[strongSwan-dev] TLS negotiation failing on power pc 64
Avesh Agarwal
avesh.ncsu at gmail.com
Wed Jan 7 23:12:26 CET 2015
Hi,
I think that the issue is NOT 64 bit sequence number on ppc64 but the
following comparison in the code:
if (*type == TLS_CHANGE_CIPHER_SPEC)
{
this->seq_out = 0;
return status;
}
It seems that at some point the above if clause is being true only on ppc64
even though there is no TLS_CHANGE_CIPHER_SPEC being sent. It causes the
sequence number to set to 0 from 2 but at the receiver side, sequence
number 2 is expected and failure occurs.
Thanks
Avesh
On Wed, Jan 7, 2015 at 3:35 PM, Avesh Agarwal <avesh.ncsu at gmail.com> wrote:
> Hi,
>
> The issue seems to be happening on ppc64 TLS client or server due to the
> switch to 64 bit sequence number from 32 bit sequence in earlier releases.
>
> Thanks
> Avesh
>
> On Wed, Jan 7, 2015 at 2:51 PM, Avesh Agarwal <avesh.ncsu at gmail.com>
> wrote:
>
>> Hi,
>>
>> It seems that sequence number are not being treated correctly on ppc64.
>> When ppc64 calculated assoc structure, it comes up with: 00 00 00 00 00 00
>> 00 00 17 03 03 00 F5
>>
>> Whereas x86_64 server is expecting 00 00 00 00 00 00 00 02 17 03 03 00 F5.
>>
>> And thats why signature verification is falling, because seq number on
>> ppc64 client calculated for type 17 is 0 whereas on x86_64 it is 2. But yet
>> to see why this discrepancy is happening at ppc64 client only during this
>> particular exchange.
>>
>> Thanks
>> Avesh
>>
>> On Wed, Jan 7, 2015 at 1:36 PM, Avesh Agarwal <avesh.ncsu at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I investigated this issue further, and I found that it is following
>>> during signature verification in the following code at server side in
>>> src/libtls/tls_aead_expl.c:
>>>
>>> if (!this->signer->get_signature(this->signer, assoc, NULL) ||
>>> !this->signer->verify_signature(this->signer, *data,
>>> mac))
>>> {
>>> return FALSE;
>>> }
>>>
>>> It seems that ppc64 client is sending different signature that what is
>>> expected by x86_64 server.
>>>
>>> The weird part is that it happens only during following exchange, (these
>>> logs have customized debug messages inserted by me) . Any
>>> encryption/decryption/signature verification before this exchange works
>>> fine . The culprit seems the following assoc structure: 0: 00 00 00 00 00
>>> 00 00 02 17 03 03 00 F4 when sent from ppc64 client.
>>>
>>> x86_64 server side logs:
>>>
>>> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E
>>> 31 20 ..........%.7.1
>>> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70
>>> 70 63 Beta (Maipo) ppc
>>> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00
>>> 00 1C 64..............
>>> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00
>>> 00 00 ................
>>> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01
>>> 00 00 ...........$....
>>> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A
>>> 33 39 2015-01-05T18:39
>>> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00
>>> 00 10 :35Z............
>>> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00
>>> 00 10 ................
>>> Jan 7 10:30:22 10[TLS] 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9
>>> 10 D5 .........~h.....
>>> Jan 7 10:30:22 10[TLS] 256: 9E 6F 11 9C CE E7 3F AC 07 07 07 07 07 07
>>> 07 07 .o....?........., 272
>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after padding: 5.5: =>
>>> 264 bytes @ 0x7f138e0ec495
>>> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00
>>> 00 01 ................
>>> Jan 7 10:30:22 10[TLS] 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00
>>> 00 06 ................
>>> Jan 7 10:30:22 10[TLS] 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E
>>> 67 75 ....Accept-Langu
>>> Jan 7 10:30:22 10[TLS] 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00
>>> 01 00 age: en.........
>>> Jan 7 10:30:22 10[TLS] 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF
>>> FF 01 ................
>>> Jan 7 10:30:22 10[TLS] 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00
>>> 02 00 .....^..........
>>> Jan 7 10:30:22 10[TLS] 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61
>>> 74 00 ........Red Hat.
>>> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E
>>> 31 20 ..........%.7.1
>>> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70
>>> 70 63 Beta (Maipo) ppc
>>> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00
>>> 00 1C 64..............
>>> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00
>>> 00 00 ................
>>> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01
>>> 00 00 ...........$....
