I am having some difficulty getting TLS to work (opendnp3 2.2.0 and openssl 1.0.2d).
Admittedly, creating the CA, certs, and key files is a little over my head, but my outstation app is not balking at my first cut.
When I try to connect from the master:
Using CA certificate: /home/rmcclung/ca/cacert.pem
Using certificate chain: /home/rmcclung/ca/server_crt.pem
Using private key file: /home/rmcclung/ca/server_key.pem
ms(1517264702513) INFO manager - Starting thread (0)
channel state change: OPENING
Commands:
a - toggle autorestore on/off
b - send bypass mode request
c - send cold restart command
d - modify deadband value for analog input
p - send PFC on/off request
r - send regulation mode request
s - modify L1V and L2V setpoints
t - toggle debug trace on/off
u - toggle unsolicited responses on/off
w - send warm restart command
q - exit program
>>> ms(1517264702550) WARN tls-client - Error verifying certificate at depth: 0 subject: /CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.co
ms(1517264702551) WARN tls-client - Error Connecting: certificate verify failed
ms(1517264703560) WARN tls-client - Error verifying certificate at depth: 0 subject: /CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.co
ms(1517264703562) WARN tls-client - Error Connecting: certificate verify failed
ms(1517264705570) WARN tls-client - Error verifying certificate at depth: 0 subject: /CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.co
ms(1517264705571) WARN tls-client - Error Connecting: certificate verify failed
The outstation's debug output:
channel state change: OPENING
ms(1517264702554) INFO server - TLS handshake failed: short read
ms(1517264703564) INFO server - TLS handshake failed: short read
ms(1517264705573) INFO server - TLS handshake failed: short read
Using openssl (instead of running the master app), I am able to connect to the outstation, and it appears all is well as far as I can tell:
$ openssl s_client -connect 127.0.0.1:20001 -CAfile cacert.pem -cert server_crt.pem -key server_key.pem
CONNECTED(00000003)
depth=1 CN = GB Root Certificate Authority, ST = NC, C = US, emailAddress = rob.mcclung@grid-bridge.com, O = Gridbridge, OU = Eng
verify return:1
depth=0 CN = grid-bridge.com, ST = NC, C = US, emailAddress = rob.mcclung@grid-bridge.com, O = Gridbridge, OU = Eng
verify return:1
---
Certificate chain
0 s:/CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
i:/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
1 s:/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
i:/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
issuer=/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 1988 bytes and written 2475 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 97BBCBA2429BEAE333F5FBE95745B497A06D8EDDF1D53495F3805E4B4810D9A05C2FF6AEC9C4809BFC361BB92771FA3B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1517264445
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
d
D
n%?????d <---- (now receiving AL and LL data from the outstation)
D
n%?????d
D
n%???xUd
D
n%???f
The outstation's debug output:
channel state change: OPENING
channel state change: OPEN
ms(1517264577738) --AL-> outstation - FE 82 94 08
ms(1517264577740) --AL-> outstation - FIR: 1 FIN: 1 CON: 1 UNS: 1 SEQ: 14 FUNC: UNSOLICITED_RESPONSE IIN: [0x94, 0x08]
ms(1517264577742) --TL-> outstation - FIR: 1 FIN: 1 SEQ: 30 LEN: 4
ms(1517264577744) --LL-> outstation - Function: PRI_UNCONFIRMED_USER_DATA Dest: 1 Source: 10 Length: 5
ms(1517264577745) --LL-> outstation - 05 64 0A 44 01 00 0A 00 6E 25
ms(1517264577746) --LL-> outstation - DE FE 82 94 08 62 BE
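The two logs above are the two halves of one event: the master's TLS client rejects the outstation's certificate at depth 0 and drops the connection, and the outstation, which never sees an alert it can name, reports only "short read". A successful `s_client` run shows that the chain verifies under s_client's own options; it does not exercise whatever CA file, verify depth, purpose or hostname rules the master's TLS context applies. The lab below is an added example (the editor's, not code from the post or from opendnp3) that reproduces the symptom pair on a throwaway PKI with Python's stdlib `ssl` module. It assumes an `openssl` binary on PATH and Python 3.7 or newer; the CA names, the host name `outstation.example`, the file names `ca.pem`/`leaf.pem`/`leaf.key` and the function names are all invented here. Two caveats a reviewer would raise against the s_client output itself: the outstation's RSA key is 1024 bits, which is below current minimums (the lab mints 2048-bit keys, and OpenSSL 3 at its default security level will refuse a 1024-bit peer), and SHA-1 is still among the offered signature algorithms.

```python
"""Mutual-TLS handshake lab (added example, not opendnp3 code): reproduces a
client reporting "certificate verify failed" while the server only sees an
aborted handshake. Assumes `openssl` on PATH and Python >= 3.7; names invented."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def openssl(*args, cwd):
    """Run one openssl CLI command inside `cwd`; raise if it fails."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_pki(workdir, ca_cn, leaf_cn):
    """Mint a self-signed CA (ca.pem, like cacert.pem) and one leaf usable for both
    server and client auth (leaf.pem/leaf.key, like server_crt.pem/server_key.pem)."""
    os.makedirs(workdir, exist_ok=True)
    with open(os.path.join(workdir, "ca.cnf"), "w") as f:
        f.write("[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3_ca\n"
                f"[dn]\nCN={ca_cn}\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n"
                "keyUsage=critical,keyCertSign,cRLSign\n")
    with open(os.path.join(workdir, "leaf.cnf"), "w") as f:
        f.write(f"[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN={leaf_cn}\n"
                "[v3_leaf]\nbasicConstraints=CA:FALSE\n"
                "keyUsage=critical,digitalSignature,keyEncipherment\n"
                f"extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:{leaf_cn}\n")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-config", "ca.cnf",
            "-keyout", "ca.key", "-out", "ca.pem", "-days", "2", cwd=workdir)
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", "leaf.cnf",
            "-keyout", "leaf.key", "-out", "leaf.csr", cwd=workdir)
    openssl("x509", "-req", "-in", "leaf.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "1", "-extfile", "leaf.cnf", "-extensions",
            "v3_leaf", "-out", "leaf.pem", cwd=workdir)


def handshake(server_pki, client_pki, client_ca, server_hostname):
    """One mutual-TLS handshake over loopback: the server plays the outstation
    (requires a client cert, trusts server_pki/ca.pem), the client plays the master
    (verifies the server cert against client_ca). Returns what each side saw."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.verify_mode = ssl.CERT_REQUIRED
    srv.load_cert_chain(f"{server_pki}/leaf.pem", f"{server_pki}/leaf.key")
    srv.load_verify_locations(f"{server_pki}/ca.pem")
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    cli.load_cert_chain(f"{client_pki}/leaf.pem", f"{client_pki}/leaf.key")
    cli.load_verify_locations(client_ca)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(10)
    seen = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"pong" if tls.recv(16) == b"ping" else b"?")
                seen["server"] = "OPEN " + tls.version()
        except ssl.SSLError as e:  # our own verify failure, or the peer's alert
            seen["server"] = f"TLS handshake failed: {e.reason}"
        except OSError as e:  # peer hung up without an alert (a "short read")
            seen["server"] = f"TLS handshake failed: {type(e).__name__}"

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                cli.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(b"ping")
            seen["client"] = "OPEN " + tls.version() if tls.recv(16) else "error: EOF"
    except ssl.SSLCertVerificationError as e:  # what a failing verify callback reports
        seen["client"] = f"certificate verify failed: {e.verify_message}"
    except OSError as e:  # e.g. the server rejected our client cert and sent an alert
        seen["client"] = f"error: {getattr(e, 'reason', None) or type(e).__name__}"
    worker.join()
    listener.close()
    return seen


def run_scenarios():
    """Same two endpoints, three trust configurations; returns {name: outcome}."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "a"), os.path.join(tmp, "b")
        host = "outstation.example"
        make_pki(a, "Lab Root A", host)
        make_pki(b, "Lab Root B", host)
        return {
            # one shared CA: both sides report OPEN
            "shared_ca": handshake(a, a, f"{a}/ca.pem", host),
            # master trusts the wrong CA: verify fails at depth 0, outstation sees an abort
            "master_trusts_wrong_ca": handshake(a, a, f"{b}/ca.pem", host),
            # master's own cert is from another PKI: now the outstation rejects it
            "master_cert_from_wrong_ca": handshake(a, b, f"{a}/ca.pem", host),
        }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} client={outcome['client']!r} server={outcome['server']!r}")
```

Run it as `python3 mtls_lab.py`; it prints one line per scenario. The second scenario is the shape of the logs above: the client raises a verify error for the leaf, the server learns only that the handshake stopped. In the third scenario the reliable evidence is on the server side: with TLS 1.3 the client's handshake can complete before the server has even looked at the client certificate, so the client only notices the rejection on its first read.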
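The "d / D / n%" triplets that s_client printed are not noise: they are DNP3 link-layer frames rendered as text, and the outstation's --LL-> lines show the same header in hex (0x64 is "d", 0x44 is "D", 0x6E 0x25 is "n%", the rest is non-printable). The decoder below is an added example (the editor's, not opendnp3's code) that checks both CRCs on the page (6E 25 over the header, 62 BE over the data block) and unpacks the link, transport and application headers so each field can be compared with the --TL-> and --AL-> lines. The sample frame is typed in from those lines; the corrupted copy is constructed to show the CRC check rejecting a flipped bit.

```python
"""Decoder for the DNP3 link-layer frame in the outstation's --LL-> debug lines.
Added example, not opendnp3 code. SAMPLE_FRAME is typed in from the log lines
above; CORRUPTED_FRAME is constructed from it."""

CRC_POLY_REVERSED = 0xA6BC  # CRC-16/DNP: polynomial 0x3D65 in LSB-first form


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP over `data`; sent on the wire least-significant octet first."""
    crc = 0
    for octet in data:
        crc ^= octet
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REVERSED if crc & 1 else crc >> 1
    return ~crc & 0xFFFF


LINK_FUNC_PRIMARY = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES", 3: "CONFIRMED_USER_DATA",
                     4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
APP_FUNC = {0x00: "CONFIRM", 0x01: "READ", 0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE"}
IIN1 = ["BROADCAST", "CLASS_1_EVENTS", "CLASS_2_EVENTS", "CLASS_3_EVENTS",
        "NEED_TIME", "LOCAL_CONTROL", "DEVICE_TROUBLE", "DEVICE_RESTART"]
IIN2 = ["NO_FUNC_CODE_SUPPORT", "OBJECT_UNKNOWN", "PARAMETER_ERROR",
        "EVENT_BUFFER_OVERFLOW", "ALREADY_EXECUTING", "CONFIG_CORRUPT"]


def parse_link_frame(raw: bytes) -> dict:
    """Validate every CRC in one link-layer frame and decode the link, transport
    and application headers. Raises ValueError on any framing or CRC problem."""
    if raw[:2] != b"\x05\x64":
        raise ValueError("missing 0x0564 start octets")
    if dnp3_crc(raw[:8]) != int.from_bytes(raw[8:10], "little"):
        raise ValueError("link header CRC mismatch")
    length, ctrl = raw[2], raw[3]
    user_len = length - 5  # LENGTH also counts CTRL, DEST and SRC (5 octets)
    user, pos = bytearray(), 10
    while len(user) < user_len:  # user data travels in 16-octet blocks, each with its own CRC
        n = min(16, user_len - len(user))
        block = raw[pos:pos + n]
        crc = int.from_bytes(raw[pos + n:pos + n + 2], "little")
        if len(block) != n or dnp3_crc(block) != crc:
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user += block
        pos += n + 2
    frame = {
        "dir_from_master": bool(ctrl & 0x80), "prm": bool(ctrl & 0x40),
        "fcb": bool(ctrl & 0x20), "fcv": bool(ctrl & 0x10),
        "link_func": LINK_FUNC_PRIMARY.get(ctrl & 0x0F, f"FUNC_{ctrl & 0x0F}"),
        "dest": int.from_bytes(raw[4:6], "little"),
        "src": int.from_bytes(raw[6:8], "little"),
        "user_data": bytes(user),
    }
    if user:  # transport header: FIN bit 7, FIR bit 6, 6-bit sequence
        th = user[0]
        frame["transport"] = {"fir": bool(th & 0x40), "fin": bool(th & 0x80), "seq": th & 0x3F}
    if len(user) >= 3:  # application header: control, function code, IIN on responses
        ac, fc = user[1], user[2]
        app = {"fir": bool(ac & 0x80), "fin": bool(ac & 0x40), "con": bool(ac & 0x20),
               "uns": bool(ac & 0x10), "seq": ac & 0x0F, "func": APP_FUNC.get(fc, f"0x{fc:02X}")}
        if fc in (0x81, 0x82) and len(user) >= 5:
            app["iin"] = ([name for i, name in enumerate(IIN1) if user[3] >> i & 1]
                          + [name for i, name in enumerate(IIN2) if user[4] >> i & 1])
        frame["application"] = app
    return frame


# Typed in from the --LL-> lines: header + CRC, then 5 octets of user data + CRC.
SAMPLE_FRAME = bytes.fromhex("05 64 0A 44 01 00 0A 00 6E 25 " "DE FE 82 94 08 62 BE")
# Constructed: the same frame with one bit flipped in the application control octet.
CORRUPTED_FRAME = SAMPLE_FRAME[:11] + bytes([SAMPLE_FRAME[11] ^ 0x01]) + SAMPLE_FRAME[12:]

if __name__ == "__main__":
    print(parse_link_frame(SAMPLE_FRAME))
    try:
        parse_link_frame(CORRUPTED_FRAME)
    except ValueError as err:
        print("rejected:", err)
```

The decoded fields line up with the debug output: link Dest 1, Source 10, PRI_UNCONFIRMED_USER_DATA with 5 octets of user data; transport FIR 1, FIN 1, SEQ 30; application FIR 1, FIN 1, CON 1, UNS 1, SEQ 14, UNSOLICITED_RESPONSE with IIN 0x94 0x08.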