[strongSwan-dev] TLS negotiation failing on power pc 64
Avesh Agarwal
avesh.ncsu at gmail.com
Thu Jan 8 06:35:03 CET 2015
Hi,
It turns out that unintialization of record type in the while loop during
building of TLS records in tls.c is wreaking havoc on ppc64. I have come up
with a preliminary patch for upstream review which is although being a one
liner required some extensive debugging:
diff -urNp strongswan-5.2.2/src/libtls/tls.c
strongswan-5.2.2-test/src/libtls/tls.c
--- strongswan-5.2.2/src/libtls/tls.c 2014-05-21 08:00:31.000000000 -0400
+++ strongswan-5.2.2-test/src/libtls/tls.c 2015-01-08 00:27:28.524867037
-0500
@@ -295,6 +295,7 @@ METHOD(tls_t, build, status_t,
/* query upper layers for new records, as many as we can get */
while (TRUE)
{
+ type = 0;
status = this->protection->build(this->protection, &type,
&data);
switch (status)
{
Another way could be to add a new member for tls_content_type_t something
like TLS_RECORD/CONTENT_TYPE_INITIALIZATION = 0. Any feedback is
appreciated.
Thanks
Avesh
On Wed, Jan 7, 2015 at 5:12 PM, Avesh Agarwal <avesh.ncsu at gmail.com> wrote:
> Hi,
>
> I think that the issue is NOT 64 bit sequence number on ppc64 but the
> following comparison in the code:
>
> if (*type == TLS_CHANGE_CIPHER_SPEC)
> {
> this->seq_out = 0;
> return status;
> }
>
> It seems that at some point the above if clause is being true only on
> ppc64 even though there is no TLS_CHANGE_CIPHER_SPEC being sent. It causes
> the sequence number to set to 0 from 2 but at the receiver side, sequence
> number 2 is expected and failure occurs.
>
> Thanks
> Avesh
>
>
> On Wed, Jan 7, 2015 at 3:35 PM, Avesh Agarwal <avesh.ncsu at gmail.com>
> wrote:
>
>> Hi,
>>
>> The issue seems to be happening on ppc64 TLS client or server due to the
>> switch to 64 bit sequence number from 32 bit sequence in earlier releases.
>>
>> Thanks
>> Avesh
>>
>> On Wed, Jan 7, 2015 at 2:51 PM, Avesh Agarwal <avesh.ncsu at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> It seems that sequence number are not being treated correctly on ppc64.
>>> When ppc64 calculated assoc structure, it comes up with: 00 00 00 00 00 00
>>> 00 00 17 03 03 00 F5
>>>
>>> Whereas x86_64 server is expecting 00 00 00 00 00 00 00 02 17 03 03 00
>>> F5.
>>>
>>> And thats why signature verification is falling, because seq number on
>>> ppc64 client calculated for type 17 is 0 whereas on x86_64 it is 2. But yet
>>> to see why this discrepancy is happening at ppc64 client only during this
>>> particular exchange.
>>>
>>> Thanks
>>> Avesh
>>>
>>> On Wed, Jan 7, 2015 at 1:36 PM, Avesh Agarwal <avesh.ncsu at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I investigated this issue further, and I found that it is following
>>>> during signature verification in the following code at server side in
>>>> src/libtls/tls_aead_expl.c:
>>>>
>>>> if (!this->signer->get_signature(this->signer, assoc, NULL) ||
>>>> !this->signer->verify_signature(this->signer, *data,
>>>> mac))
>>>> {
>>>> return FALSE;
>>>> }
>>>>
>>>> It seems that ppc64 client is sending different signature that what is
>>>> expected by x86_64 server.
>>>>
>>>> The weird part is that it happens only during following exchange,
>>>> (these logs have customized debug messages inserted by me) . Any
>>>> encryption/decryption/signature verification before this exchange works
>>>> fine . The culprit seems the following assoc structure: 0: 00 00 00 00 00
>>>> 00 00 02 17 03 03 00 F4 when sent from ppc64 client.