>>> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A
>>> 33 39 2015-01-05T18:39
>>> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00
>>> 00 10 :35Z............
>>> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00
>>> 00 10 ................
>>> Jan 7 10:30:22 10[TLS] 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9
>>> 10 D5 .........~h.....
>>> Jan 7 10:30:22 10[TLS] 256: 9E 6F 11 9C CE E7 3F
>>> AC .o....?., 264
>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, mac: 6.25: => 20 bytes
>>> @ 0x7f138e0ec589
>>> Jan 7 10:30:22 10[TLS] 0: ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 9E 6F
>>> 11 9C .....~h......o..
>>> Jan 7 10:30:22 10[TLS] 16: CE E7 3F AC
>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after mac: 6.5: => 244
>>> bytes @ 0x7f138e0ec495
>>> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00
>>> 00 01 ................
>>> Jan 7 10:30:22 10[TLS] 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00
>>> 00 06 ................
>>> Jan 7 10:30:22 10[TLS] 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E
>>> 67 75 ....Accept-Langu
>>> Jan 7 10:30:22 10[TLS] 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00
>>> 01 00 age: en.........
>>> Jan 7 10:30:22 10[TLS] 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF
>>> FF 01 ................
>>> Jan 7 10:30:22 10[TLS] 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00
>>> 02 00 .....^..........
>>> Jan 7 10:30:22 10[TLS] 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61
>>> 74 00 ........Red Hat.
>>> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E
>>> 31 20 ..........%.7.1
>>> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70
>>> 70 63 Beta (Maipo) ppc
>>> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00
>>> 00 1C 64..............
>>> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00
>>> 00 00 ................
>>> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01
>>> 00 00 ...........$....
>>> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A
>>> 33 39 2015-01-05T18:39
>>> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00
>>> 00 10 :35Z............
>>> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00
>>> 00 10 ................
>>> Jan 7 10:30:22 10[TLS] 240: 00 00 00
>>> 00 ...., 244
>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, assoc: 6.75: => 13
>>> bytes @ 0x7f138e0ec350
>>> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 02 17 03 03 00
>>> F4 ............., 13
>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c: 7
>>> Jan 7 10:30:22 10[TLS] TLS record decryption failed
>>> Jan 7 10:30:22 10[TLS] sending fatal TLS alert 'bad record mac'
>>>
>>>
>>> At ppc64 client side logs:
>>>
>>> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
>>> => 228 bytes @ 0x1000c66d1d0
>>> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>>> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>>> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>>> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>>> 64: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02 00 .....^..........
>>> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>>> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>>> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>>> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>>> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>>> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>>> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>>> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>>> 224: 00 00 00 00 ....
>>> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
>>> encrypt tls_aead_expl.c, before encryption: 1: => 272 bytes @
>>> 0x1000c669bd0
>>> 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00 00 01 ................
>>> 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>>> 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>>> 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>>> 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>>> 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02 00 .....^..........
>>> 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>>> 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>>> 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>>> 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>>> 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>> 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>>> 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>>> 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>>> 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>>> 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 .........~h.....
>>> 256: 9E 6F 11 9C CE E7 3F AC 07 07 07 07 07 07 07 07 .o....?.........,
>>> 272
>>> encrypt tls_aead_expl.c, after encryption: 2: => 272 bytes @
>>> 0x1000c669bd0
>>> 0: 12 F6 84 24 74 97 99 02 8F B1 4C 3D 97 CC 33 D7 ...$t.....L=..3.
>>> 16: A9 04 27 80 28 2B 7B CE 84 97 0B F4 ED DD 23 1F ..'.(+{.......#.
>>> 32: 98 5C E1 78 E6 03 5E D5 D6 2F DD F9 D5 A1 FB 4A .\.x..^../.....J
>>> 48: 32 17 43 07 F5 AF 0B FF AD 6B 29 01 E4 29 9C 36 2.C......k)..).6
>>> 64: AC 2F 2B 0C 97 EE 5F 06 C4 5A A4 AC 0E CF 7E 18 ./+..._..Z....~.
>>> 80: 0D 86 FA 68 0B CF 67 DC EA 17 49 4E 86 97 39 D3 ...h..g...IN..9.
>>> 96: 5D 24 E1 93 01 88 C1 ED 3E DA 1C 8D 17 47 2E B8 ]$......>....G..
>>> 112: 17 44 7E 0F AC 90 B7 B5 84 3E 01 7A D0 4A 13 F9 .D~......>.z.J..
