[strongSwan-dev] TLS negotiation failing on power pc 64
Avesh Agarwal
avesh.ncsu at gmail.com
Wed Jan 7 20:51:26 CET 2015
Hi,
It seems that sequence number are not being treated correctly on ppc64.
When ppc64 calculated assoc structure, it comes up with: 00 00 00 00 00 00
00 00 17 03 03 00 F5
Whereas x86_64 server is expecting 00 00 00 00 00 00 00 02 17 03 03 00 F5.
And thats why signature verification is falling, because seq number on
ppc64 client calculated for type 17 is 0 whereas on x86_64 it is 2. But yet
to see why this discrepancy is happening at ppc64 client only during this
particular exchange.
Thanks
Avesh
On Wed, Jan 7, 2015 at 1:36 PM, Avesh Agarwal <avesh.ncsu at gmail.com> wrote:
> Hi,
>
> I investigated this issue further, and I found that it is following during
> signature verification in the following code at server side in
> src/libtls/tls_aead_expl.c:
>
> if (!this->signer->get_signature(this->signer, assoc, NULL) ||
> !this->signer->verify_signature(this->signer, *data, mac))
> {
> return FALSE;
> }
>
> It seems that ppc64 client is sending different signature that what is
> expected by x86_64 server.
>
> The weird part is that it happens only during following exchange, (these
> logs have customized debug messages inserted by me) . Any
> encryption/decryption/signature verification before this exchange works
> fine . The culprit seems the following assoc structure: 0: 00 00 00 00 00
> 00 00 02 17 03 03 00 F4 when sent from ppc64 client.
>
> x86_64 server side logs:
>
> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31
> 20 ..........%.7.1
> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70
> 63 Beta (Maipo) ppc
> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00
> 1C 64..............
> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00
> 00 ................
> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00
> 00 ...........$....
> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33
> 39 2015-01-05T18:39
> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00
> 10 :35Z............
> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00
> 10 ................
> Jan 7 10:30:22 10[TLS] 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9 10
> D5 .........~h.....
> Jan 7 10:30:22 10[TLS] 256: 9E 6F 11 9C CE E7 3F AC 07 07 07 07 07 07 07
> 07 .o....?........., 272
> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after padding: 5.5: =>
> 264 bytes @ 0x7f138e0ec495
> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00 00
> 01 ................
> Jan 7 10:30:22 10[TLS] 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00
> 06 ................
> Jan 7 10:30:22 10[TLS] 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67
> 75 ....Accept-Langu
> Jan 7 10:30:22 10[TLS] 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01
> 00 age: en.........
> Jan 7 10:30:22 10[TLS] 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF
> 01 ................
> Jan 7 10:30:22 10[TLS] 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02
> 00 .....^..........
> Jan 7 10:30:22 10[TLS] 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74
> 00 ........Red Hat.
> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31
> 20 ..........%.7.1
> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70
> 63 Beta (Maipo) ppc
> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00
> 1C 64..............
> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00
> 00 ................
> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00
> 00 ...........$....
> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33
> 39 2015-01-05T18:39
> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00
> 10 :35Z............
> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00
> 10 ................
> Jan 7 10:30:22 10[TLS] 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9 10
> D5 .........~h.....
> Jan 7 10:30:22 10[TLS] 256: 9E 6F 11 9C CE E7 3F
> AC .o....?., 264
> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, mac: 6.25: => 20 bytes @
> 0x7f138e0ec589
> Jan 7 10:30:22 10[TLS] 0: ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 9E 6F 11
> 9C .....~h......o..
> Jan 7 10:30:22 10[TLS] 16: CE E7 3F AC
> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after mac: 6.5: => 244
> bytes @ 0x7f138e0ec495
> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00 00
> 01 ................
> Jan 7 10:30:22 10[TLS] 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00
> 06 ................
> Jan 7 10:30:22 10[TLS] 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67
> 75 ....Accept-Langu
> Jan 7 10:30:22 10[TLS] 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01
> 00 age: en.........
> Jan 7 10:30:22 10[TLS] 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF
> 01 ................
> Jan 7 10:30:22 10[TLS] 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02
> 00 .....^..........
> Jan 7 10:30:22 10[TLS] 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74
> 00 ........Red Hat.
> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31
> 20 ..........%.7.1
> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70
> 63 Beta (Maipo) ppc
> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00
> 1C 64..............
> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00
> 00 ................
> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00
> 00 ...........$....
> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33
> 39 2015-01-05T18:39
> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00
> 10 :35Z............
> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00
> 10 ................