>>>>
>>>> x86_64 server side logs:
>>>>
>>>> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E
>>>> 31 20 ..........%.7.1
>>>> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70
>>>> 70 63 Beta (Maipo) ppc
>>>> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00
>>>> 00 1C 64..............
>>>> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00
>>>> 00 00 ................
>>>> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01
>>>> 00 00 ...........$....
>>>> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A
>>>> 33 39 2015-01-05T18:39
>>>> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00
>>>> 00 10 :35Z............
>>>> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00
>>>> 00 10 ................
>>>> Jan 7 10:30:22 10[TLS] 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9
>>>> 10 D5 .........~h.....
>>>> Jan 7 10:30:22 10[TLS] 256: 9E 6F 11 9C CE E7 3F AC 07 07 07 07 07 07
>>>> 07 07 .o....?........., 272
>>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after padding: 5.5: =>
>>>> 264 bytes @ 0x7f138e0ec495
>>>> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00
>>>> 00 01 ................
>>>> Jan 7 10:30:22 10[TLS] 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00
>>>> 00 06 ................
>>>> Jan 7 10:30:22 10[TLS] 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E
>>>> 67 75 ....Accept-Langu
>>>> Jan 7 10:30:22 10[TLS] 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00
>>>> 01 00 age: en.........
>>>> Jan 7 10:30:22 10[TLS] 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF
>>>> FF 01 ................
>>>> Jan 7 10:30:22 10[TLS] 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00
>>>> 02 00 .....^..........
>>>> Jan 7 10:30:22 10[TLS] 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61
>>>> 74 00 ........Red Hat.
>>>> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E
>>>> 31 20 ..........%.7.1
>>>> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70
>>>> 70 63 Beta (Maipo) ppc
>>>> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00
>>>> 00 1C 64..............
>>>> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00
>>>> 00 00 ................
>>>> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01
>>>> 00 00 ...........$....
>>>> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A
>>>> 33 39 2015-01-05T18:39
>>>> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00
>>>> 00 10 :35Z............
>>>> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00
>>>> 00 10 ................
>>>> Jan 7 10:30:22 10[TLS] 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9
>>>> 10 D5 .........~h.....
>>>> Jan 7 10:30:22 10[TLS] 256: 9E 6F 11 9C CE E7 3F
>>>> AC .o....?., 264
>>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, mac: 6.25: => 20
>>>> bytes @ 0x7f138e0ec589
>>>> Jan 7 10:30:22 10[TLS] 0: ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 9E 6F
>>>> 11 9C .....~h......o..
>>>> Jan 7 10:30:22 10[TLS] 16: CE E7 3F AC
>>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, after mac: 6.5: => 244
>>>> bytes @ 0x7f138e0ec495
>>>> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00
>>>> 00 01 ................
>>>> Jan 7 10:30:22 10[TLS] 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00
>>>> 00 06 ................
>>>> Jan 7 10:30:22 10[TLS] 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E
>>>> 67 75 ....Accept-Langu
>>>> Jan 7 10:30:22 10[TLS] 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00
>>>> 01 00 age: en.........
>>>> Jan 7 10:30:22 10[TLS] 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF
>>>> FF 01 ................
>>>> Jan 7 10:30:22 10[TLS] 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00
>>>> 02 00 .....^..........
>>>> Jan 7 10:30:22 10[TLS] 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61
>>>> 74 00 ........Red Hat.
>>>> Jan 7 10:30:22 10[TLS] 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E
>>>> 31 20 ..........%.7.1
>>>> Jan 7 10:30:22 10[TLS] 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70
>>>> 70 63 Beta (Maipo) ppc
>>>> Jan 7 10:30:22 10[TLS] 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00
>>>> 00 1C 64..............
>>>> Jan 7 10:30:22 10[TLS] 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00
>>>> 00 00 ................
>>>> Jan 7 10:30:22 10[TLS] 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01
>>>> 00 00 ...........$....
