TLS verify problem


Rob M

Jan 29, 2018, 5:35:39 PM
to automatak-dnp3
I am having some difficulty getting TLS to work (opendnp3 2.2.0 and openssl 1.0.2d).

Admittedly a little over my head at creating ca, certs, and key files but my outstation app is not balking at my first cut.

When I try to connect from the master:

Using CA certificate: /home/rmcclung/ca/cacert.pem
Using certificate chain: /home/rmcclung/ca/server_crt.pem
Using private key file: /home/rmcclung/ca/server_key.pem
ms(1517264702513) INFO    manager - Starting thread (0)
channel state change: OPENING
Commands:
 a - toggle autorestore on/off
 b - send bypass mode request
 c - send cold restart command
 d - modify deadband value for analog input
 p - send PFC on/off request
 r - send regulation mode request
 s - modify L1V and L2V setpoints
 t - toggle debug trace on/off
 u - toggle unsolicited responses on/off
 w - send warm restart command
 q - exit program
>>> ms(1517264702550) WARN    tls-client - Error verifying certificate at depth: 0 subject: /CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.co
ms(1517264702551) WARN    tls-client - Error Connecting: certificate verify failed
ms(1517264703560) WARN    tls-client - Error verifying certificate at depth: 0 subject: /CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.co
ms(1517264703562) WARN    tls-client - Error Connecting: certificate verify failed
ms(1517264705570) WARN    tls-client - Error verifying certificate at depth: 0 subject: /CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.co
ms(1517264705571) WARN    tls-client - Error Connecting: certificate verify failed



The outstation's debug output:

channel state change: OPENING
ms(1517264702554) INFO    server - TLS handshake failed: short read
ms(1517264703564) INFO    server - TLS handshake failed: short read
ms(1517264705573) INFO    server - TLS handshake failed: short read



Using openssl (instead of running the master app) I am able to connect to the outstation and it appears all is well as far as I can tell:

$ openssl s_client -connect 127.0.0.1:20001 -CAfile cacert.pem -cert server_crt.pem -key server_key.pem
CONNECTED(00000003)
depth=1 CN = GB Root Certificate Authority, ST = NC, C = US, emailAddress = rob.mcclung@grid-bridge.com, O = Gridbridge, OU = Eng
verify return:1
depth=0 CN = grid-bridge.com, ST = NC, C = US, emailAddress = rob.mcclung@grid-bridge.com, O = Gridbridge, OU = Eng
verify return:1
---
Certificate chain
 0 s:/CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
   i:/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
 1 s:/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
   i:/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDUjCCAjqgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBkTEmMCQGA1UEAwwdR0Ig
Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxCzAJBgNVBAgMAk5DMQswCQYDVQQG
EwJVUzEqMCgGCSqGSIb3DQEJARYbcm9iLm1jY2x1bmdAZ3JpZC1icmlkZ2UuY29t
MRMwEQYDVQQKDApHcmlkYnJpZGdlMQwwCgYDVQQLDANFbmcwHhcNMTgwMTI5MTQz
MDI2WhcNMjMwMTI4MTQzMDI2WjCBgzEYMBYGA1UEAwwPZ3JpZC1icmlkZ2UuY29t
MQswCQYDVQQIDAJOQzELMAkGA1UEBhMCVVMxKjAoBgkqhkiG9w0BCQEWG3JvYi5t
Y2NsdW5nQGdyaWQtYnJpZGdlLmNvbTETMBEGA1UECgwKR3JpZGJyaWRnZTEMMAoG
A1UECwwDRW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbjFiYphK7sw7p
UXwO7vGlzWE+GkvTA1dgX+CVLydBp3Afv8dLtLmFyPCKNTf0WrHLBtAAyfmouEf6
BvUww5FgBO09F70oJokXmTKEiPC6ZHt+7vJiY0p+GJySGWx1KAo8w1IRcypmpey7
61lkkdJDcugNpqCr63g6d3U6tGCYVwIDAQABo0UwQzAJBgNVHRMEAjAAMAsGA1Ud
DwQEAwIF4DApBgNVHREEIjAggg9ncmlkLWJyaWRnZS5jb22CDWVybWNvLWVjaS5j
b20wDQYJKoZIhvcNAQEFBQADggEBADXOBjDUIkZCt5TfShc66f5LnB6wJ+aRMqyI
FblYIyzKXqu7cyHwdMMo675j3YZynHal8MQb/OVdVpy5Kjq2zUO+QKZ6ELwYWYYK
xXlhTZu3Lgh71LEoXIwRV1ry/PLHRj2AIWxisFCKyph5AI9+Wjew043p+dTkgUxo
EBUgQYa7SB05Cn78uJrsjov2vf04CgpBj8oVbO8RHrb+U0zozccVKYXqhRlLk3QO
CQXw7MFlTpYBre8qEXNePW7+GmCv5liE0N/3OQ6qAs4a+VwgMXjI07KJOTRkwfxK
/9o0ndnSDvodQygySa8xgTotC+AORbWhbQghUum8bykh5eXN8ts=
-----END CERTIFICATE-----
subject=/CN=grid-bridge.com/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
issuer=/CN=GB Root Certificate Authority/ST=NC/C=US/emailAddress=rob.mcclung@grid-bridge.com/O=Gridbridge/OU=Eng
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 1988 bytes and written 2475 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 97BBCBA2429BEAE333F5FBE95745B497A06D8EDDF1D53495F3805E4B4810D9A05C2FF6AEC9C4809BFC361BB92771FA3B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1517264445
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[raw DNP3 link-layer bytes echoed by s_client]  <---- (now receiving AL and LL data from the outstation)



The outstation's debug output:

channel state change: OPENING
channel state change: OPEN
ms(1517264577738) --AL->  outstation - FE 82 94 08
ms(1517264577740) --AL->  outstation - FIR: 1 FIN: 1 CON: 1 UNS: 1 SEQ: 14 FUNC: UNSOLICITED_RESPONSE IIN: [0x94, 0x08]
ms(1517264577742) --TL->  outstation - FIR: 1 FIN: 1 SEQ: 30 LEN: 4
ms(1517264577744) --LL->  outstation - Function: PRI_UNCONFIRMED_USER_DATA Dest: 1 Source: 10 Length: 5
ms(1517264577745) --LL->  outstation - 05 64 0A 44 01 00 0A 00 6E 25
ms(1517264577746) --LL->  outstation - DE FE 82 94 08 62 BE



Thanks in advance for any insight or suggestions!

Rob

Rob M

Jan 29, 2018, 5:48:41 PM
to automatak-dnp3
Never mind, I found my silly mistake right after I posted. The depth parm was incorrect (set to zero) on the master side.

Adam Crain

Jan 31, 2018, 11:18:37 AM
to automatak-dnp3
That's a cryptic error message for that configuration issue. Perhaps there's something we can do to give a better error.

-Adam

Sean Mackey

Sep 23, 2021, 10:48:43 AM
to opendnp3
Where can I set the master depth parameter?

Adam Crain

Sep 23, 2021, 11:08:11 AM
to opendnp3
Hi Sean,

It looks like this parameter was removed in the 3.0.0 release. Certificate chains of all lengths (including self-signed) are allowed.

Regards,
Adam
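Rob's fix earlier in the thread (a verify depth of 0 on the master) and Adam's note that chains of all lengths now pass can both be reproduced with the openssl CLI already used in the first post. The script below is an added example, not code from the thread or from opendnp3: it generates a throwaway root CA, intermediate CA and outstation leaf certificate (every subject, file name and path in it is made up for the demo) and then verifies the leaf with the chain capped at depths 0, 1 and 2, the same kind of limit the master's depth parameter imposed on the outstation's certificate chain. Depth 0 rejects the chain on any OpenSSL version and depth 2 accepts it on any version; depth 1 differs between versions because OpenSSL 1.1.0 stopped counting the leaf and the trust anchor toward the limit, whereas 1.0.2 (the version in the first post) counted the leaf, which is why a depth of 0 there could only ever accept a self-signed peer certificate and the master reported the failure at depth 0.

```shell
#!/bin/sh
# Added example, not code from the thread or from opendnp3. It builds a throwaway
# three-certificate chain (root CA -> intermediate CA -> outstation leaf) with the
# openssl CLI and then verifies the leaf under different maximum chain depths,
# the same kind of limit the master's "depth" parameter imposed. Every subject,
# file name and path here is constructed for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain: self-signed root, intermediate signed by the root, leaf signed by
# the intermediate. Throwaway 2048-bit RSA keys, one-day validity.
make_chain() {
    (
        cd "$WORK" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
            -subj "/CN=Demo Root CA" -days 1 >/dev/null 2>&1 || exit 1

        openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
            -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1 || exit 1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -out inter.pem -days 1 -extfile inter.ext >/dev/null 2>&1 || exit 1

        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=outstation.example" >/dev/null 2>&1 || exit 1
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:outstation.example\n' > leaf.ext
        openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
            -out leaf.pem -days 1 -extfile leaf.ext >/dev/null 2>&1 || exit 1
    )
}

# verify_result N: verify the leaf with the root as the only trust anchor and the
# intermediate supplied as untrusted (as a peer would send it), capping the
# chain at depth N. Prints "ok" when the chain is accepted, "failed" otherwise.
verify_result() {
    if openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" \
           -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
}

main() {
    make_chain || { echo "could not build the demo chain (is openssl installed?)" >&2; exit 1; }
    # Depth 0 rejects this chain on every OpenSSL version and depth 2 accepts it
    # on every version; depth 1 depends on whether the leaf and the trust anchor
    # count toward the limit (they do on 1.0.2, they do not from 1.1.0 on).
    for d in 0 1 2; do
        echo "verify_depth $d: $(verify_result "$d")"
    done
}
main
```

Run it with sh. The mapping back to the thread is that the master plays the verifier's role: it holds the CA file and imposes the depth limit, while the outstation presents server_crt.pem and whatever chain sits behind it, so the chain length the outstation sends is what the master's depth setting has to allow. When a master-side "certificate verify failed" is paired with a "TLS handshake failed: short read" on the outstation, as in the first post, checking the chain with openssl verify at the master's configured depth is the quickest way to tell a depth limit apart from a genuinely untrusted certificate.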