> Jan 7 10:30:22 10[TLS] 240: 00 00 00
> 00 ...., 244
> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, assoc: 6.75: => 13 bytes
> @ 0x7f138e0ec350
> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 02 17 03 03 00
> F4 ............., 13
> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c: 7
> Jan 7 10:30:22 10[TLS] TLS record decryption failed
> Jan 7 10:30:22 10[TLS] sending fatal TLS alert 'bad record mac'
>
>
> At ppc64 client side logs:
>
> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
> => 228 bytes @ 0x1000c66d1d0
> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
> 64: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02 00 .....^..........
> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
> 224: 00 00 00 00 ....
> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
> encrypt tls_aead_expl.c, before encryption: 1: => 272 bytes @ 0x1000c669bd0
> 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00 00 01 ................
> 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
> 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
> 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
> 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
> 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02 00 .....^..........
> 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
> 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
> 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
> 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
> 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
> 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
> 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
> 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
> 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
> 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 .........~h.....
> 256: 9E 6F 11 9C CE E7 3F AC 07 07 07 07 07 07 07 07 .o....?.........,
> 272
> encrypt tls_aead_expl.c, after encryption: 2: => 272 bytes @ 0x1000c669bd0
> 0: 12 F6 84 24 74 97 99 02 8F B1 4C 3D 97 CC 33 D7 ...$t.....L=..3.
> 16: A9 04 27 80 28 2B 7B CE 84 97 0B F4 ED DD 23 1F ..'.(+{.......#.
> 32: 98 5C E1 78 E6 03 5E D5 D6 2F DD F9 D5 A1 FB 4A .\.x..^../.....J
> 48: 32 17 43 07 F5 AF 0B FF AD 6B 29 01 E4 29 9C 36 2.C......k)..).6
> 64: AC 2F 2B 0C 97 EE 5F 06 C4 5A A4 AC 0E CF 7E 18 ./+..._..Z....~.
> 80: 0D 86 FA 68 0B CF 67 DC EA 17 49 4E 86 97 39 D3 ...h..g...IN..9.
> 96: 5D 24 E1 93 01 88 C1 ED 3E DA 1C 8D 17 47 2E B8 ]$......>....G..
> 112: 17 44 7E 0F AC 90 B7 B5 84 3E 01 7A D0 4A 13 F9 .D~......>.z.J..
> 128: F1 F8 29 C5 C4 E4 D3 A3 A2 87 43 55 A5 CF 49 5E ..).......CU..I^
> 144: 23 53 8A FE 1D 48 CF B8 C4 D3 4F F5 BB B5 BF EB #S...H....O.....
> 160: 02 6C E6 74 81 0F C4 69 A8 EC 17 DD 26 CF 61 AF .l.t...i....&.a.
> 176: 75 DC 96 A1 23 A0 1C A7 5E 0E 91 43 77 F2 69 EA u...#...^..Cw.i.
> 192: 70 C6 2A 24 9B 8B 22 7A 12 58 03 09 9D 65 A6 19 p.*$.."z.X...e..
> 208: 14 AD 15 E7 F5 A1 4B C8 93 D8 59 41 76 45 AE 5A ......K...YAvE.Z
> 224: 63 73 A7 A4 FA 1D 53 8E F9 32 7F 58 32 7A 1E 66 cs....S..2.X2z.f
> 240: A5 65 25 44 93 D8 57 27 5F CA 39 01 85 79 15 C3 .e%D..W'_.9..y..
> 256: 04 F5 4A D9 90 9E 01 C8 DC 66 64 DA E5 86 FC FB ..J......fd.....,
> 272
> encrypt tls_aead_expl.c, after IV: 3: => 288 bytes @ 0x1000c66f3f0
> 0: 71 58 04 43 29 B9 1C 01 27 95 6D AA D5 C2 9F 07 qX.C)...'.m.....
> 16: 12 F6 84 24 74 97 99 02 8F B1 4C 3D 97 CC 33 D7 ...$t.....L=..3.
> 32: A9 04 27 80 28 2B 7B CE 84 97 0B F4 ED DD 23 1F ..'.(+{.......#.
> 48: 98 5C E1 78 E6 03 5E D5 D6 2F DD F9 D5 A1 FB 4A .\.x..^../.....J
> 64: 32 17 43 07 F5 AF 0B FF AD 6B 29 01 E4 29 9C 36 2.C......k)..).6
> 80: AC 2F 2B 0C 97 EE 5F 06 C4 5A A4 AC 0E CF 7E 18 ./+..._..Z....~.
> 96: 0D 86 FA 68 0B CF 67 DC EA 17 49 4E 86 97 39 D3 ...h..g...IN..9.
> 112: 5D 24 E1 93 01 88 C1 ED 3E DA 1C 8D 17 47 2E B8 ]$......>....G..
> 128: 17 44 7E 0F AC 90 B7 B5 84 3E 01 7A D0 4A 13 F9 .D~......>.z.J..
> 144: F1 F8 29 C5 C4 E4 D3 A3 A2 87 43 55 A5 CF 49 5E ..).......CU..I^
> 160: 23 53 8A FE 1D 48 CF B8 C4 D3 4F F5 BB B5 BF EB #S...H....O.....
