Discussion:
DTLS not consistent
Dharm S
2014-12-23 05:34:40 UTC
Hi All,

I was trying net-snmp with DTLS support, with snmpd running on one system
and the manager on another. The USM model worked well. Regarding DTLS, I found
this strange behaviour of requests being processed only at times. The
certificate fingerprints are included in snmpd.conf as written in the
tutorial. My OpenSSL version shows the following:

OpenSSL 1.0.0e 6 Sep 2011
built on: Thu Feb 9 00:57:05 UTC 2012
platform: debian-i386
options: bn(64,32) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g
-Wall

Is this a problem with OpenSSL? Can you guide me on which parameters
should be checked while receiving and sending requests between the manager and
snmpd? The dtls and cert tokens show successful messages while processing. But
when it doesn't process, I get the following errors:

dtlsudp: have 148 bytes to send
dtlsudp: received 48 raw bytes on way to dtls
dtlsudp: have 168 bytes to send
dtlsudp: Trying to write 69 of buffered data
dtlsudp: received 1375 raw bytes on way to dtls
tls_x509:verify: Cert:
/C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=snmpd_self/emailAddress=
***@net-snmp.org
tls_x509:verify: fp: 64b0d3303f8ff59667577f5a7131c9986fd91456
tls_x509:verify: verify_callback called with: ok=1 ctx=0xbfb7b3f8 depth=0
err=0:ok
tls_x509:verify: returning the passed in value of 1
dtlsudp: have 1948 bytes to send
dtlsudp: Trying to write 69 of buffered data
tsm: needed to free transport data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 69 of buffered data
tsm: needed to free transport data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 138 of buffered data
tsm: needed to free transport data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 207 of buffered data
tsm: needed to free transport data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 276 of buffered data
tsm: needed to free transport data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 345 of buffered data
failed rfc5343 contextEngineID probing
snmpwalk: Timeout (Success)
dtlsudp:close: closing dtlsudp transport 0x9167c28
dtlsudp:close: 414 bytes remain in write_cache
dtlsudp:close: dumping 414 bytes from write_cache
dtlsudp:close: closing SSL socket
tlsbase: Freeing TLS Base data for a session

Thanks,
Dharm
Wes Hardaker
2014-12-23 06:34:41 UTC
Post by Dharm S
failed rfc5343 contextEngineID probing
So, judging from the packet information, it appears that the snmp library
gets the dtls connection open (or at least it believes it is; whether the
*other* side agrees is still subject to debate). Then it's trying to send a
contextEngineId probe through, which is 69 bytes long, and it tries that
multiple times (you can see the buffer filling up because all the packet
buffers add up in multiples of 69). And then it finally fails with a
contextEngineId sync failure.

Do you have the logs from the server side too?
--
Wes Hardaker
Parsons
Dharm S
2014-12-23 07:51:59 UTC
Hi Wes,

The server side logs are as follows:

cert:util:config: parsing 10
A7:C7:EB:F8:30:6B:4F:9E:78:28:C4:1E:CF:F1:DC:6B:EA:91:C6:AE --cn
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint
3214037692
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
3214037692
cert:find:params: hint =
A7:C7:EB:F8:30:6B:4F:9E:78:28:C4:1E:CF:F1:DC:6B:EA:91:C6:AE
cert:find:found: using cert manager_self_1.crt /
a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae for remote_peer(2)
(uses=remote_peer (2))
cert:find:found: using cert manager_self_1.crt /
a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae for remote_peer(2)
(uses=remote_peer (2))
cert:map:add: pri 10, fp a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae
dtlsudp: netsnmp_dtlsudp_transport(): transports/snmpDTLSUDPDomain.c, 1421:
A SNMP version other than 3 was requested with (D)TLS; using 3 anyways
tlstcp: listening on tlstcp port 0.0.0.0:10161
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 165187808
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
165187808
cert:find:params: hint =
64:B0:D3:30:3F:8F:F5:96:67:57:7F:5A:71:31:C9:98:6F:D9:14:56
cert:find:found: using cert snmpd_self.crt /
64b0d3303f8ff59667577f5a7131c9986fd91456 for identity(1)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd_self.crt /
64b0d3303f8ff59667577f5a7131c9986fd91456 for identity(1)
(uses=identity+remote_peer (3))
NET-SNMP version 5.7.3.rc3
dtlsudp: received 148 raw bytes on way to dtls
dtlsudp: starting a new connection
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 165187808
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
165187808
cert:find:params: hint =
64:B0:D3:30:3F:8F:F5:96:67:57:7F:5A:71:31:C9:98:6F:D9:14:56
cert:find:found: using cert snmpd_self.crt /
64b0d3303f8ff59667577f5a7131c9986fd91456 for identity(1)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd_self.crt /
64b0d3303f8ff59667577f5a7131c9986fd91456 for identity(1)
(uses=identity+remote_peer (3))
dtlsudp:cookie: generating cookie...
dtlsudp: have 48 bytes to send
dtlsudp: received 168 raw bytes on way to dtls
dtlsudp:cookie: verify cookie: 1
dtlsudp: have 1375 bytes to send
dtlsudp: received 148 raw bytes on way to dtls
dtlsudp: starting a new connection
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 165187808
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
165187808
cert:find:params: hint =
64:B0:D3:30:3F:8F:F5:96:67:57:7F:5A:71:31:C9:98:6F:D9:14:56
cert:find:found: using cert snmpd_self.crt /
64b0d3303f8ff59667577f5a7131c9986fd91456 for identity(1)
(uses=identity+remote_peer (3))
cert:find:found: using cert snmpd_self.crt /
64b0d3303f8ff59667577f5a7131c9986fd91456 for identity(1)
(uses=identity+remote_peer (3))
dtlsudp: have 48 bytes to send
dtlsudp: received 168 raw bytes on way to dtls
dtlsudp:cookie: verify cookie: 1
dtlsudp: have 1375 bytes to send
dtlsudp: received 1948 raw bytes on way to dtls
tls_x509:verify: Cert:
/C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=self1/emailAddress=
***@net-snmp.org
dtlsudp:cookie: generating cookie...
tls_x509:verify: fp: a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint
165219632
cert:find:params: hint = a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae
cert:find:found: using cert manager_self_1.crt /
a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae for remote_peer(2)
(uses=remote_peer (2))
tls_x509:verify: Found locally: /usr/share/manager_self_1.crt
tls_x509:verify: verify_callback called with: ok=0 ctx=0xbf9268d8 depth=0
err=18:self signed certificate
tls_x509:verify: accepting matching fp of self-signed certificate found
in: manager_self_1.crt
tls_x509:verify: Cert:
/C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=self1/emailAddress=
***@net-snmp.org
tls_x509:verify: fp: a7c7ebf8306b4f9e7828c41ecff1dc6bea91c6ae
tls_x509:verify: verify_callback called with: ok=1 ctx=0xbf9268d8 depth=0
err=18:self signed certificate
tls_x509:verify: returning the passed in value of 1
dtlsudp: have 1498 bytes to send


Thanks,
Dharm
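Wes's reply reads the manager-side trace by hand (the 69-byte probe re-queued until the write cache holds only multiples of 69), and the agent-side trace above supplies the other half of the picture. The script below is an added example for this thread, not net-snmp code: it reduces both traces to the sizes they report and cross-checks them, so the same reading can be done mechanically on a fresh capture. The log excerpts are constructed from the lines quoted in this thread (with the interleaved lines normalised), and the only assumption beyond the page is that "have N bytes to send", "sending N bytes" and "received N raw bytes" all refer to raw datagram sizes, as the debug names suggest. It reports what the traces contain; it does not decide the root cause.

```python
import re
from collections import Counter

# Constructed excerpts of the manager (snmpwalk) and agent (snmpd) debug
# traces quoted in this thread, trimmed to the lines the checks rely on.
CLIENT_LOG = """\
dtlsudp: have 148 bytes to send
dtlsudp: received 48 raw bytes on way to dtls
dtlsudp: have 168 bytes to send
dtlsudp: Trying to write 69 of buffered data
dtlsudp: received 1375 raw bytes on way to dtls
tls_x509:verify: verify_callback called with: ok=1 ctx=0xbfb7b3f8 depth=0 err=0:ok
dtlsudp: have 1948 bytes to send
dtlsudp: Trying to write 69 of buffered data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 69 of buffered data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 138 of buffered data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 207 of buffered data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 276 of buffered data
dtlsudp: sending 69 bytes
dtlsudp: Trying to write 345 of buffered data
failed rfc5343 contextEngineID probing
snmpwalk: Timeout (Success)
dtlsudp:close: 414 bytes remain in write_cache
"""

SERVER_LOG = """\
dtlsudp: received 148 raw bytes on way to dtls
dtlsudp: starting a new connection
dtlsudp: have 48 bytes to send
dtlsudp: received 168 raw bytes on way to dtls
dtlsudp: have 1375 bytes to send
dtlsudp: received 148 raw bytes on way to dtls
dtlsudp: starting a new connection
dtlsudp: have 48 bytes to send
dtlsudp: received 168 raw bytes on way to dtls
dtlsudp: have 1375 bytes to send
dtlsudp: received 1948 raw bytes on way to dtls
tls_x509:verify: verify_callback called with: ok=1 ctx=0xbf9268d8 depth=0 err=18:self signed certificate
dtlsudp: have 1498 bytes to send
"""

# Shapes of the debug lines we rely on (as quoted above); each captures one integer.
RE = {k: re.compile(p) for k, p in {
    "have": r"have (\d+) bytes to send",                 # datagram queued for the wire
    "recv": r"received (\d+) raw bytes on way to dtls",  # datagram taken off the wire
    "write": r"Trying to write (\d+) of buffered data",  # write_cache depth at each retry
    "send": r"sending (\d+) bytes",                      # datagram actually sent
    "remain": r"(\d+) bytes remain in write_cache",      # what was left at close
    "ok": r"verify_callback called with: ok=(\d)",       # peer certificate accepted?
}.items()}

def parse_side(log):
    """Reduce one side's trace to lists of sizes plus a few flags."""
    s = {k: [] for k in RE}
    s.update(new_conn=0, probe_failed=False, timeout=False)
    for line in log.splitlines():
        for key, rx in RE.items():
            if m := rx.search(line):
                s[key].append(int(m.group(1)))
                break
        s["new_conn"] += "starting a new connection" in line
        s["probe_failed"] |= "failed rfc5343 contextEngineID probing" in line
        s["timeout"] |= "Timeout" in line
    return s

def probe_stall(side):
    """The pattern Wes points at: one fixed-size record re-queued on every
    retry, so the write cache only grows, in multiples of that size."""
    if not side["send"]:
        return None
    probe = Counter(side["send"]).most_common(1)[0][0]
    w = side["write"]
    return {"probe_size": probe, "retries": len(side["send"]),
            "cache_grows": all(b >= a for a, b in zip(w, w[1:]))
            and all(x % probe == 0 for x in w),
            "unsent_probes": (side["remain"] or [0])[-1] // probe}

def never_received(sender, receiver):
    """Sizes one side queued or sent that the other side never logged as
    received (matched by size only, so retransmits collapse to one)."""
    seen = set(receiver["recv"])
    return [n for n in dict.fromkeys(sender["have"] + sender["send"])
            if n not in seen]

def diagnose(client_log, server_log):
    """Cross-check both traces; reports only what the lines contain."""
    c, s = parse_side(client_log), parse_side(server_log)
    return {"client_verified_peer": 1 in c["ok"],
            "server_verified_peer": 1 in s["ok"],
            "server_handshakes_started": s["new_conn"],
            "client_stall": probe_stall(c),
            "client_sent_never_seen_by_server": never_received(c, s),
            "server_sent_never_seen_by_client": never_received(s, c),
            "probe_failed": c["probe_failed"], "timeout": c["timeout"]}
```

On the excerpts above, diagnose(CLIENT_LOG, SERVER_LOG) reports that both sides accepted the peer certificate, that the manager's write cache grew in multiples of the 69-byte probe with six probes still queued at close (414 = 6 × 69), that the agent started two connections, that no 69-byte datagram ever appears in the agent's "received" lines, and that the agent's 1498-byte flight never appears in the manager's "received" lines. When using this on your own capture, run both ends with the same debug tokens (dtlsudp, tls_x509, tsm) and compare the two "never seen" lists first: they tell you at which flight the two sides stop agreeing, which is the question Wes raises.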
