[strongSwan-dev] TLS negotiation failing on power pc 64
Avesh Agarwal
avesh.ncsu at gmail.com
Wed Jan 7 19:36:29 CET 2015
Hi,
I investigated this issue further, and I found that it is failing during
signature verification in the following code on the server side in
src/libtls/tls_aead_expl.c:
    if (!this->signer->get_signature(this->signer, assoc, NULL) ||
        !this->signer->verify_signature(this->signer, *data, mac))
    {
        return FALSE;
    }
It seems that the ppc64 client is sending a different signature than what is
expected by the x86_64 server.
The weird part is that it happens only during the following exchange (these
logs have customized debug messages inserted by me). Any
encryption/decryption/signature verification before this exchange works
fine. The culprit seems to be the following assoc structure: 0: 00 00 00 00 00
00 00 02 17 03 03 00 F4 when sent from the ppc64 client.
x86_64 server side logs:
Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after padding: 5.5: => 264 bytes @ 0x7f138e0ec495
Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, mac: 6.25: => 20 bytes @ 0x7f138e0ec589
Jan 7 10:30:22 10[TLS] 0: ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 9E 6F 11 9C .....~h......o..
Jan 7 10:30:22 10[TLS] 16: CE E7 3F AC
Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after mac: 6.5: => 244 bytes @ 0x7f138e0ec495
Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, assoc: 6.75: => 13 bytes @ 0x7f138e0ec350
Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 02 17 03 03 00 F4 ............., 13
Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c: 7
Jan 7 10:30:22 10[TLS] TLS record decryption failed
Jan 7 10:30:22 10[TLS] sending fatal TLS alert 'bad record mac'
ppc64 client side logs:
sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
=> 228 bytes @ 0x1000c66d1d0
sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
encrypt tls_aead_expl.c, before encryption: 1: => 272 bytes @ 0x1000c669bd0
encrypt tls_aead_expl.c, after encryption: 2: => 272 bytes @ 0x1000c669bd0
encrypt tls_aead_expl.c, after IV: 3: => 288 bytes @ 0x1000c66f3f0
sending TLS ApplicationData record (288 bytes)
Just sending some more info assuming it might be helpful in debugging.
Thanks and Regards
Avesh
On Tue, Jan 6, 2015 at 10:51 AM, Avesh Agarwal <avesh.ncsu at gmail.com> wrote:
> Hi,
>
> I came across a bug where TLS negotiation is failing on power pc 64
> architecture with the latest release 5.2.2. I also tested 5.2.0 and the
> issue is present. But the issue does not show up with earlier 5.1.1
> release. Also this does not happen on x86 architecture.
>
> This was tested with OS IMC/IMV by using pt-tls. The client logs (ppc64)
> are as follows:
>
> loading IMCs from '/etc/tnc_config'
> libimcv initialized
> IMC 1 "OS" initialized
> processing "/etc/redhat-release" file
> operating system name is 'Red Hat'
> operating system version is '7.1 Beta (Maipo) ppc64'
> IMC 1 "OS" loaded from '/usr/lib64/strongswan/imcvs/imc-os.so'
> loaded plugins: pt-tls-client curl revocation constraints pem nonce
> tnc-tnccs tnc-imc tnccs-20 openssl
> unable to load 9 plugin features (9 due to unmet dependencies)
> created thread 01 [30359]
> entering PT-TLS setup phase
> 36 supported TLS cipher suites:
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_RSA_WITH_3DES_EDE_CBC_SHA
> entering PT-TLS negotiation phase
> sending offer for PT-TLS version 1
> sending PT-TLS message #0 of type 'Version Request' (20 bytes)
> sending Server Name Indication for 'aaa.strongswan.org'
> sending TLS ClientHello handshake (188 bytes)
> sending TLS Handshake record (192 bytes)
> processing TLS Handshake record (1571 bytes)
> received TLS ServerHello handshake (54 bytes)
> negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> received TLS Certificate handshake (1066 bytes)
> received TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
> received TLS ServerKeyExchange handshake (329 bytes)
> using certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
> certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" key: 2048 bit RSA
> using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> checking certificate status of "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
> ocsp check skipped, no ocsp found
> fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
> sending http request to 'http://crl.strongswan.org/strongswan.crl'...
> libcurl http request failed [6]: Could not resolve host: crl.strongswan.org; Name or service not known
> crl fetching failed
> certificate status is not available
> certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" key: 2048 bit RSA
> reached self-signed root ca with a path length of 0
> verified signature with SHA256/RSA
> received TLS CertificateRequest handshake (102 bytes)
> received TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA
> received TLS ServerHelloDone handshake (0 bytes)
> sending TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave at strongswan.org'
> sending TLS Certificate handshake (1068 bytes)
> sending TLS ClientKeyExchange handshake (66 bytes)
> created signature with SHA256/RSA
> sending TLS CertificateVerify handshake (260 bytes)
> sending TLS Handshake record (1406 bytes)
> sending TLS ChangeCipherSpec record (1 bytes)
> sending TLS Finished handshake (12 bytes)
> sending TLS Handshake record (64 bytes)
> processing TLS ChangeCipherSpec record (1 bytes)
> processing TLS Handshake record (64 bytes)
> received TLS Finished handshake (12 bytes)
> sending TLS ApplicationData record (64 bytes)
> processing TLS ApplicationData record (64 bytes)
> => 20 bytes @ 0x3fffd13fa22d
> 0: 00 00 00 00 00 00 00 02 00 00 00 14 00 00 00 00 ................
> 16: 00 00 00 01 ....
> => 4 bytes @ 0x3fffd13fa23d
> 0: 00 00 00 01 ....
> received PT-TLS message #0 of type 'Version Response' (20 bytes)
> doing SASL client authentication
> processing TLS ApplicationData record (64 bytes)
> => 16 bytes @ 0x3fffd13fa22d
> 0: 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00 01 ................
> received PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
> PT-TLS authentication complete
> entering PT-TLS data transport phase
> assigned TNCCS Connection ID 1
> IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
> over IF-T for TLS 2.0 with maximum PA-TNC message size of 2097104 bytes
> IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'
> operating system numeric version is 7.1
> last boot: Jan 05 18:39:35 UTC 2015, 74582 s ago
> IPv4 forwarding is disabled
> factory default password is disabled
> failed to open '/var/lib/dbus/machine-id'
> no device ID available
> creating PA-TNC message with ID 0x7cd4e2e8
> creating PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
> => 12 bytes @ 0x1001c84f110
> 0: 00 09 08 00 00 52 65 64 20 48 61 74 .....Red Hat
> creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
> => 25 bytes @ 0x1001c849830
> 0: 16 37 2E 31 20 42 65 74 61 20 28 4D 61 69 70 6F .7.1 Beta (Maipo
> 16: 29 20 70 70 63 36 34 00 00 ) ppc64..
> creating PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
> => 16 bytes @ 0x1001c84d240
> 0: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
> creating PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
> => 24 bytes @ 0x1001c849ba0
> 0: 03 01 00 00 32 30 31 35 2D 30 31 2D 30 35 54 31 ....2015-01-05T1
> 16: 38 3A 33 39 3A 33 35 5A 8:39:35Z
> creating PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
> => 4 bytes @ 0x1001c849c60
> 0: 00 00 00 00 ....
> creating PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
> => 4 bytes @ 0x1001c84dcc0
> 0: 00 00 00 00 ....
> created PA-TNC message: => 165 bytes @ 0x1001c84f130
> creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
> PB-TNC state transition from 'Init' to 'Server Working'
> creating PB-TNC CDATA batch
> adding IETF/PB-Language-Preference message
> adding IETF/PB-PA message
> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
> => 228 bytes @ 0x1001c849b00
> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
> sending TLS ApplicationData record (288 bytes)
> processing TLS Alert record (48 bytes)
> *received fatal TLS alert 'bad record mac'*
> sending TLS close notify
> sending TLS Alert record (48 bytes)
> IMC 1 "OS" deleted the state of Connection ID 1
> removed TNCCS Connection ID 1
> IMC 1 "OS" terminated
> removed TCG functional component namespace
> removed ITA-HSR functional component namespace
> removed IETF attributes
> removed ITA-HSR attributes
> removed TCG attributes
> libimcv terminated
>
> Server (x86-64) logs have been attached to this email.
>
> Please let me know if any other information is required.
>
> Thanks and Regards
> Avesh
>
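
Added example, not part of the original message and not strongSwan code: a decoder for the 13-byte assoc header shown in the server log above, laid out as RFC 5246 section 6.2.3.1 defines the MAC input header (seq_num, type, version, length, all big-endian). The struct and function names are hypothetical; the sample bytes are the ones quoted from the log, and the expected type, version and length are taken from the log lines (ApplicationData, TLS 1.2, 244 bytes after MAC removal).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_ASSOC_LEN 13

typedef struct {
    uint64_t seq;      /* implicit per-direction record sequence number */
    uint8_t  type;     /* 0x17 = ApplicationData */
    uint16_t version;  /* 0x0303 = TLS 1.2 */
    uint16_t length;   /* plaintext length, without MAC and padding */
} tls_assoc_t;

/* Bytes quoted from the "assoc: 6.75" line of the server log on this page. */
static const uint8_t LOG_ASSOC[TLS_ASSOC_LEN] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,  /* seq_num */
    0x17,                                            /* type    */
    0x03, 0x03,                                      /* version */
    0x00, 0xF4                                       /* length  */
};

/* Decode byte by byte so the result does not depend on host endianness. */
int tls_assoc_parse(const uint8_t *in, size_t len, tls_assoc_t *a)
{
    if (in == NULL || a == NULL || len != TLS_ASSOC_LEN)
        return -1;
    a->seq = 0;
    for (size_t i = 0; i < 8; i++)
        a->seq = (a->seq << 8) | in[i];
    a->type = in[8];
    a->version = (uint16_t)((in[9] << 8) | in[10]);
    a->length = (uint16_t)((in[11] << 8) | in[12]);
    return 0;
}

/* Encode with explicit shifts: identical output on ppc64 and x86_64. */
void tls_assoc_build(const tls_assoc_t *a, uint8_t out[TLS_ASSOC_LEN])
{
    for (size_t i = 0; i < 8; i++)
        out[i] = (uint8_t)(a->seq >> (56 - 8 * i));
    out[8] = a->type;
    out[9] = (uint8_t)(a->version >> 8);
    out[10] = (uint8_t)(a->version & 0xff);
    out[11] = (uint8_t)(a->length >> 8);
    out[12] = (uint8_t)(a->length & 0xff);
}

/* Returns 1 if the logged header decodes, matches the record the log
 * describes, and re-encodes to the same 13 bytes. */
int log_assoc_is_consistent(void)
{
    tls_assoc_t a;
    uint8_t again[TLS_ASSOC_LEN];

    if (tls_assoc_parse(LOG_ASSOC, sizeof(LOG_ASSOC), &a) != 0)
        return 0;
    tls_assoc_build(&a, again);
    return a.type == 0x17 && a.version == 0x0303 && a.length == 244 &&
           memcmp(again, LOG_ASSOC, TLS_ASSOC_LEN) == 0;
}

int main(void)
{
    tls_assoc_t a;
    if (tls_assoc_parse(LOG_ASSOC, sizeof(LOG_ASSOC), &a) == 0)
        printf("seq=%llu type=0x%02x version=0x%04x length=%u consistent=%d\n",
               (unsigned long long)a.seq, a.type, a.version, a.length,
               log_assoc_is_consistent());
    return 0;
}
```

Running the same decoder on the assoc bytes logged by each peer for the same record shows whether the two sides feed the same header into the MAC.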