>>>> Jan 7 10:30:22 10[TLS] 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A
>>>> 33 39 2015-01-05T18:39
>>>> Jan 7 10:30:22 10[TLS] 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00
>>>> 00 10 :35Z............
>>>> Jan 7 10:30:22 10[TLS] 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00
>>>> 00 10 ................
>>>> Jan 7 10:30:22 10[TLS] 240: 00 00 00
>>>> 00 ...., 244
>>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c, assoc: 6.75: => 13
>>>> bytes @ 0x7f138e0ec350
>>>> Jan 7 10:30:22 10[TLS] 0: 00 00 00 00 00 00 00 02 17 03 03 00
>>>> F4 ............., 13
>>>> Jan 7 10:30:22 10[TLS] decrypt tls_aead_expl.c: 7
>>>> Jan 7 10:30:22 10[TLS] TLS record decryption failed
>>>> Jan 7 10:30:22 10[TLS] sending fatal TLS alert 'bad record mac'
>>>>
>>>>
>>>> At ppc64 client side logs:
>>>>
>>>> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
>>>> => 228 bytes @ 0x1000c66d1d0
>>>> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>>>> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>>>> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>>>> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>>>> 64: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02 00 .....^..........
>>>> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>>>> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>>>> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>>>> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>>>> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>>> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>>>> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>>>> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>>>> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>>>> 224: 00 00 00 00 ....
>>>> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
>>>> encrypt tls_aead_expl.c, before encryption: 1: => 272 bytes @
>>>> 0x1000c669bd0
>>>> 0: 00 00 00 00 00 00 00 07 00 00 00 F4 00 00 00 01 ................
>>>> 16: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>>>> 32: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>>>> 48: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>>>> 64: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>>>> 80: 00 00 00 B2 91 5E F6 00 00 00 00 00 00 00 02 00 .....^..........
>>>> 96: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>>>> 112: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>>>> 128: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>>>> 144: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>>>> 160: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>>> 176: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>>>> 192: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>>>> 208: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>>>> 224: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>>>> 240: 00 00 00 00 ED B9 C3 BD A0 7E 68 13 BC C9 10 D5 .........~h.....
>>>> 256: 9E 6F 11 9C CE E7 3F AC 07 07 07 07 07 07 07 07
>>>> .o....?........., 272
>>>> encrypt tls_aead_expl.c, after encryption: 2: => 272 bytes @
>>>> 0x1000c669bd0
>>>> 0: 12 F6 84 24 74 97 99 02 8F B1 4C 3D 97 CC 33 D7 ...$t.....L=..3.
>>>> 16: A9 04 27 80 28 2B 7B CE 84 97 0B F4 ED DD 23 1F ..'.(+{.......#.
>>>> 32: 98 5C E1 78 E6 03 5E D5 D6 2F DD F9 D5 A1 FB 4A .\.x..^../.....J
>>>> 48: 32 17 43 07 F5 AF 0B FF AD 6B 29 01 E4 29 9C 36 2.C......k)..).6
>>>> 64: AC 2F 2B 0C 97 EE 5F 06 C4 5A A4 AC 0E CF 7E 18 ./+..._..Z....~.
>>>> 80: 0D 86 FA 68 0B CF 67 DC EA 17 49 4E 86 97 39 D3 ...h..g...IN..9.
>>>> 96: 5D 24 E1 93 01 88 C1 ED 3E DA 1C 8D 17 47 2E B8 ]$......>....G..
>>>> 112: 17 44 7E 0F AC 90 B7 B5 84 3E 01 7A D0 4A 13 F9 .D~......>.z.J..
>>>> 128: F1 F8 29 C5 C4 E4 D3 A3 A2 87 43 55 A5 CF 49 5E ..).......CU..I^
>>>> 144: 23 53 8A FE 1D 48 CF B8 C4 D3 4F F5 BB B5 BF EB #S...H....O.....
>>>> 160: 02 6C E6 74 81 0F C4 69 A8 EC 17 DD 26 CF 61 AF .l.t...i....&.a.
