
Error with TLS Call Home connection using netopeer2-cli

Open Aaru47527 opened this issue 1 year ago • 2 comments

Describe the issue: I am encountering an error when attempting to listen for a TLS Call Home connection using netopeer2-cli. Below is the command and the error log I receive:

Command: listen --tls

Error Log:
cmd_listen: Waiting 60s for a TLS Call Home connection on port 4335...
nc ERROR: Communication socket unexpectedly closed.
cmd_listen: Receiving TLS Call Home on port 4335 failed.

Here are the relevant logs from the netopeer2-server:
[INF]: LN: Trying to connect via IPv4 to 172.17.167.137:4335.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Successfully connected to 172.17.167.137:4335 over IPv4.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Successfully connected to 172.17.167.137:4335 over IPv4.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 822 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 822 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 823 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 823 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Session 824 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: SR: Session 824 (user "root", CID 56) created.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: depth 1.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: depth 1.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: depth 0.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Cert-to-name unsuccessful, dropping the new client.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [ERR]: LN: Client certificate error (application verification failure).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: [ERR]: LN: SSL accept failed (certificate verify failed).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify CTN: cert fail, cert-to-name will continue on the next cert in chain.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: depth 0.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: subject: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert verify: issuer: /C=in/ST=ut/L=ut/O=ut/OU=ru/CN=ut/[email protected].
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Cert-to-name unsuccessful, dropping the new client.
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: Client certificate error (application verification failure).
Aug 08 09:45:01 13266--SW--MCP7 netopeer2-server[41237]: SSL accept failed (certificate verify failed).
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Call Home client "default-client" endpoint "endpoint-tls" failed connection attempt limit 3 reached.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Call Home client "default-client" endpoint "endpoint-tls" failed connection attempt limit 3 reached.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Call Home client "default-client" endpoint "endpoint-tls" connecting...
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: Trying to connect via IPv4 to 172.17.167.137:4335.
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: [INF]: LN: getsockopt() error (Connection refused).
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Call Home client "default-client" endpoint "endpoint-tls" connecting...
Aug 08 09:45:03 13266--SW--MCP7 netopeer2-server[41237]: Trying to connect via IPv4 to 172.17.167.137:4335.

Steps to Reproduce:

  1. Start the netopeer2-server.
  2. Run listen --tls command from netopeer2-cli.
  3. Observe the error log.

Expected Behavior: The TLS Call Home connection should be established successfully.

Actual Behavior: The connection fails with the error: SSL accept failed (certificate verify failed). Any help resolving this issue would be greatly appreciated.

Regards, Aarti

Aaru47527, Aug 13 '24 04:08

Hi, what libnetconf2/netopeer2 versions are you using? I think that the problem is that you're missing a cert-to-name entry for the client's certificate in the server's configuration.

Roytak, Aug 13 '24 06:08

Hi @Roytak ,

We are using libnetconf2-2.1.31 and netopeer2-2.1.59. The issue might be related to a missing cert-to-name entry for the client's certificate in the server's configuration. Here's an example of how it should look:

<client-authentication>
  <required/>
  <ca-certs>cacerts</ca-certs>
  <client-certs>clientcerts</client-certs>
  <cert-maps>
    <cert-to-name>
      <id>1</id>
      <fingerprint>02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74</fingerprint>
      <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
      <name>tls-test</name>
    </cert-to-name>
  </cert-maps>
</client-authentication>

This configuration needs to be added under the section of your in the server configuration.

Aaru47527, Aug 13 '24 07:08
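An added example (not netopeer2 or libnetconf2 code) of how the fingerprint in a cert-to-name entry like the one above is formed and matched: the first octet names the hash algorithm, the rest is that digest of the certificate's DER encoding, and the server tries each certificate in the presented chain against the configured entries, which is the "Cert verify CTN" step visible in the server log. The certificate bytes, the entry id and the name "tls-test" are constructed stand-ins; pem_to_der() on a real client certificate gives the bytes to fingerprint for the server configuration.

```python
import base64
import hashlib

# First octet of an ietf-x509-cert-to-name tls-fingerprint names the hash used for
# the rest (RFC 7407): the 21-octet "02:20:E1:..." value above is 0x02 + 20 bytes = SHA-1.
HASH_PREFIX = {"md5": 0x01, "sha1": 0x02, "sha224": 0x03,
               "sha256": 0x04, "sha384": 0x05, "sha512": 0x06}
PREFIX_HASH = {v: k for k, v in HASH_PREFIX.items()}


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the body to the DER the hash is taken over."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def tls_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated, algorithm-prefixed fingerprint in the form <fingerprint> expects."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02X}" for b in bytes([HASH_PREFIX[algo]]) + digest)


def parse_fingerprint(fp: str):
    """Split a configured fingerprint into (hash name, digest); reject a wrong length."""
    octets = bytes.fromhex(fp.replace(":", ""))
    algo = PREFIX_HASH[octets[0]]
    if len(octets) - 1 != hashlib.new(algo).digest_size:
        raise ValueError(f"fingerprint length does not match {algo}")
    return algo, octets[1:]


def resolve_name(chain_der, cert_maps):
    """Walk the chain from the CA end down to depth 0 (the order the server logs) and
    return the NETCONF username of the first matching entry, or None when nothing
    matches, which is when the server logs "Cert-to-name unsuccessful, dropping the
    new client". chain_der[0] is the leaf; only x509c2n:specified is handled."""
    for depth in range(len(chain_der) - 1, -1, -1):
        for entry in cert_maps:
            algo, expected = parse_fingerprint(entry["fingerprint"])
            if hashlib.new(algo, chain_der[depth]).digest() != expected:
                continue
            if entry["map-type"] != "x509c2n:specified":
                raise NotImplementedError("SAN/CN map types need the certificate parsed")
            return entry["name"]
    return None


# Constructed stand-ins for the DER of the client certificate and its issuing CA;
# a real deployment would feed pem_to_der(open("client.crt").read()) instead.
LEAF_DER = b"constructed: client certificate CN=ut"
CA_DER = b"constructed: issuing CA certificate"
CERT_MAPS = [{"id": 1, "fingerprint": tls_fingerprint(LEAF_DER),
              "map-type": "x509c2n:specified", "name": "tls-test"}]
```

With CERT_MAPS as built, resolve_name([LEAF_DER, CA_DER], CERT_MAPS) yields "tls-test", while an empty cert-maps list yields None, the situation the issue's log shows.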