Netopeer TLS support


Xiang Li

Jul 16, 2014, 9:49:40 AM
to neto...@googlegroups.com
Hi
I wanted to check out Netopeer TLS support. It seems this has been implemented recently. Is there any document about how to use it?
I managed to build and start the Netopeer server listening on both 830 for SSH and 6513 for TLS, but could not figure out how to use netopeer-cli to connect to the server using TLS. Can you help?

Thanks!
--Xiang Li

Michal Vasko

Jul 16, 2014, 10:26:14 AM
to neto...@googlegroups.com
Hey Xiang,

TLS support is, indeed, recent, but should be working (though not too user-friendly, we are working on it). For starters, don't forget to configure all the parts (server, CLI, libnetconf) with --enable-tls. Since TLS listening on port 6513 is default, you shouldn't have any problems starting it, so you got that working. Now, start CLI and check "help connect". You should see another option (compared to without TLS) enabling you to either specify the path to the *.pem file with both your certificate and key or specify separately *.crt and *.key (all of these are provided as examples called "client.pem/.crt/.key"). So using connect with all the correct arguments (don't forget --port, although 6513 should be the default) should be successful.

However, once you send your certificate to the server, it must be verified. For this purpose there is also the certificate "rootCA.pem" provided (which was used to sign client certificate), but you must copy it into the correct path for OpenSSL to find it. Since all of this is a work-in-progress, this path is not yet final and it's all a bit chaotic (you may get some warnings), so I suggest you just correctly add "rootCA.pem" into your system certificate store and it should work. Some distributions are able to do this using a GUI tool, but it can also be done manually (you should easily find it, basically you just copy your certificate into the correct directory and use "c_rehash" utility there).

Michal
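
The steps above (client.crt/.key or a combined client.pem for the CLI, rootCA.pem placed where OpenSSL can find it, c_rehash) can be exercised without the server. The following is an added example, not Netopeer or libnetconf code: it makes a throwaway root CA and a client certificate in that file layout, installs rootCA.pem into an OpenSSL hashed certificate directory (the link layout c_rehash produces), and runs the same chain check with "openssl verify" that a server has to pass before it accepts a client certificate. The CA subject, the client CNs, the 1-day validity and the directory names are assumptions; the netopeer-cli "connect" syntax itself is not shown because the thread does not give it.

```shell
#!/bin/sh
# Added example, not Netopeer/libnetconf code: throwaway root CA + client
# certificate in the layout netopeer-cli takes (client.crt, client.key,
# combined client.pem), rootCA.pem installed into an OpenSSL hashed CApath,
# chain check with "openssl verify". Names, validity and paths are assumptions.
set -eu

# make_ca DIR: self-signed root CA in DIR (ca.key, rootCA.pem). The config is
# written here so the step does not depend on the system openssl.cnf.
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Netopeer test root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/rootCA.pem" 2>/dev/null
}

# make_client CADIR OUTDIR CN: client key + CSR, signed by the CA in CADIR.
# Writes OUTDIR/client.key, client.crt and client.pem (certificate, then key).
make_client() {
    cadir=$1; out=$2; cn=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -config "$cadir/ca.cnf" -keyout "$out/client.key" -out "$out/client.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$out/client.ext"
    openssl x509 -req -sha256 -days 1 -in "$out/client.csr" \
        -CA "$cadir/rootCA.pem" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$out/client.ext" -out "$out/client.crt" 2>/dev/null
    cat "$out/client.crt" "$out/client.key" > "$out/client.pem"
}

# install_ca CADIR CAPATH: the layout OpenSSL's CApath lookup expects,
# <subject hash>.0 -> certificate. "c_rehash CAPATH" (newer OpenSSL:
# "openssl rehash CAPATH") creates the same links for every file there.
install_ca() {
    cadir=$1; capath=$2
    mkdir -p "$capath"
    cp "$cadir/rootCA.pem" "$capath/rootCA.pem"
    h=$(openssl x509 -noout -subject_hash -in "$capath/rootCA.pem")
    ln -sf rootCA.pem "$capath/$h.0"
}

# verify_client CAPATH CERT: exit 0 if CERT chains to a CA found in CAPATH,
# non-zero otherwise (the chain check a server applies to a presented cert).
verify_client() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: a client signed by the installed CA passes; a client signed
# by a second CA with the same subject name but a different key is rejected.
work=$(mktemp -d)
mkdir "$work/ca" "$work/other" "$work/good" "$work/bad"
make_ca "$work/ca"
make_ca "$work/other"
make_client "$work/ca" "$work/good" netopeer-client
make_client "$work/other" "$work/bad" rogue-client
install_ca "$work/ca" "$work/capath"
verify_client "$work/capath" "$work/good/client.crt" && echo "good/client.crt: trusted"
verify_client "$work/capath" "$work/bad/client.crt" || echo "bad/client.crt: rejected"
rm -rf "$work"
```

One caveat worth keeping in mind when following the advice to drop rootCA.pem into the system store: every certificate that CA ever signs will then pass the chain check for anything on the box that trusts the system store, not just the NETCONF server, so keep the test CA key private and prefer a dedicated directory once the server supports one.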

Xiang Li

Jul 16, 2014, 10:37:15 AM
to Michal Vasko, neto...@googlegroups.com
Michal
Thanks for the information. I was wondering how the Netopeer server validates client certificates... I will try your suggestions later.

Thanks again,

--Xiang Li


--
You received this message because you are subscribed to the Google Groups "Netopeer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netopeer+u...@googlegroups.com.
Visit this group at http://groups.google.com/group/netopeer.
For more options, visit https://groups.google.com/d/optout.

Michal Vasko

Jul 28, 2014, 2:20:42 AM
to neto...@googlegroups.com, mv6...@gmail.com
Hi Xiang,

if you still did not get round to trying TLS, I suggest you do it with libnetconf and netopeer on their "tls" branches. Many of the things I mentioned are either solved or made much easier (client certificate management is done fully via CLI with new commands). Just thought I'd let you know. It may not be perfect, though, and we will appreciate any bug reports.

Michal

Xiang Li

Jul 28, 2014, 9:45:39 AM
to Michal Vasko, neto...@googlegroups.com
Michal

Thank you very much for the tip! No, I haven't had time to check it out yet. I will definitely report back when I get to it...

Best regards

-Xiang

Xiang Li

Feb 10, 2015, 4:19:29 PM
to neto...@googlegroups.com, mv6...@gmail.com
Hi Michal 

I noticed that the following extra debugging print is unexpectedly being sent together with the server hello message right after the TLS session is established:

libnetconf DEBUG: Received message (session ): process 18032: arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in file ../../dbus/dbus-message.c line 2535.
<server hello follows...>

Then netopeer-cli aborts with the following msg:

libnetconf ERROR: Invalid XML data received.
libnetconf ERROR: Malformed message received, closing the session .
libnetconf DEBUG: Writing message (session ): <?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <close-session/>
</rpc>

libnetconf ERROR: Reading from the TLS session failed (5)
libnetconf ERROR: Malformed message received, closing the session .

I am implementing TLS support in our GUI client NETCONFc, and if I manually strip the extra debugging message, my implementation can then talk to the netopeer server successfully over TLS.

The netopeer server version I am using is:

xiangli@ubuntu:~/ssl_test$ netopeer-server -V
netopeer-server version: 0.6.0

Can you check if this is a bug in the netopeer server?

Thanks
-Xiang

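
To make the failure mode in the report above concrete, here is an added example (not libnetconf or NETCONFc code): an awk scanner over a ]]>]]>-framed NETCONF 1.0 stream that flags every frame whose first non-blank byte is not "<", reports the offending prefix, and in "fix" mode drops it, which is the manual stripping described in the report. The stream is a constructed sample that pastes the reported DEBUG line in front of a server <hello>; the session-id, capability list and the second frame are made up.

```shell
#!/bin/sh
# Added example, not libnetconf/NETCONFc code: find (and optionally drop)
# non-XML bytes glued in front of a message in a ]]>]]>-framed NETCONF 1.0
# stream, the symptom reported above. The stream below is constructed.
set -eu

# Constructed sample: the reported DEBUG line in front of the <hello>, then a
# clean second frame. session-id and capabilities are made up.
sample_stream='libnetconf DEBUG: Received message (session ): process 18032: arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_utf8 (*string_p)" failed in file ../../dbus/dbus-message.c line 2535.
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
  </capabilities>
  <session-id>42</session-id>
</hello>
]]>]]>
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>
]]>]]>'

# scan_frames [fix]: read a ]]>]]>-framed stream on stdin. With no argument,
# print one report line per frame whose first non-blank byte is not "<" and
# exit 1 if there was any such frame (0 otherwise). With "fix", re-emit the
# stream with those prefixes removed and exit 0.
scan_frames() {
    awk -v fix="${1:-}" '
    function handle(msg,   p, junk) {
        sub(/^[ \t\r\n]+/, "", msg)
        sub(/[ \t\r\n]+$/, "", msg)
        if (msg == "") return              # empty record after the last delimiter
        n++
        p = index(msg, "<")
        if (p != 1) {
            bad++
            junk = (p > 0) ? substr(msg, 1, p - 1) : msg
            sub(/[ \t\r\n]+$/, "", junk)
            if (!fix) printf "frame %d: %d non-XML bytes before the message: %s\n", n, length(junk), junk
            msg = (p > 0) ? substr(msg, p) : ""
        }
        if (fix) printf "%s\n]]>]]>\n", msg
    }
    {
        line = $0
        while ((i = index(line, "]]>]]>")) > 0) {   # delimiter may sit mid-line
            handle(buf substr(line, 1, i - 1)); buf = ""
            line = substr(line, i + 6)
        }
        buf = buf line "\n"
    }
    END { handle(buf); exit (fix || !bad) ? 0 : 1 }'
}

# Stand-alone run: report the bad frame, then show the cleaned stream.
printf '%s' "$sample_stream" | scan_frames || true
printf '%s' "$sample_stream" | scan_frames fix
```

Dropping the prefix is a client-side workaround only: the debug text was written to the same channel as the <hello>, so the fix belongs in the server, and a client that strips it should at least log what it discarded rather than silently trust the rest of the frame.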

Michal Vasko

Feb 11, 2015, 3:18:25 AM
to neto...@googlegroups.com, mv6...@gmail.com
Hi Xiang,

thanks for the bug report, I might take a look at it, but there will be a completely new TLS netopeer server. Until it is officially up, you can find it here in the branch ssh_tls. It was tested to a certain extent and should work well. We would appreciate bug reports from that netopeer much more.

Regards,
Michal