
Re: SNMP TLS snmpget error


sandhya reddy

Aug 12, 2014, 12:25:44 AM
I have one basic doubt.
Why do we mention their_identity in the snmpget TLS request, as the peer's certificate info will be unknown?
our_identity will be sufficient, right?

I'm trying to set up the agent locally as well.
Using the DTLS tutorial I have done the following:

1) In Server (Agent)
I have generated a self-signed certificate and configured its fingerprint as serverCert in the snmpd.conf file. Also configured the user as "Agent-83".
 
[snmp] serverCert 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B

rwuser -s tsm "Agent-83"


2) From Client (Manager), I send the snmpget request from the client:

sudo snmpget -Dtsm,tls,openssl,cert -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43  -T their_identity=28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B tlstcp:10.253.6.83 sysContact.0

In the client I can see the following error:

tls:config: our identity CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
tls:config: their identity 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 163889776
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 163889776
cert:find:params:  hint = CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
cert:find:found: using cert tutorial-joecool.crt / cd7445c9a3a3550a6c3703b24938b10199958e43 for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert tutorial-joecool.crt / cd7445c9a3a3550a6c3703b24938b10199958e43 for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 163827608
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 163827608
cert:find:params:  hint = 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 163827608
cert:find:params:  hint = 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
tlstcp: connecting to tlstcp 10.253.6.83:10161
tls_x509:verify: Cert: /C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=Agent-83/emailAddress=rootuser@rootuser-OptiPlex-745
tls_x509:verify:   fp: 280f202ebcce5ae8b6791f673b5d17da61a86d9b
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 163853656
cert:find:params:  hint = 280f202ebcce5ae8b6791f673b5d17da61a86d9b
tls_x509:verify:   no matching fp found
tls verification failure: ok=0 ctx=0xbf83eea8 depth=0 err=18:self signed certificate
tlstcp: failed to ssl_connect
snmpget: Unknown host (tlstcp:10.253.6.83)


In the server I can see the following error:
tlstcp: netsnmp_tlstcp_accept called
TLSTCP: Failed SSL_accept
---- OpenSSL Related Errors: ----
 TLS error: SSL_accept: rc=0, sslerror = 1 (SSL_ERROR_SSL)
 TLS Error: tlsv1 alert unknown ca


Awaiting response.



Thanks
Sandhya


On Tue, Aug 5, 2014 at 2:25 PM, sandhya reddy <sr8...@gmail.com> wrote:
Hi all,

By default, on Windows OS the net start "net-snmp agent" command will start the agent on UDP port 161.
What is the procedure to run the agent with tlstcp:10161 on a Windows machine?
Also, is there any specific link to follow for the commands in Windows for TLSTCP?

Please help me.


Thanks,
sandhya


On Fri, Aug 1, 2014 at 4:20 PM, sandhya reddy <sr8...@gmail.com> wrote:
I've included the debug options when I run the snmpd daemon, from which I can also see errors.

root@rootuser-Veriton-Series:/home/rootuser/projects/net-snmp-5.6.2.1# snmpd -f -Le -Dtsm,dtls,tls,openssl,cert tlstcp:10161

registered debug token tsm, 1
registered debug token dtls, 1
registered debug token tls, 1
registered debug token openssl, 1
registered debug token cert, 1
tlstcp: registering TLS constructor
dtlsudp: registering DTLS constructor
tsm: registering ourselves
tsm:  returned 0
cert:util:init: init
cert:index:add: dir /usr/local/share/snmp/tls/private at index 2
cert:index:add: dir /usr/local/share/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/rootuser/.snmp/tls/certs at index 4
cert:index:add: dir /home/rootuser/.snmp/tls/private at index 5
cert:index:add: dir /usr/local/share/snmp/tls/certs at index 1
cert:index:add: dir /home/rootuser/.snmp/tls/ca-certs at index 3
cert:index:dir: Scanning directory /usr/local/share/snmp/tls/ca-certs
cert:index:lookup: /usr/local/share/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/share/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/share/snmp/tls/certs
cert:index:lookup: /usr/local/share/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/share/snmp/tls/certs looks good
cert:index:parse: added 3 certs from index
cert:index:dir: Scanning directory /usr/local/share/snmp/tls/private
cert:index:lookup: /usr/local/share/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/share/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x94ba308 for snmp.key
cert:key:struct:new: new key 0x0x94ba358 for tutorial-joecool.key
cert:key:struct:new: new key 0x0x94ba3b8 for tutorial-agent.key
cert:key:struct:new: new key 0x0x94ba410 for Agent-89.key
cert:index:parse: added 4 certs from index
cert:partner: Agent-89.crt match found!
cert:partner: tutorial-agent.crt match found!
cert:partner: tutorial-joecool.crt match found!
cert:key:read: Checking file Agent-89.key
cert:key:read: Checking file tutorial-agent.key
cert:key:read: Checking file tutorial-joecool.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert Agent-89.crt in /usr/local/share/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert tutorial-agent.crt in /usr/local/share/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert tutorial-joecool.crt in /usr/local/share/snmp/tls/certs
cert:dump:    type 1 flags 0x3 (identity+remote_peer)
cert:dump: key Agent-89.key in /usr/local/share/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: key snmp.key in /usr/local/share/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: key tutorial-agent.key in /usr/local/share/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: key tutorial-joecool.key in /usr/local/share/snmp/tls/private
cert:dump:    type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
Warning: no access control information configured.
  (Config search path: /usr/local/etc/snmp:/usr/local/share/snmp:/usr/local/lib/snmp:/root/.snmp)
  It's unlikely this agent can serve any useful purpose in this state.
  Run "snmpconf -g basic_setup" to help you configure the snmpd.conf file for this agent.
tlstcp: listening on tlstcp port 0.0.0.0:10161
---- OpenSSL Related Errors: ----
 error: #33579106 (file b_sock.c, line 804)
  Textual Error: port='0.0.0.0:10161'
 error: #537301109 (file b_sock.c, line 806)

---- End of OpenSSL Errors ----
TLSTCP: Falied to do first accept on the TLS accept BIO

NET-SNMP version 5.6.2.1



On Fri, Aug 1, 2014 at 10:30 AM, sandhya reddy <sr8...@gmail.com> wrote:
Hi Bill
Following is the detailed error statement:


trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 478:
tdomain: tdomain_transport_full("snmp", "tlstcp:10.253.6.83", 0, "udp", "[NIL]")
trace: find_tdomain(): snmp_transport.c, 430:
tdomain: Found domain "tlstcp" from specifier "tlstcp"
trace: netsnmp_lookup_default_target(): snmp_service.c, 400:
defaults: netsnmp_lookup_default_target("snmp", "tlstcp") -> ":10161"
trace: netsnmp_tdomain_transport_full(): snmp_transport.c, 601:
tdomain: trying domain "tlstcp" address "10.253.6.83" default address ":10161"
trace: netsnmp_sess_config_and_open_transport(): snmp_api.c, 1523:
snmp_sess: opening transport: 0
trace: netsnmp_sess_config_transport(): snmp_api.c, 1464:
snmp_sess: configuring transport
tls:config: their identity Agent-83
tls:config: our identity tutorial-joecool
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 516:
sslctx_client: looking for local id: tutorial-joecool
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 161398264
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 161398264
cert:find:params:  hint = tutorial-joecool
cert:find:params: looking for identity(1) in FILE(0x1), hint 161398264
cert:find:params:  hint = tutorial-joecool
9:cert:subset:found: 1 matches
cert:find:found: using cert tutorial-joecool.crt / 9b49604cc747f4481d319e1923ace1d783fc5b6c for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert tutorial-joecool.crt / 9b49604cc747f4481d319e1923ace1d783fc5b6c for identity(1) (uses=identity+remote_peer (3))
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 531:
sslctx_client: using public key: tutorial-joecool.crt
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 533:
sslctx_client: using private key: tutorial-joecool.key
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 161503528
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 161503528
cert:find:params:  hint = Agent-83
cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 161503528
cert:find:params:  hint = Agent-83
9:cert:subset:found: 0 matches
trace: netsnmp_tlstcp_open(): transports/snmpTLSTCPDomain.c, 709:
tlstcp: connecting to tlstcp 10.253.6.83:10161
tlstcp: failed to ssl_connect
trace: netsnmp_sess_config_and_open_transport(): snmp_api.c, 1540:
snmp_sess: couldn't interpret peername

snmpget: Unknown host (tlstcp:10.253.6.83)


Thanks
sandhya


On Fri, Aug 1, 2014 at 10:01 AM, sandhya reddy <sr8...@gmail.com> wrote:
Is there any way that we can set the source port also when sending the request?

Thanks,
Sandhya


On Thu, Jul 31, 2014 at 6:30 PM, sandhya reddy <sr8...@gmail.com> wrote:
Hi Bill,

I guess that the SYN not getting any response is due to a firewall issue at our side.

1) Now I've tried to set up one PC as Net-SNMP Agent and the other as manager.
2) On the PC which is the Agent I have started the snmpd service on port 10161 using the snmpd tlstcp:10161 command.
This port is in LISTEN state.
3) I have generated a certificate in the Agent using the net-snmp-cert command with the name Agent-89. I give this name in the snmpget request their_identity parameter. Do I have to give the agent certificate name also when sending the snmpget request from the manager? If so, why?

Command:
snmpget -T our_identity=tutorial-joecool -T their_identity=Agent-83 -t 10 tlstcp:<IP> sysUpTime.0
In spite of these I get the error.

tlstcp:Failed to SSl connect
snmpget: Unknown host(Transport endpoint is not connected)


I've tried on another PC and got a different error:
No log handling enabled - using stderr logging
tlstcp: failed to connect to 10.253.6.83:10161

---- OpenSSL Related Errors: ----
 error: #33562734 (file bss_conn.c, line 269)
  Textual Error: host=10.253.6.83:10161

 error: #537342055 (file bss_conn.c, line 273)
---- End of OpenSSL Errors ----
snmpget: Unknown host (tlstcp:10.253.6.83) (Connection timed out)

Please help me with this setup.

The firewall issue I can't resolve as of now. Please help me with setting up the agent and manager locally.




On Thu, Jul 31, 2014 at 2:10 PM, sandhya reddy <sr8...@gmail.com> wrote:
Hi Bill,
I've understood a bit better from your explanation.
I'll follow that link.
Conceptually, I understand the following. Please let me know whether I'm correct.
1)
a) Net-SNMP tool can act as both SNMP manager and SNMP Agent.
Or
b) Net-SNMP tool acts as Manager only and test.net-snmp.org acts as Agent only?

Which of a and b is correct?

2) test.net-snmp.org acts as agent and it has its own certificate tutorial-agent. We have to use this cert if we retrieve info from the test.net-snmp.org agent.

3) tutorial-agent is a self-signed certificate and tutorial-CA is a CA-signed certificate for the agent.

4) I have tried giving the command you gave. I get an error:
$ snmpget -T our_identity=tutorial-joecool -T their_identity=tutorial-agent \
>           -t 10 tls:test.net-snmp.org sysUpTime.0

Error:

No log handling enabled - using stderr logging
tlstcp: failed to connect to test.net-snmp.org:10161
---- OpenSSL Related Errors: ----
 error: #33562734 (file bss_conn.c, line 269)
  Textual Error: host=test.net-snmp.org:10161
 error: #537342055 (file bss_conn.c, line 273)
---- End of OpenSSL Errors ----
snmpget: Unknown host (tls:test.net-snmp.org) (Connection timed out)


Tried the above command with tlstcp:test.net-snmp.org also, but still the same error.
I have also sniffed the traces.
I can see the SYN going out and retransmissions of the SYN but don't get any response.

5) The request gets generated from a random port. Is that fine or should it go from port 10161?

And should we start any service like snmpd on port 10161?

I assume snmpd is for SNMP requests and snmptrapd is for traps. These are for receiving requests and traps. Only for receiving do we need to start this service, is what I understand.


Looking forward to your response ASAP.

Thanks,
sandhya




On Fri, Jul 25, 2014 at 8:54 PM, Bill Fenner <fen...@gmail.com> wrote:
I followed the step by step directions from


and got:

$ snmpget -T our_identity=tutorial-joecool \
>           -T their_identity=tutorial-agent \
>           -t 10 tls:test.net-snmp.org sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162098689) 134 days, 12:03:06.89
$ snmpget -T our_identity=tutorial-joecool \
>           -T trust_cert=tutorial-CA \
>           -t 10 tls:test.net-snmp.org sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1162099339) 134 days, 12:03:13.39
$ snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 \
>         -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B \
>         tls:test.net-snmp.org sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders <net-snm...@lists.sourceforge.net>


While you say you have the private key, you have the private key for joecool, not for agent.  You have to generate a key for your own local agent, and that is the identity you'll need to use in the their_identity argument.

You use the net-snmp-cert command to manage/generate certs.

  Bill



On Fri, Jul 25, 2014 at 7:32 AM, sandhya reddy <sr8...@gmail.com> wrote:
Hi Bill,

Glad to see your response.
I have retrieved the entire certificate tar-ball http://www.net-snmp.org/tutorial/tutorial-5/certificates/tutorial-.snmp.tar.gz and uncompressed it.
Initially, I tried to send the snmpget request to test.net-snmp.org using the certificates from the tutorial but it also failed, giving the error "Error finding client keys. Unable to create SSL context. Unknown host". The tutorial also gives the private keys. I have checked this in the private folder of snmp.
If I try to send to the one in the tutorial, test.net-snmp.org, it should work, right?

This is why I switched to the next setup.
In this, I tried to set up Net-SNMP on two PCs using the same certs and keys as in the tutorial.
When you pointed out regarding certs I realized that I'm doing it wrong. I should create the cert in both Manager and Agent and use these two when sending out the snmpget request from the Manager, right?

How do you create the certificates? Is there any link that follows the steps to create certificates for Net-SNMP?

Once again I thank you for giving a response. I've been waiting for some response.

Thanks,
sandhya




On Thu, Jul 24, 2014 at 5:44 PM, Bill Fenner <fen...@gmail.com> wrote:
Did you configure the certificates properly?  In particular, did you configure the server with the private key?  Since you're using the fingerprints from the tutorial, but using your local server instead of test.net-snmp.org, where did you get the private key?  It's not part of the published set of keys.

  Bill


On Wed, Jul 23, 2014 at 7:08 AM, sandhya reddy <sr8...@gmail.com> wrote:


Hi Coders and Users,

I've set up NET-SNMP 5.6.2.1 and configured the tsm model.
I've done this setup on two Ubuntu 14.04 PCs.
I'm trying to send out an snmpget request over tlstcp:10161. The following are the steps I follow:
1) Start snmpd using the command: snmpd tlstcp:10161
2) snmpget -T our_identity=CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43 -T their_identity=CA:B8:0A:B3:6B:4C:21:2A:F2:92:CD:0B:6B:DF:6A:9F:23:D6:30:4B tlstcp:<IPAddress>:10161 sysContact.0
I get an error "Failed to create SSL context".
I'm debugging using wireshark sniffs and observe the following:
In the process of sending out the snmpget request, the TCP connection is getting established (I see SYN, SYN/ACK and ACK) and I see PUSH data to the agent (which might be the Client Hello, the next step from the SNMP manager), for which the agent is trying to tear down the TCP connection with FIN/ACK.

Please give me some inputs as to what is wrong that I'm doing.
Please help me to get the snmpget request working.


Thanks,
Sandhya


_______________________________________________
Net-snmp-coders mailing list
Net-snm...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
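The Aug 12 snmpget debug output at the top of this thread prints the configured their_identity as colon-separated uppercase hex and the fingerprint of the certificate the agent actually presented as bare lowercase hex, then reports "no matching fp found" (the manager looked the presented fingerprint up in its local certificate store and did not find it) and OpenSSL verify error 18, which is the self-signed-certificate-at-depth-0 error. Checking by eye whether those two spellings are the same value is error-prone. The script below is an added example, not code from the thread or from the Net-SNMP project: it normalises both fingerprint forms, compares them, and pulls the same facts out of a constructed copy of those log lines (the sample, the function names and the result keys are all this example's own). It also handles the name-based identity from the Aug 1 log (their_identity=Agent-83), which is not a fingerprint and so cannot be compared this way.

```python
"""Compare a Net-SNMP their_identity fingerprint with the fingerprint of the
certificate the agent presented, using the tls:config / tls_x509:verify
debug lines from `snmpget -Dtls,cert`.  Added example, not Net-SNMP code."""
import hashlib
import re

# Constructed sample: the relevant lines copied from the Aug 12 debug output.
SAMPLE_LOG = """\
tls:config: our identity CD:74:45:C9:A3:A3:55:0A:6C:37:03:B2:49:38:B1:01:99:95:8E:43
tls:config: their identity 28:0F:20:2E:BC:CE:5A:E8:B6:79:1F:67:3B:5D:17:DA:61:A8:6D:9B
tlstcp: connecting to tlstcp 10.253.6.83:10161
tls_x509:verify: Cert: /C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=Agent-83/emailAddress=rootuser@rootuser-OptiPlex-745
tls_x509:verify:   fp: 280f202ebcce5ae8b6791f673b5d17da61a86d9b
tls_x509:verify:   no matching fp found
tls verification failure: ok=0 ctx=0xbf83eea8 depth=0 err=18:self signed certificate
"""

# Constructed sample: the name-based identity from the Aug 1 debug output.
SAMPLE_LOG_BY_NAME = """\
tls:config: their identity Agent-83
tls_x509:verify:   fp: 280f202ebcce5ae8b6791f673b5d17da61a86d9b
"""

THEIR_RE = re.compile(r"tls:config: their identity (\S+)")
FP_RE = re.compile(r"tls_x509:verify:\s+fp: ([0-9a-fA-F:]+)")
SUBJECT_RE = re.compile(r"tls_x509:verify: Cert: (\S+)")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: 40 lowercase hex digits, no colons (SHA-1 is 20 bytes).
    Raises ValueError for anything that is not a SHA-1 fingerprint, e.g. a
    certificate name such as 'Agent-83'."""
    hexstr = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexstr):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return hexstr


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the certificate's DER bytes, the value Net-SNMP fingerprint
    identities refer to; returned in canonical lowercase form."""
    return hashlib.sha1(der_cert).hexdigest()


def fingerprint_matches(configured: str, presented: str) -> bool:
    """True when the two spellings denote the same SHA-1 fingerprint."""
    return normalize_fingerprint(configured) == normalize_fingerprint(presented)


def diagnose(log: str) -> dict:
    """Extract the configured peer identity and the presented cert from the
    debug log and report what the failure is about."""
    their = THEIR_RE.search(log)
    fp = FP_RE.search(log)
    subject = SUBJECT_RE.search(log)
    result = {
        "configured_their_identity": their.group(1) if their else None,
        "presented_subject": subject.group(1) if subject else None,
        "presented_fp": fp.group(1) if fp else None,
        # None when either value is missing or the identity is a name, not a hash
        "fingerprint_matches": None,
        # Net-SNMP prints this when the presented cert is not in its cert store
        "cert_in_local_store": "no matching fp found" not in log,
        # OpenSSL X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        "self_signed_rejected": "err=18:" in log,
    }
    if their and fp:
        try:
            result["fingerprint_matches"] = fingerprint_matches(their.group(1), fp.group(1))
        except ValueError:
            result["fingerprint_matches"] = None
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the Aug 12 lines, the report says the configured and presented fingerprints agree but the certificate is not in the manager's local store and the self-signed check failed, which locates the problem in the lookup rather than in the typed value. A name-based identity yields fingerprint_matches None, since a filename is matched by name, not by hash.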