 ) ppc64..<br>creating PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003<br>=> 16 bytes @ 0x1001c84d240<br> 0: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................<br>creating PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005<br>=> 24 bytes @ 0x1001c849ba0<br> 0: 03 01 00 00 32 30 31 35 2D 30 31 2D 30 35 54 31 ....2015-01-05T1<br> 16: 38 3A 33 39 3A 33 35 5A 8:39:35Z<br>creating PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b<br>=> 4 bytes @ 0x1001c849c60<br> 0: 00 00 00 00 ....<br>creating PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c<br>=> 4 bytes @ 0x1001c84dcc0<br> 0: 00 00 00 00 ....<br>created PA-TNC message: => 165 bytes @ 0x1001c84f130<br> 0: 01 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 ....|...........<br> 16: 00 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 .........Red Hat<br> 32: 00 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 ...........%.7.1<br> 48: 20 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 Beta (Maipo) pp<br> 64: 63 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 c64.............<br> 80: 1C 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 ................<br> 96: 00 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 ............$...<br> 112: 00 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 .2015-01-05T18:3<br> 128: 39 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 9:35Z...........<br> 144: 10 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 ................<br> 160: 10 00 00 00 00 .....<br>creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001<br>PB-TNC state transition from 'Init' to 'Server Working'<br>creating PB-TNC CDATA batch<br>adding IETF/PB-Language-Preference message<br>adding IETF/PB-PA message<br>sending PB-TNC CDATA batch (228 bytes) for Connection ID 1<br>=> 228 bytes @ 0x1001c849b00<br> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................<br> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu<br> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........<br> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................<br> 64: 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 00 ...|............<br> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.<br> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1<br> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc<br> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............<br> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................<br> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....<br> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39<br> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............<br> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................<br> 224: 00 00 00 00 ....<br>sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)<br>sending TLS ApplicationData record (288 bytes)<br>processing TLS Alert record (48 bytes)<br><b>received fatal TLS alert 'bad record mac'<br></b>sending TLS close notify<br>sending TLS Alert record (48 bytes)<br>IMC 1 "OS" deleted the state of Connection ID 1<br>removed TNCCS Connection ID 1<br>IMC 1 "OS" terminated<br>removed TCG functional component namespace<br>removed ITA-HSR functional component namespace<br>removed IETF attributes<br>removed ITA-HSR attributes<br>removed TCG attributes<br>libimcv terminated<br><br></div><div>Server (x86-64) logs have been attached them with this email.<br><br><div>Please let me know if any other information is required.<br><br></div>Thanks and Regards<br></div><div>Avesh<br></div></div>