Discussion:
Help in configuring users in DTLS
Dharm S
2014-11-10 06:59:18 UTC
Hi All,

I have generated certificates and used the keys while entering the SNMP
commands. I ran snmpd after entering the following lines in snmp.conf:

peerCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
localCert 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6

where peerCert is the fingerprint of snmpd.crt and localCert in manager.crt.

And in snmpd.conf, I have:

[snmp] localCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
certSecName 10 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 --cn

The snmpget dtlsudp:localhost:10161 sysContact.0 gives the following debug
messages:
cert:util:init: init
cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0)
/var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
cert:index:lookup: /usr/local/etc/snmp/tls/certs (1)
/var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
cert:index:lookup: /usr/local/etc/snmp/tls/private (2)
/var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x9f81438 for manager.key
cert:key:struct:new: new key 0x0x9f81388 for snmpd.key
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3)
/var/net-snmp/cert_indexes/3
cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
cert:index:lookup: /home/anjali/.snmp/tls/certs (4)
/var/net-snmp/cert_indexes/4
cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
cert:index:lookup: /home/anjali/.snmp/tls/private (5)
/var/net-snmp/cert_indexes/5
cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
cert:partner: manager.crt match found!
cert:partner: snmpd.crt match found!
cert:key:read: Checking file snmpd.key
cert:key:read: Checking file manager.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 167466280
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
167466280
cert:find:params: hint =
89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
(uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
(uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
167493864
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
167493864
cert:find:params: hint =
09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:trust_ca: checking roots for 0x9f80f08
cert:trust: putting trusted cert 0x9f81f70 =
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x9fd36d0
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
167598104
cert:find:params: hint = 8954990382e414a949d54638c05fb5b2b82771c6
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
167493864
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
167493864
cert:find:params: hint =
09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
failed rfc5343 contextEngineID probing
snmpwalk: Timeout (Success)

But if I comment out peerCert and localCert and run snmpd with fingerprints
entered on the command line, I get the output.

snmpget -v 3 -u final --defSecurityModel=tsm -T
our_identity=89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 -T
their_identity=09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
dtlsudp:localhost:10161 sysContact.0 -Dcert

output:
cert:util:init: init
cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0)
/var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
cert:index:lookup: /usr/local/etc/snmp/tls/certs (1)
/var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
cert:index:lookup: /usr/local/etc/snmp/tls/private (2)
/var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x97b6218 for manager.key
cert:key:struct:new: new key 0x0x97b6168 for snmpd.key
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3)
/var/net-snmp/cert_indexes/3
cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
cert:index:lookup: /home/anjali/.snmp/tls/certs (4)
/var/net-snmp/cert_indexes/4
cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
cert:index:lookup: /home/anjali/.snmp/tls/private (5)
/var/net-snmp/cert_indexes/5
cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
cert:partner: manager.crt match found!
cert:partner: snmpd.crt match found!
cert:key:read: Checking file snmpd.key
cert:key:read: Checking file manager.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 159287896
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
159287896
cert:find:params: hint =
89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
(uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
(uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
159374304
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
159374304
cert:find:params: hint =
09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:trust_ca: checking roots for 0x97b5ce0
cert:trust: putting trusted cert 0x97b6d50 =
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x980f408
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
159374304
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
159374304
cert:find:params: hint =
09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
SNMPv2-MIB::sysContact.0 = STRING: Me <***@example.org>

After this I uncomment peerCert and localCert in snmp.conf, and I am able
to get the output using just

snmpget dtlsudp:localhost:10161 sysContact.0

Can anyone help me in understanding what makes it read while modifying
snmp.conf when snmpd is running and it doesn't read the fingerprints as
required with the initial configuration?
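
Added example, not part of the original post and not Net-SNMP code: a small log triage script that maps the "got"/"expected" fingerprints in the failing run back to the certificate files named by the cert:find:found lines, showing which certificate the agent presented. The function names are hypothetical, and the sample is constructed from lines of the debug output above, with the mail client's line wrapping left in.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the failing -Dcert run in the post,
# including the wrapped continuation lines.
SAMPLE_LOG = """\
cert:find:found: using cert manager.crt /
8954990382e414a949d54638c05fb5b2b82771c6 for identity(1)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt /
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2)
(uses=identity+remote_peer (3))
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected
0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
"""

FOUND_RE = re.compile(
    r"cert:find:found: using cert (\S+) / ([0-9a-fA-F]{40}) for (\w+)\(\d+\)")
MISMATCH_RE = re.compile(r"\bgot ([0-9a-fA-F:]+), expected ([0-9a-fA-F:]+)")


def normalize_fingerprint(fp):
    """Lowercase hex without colons, so config-style (09:38:...) and
    log-style (0938...) fingerprints compare equal."""
    cleaned = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", cleaned):
        raise ValueError("not a hex fingerprint: %r" % fp)
    return cleaned


def diagnose(log_text):
    """Return one finding per distinct (got, expected) mismatch in the log."""
    # Undo line wrapping first: every record becomes space-separated text.
    flat = " ".join(log_text.split())

    # fingerprint -> certificate file name, as reported by cert:find:found.
    names = {}
    for name, fp, _role in FOUND_RE.findall(flat):
        names[normalize_fingerprint(fp)] = name

    # Retries repeat the same error, so count identical mismatches once.
    counts = Counter(
        (normalize_fingerprint(got), normalize_fingerprint(expected))
        for got, expected in MISMATCH_RE.findall(flat))

    return [
        {
            "presented": names.get(got, "unknown"),
            "expected": names.get(expected, "unknown"),
            "got_fp": got,
            "expected_fp": expected,
            "attempts": attempts,
        }
        for (got, expected), attempts in counts.items()
    ]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print("remote side presented %s (%s), client expected %s (%s), "
              "seen %d time(s)" % (f["presented"], f["got_fp"],
                                   f["expected"], f["expected_fp"],
                                   f["attempts"]))
```

On the sample it reports that the remote side presented manager.crt where snmpd.crt was expected, which is the mismatch the DTLSUDP error lines describe.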
Dharm S
2014-11-12 05:21:26 UTC
Hi Arefin,

Thanks for the response. But the issue seems to be something else. I am
getting the same error again though I used 600 or 640.

I had a similar problem! Apparently the file permission on the certs was
too open! Reducing the file permission to something like 640 or 600 solved
the problem for me. Pardon me if this is not the case.
--
M. A. Arefin
240.401.7074 (cell)