> 176: 02 6C E6 74 81 0F C4 69 A8 EC 17 DD 26 CF 61 AF .l.t...i....&.a.
> 192: 75 DC 96 A1 23 A0 1C A7 5E 0E 91 43 77 F2 69 EA u...#...^..Cw.i.
> 208: 70 C6 2A 24 9B 8B 22 7A 12 58 03 09 9D 65 A6 19 p.*$.."z.X...e..
> 224: 14 AD 15 E7 F5 A1 4B C8 93 D8 59 41 76 45 AE 5A ......K...YAvE.Z
> 240: 63 73 A7 A4 FA 1D 53 8E F9 32 7F 58 32 7A 1E 66 cs....S..2.X2z.f
> 256: A5 65 25 44 93 D8 57 27 5F CA 39 01 85 79 15 C3 .e%D..W'_.9..y..
> 272: 04 F5 4A D9 90 9E 01 C8 DC 66 64 DA E5 86 FC FB ..J......fd.....,
> 288
> sending TLS ApplicationData record (288 bytes)
>
> Just sending some more info assuming it might be helpful in debugging.
>
> Thanks and Regards
> Avesh
>
> On Tue, Jan 6, 2015 at 10:51 AM, Avesh Agarwal <avesh.ncsu at gmail.com>
> wrote:
>
>> Hi,
>>
>> I came across a bug where TLS negotiation is failing on power pc 64
>> architecture with the latest release 5.2.2. I also tested 5.2.0 and the
>> issue is present. But the issue does not show up with earlier 5.1.1
>> release. Also this does not happen on x86 architecture.
>>
>> This was tested with OS IMC/IMV by using pt-tls. The client logs (ppc64)
>> are as follows:
>>
>> loading IMCs from '/etc/tnc_config'
>> libimcv initialized
>> IMC 1 "OS" initialized
>> processing "/etc/redhat-release" file
>> operating system name is 'Red Hat'
>> operating system version is '7.1 Beta (Maipo) ppc64'
>> IMC 1 "OS" loaded from '/usr/lib64/strongswan/imcvs/
>> imc-os.so'
>> loaded plugins: pt-tls-client curl revocation constraints pem nonce
>> tnc-tnccs tnc-imc tnccs-20 openssl
>> unable to load 9 plugin features (9 due to unmet dependencies)
>> created thread 01 [30359]
>> entering PT-TLS setup phase
>> 36 supported TLS cipher suites:
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
>> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> TLS_RSA_WITH_AES_128_CBC_SHA
>> TLS_RSA_WITH_AES_128_CBC_SHA256
>> TLS_RSA_WITH_AES_256_CBC_SHA
>> TLS_RSA_WITH_AES_256_CBC_SHA256
>> TLS_RSA_WITH_AES_128_GCM_SHA256
>> TLS_RSA_WITH_AES_256_GCM_SHA384
>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
>> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA
>> entering PT-TLS negotiation phase
>> sending offer for PT-TLS version 1
>> sending PT-TLS message #0 of type 'Version Request' (20 bytes)
>> sending Server Name Indication for 'aaa.strongswan.org'
>> sending TLS ClientHello handshake (188 bytes)
>> sending TLS Handshake record (192 bytes)
>> processing TLS Handshake record (1571 bytes)
>> received TLS ServerHello handshake (54 bytes)
>> negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> received TLS Certificate handshake (1066 bytes)
>> received TLS server certificate 'C=CH, O=Linux strongSwan, CN=
>> aaa.strongswan.org'
>> received TLS ServerKeyExchange handshake (329 bytes)
>> using certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
>> certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" key:
>> 2048 bit RSA
>> using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan
>> Root CA"
>> checking certificate status of "C=CH, O=Linux strongSwan, CN=
>> aaa.strongswan.org"
>> ocsp check skipped, no ocsp found
>> fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
>> sending http request to 'http://crl.strongswan.org/strongswan.crl'...
>> libcurl http request failed [6]: Could not resolve host:
>> crl.strongswan.org; Name or service not known
>> crl fetching failed
>> certificate status is not available
>> certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" key: 2048
>> bit RSA
>> reached self-signed root ca with a path length of 0
>> verified signature with SHA256/RSA
>> received TLS CertificateRequest handshake (102 bytes)
>> received TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan
>> Root CA
>> received TLS ServerHelloDone handshake (0 bytes)
>> sending TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting, CN=
>> dave at strongswan.org'
>> sending TLS Certificate handshake (1068 bytes)
>> sending TLS ClientKeyExchange handshake (66 bytes)
>> created signature with SHA256/RSA
>> sending TLS CertificateVerify handshake (260 bytes)
>> sending TLS Handshake record (1406 bytes)
>> sending TLS ChangeCipherSpec record (1 bytes)
>> sending TLS Finished handshake (12 bytes)
>> sending TLS Handshake record (64 bytes)
>> processing TLS ChangeCipherSpec record (1 bytes)
>> processing TLS Handshake record (64 bytes)
>> received TLS Finished handshake (12 bytes)
>> sending TLS ApplicationData record (64 bytes)
>> processing TLS ApplicationData record (64 bytes)
>> => 20 bytes @ 0x3fffd13fa22d
>> 0: 00 00 00 00 00 00 00 02 00 00 00 14 00 00 00 00 ................