>>> 128: F1 F8 29 C5 C4 E4 D3 A3 A2 87 43 55 A5 CF 49 5E ..).......CU..I^
>>> 144: 23 53 8A FE 1D 48 CF B8 C4 D3 4F F5 BB B5 BF EB #S...H....O.....
>>> 160: 02 6C E6 74 81 0F C4 69 A8 EC 17 DD 26 CF 61 AF .l.t...i....&.a.
>>> 176: 75 DC 96 A1 23 A0 1C A7 5E 0E 91 43 77 F2 69 EA u...#...^..Cw.i.
>>> 192: 70 C6 2A 24 9B 8B 22 7A 12 58 03 09 9D 65 A6 19 p.*$.."z.X...e..
>>> 208: 14 AD 15 E7 F5 A1 4B C8 93 D8 59 41 76 45 AE 5A ......K...YAvE.Z
>>> 224: 63 73 A7 A4 FA 1D 53 8E F9 32 7F 58 32 7A 1E 66 cs....S..2.X2z.f
>>> 240: A5 65 25 44 93 D8 57 27 5F CA 39 01 85 79 15 C3 .e%D..W'_.9..y..
>>> 256: 04 F5 4A D9 90 9E 01 C8 DC 66 64 DA E5 86 FC FB ..J......fd.....,
>>> 272
>>> encrypt tls_aead_expl.c, after IV: 3: => 288 bytes @ 0x1000c66f3f0
>>> 0: 71 58 04 43 29 B9 1C 01 27 95 6D AA D5 C2 9F 07 qX.C)...'.m.....
>>> 16: 12 F6 84 24 74 97 99 02 8F B1 4C 3D 97 CC 33 D7 ...$t.....L=..3.
>>> 32: A9 04 27 80 28 2B 7B CE 84 97 0B F4 ED DD 23 1F ..'.(+{.......#.
>>> 48: 98 5C E1 78 E6 03 5E D5 D6 2F DD F9 D5 A1 FB 4A .\.x..^../.....J
>>> 64: 32 17 43 07 F5 AF 0B FF AD 6B 29 01 E4 29 9C 36 2.C......k)..).6
>>> 80: AC 2F 2B 0C 97 EE 5F 06 C4 5A A4 AC 0E CF 7E 18 ./+..._..Z....~.
>>> 96: 0D 86 FA 68 0B CF 67 DC EA 17 49 4E 86 97 39 D3 ...h..g...IN..9.
>>> 112: 5D 24 E1 93 01 88 C1 ED 3E DA 1C 8D 17 47 2E B8 ]$......>....G..
>>> 128: 17 44 7E 0F AC 90 B7 B5 84 3E 01 7A D0 4A 13 F9 .D~......>.z.J..
>>> 144: F1 F8 29 C5 C4 E4 D3 A3 A2 87 43 55 A5 CF 49 5E ..).......CU..I^
>>> 160: 23 53 8A FE 1D 48 CF B8 C4 D3 4F F5 BB B5 BF EB #S...H....O.....
>>> 176: 02 6C E6 74 81 0F C4 69 A8 EC 17 DD 26 CF 61 AF .l.t...i....&.a.
>>> 192: 75 DC 96 A1 23 A0 1C A7 5E 0E 91 43 77 F2 69 EA u...#...^..Cw.i.
>>> 208: 70 C6 2A 24 9B 8B 22 7A 12 58 03 09 9D 65 A6 19 p.*$.."z.X...e..
>>> 224: 14 AD 15 E7 F5 A1 4B C8 93 D8 59 41 76 45 AE 5A ......K...YAvE.Z
>>> 240: 63 73 A7 A4 FA 1D 53 8E F9 32 7F 58 32 7A 1E 66 cs....S..2.X2z.f
>>> 256: A5 65 25 44 93 D8 57 27 5F CA 39 01 85 79 15 C3 .e%D..W'_.9..y..
>>> 272: 04 F5 4A D9 90 9E 01 C8 DC 66 64 DA E5 86 FC FB ..J......fd.....,
>>> 288
>>> sending TLS ApplicationData record (288 bytes)
>>>
>>> Just sending some more info assuming it might be helpful in debugging.
>>>
>>> Thanks and Regards
>>> Avesh
>>>
>>> On Tue, Jan 6, 2015 at 10:51 AM, Avesh Agarwal <avesh.ncsu at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I came across a bug where TLS negotiation is failing on power pc 64
>>>> architecture with the latest release 5.2.2. I also tested 5.2.0 and the
>>>> issue is present. But the issue does not show up with earlier 5.1.1
>>>> release. Also this does not happen on x86 architecture.
