From: Nguyen Anh Dung
Subject: RE: [Nufw-users] How to get the right certificate when using nutcpc to connect to NuFW
Date: Thu, 29 Oct 2009 16:19:32 +0700

Hi,
I tried to set nuauth_uses_fake_sasl to 0 and 1 then test it but things are the 
same. I did install kerberos too.

Thanks,
Dzung Nguyen.

-----Original Message-----
From: Eric Leblond [mailto:address@hidden]
Sent: Thursday 29 October 2009 14:20
To: Nguyen Anh Dung
Cc: address@hidden
Subject: RE: [Nufw-users] How to get the right certificate when using nutcpc to
connect to NuFW

Hi,

On Thu, 29 Oct 2009 06:57:03 +0700, "Nguyen Anh Dung" <address@hidden>
wrote:
> Hi Eric Leblond,
> Thanks for your response, I did test it for 2 hours and got nothing :(
> I tried another way, as in the guideline:
>       openssl  req  -new  -x509  -keyout  private/CAkey.pem  -out  private/CAcert.pem
>       You have to set a strong password here and keep it secret.
>       
>       Generating nufw and nuauth private keys:
>       openssl  genrsa  -out  private/nufw-key.pem
>       openssl  genrsa  -out  private/nuauth-key.pem
>       Generating Certificate Signing Requests for both nufw and nuauth keys:
>       openssl  req  -new  -key  private/nufw-key.pem  -out  nufw.csr
>       openssl  req  -new  -key  private/nuauth-key.pem  -out  nuauth.csr
>       
>       Having our keys signed by the certificate authority we created:
>       openssl  x509  -req  -days  365  -in  nufw.csr  -CA  private/CAcert.pem  \
>               -CAkey  private/CAkey.pem  -CAcreateserial  -out  nufw-cert.pem
>       openssl  x509  -req  -days  365  -in  nuauth.csr  -CA  private/CAcert.pem  \
>               -CAkey  private/CAkey.pem  -CAcreateserial  -out  nuauth-cert.pem
>       
>       Copy the files where needed:
>       For nufw:
>       cp  private/nufw-key.pem  /etc/nufw/
>       cp  nufw-cert.pem  /etc/nufw/
>       For nuauth:
>       cp  private/nuauth-key.pem  /etc/nufw/
>       cp  nuauth-cert.pem  /etc/nufw/
> 
> I created the certificate authority (CAcert.pem) and I copied it to
> /etc/nufw/NuFW-cacert.pem.
> Then I tried nutcpc again:
> nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem -K /etc/nufw/nufw-key.pem -H right
> There are errors:
> 
> In client side:
> Connecting to NuFW gateway (right)
> Server Certificate OK
> TLS session lost, check your certificate validity.
> Unable to initate connection to NuFW gateway
> Problem: Error in the certificate.
> Authentication failed (check parameters)
> 
> In server side:
> ** Message: [7] TLS Handshaking (last error: 0)
> ** Message: [9] Peer provided 1 certificates

Hey, you've succeeded in having TLS working! You are blocked at the next step.

> ** Message: [9] module checks certificate
> Unable to setup connect
> ** Message: [7] client didn't choose mechanism

Here, you have a problem with the client at the very start of the sasl
negotiation.

What authentication method are you trying to use?
Have you modified the variable nuauth_uses_fake_sasl in nuauth.conf ?

BR,


> ** Message: Authentication error: SASL error: authentication process
> interupted.
> ** Message: Authentication error: user: (null) from 127.0.0.1 port (4819), protocol version 4
> 
> Thank you so much.
> Dzung Nguyen.
> 
> -----Original Message-----
> From: Eric Leblond [mailto:address@hidden]
> Sent: Wednesday 28 October 2009 16:59
> To: Nguyen Anh Dung
> Cc: address@hidden
> Subject: Re: [Nufw-users] How to get the right certificate when using nutcpc
> to connect to NuFW
> 
> Hi,
> 
> On Wednesday 28 October 2009 at 16:20 +0700, Nguyen Anh Dung wrote:
>> Hi All,
>> I'm a newbie to NuFW and I'm trying to install NuFW from source code
>> in Trustix Linux 3.0.5 (kernel 2.6.19.7-3). After several days of
>> wrestling :P, I installed it successfully as guided in the handbook
>> 2.2.
>> I did everything as guided in the handbook from step 3.5.1 to step
>> 3.6.3 (with the common name in the certificate being 'right' (my hostname)).
>> 
>> However, when I used nutcpc to connect to NuFW, there were errors:
>> 
>> nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem -K /etc/nufw/nufw-key.pem -H right
>> Error in client
>>    Connecting to NuFW gateway (right)
>>    Unable to initate connection to NuFW gateway
>>    Problem: Certificate authority verification failed: invalid, signer
>>    not found
>>    Authentication failed (check parameters)
>> Error in server
>>    ** Message: [7] TLS Handshaking (last error: 0)
>>    ** Message: [4] TLS handshake has failed (The peer did not send any certificate.)
>>    ** Message: [4] Failed connection from client 127.0.0.1
>>    GNUTLS ERROR: Error in the push function
>>    Unable to setup connect
> 
> This error is commonly found when client and server do not use the same
> certificate authority. Please check that nuauth is using a certificate
> provided by NuFW-cacert.pem. If this is not the case, nutcpc will not
> send its certificate to the server because it has no certificate the
> server can check.
> 
> BR,
> 
>> 
>> nutcpc -N -d -U root -H right (as in the guideline)
>> Error in client
>>     *******    WARNING   ******
>>     You are trying to connect to nuauth without configuring a certificate authority (CA)
>>     You are vulnerable to attack like man-in-the-middle.
>>     Do you really want to do that? Type "yes" to continue: yes
>>     Connecting to NuFW gateway (127.0.0.1)
>>     TLS error: server request certificate, none configured
>>     Unable to initate connection to NuFW gateway
>>     Problem: Certificate authority verification failed: invalid, signer not found
>>     Authentication failed (check parameters)
>> Error in server
>>    WARNING: you have not provided any certificate authority.
>>    nutcpc will *NOT* verify server certificate trust.
>>    Use the -A <cafile> option to setup CA.
>>    As certificate will not be trusted, disabling FQDN check.
>>    ** Message: [7] TLS Handshaking (last error: 0)
>>    ** Message: [4] TLS handshake has failed (The peer did not send any certificate.)
>>    ** Message: [4] Failed connection from client 127.0.0.1
>>    GNUTLS ERROR: Error in the push function
>>    Unable to setup connect
>> 
>> I use "netstat -np" and confirm that nuauth has connected to NuFW.
>> 
>> BTW, nutcpc has 3 options, -C, -A, and -K. I can understand -K but
>> am confused about -A and -C. How can I distinguish them and create them?
> 
> -A : certificate authority : the public certificate of the PKI
> -K : the private key
> -C : the certificate (corresponding to the private key)
> 
>> 
>> P/S: Is there anyone who only followed the instructions in the handbook
>> and made NuFW work?
> 
> Looks like some have succeeded ;)
> 
> BR,
> 
>> 
>> Thank you so much.
>> Dzung Nguyen.
>> 
>> 
>> _______________________________________________
>> Nufw-users mailing list
>> address@hidden
>> http://lists.nongnu.org/mailman/listinfo/nufw-users
> 

-- 
Eric Leblond
http://www.inl.fr  -  http://www.edenwall.com
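The handbook steps quoted in the thread (self-signed CA, per-daemon keys, CSRs, CA-signed certificates) and Eric's point that the client and nuauth must use the same certificate authority can be checked offline before touching nutcpc. The script below is an added example, not code from the NuFW project or from anyone in the thread: it builds a throwaway CA the same way the handbook does, issues nufw and nuauth certificates with the common name "right" from the thread, and then uses `openssl verify` to confirm that each certificate chains to the CA file that would be passed to `nutcpc -A`. It also builds an unrelated CA to show the mismatch that produces "Certificate authority verification failed: invalid, signer not found". The directory layout, the CA names and the temporary working directory are assumptions; the minimal `req.cnf` only exists so `openssl req` runs non-interactively on any install.

```shell
#!/bin/sh
# Added example (not from the NuFW handbook or the thread): generate a test PKI
# and verify certificate-to-CA trust the way nutcpc does with its -A file.
# All paths below are assumptions and live under a temporary directory.
set -eu

# Minimal openssl.cnf so `openssl req` needs no interactive prompts or system config.
write_req_config() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
}

# make_ca DIR NAME: self-signed CA key and certificate under DIR/private,
# mirroring the handbook's "openssl req -new -x509" step.
# -nodes leaves the CA key unencrypted: fine for a throwaway test, not for a real CA.
make_ca() {
  mkdir -p "$1/private"
  write_req_config "$1"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -config "$1/req.cnf" \
    -subj "/CN=$2" -keyout "$1/private/CAkey.pem" -out "$1/private/CAcert.pem" 2>/dev/null
}

# issue_cert DIR NAME CN: private key, CSR and CA-signed certificate for one daemon
# (NAME is nufw or nuauth). CN must match the host given to nutcpc -H; the thread uses "right".
issue_cert() {
  openssl genrsa -out "$1/private/$2-key.pem" 2048 2>/dev/null
  openssl req -new -config "$1/req.cnf" -key "$1/private/$2-key.pem" \
    -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/$2.csr" \
    -CA "$1/private/CAcert.pem" -CAkey "$1/private/CAkey.pem" -CAcreateserial \
    -out "$1/$2-cert.pem" 2>/dev/null
}

# verify_against_ca CAFILE CERT: succeeds only if CERT chains to CAFILE.
# This is the trust decision behind nutcpc's "signer not found" error.
# Matching the ": OK" line keeps the result independent of openssl's exit-code behaviour.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_cn CERT: print the subject in RFC 2253 form, e.g. "CN=right",
# normalising the "subject=" prefix that differs between openssl versions.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# demo DIR: one consistent PKI plus one stray CA, reproducing the mismatch Eric describes.
demo() {
  good="$1/pki"; stray="$1/other-ca"
  make_ca "$good" "NuFW test CA"
  issue_cert "$good" nufw right
  issue_cert "$good" nuauth right
  make_ca "$stray" "Unrelated CA"
  if verify_against_ca "$good/private/CAcert.pem" "$good/nuauth-cert.pem"; then
    echo "nuauth-cert.pem (subject $(cert_cn "$good/nuauth-cert.pem")) chains to CAcert.pem: nutcpc -A $good/private/CAcert.pem would accept it"
  fi
  if ! verify_against_ca "$stray/private/CAcert.pem" "$good/nuauth-cert.pem"; then
    echo "nuauth-cert.pem does NOT chain to the stray CA: this is the 'signer not found' case"
  fi
}

# Run the demonstration when openssl is available; the functions above can also be sourced.
if command -v openssl >/dev/null 2>&1; then
  demo "$(mktemp -d)"
fi
```

To apply this to a real installation, run `verify_against_ca` with the file you pass to `nutcpc -A` as the first argument and the certificate nuauth is configured with as the second; if that check fails, no nutcpc option will make the handshake succeed until nuauth's certificate is reissued from the CA the client trusts.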