>>>> 176: 75 DC 96 A1 23 A0 1C A7 5E 0E 91 43 77 F2 69 EA u...#...^..Cw.i.
>>>> 192: 70 C6 2A 24 9B 8B 22 7A 12 58 03 09 9D 65 A6 19 p.*$.."z.X...e..
>>>> 208: 14 AD 15 E7 F5 A1 4B C8 93 D8 59 41 76 45 AE 5A ......K...YAvE.Z
>>>> 224: 63 73 A7 A4 FA 1D 53 8E F9 32 7F 58 32 7A 1E 66 cs....S..2.X2z.f
>>>> 240: A5 65 25 44 93 D8 57 27 5F CA 39 01 85 79 15 C3 .e%D..W'_.9..y..
>>>> 256: 04 F5 4A D9 90 9E 01 C8 DC 66 64 DA E5 86 FC FB
>>>> ..J......fd....., 272
>>>> encrypt tls_aead_expl.c, after IV: 3: => 288 bytes @ 0x1000c66f3f0
>>>> 0: 71 58 04 43 29 B9 1C 01 27 95 6D AA D5 C2 9F 07 qX.C)...'.m.....
>>>> 16: 12 F6 84 24 74 97 99 02 8F B1 4C 3D 97 CC 33 D7 ...$t.....L=..3.
>>>> 32: A9 04 27 80 28 2B 7B CE 84 97 0B F4 ED DD 23 1F ..'.(+{.......#.
>>>> 48: 98 5C E1 78 E6 03 5E D5 D6 2F DD F9 D5 A1 FB 4A .\.x..^../.....J
>>>> 64: 32 17 43 07 F5 AF 0B FF AD 6B 29 01 E4 29 9C 36 2.C......k)..).6
>>>> 80: AC 2F 2B 0C 97 EE 5F 06 C4 5A A4 AC 0E CF 7E 18 ./+..._..Z....~.
>>>> 96: 0D 86 FA 68 0B CF 67 DC EA 17 49 4E 86 97 39 D3 ...h..g...IN..9.
>>>> 112: 5D 24 E1 93 01 88 C1 ED 3E DA 1C 8D 17 47 2E B8 ]$......>....G..
>>>> 128: 17 44 7E 0F AC 90 B7 B5 84 3E 01 7A D0 4A 13 F9 .D~......>.z.J..
>>>> 144: F1 F8 29 C5 C4 E4 D3 A3 A2 87 43 55 A5 CF 49 5E ..).......CU..I^
>>>> 160: 23 53 8A FE 1D 48 CF B8 C4 D3 4F F5 BB B5 BF EB #S...H....O.....
>>>> 176: 02 6C E6 74 81 0F C4 69 A8 EC 17 DD 26 CF 61 AF .l.t...i....&.a.
>>>> 192: 75 DC 96 A1 23 A0 1C A7 5E 0E 91 43 77 F2 69 EA u...#...^..Cw.i.
>>>> 208: 70 C6 2A 24 9B 8B 22 7A 12 58 03 09 9D 65 A6 19 p.*$.."z.X...e..
>>>> 224: 14 AD 15 E7 F5 A1 4B C8 93 D8 59 41 76 45 AE 5A ......K...YAvE.Z
>>>> 240: 63 73 A7 A4 FA 1D 53 8E F9 32 7F 58 32 7A 1E 66 cs....S..2.X2z.f
>>>> 256: A5 65 25 44 93 D8 57 27 5F CA 39 01 85 79 15 C3 .e%D..W'_.9..y..
>>>> 272: 04 F5 4A D9 90 9E 01 C8 DC 66 64 DA E5 86 FC FB
>>>> ..J......fd....., 288
>>>> sending TLS ApplicationData record (288 bytes)
>>>>
>>>> Just sending some more info assuming it might be helpful in debugging.