>>>>
>>>> This was tested with OS IMC/IMV by using pt-tls. The client logs
>>>> (ppc64) are as follows:
>>>>
>>>> loading IMCs from '/etc/tnc_config'
>>>> libimcv initialized
>>>> IMC 1 "OS" initialized
>>>> processing "/etc/redhat-release" file
>>>> operating system name is 'Red Hat'
>>>> operating system version is '7.1 Beta (Maipo) ppc64'
>>>> IMC 1 "OS" loaded from '/usr/lib64/strongswan/imcvs/
>>>> imc-os.so'
>>>> loaded plugins: pt-tls-client curl revocation constraints pem nonce
>>>> tnc-tnccs tnc-imc tnccs-20 openssl
>>>> unable to load 9 plugin features (9 due to unmet dependencies)
>>>> created thread 01 [30359]
>>>> entering PT-TLS setup phase
>>>> 36 supported TLS cipher suites:
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
>>>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
>>>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>>>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
>>>> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>> TLS_RSA_WITH_AES_128_CBC_SHA
>>>> TLS_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_RSA_WITH_AES_256_CBC_SHA256
>>>> TLS_RSA_WITH_AES_128_GCM_SHA256
>>>> TLS_RSA_WITH_AES_256_GCM_SHA384
>>>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>>>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
>>>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
>>>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
>>>> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>> TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>>> entering PT-TLS negotiation phase
>>>> sending offer for PT-TLS version 1
>>>> sending PT-TLS message #0 of type 'Version Request' (20 bytes)
>>>> sending Server Name Indication for 'aaa.strongswan.org'
>>>> sending TLS ClientHello handshake (188 bytes)
>>>> sending TLS Handshake record (192 bytes)
>>>> processing TLS Handshake record (1571 bytes)
>>>> received TLS ServerHello handshake (54 bytes)
>>>> negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>> received TLS Certificate handshake (1066 bytes)
>>>> received TLS server certificate 'C=CH, O=Linux strongSwan, CN=
>>>> aaa.strongswan.org'
>>>> received TLS ServerKeyExchange handshake (329 bytes)
>>>> using certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
>>>> certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" key:
>>>> 2048 bit RSA
>>>> using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan
>>>> Root CA"
>>>> checking certificate status of "C=CH, O=Linux strongSwan, CN=
>>>> aaa.strongswan.org"
>>>> ocsp check skipped, no ocsp found
>>>> fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
>>>> sending http request to 'http://crl.strongswan.org/strongswan.crl'...
>>>> libcurl http request failed [6]: Could not resolve host:
>>>> crl.strongswan.org; Name or service not known
>>>> crl fetching failed
>>>> certificate status is not available
>>>> certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" key:
>>>> 2048 bit RSA
>>>> reached self-signed root ca with a path length of 0
>>>> verified signature with SHA256/RSA
>>>> received TLS CertificateRequest handshake (102 bytes)
>>>> received TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan
>>>> Root CA
>>>> received TLS ServerHelloDone handshake (0 bytes)
>>>> sending TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting,
>>>> CN=dave at strongswan.org'
>>>> sending TLS Certificate handshake (1068 bytes)
>>>> sending TLS ClientKeyExchange handshake (66 bytes)
>>>> created signature with SHA256/RSA
>>>> sending TLS CertificateVerify handshake (260 bytes)
>>>> sending TLS Handshake record (1406 bytes)
>>>> sending TLS ChangeCipherSpec record (1 bytes)
>>>> sending TLS Finished handshake (12 bytes)
>>>> sending TLS Handshake record (64 bytes)
>>>> processing TLS ChangeCipherSpec record (1 bytes)
>>>> processing TLS Handshake record (64 bytes)
>>>> received TLS Finished handshake (12 bytes)
>>>> sending TLS ApplicationData record (64 bytes)
>>>> processing TLS ApplicationData record (64 bytes)
>>>> => 20 bytes @ 0x3fffd13fa22d
>>>> 0: 00 00 00 00 00 00 00 02 00 00 00 14 00 00 00 00 ................
>>>> 16: 00 00 00 01 ....
>>>> => 4 bytes @ 0x3fffd13fa23d
>>>> 0: 00 00 00 01 ....
>>>> received PT-TLS message #0 of type 'Version Response' (20 bytes)
>>>> doing SASL client authentication
>>>> processing TLS ApplicationData record (64 bytes)
>>>> => 16 bytes @ 0x3fffd13fa22d
>>>> 0: 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00 01 ................