>> 16: 00 00 00 01 ....
>> => 4 bytes @ 0x3fffd13fa23d
>> 0: 00 00 00 01 ....
>> received PT-TLS message #0 of type 'Version Response' (20 bytes)
>> doing SASL client authentication
>> processing TLS ApplicationData record (64 bytes)
>> => 16 bytes @ 0x3fffd13fa22d
>> 0: 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00 01 ................
>> received PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
>> PT-TLS authentication complete
>> entering PT-TLS data transport phase
>> assigned TNCCS Connection ID 1
>> IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl
>> -soh
>> over IF-T for TLS 2.0 with maximum PA-TNC message size of 2097104 bytes
>> IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'
>> operating system numeric version is 7.1
>> last boot: Jan 05 18:39:35 UTC 2015, 74582 s ago
>> IPv4 forwarding is disabled
>> factory default password is disabled
>> failed to open '/var/lib/dbus/machine-id'
>> no device ID available
>> creating PA-TNC message with ID 0x7cd4e2e8
>> creating PA-TNC attribute type 'IETF/Product Information'
>> 0x000000/0x00000002
>> => 12 bytes @ 0x1001c84f110
>> 0: 00 09 08 00 00 52 65 64 20 48 61 74 .....Red Hat
>> creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
>> => 25 bytes @ 0x1001c849830
>> 0: 16 37 2E 31 20 42 65 74 61 20 28 4D 61 69 70 6F .7.1 Beta (Maipo
>> 16: 29 20 70 70 63 36 34 00 00 ) ppc64..
>> creating PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
>> => 16 bytes @ 0x1001c84d240
>> 0: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>> creating PA-TNC attribute type 'IETF/Operational Status'
>> 0x000000/0x00000005
>> => 24 bytes @ 0x1001c849ba0
>> 0: 03 01 00 00 32 30 31 35 2D 30 31 2D 30 35 54 31 ....2015-01-05T1
>> 16: 38 3A 33 39 3A 33 35 5A 8:39:35Z
>> creating PA-TNC attribute type 'IETF/Forwarding Enabled'
>> 0x000000/0x0000000b
>> => 4 bytes @ 0x1001c849c60
>> 0: 00 00 00 00 ....
>> creating PA-TNC attribute type 'IETF/Factory Default Password Enabled'
>> 0x000000/0x0000000c
>> => 4 bytes @ 0x1001c84dcc0
>> 0: 00 00 00 00 ....
>> created PA-TNC message: => 165 bytes @ 0x1001c84f130
>> 0: 01 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 ....|...........
>> 16: 00 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 .........Red Hat
>> 32: 00 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 ...........%.7.1
>> 48: 20 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 Beta (Maipo) pp
>> 64: 63 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 c64.............
>> 80: 1C 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 ................
>> 96: 00 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 ............$...
>> 112: 00 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 .2015-01-05T18:3
>> 128: 39 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 9:35Z...........
>> 144: 10 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 ................
>> 160: 10 00 00 00 00 .....
>> creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
>> PB-TNC state transition from 'Init' to 'Server Working'
>> creating PB-TNC CDATA batch
>> adding IETF/PB-Language-Preference message
>> adding IETF/PB-PA message
>> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
>> => 228 bytes @ 0x1001c849b00
>> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>> 64: 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 00 ...|............
>> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>> 224: 00 00 00 00 ....
>> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
>> sending TLS ApplicationData record (288 bytes)
>> processing TLS Alert record (48 bytes)
>>
>> *received fatal TLS alert 'bad record mac'*sending TLS close notify
>> sending TLS Alert record (48 bytes)
>> IMC 1 "OS" deleted the state of Connection ID 1
>> removed TNCCS Connection ID 1
>> IMC 1 "OS" terminated
>> removed TCG functional component namespace
>> removed ITA-HSR functional component namespace
>> removed IETF attributes
>> removed ITA-HSR attributes
>> removed TCG attributes
>> libimcv terminated
>>
>> Server (x86-64) logs have been attached them with this email.
>>
>> Please let me know if any other information is required.
>>
>> Thanks and Regards
>> Avesh
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150107/ddaf07c0/attachment-0001.html>
More information about the Dev
mailing list