>>>>
>>>> Thanks and Regards
>>>> Avesh
>>>>
>>>> On Tue, Jan 6, 2015 at 10:51 AM, Avesh Agarwal <avesh.ncsu at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I came across a bug where TLS negotiation is failing on power pc 64
>>>>> architecture with the latest release 5.2.2. I also tested 5.2.0 and the
>>>>> issue is present. But the issue does not show up with earlier 5.1.1
>>>>> release. Also this does not happen on x86 architecture.
>>>>>
>>>>> This was tested with OS IMC/IMV by using pt-tls. The client logs
>>>>> (ppc64) are as follows:
>>>>>
>>>>> loading IMCs from '/etc/tnc_config'
>>>>> libimcv initialized
>>>>> IMC 1 "OS" initialized
>>>>> processing "/etc/redhat-release" file
>>>>> operating system name is 'Red Hat'
>>>>> operating system version is '7.1 Beta (Maipo) ppc64'
>>>>> IMC 1 "OS" loaded from '/usr/lib64/strongswan/imcvs/
>>>>> imc-os.so'
>>>>> loaded plugins: pt-tls-client curl revocation constraints pem nonce
>>>>> tnc-tnccs tnc-imc tnccs-20 openssl
>>>>> unable to load 9 plugin features (9 due to unmet dependencies)
>>>>> created thread 01 [30359]
>>>>> entering PT-TLS setup phase
>>>>> 36 supported TLS cipher suites:
>>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>>>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>>>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
>>>>> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
>>>>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
>>>>> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
>>>>> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>>> TLS_RSA_WITH_AES_128_CBC_SHA
>>>>> TLS_RSA_WITH_AES_128_CBC_SHA256
>>>>> TLS_RSA_WITH_AES_256_CBC_SHA
>>>>> TLS_RSA_WITH_AES_256_CBC_SHA256
>>>>> TLS_RSA_WITH_AES_128_GCM_SHA256
>>>>> TLS_RSA_WITH_AES_256_GCM_SHA384
>>>>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>>>>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
>>>>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
>>>>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
>>>>> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
>>>>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>>> TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>>>> entering PT-TLS negotiation phase
>>>>> sending offer for PT-TLS version 1
>>>>> sending PT-TLS message #0 of type 'Version Request' (20 bytes)
>>>>> sending Server Name Indication for 'aaa.strongswan.org'
>>>>> sending TLS ClientHello handshake (188 bytes)
>>>>> sending TLS Handshake record (192 bytes)
>>>>> processing TLS Handshake record (1571 bytes)
>>>>> received TLS ServerHello handshake (54 bytes)
>>>>> negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>> received TLS Certificate handshake (1066 bytes)
>>>>> received TLS server certificate 'C=CH, O=Linux strongSwan, CN=
>>>>> aaa.strongswan.org'
>>>>> received TLS ServerKeyExchange handshake (329 bytes)
>>>>> using certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
>>>>> certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" key:
>>>>> 2048 bit RSA
>>>>> using trusted ca certificate "C=CH, O=Linux strongSwan,
>>>>> CN=strongSwan Root CA"
>>>>> checking certificate status of "C=CH, O=Linux strongSwan, CN=
>>>>> aaa.strongswan.org"
>>>>> ocsp check skipped, no ocsp found
>>>>> fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
>>>>> sending http request to 'http://crl.strongswan.org/strongswan.crl'.
>>>>> ..