>>>> received PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
>>>> PT-TLS authentication complete
>>>> entering PT-TLS data transport phase
>>>> assigned TNCCS Connection ID 1
>>>> IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long
>>>> +excl -soh
>>>> over IF-T for TLS 2.0 with maximum PA-TNC message size of 2097104
>>>> bytes
>>>> IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'
>>>> operating system numeric version is 7.1
>>>> last boot: Jan 05 18:39:35 UTC 2015, 74582 s ago
>>>> IPv4 forwarding is disabled
>>>> factory default password is disabled
>>>> failed to open '/var/lib/dbus/machine-id'
>>>> no device ID available
>>>> creating PA-TNC message with ID 0x7cd4e2e8
>>>> creating PA-TNC attribute type 'IETF/Product Information'
>>>> 0x000000/0x00000002
>>>> => 12 bytes @ 0x1001c84f110
>>>> 0: 00 09 08 00 00 52 65 64 20 48 61 74 .....Red Hat
>>>> creating PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
>>>> => 25 bytes @ 0x1001c849830
>>>> 0: 16 37 2E 31 20 42 65 74 61 20 28 4D 61 69 70 6F .7.1 Beta (Maipo
>>>> 16: 29 20 70 70 63 36 34 00 00 ) ppc64..
>>>> creating PA-TNC attribute type 'IETF/Numeric Version'
>>>> 0x000000/0x00000003
>>>> => 16 bytes @ 0x1001c84d240
>>>> 0: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>>> creating PA-TNC attribute type 'IETF/Operational Status'
>>>> 0x000000/0x00000005
>>>> => 24 bytes @ 0x1001c849ba0
>>>> 0: 03 01 00 00 32 30 31 35 2D 30 31 2D 30 35 54 31 ....2015-01-05T1
>>>> 16: 38 3A 33 39 3A 33 35 5A 8:39:35Z
>>>> creating PA-TNC attribute type 'IETF/Forwarding Enabled'
>>>> 0x000000/0x0000000b
>>>> => 4 bytes @ 0x1001c849c60
>>>> 0: 00 00 00 00 ....
>>>> creating PA-TNC attribute type 'IETF/Factory Default Password Enabled'
>>>> 0x000000/0x0000000c
>>>> => 4 bytes @ 0x1001c84dcc0
>>>> 0: 00 00 00 00 ....
>>>> created PA-TNC message: => 165 bytes @ 0x1001c84f130
>>>> 0: 01 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 ....|...........
>>>> 16: 00 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 .........Red Hat
>>>> 32: 00 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 ...........%.7.1
>>>> 48: 20 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 Beta (Maipo) pp
>>>> 64: 63 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 c64.............
>>>> 80: 1C 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 ................
>>>> 96: 00 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 ............$...
>>>> 112: 00 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 .2015-01-05T18:3
>>>> 128: 39 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 9:35Z...........
>>>> 144: 10 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 ................
>>>> 160: 10 00 00 00 00 .....
>>>> creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
>>>> PB-TNC state transition from 'Init' to 'Server Working'
>>>> creating PB-TNC CDATA batch
>>>> adding IETF/PB-Language-Preference message
>>>> adding IETF/PB-PA message
>>>> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
>>>> => 228 bytes @ 0x1001c849b00
>>>> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>>>> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>>>> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>>>> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>>>> 64: 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 00 ...|............
>>>> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>>>> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>>>> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>>>> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>>>> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>>> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>>>> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>>>> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>>>> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>>>> 224: 00 00 00 00 ....
>>>> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
>>>> sending TLS ApplicationData record (288 bytes)
>>>> processing TLS Alert record (48 bytes)
>>>>
>>>> *received fatal TLS alert 'bad record mac'*sending TLS close notify
>>>> sending TLS Alert record (48 bytes)
>>>> IMC 1 "OS" deleted the state of Connection ID 1
>>>> removed TNCCS Connection ID 1
>>>> IMC 1 "OS" terminated
>>>> removed TCG functional component namespace
>>>> removed ITA-HSR functional component namespace
>>>> removed IETF attributes
>>>> removed ITA-HSR attributes
>>>> removed TCG attributes
>>>> libimcv terminated
>>>>
>>>> Server (x86-64) logs have been attached them with this email.
>>>>
>>>> Please let me know if any other information is required.
>>>>
>>>> Thanks and Regards
>>>> Avesh
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150107/f9dca8b7/attachment-0001.html>
More information about the Dev
mailing list