>>>>> libcurl http request failed [6]: Could not resolve host:
>>>>> crl.strongswan.org; Name or service not known
>>>>> crl fetching failed
>>>>> certificate status is not available
>>>>> certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" key:
>>>>> 2048 bit RSA
>>>>> reached self-signed root ca with a path length of 0
>>>>> verified signature with SHA256/RSA
>>>>> received TLS CertificateRequest handshake (102 bytes)
>>>>> received TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan
>>>>> Root CA
>>>>> received TLS ServerHelloDone handshake (0 bytes)
>>>>> sending TLS peer certificate 'C=CH, O=Linux strongSwan, OU=Accounting,
>>>>> CN=dave at strongswan.org'
>>>>> sending TLS Certificate handshake (1068 bytes)
>>>>> sending TLS ClientKeyExchange handshake (66 bytes)
>>>>> created signature with SHA256/RSA
>>>>> sending TLS CertificateVerify handshake (260 bytes)
>>>>> sending TLS Handshake record (1406 bytes)
>>>>> sending TLS ChangeCipherSpec record (1 bytes)
>>>>> sending TLS Finished handshake (12 bytes)
>>>>> sending TLS Handshake record (64 bytes)
>>>>> processing TLS ChangeCipherSpec record (1 bytes)
>>>>> processing TLS Handshake record (64 bytes)
>>>>> received TLS Finished handshake (12 bytes)
>>>>> sending TLS ApplicationData record (64 bytes)
>>>>> processing TLS ApplicationData record (64 bytes)
>>>>> => 20 bytes @ 0x3fffd13fa22d
>>>>> 0: 00 00 00 00 00 00 00 02 00 00 00 14 00 00 00 00 ................
>>>>> 16: 00 00 00 01 ....
>>>>> => 4 bytes @ 0x3fffd13fa23d
>>>>> 0: 00 00 00 01 ....
>>>>> received PT-TLS message #0 of type 'Version Response' (20 bytes)
>>>>> doing SASL client authentication
>>>>> processing TLS ApplicationData record (64 bytes)
>>>>> => 16 bytes @ 0x3fffd13fa22d
>>>>> 0: 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00 01 ................
>>>>> received PT-TLS message #1 of type 'SASL Mechanisms' (16 bytes)
>>>>> PT-TLS authentication complete
>>>>> entering PT-TLS data transport phase
>>>>> assigned TNCCS Connection ID 1
>>>>> IMC 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long
>>>>> +excl -soh
>>>>> over IF-T for TLS 2.0 with maximum PA-TNC message size of 2097104
>>>>> bytes
>>>>> IMC 1 "OS" changed state of Connection ID 1 to 'Handshake'
>>>>> operating system numeric version is 7.1
>>>>> last boot: Jan 05 18:39:35 UTC 2015, 74582 s ago
>>>>> IPv4 forwarding is disabled
>>>>> factory default password is disabled
>>>>> failed to open '/var/lib/dbus/machine-id'
>>>>> no device ID available
>>>>> creating PA-TNC message with ID 0x7cd4e2e8
>>>>> creating PA-TNC attribute type 'IETF/Product Information'
>>>>> 0x000000/0x00000002
>>>>> => 12 bytes @ 0x1001c84f110
>>>>> 0: 00 09 08 00 00 52 65 64 20 48 61 74 .....Red Hat
>>>>> creating PA-TNC attribute type 'IETF/String Version'
>>>>> 0x000000/0x00000004
>>>>> => 25 bytes @ 0x1001c849830
>>>>> 0: 16 37 2E 31 20 42 65 74 61 20 28 4D 61 69 70 6F .7.1 Beta (Maipo
>>>>> 16: 29 20 70 70 63 36 34 00 00 ) ppc64..
>>>>> creating PA-TNC attribute type 'IETF/Numeric Version'
>>>>> 0x000000/0x00000003
>>>>> => 16 bytes @ 0x1001c84d240
>>>>> 0: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>>>> creating PA-TNC attribute type 'IETF/Operational Status'
>>>>> 0x000000/0x00000005
>>>>> => 24 bytes @ 0x1001c849ba0
>>>>> 0: 03 01 00 00 32 30 31 35 2D 30 31 2D 30 35 54 31 ....2015-01-05T1
>>>>> 16: 38 3A 33 39 3A 33 35 5A 8:39:35Z
>>>>> creating PA-TNC attribute type 'IETF/Forwarding Enabled'
>>>>> 0x000000/0x0000000b
>>>>> => 4 bytes @ 0x1001c849c60
>>>>> 0: 00 00 00 00 ....
>>>>> creating PA-TNC attribute type 'IETF/Factory Default Password Enabled'
>>>>> 0x000000/0x0000000c
>>>>> => 4 bytes @ 0x1001c84dcc0
>>>>> 0: 00 00 00 00 ....
>>>>> created PA-TNC message: => 165 bytes @ 0x1001c84f130
>>>>> 0: 01 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 ....|...........
>>>>> 16: 00 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 .........Red Hat
>>>>> 32: 00 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 ...........%.7.1
>>>>> 48: 20 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 Beta (Maipo) pp
>>>>> 64: 63 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 c64.............
>>>>> 80: 1C 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 ................
>>>>> 96: 00 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 ............$...
>>>>> 112: 00 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 .2015-01-05T18:3
>>>>> 128: 39 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 9:35Z...........
>>>>> 144: 10 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 ................
>>>>> 160: 10 00 00 00 00 .....
>>>>> creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
>>>>> PB-TNC state transition from 'Init' to 'Server Working'
>>>>> creating PB-TNC CDATA batch
>>>>> adding IETF/PB-Language-Preference message
>>>>> adding IETF/PB-PA message
>>>>> sending PB-TNC CDATA batch (228 bytes) for Connection ID 1
>>>>> => 228 bytes @ 0x1001c849b00
>>>>> 0: 02 00 00 01 00 00 00 E4 00 00 00 00 00 00 00 06 ................
>>>>> 16: 00 00 00 1F 41 63 63 65 70 74 2D 4C 61 6E 67 75 ....Accept-Langu
>>>>> 32: 61 67 65 3A 20 65 6E 80 00 00 00 00 00 00 01 00 age: en.........
>>>>> 48: 00 00 BD 00 00 00 00 00 00 00 01 00 01 FF FF 01 ................
>>>>> 64: 00 00 00 7C D4 E2 E8 00 00 00 00 00 00 00 02 00 ...|............
>>>>> 80: 00 00 18 00 09 08 00 00 52 65 64 20 48 61 74 00 ........Red Hat.
>>>>> 96: 00 00 00 00 00 00 04 00 00 00 25 16 37 2E 31 20 ..........%.7.1
>>>>> 112: 42 65 74 61 20 28 4D 61 69 70 6F 29 20 70 70 63 Beta (Maipo) ppc
>>>>> 128: 36 34 00 00 00 00 00 00 00 00 00 03 00 00 00 1C 64..............
>>>>> 144: 00 00 00 07 00 00 00 01 00 00 00 00 00 00 00 00 ................
>>>>> 160: 00 00 00 00 00 00 00 05 00 00 00 24 03 01 00 00 ...........$....
>>>>> 176: 32 30 31 35 2D 30 31 2D 30 35 54 31 38 3A 33 39 2015-01-05T18:39
>>>>> 192: 3A 33 35 5A 00 00 00 00 00 00 00 0B 00 00 00 10 :35Z............
>>>>> 208: 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 10 ................
>>>>> 224: 00 00 00 00 ....
>>>>> sending PT-TLS message #1 of type 'PB-TNC Batch' (244 bytes)
>>>>> sending TLS ApplicationData record (288 bytes)
>>>>> processing TLS Alert record (48 bytes)
>>>>>
>>>>> *received fatal TLS alert 'bad record mac'*sending TLS close notify
>>>>> sending TLS Alert record (48 bytes)
>>>>> IMC 1 "OS" deleted the state of Connection ID 1
>>>>> removed TNCCS Connection ID 1
>>>>> IMC 1 "OS" terminated
>>>>> removed TCG functional component namespace
>>>>> removed ITA-HSR functional component namespace
>>>>> removed IETF attributes
>>>>> removed ITA-HSR attributes
>>>>> removed TCG attributes
>>>>> libimcv terminated
>>>>>
>>>>> Server (x86-64) logs have been attached them with this email.
>>>>>
>>>>> Please let me know if any other information is required.
>>>>>
>>>>> Thanks and Regards
>>>>> Avesh
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150108/bfd62015/attachment-0001.html>
More information about the Dev
mailing list